From bundled crapware/adware that came with a CNET downloader I got a nasty tab-page hijacker. AdwCleaner got that off.
The only problem remaining is that when I click Settings and “About Google Chrome” it says Google Update is disabled by admin.
How do I get the automatic updater back? Did the hijacker code change something in the registry?
See logs.
Successfully changed the value in the registry for the Chrome update policy, now set to 1, and the updater is now checked and run normally.
That’s one. The malware had to change this because with every new update the malcreation would have been tampered with, I assume.
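As an added example (not the poster's own steps), here is how the "disabled by admin" state can be checked and reset from an elevated PowerShell prompt instead of by hand in the registry editor. It assumes the documented Google Update policy location HKLM\SOFTWARE\Policies\Google\Update, where UpdateDefault and Update{app-guid} use 0 = disabled and 1 = always allow, that {8A69D345-D564-463C-AFF1-A69D9E530F96} is Chrome's app GUID, and that AutoUpdateCheckPeriodMinutes = 0 suppresses update checks; the -Fix switch is this script's own.

```powershell
# Added example, not from the thread. Reads the Google Update policy values that make
# Chrome report "updates are disabled by the administrator" and resets the blocking ones.
# Assumed: HKLM\SOFTWARE\Policies\Google\Update holds UpdateDefault / Update{guid}
# (0 = disabled, 1 = always allow) and AutoUpdateCheckPeriodMinutes (0 = never check).
param([switch]$Fix)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Update'
$ChromeGuid = '{8A69D345-D564-463C-AFF1-A69D9E530F96}'   # assumed Chrome app GUID
$Names      = @('UpdateDefault', "Update$ChromeGuid", 'AutoUpdateCheckPeriodMinutes')

function Get-GoogleUpdatePolicy {
    # Returns one object per policy value that is present, with Blocks = $true when
    # that value is what stops Chrome from updating.
    if (-not (Test-Path $PolicyKey)) {
        Write-Host 'No Google Update policy key present; updates are not blocked by policy.'
        return @()
    }
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($n in $Names) {
        $v = $props.PSObject.Properties[$n]
        if ($null -eq $v) { continue }
        # 0 means "disabled" for the Update* values and "never check" for the period value.
        [pscustomobject]@{ Name = $n; Value = $v.Value; Blocks = ($v.Value -eq 0) }
    }
}

$findings = @(Get-GoogleUpdatePolicy)
$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object Blocks)) {
    if ($Fix) {
        # Deleting the value restores the built-in default (updates allowed). For the
        # Update* values this is equivalent to the "set to 1" fix used in the thread;
        # for the period value deleting is safer than guessing a number of minutes.
        Remove-ItemProperty -Path $PolicyKey -Name $f.Name
        Write-Host "Removed blocking policy value $($f.Name) (was $($f.Value))"
    } else {
        Write-Warning "$($f.Name) = $($f.Value) is blocking Chrome updates; rerun with -Fix to reset it"
    }
}
```

Two caveats a practitioner would want: HKLM\SOFTWARE\Policies is not WOW64-redirected, so there is no separate Wow6432Node copy to check, and on a domain-joined machine a Group Policy Object will silently reapply these values at the next refresh, so a reappearing policy there is not necessarily the malware coming back.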
Saw I had also run into a variant of the Win32/Gleishug trojan that tampered with my browser settings!
I’d like to “thank” the developer of that Windows IDS for the bundled crapware, which is hard to uninstall even for advanced users.
Also have to give a few extra points to AdwCleaner for doing a great job on the old laptop. Smeenk’s tool is great, but you cannot foresee all situations, and the battle between cleansers and malcreants is fought out in the trenches on the web forum here.
So you see, downloading from certain sources is almost Russian roulette now if you want to avoid junk and crap.
The crap I had is there to earn the ad rouble that “falls off the back of the lorry”, e.g. fraudulent click redirections…
Thanks to you for watching and cleansing the residue and seeing to it that the system is again clean and secure…
Just have to check whether this was taken into consideration: [quote]
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
[/quote]
SearchScopes can be considered a form of Trojan.Vundo, can’t they?
MBAM has detected changed default settings. MBAM detected that entry because some malware also wants to play with these settings.
[quote]SearchScopes can be considered a form of Trojan.Vundo, can’t they?[/quote]
No, they are just browser search scope entries (providers) related to IE. In general it’s a vulnerable spot that toolbars, adware or even malware like to use.
Thank you for the additional explanation. Will do the read-up about that.
Have to say that your colleague, argus, did a fine job interpreting the zoek.exe results and building the scripts.
It is a pity that all the known tools only take out part of that adware → SAS does some, MBAM takes part, AdwCleaner most, but in the end I had to manually reset the Chrome browser update policy in the registry. It was missed, but in hindsight I may have read that MBAM would alert on this.
Guys, you’re doing an excellent job here,
[quote]It is a pity that all the known tools only take out part of that adware -> SAS does some, MBAM takes part, AdwCleaner most[/quote]
They all target only entries known to them. They are unaware of entries they have not been taught to aim at.
For example:
You wrote some malware that loads its file into %temp%\polonus.exe and puts its registry entry in the startup key under the name “pol”.
Then Argus and I wrote a tool that will target your malware by name (this is usually done via a wildcard).
Then you rewrite your malware to be loaded from %System%\some_legit_name.exe and set your mal-key to be loaded under a different value name, for example.
Our tool will no longer know your new modified malware.
This is a textbook example of course, just for understanding. ;D
Adware is now “hit&in” and they non-stop seek to improve and find other ways to retain the entries they want in the registry, so that browsers, even after uninstalling the toolbar or some adware, are still transferred to their desired page.
The analysis is sometimes the only way to remove all related entries because their uninstaller is … :
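The textbook example above (a name or wildcard list misses a sample renamed to %System%\some_legit_name.exe) and the earlier explanation of IE SearchScopes both point the same way: when the known-name tools run out, you look at what the entries actually point to. The following added example (my own, not the helper's tool or zoek.exe) lists the Run/RunOnce autostarts and the IE SearchScopes and flags them by location, signature state and target URL rather than by file name, and also reads the Security Center UpdatesDisableNotify value that MBAM reported as PUM.Disabled.SecurityCenter. The registry paths are the standard Windows ones; the "familiar search engine" list and the user-writable-directory heuristic are assumptions chosen for illustration, and every flag is something for a human to judge, not a verdict.

```powershell
# Added example, not the thread's own tooling. Flags autostart and search-provider
# entries by where they point, not by a known name, so a renamed sample still shows up.
# Assumed: standard Run/RunOnce, SearchScopes and Security Center registry locations;
# the heuristics (user-writable dirs, "familiar" engines) are illustrative only.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ScopeKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes'
)
# Directories a non-admin process can write to; an autostart living here deserves a look.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, "$env:USERPROFILE\Downloads")
# Assumed list of engines considered "familiar"; anything else is flagged for review.
$FamiliarEngines = 'bing\.com|google\.|duckduckgo\.com'

function Get-ExePath([string]$cmd) {
    # "C:\dir\app.exe" /arg  ->  C:\dir\app.exe ; unquoted commands take the first token.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-Autostarts {
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those.
        foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $exe = Get-ExePath ([string]$prop.Value)
            if (-not $exe) { continue }
            $reasons = @()
            if ($UserWritable | Where-Object { $exe -like "$_*" }) { $reasons += 'runs from user-writable dir' }
            if (-not (Test-Path -LiteralPath $exe)) {
                $reasons += 'target missing (orphaned entry)'
            } elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
                $reasons += 'unsigned or invalid signature'
            }
            [pscustomobject]@{ Key = $k; Name = $prop.Name; Target = $exe; Flags = ($reasons -join '; ') }
        }
    }
}

function Test-SearchScopes {
    foreach ($k in $ScopeKeys) {
        if (-not (Test-Path $k)) { continue }
        $default = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem -Path $k) {
            $url  = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
            $flag = if ($url -and $url -notmatch $FamiliarEngines) { 'unfamiliar search URL' } else { '' }
            [pscustomobject]@{ Key = $k; Scope = $scope.PSChildName; IsDefault = ($scope.PSChildName -eq $default); URL = $url; Flags = $flag }
        }
    }
}

function Get-SecurityCenterNotify {
    # MBAM's PUM.Disabled.SecurityCenter hit: 1 = update notifications suppressed, 0 = default.
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue).UpdatesDisableNotify
    [pscustomobject]@{ UpdatesDisableNotify = $v; Flags = $(if ($v -eq 1) { 'update notifications suppressed' } else { '' }) }
}

Test-Autostarts         | Format-Table -AutoSize -Wrap
Test-SearchScopes       | Format-Table -AutoSize -Wrap
Get-SecurityCenterNotify | Format-Table -AutoSize
```

The design choice is deliberate: nothing here matches a file name, so the "pol" entry pointing at %temp%\polonus.exe and its rewritten cousin in %System% both surface, the first because of its directory, the second because a dropped binary is rarely Authenticode-signed. Run it from an elevated prompt so the HKLM keys are readable, and treat an unfamiliar search URL as a prompt to look, not as proof of infection; plenty of legitimate toolbars add scopes too.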
I guess the app was called “DefaultTab” or Sweetpacks. Not sure which one, but one of these downgraded my Chrome installation and made it run without administrator privileges. How’s that even possible? Had to reinstall Chrome.
How is it possible? Well, this is a little extra that comes bundled with some software downloaders; it starts to download the crap right away, and what it does to the registry happens even before you get a chance to untick these little joyful extras. It is just to score money on fraudulently redirected clicks for those who put this little monster of crap- and junkware together for cybercriminals. It is considered adware/spyware, but the non-advanced user gets stuck trying to get rid of it: it won’t leave the system, it gets reinstalled, and it even makes it so you can no longer update the Chrome browser. Normal tools only remove parts of it. As you saw in the thread, the combination of AdwCleaner and a very strong specialist script tool like Smeenk’s zoek.exe, under guidance, removed it and turned the computer back to its state before this infection. Another nastiness of it is that the downloader as such is not flagged by AV or by pre-scanners, only after the browser manipulation, e.g. the hijack, has taken place. No, not a nice piece of BHO to run into… or rather to cleanse…