iStart malware, how to delete it?

Hi, I can’t remove this malware, please help me!

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.

Sorry, but it doesn’t delete the malware.

No, it will produce a log, which I will then use to generate a script to remove it :)

Could you attach the two logs it generated?

Oh, sorry, I didn’t know the translation for attach, so how do I attach it here?

Thank you

If you do not understand anything, please ask.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM-x32\...\Run: [fst_it_180] => [X]
HKLM-x32\...\Run: [fst_it_193] => [X]
HKLM-x32\...\Run: [fst_it_196] => [X]
IFEO\DatamngrCoordinator.exe: [Debugger] tasklist.exe
Startup: C:\Users\mio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TornTvDownloader.lnk
ShortcutTarget: TornTvDownloader.lnk -> C:\Users\mio\AppData\Roaming\TornTV.com\Torntv Downloader.exe (No File)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-823245312-4192679623-1061001583-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1424110039&from=face&uid=395049983_1052451_5CC041BD
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1424110026&from=face&uid=395049983_1052451_5CC041BD&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1424110039&from=face&uid=395049983_1052451_5CC041BD
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1424110026&from=face&uid=395049983_1052451_5CC041BD&q={searchTerms}
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
URLSearchHook: HKU\S-1-5-21-823245312-4192679623-1061001583-1000 - (No Name) - {84FF7BD6-B47F-46F8-9130-01B2696B36CB} - No File
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=ds&ts=1424110026&from=face&uid=395049983_1052451_5CC041BD&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=tuto_14_18&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDyEyByCzz0FtCyEtC0B0DtN0D0Tzu0SzytCzytN1L2XzutBtFtBtCtFtCtCtFtBtN1L1Czu2Z2Y2Z1F1VtCyE1VtCzztN1L1G1B1V1N2Y1L1Qzu2SyD0C0E0DzyyEyDtCtGtD0FyCyEtGtCzy0EtBtGyCyD0AyEtGyCtA0C0A0DtC0ByB0BtC0Bzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB0ByCtBtCtCtDyCtGyB0B0D0BtG0AtByC0CtG0D0CzzyDtGtC0AtAyByDyBzy0DyC0AyD0B2Q&cr=353109550&ir=
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=ds&ts=1424110026&from=face&uid=395049983_1052451_5CC041BD&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1424110039&from=face&uid=395049983_1052451_5CC041BD&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823245312-4192679623-1061001583-1000 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=face&utm_campaign=install_ie&utm_content=ds&from=face&uid=395049983_1052451_5CC041BD&ts=1424110065&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823245312-4192679623-1061001583-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=face&utm_campaign=install_ie&utm_content=ds&from=face&uid=395049983_1052451_5CC041BD&ts=1424110065&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823245312-4192679623-1061001583-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=face&utm_campaign=install_ie&utm_content=ds&from=face&uid=395049983_1052451_5CC041BD&ts=1424110065&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823245312-4192679623-1061001583-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1424110039&from=face&uid=395049983_1052451_5CC041BD&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823245312-4192679623-1061001583-1000 -> {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=face&utm_campaign=install_ie&utm_content=ds&from=face&uid=395049983_1052451_5CC041BD&ts=1424110065&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823245312-4192679623-1061001583-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=face&utm_campaign=install_ie&utm_content=ds&from=face&uid=395049983_1052451_5CC041BD&ts=1424110065&type=default&q={searchTerms}
BHO-x32: IETabPage Class -> {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} -> C:\Program Files (x86)\XTab\SupTab.dll No File
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} -> No File
BHO-x32: No Name -> {E10D0846-2FE5-FB94-C972-7D137FF4F0E9} -> No File
CHR HKLM\...\Chrome\Extension: [iagcajndpnfncplednpbnkahadegklfa] - No Path
R2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [487056 2015-02-16] (SysTool PasSame LIMITED)
2015-02-16 19:07 - 2015-02-16 19:07 - 00000000 ___DC () C:\Users\mio\AppData\Roaming\istartsurf
2015-02-16 19:07 - 2015-02-16 19:07 - 00000000 ___DC () C:\ProgramData\WindowsMangerProtect
2015-02-16 19:07 - 2015-02-16 19:07 - 00000000 ___DC () C:\ProgramData\IHProtectUpDate
R2 qrsvc_1.10.0.8; C:\Program Files (x86)\QuickRef_1.10.0.8\Service\qrsvc.exe [278592 2015-01-21] (Quick Ref)
2015-02-16 19:05 - 2015-02-16 19:06 - 00000000 ___DC () C:\Program Files (x86)\QuickRef_1.10.0.8
2015-01-21 20:39 - 2015-01-21 20:39 - 00058224 _____ (Quick Ref) C:\Windows\system32\Drivers\qrnfd_1_10_0_8.sys
2015-02-20 20:50 - 2014-07-07 13:50 - 00000284 _____ () C:\Windows\Tasks\MySearchDial.job
2015-01-29 19:07 - 2015-01-19 21:00 - 00000000 ___DC () C:\Users\mio\AppData\Local\ConvertAd
2014-05-25 18:22 - 2014-05-19 06:19 - 1705063 ____C (AnyProtect.com) C:\Users\mio\AppData\Local\AnyProtectScannerSetup.exe
Task: {5E2D67D8-97B7-4760-8762-D3337062A983} - System32\Tasks\APSnotifierPP3 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {6A426F2A-24AA-4C4B-93F2-5CF20D8A03DE} - System32\Tasks\APSnotifierPP1 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {6F93BC80-BC80-454A-85AC-5983A356A41C} - System32\Tasks\MySearchDial => C:\Users\mio\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {84899187-9EC3-4046-81FA-5343131A0EBB} - System32\Tasks\APSnotifierPP2 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {9127B37C-7E93-40DD-A63D-2241023BF3CA} - System32\Tasks\Advanced System Protector_startup => C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe <==== ATTENTION
Task: {FA73E65C-A831-4BE4-81ED-14569E8DCAF7} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\MySearchDial.job => C:\Users\mio\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\Users\mio\AppData\Roaming\MYSEAR~1
C:\Program Files (x86)\AnyProtectEx
C:\Program Files (x86)\MyPC Backup
C:\Program Files (x86)\Advanced System Protector
C:\ProgramData\WindowsMangerProtect
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
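
An added reading aid, not part of the original thread and not FRST's own parser: this Python script groups fixlist entries by the persistence or hijack location they touch, so it is easier to see what the fix above covers. The category names, the functions `classify` and `group_fixlist`, and the prefix patterns are assumptions derived only from the entries visible in this thread's fixlist.

```python
import re
from collections import defaultdict

# Prefix patterns inferred from this thread's fixlist entries (assumption,
# not FRST's grammar). Order matters: the first matching rule wins.
RULES = [
    ("directive",       re.compile(r"^(CreateRestorePoint:|EmptyTemp:|CMD:)")),
    ("run-key",         re.compile(r"^HK(LM|U)\S*\\\.\.\.\\Run:")),
    ("ifeo-debugger",   re.compile(r"^IFEO\\")),
    ("startup-folder",  re.compile(r"^(Startup:|ShortcutTarget:)")),
    ("browser-policy",  re.compile(r"^(GroupPolicy:|CHR HK\S+\\SOFTWARE\\Policies\\)", re.I)),
    ("ie-start-search", re.compile(r"^(HK\S+\\Software\\Microsoft\\Internet Explorer\\Main,"
                                   r"|SearchScopes:|URLSearchHook:)")),
    ("browser-addon",   re.compile(r"^(BHO(-x32)?:|CHR HKLM\\\.\.\.\\Chrome\\Extension:)")),
    ("service",         re.compile(r"^[RS]\d \S+; ")),
    ("scheduled-task",  re.compile(r"^Task: ")),
    ("file-listing",    re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ")),
    ("path",            re.compile(r"^[A-Za-z]:\\")),
]

def classify(entry):
    # Return the first category whose prefix pattern matches the entry.
    for name, pattern in RULES:
        if pattern.search(entry):
            return name
    return "unrecognised"

def group_fixlist(text):
    # Map category -> list of entries, skipping blank lines.
    groups = defaultdict(list)
    for raw in text.splitlines():
        entry = raw.strip()
        if entry:
            groups[classify(entry)].append(entry)
    return dict(groups)

# Sample input: entries excerpted from the fixlist posted in this thread.
SAMPLE = r"""
CreateRestorePoint:
HKLM-x32\...\Run: [fst_it_180] => [X]
IFEO\DatamngrCoordinator.exe: [Debugger] tasklist.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} -> No File
R2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [487056 2015-02-16] (SysTool PasSame LIMITED)
Task: C:\Windows\Tasks\MySearchDial.job => C:\Users\mio\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\ProgramData\WindowsMangerProtect
EmptyTemp:
"""
if __name__ == "__main__":
    for category, entries in group_fixlist(SAMPLE).items():
        print(f"{category}: {len(entries)}")
```

Any entry reported as `unrecognised` is one the patterns above do not cover and should be read by hand.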

OK

AdwCleaner should remove any registry entries that I missed. How is the computer now?

With AdwCleaner it is all right now!! Thanks