Can't remove http://www.istart123.com malware


  • This topic is locked
8 replies to this topic

#1 bikefixer

  • Members
  • 35 posts
  • Gender:Male
  • Location:Pennsylvania

Posted 11 February 2015 - 12:30 AM

Every time I start Chrome or IE this start-up malware program takes over the browser.

I tried looking for files in Add/Remove Programs and cannot find any related.

I reset Chrome and IE, with no luck.

I could uninstall Chrome, but the malware would still be on IE, since it can't be removed.

I tried running Ad-ware Antivirus, which removed a few viruses/malware from my computer, but the 123start is still there.

http://www.istart123.com/?type=sc&ts=1423012793&from=wpm0202&uid=FUJITSUXMHV204RAH_NTANT93MLTSET93MLTSEX

I am afraid of experimenting with free antiviruses, with the chance of getting another malware infestation.




#2 satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK

Posted 11 February 2015 - 03:36 AM

Hello bikefixer and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes

Download AdwCleaner again from here and save it to your desktop.

  • run AdwCleaner
  • when it has finished, allow AdwCleaner to delete everything it found, then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system, which is 32-bit.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called FRST.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.

Logs to include with next post:

AdwCleaner log
JRT.txt
FRST.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 bikefixer
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Male
  • Location:Pennsylvania

Posted 11 February 2015 - 09:30 PM

How do I post the logs?



#4 bikefixer
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Male
  • Location:Pennsylvania

Posted 11 February 2015 - 10:22 PM

I think it removed it with AdwCleaner, but I used all of them.

Attached Files



#5 satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK

Posted 12 February 2015 - 05:04 AM

Those scans got rid of a lot but there’s still work to be done.



Disable Firefox Extensions:

  • open Firefox
  • click the menu button (3 bars icon) > Add-ons
  • in the Add-ons window, select Extensions
  • click to highlight the extensions SweetPacks & Connect DLC and select Disable - the Disable add-on window may pop up to warn you that related services and add-ons will also be disabled; click Disable
  • exit the Add-ons Manager window, and restart Firefox to complete the process.

================================================

Run Farbar Recovery Scan Tool

Open notepad (Start >All Programs > Accessories > Notepad). Please copy the entire contents of the code box below.


Toolbar: HKU\S-1-5-21-329068152-1532298954-725345543-1004 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Extension: InternetHelper3.1  - C:\Documents and Settings\anthony\Application Data\Mozilla\Firefox\Profiles\f21i6sdy.default\Extensions\{07cbf788-1359-421b-a4e3-5a8d041b90a3} [2013-09-14]
FF Extension: SweetPacks  - C:\Documents and Settings\anthony\Application Data\Mozilla\Firefox\Profiles\f21i6sdy.default\Extensions\{7e8a1050-cf67-4575-92df-dcc60e7d952d} [2013-09-15]
FF Extension: Connect DLC 5  - C:\Documents and Settings\anthony\Application Data\Mozilla\Firefox\Profiles\f21i6sdy.default\Extensions\{d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc} [2013-11-05]
FF Extension: No Name - C:\Documents and Settings\anthony\Application Data\Mozilla\Firefox\Profiles\f21i6sdy.default\extensions\wecarereminder@bryan [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - No Path
CHR HKLM\...\Chrome\Extension: [jonjajmpblmjkhjemkalbddhodlehkfg] - C:\Documents and Settings\anthony\Local Settings\Application Data\CRE\jonjajmpblmjkhjemkalbddhodlehkfg.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [lipgolpfajiadodbcbljdpmbmbdmfcil] - C:\Documents and Settings\anthony\Local Settings\Application Data\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [nemfjadlboooiffmcelkafilagddogim] - C:\Documents and Settings\anthony\Local Settings\Application Data\CRE\nemfjadlboooiffmcelkafilagddogim.crx [Not Found]
CHR HKU\S-1-5-21-329068152-1532298954-725345543-1004\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\DOCUME~1\anthony\LOCALS~1\APPLIC~1\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [Not Found]
CHR HKU\S-1-5-21-329068152-1532298954-725345543-1004\...\Chrome\Extension: [jonjajmpblmjkhjemkalbddhodlehkfg] - C:\Documents and Settings\anthony\Local Settings\Application Data\CRE\jonjajmpblmjkhjemkalbddhodlehkfg.crx [Not Found]
CHR HKU\S-1-5-21-329068152-1532298954-725345543-1004\...\Chrome\Extension: [lipgolpfajiadodbcbljdpmbmbdmfcil] - C:\Documents and Settings\anthony\Local Settings\Application Data\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx [Not Found]
CHR HKU\S-1-5-21-329068152-1532298954-725345543-1004\...\Chrome\Extension: [nemfjadlboooiffmcelkafilagddogim] - C:\Documents and Settings\anthony\Local Settings\Application Data\CRE\nemfjadlboooiffmcelkafilagddogim.crx [Not Found]
R2 Northern Themes Service; C:\Documents and Settings\anthony\AppData\NTSFile\NTS.exe [227840 2015-01-20] (NTS Co., Ltd.") [File not signed]
CustomCLSID: HKU\S-1-5-21-329068152-1532298954-725345543-1004_Classes\CLSID\{66E8DCC7-97D2-4A89-8E08-D0610FF0878C}\InprocServer32 -> C:\Documents and Settings\anthony\Local Settings\Application Data\Conduit\Community Alerts\Alert.dll (the data entry has 8 more characters).
C:\Documents and Settings\anthony\Local Settings\Application Data\Conduit

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Download Malwarebytes-Anti-Malware

Click here.
 

  • double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7 users, please right-click and select “Run as Administrator”)
  • select the “Scan” tab at the top
  • there are three scan types; choose Threat Scan, then click on Scan
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Logs to include with the next post:

Fixlog.txt
Mbam.txt


Can you tell me how your computer is running now?

Satchfan
 

 


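The fixlist above is built by reading FRST.txt and copying out the entries to be removed: browser extensions registered in the registry whose package is no longer on disk, a toolbar with no file behind it, an unsigned service and a per-user COM server running from the user's profile, plus a leftover folder. As an added example (not code from the thread, from FRST, or from FRST's author), the Python script below applies those same triage rules to the thread's own entries, embedded as constructed sample input. It assumes the entry formats shown in this post (the `CHR ... Extension:`, `FF Extension:`, `R2` service, `Toolbar:` and `CustomCLSID:` lines) and takes an analyst-supplied set of extension names, `ANALYST_SUSPECT_NAMES`, which is an assumption for the example rather than anything FRST provides. It reads text only and changes nothing on the machine; what it flags it emits verbatim, because an FRST fixlist is made of the log lines themselves.

```python
"""Triage FRST log entries into fixlist candidates.

Added example for this thread, not code from the thread, from FRST or from
FRST's author. It reads FRST-style entries as text and changes nothing on the
machine. Entries it flags are emitted verbatim, because an FRST fixlist is
built from the log lines themselves.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample input: entries copied from the fixlist posted in this thread.
SAMPLE_FRST_LINES = r"""
Toolbar: HKU\S-1-5-21-329068152-1532298954-725345543-1004 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Extension: InternetHelper3.1  - C:\Documents and Settings\anthony\Application Data\Mozilla\Firefox\Profiles\f21i6sdy.default\Extensions\{07cbf788-1359-421b-a4e3-5a8d041b90a3} [2013-09-14]
FF Extension: SweetPacks  - C:\Documents and Settings\anthony\Application Data\Mozilla\Firefox\Profiles\f21i6sdy.default\Extensions\{7e8a1050-cf67-4575-92df-dcc60e7d952d} [2013-09-15]
FF Extension: Connect DLC 5  - C:\Documents and Settings\anthony\Application Data\Mozilla\Firefox\Profiles\f21i6sdy.default\Extensions\{d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc} [2013-11-05]
FF Extension: No Name - C:\Documents and Settings\anthony\Application Data\Mozilla\Firefox\Profiles\f21i6sdy.default\extensions\wecarereminder@bryan [Not Found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - No Path
CHR HKLM\...\Chrome\Extension: [jonjajmpblmjkhjemkalbddhodlehkfg] - C:\Documents and Settings\anthony\Local Settings\Application Data\CRE\jonjajmpblmjkhjemkalbddhodlehkfg.crx [Not Found]
CHR HKU\S-1-5-21-329068152-1532298954-725345543-1004\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\DOCUME~1\anthony\LOCALS~1\APPLIC~1\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [Not Found]
R2 Northern Themes Service; C:\Documents and Settings\anthony\AppData\NTSFile\NTS.exe [227840 2015-01-20] (NTS Co., Ltd.") [File not signed]
CustomCLSID: HKU\S-1-5-21-329068152-1532298954-725345543-1004_Classes\CLSID\{66E8DCC7-97D2-4A89-8E08-D0610FF0878C}\InprocServer32 -> C:\Documents and Settings\anthony\Local Settings\Application Data\Conduit\Community Alerts\Alert.dll (the data entry has 8 more characters).
C:\Documents and Settings\anthony\Local Settings\Application Data\Conduit
"""

# Assumption for this example: names the responder decided to remove. FRST has
# no such list; a person supplies it after reading the log.
ANALYST_SUSPECT_NAMES = {"InternetHelper3.1", "SweetPacks", "Connect DLC 5"}

# Entry shapes as they appear in this thread (assumed, not an FRST specification).
USER_PROFILE = re.compile(r"\\(Documents and Settings|Users)\\[^\\]+\\", re.I)
CHR_EXT = re.compile(r"^CHR (HKLM|HKU\\S-[\d-]+)\\\.\.\.\\Chrome\\Extension: \[([a-p]{32})\] - (.+)$")
FF_EXT = re.compile(r"^FF Extension: (.+?)\s+- (.+)$")
SERVICE = re.compile(r"^[RS]\d (.+?); (.+?) \[\d+ \d{4}-\d{2}-\d{2}\]")
CLSID = re.compile(r"^CustomCLSID: (HKU\\[^\\]+|HKLM)\\.*InprocServer32 -> (.+)$")
TOOLBAR = re.compile(r"^Toolbar: .* -\s+No File$")
BARE_PATH = re.compile(r"^[A-Za-z]:\\")


def classify(line: str) -> Optional[str]:
    """Return why a line belongs in a fixlist, or None if it looks benign."""
    line = line.rstrip()
    m = CHR_EXT.match(line)
    if m:
        hive, ext_id, target = m.groups()
        # A registry-registered Chrome extension with no package on disk is a
        # dead registration; remove it whatever its origin.
        if target == "No Path" or target.endswith("[Not Found]"):
            return f"{hive}-registered Chrome extension {ext_id} with no package on disk"
        return None
    m = FF_EXT.match(line)
    if m:
        name, target = m.groups()
        if target.endswith("[Not Found]"):
            return f"orphaned Firefox extension entry ({name})"
        if name in ANALYST_SUSPECT_NAMES:
            return f"Firefox extension named by the analyst ({name})"
        return None
    m = SERVICE.match(line)
    if m:
        name, image = m.groups()
        # Services normally live under Program Files or System32 and are signed.
        if "[File not signed]" in line and USER_PROFILE.search(image):
            return f"unsigned service '{name}' running from a user profile"
        return None
    m = CLSID.match(line)
    if m and USER_PROFILE.search(m.group(2)):
        return "per-user COM server (CustomCLSID) loading from a user profile"
    if TOOLBAR.match(line):
        return "toolbar registration whose file is gone"
    if BARE_PATH.match(line):
        return "directory listed explicitly for deletion"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Pair each flagged entry with the reason it was flagged."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            flagged.append((reason, line))
    return flagged


def build_fixlist(log_text: str) -> str:
    """Emit the flagged entries verbatim, the form FRST expects in fixlist.txt."""
    return "\n".join(line for _, line in triage(log_text)) + "\n"


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_FRST_LINES):
        print(f"{reason}\n    {line}")
    print("--- fixlist.txt ---")
    print(build_fixlist(SAMPLE_FRST_LINES), end="")
```

Orphaned entries are flagged on the same basis whether they belong to adware or to a legitimate product such as Google Drive: a registry registration with nothing behind it is dead weight either way, and the responder's fixlist removes it along with the rest. The script only proposes lines for a person to review; as the note in the post says, a fixlist is written for one machine, and nothing here changes that.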


#6 bikefixer
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Male
  • Location:Pennsylvania

Posted 12 February 2015 - 08:09 PM

I don't have Firefox and my computer is running ok. 



#7 satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK

Posted 13 February 2015 - 03:06 AM

Can you still follow the instructions, as you are not clear yet?




#8 satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK

Posted 15 February 2015 - 02:42 PM

Hi bikefixer

It has been several days since I sent my last set of instructions to help with your computer problem.

"I don't have Firefox and my computer is running ok."
That was your last response in reply to my instructions to your request for help.

Either that is your way of saying “thank you for your help” or you have not had time to respond properly. Either way, please let me know if you are having problems and still need help.

Satchfan
 



#9 satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK

Posted 19 February 2015 - 04:17 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





