Virus to Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by bhaunna, Apr 14, 2015.

  1. bhaunna

    bhaunna Private E-2

    My wife managed to download a virus by inadvertently 'updating' Adobe Flash. I've run the Read and RUN ME FIRST. The computer seems to not have the virus problems but does have a browser hijacking issue now. All browsers' homepages load www-searching.com. Any help would be greatly appreciated!
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun Hitman and have it fix everything it found.

    Then rerun RogueKiller and have it fix these items:
    Code:
    [PUP] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | SearchProtect : \SearchProtect\bin\cltmng.exe  -> Found
    [PUP] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | SearchProtect : \SearchProtect\bin\cltmng.exe  -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sbmntr (\??\C:\PROGRA~2\YTDOWN~1\sbmntr.sys) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sbmntr (\??\C:\PROGRA~2\YTDOWN~1\sbmntr.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BPPpCCvLvUR ("C:\ProgramData\gCPOdYY\BPPpCCvLvUR.exe") -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\fpv (c:\windows\fpv.exe) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mfpv (c:\windows\mfpv.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sbmntr (\??\C:\PROGRA~2\YTDOWN~1\sbmntr.sys) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SMUpd (C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe /service) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SMUpdd (\??\C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys) -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1913550328-2428899425-3548616479-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://taplika.com/?f=1&a=tpl_tuto9_15_15&cd=2XzuyEtN2Y1L1Qzu0FzztC0AyCyBtD0EyDzztB0AtAtBzyyCtN0D0Tzu0StCtCzyyBtN1L2XzutAtFzztFtAtFtAtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyD0AtB0FtD0BtCyDtGtC0A0AyDtGzzzztD0BtG0AtDtB0BtGtCyC0EtDtC0DtDtAtCtB0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0EtDtB0EyDyEtGyD0AyDyBtGyEtC0DzztGzztCzz0CtG0C0FtB0B0DyC0E0EyC0C0BtD2QtN1B2Z1V1T1S1NzuyCyCyD&cr=1979882857&ir=  -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1913550328-2428899425-3548616479-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://taplika.com/?f=1&a=tpl_tuto9_15_15&cd=2XzuyEtN2Y1L1Qzu0FzztC0AyCyBtD0EyDzztB0AtAtBzyyCtN0D0Tzu0StCtCzyyBtN1L2XzutAtFzztFtAtFtAtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyD0AtB0FtD0BtCyDtGtC0A0AyDtGzzzztD0BtG0AtDtB0BtGtCyC0EtDtC0DtDtAtCtB0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0EtDtB0EyDyEtGyD0AyDyBtGyEtC0DzztGzztCzz0CtG0C0FtB0B0DyC0E0EyC0C0BtD2QtN1B2Z1V1T1S1NzuyCyCyD&cr=1979882857&ir=  -> Found
    [Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:/PROGRA~3/{80856~1/193~1.1/lifi.dll  -> Found
    Now have it fix these items:
    Code:
    ¤¤¤ Registry : 26 ¤¤¤
    [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{60260024-AA48-4A2F-84DA-2C2DCB24AAD0} (C:\Program Files (x86)\Consumer Input\InternetExplorer\x64\cpturlpassthru.dll) -> Found
    [PUP] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | SearchProtect : \SearchProtect\bin\cltmng.exe  -> Found
    [PUP] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | SearchProtect : \SearchProtect\bin\cltmng.exe  -> Found
    [PUP] (X64) HKEY_USERS\S-1-5-21-1913550328-2428899425-3548616479-1001\Software\Microsoft\Windows\CurrentVersion\Run | Optimizer Pro : C:\Program Files (x86)\Optimizer Pro 3.79\OptProLauncher.exe  -> Found
    [PUP] (X86) HKEY_USERS\S-1-5-21-1913550328-2428899425-3548616479-1001\Software\Microsoft\Windows\CurrentVersion\Run | Optimizer Pro : C:\Program Files (x86)\Optimizer Pro 3.79\OptProLauncher.exe  -> Found
    And then, these items;
    Code:
    ¤¤¤ Tasks : 2 ¤¤¤
    [Suspicious.Path] IPKFS.job -- C:\Users\Lenovo\AppData\Roaming\IPKFS.exe (/infocmdline=J0XRa9t2pIuJ5JrGs3mr4wRnb1vGCAXrkEzYGwjl/UM0/nIWnvOwXYs2USetpzy7adhOKgH6IsYyL6GWbuwSLqlbBgoOKCOPUJ+Sni6/Yq9ndc5AB9x+xJpimq58No7zATdFlLa5KLgKLWEUIU+kdPAv/54GTYTk/pQGw+amAr94Ib1keRYpCNg5zV1+bw20Zi+IvLJQrdNvTMpp7htdz4O1WjpKCGGydl0NW1MGFOgJVPbkeKdtFXoZFDsAAcfLUpnOivRQFbxO4OAu2+GQV2D5xxkiyjAfWhfYxG+RJ2th1ai7bcHtr2nZprPPUjAwZ7A0Z7sAK3lN8TZRr8Qaun2af0QVSeiz0YjKeNJwj7CV76ikvG1pL7Sz+gbsz1GyaNu/vUMhn4ETNc3dKJccJ8BI9ygsRCHZp7hJgSPsKTLmw51QJx+PB2A+QDXyNpdx4rf/oV7ez8yroq5MbaF0NVzmxB4lIQNagub6gSiOTT858D+n8ygPX3EXjBtyHJzj) -> Found
    [Suspicious.Path] Wse_taplika.job -- C:\Users\Lenovo\AppData\Roaming\WSE_TA~1\UPDATE~1\UPDATE~1.EXE (/Check) -> Found
    And last, these items:
    Code:
    ¤¤¤ Files : 1 ¤¤¤
    [Suspicious.Path][File] hqghumeaylnlf.lnk -- C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk [LNK@] C:\PROGRA~3\{95233~1\HQGHUM~1.EXE /startup -> Found
    Reboot and rescan with both Hitman and RogueKiller and attach the new logs.

    Be sure to tell me how things are running.
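    The fix list above walks the classic Windows autostart locations one by one: Run values in the SYSTEM and .DEFAULT hives, service and driver ImagePaths, AppInit_DLLs, legacy .job scheduled tasks, and a shortcut in the per-user Startup folder. The script below is an added example, not code from this thread, from RogueKiller or from Hitman: it enumerates those same locations on a live machine and flags entries that share the traits of the ones removed here (ProgramData/AppData paths, 8.3 short names, loose executables directly under C:\Windows, missing or unsigned binaries). The flagging rules and the best-effort extraction of the command line from binary .job files are this script's own assumptions. It is read-only and deletes nothing; run it from an elevated PowerShell 3 or later prompt.

```powershell
# Added example: not code from this thread, from RogueKiller or from Hitman.
# Enumerates the persistence locations the RogueKiller log above hit (Run keys
# in every loaded user hive, service ImagePaths, AppInit_DLLs, .job / XML
# scheduled tasks, Startup-folder shortcuts) and flags entries that look like
# the ones removed above. Flagging rules are this script's own assumptions.
# Read-only: reports only, deletes nothing. Run from an elevated PowerShell 3+.

function Get-TargetPath {
    param([string]$CommandLine)
    # Reduce a Run value, ImagePath or AppInit_DLLs entry to the binary it loads.
    $s = $CommandLine.Trim() -replace '^\\\?\?\\', ''              # drop the \??\ NT prefix
    $s = [Environment]::ExpandEnvironmentVariables($s)              # %SystemRoot%\... etc.
    if ($s -match '^\\?SystemRoot\\') { $s = $s -replace '^\\?SystemRoot', $env:SystemRoot }
    elseif ($s -match '^system32\\')  { $s = "$env:SystemRoot\$s" }  # driver-style relative path
    if ($s -match '^"([^"]+)"') { return $Matches[1] }               # quoted path, arguments follow
    if ($s -match '^(.+?\.(exe|dll|sys))(\s|$)') { return $Matches[1] }
    return $s
}

function Test-SuspiciousPath {
    param([string]$Path)
    $why = @()
    if ($Path -match '\\(ProgramData|AppData)\\')          { $why += 'ProgramData/AppData path' }
    if ($Path -match '~\d')                                 { $why += '8.3 short name' }
    if ($Path -match '^[A-Za-z]:\\windows\\[^\\]+\.exe$')   { $why += 'loose .exe under C:\Windows' }
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { $why += 'file missing or unresolved' }
    elseif ((Get-AuthenticodeSignature -LiteralPath $Path).Status -ne 'Valid') { $why += 'no valid Authenticode signature' }
    return $why
}

function Get-PersistenceEntries {
    $out = New-Object System.Collections.Generic.List[object]
    $add = { param($loc, $name, $cmd)
        $out.Add([pscustomobject]@{ Location = $loc; Name = $name; Path = (Get-TargetPath $cmd) }) }

    # 1. Run keys: every loaded hive under HKU (S-1-5-18 and .DEFAULT included), both registry views
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        foreach ($view in 'Software', 'Software\Wow6432Node') {
            $key = "Registry::$($hive.Name)\$view\Microsoft\Windows\CurrentVersion\Run"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $k = Get-Item -LiteralPath $key
            foreach ($name in $k.GetValueNames()) { & $add "Run ($($hive.PSChildName))" $name $k.GetValue($name) }
        }
    }
    # 2. Service and driver binaries (where sbmntr.sys, smu.exe and BPPpCCvLvUR.exe were registered)
    foreach ($svc in Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services) {
        $img = $svc.GetValue('ImagePath')
        if ($img) { & $add 'Service' $svc.PSChildName $img }
    }
    # 3. AppInit_DLLs (lifi.dll above); the value may hold several space- or comma-separated DLLs
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $v = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).AppInit_DLLs
        foreach ($d in ($v -split '[ ,]+' | Where-Object { $_ })) {
            $p = $d -replace '/', '\'                                # log above showed forward slashes
            & $add 'AppInit_DLLs' (Split-Path $p -Leaf) $p
        }
    }
    # 4. Scheduled tasks: legacy .job files (IPKFS.job, Wse_taplika.job) and Task Scheduler 2.0 XML.
    #    .job is binary with UTF-16 strings; taking the first path-like string is a best-effort assumption.
    Get-ChildItem "$env:windir\Tasks\*.job" -ErrorAction SilentlyContinue | ForEach-Object {
        $txt = [Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($_.FullName))
        if ($txt -match '([A-Za-z]:\\[^\x00]+?\.(exe|dll|cmd|bat))') { & $add 'Task (.job)' $_.Name $Matches[1] }
    }
    Get-ChildItem "$env:windir\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        try { $x = [xml](Get-Content -LiteralPath $_.FullName -Raw) } catch { return }
        foreach ($e in @($x.Task.Actions.Exec)) { if ($e.Command) { & $add 'Task (xml)' $_.Name $e.Command } }
    }
    # 5. Startup-folder shortcuts (hqghumeaylnlf.lnk above), resolved through WScript.Shell
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                     "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
        Get-ChildItem "$dir\*.lnk" -ErrorAction SilentlyContinue | ForEach-Object {
            & $add 'Startup (.lnk)' $_.Name $wsh.CreateShortcut($_.FullName).TargetPath
        }
    }
    return $out
}

# Print only the entries that trip at least one heuristic, with the reasons.
Get-PersistenceEntries | ForEach-Object {
    $why = Test-SuspiciousPath $_.Path
    if ($why) { $_ | Add-Member -NotePropertyName Why -NotePropertyValue ($why -join '; ') -PassThru }
} | Format-Table Location, Name, Path, Why -AutoSize -Wrap
```

    Two caveats when reading the output. The per-user Startup folder is taken from $env:APPDATA, so it covers the account running the script; for another profile (the Lenovo account in this thread) substitute that user's path. On older Windows builds Get-AuthenticodeSignature does not see catalog signatures, so some legitimate Microsoft files will show "no valid Authenticode signature"; treat every flag as a triage hint to be confirmed against the scanner logs, not as a verdict. Relative entries such as the \SearchProtect\bin\cltmng.exe value above cannot be resolved and are reported as "file missing or unresolved", which is itself worth a look.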
     
  3. bhaunna

    bhaunna Private E-2

    Ran the instructions as best I could. I'm still having hijacking problems with the web browser (www-searching.com). Here are the logs. I made sure to update Hitman to the most recent version.
    Thanks in advance -
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Which browser is giving you problems?

    Rerun Hitman and remove the one item it finds.
     
  5. bhaunna

    bhaunna Private E-2

    I've run Hitman again (I've attached the log). The original virus that was opening unwanted programs appears to no longer be active but all three browsers are still having trouble with hijacking to www-searching.com. The hijacking only happens when I initially open the browser or open a new tab. I've also gone into all three browsers and made sure that the browser settings and search options are set correctly.

    Thanks in advance!
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to rerun Hitman and have it delete this item:

    Suspicious files ____________________________________________________________

    C:\Users\Lenovo\AppData\Local\Temp\nsy405C.tmp\ezklbxix.dll

    Reboot and rescan with Hitman and attach the new log.
     
