How to remove Claro Search Tool/Win32 Heur & possibly more

Discussion in 'Malware Help (A Specialist Will Reply)' started by Zeetv931, Dec 15, 2012.

  1. Zeetv931

    Zeetv931 Private E-2

    Hello...
    I have Windows Vista and last night I completed the Malware Removal/Cleaning Procedure exactly as stated. My issues are not resolved.

    I noticed that my computer was doing odd things about a week to 10 days ago. I would do a Google search, click on a link, and it would take me to a totally different website. At first I thought I was just clicking on a bogus link, but I soon realized that something was wrong when this was happening even when it was a legitimate site that I had visited before. I ran Malwarebytes and it found over 400 issues, which I cleared/cured. I downloaded AVG Anti-Virus (my other anti-virus had expired and honestly I just kept putting it off in getting a replacement) and ran a scan and it found problems too, which I cleared.

    After the AVG scan and clearing the issues, it said to restart, which I did, and that's when suddenly I had Claro Search Tool. My computer began running really erratically (almost like blips on the screen). I was getting pop-ups, and everything slowed down.


    Last night I ran through the exact procedures on the Malware Removal/Cleaning post. I did this in Safe Mode with Networking because it was so slow and unreliable, I don't think I would have been able to do it otherwise. I am still having probs with my computer being extremely slow, and now the Claro Search Tool takes over both Firefox and Internet Explorer. Every website I go to pops up stating that it could be malicious. I saw a comment on Microsoft.com that said to try to remove Claro by uninstalling it in Control Panel. I did this, and restarted, but it's still there.

    I'm attaching my logs. Please help!

    :(
     

  2. Zeetv931

    Zeetv931 Private E-2

    After reading through several other posts about Claro Search Tool issues, I also ran Junk Removal Tool.

    Log for that is also attached. After I ran it and restarted, now that seems to be gone and my IE has returned to a seemingly normal state.

    Please can you check my logs and see what else I need to do? Issues with blipping and slow computer still a factor.

    Thanks
     

    Attached Files:

    • JRT.txt
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You must uninstall either AVG 2013 or Microsoft Security Essentials immediately.

    Before we continue I would like for you to use MSConfig to put this machine back into normal startup mode.

    Please disable Spybot's TeaTimer.

    How to disable Spybot's TeaTimer


    Browser Manager <--- Uninstall this junk.

    Re-run Hitman and have it delete Potentially Unwanted Programs.


    http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this 1 detection:

    • [APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\ProgramData\Browser Manager\2.5.976.107\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\mngr.dll ) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    and the same for items on file/folder tab:
    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$6f716a2dd381e99277a073eaa918c251\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$6f716a2dd381e99277a073eaa918c251\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-443474756-47836419-3101542513-1000\$6f716a2dd381e99277a073eaa918c251\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$6f716a2dd381e99277a073eaa918c251\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-443474756-47836419-3101542513-1000\$6f716a2dd381e99277a073eaa918c251\L --> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.claro-search.com/?affID=...HP_ss&mntrId=b4a92c98000000000000001d6012c464
    • R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    • O2 - BHO: Claro LTD Helper Object - {000F18F2-09EB-4A59-82B2-5AE4184C39C3} - C:\Program Files\Claro LTD\claro\1.8.3.10\bh\claro.dll
    • O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
    • O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    • O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll
    • O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    • O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    • O3 - Toolbar: Claro LTD Toolbar - {9E131A93-EED7-4BEB-B015-A0ADB30B5646} - C:\Program Files\Claro LTD\claro\1.8.3.10\claroTlbr.dll
    • O3 - Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    • O4 - HKLM\..\RunOnce: [4558F1DF-E7FA-4C32-80A0-C6EDA46C93A0] cmd.exe /C start /D "C:\Users\Will\AppData\Local\Temp" /B 4558F1DF-E7FA-4C32-80A0-C6EDA46C93A0.exe -postboot
    • O4 - HKCU\..\Run: [Google] "xidpwooedd.exe"
    • O15 - Trusted Zone: *.agentware.net
    • O15 - Trusted Zone: *.cibt.com
    • O15 - Trusted Zone: *.etraveladisories.com
    • O15 - Trusted Zone: *.getthere.com
    • O15 - Trusted Zone: *.onthesnow.com
    • O15 - Trusted Zone: *.pathlore.net
    • O15 - Trusted Zone: *.portpromotions.com
    • O15 - Trusted Zone: *.sabre.com
    • O15 - Trusted Zone: *.sabreconsolidator.com
    • O15 - Trusted Zone: *.softvoyage.com
    • O15 - Trusted Zone: *.theluggageclub.com
    • O15 - Trusted Zone: *.travelpn.com
    • O15 - Trusted Zone: *.travisa.com
    • O15 - Trusted Zone: *.vacationstudio.net
    • O15 - Trusted Zone: *.vaxvacationaccess.com
    • O15 - Trusted Zone: *.virtuallythere.com
    • O15 - Trusted Zone: *.vtitin.com
    • O15 - Trusted Zone: *.wcities.com
    • O15 - Trusted Zone: *.wctravel.com
    • O15 - Trusted Zone: *.wellwishers.com
    • O15 - Trusted Zone: *.whatsonwhen.com
    • O15 - Trusted Zone: *.worktopia.com
    • O20 - AppInit_DLLs: c:\progra~2\browse~1\25976~1.107\{c16c1~1\mngr.dll
    • O23 - Service: Browser Manager - Unknown owner - C:\ProgramData\Browser Manager\2.5.976.107\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\mngr.exe
    NOTE: HJT may pop up an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix exit HJT.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
    C:\Users\Will\AppData\Roaming\Microsoft\Windows\Templates\ubu1g06qna22xo0d6g4fsrfg2do
    C:\Users\Will\AppData\Roaming\Claro
    C:\Users\Will\AppData\Roaming\Babylon
    C:\Users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Browser Manager
    C:\ProgramData\Babylon
    C:\ProgramData\Browser Manager
    C:\Program Files\Claro LTD
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC39C4.tmp
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC581D.tmp
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC7020.tmp
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC9869.tmp
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACE541.tmp
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACF2B7.tmp
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Google"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
    "4558F1DF-E7FA-4C32-80A0-C6EDA46C93A0"=-
    [HKEY_USERS\S-1-5-21-443474756-47836419-3101542513-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "Google"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{4F18B630-25B2-4079-9AD2-5AFCC5CD8A24}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4F18B630-25B2-4079-9AD2-5AFCC5CD8A24}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Please give CCleaner a run, not the registry scanner, just the cleaner itself to be rid of temp files.

    Re-run RogueKiller, just a scan, and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
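    The procedure above walks a fixed set of persistence points: the AppInit_DLLs value (HJT O20), Run/RunOnce entries (O4), Browser Helper Object CLSIDs (O2), Trusted Zone domains (O15), and the hex-named folders under $Recycle.Bin that RogueKiller labelled ZeroAccess. The PowerShell script below is an added example, not code from this thread or from any of the MajorGeeks tools: it reads those same locations and lists what it finds without changing anything, so the output can be compared line by line against the HJT and RogueKiller entries quoted above before anything is deleted. It assumes PowerShell 3.0 or later, run as Administrator, on a 32-bit install; the Wow6432Node twins of the HKLM keys on 64-bit Windows are not walked, and the CSV path in the last comment is an assumed location.

```powershell
# Read-only audit of the persistence points the thread's HijackThis and OTM steps touch.
# Added example, not from the thread or from MajorGeeks. Assumes PowerShell 3.0 or later,
# run elevated (Run as Administrator) on a 32-bit Windows install; on 64-bit Windows the
# HKLM keys have Wow6432Node twins that this script does not walk. It changes nothing.

$findings = New-Object System.Collections.Generic.List[object]
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider noise to skip

function Add-Finding([string]$Type, [string]$Name, [string]$Value, [string]$Note = '') {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Value = $Value; Note = $Note })
}

# 1. AppInit_DLLs (HJT O20): every DLL listed here is loaded into each process that loads
#    user32.dll, so any non-empty value needs an explanation.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { Add-Finding 'AppInit_DLLs' $winKey $appInit 'non-empty; expect empty on a clean machine' }

# 2. Run / RunOnce (HJT O4) for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        # A bare file name with no directory (like the thread's "xidpwooedd.exe") relies on
        # the search path; legitimate startup entries almost always carry a full path.
        $note = if ($cmd -notmatch '\\') { 'no directory in command' } else { '' }
        Add-Finding 'Run' "$key\$($p.Name)" $cmd $note
    }
}

# 3. Browser Helper Objects (HJT O2): the BHO key only lists CLSIDs; the DLL is the default
#    value of the CLSID's InprocServer32 key. Orphans ("no file") and missing DLLs stand out.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($sub in (Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue)) {
    $clsid = $sub.PSChildName
    $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { [string]$srv.'(default)' } else { '' }
    $note = if (-not $dll) { 'no file' } elseif (-not (Test-Path -LiteralPath $dll)) { 'DLL missing on disk' } else { '' }
    Add-Finding 'BHO' $clsid $dll $note
}

# 4. Trusted Zone domains (HJT O15): under ZoneMap\Domains a value of 2 means Trusted sites.
$zoneRoots = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
foreach ($root in $zoneRoots) {
    foreach ($sub in (Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            if ($p.Value -eq 2) { Add-Finding 'TrustedZone' $sub.Name "$($p.Name)=2" '' }
        }
    }
}

# 5. The folders RogueKiller flagged as ZeroAccess: a name of "$" plus 32 hex digits under a
#    per-SID Recycle Bin folder (including the SYSTEM SID S-1-5-18, which should not own one),
#    holding the U and L subfolders the thread's log shows.
$binRoot = 'C:\$Recycle.Bin'
foreach ($sidDir in (Get-ChildItem -LiteralPath $binRoot -Directory -Force -ErrorAction SilentlyContinue)) {
    foreach ($d in (Get-ChildItem -LiteralPath $sidDir.FullName -Directory -Force -ErrorAction SilentlyContinue)) {
        if ($d.Name -match '^\$[0-9a-f]{32}$') {
            $children = (Get-ChildItem -LiteralPath $d.FullName -Force -ErrorAction SilentlyContinue |
                         Select-Object -ExpandProperty Name) -join ','
            Add-Finding 'RecycleBinDir' $d.FullName $children 'hex-named folder; compare with RogueKiller ZeroAccess entries'
        }
    }
}

$findings | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
# Optional: keep a copy to attach to a help thread (assumed path).
# $findings | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\persistence-audit.csv"
```

    Everything the script reports is context, not a verdict: a Yahoo! toolbar BHO or a Trusted Zone entry added by an employer's intranet is normal, while an AppInit_DLLs value pointing into ProgramData, a Run entry with no path, or a hex-named folder under the SYSTEM recycle bin matches what the helper removed here. Running it once before and once after a cleanup also gives a before/after record of exactly which entries changed.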
     
  4. Zeetv931

    Zeetv931 Private E-2

    Hi Kestrel,
    First I want to apologize for my lack of computer savvy in case I messed anything up while attempting to follow your instructions!

    I uninstalled AVG and kept Windows Security Essentials.

    Had some issues with RogueKiller. Somehow I ended up with like 5 logs. So I attached everything so you can see them. Sorry! I don't know what the heck I was doing for real! :-o I never saw the file that you said to check in the Registry tab:

    so I went to the file/folder tab anyway and deleted those items.

    Logs attached.

    Blipping has stopped and computer seems faster already.



    When looking at the list from HJT, at least half the items you had on the list weren't there. I checked the ones that were though as indicated.
     


  5. Zeetv931

    Zeetv931 Private E-2

    MG Logs zip file attached

    Sorry if I messed anything up. I'm trying! :)

    I really appreciate your help, Kestrel. I'll await your reply to see next steps.

    BTW... I've learned a valuable lesson about AV and not to let it run out! I also need to figure out how to security-enable my wireless router as I didn't realize what an open door I was creating by not having it protected. This site and everyone who helps on here is AWESOME!
     


    Last edited: Dec 17, 2012
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome, and in my opinion you didn't mess up anything. :)

    You did not do this though:
    Now the logs look clean. Are you ready for me to post final steps?
     
  7. Zeetv931

    Zeetv931 Private E-2

    Thank you! Glad to know I'm not a hopeless case here!

    I went ahead and did the MSConfig now. Hope that was okay.

    I'm def ready for final steps.


    Also, can you tell me which topic/section in the forum I should go to figure out how to set up security on my wireless router? Right now there's no password or anything.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try the Networking Forum. :)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  9. Zeetv931

    Zeetv931 Private E-2

    Thank you so much, Kestrel! You're an absolute doll! I really appreciate all that you helped me with. Everything is A okay and I did all the steps to put Humpty Dumpty back together again and protect my machine. You're awesome! Enjoy the Holidays!:-D
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem! :) Happy Holidays!
     
