Removing rogue browser bar

Dear friend,

I have been on the site before when Chaslang very kindly helped me to remove a rogue browser bar.

I am afraid that after almost six months of rogue browser bar and pop-up free operation...they're back!

My two teenage sons share this PC with separate user accounts and I dont know whether music files or videos they may have downloaded have brought this back to me!

Would anyone be able to help me with another look at a HijackThis log please?

PS. I have tried a system restore but this is now telling me that no system restore is available so I fear the virus has embedded itself in the system files.

Nick

 

Please follow standard cleanup procedures as given below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

Dear bjgarrick,

Thanks for your help.

I have fully complied with all of the steps outlined in the basic spyware, trojan and virus removal thread, including updates for all of the tools/utilities listed. Everything scanned OK but I am afraid that the LOP.com browser bars (at both the top and bottom of the screen) are still present.

I have now attached a HJT logfile and would value your advice on those things it would be safe to remove.

Please let me know if you need any further information or for me to take any further action.

Thanks again.

Nick

 

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vkeolhdlvvqxtcczmkvgjrdft.us/_d1bFPsjRzCLD0Yn0W5fVO444/KpGNDotHqeKETF p6JwShzuovDUU5BOoFghyD7z.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

O2 - BHO: (no name) - {4C09941E-C1BE-92FD-CDB5-36DB47821763} - C:\DOCUME~1\Patrick\APPLIC~1\MOVEAD~1\Window Audio.exe (file missing)

O4 - HKLM\..\Run: [Vgasettings01coal] C:\Documents and Settings\All Users\Application Data\USER SLOW VGA SETTINGS\Blue Itch.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Downloads\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [AxisBoob] C:\DOCUME~1\Nick\APPLIC~1\MANAGE~1\RdrNew.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\Documents and Settings\All Users\Application Data\USER SLOW VGA SETTINGS ←–– Delete this whole folder if it exist!

C:\Documents and Settings\Nick\Application Data\MANAGE~1 ←–– Delete this whole folder if it exist!

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Dear bjgarrick,

Thanks for your help

I have complied with the advice in your second post.

Although I deleted the following on the first scan of HJT, I notice it has reappeared at the top of the new HJT log - see attached new HJT log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vkeolhdlvvqxtcczmkvgjrdf.../KpGNDotHqeKETF
p6JwShzuovDUU5BOoFghyD7z.cgi.

Also when running Ad-Aware and SPybot S&D they both detected a problem that they apparently could not fix (even when prompted to reboot the PC). This was shown as: "AltnetBDE. A data miner. RegKey. Location: software/altnet.

Everything else seems ok and the lop bars have gone from IE now.

Perhaps you could take another look at the new HJT log and advise accordingly.

Many thanks

Nick

 

Scan with HJT and have it fix the below entry:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wzqhbwfhctsmeosm.biz/_d1bFPsjRzCLD0Yn0W5fVO444/KpGNDotHqeKETFp6LUMPdSYnT9 apBOoFghyD7z.html

After you remove the above entry procede with the below step:

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file iefix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the iefix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

After you complete the above reboot and attach a fresh HJT log.

 

Hi,

Thanks for your help again.

I have been away for four days so apologies for the delay in getting back to you.

I have complied with the advice in your last post and have attached another HJT log as below. I'd be grateful if you could let me know if you think I need to take any further action.

Thanks again.

Nick

 

Your HJT log is clean, are you having any further problems?

 

Hi,

All appears well now. Many thanks for all of your help with this - it is much appreciated - Respect!

Do you think I need to take any action that could prevent the LOP.com problem returning?


Nick

 

Yes, I would recommend your following the steps in this thread How to Protect yourself from malware!

Surf Safely!