MajorGeeks Support Forums

  #1  
Old 06-12-12, 17:52
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Help removing Hijacker Partner37 Domain

Hi All!

Would someone be willing to help me manually remove this from my computer? My Symantec, CC Cleaner, and Malware software haven't done anything. From what I've read, it needs to be done manually. Can anybody help walk me through the process in computer-challenged layman's terms? I would greatly appreciate it!!!
  #2  
Old 06-12-12, 19:09
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,433 Times in 1,355 Posts
Re: Help removing Hijacker Partner37 Domain

Welcome to MajorGeeks, croggs

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and then attach the requested logs to your next reply when you finish these instructions.
  • **** If something does not run, write down the info to explain to us later but keep on going. ****
  • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
  • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
  1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
  2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
  3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
  4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
* Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
  #3  
Old 06-17-12, 19:57
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

Hello,

Thanks for your help so far. After doing the DNS flush (I believe it was called) it seemed like Partner37 no longer appeared and I wasn't getting the NGINX message when searching any webpages. However, now my computer is significantly worse off. I ran the first four steps from "Vista and Win 7 Malware Removal/Cleaning Procedure." The scans did not find anything.

A couple of days after running all the scans my computer has been becoming increasingly slow. Now, it takes minutes to open programs and I cannot connect to the internet (it says DNS lookup failed, but I'm on the internet on my older computer, so it isn't the router). Kaspersky still comes up clean after a full scan.

Any recommendations or suggestions? Any help would be greatly appreciated! It's a pretty new Lenovo, and I'm really hoping I don't have to invest in another laptop so soon!

Thanks in advance!
  #4  
Old 06-17-12, 20:06
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,433 Times in 1,355 Posts
Re: Help removing Hijacker Partner37 Domain

Hello

Quote:
Originally Posted by croggs
I ran the first four steps from "Vista and Win 7 Malware Removal/Cleaning Procedure." The scans did not find anything.
The Vista and Win 7 Malware Removal/Cleaning Procedure was recently updated. Which four scans did you complete?

I will need to see the logs from the following scans in order to assist you further (whether they found anything or not):
  • RogueKiller
  • MalwareBytes' Anti-Malware
  • HitmanPro
  • MGtools
  #5  
Old 06-18-12, 17:57
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

Hi,

I had to save the logs on my external and transfer them to a different computer because I am still without internet access (it's a problem with the DNS, and I could not connect with my laptop to any of 3 different connections). The speed on my computer doesn't seem to be too bad in safe mode. I'm not sure if it is still running poorly in the regular mode or not.

Nothing came up from the scans for Malwarebytes or HitmanPro.


Please let me know if you need anything else! Thank you for all the help so far and going forward. I really, really appreciate it!
Attached Files
File Type: zip MGlogs.zip (289.1 KB, 4 views)
File Type: txt RKreport[1].txt (1.8 KB, 5 views)
File Type: txt mbam-log-2012-06-18 (15-40-34).txt (1.9 KB, 2 views)
File Type: zip hitmanpro.zip (289 Bytes, 5 views)
  #6  
Old 06-18-12, 18:48
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,433 Times in 1,355 Posts
Re: Help removing Hijacker Partner37 Domain

From Programs and Features (via Control Panel), please uninstall the below:
  • Java(TM) 6 Update 30

Also uninstall one of the below as it is not good to have more than one anti-virus installed.
  • Kaspersky Internet Security 2012
  • avast! Free Antivirus

__

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Attached is tdx.zip
  • Inside is tdx.reg
  • Extract tdx.reg to your desktop and double-click it.
  • Allow tdx.reg to merge into the registry.
  • If the merge was successful, restart your computer and test for internet connectivity.

__

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the text-field.
    Code:
    activex
    netsvcs
    /md5start
    tdx.sys
    /md5stop
    %windir%\$ntuninstallkb*. /120
    %windir%\system32\drivers\*.sys /lockedfiles
  • Now click the button.
  • One report will be created:
    • OTL.txt <-- Will be opened
  • Attach OTL.txt to your next message. (How to attach)
Attached Files
File Type: zip tdx.zip (599 Bytes, 7 views)
  #7  
Old 06-18-12, 18:52
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,433 Times in 1,355 Posts
Re: Help removing Hijacker Partner37 Domain

One more thing, did you already run ProxyFix with RogueKiller?
If not, go ahead and do that after you complete the above.
  #8  
Old 06-18-12, 19:07
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

Thanks for your prompt response! I had just downloaded Avast earlier today, but I have uninstalled it. I tried to uninstall Java and I received this message: "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

I am still running in safe mode. What do you recommend me doing to uninstall Java? Should I go ahead with the other steps if Java cannot be uninstalled at the time, or should I wait to proceed until it is uninstalled?

Thanks!

Last edited by thisisu; 06-18-12 at 19:08.. Reason: removed quoted text + approved from moderation
  #9  
Old 06-18-12, 19:10
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,433 Times in 1,355 Posts
Re: Help removing Hijacker Partner37 Domain

You can skip uninstalling Java for now. Proceed with the next steps.
  #10  
Old 06-18-12, 20:02
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

Thanks! I am on the internet now! However, twice now the OTL has stopped working mid scan and it freezes and says "not responding." Any recommendations?

Thanks!
  #11  
Old 06-18-12, 20:21
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

It seems to stop working while it's "Scanning Firefox Settings", for what it's worth.
  #12  
Old 06-18-12, 20:53
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

Sorry for the multiple responses. The scan finally worked. Here's the log.
Attached Files
File Type: txt OTL.Txt (242.9 KB, 2 views)
  #13  
Old 06-19-12, 01:41
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,433 Times in 1,355 Posts
Re: Help removing Hijacker Partner37 Domain

While in Normal Mode:

From Programs and Features (via Control Panel), please uninstall the below:
  • Java(TM) 6 Update 30
  • Free Sound Recorder v9.3.1 (source of Conduit)
  • FreeSoundRecorder Toolbar (source of Conduit)

This OTL fix below has a higher chance of success if run while in Safe Mode.
Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.
Code:
:otl
IE - HKLM\..\URLSearchHook: {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
[2012/06/12 06:39:59 | 000,000,000 | ---D | M] (FreeSoundRecorder) -- C:\Users\CRAIG\AppData\Roaming\Mozilla\Firefox\Profiles\i56v8gbk.default\extensions\{32b29df0-2237-4370-9a29-37cebb730e9b}
O2 - BHO: (FreeSoundRecorder Toolbar) - {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (FreeSoundRecorder Toolbar) - {32b29df0-2237-4370-9a29-37cebb730e9b} - C:\Program Files (x86)\FreeSoundRecorder\prxtbFree.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3042769119-3150714495-4215333000-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
[2012/06/18 12:13:25 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/06/18 12:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/06/11 21:09:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
[2012/06/11 21:09:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\STOPzilla!
[2012/06/11 21:09:27 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
[2012/06/11 21:09:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\iS3
[2012/06/08 19:52:07 | 000,000,000 | ---D | C] -- C:\Users\CRAIG\AppData\Local\Wisdom-soft
[2012/06/08 19:51:50 | 000,000,000 | ---D | C] -- C:\Users\CRAIG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wisdom-soft ScreenHunter 6 Free
[2012/06/08 19:51:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Wisdom-soft ScreenHunter 6.0 Free
[2012/06/08 19:49:07 | 000,000,000 | ---D | C] -- C:\ProgramData\blekko toolbars
[2012/06/08 19:48:48 | 000,000,000 | ---D | C] -- C:\Users\CRAIG\AppData\Local\blekkotb_031
[2012/06/08 19:48:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Anti-phishing Domain Advisor
:files
C:\Program Files (x86)\FreeSoundRecorder /d
type C:\Users\CRAIG\Desktop\RKreport[2].txt /c
type C:\Users\CRAIG\Desktop\RKreport[3].txt /c
type C:\Users\CRAIG\Desktop\RKreport[4].txt /c
:commands
[clearallrestorepoints]
[emptytemp]
Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

Let me know if you are having any other malware related problems after you have completed the above steps.
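The OTL fix above removes the Conduit toolbar's IE registrations by hand: a URLSearchHook, a Browser Helper Object (the O2 line) and two Toolbar entries (the O3 lines), each keyed by the same CLSID and pointing at prxtbFree.dll. As an added example, not code from the thread, from OTL or from MajorGeeks, here is a read-only PowerShell audit that enumerates those same extension points, resolves each CLSID to its friendly name and DLL the way OTL's O2/O3 lines do, and reports the DLL's Authenticode status, so entries that OTL would show as "No CLSID value found" or that load a DLL from an unexpected product can be reviewed before anything is deleted. It assumes PowerShell 3.0 or later and an elevated prompt; the registry paths are the standard IE locations, and the Wow6432Node copies matter on a 64-bit Windows like the poster's.

```powershell
# Added example for this thread (not code from the thread, OTL, or MajorGeeks):
# read-only audit of the IE extension points the OTL fix above edits.
# Assumes PowerShell 3.0+ and an elevated prompt. Registry paths are the standard
# IE locations; the Wow6432Node copies matter on 64-bit Windows like the poster's.

$guidRe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Where IE looks for URLSearchHooks, Browser Helper Objects (O2) and Toolbars (O3).
$extensionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)

function Resolve-Clsid {
    # Map a CLSID to its friendly name and in-process DLL, the way OTL's O2/O3 lines do.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
                      'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $srv = Join-Path $key 'InprocServer32'
        $dll = if (Test-Path -LiteralPath $srv) { (Get-ItemProperty -LiteralPath $srv).'(default)' } else { $null }
        return [pscustomobject]@{
            Name = (Get-ItemProperty -LiteralPath $key).'(default)'
            Dll  = [Environment]::ExpandEnvironmentVariables(([string]$dll).Trim('"'))
        }
    }
    return $null   # the case OTL reports as "No CLSID value found"
}

function Get-IEExtensionPoint {
    foreach ($key in $extensionKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # BHOs register as subkeys named by CLSID; hooks and toolbars as value names.
        $ids = @((Get-ChildItem -LiteralPath $key).PSChildName) + @((Get-Item -LiteralPath $key).GetValueNames())
        foreach ($id in ($ids | Where-Object { $_ -match $guidRe } | Sort-Object -Unique)) {
            $info = Resolve-Clsid $id
            $dll  = if ($info) { $info.Dll } else { '' }
            $sig  = if ($dll -and (Test-Path -LiteralPath $dll)) {
                        (Get-AuthenticodeSignature -FilePath $dll).Status
                    } else { 'n/a' }
            [pscustomobject]@{
                Location  = $key
                CLSID     = $id
                Name      = if ($info -and $info.Name) { $info.Name } else { '(no CLSID value found)' }
                Dll       = $dll
                Signature = $sig
            }
        }
    }
}

# Review everything, then look hardest at entries with no CLSID, an unsigned DLL, or a
# DLL belonging to a product you never chose to install (the Conduit hook above lived
# under the FreeSoundRecorder folder that came with the "free" recorder).
Get-IEExtensionPoint | Format-Table -AutoSize -Wrap
```

Run it before and after a cleanup: the same CLSID showing up under URLSearchHooks, Browser Helper Objects and Toolbar at once, all pointing at one third-party DLL, is exactly the pattern the OTL fix above targets, and a second run afterwards confirms the registrations are gone rather than merely the files.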
  #14  
Old 06-19-12, 16:56
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

Thanks thisisu!

I am trying to uninstall Sound Recorder, but I got this message from Windows about removing a shared file "NCTWMAFile2.dll." I just left it on for now, but is this something that should be deleted as well?

Last edited by thisisu; 06-19-12 at 17:09.. Reason: removed quoted text
  #15  
Old 06-19-12, 17:10
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,433 Times in 1,355 Posts
Re: Help removing Hijacker Partner37 Domain

Quote:
Originally Posted by croggs
I just left it on for now, but is this something that should be deleted as well?
Yes just leave it.
  #16  
Old 06-20-12, 21:29
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

Sorry for the couple of days' delay! The computer was running pretty well over the last couple of days. I just ran the OTL fix and I have attached the log. However, I think Kaspersky was running. I'm not sure if that will compromise the quality of the fix?

Thank you so much for all of your help. I am extremely, extremely grateful. Getting a new computer would have been a HUGE financial burden for me. You rock!

Can you tell how the malware/virus/hijacker originally got on the computer from the logs? Any suggestions going forward to avoid such problems? I had Kaspersky running at all times I believe.

Thanks again!!!

Last edited by thisisu; 06-21-12 at 17:37.. Reason: removed quoted text.
  #17  
Old 06-20-12, 21:39
croggs
Private E-2
 
Join Date: Jun 2012
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Help removing Hijacker Partner37 Domain

Sorry, forgot the log!
Attached Files
File Type: log 06202012_205843.log (52.3 KB, 2 views)

Last edited by thisisu; 06-21-12 at 17:37.. Reason: removed quoted text
  #18  
Old 06-21-12, 17:50
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,433 Times in 1,355 Posts
Re: Help removing Hijacker Partner37 Domain

Your logs look good now.

The NGINX webpage you mentioned in your initial post is something caused by a Blackhole exploit kit. Read more about this here.

Basically it looks to exploit old versions of Java, Adobe Reader, and/or Adobe Flash Player. It is very important to keep these up to date if you need to use them.

__

If you are not having any other malware related problems, it is time to do our final steps:
  • Any programs we had you download and/or install can be removed at this time.
  • If we had you download and run ComboFix, here is how to uninstall it:
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • "%userprofile%\desktop\ComboFix" /uninstall
    • Now press ENTER
    • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
  • You can re-enable your Disk Emulation software at this time via DeFogger.
  • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
  • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
  • Now we will toggle System Restore to remove any infected system restore points.
  • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
  • Be safe