Another Claro Search victim: Please help

Hello again. I’m one of those people who downloaded a program from CNET (in this case it was Revo Uninstaller) and got hit with Claro-Search. I think there was even an accept/reject box in the Revo download that asked if you wanted a Claro add-on toolbar. I declined, but it came along anyway. This happened yesterday.

Even before I looked it up and found it was a malicious program, I kept trying to get rid of it. I used Revo to uninstall one Claro program that seemed to go easily. I started Revo on a second Claro program that, as soon as it sensed it was being uninstalled, started uninstalling itself. I suspect that the self-uninstall was designed to make it burrow deeper.

There was a “Browser Manager” that went along with these programs, and something called a Coupon Companion. I uninstalled both of these or at least deleted what I could see of them.

I am running Windows XP Service Pack 3. I have Microsoft Security Essentials, which runs a scan every morning at 4 a.m. and today shows nothing amiss. Yet I still get claro-search in the toolbar whether I’m using Firefox or Google Chrome.

I’ve gone through READ AND RUN ME and Windows XP Malware Removal and Cleaning Procedure, and I’m attaching the logs. I’m not very computer-savvy, so I hope you’ll be patient with me. As I’ve gone through all these diagnostic programs, I find I’m terrified much of the time.

Here are the logs:

Actually, these are just the logs from RK Report, MGlogs and Hitman Pro. I can't find the log from TDSS Killer even though I'm following directions. As for Malwarebytes, I have a log on my Notepad but I can't figure out how to find it to attach it.

 

OK, I've finally managed to find the TDSS log. I've attached it here. Maybe someone can help me figure out how to attach the log for mbam. I have what I think is an mbam log on a notepad window, and I have all the instructions in front of me in multiple tabs, but I'm still confused.

Thanks again.

 

Hi, Dr. Moriarty. Thanks for your help. I can find and read the MBAM log in the "Logs" tab of the Malwarebytes program; I just can't get it to come up through the "Manage Attachments" browser. I can, of course, just copy out the contents here. Is that usable? Is that OK??

I have a couple of obligations this evening but will get started first thing tomorrow on the Hitman Pro and Rogue Killer re-scans, plus the Junkware Removal tool.

Thank you again. I really appreciate your help. Do let me know whether it's OK to copy out the contents of the MBAM log.

Hope

 

Oh, that's terrific! Thanks! Here's the contents of the MBAM log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.16.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: NAMEOMITTED-7CE96C9 [administrator]

11/15/2012 9:49:28 PM
mbam-log-2012-11-15 (21-49-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183497
Time elapsed: 1 hour(s), 18 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 23f2dea62c49300537f6b8081ea61e1e -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: ("%1" /S) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Many thanks, Doctor!

 

Good morning, Doc. I've just finished the Hitman Pro scan and I have a question about your specifications.

The Hitman results page that is showing now does not have any headings such as "Potential Unwanted Programs" and/or "Malware Remnants." It just lists four things to delete, all of them "Adware.IWantThis." There are eight others that it says to ignore.

After reading the bold red warnings in the Hitman Pro instruction file ( http://forums.majorgeeks.com/showthread.php?t=260397 ) that tell me to keep my hands off Hitman results unless I know what I'm doing, I figure I'd better ask you whether those four are really the ones you were talking about. It's always possible that I'm missing something, or there's another page and I'm on the wrong one -- or something else.

Sorry for this glitch. I'll await your comments.

Hope

 

The following was intended as an EDIT to my preceding post, but evidently I went over the time limit for editing. Anyway, it's good news:

EDIT: Right after I posted this reply I went back and examined the log I had attached in an earlier post. Sure enough, it does break down the findings by "Potential Unwanted programs" and "Malware Remnants." And listed under the first are the four IWantThis programs that the current Hitman page says to delete, while under the second are the eight other things the current page says to ignore.

Why my current program page would not break down the results this way is beyond me. But anyway, per your instructions, I will just go ahead and get rid of all 12 of those and then move on to Rogue Killer and the junkware removal. I hope to have the logs for you later today.

 

Hello again, Doc. I'm writing this on someone else's computer because suddenly I have no Internet access -- either on Firefox or Chrome or IE. That, and the length of time that Hitman is taking, prompts a few questions:

1. Could my loss of Internet access be the malware's fighting back? Or would this be normal during a Hitman removal process? (I notice it does say that some programs may close during the removal.)

2. I fired up Hitman shortly after my last message, which was a bit after noon. Now it's about 2:30 p.m. my time, and the program is still just sitting there. It says it's removing malicious software, and tells me to wait. But it's just looking inert -- and if it is running, it's been running for about 2 hours.

From the initial scan I ran with Hitman, I've realized that it takes a long time. The scan itself took more than an hour, and the page looked similarly inert until it sprang to life with its results. But tell me: In your experience, should Hitman's malware removal be taking this long?

I'll check this thread from time to time on this other computer. Hope to talk to you soon.

 

Hi, Doc. I don't know where to begin in reply. I'll take it in steps:

1. I DID run only one scan at a time, and I DID run each scan only one time. I'm such a novice that each of these steps is monumental for me, and I couldn't possibly have done more than one at any time.

I did, however, have multiple browser tabs open with the Major Geeks instructions for each diagnostic program, along with the logs from the programs themselves, and of course Firefox. I had no idea that these should have been closed out while I ran each scan, if that's what you're saying.

So I gather that when I run these programs again, I should run each in isolation, with everything else closed? Is that right?

2. You ask about a certain service:
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe

I don't know what it is, I'm afraid. Is it something malicious?

3. I have closed all programs on my other computer, the one without internet access now. Hitman, which continues to sit there inertly, resists all efforts to cancel or close or abort. If I'm going to run those scans again I will have to get rid of it somehow: Should I just turn off the computer and reboot?

Sorry to make all this trouble. I'll continue to monitor this second computer (my husband's) in hopes you'll reply to my questions about (a) whether to run all scans with everything else turned off absolutely and (b) whether I should turn off and reboot my original computer.

If it's not too much trouble, could you also tell me whether you think I have really screwed up?

Hope

 

Hello, Doc. I am back up and running on my original computer. I did have to shut it down completely in order to get rid of Hitman. But it rebooted in a normal-looking way (except for the presence of the Claro toolbar) and I was able to get on the Internet.

Right now I'm starting in to re-run the five diagnostics that (I guess) I screwed up the other day. Right off, I'm sensing something amiss with Rogue Killer. I clicked on the desktop icon and was taken to a site with much cleaner-looking graphics than the RK I used before. It told me the previous site was outdated and I had to download new RK software. Sounded strange, but I went ahead. It then presented me with a succession of screens offering me all kinds of add-ons and doodads, which I kept declining. Finally, at about the third screen I bailed out.

To your knowledge, is this the legitimate RK site? Or am I being messed with by Claro? Please let me know what you think is going on.

I will proceed with the other tools -- MB, TDSS Killer, MG Tools and Hitman Pro. I'll let you know if something seems wrong.

Thanks.

Hope

 

Doc, I think I have a really serious problem. I am trying to run Malwarebytes, and after 10 minutes or so (not sure of exact time because I've walked away while it was running) when I call up the page it is just totally white, with a hourglass where the cursor might be.

This has happened twice. Each time I was able to "End Program" and get back to my desktop screen, but I think there is something definitely wrong. I hope you can advise me.

Thanks.

Hope

EDIT: I must have added this while you were posting or shortly afterward.

 

The 8.3.0 version of RogueKiller that you link to is the one I downloaded a couple of days ago when we began this exercise. It is definitely the one I installed on my desktop at that time and used to produce the first log I attached.

However, it is NOT the "updated" version I described to you above in my post that said something's amiss. What's worrisome is that when I first went to use RK this morning, I just clicked on the desktop icon that I had installed a couple of days ago. The legitimate RK screen appeared, and then seemed to be commandeered by the bogus "updated" version.

I hope I don't have any of this bogus update on my machine.

I have now downloaded a fresh copy of RK from the Major Geeks download site you linked to. I think it has overridden what I had on my desktop previously.

In view of the problems I'm having with Malwarebytes, I'll let that sit for a while and I'll go ahead with RogueKiller.

Thanks again. Fingers crossed.

Hope

 

OK, I've done RogueKiller. Since I'm teetering on the edge here, I'll just post the logs right now instead of waiting to finish all five programs. (At this rate, I wonder whether I'll be able to do all five after all.)

For some reason, this go-round produced two logs, RK2 and RK3. I'll post them both.

 

Doc: I tried Malwarebytes again, using a new copy of the program that I freshly downloaded from the Major Geeks download site. I figured that since it worked with Rogue Killer, it might work with MBAM. Unfortunately, it didn't. So for now at least, I can't use MBAM.

On the subject of Rogue Killer, I just realized I deleted the four items that RK found suspicious. I hope that doesn't throw a monkey wrench into things. I was trying to remember the instructions and instead I followed the instructions for Malwarebytes, which tells you to remove everything that's checked. I didn't realize my mistake until I posted those two logs. Sorry.

We're heading into the dinner hour here and I don't know when I'll get back to this. I confess to feeling very jittery, like I'm walking on eggshells, and I don't seem to have made any progress at all after two days. On the contrary, it just seems to get worse.

I'll check in later and maybe try a few more programs. If you have comments on my problems with MBAM, I would love to hear them. Thanks.

Hope

 

Yes, I renamed it mb.exe. Maybe I'll try it again after all these others are done.

Re the others, you have the RK log attached above. Below are the logs for TDSS, MGTools and Hitman. (Interesting story on Hitman: When it finished, it said it had found nothing. That is, in spite of its hanging and hanging for hours the other day, it must have done its job anyway and deleted the 12 items I asked it to delete.)

Thanks again. I'll get back to you on Malwarebytes.

Hope

 

Doc, here is the Malwarebytes log. I was able to run it successfully, and I was also able to find the log:

 

• 
  
  Doc, I'm going to start in on the JRT as soon as you've looked over the logs above. When you say to "shut down your protection software," I'm not sure what you mean by "shut down." You mean to uninstall it? If not, how else would I shut it down?
  
  On the advice of a supposed computer expert, I'm running Microsoft Security Essentials only. I'm sure that's very minimally protective. But anyway, should I uninstall it to run JRT??
  
  Thank you.
  
  Hope
  
  (I'm still showing the Claro toolbar.)

 

OK, Doc, I disabled the MSE real-time protection, downloaded and ran JRT, re-enabled MSE real-time protection and rebooted. JRT log is attached.

Unfortunately, I still have the Claro toolbar.

 

Well, what do you know? I'm free!!!! Terrific! Happy Thanksgiving!

Terrific tool! Terrific Doc Moriarty! Terrific Major Geeks!

Thanks, Doc. So glad you made it back from the Reichenbach Falls. Here is the log:

 

Doc, I'll take this in steps, and I do have some complications when it comes to the final cleanup. But first things first...

1. Re System Mechanic: Thanks for passing on chaslang's comments. I will certainly take them into account. I've used System Mechanic for three or four years now, and I've always felt it kept my machine running smoothly and was a good choice for someone not geeky enough to do it on her own. Some time this year, though, Iolo offshored its support functions, and I'm understating it when I say the new support people do not inspire my confidence. I'm definitely going to have to reconsider System Mechanic.

I gather you and chaslang really don't think there's anything out that beats your own personal attentions -- but if you do know of a program that suits a non-geek like me, I would love to hear of it.

2. Thanks for the Java link. I thought I had it on my machine but maybe it slipped away.

3. Re the final steps: I have kept Malwarebytes. I have deleted Rogue Killer, TDSSKiller, HitmanPro and AdwCleaner. (When I say I "deleted" them, I searched for them in the Search function and then manually deleted each file that came up. Does this count as an "uninstall"?)

But I am having trouble with MGtools.

Somehow I was able to find the MGclean.bat file but now it's disappeared. And I can find the MGtools. exe file but when I click on it I get a box that says Windows cannot open the file because it needs to know what program created it. And I think I also got a box that said that program can't be deleted.

So I'm not sure what to do, and I don't know whether my inability to go through all the MGclean.bat exercises is going to affect the "Disable System Restore" step you have in mind for the very last.

So please advise what I should do about MGtools and whether I should proceed to the last steps about System Restore even though I don't have the MGtools question resolved.

Thank you again. You've been most patient with my continued screw-ups. I'll keep checking in here to get your latest instructions.

Hope

 

Doc, before you go I have a couple of other questions. One has to do with a question you posed at the very beginning of this exercise, and the second concerns JRE and Java.

1. Right up near the top, you asked me about something called Borland.

QUOTE=dr.moriarty;1785376]

What is this service related to?
Quote:
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe

[/QUOTE]

I said I didn't know, and I didn't. But I just discovered its folder in one of my directories, and I opened it and it looks as if there's some "Guardian" thing that's been running every day since 1/24/12. Does it look malicious to you?

Back on Christmas Eve 2011, I got hit with a vicious rootkit for which I had to call in professional online help, a support service based in Florida. The guy was very good and continued to work with me on and off for a whole month, up to 1/22/12, to clean the thing out and get the system running again.

The near-conjunction of the two dates -- 1/24/12 and 1/22/12 -- leads me to wonder whether he didn't install this program for some reason. The "Guardian" aspect of it suggests it's protective -- but is it? Does it seem useful to you? Should I get rid of it? Now that you've pointed it out, I find it spooky.

2. Re Java: You might say this belongs in the software forum, but please hear me out first: I have JRE installed thanks to your prompting. But whenever I go to the NYTimes crossword puzzle page, it complains that I need to install Java. So I go to the Java. com site to verify that I have it. It won't verify. So I click for a Java download. It downloads but won't respond when I click to open it to begin installation. And in general it just doesn't behave the way it used to.

So, my question is: Do you think this could be because I haven't completed the final cleanup steps here with MGlogs and I haven't done the steps concerning System Restore? Or is it possible I damaged something during the whole malware removal exercise??

The other question, and I'm sure it's for the software forum, is this: If I have JRE installed, why do I need to keep installing Java?

I hope you don't mind my bringing these up right now, but on both counts I think they're left over from our malware removal process and I think I better see them through to the end before I can feel this chapter closed.

Thank you again, and I wish you a very happy Thanksgiving.

Hope

 

Fine, Doc. I'm looking forward to hearing from you. Have a great day!

Tryptophanically yours,

Hope

 

Hi, Doc. We've had some sickness in the family in addition to the usual post-Thanksgiving lethargy, so I haven't gotten to these "last steps" as soon as I had hoped. I will try to wind them up this afternoon or this evening. Sorry for the delayed reply.

Hope

 

All done! All the MG bits and pieces are gone, and the disable/enable procedure is done, and even Borland has disappeared. Whoopee!

So thanks many many times, Doc, for your time and patience. It's just one more illustration of how the kind people at Major Geeks are doing their part to help us dummies cope with the New Age. I am most grateful. And I do hope you enjoyed your Thanksgiving!

Hope