Avast WEBforum

Other => Viruses and worms => Topic started by: Wilder on May 06, 2014, 07:17:38 PM

Title: v9 browser hijacker
Post by: Wilder on May 06, 2014, 07:17:38 PM
So I downloaded something yesterday and ended up getting the v9 browser hijacker thing as well.  I was able to fix my browser settings but I'm still getting random pop-up ads everywhere.  I ran the Malwarebytes and OTL programs.  The logs are attached. 

Other info,
Windows 7 64-bit os
Avast Pro
Title: Re: v9 browser hijacker
Post by: magna86 on May 06, 2014, 07:28:35 PM
I'm on it ...
Title: Re: v9 browser hijacker
Post by: magna86 on May 06, 2014, 07:35:00 PM
Hi Wilder,

First we shall target the OTL entries using the zoek tool. Zoek will perform some additional cleaning routines as well. Then we will re-check everything with the FRST tool.

Please download zoek.zip or zoek.rar by smeenk from here (http://hijackthis.nl/smeenk) or here (http://home.kpn.nl/stefsmeenk/zoek.exe) and save it to your Desktop.
Unpack the archive...
Code:
Uninstall-List;
EmptyFoldersCheck;Delete
C:\Users\WILDER\AppData\Roaming\v9;vs
C:\Users\WILDER\AppData\Roaming\0D0S1L2Z1P1B;vs
C:\Windows\SysNative\aeinv.dll;i
C:\Windows\Microsoft\System Update kb70007\WindowsUpdater.exe;i
EmptyCLSID;
C:\Users\WILDER\AppData\Roaming\Mozilla\Firefox\Profiles\ggpmrt4d.default\searchplugins\safeguard-secure-search.xml;f
AutoClean;
Then ...

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


Title: Re: v9 browser hijacker
Post by: Michael (alan1998) on May 06, 2014, 08:07:56 PM
Damn boy. That's a lot of junk. When Magna86 is done, install unchecky (http://unchecky.com/files/unchecky_setup.exe) to avoid that amount of junk.
Title: Re: v9 browser hijacker
Post by: Wilder on May 06, 2014, 08:50:56 PM
Done and Done. I've somehow managed to not have anything this bad happen since I got this computer 4 1/2 years ago. Probably got a lot of little junk along the way.
Title: Re: v9 browser hijacker
Post by: Michael (alan1998) on May 06, 2014, 09:51:40 PM
yes, junk city :(. Magna will do his best to clean it!
Title: Re: v9 browser hijacker
Post by: magna86 on May 06, 2014, 10:45:28 PM
Hi Wilder,

=>Please re-run zoek as you did before but this time run this script and press RunScript button.

Code:
C:\Windows\Microsoft\System Update kb70007\WindowsUpdater.exe;virustotal;
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes];r
"{443789B7-F39C-4b5c-9287-DA72D38F4FE6}"=-;r

Please note, this time your default browser should launch by itself. That's normal, please allow that action. Your browser will open the VirusTotal site. Just wait for zoek to finish its scanning ...
When zoek pops up the log, post (or paste) it here.
Title: Re: v9 browser hijacker
Post by: magna86 on May 06, 2014, 10:53:43 PM
FYI:
Essexboy and I have discovered some new malware entries (files) in your logs, so please stay with us to the end.

...     ...     ...     ...     ...     ...     ...     ...     ...     ...     

=> When you're done with the second zoek script and have uninstalled the bad PUP, this is what you perform next. So this is Step #2.

This FixList shall target all present malware.


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
() C:\Windows\Microsoft\System Update kb70007\WindowsUpdater.exe
C:\Windows\Microsoft\System Update kb70007\WindowsUpdater.exe
R2 System Update kb70007; C:\Windows\Microsoft\System Update kb70007\WindowsUpdater.exe [16384 2014-04-23] ()
CMD: ipconfig /flushdns
C:\Users\WILDER\AppData\Roaming\v9
C:\Users\WILDER\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages
Task: {9FF47D27-D302-4F38-92EE-55B954C3A130} - \DigitalSite No Task File <==== ATTENTION
HKU\S-1-5-21-3776316861-1936490940-4167133240-1001\...\MountPoints2: H - H:\Setup.exe
HKU\S-1-5-21-3776316861-1936490940-4167133240-1001\...\MountPoints2: {31bc6b2f-0b75-11e0-8258-90e6bacb8b1c} - "E:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3776316861-1936490940-4167133240-1001\...\MountPoints2: {58b98c8f-234c-11e0-a358-90e6bacb8b1c} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3776316861-1936490940-4167133240-1001\...\MountPoints2: {c5cc5589-8bea-11e1-ba72-90e6bacb8b1c} - H:\TL-Bootstrap.exe
HKU\S-1-5-21-3776316861-1936490940-4167133240-1001\...\MountPoints2: {e7619b9e-d2af-11e0-a216-90e6bacb8b1c} - G:\TL-Bootstrap.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.v9.com/web/?type=ds&ts=1399331117&from=irs&uid=WDCXWD6401AALS-00J7B1_WD-WMATV381409614096&i=psd&t=34210fbca&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com/web/?type=ds&ts=1399331117&from=irs&uid=WDCXWD6401AALS-00J7B1_WD-WMATV381409614096&i=psd&t=34210fbca&q={searchTerms}
SearchScopes: HKLM-x32 - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-outbrowseaol-chromesbox-en-us&tb_uuid=20121112021945516&tb_oid=12-11-2012&tb_mrud=12-11-2012
SearchScopes: HKCU - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-outbrowseaol-chromesbox-en-us&tb_uuid=20121112021945516&tb_oid=12-11-2012&tb_mrud=12-11-2012
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF DefaultSearchEngine: v9
FF SelectedSearchEngine: v9
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 cpuz130; \??\C:\Users\WILDER\AppData\Local\Temp\cpuz130\cpuz_x64.sys [X]
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: DEL %WINDIR%\TEMP\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
Reboot:
End


2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
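Editor's added example (not part of the thread, and not code from FRST or zoek): the fixlist above is hand-built from an FRST log, and the entries it targets fall into a handful of recognisable classes: a service whose binary lives outside a Windows directory and carries no publisher ("()"), a scheduled task with no task file, MountPoints2 autorun handlers, IE/Firefox search defaults pointing at search.v9.com, an orphaned toolbar CLSID, a Chrome policy restriction, and a driver entry whose file is gone ("[X]"). The script below parses lines in the format the fixlist shows and tags each one with the heuristic it trips, so the same triage can be repeated on another log. The rule names, the trusted-directory list and the hijack host list are my own assumptions; the sample log is constructed from the fixlist (query strings shortened) plus one proxy line whose FRST format is assumed, since hijackers frequently also set a WinINET proxy.

```python
"""Heuristic triage of FRST-style log lines (added example; not FRST/zoek code)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts the fixlist shows as hijacked search defaults (assumption: illustrative list).
HIJACK_HOSTS = {"search.v9.com", "slirsredirect.search.aol.com"}
HIJACK_ENGINES = {"v9"}
# Where a service binary is expected to live on a Win7 x64 box (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# "R2 name; path [size date] (publisher)"  or  "S3 name; path [X]" (file missing)
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>.*?); (?P<path>.*?) "
                        r"\[(?P<info>.*?)\](?: \((?P<publisher>.*)\))?$")
MOUNT_RE = re.compile(r"MountPoints2: (?P<key>.*?) - (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")


def _first_host(line: str) -> str:
    m = URL_RE.search(line)
    return (urlparse(m.group(0)).hostname or "").lower() if m else ""


def classify(raw: str) -> List[str]:
    """Return the rule names one log line trips (empty list = nothing of note)."""
    line = raw.strip()
    rules: List[str] = []
    m = SERVICE_RE.match(line)
    if m:
        path = m.group("path").lstrip("\\?").lower()      # drop the \??\ NT prefix
        if m.group("info") == "X":
            rules.append("service-missing-binary")         # orphaned driver/service entry
        else:
            if not m.group("publisher"):
                rules.append("service-unsigned")           # "()" = no publisher info
            if not path.startswith(TRUSTED_DIRS):
                rules.append("service-odd-path")           # e.g. C:\Windows\Microsoft\...
        return rules
    if line.startswith("() "):
        rules.append("process-unsigned")                   # running process, no publisher
    if line.startswith("Task:") and "No Task File" in line:
        rules.append("task-missing-file")                  # task whose XML is gone
    if MOUNT_RE.search(line):
        rules.append("mountpoints2-autorun")               # per-drive autorun handler; review
    if line.startswith("Toolbar:") and "No File" in line:
        rules.append("toolbar-orphan")
    if line.startswith("CHR ") and "Policies\\Google" in line:
        rules.append("chrome-policy")                      # policy keys can pin search/proxy
    if line.startswith(("FF DefaultSearchEngine:", "FF SelectedSearchEngine:")):
        if line.split(":", 1)[1].strip().lower() in HIJACK_ENGINES:
            rules.append("ff-search-hijack")
    if any(t in line for t in ("Default_Search_URL", "Search Page", "Start Page", "SearchScopes:")):
        if _first_host(line) in HIJACK_HOSTS:
            rules.append("search-url-hijack")
    if line.startswith(("ProxyServer:", "AutoConfigURL:")):
        rules.append("proxy-set")                          # assumed FRST line prefix
    return rules


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that trip at least one rule."""
    out = []
    for l in lines:
        rules = classify(l)
        if rules:
            out.append({"line": l.strip(), "rules": rules})
    return out


# Constructed sample: entries from the fixlist above (queries shortened) + one assumed proxy line.
SAMPLE_LOG = [
    r"() C:\Windows\Microsoft\System Update kb70007\WindowsUpdater.exe",
    r"R2 System Update kb70007; C:\Windows\Microsoft\System Update kb70007\WindowsUpdater.exe [16384 2014-04-23] ()",
    r"CMD: ipconfig /flushdns",
    r"Task: {9FF47D27-D302-4F38-92EE-55B954C3A130} - \DigitalSite No Task File <==== ATTENTION",
    r"HKU\S-1-5-21-3776316861-1936490940-4167133240-1001\...\MountPoints2: H - H:\Setup.exe",
    r"HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.v9.com/web/?type=ds&q={searchTerms}",
    r"SearchScopes: HKCU - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}",
    r"Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File",
    r"FF DefaultSearchEngine: v9",
    r"CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION",
    r"S3 cpuz130; \??\C:\Users\WILDER\AppData\Local\Temp\cpuz130\cpuz_x64.sys [X]",
    r"ProxyServer: [S-1-5-21-3776316861-1936490940-4167133240-1001] => http=127.0.0.1:8080",  # assumed format
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(", ".join(f["rules"]).ljust(40), f["line"][:80])
```

The output is a review list, not a fixlist: MountPoints2 handlers for a backup drive or a U3 stick are usually legitimate, and a service outside the Windows directories may be a badly packaged but benign installer. The rules earn their keep on the combinations, such as an unsigned service under a directory Windows never creates, plus a hijacked search URL, plus a Chrome policy key, which together are the signature of this kind of bundle.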

Title: Re: v9 browser hijacker
Post by: Wilder on May 07, 2014, 12:27:43 AM
OK, both of those steps are done.  I had to change some LAN proxy settings for Google Chrome so that it would connect to the internet.  Was that supposed to happen?
Title: Re: v9 browser hijacker
Post by: magna86 on May 07, 2014, 02:56:31 PM
Hi Wilder,

Quote
I had to change some LAN proxy setting for Google chrome so that it would connect to the internet.  Was that supposed to happen?
Well, not exactly. I did tell FRST to reset and/or kill some policy restrictions related to Google Chrome, but that's all.

In Step#1 we shall target the remnants.
In Step#2 we kindly ask you to upload zoek's and FRST's quarantine for future analysis.
These quarantine folders contain inactive (read: killed) malware removed by zoek.exe and FRST64.exe.

Step#1


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
C:\Windows\Microsoft
Reboot:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Step#2

Please zip/rar both quarantine folders and upload them to us for future analysis. We will send the file samples to avast! and later to all other AV vendors.
You have 7-Zip installed on your machine. Use that software to pack (zip) the following folders:

C:\zoek_backup
C:\FRST\Quarantine

Please upload it to http://www.wikisend.com site.
Wikisend will generate the download link. Please post the download links here (before posting, break the link from http to hxxp).
example: hxxp://www.wikisend.com /upload/file.php

Title: Re: v9 browser hijacker
Post by: Wilder on May 07, 2014, 06:47:41 PM
Done and Done.  Here are the two links!

Title: Re: v9 browser hijacker
Post by: magna86 on May 07, 2014, 06:51:10 PM
Cool, thanks.

Tell me, how is the computer behavior now?
Title: Re: v9 browser hijacker
Post by: Wilder on May 07, 2014, 07:57:50 PM
No more random pop-up ads in Google Chrome.  I think it's even running a little faster overall.  The time it takes to boot up when I start/restart my computer has gone down quite a bit too.  Thanks for all your help.  That thing was really driving me nuts!
Title: Re: v9 browser hijacker
Post by: magna86 on May 07, 2014, 08:11:18 PM
Cool. Stay with me as I need to remove the tools we used. But before that I'll need to check something. Await my reply.  ;)
Title: Re: v9 browser hijacker
Post by: magna86 on May 07, 2014, 08:33:15 PM
The following will implement some post-cleanup procedures:

=> Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by Xplode to your Desktop.

Run the tool and check the following boxes below:
[x] Remove disinfection tools
[x] Create registry backup
[x] Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Be safe  ;)
Title: Re: v9 browser hijacker
Post by: magna86 on May 07, 2014, 09:22:26 PM
I almost forgot ...

Quote
Done and Done.  Here are the two links!

Could you please remove the wikisend links now? We got the files.

Thanks.  :)


Title: Re: v9 browser hijacker
Post by: Wilder on May 08, 2014, 01:34:13 AM
Do you mean just remove them from the post? Or do I have to do something on the website?

I just ran that last program.  Thanks again for your help!
Title: Re: v9 browser hijacker
Post by: Michael (alan1998) on May 08, 2014, 01:47:16 AM
You're all good. The links appear to be gone :)