Avast WEBforum

Other => Viruses and worms => Topic started by: Derek Fabb on April 27, 2014, 10:35:33 PM

Title: Delta Homes infection
Post by: Derek Fabb on April 27, 2014, 10:35:33 PM
I'm running Windows 7. One of the users on the PC is infected with Delta Homes.
I've run Malwarebytes Anti Malware, OTC and aswMBR. The log files are attached below.

I cleared out suspicious looking programs and add-ons, and also removed dodgy looking search services.

This appears in both Firefox and Chrome.

Any help in removing this will be appreciated.

Thanks
Title: Re: Delta Homes infection
Post by: Michael (alan1998) on April 27, 2014, 11:32:53 PM
Hi, I see the infection.

Remover notified. For future reference, the program Unchecky is a great program to avoid these types of infections.

You can install it; the download is here: http://unchecky.com/files/unchecky_setup.exe

Also, did you do this?

Code:
O27: 64bit: - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\bpsvc.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\browsersafeguard.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\dprotectsvc.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\jumpflip: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\protectedsearch.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\searchinstaller.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\searchprotection.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\searchprotector.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\searchsettings.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\searchsettings64.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\stinst32.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\stinst64.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\umbrella.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\utiljumpflip.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\volaro: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\vonteera: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\websteroids.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27: 64bit: - HKLM IFEO\websteroidsservice.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bpsvc.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsersafeguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\dprotectsvc.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\jumpflip: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\protectedsearch.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchinstaller.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotection.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotector.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchsettings.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchsettings64.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst32.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst64.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\umbrella.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\utiljumpflip.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\volaro: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\vonteera: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\websteroids.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\websteroidsservice.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: UPB:{B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No CLSID value found.

That's not normal...

Also, I can only see the Delta infection in IE... Wait for Magna, essex, Twin, or argus to give you further instructions.
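As an added example that is not part of this thread and not one of the helpers' tools, the PowerShell below audits the same registry location the O27 lines above come from (Image File Execution Options) and flags the pattern shown there: tasklist.exe registered as the "Debugger" for other executables, which makes Windows launch tasklist.exe in place of the named program. The $KnownDebuggers allow-list is an assumption to adjust for the machine being checked; run it from 64-bit PowerShell on 64-bit Windows so both registry views are seen.

```powershell
# Added example (not from the thread): audit IFEO "Debugger" values.
# Both the native and the Wow6432Node view are checked, matching the two
# groups of O27 entries (SysNative / SysWow64) in the log excerpt above.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Assumption: debuggers that developer tooling legitimately registers here.
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe')

function Get-IfeoDebuggerFinding {
    [CmdletBinding()]
    param([string[]]$Roots = $IfeoRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $debugger = [string]$key.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # Isolate the executable: a quoted path, or the first whitespace token.
            if ($debugger.StartsWith('"')) { $exe = $debugger.Substring(1).Split('"')[0] }
            else { $exe = ($debugger -split '\s+')[0] }
            $exeName = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()
            # SysNative is a redirection alias visible only to 32-bit processes;
            # map it to System32 so the on-disk check works from 64-bit PowerShell.
            $diskPath = $exe -replace '\\SysNative\\', '\System32\'

            if ($exeName -eq 'tasklist.exe') {
                $reason = 'tasklist.exe set as debugger: target program is silently blocked'
            } elseif ($KnownDebuggers -notcontains $exeName) {
                $reason = 'debugger is not a known debugging tool'
            } elseif (-not (Test-Path -LiteralPath $diskPath)) {
                $reason = 'debugger binary not found on disk'
            } else {
                continue   # looks like a normal developer-tool registration
            }

            [pscustomobject]@{
                View     = if ($root -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
                Target   = $key.PSChildName     # e.g. bitguard.exe in the log above
                Debugger = $debugger
                Reason   = $reason
            }
        }
    }
}

# Report findings grouped by reason so the tasklist.exe pattern stands out.
Get-IfeoDebuggerFinding | Sort-Object Reason, Target | Format-Table -AutoSize
```

Entries it reports are candidates for review against the OTL/FRST logs, as the helpers do in this thread, not an automatic removal list.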
Title: Re: Delta Homes infection
Post by: magna86 on April 28, 2014, 01:08:28 AM
@ Michael,
IFEO registry values are PUP related. The average user is unaware of these entries.

@ Derek Fabb

Hi,
I will be working on your Malware issues. Let's start cleaning with a tool known as 'Zoek'. Zoek will target and clean most (if not all) bad entries.
In addition, it will perform some additional cleaning routines which should contribute to better and faster system response.


Please download zoek.zip or zoek.rar by smeenk from here (http://hijackthis.nl/smeenk) or here (http://home.kpn.nl/stefsmeenk/zoek.exe) and save it to your Desktop.
Unpack the archive...
Code:
Uninstall-List;
FilesRCM;
EmptyFoldersCheck;Delete
C:\Users\Caroline\Documents\*.tmp;f
EmptyCLSID;
StartupAll;
ipconfig /flushdns >> %temp%\log.txt;b
AutoClean;
Title: Re: Delta Homes infection
Post by: Derek Fabb on April 28, 2014, 10:38:07 PM
I can't get the zoek application to work.

I have downloaded it.
Unzipped it
Turned off the Anti-virus
When I double click the application it goes and restarts windows.

Should I be running this as the infected user?
Title: Re: Delta Homes infection
Post by: Michael (alan1998) on April 28, 2014, 11:36:54 PM
Zoek is perfectly safe to use. Wait for Magna to help you.
Title: Re: Delta Homes infection
Post by: magna86 on April 29, 2014, 01:18:50 AM
Hi Derek Fabb,

Have you tried to download & run zoek.exe instead? Double-click on the icon to run the tool and then wait for the tool to load itself. Sometimes this takes time.

When the GUI appears, paste the above script and hit the Run Script button. Then just wait for zoek to finish its fixing. Zoek shall ask you for a Windows reboot.

Title: Re: Delta Homes infection
Post by: Derek Fabb on April 30, 2014, 09:14:22 PM
I'm still unable to run the Zoek tool.
I've tried all three of the downloads, the zoek.exe, zoek.zip and zoek.rar.
Anti virus is disabled.
When I double click Zoek.exe I get a Windows box coming up asking if I want to allow the program to update the computer.
I click yes
Then I get a box saying that Windows will be closed down in less than one minute.
Windows then restarts.

Thanks
Title: Re: Delta Homes infection
Post by: magna86 on April 30, 2014, 11:20:48 PM
Hi Derek Fabb,

Hm ... then we need to run some alternative tools.

This would be easily resolved by simply uninstalling the toolbar from the system, but since MBAM targeted this PUP, we have to target the leftovers manually.

First, we'll run AdwCleaner. This tool should target a lot of known Delta Homes variants as well as other known PUP entries, and in most cases it will remove a large amount of bad things.
In practice, a lot of remains of updated/newer versions of bad PUP software are known to be left behind in the system, untargeted by AdwCleaner. Therefore we need to re-check after this tool. For that check we will use the FRST tool. Let's start ...

=> Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

=> Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


Title: Re: Delta Homes infection
Post by: Derek Fabb on May 01, 2014, 09:02:12 PM
I've successfully run both of these. The log files are attached.
Title: Re: Delta Homes infection
Post by: magna86 on May 01, 2014, 09:16:52 PM
Hi Derek,

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
File: C:\Windows\system32\hauppauge\hcwD3dvb\DVBT\cutil64.dll
C:\Program Files (x86)\Search Results Toolbar
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - {3E2FB71F-A19C-446A-8E63-A9FD212EC687} URL =
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
BHO-x32: No Name - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
ShellExecuteHooks-x32:  - UPB:{B5A7F190-DDA6-4420-B3BA-52453494E6CD} -  No File [ ]
CHR HKLM-x32\...\Chrome\Extension: [ijbjbpmhcemdbplaiccloimaedacmjdo] - C:\Program Files (x86)\Search Results Toolbar\Datamngr\chromeExtension.crx [2013-11-14]
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Title: Re: Delta Homes infection
Post by: Derek Fabb on May 02, 2014, 08:05:19 PM
I've run this.
Initially I ran it as my uninfected user. Looking at the log file I saw that only files from user Derek were cleared.
Then I ran it again as the infected account.
Both log files are attached. The second log file is zipped.
Title: Re: Delta Homes infection
Post by: Derek Fabb on May 02, 2014, 08:08:38 PM
I had to rename the 2nd file to give it an extension of .log as I wasn't allowed to upload a file with an extension of .zip
Title: Re: Delta Homes infection
Post by: magna86 on May 03, 2014, 02:52:19 AM
Hi,

Run this tool from the 'infected' user account. Please download SystemLook_x64.exe from one of the links below and save it to your desktop.

http://downloads.malwareremoval.com/SystemLook/

Temporarily disable your antivirus and any antispyware real time protection before performing a scan.

    Double-click SystemLook.exe to run it.
    Copy the contents of the following codebox into the main textfield.

Code:
:FILEFIND
*AskToolbar*
*ContentSAFER*
*Bandoo*
*Babylon*
*Conduit*
*Coupons*
*DP1815*
*Fun4IM*
*Funmoods*
*facemoods*
*iLivid*
*IObit*
*Iminent*
*IMVU*
*Mysearchdial*
*PutLockerDownloader*
*searchab*
*Searchqu*
*Searchnu*
*Searchou*
*SearchProtect*
*Slick*
*smartbar*
*Sweet*
*Tarma*
*Trusteer*
*trolltech*
*vshare*
*WiseConvert*
*whitesmoke*
*FriendsChecker*
*UnfriendApp*
*ExFriendAlert*
*RecordChecker*
*InfoSeeker*
*SecureWeb*
*Yontoo*

:FOLDERFIND
*AskToolbar*
*ContentSAFER*
*Babylon*
*Bandoo*
*Conduit*
*Coupons*
*DP1815*
*smartbar*
*Fun4IM*
*Funmoods*
*facemoods*
*iLivid*
*IObit*
*Iminent*
*IMVU*
*Mysearchdial*
*PutLockerDownloader*
*searchab*
*Searchqu*
*Searchnu*
*Searchou*
*SearchProtect*
*Slick*
*smartbar*
*Sweet*
*Tarma*
*Trusteer*
*trolltech*
*Vafmusic2*
*vshare*
*WiseConvert*
*whitesmoke*
*FriendsChecker*
*UnfriendApp*
*ExFriendAlert*
*RecordChecker*
*InfoSeeker*
*SecureWeb*
*Yontoo*

:REGFIND
AskToolbar
ContentSAFER
Babylon
Bandoo
Conduit
Coupons
DP1815
Fun4IM
Funmoods
facemoods
iLivid
IObit
Iminent
IMVU
Mysearchdial
PutLockerDownloader
searchab
Searchqu
Searchnu
Searchou
SearchProtect
Slick
smartbar
Sweetpack
Tarma
Trusteer
trolltech
Vafmusic2
vshare
WiseConvert
whitesmoke
FriendsChecker
UnfriendApp
ExFriendAlert
RecordChecker
InfoSeeker
SecureWeb
Yontoo

    Click the Look button to start the scan.
    Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
    When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop, entitled SystemLook.txt.
Title: Re: Delta Homes infection
Post by: Derek Fabb on May 03, 2014, 04:13:21 PM
I've run this. The output is attached
Title: Re: Delta Homes infection
Post by: magna86 on May 03, 2014, 04:22:53 PM
Hi Derek,

Run this last FixList and then tell me how the situation is now? :)


1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}" /f
REG: reg delete "HKEY_CURRENT_USER\Software\Trolltech" /f
REG: reg delete "HKEY_USERS\S-1-5-21-3679172601-223395430-209103095-1000\Software\Trolltech" /f
REG: reg delete "S-1-5-21-3679172601-223395430-209103095-1003\Software\Trolltech" /f
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Title: Re: Delta Homes infection
Post by: Derek Fabb on May 03, 2014, 06:19:50 PM
I still get Delta homes.
Title: Re: Delta Homes infection
Post by: magna86 on May 03, 2014, 09:42:28 PM
I still get Delta homes.

Where?

Logs say you are clean + we have performed the search for any possible leftovers and removed them.
Title: Re: Delta Homes infection
Post by: Derek Fabb on May 04, 2014, 12:25:08 PM
I was using a shortcut to Firefox which was pinned to the task bar. That was still going to Delta Homes.
Interestingly, Firefox has gone from the Start menu, but running firefox.exe from C:\Program Files (x86)\Mozilla Firefox goes to the correct home page.
So Firefox looks to be free from this.
I tried IE in the infected account, and that still gets Delta Homes.

I really appreciate your help with this!
Title: Re: Delta Homes infection
Post by: magna86 on May 04, 2014, 02:26:21 PM
Hi,

Perform a browser reset back to their defaults. You will not lose your browser or personal info/settings. Read here how to do that.

http://en.kioskea.net/faq/6361-reset-your-browser-restore-your-browser-to-default-settings
Title: Re: Delta Homes infection
Post by: Derek Fabb on May 04, 2014, 05:42:32 PM
Fantastic. I have now managed to remove all traces of this from all of the browsers.

Thanks for your help with this.
Title: Re: Delta Homes infection
Post by: magna86 on May 04, 2014, 08:13:48 PM
Cool. If there is no problem, I would like to remove my tools.


The following will implement some post-cleanup procedures:

=> Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by Xplode to your Desktop.

Run the tool and check the following boxes below:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.