
IE and Firefox Hijacked by "http://www.delta-homes.com"


  • This topic is locked
12 replies to this topic

#1 Ashleshy

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 23 December 2014 - 10:27 AM

IE and Firefox on my system are hijacked by this site: "http://www.delta-homes.com/?type=sc&ts=1419323788&from=wpm12233&uid=TOSHIBAXMK2561GSYN_Y1OZT0QVTXXY1OZT0QVT"

 

I have MBAM on my system; it detected malware and removed it, but the browser still opens with this website.

 

I changed the homepage manually and did all the steps required, but no use. Please help.

 

Attached are the DDS files. Please help me get rid of this website.



#2 Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:59 PM

Posted 23 December 2014 - 01:48 PM

Hi. I'm checking your logs now and will reply with instructions soon.



#3 Ashleshy

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 27 December 2014 - 05:51 AM

Any updates on this?

#4 Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:59 PM

Posted 27 December 2014 - 02:22 PM

Sorry for the delay.

Please follow these steps:

1.- Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, this time click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the most recent report).

2.- Download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.

3.- Download RogueKiller and Save to the desktop.

Note: Do NOT click the Delete button, unless otherwise instructed.

  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • Once the scan is done, click on Report.
  • A log file will open; please copy/paste the contents of that file into your next reply.

 

 



#5 Ashleshy

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 28 December 2014 - 05:28 AM

Thanks for your response Rootk. The homepage seems fine now. It's back to google.com.

 

Here are the logs

 

AdwCleaner

 

# AdwCleaner v4.106 - Report created 28/12/2014 at 15:07:08
# Updated 21/12/2014 by Xplode
# Database : 2014-12-21.4 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : hp - HP-PC
# Running from : C:\Users\hp\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : winzipersvc

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Hotspot_Shield
Folder Deleted : C:\Program Files\Mobogenie
Folder Deleted : C:\Program Files\trolatunt
Folder Deleted : C:\Program Files\WinZipper
Folder Deleted : C:\Windows\system32\hotspot shield
Folder Deleted : C:\Windows\system32\SearchProtect
Folder Deleted : C:\Users\hp\AppData\Local\Temp\hotspot shield
Folder Deleted : C:\Users\hp\AppData\Local\Conduit
Folder Deleted : C:\Users\hp\AppData\Local\Mobogenie
Folder Deleted : C:\Users\hp\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\hp\AppData\LocalLow\Hotspot_Shield
Folder Deleted : C:\Users\hp\AppData\Roaming\SearchProtect
Folder Deleted : C:\Users\hp\AppData\Roaming\WinZipper
Folder Deleted : C:\Users\hp\Documents\Mobogenie
File Deleted : C:\END
File Deleted : C:\Users\hp\daemonprocess.txt

***** [ Scheduled Tasks ] *****

Task Deleted : BackgroundContainer Startup Task

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
Shortcut Disinfected : C:\Users\hp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Shortcut Disinfected : C:\Users\hp\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Shortcut Disinfected : C:\Users\hp\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\hp\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [mobilegeni daemon]
Key Deleted : HKCU\Software\Mozilla\Extends
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKCU\Software\anchorfree
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Tbccint_HKLM
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\BackgroundContainer
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Hotspot_Shield
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\hdcode
Key Deleted : HKLM\SOFTWARE\Hotspot_Shield
Key Deleted : HKLM\SOFTWARE\V9
Key Deleted : HKLM\SOFTWARE\winzipersvc
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winzipper

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720

-\\ Mozilla Firefox v34.0.5 (x86 en-US)

[gswe47ia.default\prefs.js] - Line Deleted : user_pref("CT1561552.UserID", "UN25566662248300175");
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("CT1561552.fullUserID", "UN25566662248300175.IN.20131124002915");
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("CT1561552.installerVersion", "1.8.1.4");
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("CT1561552.toolbarInstallDate", "24-11-2013 00:29:15");
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("CT1561552.versionFromInstaller", "10.22.5.10");
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("CT1561552.xpeMode", "0");
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,delta-homes,DuckDuckGo,eBay,Twitter,Wikipedia (en)");
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("browser.search.selectedEngine", "delta-homes");
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("extensions.quick_start.enable_search1", false);
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("extensions.quick_start.sd.closeWindowWithLastTab_prev_state", false);
[gswe47ia.default\prefs.js] - Line Deleted : user_pref("smartbar.machineId", "QLLUZ5BQNGKA7YN7EDHORXEZCTOUFLLWEQV9HUW7F3PYTLV7X8OIMELKZB9SAG91WATU6ENXJMD3IMBABGEOPQ");

*************************

AdwCleaner[R0].txt - [4017 octets] - [28/12/2014 15:05:56]
AdwCleaner[S0].txt - [4728 octets] - [28/12/2014 15:07:08]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4788 octets] ##########

 

 

 

JRT

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Home Premium x86
Ran by hp on Sun 12/28/2014 at 15:11:11.61
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000\Software\Microsoft\Internet Explorer\Main\\Start Page

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ FireFox

Emptied folder: C:\Users\hp\AppData\Roaming\mozilla\firefox\profiles\gswe47ia.default\minidumps [214 files]

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/28/2014 at 15:12:31.43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

RogueKiller

 

RogueKiller V10.1.1.0 [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : hp [Administrator]
Mode : Scan -- Date : 12/28/2014  15:19:57

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 14 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{66E8DCC7-97D2-4A89-8E08-D0610FF0878C} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{87EAB409-97D7-4889-ACFA-C548FC6F3ECF} -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\hp\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\hp\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\hp\AppData\Local\Temp\catchme.sys) -> Found
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Found
[PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : www.google.com  -> Found
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA MK2561GS SCSI Disk Device +++++
--- User ---
[MBR] a30257fb63ee842ae7ceeb483f1fd0ba
[BSP] 28bc74f49011eea7dd74fea1b830e250 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Ricoh SD/MMC Disk Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! ([32] The request is not supported. )
Error reading LL2 MBR! ([32] The request is not supported. )
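The AdwCleaner log above shows the mechanism of this hijack on the Firefox side: prefs.js lines that point the selected search engine and one-off engine list at "delta-homes", next to Conduit ("CT1561552.*") and SmartBar residue prefs. The following Python is an added triage example, not code from the thread or from AdwCleaner, JRT or RogueKiller: it parses user_pref lines, flags navigation prefs that reference an unwanted domain and the vendor residue prefs, and drops the flagged lines the way the "Line Deleted" entries do. The sample prefs, the homepage line and the bad-token list are constructed from values quoted in this thread.

```python
import re

# Shape of a Firefox prefs.js entry: user_pref("name", value);
# The value is a quoted string, an integer or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Prefs that decide where the browser navigates; a hijacker rewrites these.
NAVIGATION_PREFS = {
    "browser.startup.homepage",
    "browser.search.selectedEngine",
    "browser.search.defaultenginename",
    "browser.newtab.url",
    "keyword.URL",
}

# Pref-name prefixes left behind by the toolbars seen in this thread
# (Conduit "CT<id>.*", SmartBar, quick_start); AdwCleaner removed the same ones.
VENDOR_PREFIXES = tuple(
    re.compile(p) for p in (r"^CT\d+\.", r"^smartbar\.", r"^extensions\.quick_start\.")
)


def parse_pref(line):
    """Return (name, value) for a user_pref line, or None for anything else."""
    m = PREF_RE.match(line)
    if not m:
        return None
    name, raw = m.group(1), m.group(2).strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return name, raw[1:-1]
    if raw in ("true", "false"):
        return name, raw == "true"
    try:
        return name, int(raw)
    except ValueError:
        return name, raw  # leave unknown literals as text


def find_hijack_indicators(lines, bad_tokens):
    """Classify prefs.js lines; returns [(category, name, value), ...]."""
    findings = []
    tokens = [t.lower() for t in bad_tokens]
    for line in lines:
        parsed = parse_pref(line)
        if parsed is None:
            continue
        name, value = parsed
        text = value.lower() if isinstance(value, str) else ""
        if name in NAVIGATION_PREFS and any(t in text for t in tokens):
            findings.append(("navigation-hijack", name, value))
        elif name == "browser.search.hiddenOneOffs" and any(t in text for t in tokens):
            findings.append(("search-engine-list", name, value))
        elif any(p.match(name) for p in VENDOR_PREFIXES):
            findings.append(("vendor-residue", name, value))
    return findings


def clean_prefs(lines, bad_tokens):
    """Drop flagged lines, the way AdwCleaner's 'Line Deleted' entries do."""
    flagged = {name for _, name, _ in find_hijack_indicators(lines, bad_tokens)}
    kept = []
    for line in lines:
        parsed = parse_pref(line)
        if parsed is not None and parsed[0] in flagged:
            continue
        kept.append(line)
    return kept


# Constructed sample modelled on the prefs.js lines in the AdwCleaner log;
# the homepage line and the machineId value are made up for the example.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://www.delta-homes.com/?type=hp");
user_pref("browser.search.selectedEngine", "delta-homes");
user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,delta-homes,DuckDuckGo");
user_pref("CT1561552.UserID", "UN25566662248300175");
user_pref("smartbar.machineId", "CONSTRUCTED-MACHINE-ID");
user_pref("extensions.quick_start.enable_search1", false);
user_pref("browser.startup.page", 1);
user_pref("app.update.enabled", true);
// a comment line that must be ignored
""".splitlines()

BAD_TOKENS = ["delta-homes"]


def triage_sample():
    """Run the check over the constructed sample; returns the findings."""
    return find_hijack_indicators(SAMPLE_PREFS, BAD_TOKENS)


if __name__ == "__main__":
    for category, name, value in triage_sample():
        print(f"{category:18} {name} = {value!r}")
    print(f"{len(clean_prefs(SAMPLE_PREFS, BAD_TOKENS))} of {len(SAMPLE_PREFS)} lines kept")
```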



#6 Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:59 PM

Posted 28 December 2014 - 02:57 PM

Please follow these steps:

1.- Re-run RogueKiller and press the Scan button.
Once the scan is done, click the Registry tab.
Place a checkmark on the following items:
 
[PUP] HKEY_CLASSES_ROOT\CLSID\{66E8DCC7-97D2-4A89-8E08-D0610FF0878C} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{87EAB409-97D7-4889-ACFA-C548FC6F3ECF} -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\hp\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\hp\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\hp\AppData\Local\Temp\catchme.sys) -> Found
Click on the Delete button.
Then, click on Report and copy/paste the contents of that file into your next reply.

2.- Download TFC.exe - Temp File Cleaner by OldTimer:
Alternate link: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Save it to your Desktop
  • Close any open windows, save your work
  • Double click the TFC icon to run the program. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • TFC will close all open programs itself in order to run
  • Click the Start button to begin the process
  • Allow TFC to run uninterrupted
  • The program should not take long to finish its job.
  • Once it's finished, click OK to reboot
3.- Open Malwarebytes Anti-Malware

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
  • Following the update, Click Settings > Detection and Protection and make sure Scan for Rootkits it checked.
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan. If Malware or Potentially Unwanted Programs are found you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
  • After viewing the results, please click on the Copy to Clipboard button > OK.
  • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again, it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or Exporting to a .txt file (Notepad). The .txt file can be saved and posted when you are ready.
4.- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes and if it finds anything, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#7 Ashleshy

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 29 December 2014 - 07:38 AM

Thanks, here are the scan results.

 

RogueKiller

 

RogueKiller V10.1.1.0 [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : hp [Administrator]
Mode : Delete -- Date : 12/29/2014  16:48:36

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{66E8DCC7-97D2-4A89-8E08-D0610FF0878C} -> Deleted
[PUP] HKEY_CLASSES_ROOT\CLSID\{87EAB409-97D7-4889-ACFA-C548FC6F3ECF} -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> Deleted
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Not selected
[PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : www.google.com  -> Not selected
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-1930653420-697493972-99954452-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA TOSHIBA MK2561GS SCSI Disk Device +++++
--- User ---
[MBR] a30257fb63ee842ae7ceeb483f1fd0ba
[BSP] 28bc74f49011eea7dd74fea1b830e250 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Ricoh SD/MMC Disk Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! ([32] The request is not supported. )
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_12282014_151957.log - RKreport_SCN_12292014_164605.log

 

 

Malwarebytes Anti-Malware

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/29/2014
Scan Time: 4:57:10 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.29.04
Rootkit Database: v2014.12.23.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: hp

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312034
Time Elapsed: 9 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.Somoto.A, C:\Users\hp\Desktop\Antivirus Stuff\Windows Loader by Daz\WAT_Fix_downloader-I9vbxD8Mi.exe, No Action By User, [6cd895d14b31da5cce455f69ef12ed13],
Hacktool.Agent, C:\Users\hp\Desktop\Antivirus Stuff\Windows Loader by Daz\Windows Loader v2.2.2.zip, No Action By User, [77cd392d14682511b47a86e361a0e818],

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

ESET Smart

 

C:\AdwCleaner\Quarantine\C\Program Files\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Mobogenie\DaemonProcess.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Mobogenie\New_UpdateMoboGenie.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\WinZipper\TrayDownloader.exe.vir Win32/ELEX.BF potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\WinZipper\winzipersvc.exe.vir a variant of Win32/ELEX.Y potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\Conduit\Multi\CT1561552\UninstallerUI.exe.vir a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.1.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.2.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\hk64tbHot0.dll.vir a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\hk64tbHot2.dll.vir a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\hk64tbHots.dll.vir Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\hktbHot0.dll.vir a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\hktbHots.dll.vir Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\ldrtbHots.dll.vir a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\tbHot0.dll.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\tbHot1.dll.vir a variant of Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\hp\AppData\LocalLow\Hotspot_Shield\tbHots.dll.vir a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\Users\hp\AppData\Roaming\Mozilla\Firefox\Profiles\gswe47ia.default\extensions\detgdp@gmail.com\chrome\content\js\epurls.js JS/Trackware.Agent.A potentially unwanted application deleted - quarantined
C:\Users\hp\AppData\Roaming\Mozilla\Firefox\Profiles\gswe47ia.default\extensions\detgdp@gmail.com\chrome\content\js\inject.js JS/Trackware.Agent.A potentially unwanted application deleted - quarantined
C:\Users\hp\Desktop\Antivirus Stuff\Windows Loader by Daz\WAT_Fix_downloader-I9vbxD8Mi.exe Win32/Somoto.G potentially unwanted application deleted - quarantined
 



#8 Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:59 PM

Posted 29 December 2014 - 10:34 AM

Your logs look OK. How are things running now?

#9 Ashleshy

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 30 December 2014 - 08:04 AM

Things are fine now. Thanks a lot for your assistance.

Edited by Ashleshy, 30 December 2014 - 08:05 AM.


#10 Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:59 PM

Posted 30 December 2014 - 10:17 PM

If the computer is running fine and you're not having any other problem, then follow these final steps:

Create a System restore point.

Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
Click the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

Remove ESET Online Scanner:

Click on Start, Settings, Control Panel
Double click on Add/Remove Programs
Find: Eset Online Scanner in the list of installed programs and click on Change/Remove to uninstall it.

Run Delfix

This program will remove the tools used and their logs. If anything remains, you can manually delete it.
Please download Delfix and save it to your desktop.
Double click on Delfix.exe to run the tool and click on the Run button.

Finally, to help protect your computer in the future I recommend you read this article: So how did I get infected in the first place? I also recommend running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Be sure to post back if you have any more problems.

#11 Ashleshy

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 31 December 2014 - 12:22 PM

Thanks. Is it OK to manually delete the "Quarantine" folder of AdwCleaner which is shown in the ESET scan results? This folder is visible here: C:\AdwCleaner\Quarantine

 

I don't want these folders/viruses to stay in my system in any way.

 

 

 

 



#12 Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:59 PM

Posted 31 December 2014 - 01:00 PM

If the AdwCleaner folder is still there, then you can manually delete it. BTW, those files listed by ESET were removed, so you shouldn't worry about them.

#13 Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:04:59 PM

Posted 26 January 2015 - 11:17 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.