browser hijack possible

Discussion in 'Malware Help (A Specialist Will Reply)' started by robert221usa, Jul 16, 2014.

  1. robert221usa

    robert221usa Private E-2

    Thank you in advance for your help and assistance.

    "Topbuyer" ads appear in and take over Chrome even after the scans. I did the hijack stuff first - all went well. I then did the full scans and all was good except that TDSSKiller would not run the second time (meaning it ran in the hijack process but not the full instructions process). The error I received said Extended monitoring driver is required for more advance threats detection - asked me to reboot to install a driver - I didn't as your instructions didn't say to do so.

    Logs attached.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry? :confused

    Did you run MGTools? This is one of the most important logs of all; once run, you should attach the MGlogs.zip. Thanks. :)
     
  3. robert221usa

    robert221usa Private E-2

    You are correct I did not run MGTools - my apologies - see attached.

    To clarify - on the main removal page there is a sticky for "Fixing Google Redirection/hijacking and other redirection problems". As that appeared to be the issue, I followed those directions first and TDSSKiller ran fine. When done following those directions I was still having the issue, so I went to "READ & RUN ME FIRST. Malware Removal Guide". When I was asked to run TDSSKiller in those instructions I tried but was not successful and got the error message in the original post - hope that makes a bit more sense.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\ProgramData\Performancer
    C:\ProgramData\6a06bd8a4b97d908
    C:\ProgramData\PricceDownloadeR
    C:\ProgramData\tOpbbuyer
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SweetPacks
    C:\Program Files (x86)\PricceDownloadeR
    
    :reg
    [-HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}]
    [-HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}]
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\BrowserSafeguard_RASAPI32]
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\BrowserSafeguard_RASMANCS]
    [-HKLM\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
    [-HKLM\SOFTWARE\Wow6432Node\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKLM\SOFTWARE\Wow6432Node\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
    [-HKLM\SOFTWARE\Wow6432Node\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
    [-HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\S-1-5-18\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\S-1-5-19\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\S-1-5-20\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\S-1-5-20\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\S-1-5-21-2246818765-3229850687-2129539117-1000\Software\APN PIP]
    [-HKU\S-1-5-21-2246818765-3229850687-2129539117-1000\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\S-1-5-21-2246818765-3229850687-2129539117-1000\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\S-1-5-21-2246818765-3229850687-2129539117-1000\Software\Conduit]
    [-HKU\S-1-5-21-2246818765-3229850687-2129539117-1000\Software\IM]
    [-HKU\S-1-5-21-2246818765-3229850687-2129539117-1001\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    http://imageshack.us/a/img841/7292/thisisujrt.gif Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
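    The OTM script above is a plain-text fix list in three sections (:Files, :reg, :Commands), and the paths and registry keys in it double as indicators that a defender can re-check after cleanup. The Python below is an added example, not part of the thread and not OTM's own code: it parses that script format into a structured list and audits whether the listed artifacts are still present, with the existence checks injected so the audit logic runs on any platform. SAMPLE_SCRIPT is a trimmed copy of the entries from the post; the winreg helper and the function names are my own assumptions.

```python
"""Parse an OTM fix script into an indicator list and audit what is still present."""
import os
import re
from dataclasses import dataclass, field

# Constructed sample: a few of the :Files and :reg entries from the OTM script
# posted in this thread, kept short so the example stays readable.
SAMPLE_SCRIPT = r"""
:Files
C:\ProgramData\Performancer
C:\ProgramData\tOpbbuyer
C:\Program Files (x86)\PricceDownloadeR

:reg
[-HKLM\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
[-HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]

:Commands
[emptytemp]
[Reboot]
"""


@dataclass
class OtmScript:
    files: list = field(default_factory=list)        # paths to move/remove
    reg_delete: list = field(default_factory=list)   # (hive, subkey) pairs marked with '-'
    commands: list = field(default_factory=list)     # e.g. emptytemp, reboot


SECTION_RE = re.compile(r"^:(\w+)\s*$")
# [-HIVE\sub\key]  -> leading '-' means "delete this key"
REG_KEY_RE = re.compile(r"^\[(-?)(HK[A-Z]+)\\(.+)\]$")


def parse_otm(text: str) -> OtmScript:
    """Walk the script line by line, tracking which section we are in."""
    script = OtmScript()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "files":
            script.files.append(line)
        elif section == "reg":
            m = REG_KEY_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised registry line: {line}")
            minus, hive, subkey = m.groups()
            if minus != "-":
                raise ValueError(f"only key deletions ([-...]) expected: {line}")
            script.reg_delete.append((hive, subkey))
        elif section == "commands":
            script.commands.append(line.strip("[]").lower())
        else:
            raise ValueError(f"line outside any section: {line}")
    return script


def audit(script: OtmScript, file_exists, reg_key_exists) -> dict:
    """Return the indicators that are still present. The two predicates are
    injected so the same logic runs offline in tests and with real checks on
    the affected machine."""
    present = {"files": [], "reg": []}
    for path in script.files:
        if file_exists(path):
            present["files"].append(path)
    for hive, subkey in script.reg_delete:
        if reg_key_exists(hive, subkey):
            present["reg"].append(f"{hive}\\{subkey}")
    return present


def windows_reg_key_exists(hive: str, subkey: str) -> bool:
    """Assumed helper for use on Windows only: open the key read-only and report
    whether it exists. Import is deferred so the module loads elsewhere."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKU": winreg.HKEY_USERS, "HKCR": winreg.HKEY_CLASSES_ROOT}
    try:
        with winreg.OpenKey(hives[hive], subkey):
            return True
    except OSError:  # key missing or access denied
        return False


if __name__ == "__main__":
    parsed = parse_otm(SAMPLE_SCRIPT)
    # On Windows, pair os.path.exists with the winreg helper; elsewhere only files are checked.
    reg_check = windows_reg_key_exists if os.name == "nt" else (lambda h, k: False)
    print(audit(parsed, os.path.exists, reg_check))
```

On the cleaned machine the audit should come back empty; any entry it still reports is an artifact the fix did not remove and belongs in the next log posted to the thread.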
     
  5. robert221usa

    robert221usa Private E-2

    Thank you - I did run all three and the only issue I had was with OTM: it ran fine and asked for reboot but did not open up or save a log file anywhere (did a search for the name provided).

    The other two are attached though.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Robert. Give Hitman another run for me please and attach the log.
     
  7. robert221usa

    robert221usa Private E-2

    Ran with no issues - log attached - thank you.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    You also need to explain how things are running please. :)
     
  9. robert221usa

    robert221usa Private E-2

    Thank you - it was successful. This is my wife's computer so I will ask her to start to use it again and report back any other issues she is having. When I play around with it all seems pretty good - no more issues in Chrome, which is what brought us here in the first place, but I will ask her to use it as normal and see what happens - anything else we should do in the meantime?
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If she says all is well now, you can follow the steps below:


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    8. After doing the above, you should work through the below link:
     
