
Zip Opener Packages in programs list after browser hijacker found



#1 Pakkpekatt

Pakkpekatt

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 22 January 2014 - 01:39 PM

I'm running 64-bit Windows 7. I tried downloading software called Synergy for screen sharing between my PC monitor and laptop, but clicked the wrong link I believe, and could tell that I hadn't just installed what I had intended. Firefox opened and the home page had been set to something like "mysearchdial". I immediately closed the browser and did a Malwarebytes Anti-Malware quick scan. There were 62 items found; I checked each box to remove all of them, restarted my PC, and ran another scan. This time only 3 items were found, and they were named PUP.mysearchdial... or something very similar. I opened Firefox and looked at the AddOns. There were 2 new AddOns with that name. I removed them, restarted Firefox, and things look back to normal. The third malwarebytes quick scan I ran was clean.

 

Right after the install, I had checked the Programs list in the Control Panel and noticed a few new things just installed. One was called OpenIt!, which I ran the Uninstall on and it looked successful. There was another whose name I now can't remember (I panicked!), but was also able to uninstall.

 

After all of these scans and uninstalls though, I still see something called "Zip Opener Packages" in my Programs list. Attempting to Uninstall brings up an almost blank window, and executing doesn't actually uninstall it. As I mentioned though, the latest malwarebytes quick scan was clean. How can I get rid of this, and/or should I be concerned? My hunch is yes, but I'm not sure how to go about thorough removal. Thanks in advance for any help!




 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:56 PM

Posted 22 January 2014 - 04:06 PM

Hello -

This is the official review of it (from outside their program) -

What is Zip Opener Packages?
The software uses the Install Core Click run software which is an installer which bundles legitimate applications with offers for additional third party applications that may be unwanted by the user. Such third party applications are typically installed onto users’ computers by default, but may include an option to ‘opt-out’ during or after the installation process. Typical bundled installs include DealPly as well as other potentially unwanted programs.
Overview
Known to reinstall itself
Known to include offers within the setup
The wisdom of the experts agree, if you don't use it you should remove it
 

 

Please download and run RKill by Grinler.

A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

 

Important: Do not reboot your computer until you complete the next step.

 

Please download AdwCleaner by Xplode and save to your Desktop.
+ NOTE : Please close or save all work, as the computer will be Rebooted
+ Double-click on AdwCleaner.exe to run the tool.
+ Vista/Windows 7/8 users right-click and select Run As Administrator.
+ Click on the Scan button. (only once)
+ AdwCleaner will begin...be patient as the scan may take some time to complete.
+ After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for your review. Uncheck any item you wish to keep, or post it here for review.

+ NOW - Click on the Clean button. (only once)
+ Press OK when asked to close all programs and follow the onscreen prompts.
+ Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
+ After Auto rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Copy and Paste the contents of that logfile in your next reply.
+ A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

Thank You -



#3 Pakkpekatt

Pakkpekatt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 22 January 2014 - 05:40 PM

Thank you for the quick and helpful response. The AdwCleaner logfile contents are below:

 

# AdwCleaner v3.017 - Report created 22/01/2014 at 17:35:28
# Updated 12/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Angela - ANGELA-PC
# Running from : C:\Users\Angela\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Angela\AppData\Roaming\0D0S1L2Z1P1B0T1P1B2Z
File Deleted : C:\Users\Angela\AppData\Roaming\Mozilla\Firefox\Profiles\x0auwary.default\searchplugins\Mysearchdial.xml
File Deleted : C:\Users\Angela\AppData\Roaming\Mozilla\Firefox\Profiles\x0auwary.default\user.js
File Deleted : C:\Windows\Tasks\MySearchDial.job
File Deleted : C:\Windows\System32\Tasks\MySearchDial

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Opener Packages
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mysearchdial

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\Angela\AppData\Roaming\Mozilla\Firefox\Profiles\x0auwary.default\prefs.js ]

Line Deleted : user_pref("browser.search.defaultenginename", "Mysearchdial");
Line Deleted : user_pref("browser.search.order.1", "Mysearchdial");
Line Deleted : user_pref("browser.search.selectedEngine", "Mysearchdial");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://start.mysearchdial.com/?f=1&a=dsites0101&cd=2XzuyEtN2Y1L1QzuyByE0E0AtA0AzzzztBtAyDtB0D0FyC0DtN0D0Tzu0SyByDtAtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutBtBtDtC[...]
Line Deleted : user_pref("extensions.mysearchdial.AL", 2);
Line Deleted : user_pref("extensions.mysearchdial.aflt", "dsites0101");
Line Deleted : user_pref("extensions.mysearchdial.appId", "{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}");
Line Deleted : user_pref("extensions.mysearchdial.cd", "2XzuyEtN2Y1L1QzuyByE0E0AtA0AzzzztBtAyDtB0D0FyC0DtN0D0Tzu0SyByDtAtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutBtBtDtC1C1N");
Line Deleted : user_pref("extensions.mysearchdial.cntry", "US");
Line Deleted : user_pref("extensions.mysearchdial.cr", "383849680");
Line Deleted : user_pref("extensions.mysearchdial.dfltLng", "");
Line Deleted : user_pref("extensions.mysearchdial.dfltSrch", true);
Line Deleted : user_pref("extensions.mysearchdial.dnsErr", true);
Line Deleted : user_pref("extensions.mysearchdial.dpkLst", "3654782829,1334533236,1121012847,231756876,1895130307,603719297,4288797614,3754950497,426401714,3046281807,752626116,1657571787,3224935090,2597085128,18285[...]
Line Deleted : user_pref("extensions.mysearchdial.excTlbr", false);
Line Deleted : user_pref("extensions.mysearchdial.hdrMd5", "D731449001F2469A217B305A5BEC9550");
Line Deleted : user_pref("extensions.mysearchdial.hmpg", true);
Line Deleted : user_pref("extensions.mysearchdial.hmpgUrl", "hxxp://start.mysearchdial.com/?f=1&a=dsites0101&cd=2XzuyEtN2Y1L1QzuyByE0E0AtA0AzzzztBtAyDtB0D0FyC0DtN0D0Tzu0SyByDtAtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1Czut[...]
Line Deleted : user_pref("extensions.mysearchdial.id", "74EA3A882352DF6D");
Line Deleted : user_pref("extensions.mysearchdial.instlDay", "16092");
Line Deleted : user_pref("extensions.mysearchdial.instlRef", "");
Line Deleted : user_pref("extensions.mysearchdial.lastB", "hxxp://start.mysearchdial.com/?f=1&a=dsites0101&cd=2XzuyEtN2Y1L1QzuyByE0E0AtA0AzzzztBtAyDtB0D0FyC0DtN0D0Tzu0SyByDtAtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutBt[...]
Line Deleted : user_pref("extensions.mysearchdial.lastVrsnTs", "");
Line Deleted : user_pref("extensions.mysearchdial.newTabUrl", "hxxp://start.mysearchdial.com/?f=2&a=dsites0101&cd=2XzuyEtN2Y1L1QzuyByE0E0AtA0AzzzztBtAyDtB0D0FyC0DtN0D0Tzu0SyByDtAtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1Cz[...]
Line Deleted : user_pref("extensions.mysearchdial.pnu_base", "{\"newVrsn\":\"90\",\"lastVrsn\":\"90\",\"vrsnLoad\":\"\",\"showMsg\":\"false\",\"showSilent\":\"false\",\"msgTs\":0,\"lstMsgTs\":\"0\"}");
Line Deleted : user_pref("extensions.mysearchdial.prdct", "mysearchdial");
Line Deleted : user_pref("extensions.mysearchdial.prtnrId", "mysearchdial");
Line Deleted : user_pref("extensions.mysearchdial.sg", "{smplGrp}");
Line Deleted : user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial");
Line Deleted : user_pref("extensions.mysearchdial.tlbrId", "base");
Line Deleted : user_pref("extensions.mysearchdial.tlbrSrchUrl", "hxxp://start.mysearchdial.com/?f=3&a=dsites0101&cd=2XzuyEtN2Y1L1QzuyByE0E0AtA0AzzzztBtAyDtB0D0FyC0DtN0D0Tzu0SyByDtAtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1[...]
Line Deleted : user_pref("extensions.mysearchdial.vrsn", "1.8.21.0");
Line Deleted : user_pref("extensions.mysearchdial.vrsni", "1.8.21.0");
Line Deleted : user_pref("extensions.mysearchdial_i.hmpg", true);
Line Deleted : user_pref("extensions.mysearchdial_i.newTab", false);
Line Deleted : user_pref("extensions.mysearchdial_i.smplGrp", "none");
Line Deleted : user_pref("extensions.mysearchdial_i.vrsnTs", "1.8.21.012:49:27");

*************************

AdwCleaner[R0].txt - [7432 octets] - [22/01/2014 17:12:39]
AdwCleaner[S0].txt - [6904 octets] - [22/01/2014 17:35:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6964 octets] ##########
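
A small triage script for a log like the one above, as an added example that is not part of the original post and not AdwCleaner's own code: it parses the section headers and entries and tags the ones worth reviewing first (scheduled tasks, the Firefox user.js file, the Uninstall key behind the Programs-list entry, IE search providers). The tag names and regexes are assumptions made for this example; the sample is an excerpt of the log posted above.

```python
import re

# Excerpt of the AdwCleaner[S0].txt log posted above (not the complete log).
SAMPLE_LOG = r"""
***** [ Files / Folders ] *****
File Deleted : C:\Users\Angela\AppData\Roaming\Mozilla\Firefox\Profiles\x0auwary.default\user.js
File Deleted : C:\Windows\Tasks\MySearchDial.job
File Deleted : C:\Windows\System32\Tasks\MySearchDial
***** [ Registry ] *****
Key Deleted : HKLM\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zip Opener Packages
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
***** [ Browsers ] *****
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
Line Deleted : user_pref("extensions.mysearchdial.hmpg", true);
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ENTRY = re.compile(r"^(\w+ (?:Deleted|Restored)) : (?:\[x64\] )?(.+)$")

# Triage heuristics chosen for this example (assumptions, not AdwCleaner categories).
TAGS = [
    ("scheduled-task", re.compile(r"\\Windows\\(?:System32\\)?Tasks\\", re.I)),
    ("firefox-user.js", re.compile(r"\\Firefox\\Profiles\\[^\\]+\\user\.js$", re.I)),
    ("uninstall-entry", re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)),
    ("search-provider", re.compile(r"\\SearchScopes\\", re.I)),
]

def parse_log(text):
    """Return one dict per log entry: section, action, target, tags."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := ENTRY.match(line):
            target = m.group(2)
            tags = [name for name, rx in TAGS if rx.search(target)]
            entries.append({"section": section, "action": m.group(1),
                            "target": target, "tags": tags})
    return entries

def by_tag(entries):
    """Group targets under each heuristic tag for a quick review."""
    out = {}
    for e in entries:
        for t in e["tags"]:
            out.setdefault(t, []).append(e["target"])
    return out

if __name__ == "__main__":
    for tag, targets in by_tag(parse_log(SAMPLE_LOG)).items():
        print(tag, *targets, sep="\n  ")
```

Firefox re-applies the preferences in user.js at every start, and a scheduled task can relaunch a program, so those two tags mark the entries to re-check if the search settings come back after cleaning.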
 



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:56 PM

Posted 22 January 2014 - 07:31 PM

Hi -

Please download this to your desktop and double-click to run it: avast! cleanup

 

That has already pulled a few small bits out, did we get your problem?

 

Thank You -



#5 Pakkpekatt

Pakkpekatt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 22 January 2014 - 09:08 PM

Yes, thanks again so much, I appreciate it!



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:56 PM

Posted 23 January 2014 - 03:36 AM

I will watch here for a few days to check all remains OK

 

Thanks -





