How to get rid of Strong Vault and Delta Search

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Carrott, Mar 13, 2013.

  1. Carrott

    Carrott Private E-2

    Hello, I'm having a problem with my computer. It started about a month ago while searching for some medical information I needed for my Dad. Here are the problems I can see 1) When I open a new tab in Internet Explorer 8 it uses something called "Delta Search". The first tab opens normally. 2) When I go into known sites it asks me to do surveys and questionnaires and has never done that before 3) When computer is booting, a folder with "Strong Vault App" opens. I have never heard of Strong Vault before this. 4) Computer runs slower than normal. I have read your READ ME FIRST instructions and tried to follow them as you requested. Attached are the logs other than RogueKiller which I couldn't get to run. When I try to run RogueKiller the computer "blue screens" dumps and shuts down. So I didn't try more than twice. Any help you can give me would be greatly appreciated. Thank you so much for your help.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you install StrongVault online backup intentionally?


    Re run Hitman and have it delete Potential Unwanted Programs.



    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    • O3 - Toolbar: Delta Toolbar - {82E1477C-B154-48D3-9891-33D83C26BCD3} - C:\Program Files\Delta\delta\1.8.10.0\deltaTlbr.dll

    After clicking Fix exit HJT.




    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the [​IMG] area. Do not include the word Code.

    Code:
    :Files
    C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
    C:\Documents and Settings\J&JP\Local Settings\Application Data\couponamazing
    C:\Documents and Settings\J&JP\Local Settings\Application Data\searchcom_001
    C:\Documents and Settings\J&JP\Application Data\Babylon
    C:\Documents and Settings\J&JP\Application Data\Delta
    C:\Documents and Settings\J&JP\Local Settings\Application Data\couponamazing
    C:\Documents and Settings\All Users\Application Data\Babylon
    C:\Documents and Settings\All Users\Application Data\BrowserProtect
    C:\Program Files\Internet Explorer\iexplore(2).exe
    C:\Program Files\Internet Explorer\iexplore.exe.exp.log
    C:\WINDOWS\system32\AI_RecycleBin
    C:\WINDOWS\system32\AI_RecycleBin
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\ConfigExec.job
    C:\WINDOWS\Tasks\DataUpload.job
    
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{34e26447-bf30-4c78-a5b9-61dfa8a55e67}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{34e26447-bf30-4c78-a5b9-61dfa8a55e67}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
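
    A post-fix check for a script like the one quoted above, as an added example that is not part of the original post and not part of OTM: it parses the :Files and :reg sections, drops repeated entries, and reports which targets are still present, which helps when the tool exits without leaving a results log. The function names and the shortened sample script are assumptions made for illustration; the registry check only works on Windows.

```python
import os

# Constructed sample: a shortened excerpt of the fix script quoted in the post.
SAMPLE_SCRIPT = r"""
:Files
C:\Documents and Settings\J&JP\Application Data\Delta
C:\WINDOWS\system32\AI_RecycleBin
C:\WINDOWS\system32\AI_RecycleBin
C:\WINDOWS\Tasks\At1.job
:reg
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
:Commands
[emptytemp]
"""

def parse_fix_script(text):
    """Split the script into its ':Section' lists, dropping repeated entries."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(":"):
            current = sections.setdefault(line[1:].lower(), [])
        elif line and current is not None:
            # Windows paths and key names are case-insensitive.
            if line.lower() not in (e.lower() for e in current):
                current.append(line)
    return sections

def reg_key_exists(key_path):
    """True if the key can be opened; always False where winreg is unavailable."""
    try:
        import winreg
        hive, _, subkey = key_path.partition("\\")
        winreg.CloseKey(winreg.OpenKey(getattr(winreg, hive), subkey))
        return True
    except (ImportError, AttributeError, OSError):
        return False

def remaining_artifacts(sections, path_exists=os.path.exists,
                        key_exists=reg_key_exists):
    """List files and '[-KEY]' registry targets from the script that still exist."""
    left = [p for p in sections.get("files", []) if path_exists(p)]
    for entry in sections.get("reg", []):
        if entry.startswith("[-") and entry.endswith("]") and key_exists(entry[2:-1]):
            left.append(entry[2:-1])
    return left

if __name__ == "__main__":
    for item in remaining_artifacts(parse_fix_script(SAMPLE_SCRIPT)):
        print("STILL PRESENT:", item)
```

    An empty result after the reboot means every listed file, folder and registry key is gone; anything printed is a target the fix did not remove.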
     
  3. Carrott

    Carrott Private E-2

    Thank you for your help. I did NOT install StrongVault intentionally. I have attempted to run everything you advised and attached logs. OTM would not work. When I try to run OTM, it looks like the software is running behind what appears to be some sort of log note and then it just goes away and even the software is gone from the desktop. There is no change in how it is running - all the same problems. Thank you again for your help.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall it then if not done so already.

    Download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.



    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. Carrott

    Carrott Private E-2

    Hello, I did not install StrongVault intentionally and I don't find an uninstall for it. I don't find it in Add/Remove Programs and I don't find it in Start/All Programs. The only time I see it is when I reboot. On reboot the following folder opens: C:\Documents and Settings\J&JP\Local Settings\Application Data\StrongVault. The following items are inside the StrongVault folder: Mod.StrongValtappl.dat, StrongVaultK.dat, StrongVaultU.dat and a folder named 0211085306 which has lots of .tmp files in it.

    As far as the rest of your instructions, everything seemed to run successfully this time. I have attached logs as you requested. I DID RECEIVE A SUCCESS message for the registry edits.

    As far as how it's running now, as I already mentioned, 1) I'm still getting the Strong Vault folder on reboot, 2) When I create a "new tab" to browse, I don't see "Delta Search" anymore, I see a new tab with a link that doesn't work saying "Learn more about tabs and tab shortcuts, Accelerator and Inprivate Browsing." The original tab when I first pull up IE is still normal (Google Search). So far when I go to known sites I am NOT getting the surveys and questionnaires anymore.

    Thank you again for all your help.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please use Revo Uninstaller to be rid of stronghold, see if it shows up there... & let me know. :)
     
  7. Carrott

    Carrott Private E-2

    No, StrongVault did not show up on Revo either.

    Is there anything else I need to do to get my tabs to work correctly in IE?

    Thank you.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'll see what I can do, in the meantime answer me this: Can you delete this? Reboot, and it's still gone? C:\Documents and Settings\J&JP\Local Settings\Application Data\StrongVault
     
  9. Carrott

    Carrott Private E-2

    I have deleted and rebooted and the StrongVault folder did NOT come up. When I went into the Application Folder to delete the file, I noticed there were two other files as well: "Stronghold LLC" and "StrongVault Online Backup". I only deleted the one we have already spoken of, but they are ALL GONE. The folder does not come up now when I reboot.

    Thank you.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you still have issues with tabs in IE?
     
  11. Carrott

    Carrott Private E-2

    Yes, When I create a "new tab" to browse, I don't see "Delta Search" anymore, I see a new tab with a link that doesn't work saying "Learn more about tabs and tab shortcuts, Accelerator and Inprivate Browsing." The original tab when I first pull up IE is still normal (Google Search).

    Thank you for all your help.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can ask about that in the software forum. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8 Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove, you can delete these files now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. Carrott

    Carrott Private E-2

    All is well and FIXED!!!. Thank you so much for your help.
     
