Help removing Hijacker Partner37 Domain

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by croggs, Jun 12, 2012.

  1. croggs

    croggs Private E-2

    Hi All!

Would someone be willing to help me manually remove this from my computer? My Symantec, CC Cleaner, and Malware software haven't done anything. From what I've read, it needs to be done manually. Can anybody help walk me through the process in computer-challenged layman's terms? I would greatly appreciate it!!!
     
  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, croggs :)

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and then attach the requested logs to your next reply when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    * Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
     
  3. croggs

    croggs Private E-2

    Hello,

Thanks for your help so far. After doing the DNS flush (I believe it was called) it seemed like Partner37 no longer appeared and I wasn't getting the NGINX message when searching any webpages. However, now my computer is significantly worse off. I ran the first four steps from "Vista and Win 7 Malware Removal/Cleaning Procedure." The scans did not find anything.

    A couple days after running all the scans my computer has been becoming increasingly slow. Now, it takes minutes to open programs and I cannot connect to the internet (it says DNS lookup failed, but I'm on the internet on my older computer, so it isn't the router). Kaspersky still comes up clean after a full scan.

    Any recommendations or suggestions? Any help would be greatly appreciated! It's a pretty new Lenovo, and I'm really hoping I don't have to invest in another laptop so soon!

    Thanks in advance!
     
  4. thisisu

    thisisu Malware Consultant

    Hello

    The Vista and Win 7 Malware Removal/Cleaning Procedure was recently updated. Which four scans did you complete?

    I will need to see the logs from the following scans in order to assist you further (whether they found anything or not):
    • RogueKiller
    • MalwareBytes' Anti-Malware
    • HitmanPro
    • MGtools
     
  5. croggs

    croggs Private E-2

    Hi,

I had to save the logs on my external and transfer them to a different computer because I am still without internet access (it's a problem with the DNS, and I could not connect with my laptop onto any of 3 different connections). The speed on my computer doesn't seem to be too bad in safe mode. I'm not sure if it is still running poorly in the regular mode or not.

    Nothing came up from the scans for Malwarebytes or HitmanPro.


    Please let me know if you need anything else! Thank you for all the help so far and going forward. I really, really appreciate it!
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 30

    Also uninstall one of the below as it is not good to have more than one anti-virus installed.
    • Kaspersky Internet Security 2012
    • avast! Free Antivirus

    __

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

• Attached is tdx.zip
    • Inside is tdx.reg
    • Extract tdx.reg to your desktop and double-click it.
    • Allow tdx.reg to merge into the registry.
    • If the merge was successful, restart your computer and test for internet connectivity.

    __

Please download OTL by OldTimer.

    • Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All".
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     

Attached Files:

    • tdx.zip (599 bytes)
  7. thisisu

    thisisu Malware Consultant

    One more thing, did you already run ProxyFix with RogueKiller?
    If not, go ahead and do that after you complete the above.
     
  8. croggs

    croggs Private E-2

    Thanks for your prompt response! I had just downloaded Avast earlier today, but I have uninstalled it. I tried to uninstall Java and I received this message: "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

I am still running in safe mode. What do you recommend me doing to uninstall Java? Should I go ahead with the other steps if Java cannot be uninstalled at the time, or should I wait to proceed until it is uninstalled?

    Thanks!
     
    Last edited by a moderator: Jun 18, 2012
  9. thisisu

    thisisu Malware Consultant

    You can skip uninstalling Java for now. Proceed with the next steps.
     
  10. croggs

    croggs Private E-2

    Thanks! I am on the internet now! However, twice now the OTL has stopped working mid scan and it freezes and says "not responding." Any recommendations?

    Thanks!
     
  11. croggs

    croggs Private E-2

It seems to stop working while it's "Scanning Firefox Settings" for what it's worth.
     
  12. croggs

    croggs Private E-2

    Sorry for the multiple responses. The scan finally worked. Here's the log.
     

Attached Files:

    • OTL.Txt (242.9 KB)
  13. thisisu

    thisisu Malware Consultant

    While in Normal Mode:

From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 30
    • Free Sound Recorder v9.3.1 (source of Conduit)
    • FreeSoundRecorder Toolbar (source of Conduit)

    This OTL fix below has a higher chance of success if run while in Safe Mode.
Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
:otl
    IE - HKLM\..\URLSearchHook: {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
    [2012/06/12 06:39:59 | 000,000,000 | ---D | M] (FreeSoundRecorder) -- C:\Users\CRAIG\AppData\Roaming\Mozilla\Firefox\Profiles\i56v8gbk.default\extensions\{32b29df0-2237-4370-9a29-37cebb730e9b}
    O2 - BHO: (FreeSoundRecorder Toolbar) - {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (FreeSoundRecorder Toolbar) - {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3042769119-3150714495-4215333000-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    [2012/06/18 12:13:25 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2012/06/18 12:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2012/06/11 21:09:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
    [2012/06/11 21:09:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\STOPzilla!
    [2012/06/11 21:09:27 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
    [2012/06/11 21:09:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\iS3
    [2012/06/08 19:52:07 | 000,000,000 | ---D | C] -- C:\Users\CRAIG\AppData\Local\Wisdom-soft
    [2012/06/08 19:51:50 | 000,000,000 | ---D | C] -- C:\Users\CRAIG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wisdom-soft ScreenHunter 6 Free
    [2012/06/08 19:51:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Wisdom-soft ScreenHunter 6.0 Free
    [2012/06/08 19:49:07 | 000,000,000 | ---D | C] -- C:\ProgramData\blekko toolbars
    [2012/06/08 19:48:48 | 000,000,000 | ---D | C] -- C:\Users\CRAIG\AppData\Local\blekkotb_031
    [2012/06/08 19:48:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Anti-phishing Domain Advisor
:files
    C:\Program Files (x86)\FreeSoundRecorder /d
    type C:\Users\CRAIG\Desktop\RKreport[2].txt /c
    type C:\Users\CRAIG\Desktop\RKreport[3].txt /c
    type C:\Users\CRAIG\Desktop\RKreport[4].txt /c
:commands
    [clearallrestorepoints]
    [emptytemp]
    
Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Let me know if you are having any other malware related problems after you have completed the above steps.
     
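As an added illustration, not thisisu's tool nor OTL's own code, here is a small Python triage over constructed lines in the shape of the OTL entries quoted in the fix above: it groups entries by CLSID to show the same Conduit component registered as URLSearchHook, BHO, toolbar and Firefox extension at once, and flags the orphaned toolbar entry and the O16 DPF entry that pulls an old Java plug-in. All function names, the sample log and the thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the OTL entries quoted in the fix above (not a real log).
SAMPLE_LOG = r"""
IE - HKLM\..\URLSearchHook: {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
O2 - BHO: (FreeSoundRecorder Toolbar) - {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (FreeSoundRecorder Toolbar) - {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
[2012/06/12 06:39:59 | 000,000,000 | ---D | M] (FreeSoundRecorder) -- C:\Users\CRAIG\AppData\Roaming\Mozilla\Firefox\Profiles\i56v8gbk.default\extensions\{32b29df0-2237-4370-9a29-37cebb730e9b}
"""
CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")   # trailing "(Vendor)" as OTL prints it

def parse_otl_line(line):
    """Split one OTL entry into its section (IE, O2, O3, O16 or FILE), CLSID and publisher."""
    line = line.strip()
    if not line:
        return None
    kind = "FILE" if line.startswith("[") else line.split(" - ", 1)[0]
    m = CLSID_RE.search(line)
    p = PUBLISHER_RE.search(line)
    return {"kind": kind, "clsid": m.group(0).lower() if m else None,
            "publisher": p.group(1) if p else None, "raw": line}

def triage(log_text):
    """Return what a helper pivots on: one CLSID registered at several hook points
    (URLSearchHook + BHO + toolbar + Firefox extension), orphaned entries left behind
    by a half-removed toolbar, and O16 DPF entries that pull an old Java installer."""
    hooks = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        e = parse_otl_line(line)
        if e is None:
            continue
        if e["clsid"]:
            hooks[e["clsid"]].add(e["kind"])
        if "No CLSID value found" in e["raw"]:
            findings.append(("orphan", e["kind"], e["raw"]))
        if e["kind"] == "O16" and "jinstall" in e["raw"]:
            findings.append(("old-java", e["kind"], e["raw"]))
    for clsid, kinds in hooks.items():
        if len(kinds) >= 3:   # same component hooked into three or more places
            findings.append(("multi-hook", clsid, sorted(kinds)))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```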
  14. croggs

    croggs Private E-2

    Thanks thisisu!

    I am trying to uninstall Sound Recorder, but I got this message from windows about removing a shared file "NCTWMAFile2.dll." I just left it on for now, but is this something that should be deleted as well?
     
    Last edited by a moderator: Jun 19, 2012
  15. thisisu

    thisisu Malware Consultant

    Yes just leave it.
     
  16. croggs

    croggs Private E-2

Sorry for the couple day delay! The computer was running pretty well over the last couple of days. I just ran the OTL fix and I have attached the log. However, I think Kaspersky was running. I'm not sure if that will compromise the quality of the fix?

    Thank you so much for all of your help. I am extremely, extremely grateful. Getting a new computer would have been a HUGE financial burden for me. You rock!

Can you tell how the malware/virus/hijacker originally got on the computer from the logs? Any suggestions going forward to avoid such problems? I had Kaspersky running at all times I believe.

    Thanks again!!!
     
    Last edited by a moderator: Jun 21, 2012
  17. croggs

    croggs Private E-2

    Sorry, forgot the log!
     

    Attached Files:

    Last edited by a moderator: Jun 21, 2012
  18. thisisu

    thisisu Malware Consultant

    Your logs look good now.

    The NGINX webpage you mentioned in your initial post is something caused by a Blackhole exploit Kit. Read more about this here.

    Basically it looks to exploit old versions of Java, Adobe Reader, and/or Adobe Flash Player. It is very important to keep these up to date if you need to use them.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
• Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     