Tuvaro


6 replies to this topic

#1 CrimsonOshun

  • Members

Posted 27 February 2014 - 01:45 PM

Hi, has anyone out there run into issues with Tuvaro? I have been bashing my head against this all morning. I have tried everything I can think of and all the suggestions I could find. Am very frustrated. I have used AdwCleaner, JTR, Malwarebytes, Hitman Pro, and CCleaner. I have changed the homepage back to Google. I have checked the settings in the shortcut properties. I have reset the browser settings (deleting personal settings) and lastly attempted to find it through regedit.
The only browser still affected is IE 10; when I open the browser the Tuvaro home page appears, and if I hit the home button, Google returns... Help??

Namaste, Oshun

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum, due to the absence of malware logs or the prep guide being followed. ~ Animal


#2 Sirawit

  • Malware Response Team

Posted 27 February 2014 - 01:55 PM

Hi Oshun and welcome to bleepingcomputer! :)

Can I see your adwcleaner log?

It's located in C:\adwcleaner\adwcleaner[sX].txt or adwcleaner[rX].txt, where X is the highest number; e.g. if you have s0, s1 and s2, post s2.

If you have both an s and an r version, post both of them.

Thank you.


Edited by Sirawit, 27 February 2014 - 01:55 PM.

If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#3 Netghost56

  • Members

Posted 27 February 2014 - 01:56 PM

Under Internet Options, what is shown as your homepage?

Just to clarify:

You've removed it from Add/Remove Programs?

You've searched for the string "Tuvaro-search.com" in regedit?



#4 CrimsonOshun

  • Topic Starter

Posted 27 February 2014 - 02:02 PM

Internet Options says my homepage is www.google.ca. Yes, I have removed it in Add/Remove Programs. I have searched for Tuvaro-search.com in regedit. I can get those logs, but the computer in question is doing an Avast boot scan currently. The scan has found one object: "C:\ProgramData\IE\common.dll is infected by Win32:BHO_AMO [PUP]X.pl". Kinda hoping that's it. And thanks for the welcome and for moving me to the right forum.



#5 CrimsonOshun

  • Topic Starter

Posted 27 February 2014 - 03:13 PM

adwcleaner log, as requested

 

# AdwCleaner v3.019 - Report created 26/02/2014 at 19:12:26
# Updated 17/02/2014 by Xplode
# Operating System : Windows 8  (64 bits)
# Username : viola - PEGGY
# Running from : C:\Users\viola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AXZIZ624\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\ProgramData\eSafe
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\ProgramData\uniblue
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\uniblue
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\DealPly
Folder Deleted : C:\Program Files (x86)\DefaultTab
Folder Deleted : C:\Program Files (x86)\Mobogenie
Folder Deleted : C:\Program Files (x86)\MyPC Backup
Folder Deleted : C:\Program Files (x86)\SaltarSmart
Folder Deleted : C:\windows\SysWOW64\Searchprotect
Folder Deleted : C:\Users\viola\AppData\Local\NativeMessaging
Folder Deleted : C:\Users\viola\AppData\Local\Searchprotect
Folder Deleted : C:\Users\viola\AppData\Local\WhiteListing
Folder Deleted : C:\Users\viola\AppData\Local\Temp\AirInstaller
Folder Deleted : C:\Users\viola\AppData\Local\Temp\Desk365
Folder Deleted : C:\Users\viola\AppData\Local\Temp\NativeMessaging
Folder Deleted : C:\Users\viola\AppData\Local\Temp\SaltarSmart
Folder Deleted : C:\Users\viola\AppData\Local\Temp\CT3294791
Folder Deleted : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\CT3294791
Folder Deleted : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\Extensions\addon@dealplyshopping.com
Folder Deleted : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\Extensions\{7f3f960e-a836-45ca-8911-0accb522246e}
Folder Deleted : C:\Users\viola\AppData\Local\Google\Chrome\User Data\Default\Extensions\chdboodilddefglllfoimeceomkpmkbi
Folder Deleted : C:\Users\viola\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbjibcbpmbcabnfnohhgjjmkgkimajko
File Deleted : C:\END
File Deleted : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\invalidprefs.js
File Deleted : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\searchplugins\bingp.xml
File Deleted : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\searchplugins\Conduit.xml
File Deleted : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\searchplugins\findwide.xml
File Deleted : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\chdboodilddefglllfoimeceomkpmkbi
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cbjibcbpmbcabnfnohhgjjmkgkimajko
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cbjibcbpmbcabnfnohhgjjmkgkimajko
Key Deleted : HKLM\SOFTWARE\Classes\AppID\PricePeep.DLL
Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
Key Deleted : HKLM\SOFTWARE\Classes\speedupmypc
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mobogenie.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WsysSvc
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3294791
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{38A066B0-DD5F-4226-AC4F-6A27C1BFB892}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4B6ACEA2-308A-4876-AD36-57CEC5B4FCC7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D99A4EC9-00BD-4FE4-85A5-4DB018351265}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1B97A696-5576-43AC-A73B-E1D2C78F21E8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{75BF416E-4326-45B5-8A2D-AE32D05B930B}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B6ACEA2-308A-4876-AD36-57CEC5B4FCC7}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D99A4EC9-00BD-4FE4-85A5-4DB018351265}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B6ACEA2-308A-4876-AD36-57CEC5B4FCC7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D99A4EC9-00BD-4FE4-85A5-4DB018351265}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DEDAF650-12B8-48F5-A843-BBA100716106}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4B6ACEA2-308A-4876-AD36-57CEC5B4FCC7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D99A4EC9-00BD-4FE4-85A5-4DB018351265}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DEDAF650-12B8-48F5-A843-BBA100716106}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458E-AE16-1C1D8255C28A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1B97A696-5576-43AC-A73B-E1D2C78F21E8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{75BF416E-4326-45B5-8A2D-AE32D05B930B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458E-AE16-1C1D8255C28A}
Key Deleted : HKCU\Software\SaltarSmart
Key Deleted : HKCU\Software\Speedchecker Limited
Key Deleted : HKCU\Software\Trymedia Systems
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\eSafeSecControl
Key Deleted : HKLM\Software\SaltarSmart
Key Deleted : HKLM\Software\Speedchecker Limited
Key Deleted : HKLM\Software\Trymedia Systems
Key Deleted : HKLM\Software\Uniblue
Key Deleted : [x64] HKLM\SOFTWARE\DomaIQ
Key Deleted : [x64] HKLM\SOFTWARE\Speedchecker Limited
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaltarSmart

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16798


-\\ Mozilla Firefox v

[ File : C:\Users\viola\AppData\Roaming\Mozilla\Firefox\Profiles\75832er5.default\prefs.js ]

Line Deleted : user_pref("CT3294791.FF19Solved", "true");
Line Deleted : user_pref("CT3294791.UserID", "UN14928622983219892");
Line Deleted : user_pref("CT3294791.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3294791.fullUserID", "UN14928622983219892.IN.20131111060443");
Line Deleted : user_pref("CT3294791.installDate", "11/11/2013 06:05:51");
Line Deleted : user_pref("CT3294791.installSessionId", "{C7F9683A-913E-4331-9961-45295793F9DA}");
Line Deleted : user_pref("CT3294791.installSp", "TRUE");
Line Deleted : user_pref("CT3294791.installerVersion", "1.7.1.7");
Line Deleted : user_pref("CT3294791.keyword", "true");
Line Deleted : user_pref("CT3294791.originalHomepage", "hxxp://www.msn.com/?pc=U141C&ocid=U141CDHP");
Line Deleted : user_pref("CT3294791.originalSearchAddressUrl", "hxxp://search.findwide.com/serp?guid={1CC5D4C5-1E93-4DE0-837A-A601B5908B3B}&action=default_search&serpv=22&k=");
Line Deleted : user_pref("CT3294791.originalSearchEngine", "FindWide");
Line Deleted : user_pref("CT3294791.originalSearchEngineName", "FindWide");
Line Deleted : user_pref("CT3294791.searchRevert", "false");
Line Deleted : user_pref("CT3294791.searchUserMode", "2");
Line Deleted : user_pref("CT3294791.smartbar.homepage", "true");
Line Deleted : user_pref("CT3294791.versionFromInstaller", "10.22.2.30");
Line Deleted : user_pref("CT3294791.xpeMode", "0");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://search.findwide.com/serp?guid={1CC5D4C5-1E93-4DE0-837A-A601B5908B3B}&action=default_search&serpv=22&k=");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "Vafmusic2 Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3294791&CUI=UN14928622983219892&UM=2&SearchSource=3&q={searchTerms}");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://search.findwide.com/?guid={1CC5D4C5-1E93-4DE0-837A-A601B5908B3B}&serpv=22");
Line Deleted : user_pref("extensions.crossrider.bic", "142014ce7772e0efce8a4de7c595e7b7");
Line Deleted : user_pref("extensions.dynconff.cache.search.findwide.com.content", "<package expire=\"3600\" es=\"914\" pcdids=\"_1520_1146_1169_1348_1482_1493_1521_1717\">\r\n  <content id=\"MB_P1\">\r\n    <newjs><[...]
Line Deleted : user_pref("extensions.dynconff.cache.search.findwide.com.expires", "1389111744425");
Line Deleted : user_pref("keyword.URL", "hxxp://search.findwide.com/serp?guid={1CC5D4C5-1E93-4DE0-837A-A601B5908B3B}&action=default_search&serpv=22&k=");

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\viola\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [35657 octets] - [27/10/2013 18:01:24]
AdwCleaner[R1].txt - [10444 octets] - [26/02/2014 19:08:24]
AdwCleaner[S0].txt - [34762 octets] - [27/10/2013 18:02:58]
AdwCleaner[S1].txt - [10287 octets] - [26/02/2014 19:12:26]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [10348 octets] ##########



#6 Sirawit

  • Malware Response Team

Posted 28 February 2014 - 02:05 AM

We need to search for a few things with SystemLook:

  • Please download SystemLook by jpshortstuff and save it to your desktop
  • Double-click the program to run it, paste the entire text into the main text box:
    :regfind
    tuvaro
    :filefind
    *tuvaro*
    :folderfind
    *tuvaro*
  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Thank you.


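The same search Sirawit asks for above, done in PowerShell instead of SystemLook. This is an added example and is not part of the original thread or of SystemLook itself; the registry hives and folders it walks are assumptions picked to match the locations that appear in the AdwCleaner log earlier in the thread, and $Needle defaults to the string under discussion. Run it from an elevated prompt so HKLM and the Program Files trees are readable.

```powershell
# Added example for this thread, not from the original post or from SystemLook:
# a PowerShell stand-in for the ":regfind tuvaro / :filefind *tuvaro* /
# :folderfind *tuvaro*" search requested above. $Needle is matched
# case-insensitively and literally (it is regex-escaped), like a SystemLook
# substring search. Run elevated so HKLM and Program Files are readable.
param([string]$Needle = 'tuvaro')

$Pattern = [regex]::Escape($Needle)

function Find-RegistryString {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        # Hives a browser hijacker normally touches (assumption, chosen from
        # the keys listed in the AdwCleaner log in this thread).
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE',
            'HKCU:\Software',
            'HKLM:\SYSTEM\CurrentControlSet\Services'
        )
    )
    foreach ($root in $Roots) {
        # Some keys are ACL-protected even for administrators; skip them quietly.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Kind = 'Key'; Path = $key.Name; Value = ''; Data = '' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName)
                # REG_BINARY can hide a UTF-16 or ASCII string; decode both ways.
                $text = if ($data -is [byte[]]) {
                    [Text.Encoding]::Unicode.GetString($data) + ' ' + [Text.Encoding]::ASCII.GetString($data)
                } else { "$data" }
                if ($valueName -match $Pattern -or $text -match $Pattern) {
                    [pscustomobject]@{ Kind = 'Value'; Path = $key.Name; Value = $valueName; Data = $text }
                }
            }
        }
    }
}

function Find-FileSystemString {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        # Folders where the AdwCleaner log above found PUP files (assumption).
        [string[]]$Roots = @(
            $env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)},
            $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP,
            "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"
        )
    )
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        # -Force includes hidden items, which is where PUP droppers like to live.
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern } |
            ForEach-Object {
                $kind = if ($_.PSIsContainer) { 'Folder' } else { 'File' }
                [pscustomobject]@{ Kind = $kind; Path = $_.FullName; Value = ''; Data = '' }
            }
    }
}

# Collect both result sets, write a report to the desktop (as SystemLook does
# with its notepad log) and echo it to the console.
$hits   = @(Find-RegistryString -Pattern $Pattern) + @(Find-FileSystemString -Pattern $Pattern)
$report = "$env:USERPROFILE\Desktop\Find-$Needle.txt"
$hits | Format-Table -AutoSize | Out-String -Width 300 | Set-Content -Path $report
$hits | Format-Table -AutoSize
"$($hits.Count) hit(s) written to $report"
```

Value data is searched as well as key and value names, because a hijacker's search URL usually sits in the data of an innocuous-looking value (the IE SearchScopes and Firefox prefs entries in the log above are examples). A full walk of HKLM\SOFTWARE on a 64-bit machine takes a minute or two; that is normal.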


#7 gooseduck

  • Members

Posted 09 March 2014 - 11:52 PM

Hi Oshun -

I don't know if you found it yet, but I encountered 3 machines with Tuvaro redirects last week. Look at the browser shortcut properties: the path to the executable has been appended with the search.net URL. When the browser launches, it opens the target URL instead of the home page.

The last one I cleaned is still on my bench; it has some deeper issues beyond the usual suspects. It doesn't have Windows 7 SP1, won't do updates, won't run sfc (well, it runs, but immediately exits with a 100% complete message), won't manually install SP1, etc.

All of the PCs had multiple previously-installed items in Programs and Features that had their Installed On dates changed to the infection date.

Hope this helps.

-gooseduck.


Edited by gooseduck, 10 March 2014 - 09:37 PM.
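gooseduck's check, as an added example that is not part of the original post. It reads the Arguments field of every browser shortcut it can find through the WScript.Shell COM object, which is where an appended URL lives and which Internet Options never shows because the home page setting itself is untouched; it then dumps the registry values Internet Options does read (so a "www.google.ca" answer can be tied to the registry rather than the shortcut) and groups Programs and Features entries by their Installed On date so a cluster of rewritten dates stands out. The shortcut folders, the browser list and the URL pattern are assumptions for a default Windows layout.

```powershell
# Added example for this thread, not from the original post. Audits browser
# shortcuts for a URL smuggled into Arguments, prints the IE home page
# values, and groups uninstall entries by InstallDate. Pass -Fix to blank
# hijacked Arguments; saving shortcuts under ProgramData needs elevation.
param([switch]$Fix)

$shell = New-Object -ComObject WScript.Shell

# Places browser shortcuts normally live, including the pinned-taskbar folder
# under Quick Launch (assumed default Windows layout).
$shortcutRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
) | Where-Object { Test-Path $_ }

$browserExe = '\\(iexplore|chrome|firefox|opera|msedge)\.exe$'
# A clean browser shortcut has empty Arguments; anything URL-shaped is the hijack.
$urlLike = 'https?://|www\.|\w+\.(com|net|org|ca)\b'

function Test-ShortcutHijack {
    param([Parameter(Mandatory)][string]$LnkPath)
    $lnk = $shell.CreateShortcut($LnkPath)
    if ($lnk.TargetPath -notmatch $browserExe) { return }   # not a browser shortcut
    [pscustomobject]@{
        Shortcut  = $LnkPath
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Hijacked  = [bool]($lnk.Arguments -match $urlLike)
    }
}

$shortcuts = foreach ($root in $shortcutRoots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ShortcutHijack -LnkPath $_.FullName }
}
"== Browser shortcuts =="
$shortcuts | Format-Table -AutoSize -Wrap

if ($Fix) {
    foreach ($s in ($shortcuts | Where-Object Hijacked)) {
        $lnk = $shell.CreateShortcut($s.Shortcut)
        $lnk.Arguments = ''          # drop the appended URL, keep the target
        $lnk.Save()
        "Cleared Arguments on $($s.Shortcut)"
    }
}

# The values Internet Options reads for the home page (HKCU wins over HKLM).
"== Internet Explorer home page values =="
foreach ($k in @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Main')) {
    if (Test-Path $k) {
        Get-ItemProperty -Path $k |
            Select-Object @{ n = 'Key'; e = { $k } }, 'Start Page', 'Default_Page_URL', 'Secondary Start Pages'
    }
}

# Programs and Features shows InstallDate (yyyyMMdd) when the uninstall entry
# carries one; many entries sharing a date that is not the OS install date is
# the symptom gooseduck observed.
"== Uninstall entries grouped by InstallDate (top 5) =="
$uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    Group-Object InstallDate | Sort-Object Count -Descending | Select-Object -First 5 |
    ForEach-Object {
        [pscustomobject]@{
            InstallDate = $_.Name
            Count       = $_.Count
            Programs    = (($_.Group | Select-Object -First 4 -ExpandProperty DisplayName) -join ', ')
        }
    } | Format-Table -AutoSize -Wrap
```

Run it first without -Fix and read the Hijacked column; a shortcut whose Target is the real browser executable but whose Arguments carry a URL is exactly the case from the original post, where Internet Options and the home button both report Google but the browser still opens on the hijacker's page. Pinned taskbar items are separate .lnk files under Quick Launch\User Pinned, so a cleaned desktop shortcut does not fix a hijacked pinned one.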




