PUPs and Desktop HJ

Windows 7

Getting the “special offers” popping up on pages. URL redirections sometimes.
Had toolbars and the like.

2 scans with Malwarebytes showed many PUPs but no rootkits.
TDSSKiller was negative.
AVAST scan showed a rootkit and removed it.

See attached logs:

roguekiller

malwarebytes 2 scans

Damn, you have a very uh, infected computer…

O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 15469 more lines...

Damn bro. You have quite the adware city there.

Hi,

AVAST scan showed a rootkit and removed it.
Can you post a screenshot of what avast! has flagged as a rootkit? I would like to see that ...

The hosts file changes are legit; they are created by Spybot S&D.

I do not see any real malware, only PUP leftovers. Same goes for RogueKiller, only PUP. We need to hunt the leftovers …

First, from Control Panel > Programs and Features, try to find and uninstall the following, if you can.

YTDownloader
Shopper Pro (Goobzo Ltd is the company)
Optimizer Pro

If something can’t be uninstalled, skip it and go to the next one/step …

THEN …

Re-run OTL.exe.

[list]
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:Processes
killallprocesses

:Services
YTDownloader
SMUpdd

:Files
dir C:\Users\joanne\AppData\Local\Installer /c
C:\Program Files\YTDownloader
C:\Program Files\Common Files\Goobzo
C:\ProgramData\ShopperPro
C:\Program Files\Optimizer Pro
C:\Program Files\003
C:\Users\joanne\AppData\Roaming\Optimizer Pro

:OTL
IE - HKU\S-1-5-21-2568117436-2858999117-2817911596-1000..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/Results.aspx?gd=&ctid=CT3321972&octid=EB_ORIGINAL_CTID&ISID=M93938378-0FBB-4957-8FD8-DBFBDCB61D38&SearchSource=58&CUI=&UM=5&UP=SP9E31B6AA-0B50-44CD-ADBE-B59D5DAF2B5D&q={searchTerms}&SSPV=
IE - HKU\S-1-5-21-2568117436-2858999117-2817911596-1000..\SearchScopes\{3ECB4FFC-872B-485B-9A01-087CCD206B61}: "URL" = http://search.conduit.com/Results.aspx?gd=&ctid=CT3321972&octid=EB_ORIGINAL_CTID&ISID=M93938378-0FBB-4957-8FD8-DBFBDCB61D38&SearchSource=58&CUI=&UM=5&UP=SP9E31B6AA-0B50-44CD-ADBE-B59D5DAF2B5D&q={searchTerms}&SSPV=
IE - HKU\S-1-5-21-2568117436-2858999117-2817911596-1000..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://www-search.net/search.aspx?s=E55zadku1,52227bf8-77a3-46de-a943-08aa2f6ea06b,&q={searchTerms}
IE - HKU\S-1-5-21-2568117436-2858999117-2817911596-1000..\SearchScopes\{89D680E7-86AA-4C28-AA83-B04AFDDC7BCF}: "URL" = http://search.conduit.com/Results.aspx?gd=&ctid=CT3321972&octid=EB_ORIGINAL_CTID&ISID=M93938378-0FBB-4957-8FD8-DBFBDCB61D38&SearchSource=58&CUI=&UM=5&UP=SP9E31B6AA-0B50-44CD-ADBE-B59D5DAF2B5D&q={searchTerms}&SSPV=
IE - HKU\S-1-5-21-2568117436-2858999117-2817911596-1000..\SearchScopes\{B40B2376-896E-44F4-AC53-B69B93191454}: "URL" = http://search.conduit.com/Results.aspx?gd=&ctid=CT3321972&octid=EB_ORIGINAL_CTID&ISID=M93938378-0FBB-4957-8FD8-DBFBDCB61D38&SearchSource=58&CUI=&UM=5&UP=SP9E31B6AA-0B50-44CD-ADBE-B59D5DAF2B5D&q={searchTerms}&SSPV=
O2 - BHO: (Shopper Pro) - {A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C} - C:\ProgramData\ShopperPro\ShopperPro.dll (Goobzo Ltd.)
O4 - HKLM..\Run: [YTDownloader] C:\Program Files\YTDownloader\YTDownloader.exe (YTDownloader)
O4 - HKU\S-1-5-21-2568117436-2858999117-2817911596-1000..\Run: [Optimizer Pro] C:\Program Files\Optimizer Pro\OptProLauncher.exe (PC Utilities Software Limited)
O20 - AppInit_DLLs: (c:\progra~1\optimi~1\optpro~2.dll) - c:\Program Files\Optimizer Pro\OptProCrash.dll ()

:commands
[emptytemp]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.[/list]

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

NEXT …

Please download zoek by smeenk from here or here and save it to your Desktop.
Unpack the archive…
[list]
[*]Close any open browsers
[*] Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

StandardSearch;
SilentRunners;

[*] Click on the Run script button.
Please wait until a log report opens (this can be after reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named "zoek-results.log".
[/list]
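The reading of the OTL log given above (the 127.0.0.1 hosts entries are Spybot S&D immunization and block domains rather than redirect them; the IE SearchScopes, BHO, Run and AppInit_DLLs lines are the PUP leftovers) can be applied mechanically to a log. The Python below is an added example, not part of this thread, of OTL, or of any tool mentioned here. The sample log is constructed from the entry formats quoted above plus one invented non-loopback hosts line (a TEST-NET address, to show what a real hosts hijack looks like next to immunization entries), and the set of "expected" search providers is an assumption to be adjusted per machine.

```python
"""Triage OTL-style scan log lines: separate benign hosts-file blocking from
real hijacks and list the browser/autostart entries a cleaner would remove."""
import re
from collections import Counter
from typing import List, NamedTuple
from urllib.parse import urlsplit


class Finding(NamedTuple):
    category: str
    severity: str
    detail: str


# Patterns modelled on the O1 / IE / O2 / O4 / O20 line formats quoted in the thread.
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
SEARCHSCOPE_RE = re.compile(r'^IE - .*\\SearchScopes\\(\{[^}]+\}): "URL" = (\S+)')
BHO_RE = re.compile(r"^O2 - BHO: \((.*?)\) - (\{[^}]+\}) - (.+?) \((.*)\)$")
RUN_RE = re.compile(r"^O4 - (.+?)\\Run: \[(.+?)\] (.+?) \((.*)\)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: \((.*?)\) - (.+?) \((.*)\)$")

# A hosts entry pointing at one of these addresses only black-holes the name.
# Spybot S&D immunization writes thousands of such 127.0.0.1 lines; they are not a hijack.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption for this example: search providers considered normal on the machine.
EXPECTED_SEARCH_HOSTS = frozenset({"www.bing.com", "www.google.com"})

# Constructed sample input (formats taken from the thread; the 203.0.113.10 line is invented).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 203.0.113.10 www.example-bank.invalid
IE - HKU\S-1-5-21-2568117436-2858999117-2817911596-1000..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/Results.aspx?q={searchTerms}
IE - HKU\S-1-5-21-2568117436-2858999117-2817911596-1000..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://www-search.net/search.aspx?q={searchTerms}
O2 - BHO: (Shopper Pro) - {A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C} - C:\ProgramData\ShopperPro\ShopperPro.dll (Goobzo Ltd.)
O4 - HKLM..\Run: [YTDownloader] C:\Program Files\YTDownloader\YTDownloader.exe (YTDownloader)
O20 - AppInit_DLLs: (c:\progra~1\optimi~1\optpro~2.dll) - c:\Program Files\Optimizer Pro\OptProCrash.dll ()
""".strip()


def triage(log_text: str, expected_search_hosts=EXPECTED_SEARCH_HOSTS) -> List[Finding]:
    """Return one Finding per suspicious line; benign black-hole hosts entries produce none."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in BLACKHOLE_IPS:
                # Name resolves somewhere real: that is a redirect, not a block.
                findings.append(Finding("hosts-redirect", "high", f"{host} -> {ip}"))
        elif m := SEARCHSCOPE_RE.match(line):
            guid, url = m.groups()
            host = urlsplit(url).hostname or ""
            if host not in expected_search_hosts:
                findings.append(Finding("search-scope", "medium", f"{guid} -> {host}"))
        elif m := BHO_RE.match(line):
            name, _guid, path, vendor = m.groups()
            findings.append(Finding("bho", "medium", f"{name}: {path} ({vendor or 'no publisher'})"))
        elif m := RUN_RE.match(line):
            hive, name, path, vendor = m.groups()
            findings.append(Finding("autorun", "medium", f"{hive} [{name}] {path} ({vendor or 'no publisher'})"))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs loads the DLL into every process that links user32.dll.
            _value, path, vendor = m.groups()
            findings.append(Finding("appinit-dll", "high", f"{path} ({vendor or 'no publisher'})"))
    return findings


def count_blackholed_hosts(log_text: str) -> int:
    """Number of O1 hosts entries that merely block a name (immunization-style)."""
    return sum(1 for l in log_text.splitlines()
               if (m := HOSTS_RE.match(l.strip())) and m.group(1) in BLACKHOLE_IPS)


def summarize(findings: List[Finding]) -> Counter:
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(f"benign black-hole hosts entries: {count_blackholed_hosts(SAMPLE_LOG)}")
    for f in results:
        print(f"[{f.severity:6}] {f.category:14} {f.detail}")
    print(dict(summarize(results)))
```

On the sample the two 127.0.0.1 lines are counted as benign and not reported, while the invented redirect, both non-default search scopes, the BHO, the Run entry and the AppInit_DLLs entry each produce a finding; the empty publisher field on the AppInit line is surfaced as "no publisher", which is worth noting because unsigned, publisher-less DLLs injected system-wide are exactly what this kind of cleanup targets.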

screenshot

Completed other requested tasks, including deleting those programs.

Hi,

Now run this zoek script:

EmptyCLSID;
C:\Windows\bfsvc.exe;i
C:\Users\joanne\AppData\Local\SearchProtect;fs
C:\ProgramData\2308189059;fs
C:\ProgramData\PriceMeterLiveUpdate;vs
C:\Windows\system32\tasks\UNELEVATE_14854;f
C:\Windows\system32\tasks\UNELEVATE_6270;f
C:\Program Files\ShopperPro;fs
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}];r
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes];r
{0633EE93-D776-472f-A0FF-E1416B8B2E3A}=-;r
AutoClean;

Wait for zoek to finish its work, and when it asks you for a system reboot, allow it.
Then post the freshly created zoek log report here.

zoek results attached. ;D

OK, zoek did great things and it looks clean. Tell me, how is the computer behaving now?

All seems good. I have updated Java, Flash, Windows etc…

Cleanup time? ;D

Aye :smiley:

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
[i]Remove disinfection tools[/i]
[i]Create registry backup[/i]
[i]Purge System Restore[/i]
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\[b]DelFix.txt[/b]).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Be safe . . :wink:

Thanks again for your Help!! :smiley: