Can not remove www-search.net Tuvaro

11 replies to this topic

#1 aninkling (Members)

Posted 06 September 2014 - 09:20 AM

I realize that there are even videos out there (eg ) on how to "get rid of this." But I have a follow-on question based on my experience.  Let me first detail what I found on this one computer:

Initially, less than 24 hours after the first "attack" (how they got it I would like to know), I found this malware:

- Browser Feature v 2.22

- iWebBar

- Search Protect

- The Best Deals

- Shopper Pro

- YT Downloader

- Severe Weather Alerts

- Search Module

- neurowise (difficult to remove)

- MyPCBackup

 

I used a standard combination of tools to remove these.  However, the www-search and Tuvaro home page continued to pop up only in IE. I used all the advanced techniques to clean this.  I used the hint of going to the Program Files and starting, and, indeed, that home page no longer appeared.  So... I was aware of the above video, but I just plain deleted the shortcut from the taskbar (Windows 8.1)... I then created a new shortcut using the actual iexplore.exe in Program Files.   But when I clicked on this, the www-search and Tuvaro popped up again.  (By the way, Tuvaro is a new name for the old Conduit; saw that from registry entries.)  What I want to know is, what is the mechanism being used to recreate the false shortcut link when I create a new shortcut link?  Clearly there is still something in the system that is able to edit the shortcut link as it is being created.  You'll get 2 kudos for answering this one!




#2 LiquidTension (Malware Response Team)

Posted 06 September 2014 - 09:34 AM

Hello, 
 

What I want to know is, what is the mechanism being used to recreate the false shortcut link when I create a new shortcut link.

Run the following programme, and I will tell you.

SystemLook

  • Please download SystemLook (x64) and save the file to your Desktop.
  • Right-Click SystemLook_x64.exe and select Run as administrator to run the programme.
  • Copy the entire contents of the codebox below and paste into the textfield.
    :filefind
    *Tuvaro*
    
    :folderfind
    *Tuvaro*
    
    :regfind
    Tuvaro
  • Click the button to start the scan.
  • Upon completion, a log (SystemLook.txt) will open. Copy the contents of the log and paste in your next reply.
  • Click the button to close the programme.


#3 aninkling (Topic Starter)

Posted 09 September 2014 - 04:23 PM

hold on, I'll get the info.  Thanks,



#4 aninkling (Topic Starter)

Posted 09 September 2014 - 04:40 PM

OK, here are the results:

SystemLook 30.07.11 by jpshortstuff
Log created at 17:25 on 09/09/2014 by xxxxxx
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "*Tuvaro*"
C:\Users\xxxxxxxxxx\AppData\Local\Microsoft\Windows\INetCache\Low\IE\JTO9ROVD\tuvaro[1].png --a---- 648 bytes [13:58 06/09/2014] [13:58 06/09/2014] F0477FE6865178E33FD1EB93EED59DDE
 
========== folderfind ==========
 
Searching for "*Tuvaro*"
No folders found.
 
========== regfind ==========
 
Searching for "Tuvaro"
No data found.


#5 aninkling (Topic Starter)

Posted 09 September 2014 - 04:55 PM

Looking for this file, though I have folder settings to show hidden files, etc., I could find no "Low" folder.  I did find two .ico files labeled favicon.ico.  Both "show" as "bing" icons, but one has the properties: favicon[1].ico, expires 10/6/2014, has an "address" of http://www.conduit.com/favicon.ico, and the icon shown on the general tab is the icon for tuvaro.  I don't understand how I can't "see" the remainder of the path.



#6 LiquidTension (Malware Response Team)

Posted 09 September 2014 - 07:36 PM

Hello, 

 

That didn't turn up anything useful, unfortunately. The file found is a graphics file, and isn't the cause of the redirects.

 

Let's try using the following adware removal tools, and reset your IP configuration/flush your DNS cache.

 

STEP 1
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 2
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 3
Internet Flush

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    @echo off
    echo Flushing Internet. Please wait... >"%userprofile%\desktop\flushresults.txt"
    ipconfig /release >>"%userprofile%\desktop\flushresults.txt" 2>&1
    ipconfig /renew >>"%userprofile%\desktop\flushresults.txt" 2>&1
    ipconfig /flushdns >>"%userprofile%\desktop\flushresults.txt" 2>&1
    netsh winsock reset all >>"%userprofile%\desktop\flushresults.txt" 2>&1
    netsh int ipv4 reset >>"%userprofile%\desktop\flushresults.txt" 2>&1
    netsh int ipv6 reset >>"%userprofile%\desktop\flushresults.txt" 2>&1
    echo. >>"%userprofile%\desktop\flushresults.txt"
    echo Finished. Your computer will reboot. >>"%userprofile%\desktop\flushresults.txt"
    shutdown -r -t 1
    del %0
  • Click Format. Ensure Wordwrap is unchecked.
  • Click File > Save As and name the file flush.bat
  • Select All Files as the Save as type.
  • Save the file to your Desktop.
  • Locate flush.bat (W8/7/Vista) on your Desktop. Right-click the icon and click Run as administrator.
  • Your computer will reboot. If not, please manually reboot.
  • After the reboot, a log (results.txt) will be on your Desktop. Copy the contents of the log and paste in your next reply.
     

======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • AdwCleaner[S0].txt
  • JRT.txt
  • flushresults.txt


#7 aninkling (Topic Starter)

Posted 12 September 2014 - 07:30 PM

I won't be able to get to this until Sunday 9/14 due to other commitments.  I already ran AdwCleaner, but will run again.  And I will run the others.  Thank you for your patience.



#8 LiquidTension (Malware Response Team)

Posted 13 September 2014 - 03:38 AM

No problem at all.

#9 aninkling (Topic Starter)

Posted 15 September 2014 - 09:10 AM

AdwCleaner Output:

 

# AdwCleaner v3.310 - Report created 15/09/2014 at 10:01:35
# Updated 12/09/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username :  xxxxxxxx
# Running from : C:\Users\xxxxxxxx\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
Shortcut Disinfected : C:\Users\Public\Desktop\Google Chrome.lnk
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
Shortcut Disinfected : C:\Users\xxxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\xxxxxxxx\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16384
 
 
-\\ Google Chrome v37.0.2062.120
 
[ File : C:\Users\xxxxxxxx\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\tech\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [4462 octets] - [05/09/2014 11:38:11]
AdwCleaner[R1].txt - [1738 octets] - [15/09/2014 09:57:34]
AdwCleaner[S0].txt - [3910 octets] - [05/09/2014 11:40:21]
AdwCleaner[S1].txt - [1359 octets] - [15/09/2014 10:01:35]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1419 octets] ##########
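The AdwCleaner log above reports four browser shortcuts as "disinfected", which answers the question from post #1: this adware family commonly leaves the real browser executable as the shortcut target and appends the hijack URL to the shortcut's command-line arguments, so every launch through that .lnk opens the page regardless of the configured home page. The following added example (not code from the thread, from AdwCleaner, or from any tool named here) parses the StringData section of a Windows ShellLink (.lnk) file per the public MS-SHLLINK layout and reports any URL found in its arguments; the sample shortcuts are constructed inline, and the `build_lnk` helper is a test fixture, not part of any real tool.

```python
import struct

# MS-SHLLINK LinkFlags bits (from the public format spec, not from this thread)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData sections appear in this fixed order, each present only if its bit is set
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, skipping the IDList and LinkInfo."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList body
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize counts itself
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    return fields


def shortcut_url_args(data: bytes) -> list:
    """URLs in the shortcut's arguments; a browser .lnk with any is worth a look."""
    args = parse_lnk_strings(data).get("arguments", "")
    return [t for t in args.split() if t.lower().startswith(("http://", "https://"))]


def build_lnk(arguments: str = "", unicode: bool = True) -> bytes:
    """Constructed minimal ShellLink: 76-byte header plus only the arguments string."""
    flags = (0x20 if arguments else 0) | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\x00")
    if not arguments:
        return header
    enc = arguments.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(arguments)) + enc
```

To audit a real machine, read each browser .lnk from the Desktop, Start Menu and Quick Launch folders listed in the log and pass its bytes to `shortcut_url_args`; a clean browser shortcut normally has no URL in its arguments at all.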


#10 aninkling (Topic Starter)

Posted 15 September 2014 - 09:27 AM

JRT Results:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 8.1 x64
Ran by xxxxxxxx on Mon 09/15/2014 at 10:18:26.66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-2826137030-2506416015-3951851562-1001\Software\Microsoft\Internet Explorer\Main\\Start Page
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 09/15/2014 at 10:24:13.97
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#11 aninkling (Topic Starter)

Posted 15 September 2014 - 09:36 AM

flushingresults.txt:

 

Flushing Internet. Please wait... 
 
Windows IP Configuration
 
No operation can be performed on Local Area Connection* 12 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Wi-Fi while it has its media disconnected.
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2602:304:4d15:8049:cc9b:6788:ef50:adcd
   Temporary IPv6 Address. . . . . . : 2602:304:4d15:8049:61ec:9be4:9eab:df17
   Link-local IPv6 Address . . . . . : fe80::cc9b:6788:ef50:adcd%9
   Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9e:9f8d%9
 
Wireless LAN adapter Local Area Connection* 12:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wi-Fi:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Local Area Connection* 2:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:38b7:4aa:3f57:feaf
   Link-local IPv6 Address . . . . . : fe80::38b7:4aa:3f57:feaf%7
   Default Gateway . . . . . . . . . : 
 
Windows IP Configuration
 
No operation can be performed on Local Area Connection* 12 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Wi-Fi while it has its media disconnected.
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2602:304:4d15:8049:cc9b:6788:ef50:adcd
   Temporary IPv6 Address. . . . . . : 2602:304:4d15:8049:61ec:9be4:9eab:df17
   Link-local IPv6 Address . . . . . : fe80::cc9b:6788:ef50:adcd%9
   IPv4 Address. . . . . . . . . . . : 192.168.1.80
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9e:9f8d%9
                                       192.168.1.254
 
Wireless LAN adapter Local Area Connection* 12:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wi-Fi:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Local Area Connection* 2:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:38b7:4aa:3f57:feaf
   Link-local IPv6 Address . . . . . : fe80::38b7:4aa:3f57:feaf%7
   Default Gateway . . . . . . . . . : 
 
Tunnel adapter isatap.{F489EF6D-0426-4162-AC50-F247ACEE1A94}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
Finished. Your computer will reboot. 


#12 LiquidTension (Malware Response Team)

Posted 15 September 2014 - 02:19 PM

Hello, 
 
Bar some permission issues, is there anything outstanding that needs to be resolved?
 

Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

