
How do I get rid of the annoying v9 browser hi-jacker?


5 replies to this topic

#1 Lockjaw87

Lockjaw87

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:21 AM

Posted 01 June 2014 - 12:43 PM

A few days ago, I downloaded the wrong free software (people, be very careful of this and do not repeat my folly!) and somehow ended up with the v9 browser hi-jacker that resists all of my attempts to get it off my computer.

 

 For those who may not know about it yet, what it does is cause your browser to instantly open a tab to the v9 multi-choice search engine page. I have a paid, up-to-date subscription to the heavy-duty Webroot anti-virus/anti-malware combo software, which has proven good for keeping most malicious malware off my computer. However, the v9 was apparently not recognized, and thus wasn't quarantined to keep it off my hard drive.

 

 So moving to the next step, I went into the uninstall/change protocol of my computer, located the v9 uninstaller on my list of software, and clicked 'uninstall.' I got a captcha box asking me to do a word entry to prove I was really a human and not a program posing as one (though I fail to understand why an uninstaller would have a captcha prompt), and I then clicked the 'continue' hot link at the bottom of the uninstall window. This is what has happened each of the several times I clicked the 'continue' link from this point: I get a box with a progress bar and a reminder that says, "Uninstaller is preparing the necessary data" (whatever that means!). You see a "Waiting..." notice above the progress bar, and once the bar is complete, the uninstall procedure simply stops and never progresses any further, no matter how long I wait for it. The continue hot link at the bottom here gives you the option to "repare", and if you click on the button for this, the progress bar works promptly and successfully... and you're still stuck with the v9 malware on your computer, along with the uninstaller in your list of software.

 

  Re-booting the computer doesn't help at all, as I certainly tried that. How do I get rid of this malware? Has anyone here encountered this problem and succeeded in getting rid of this security system-resistant malware?





#2 AndroidOS

AndroidOS

    Malware Search++ developer


  • Security Developer
  • 146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:21 AM

Posted 01 June 2014 - 02:35 PM

Hi Lockjaw, and welcome to Bleeping Computer! :)

 

I don't think this should be too hard to remove. Can you please follow these steps.

 

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: Download Mirror
 
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)
 
Double Click mbam-setup.exe to install the application.
 
(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
 
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.
  • If Malwarebytes fails to download please use the following link:
     
     
    ==========
     

    Please download JRT from here & double click to start the program.
  • Hit any key when prompted and allow it to run through its process.
  • Post the log when it's finished.
  •  
    ==========
     

    Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[R0].txt as well.


  • #3 Lockjaw87

    Lockjaw87
    • Topic Starter

    • Members
    • 4 posts
    • OFFLINE
    •  
    • Local time:06:21 AM

    Posted 01 June 2014 - 04:43 PM

    Thank you for your help! Below is the cut and paste of the resulting Malwarebytes log:

     

     

    Malwarebytes Anti-Malware
    www.malwarebytes.org


    Protection, 6/1/2014 4:32:14 PM, SYSTEM, TOSHIBA-PC, Protection, Malware Protection, Starting,
    Protection, 6/1/2014 4:32:14 PM, SYSTEM, TOSHIBA-PC, Protection, Malware Protection, Started,
    Protection, 6/1/2014 4:32:14 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Starting,
    Protection, 6/1/2014 4:34:22 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Started,
    Update, 6/1/2014 4:35:12 PM, SYSTEM, TOSHIBA-PC, Manual, Rootkit Database, 2014.2.20.1, 2014.5.21.1,
    Update, 6/1/2014 4:35:17 PM, SYSTEM, TOSHIBA-PC, Manual, Malware Database, 2014.3.4.9, 2014.6.1.7,
    Protection, 6/1/2014 4:35:19 PM, SYSTEM, TOSHIBA-PC, Protection, Refresh, Starting,
    Protection, 6/1/2014 4:35:19 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Stopping,
    Protection, 6/1/2014 4:35:19 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Stopped,
    Protection, 6/1/2014 4:35:29 PM, SYSTEM, TOSHIBA-PC, Protection, Refresh, Success,
    Protection, 6/1/2014 4:35:29 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Starting,
    Protection, 6/1/2014 4:35:30 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Started,
    Update, 6/1/2014 5:24:12 PM, SYSTEM, TOSHIBA-PC, Scheduler, Malware Database, 2014.6.1.7, 2014.6.1.8,
    Protection, 6/1/2014 5:24:31 PM, SYSTEM, TOSHIBA-PC, Protection, Refresh, Starting,
    Protection, 6/1/2014 5:24:31 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Stopping,
    Protection, 6/1/2014 5:24:36 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Stopped,
    Protection, 6/1/2014 5:25:58 PM, SYSTEM, TOSHIBA-PC, Protection, Refresh, Success,
    Protection, 6/1/2014 5:25:58 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Starting,
    Protection, 6/1/2014 5:26:11 PM, SYSTEM, TOSHIBA-PC, Protection, Malicious Website Protection, Started,

    (end)



    #4 Lockjaw87

    Lockjaw87
    • Topic Starter

    • Members
    • 4 posts
    • OFFLINE
    •  
    • Local time:06:21 AM

    Posted 01 June 2014 - 08:07 PM

    And here are the results of the JRT scan:

     

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.1.4 (04.06.2014:1)
    OS: Windows 7 Home Premium x64
    Ran by toshiba on Sun 06/01/2014 at 17:47:03.75
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installcore
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\search settings
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1BB8B3AE-757D-443F-B3A4-0629E709B0D9}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\v9software
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3289847
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211961163}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110311091146}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211961163}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110311091146}
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AC958B89-92E4-4FEC-B3CA-2427620012CA}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}



    ~~~ Files

    Successfully deleted: [File] "C:\Users\toshiba\appdata\local\google\chrome\user data\default\local storage\http_facebook.conduitapps.com_0.localstorage"
    Successfully deleted: [File] "C:\Users\toshiba\appdata\local\google\chrome\user data\default\local storage\http_facebook.conduitapps.com_0.localstorage-journal"
    Successfully deleted: [File] "C:\end"



    ~~~ Folders

    Successfully deleted: [Folder] "C:\Users\toshiba\AppData\Roaming\getrighttogo"
    Successfully deleted: [Folder] "C:\Users\toshiba\appdata\locallow\conduit"
    Successfully deleted: [Folder] "C:\Users\toshiba\appdata\locallow\pricegong"
    Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
    Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\spigot"



    ~~~ FireFox

    Successfully deleted: [File] C:\Users\toshiba\AppData\Roaming\mozilla\firefox\profiles\szugav6e.default-1373244935569\user.js
    Successfully deleted the following from C:\Users\toshiba\AppData\Roaming\mozilla\firefox\profiles\szugav6e.default-1373244935569\prefs.js

    user_pref("browser.search.defaultenginename", "v9");
    user_pref("browser.search.selectedEngine", "v9");
    Emptied folder: C:\Users\toshiba\AppData\Roaming\mozilla\firefox\profiles\szugav6e.default-1373244935569\minidumps [79 files]



    ~~~ Chrome

    Successfully deleted: [Folder] C:\Users\toshiba\appdata\local\Google\Chrome\User Data\Default\Extensions\hbcennhacfaagdopikcegfcobcadeocj
    Successfully deleted: [Folder] C:\Users\toshiba\appdata\local\Google\Chrome\User Data\Default\Extensions\icdlfehblmklkikfigmjhbmmpmkmpooj
    Successfully deleted: [Folder] C:\Users\toshiba\appdata\local\Google\Chrome\User Data\Default\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk
    Successfully deleted: [Folder] C:\Users\toshiba\appdata\local\Google\Chrome\User Data\Default\Extensions\pfndaklgolladniicklehhancnlgocpp



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Sun 06/01/2014 at 18:09:33.23
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     



    #5 Lockjaw87

    Lockjaw87
    • Topic Starter

    • Members
    • 4 posts
    • OFFLINE
    •  
    • Local time:06:21 AM

    Posted 01 June 2014 - 08:19 PM

    And here are the log results of the AdwCleaner scan and removal:

     

    # AdwCleaner v3.211 - Report created 01/06/2014 at 21:12:08
    # Updated 26/05/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : toshiba - TOSHIBA-PC
    # Running from : C:\Users\toshiba\Downloads\adwcleaner_3.211.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\Users\toshiba\AppData\Local\Conduit
    Folder Deleted : C:\Users\toshiba\AppData\Local\DownloadTerms
    Folder Deleted : C:\Users\toshiba\AppData\Local\Slick Savings
    Folder Deleted : C:\Users\toshiba\AppData\Local\SwvUpdater
    Folder Deleted : C:\Users\toshiba\AppData\Roaming\Mozilla\Firefox\Profiles\szugav6e.default-1373244935569\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    Folder Deleted : C:\Users\toshiba\AppData\Local\Google\Chrome\User Data\Default\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi

    ***** [ Shortcuts ] *****

    Shortcut Disinfected : C:\Users\Public\Desktop\Google Chrome.lnk
    Shortcut Disinfected : C:\Users\Public\Desktop\Mozilla Firefox.lnk
    Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
    Shortcut Disinfected : C:\Users\toshiba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    Shortcut Disinfected : C:\Users\toshiba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
    Shortcut Disinfected : C:\Users\toshiba\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    Shortcut Disinfected : C:\Users\toshiba\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    Shortcut Disinfected : C:\Users\toshiba\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
    Shortcut Disinfected : C:\Users\toshiba\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
    Shortcut Disinfected : C:\Users\toshiba\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk

    ***** [ Registry ] *****

    Key Deleted : HKCU\Software\Google\Chrome\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : HKCU\Software\AppDataLow\Software

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17041

    Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
    Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]

    -\\ Mozilla Firefox v29.0.1 (en-US)

    [ File : C:\Users\toshiba\AppData\Roaming\Mozilla\Firefox\Profiles\szugav6e.default-1373244935569\prefs.js ]


    -\\ Google Chrome v35.0.1916.114

    [ File : C:\Users\toshiba\AppData\Local\Google\Chrome\User Data\Default\preferences ]

    Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
    Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
    Deleted [Search Provider] : hxxp://search.v9.com/web/?type=ds&ts=1401406735&from=ymb&uid=WDCXWD2500BEVT-60A23T0_WD-WX11A11D3084D3084&i=psd&t=3434db297&q={searchTerms}

    *************************

    AdwCleaner[R0].txt - [5400 octets] - [01/06/2014 21:09:49]
    AdwCleaner[S0].txt - [3819 octets] - [01/06/2014 21:12:08]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3879 octets] ##########
     


    This last removal program/procedure has done the trick!!  Thank you very much for your help, and for your welcome to the board :-)
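
An added example, not part of the original thread and not code from JRT or AdwCleaner: a small Python parser that groups the lines of the two removal logs posted above by where the hijacker had hooked into each browser. The category names and the `classify` rules are assumptions made for illustration; the sample lines are copied from the logs in this thread.

```python
import re
from collections import Counter

# Sample lines copied from the JRT and AdwCleaner logs posted in this thread.
SAMPLE_LOG = r'''
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\v9software
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AC958B89-92E4-4FEC-B3CA-2427620012CA}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
Successfully deleted: [Folder] C:\Users\toshiba\appdata\local\Google\Chrome\User Data\Default\Extensions\hbcennhacfaagdopikcegfcobcadeocj
user_pref("browser.search.selectedEngine", "v9");
Folder Deleted : C:\Users\toshiba\AppData\Local\Google\Chrome\User Data\Default\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi
Shortcut Disinfected : C:\Users\Public\Desktop\Google Chrome.lnk
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
'''

# (regex, fixed kind). Group "v" is the path, key, pref name or URL;
# group "k", when present, is the artifact kind as the tool printed it.
LINE_PATTERNS = [
    (re.compile(r'^Successfully deleted: \[(?P<k>Registry Key|File|Folder)\] "?(?P<v>[^"]+)"?$'), None),
    (re.compile(r'^(?P<k>Folder|File|Key) Deleted : (?P<v>.+)$'), None),
    (re.compile(r'^Shortcut Disinfected : (?P<v>.+)$'), "Shortcut"),
    (re.compile(r'^Setting Restored : (?:\[x64\] )?(?P<v>.+)$'), "Setting"),
    (re.compile(r'^Deleted \[Search Provider\] : (?P<v>.+)$'), "Search Provider"),
    (re.compile(r'^user_pref\("(?P<v>[^"]+)", *"[^"]*"\);$'), "Firefox pref"),
]

def classify(kind, value):
    """Map one removed artifact to a hook location (illustrative rules)."""
    v = value.lower()
    if kind == "Shortcut":
        return "disinfected shortcut"
    if kind == "Firefox pref":
        return "Firefox preference"
    if kind == "Search Provider":
        return "Chrome search provider"
    if "browser helper objects" in v:
        return "IE Browser Helper Object"
    if "searchscopes" in v or kind == "Setting":
        return "IE search setting"
    if "chrome" in v and "\\extensions\\" in v:
        return "Chrome extension"
    return "other leftover (" + kind + ")"

def parse_log(text):
    """Return (category, kind, value) for every removal line recognised."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, fixed_kind in LINE_PATTERNS:
            m = pattern.match(line)
            if m:
                kind = fixed_kind or m.group("k")
                kind = "Registry Key" if kind == "Key" else kind
                findings.append((classify(kind, m.group("v")), kind, m.group("v")))
                break
    return findings

def summarize(text):
    return Counter(category for category, _, _ in parse_log(text))

if __name__ == "__main__":
    for category, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {category}")
```

Run against the full logs, the same grouping shows that the hijacker touched all three browsers, which is consistent with the bundled uninstaller alone not clearing it.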



    #6 AndroidOS

    AndroidOS

      Malware Search++ developer


    • Security Developer
    • 146 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:UK
    • Local time:11:21 AM

    Posted 02 June 2014 - 09:17 AM

    You're welcome, I'm glad your problem seems to be solved!

     

    If you don't mind, however, there are a few things I want to check before you go (we need to make sure your computer is up to date, and to try and prevent this from happening again).

     

    Firstly, you seem to have posted the wrong Malwarebytes log. You should be able to find the correct one at  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt.

     

    Secondly, can you please run the following program and post back with the log it produces.

     

    Download Security Check by screen317 and save it to your Desktop.
  • Double-click Security Check.exe to start the application
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  • Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.




