Infected with CrossBrowser and possibly others


This topic is locked.
16 replies to this topic

#1 Pontiff (Members, 19 posts)

Posted 13 November 2015 - 03:10 PM

I downloaded a program called Unlocker 1.9.2 from emptyloop.com and it infected the bejeezus out of my computer... I got rid of most of it, but AdwCleaner keeps coming back to me with stuff in the registry to do with CrossBrowser and something called "Conduit".

 

Any help would be appreciated

 

Thank you

Dimitri

 

P.S. Do I still need to run HijackThis?

 

Attached Files



#2 nasdaq (Malware Response Team, 38,955 posts, Montreal, QC. Canada)

Posted 17 November 2015 - 10:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program via the Control Panel > Programs & Features applet:
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden


HijackThis is no longer supported and is not ready for current operating systems.
I suggest you remove it also via the Control Panel > Programs and Features applet.
Use the Farbar tool from now on to report problems.
<<<>>>


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to the new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [Sound+] => "C:\Program Files\Sound+\Sound+.exe"
HKU\S-1-5-21-1921170443-2401868269-3031562822-1000\...\Run: [AdobeBridge] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1921170443-2401868269-3031562822-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1921170443-2401868269-3031562822-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: PathMaxx 1.0.1 - C:\Users\Dimitri\AppData\Roaming\Mozilla\Firefox\Profiles\aga6h62f.default-1444028623233\Extensions\{e397f020-161a-48a8-88c3-2258254d41a5}.xpi [2015-11-12] [not signed]
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.86\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.86\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll => No File
U1 Beep; no ImagePath
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\Program Files\Sound+
C:\Users\Dimitri\AppData\Roaming\Mozilla\Firefox\Profiles\aga6h62f.default-1444028623233\Extensions\{e397f020-161a-48a8-88c3-2258254d41a5}.xpi
Task: {10082BF7-C2BF-4DDC-BB73-ABB750BCA061} - \CIMT_daily_S-1-5-21-1921170443-2401868269-3031562822-1000 -> No File <==== ATTENTION
Task: {1E8D6AF3-3B44-40CA-913A-7C99763AA3B0} - \ProPCCleaner_Popup -> No File <==== ATTENTION
Task: {86567AF1-E8C1-4608-8956-F3FCBB8B1E85} - \KXJRB1 -> No File <==== ATTENTION
Task: {98CEF4A7-6269-4F3A-92A6-3AB14B468C37} - \CIMT_S-1-5-21-1921170443-2401868269-3031562822-1000 -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

After having restarted the computer run the AdwCleaner tool.
Post the log if anything is found.

===

How is the computer running now?
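The fixlist above is a list of persistence points rather than a program, so as an added example (my code, not FRST's and not part of nasdaq's post) here is a small Python triage script that parses those line layouts. Its sample input is the entry lines copied from the fix; the category names and the regular expressions are my own reading of the FRST layout, not an official grammar, and the script ignores the FRST commands (CreateRestorePoint:, EmptyTemp:, bare file paths). The useful split it makes is between entries whose target still exists (the Sound+ autorun, the two Internet Explorer policy restrictions, the unsigned PathMaxx extension) and entries FRST marks with [X], No File or no ImagePath: those are orphaned remnants that the adware's uninstaller left behind, which is exactly the kind of thing that keeps AdwCleaner reporting after the files are gone.

```python
"""Triage of the entry lines in an FRST fixlist (added example; not FRST's
code and not part of the original post).

Each non-command line in the fix names a persistence point: an autorun
value, a policy restriction, a browser extension or plugin, a driver or
service entry, or a scheduled task. FRST marks targets it cannot find with
"[X]", "No File" or "no ImagePath", and suspicious lines with "ATTENTION".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry lines copied from the fixlist above.
SAMPLE_FIXLIST = r"""
HKLM\...\Run: [Sound+] => "C:\Program Files\Sound+\Sound+.exe"
HKU\S-1-5-21-1921170443-2401868269-3031562822-1000\...\Run: [AdobeBridge] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Extension: PathMaxx 1.0.1 - C:\Users\Dimitri\AppData\Roaming\Mozilla\Firefox\Profiles\aga6h62f.default-1444028623233\Extensions\{e397f020-161a-48a8-88c3-2258254d41a5}.xpi [2015-11-12] [not signed]
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.86\ppGoogleNaClPluginChrome.dll => No File
U1 Beep; no ImagePath
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
Task: {1E8D6AF3-3B44-40CA-913A-7C99763AA3B0} - \ProPCCleaner_Popup -> No File <==== ATTENTION
"""


@dataclass
class Entry:
    kind: str        # persistence class: autorun, policy, ff_ext, chr_plugin, service, task
    name: str        # the entry's own name or key
    target: str      # what it launches or points at
    orphaned: bool   # FRST could not find the target
    flagged: bool    # FRST added an ATTENTION marker


# My own approximation of the FRST line layouts seen above (assumption, not
# an official grammar). Order only matters where prefixes could overlap.
_PATTERNS = [
    ("autorun",    re.compile(r"^(?:HKLM(?:-x32)?|HKU\\S-[\d-]+)\\\.\.\.\\Run\w*: \[(?P<name>[^\]]+)\] => (?P<target>.*)$")),
    ("policy",     re.compile(r"^(?P<name>GroupPolicyScripts|HK\w+\\[^:]*Policies[^:]*): (?P<target>Restriction)")),
    ("ff_ext",     re.compile(r"^FF Extension: (?P<name>.+?) - (?P<target>.+?\.xpi)")),
    ("chr_plugin", re.compile(r"^CHR Plugin: \((?P<name>[^)]+)\) - (?P<target>.+?)(?: => No File)?$")),
    ("service",    re.compile(r"^[URS]\d (?P<name>[^;]+); (?P<target>.*)$")),
    ("task",       re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - \\(?P<name>.+?) -> (?P<target>.*?)(?: <====.*)?$")),
]
_ORPHAN_MARKERS = ("[X]", "No File", "no ImagePath")


def parse_entry(line: str) -> Optional[Entry]:
    """Classify one fixlist line; returns None for FRST commands, paths and blanks."""
    line = line.strip()
    for kind, pat in _PATTERNS:
        m = pat.match(line)
        if m:
            return Entry(kind=kind,
                         name=m.group("name").strip(),
                         target=m.group("target").strip().strip('"'),
                         orphaned=any(mk in line for mk in _ORPHAN_MARKERS),
                         flagged="ATTENTION" in line)
    return None


def triage(fixlist: str) -> List[Entry]:
    return [e for e in map(parse_entry, fixlist.splitlines()) if e is not None]


def live_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target still exists: the actual adware components, worth
    hashing or submitting before deletion. Orphaned ones are just remnants."""
    return [e for e in entries if not e.orphaned]


if __name__ == "__main__":
    for e in triage(SAMPLE_FIXLIST):
        state = "ORPHAN" if e.orphaned else "LIVE"
        print(f"{state:6} {e.kind:10} {e.name!r:55} -> {e.target}")
```

Run as-is it prints one line per entry; on a real Fixlog.txt the live entries are the ones to look at (an unsigned .xpi and a Program Files executable can be hashed and checked), while the orphans are safe to delete blind, since there is nothing left on disk for them to start.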

#3 Pontiff (Topic Starter, Members, 19 posts)

Posted 18 November 2015 - 02:40 AM

Thanks for responding so quickly!

 

I uninstalled HijackThis, but was unable to uninstall Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) because it was not on the list (hidden)... is there a way to unhide it?

 

Did the fixlist.txt and ran it.

 

Ran AdwCleaner and it found a file called Malware Cleaner (or something like that), which it removed. AdwCleaner did not auto-generate a log file and I forgot to hit the button (sorry about that). But I suspect the Malware Cleaner app was from a Vuze install.... Ran AdwCleaner a second time and it found nothing.

 

Ran FRST64 again to generate post-fix logs for the sake of being thorough.

 

Attached are the fixlog.txt, FRST, and Addition log files.

 

Much appreciation

Pontiff

Attached Files



#4 Pontiff (Topic Starter, Members, 19 posts)

Posted 18 November 2015 - 02:44 AM

Sorry.. AdwCleaner did generate a log file and I found it... please find that attached here as well.

 

Thanks

 

Pontiff

Attached Files



#5 nasdaq (Malware Response Team, 38,955 posts, Montreal, QC. Canada)

Posted 18 November 2015 - 09:35 AM

unable to uninstall Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) because it was not on the list (hidden)... is there a way to unhide it?


Un-hide the files/folders
http://www.tech-recipes.com/rx/1269/vista_show_unhide_file_extensions/

The process may just be a remnant item in the registry.
If listed, remove it, or leave it alone if not found.

How is the computer running now?

#6 Pontiff (Topic Starter, Members, 19 posts)

Posted 18 November 2015 - 05:42 PM

I did this from within the Control Panel > Programs & Features applet and it still isn't showing up... any other suggestions?



#7 nasdaq (Malware Response Team, 38,955 posts, Montreal, QC. Canada)

Posted 19 November 2015 - 09:33 AM

Sorry, under Vista it's under the Programs icon.

See screen below.
http://screenshots.modemhelp.net/screenshots/Windows_Vista/Control_Panel/Home_View/Index.shtml

#8 nasdaq (Malware Response Team, 38,955 posts, Montreal, QC. Canada)

Posted 25 November 2015 - 11:39 AM

Are you still with me?

#9 Pontiff (Topic Starter, Members, 19 posts)

Posted 25 November 2015 - 12:13 PM

Sorry, yes I am... I know it's under the Programs icon... went to "Uninstall a Program", went to Organize > Folder and Search Options > View and selected the radio button "Show hidden files and folders" and clicked OK. However, Itibiti RTC still does not show up, so I am at a loss... how else do I get rid of it?

 

Thanks



#10 nasdaq (Malware Response Team, 38,955 posts, Montreal, QC. Canada)

Posted 26 November 2015 - 07:37 AM

Open your Task Manager, go to Processes and, if Itibiti.exe is listed, stop the process.

If not listed, then what we are seeing in your log is some remnant item in the registry.

Let's also look in the registry.

Please run the Farbar Recovery Scan Tool. Enter Itibiti in the Search box.
Click the Search Registry button and post the content of the Search.txt file in your next reply.

#11 Pontiff (Topic Starter, Members, 19 posts)

Posted 27 November 2015 - 03:34 AM

Thanks... so the process is not listed. I ran the tool and this is what it found:

 

Farbar Recovery Scan Tool (x64) Version:25-11-2015 02
Ran by Dimitri (2015-11-27 00:32:37)
Running from C:\Users\Dimitri\Downloads
Boot Mode: Normal

================== Search Registry: "Itibiti" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4]
"ProductName"="Itibiti RTC"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4\SourceList]
"LastUsedSource"="n;1;C:\Program Files (x86)\Itibiti Soft Phone\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4\SourceList\Net]
"1"="C:\Program Files (x86)\Itibiti Soft Phone\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4\InstallProperties]
"InstallSource"="C:\Program Files (x86)\Itibiti Soft Phone\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4\InstallProperties]
"Publisher"="Itibiti Inc"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4\InstallProperties]
"DisplayName"="Itibiti RTC"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}]
"InstallSource"="C:\Program Files (x86)\Itibiti Soft Phone\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}]
"Publisher"="Itibiti Inc"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}]
"DisplayName"="Itibiti RTC"

====== End of Search ======



#12 nasdaq (Malware Response Team, 38,955 posts, Montreal, QC. Canada)

Posted 27 November 2015 - 09:53 AM

Copy the text in the code box below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as type" is set to "All files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4\InstallProperties]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}]
Restart the computer when completed.

You can delete the fixme.reg file when done.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#13 Pontiff (Topic Starter, Members, 19 posts)

Posted 27 November 2015 - 11:55 AM

Thanks! Itibiti doesn't show up in the addition file anymore. Just to be safe, I've included the post-merge FRST and Addition logs. Please let me know if anything else needs to be done.

 

Sincerely

Pontiff

Attached Files



#14 nasdaq (Malware Response Team, 38,955 posts, Montreal, QC. Canada)

Posted 27 November 2015 - 02:12 PM

Looking good.

#15 Pontiff (Topic Starter, Members, 19 posts)

Posted 27 November 2015 - 02:34 PM

Awesome! Thanks so much for your help.

 

On a related note... any advice on what software is a good replacement for Unlocker (now that that program has gone adware)? It was great for allowing me to rename folders that would otherwise require a reboot or ending the Explorer process and re-running it.

 

Pontiff
