Author Topic: Delta Homes infection  (Read 7610 times)


Derek Fabb

  • Guest
Delta Homes infection
« on: April 27, 2014, 10:35:33 PM »
I'm running Windows 7. One of the users on the PC is infected with Delta Homes.
I've run Malwarebytes Anti Malware, OTC and aswMBR. The log files are attached below.

I cleared out suspicious looking programs and addons, and also removed dodgy looking search services.

This appears in both Firefox and Chrome.

Any help in removing this will be appreciated.

Thanks

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Delta Homes infection
« Reply #1 on: April 27, 2014, 11:32:53 PM »
Hi, I see the infection.

Remover notified. For future reference, the program Unchecky is a great program to avoid these types of infections.

You can install it. The download is: http://unchecky.com/files/unchecky_setup.exe

Also, did you do this?

Code:
O27:64bit: - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\bpsvc.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\browsersafeguard.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\dprotectsvc.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\jumpflip: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\protectedsearch.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchinstaller.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchprotection.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchprotector.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchsettings.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchsettings64.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\stinst32.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\stinst64.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\umbrella.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\utiljumpflip.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\volaro: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\vonteera: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\websteroids.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\websteroidsservice.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bpsvc.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsersafeguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\dprotectsvc.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\jumpflip: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\protectedsearch.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchinstaller.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotection.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotector.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchsettings.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchsettings64.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst32.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst64.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\umbrella.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\utiljumpflip.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\volaro: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\vonteera: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\websteroids.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\websteroidsservice.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: UPB:{B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No CLSID value found.

That's not normal....

Also, I can only see the Delta infection in IE... Wait for Magna, essex, Twin, or argus to give you further instructions.
« Last Edit: April 27, 2014, 11:39:45 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.
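The O27 and O28 lines quoted above come from an OTL log. The PowerShell script below is an added example, not part of this thread and not OTL's code: it reads the same two registry locations live (Image File Execution Options "Debugger" values in both the native and Wow6432Node views, and ShellExecuteHooks), so a reader can check a machine for the pattern shown in the log. The key paths are the standard Windows ones; the "Registered" check looks each hook's CLSID up under HKLM\SOFTWARE\Classes, which is what OTL's "No CLSID value found" refers to. The script only reads the registry and removes nothing.

```powershell
# Added audit script, not from the thread: list the two persistence points the OTL
# log flags (O27 = Image File Execution Options "Debugger" values, O28 =
# ShellExecuteHooks). Assumes Windows Vista/7 or later with PowerShell 2.0+ and an
# elevated prompt; it only reads the registry and changes nothing.

$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

# Every IFEO subkey with a Debugger value: when that image name is launched, Windows
# starts the Debugger with the image as its argument instead. With tasklist.exe as
# the debugger (as in the log) the named program never starts. Legitimate entries
# exist (developer tools, Process Explorer's "replace Task Manager"), so review each.
function Get-IfeoDebugger {
    foreach ($base in $ifeoKeys) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $view = if ($base -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
        foreach ($sub in (Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue)) {
            $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            New-Object PSObject -Property @{
                View     = $view
                Image    = $sub.PSChildName
                Debugger = $dbg
            }
        }
    }
}

# ShellExecuteHooks value names carry a CLSID. A hook whose CLSID is not registered
# (OTL's "No CLSID value found") is a leftover of an uninstalled component; a
# registered one is resolved to the DLL named in its InprocServer32 key for review.
function Get-ShellExecuteHook {
    foreach ($base in $hookKeys) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $is32 = $base -like '*Wow6432Node*'
        $view = if ($is32) { '32-bit' } else { '64-bit' }
        $clsidRoot = if ($is32) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
        foreach ($name in (Get-Item -LiteralPath $base).GetValueNames()) {
            $clsid = ''
            if ($name -match '\{[0-9A-Fa-f-]{36}\}') { $clsid = $matches[0] }
            $registered = $false
            if ($clsid) { $registered = Test-Path -LiteralPath (Join-Path $clsidRoot $clsid) }
            $server = ''
            if ($registered) {
                $serverKey = Join-Path $clsidRoot "$clsid\InprocServer32"
                $server = [string](Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'
            }
            New-Object PSObject -Property @{
                View       = $view
                Value      = $name
                Registered = $registered
                Server     = $server
            }
        }
    }
}

Write-Output '== IFEO Debugger values =='
Get-IfeoDebugger | Format-Table -AutoSize View, Image, Debugger
Write-Output '== ShellExecuteHooks =='
Get-ShellExecuteHook | Format-Table -AutoSize View, Value, Registered, Server
```

Run it from an elevated PowerShell prompt on the machine being examined; an empty table for the IFEO section is the normal state on a consumer PC. Entries whose Debugger points at a stock Windows utility such as tasklist.exe for names that match security or browser-protection products are the pattern the log above shows.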

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Delta Homes infection
« Reply #2 on: April 28, 2014, 01:08:28 AM »
@ Michael,
IFEO registry values are PUP related. The average user is unaware of these entries.



@ Derek Fabb

Hi,
I will be working on your Malware issues. Let's start cleaning with a tool known as 'Zoek'. Zoek will target and clean most (if not all) bad entries.
In addition, it will perform some additional cleaning routines which should contribute to better and faster system response.


Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.

  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...

  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:
Uninstall-List;
FilesRCM;
EmptyFoldersCheck;Delete
C:\Users\Caroline\Documents\*.tmp;f
EmptyCLSID;
StartupAll;
ipconfig /flushdns >> %temp%\log.txt;b
AutoClean;
  • Click on button.
    Please wait until a log report opens (this can be after reboot)

  • Save the notepad file to your Desktop and attach zoek-results.log here
    Note: It will also create a log in the C:\ directory named "zoek-results.log"
« Last Edit: April 28, 2014, 01:15:26 AM by magna86 »

Derek Fabb

  • Guest
Re: Delta Homes infection
« Reply #3 on: April 28, 2014, 10:38:07 PM »
I can't get the zoek application to work.

I have downloaded it.
Unzipped it
Turned off the Anti-virus
When I double click the application it goes and restarts windows.

Should I be running this as the infected user?

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Delta Homes infection
« Reply #4 on: April 28, 2014, 11:36:54 PM »
Zoek is perfectly safe to use. Wait for Magna to help you
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Delta Homes infection
« Reply #5 on: April 29, 2014, 01:18:50 AM »
Hi Derek Fabb,

Have you tried to download & run zoek.exe instead? Double-click on the icon to run the tool and then wait for the tool to load itself. Sometimes this takes time.

When the GUI appears, paste the above script and hit the Run Script button. Then just wait for zoek to finish its fixing. Zoek will ask you for a Windows reboot.


Derek Fabb

  • Guest
Re: Delta Homes infection
« Reply #6 on: April 30, 2014, 09:14:22 PM »
I'm still unable to run the Zoek tool.
I've tried all three of the downloads, the zoek.exe, zoek.zip and zoek.rar.
Anti virus is disabled.
When I double click Zoek.exe I get a Windows box come up asking if I want to allow the program to update the computer.
I click yes
Then I get a box saying that Windows will be closed down in less than one minute.
Windows then restarts.

Thanks

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Delta Homes infection
« Reply #7 on: April 30, 2014, 11:20:48 PM »
Hi Derek Fabb,

Hm ... then we need to run some alternative tools.

This would be easily resolved by simply uninstalling the toolbar from the system, but since MBAM targeted this PUP, we have to target the leftovers manually.

First, we'll run AdwCleaner. This tool should target a lot of known Delta Homes variants as well as other known PUP entries, and in most cases it will remove a large amount of bad things.
In practice, a lot of remains of updated/newer versions of bad PUP software are known to be left behind in the system, untargeted by AdwCleaner. Therefore we need to re-check after this tool. For that check we will use the FRST tool. Let's start ...





=> Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Post logfile will also be saved in the C:\AdwCleaner folder.




=> Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
« Last Edit: April 30, 2014, 11:24:54 PM by magna86 »

Derek Fabb

  • Guest
Re: Delta Homes infection
« Reply #8 on: May 01, 2014, 09:02:12 PM »
I've successfully run both of these. The log files are attached.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Delta Homes infection
« Reply #9 on: May 01, 2014, 09:16:52 PM »
Hi Derek,





1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
File: C:\Windows\system32\hauppauge\hcwD3dvb\DVBT\cutil64.dll
C:\Program Files (x86)\Search Results Toolbar
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKCU - {3E2FB71F-A19C-446A-8E63-A9FD212EC687} URL =
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
BHO-x32: No Name - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
ShellExecuteHooks-x32:  - UPB:{B5A7F190-DDA6-4420-B3BA-52453494E6CD} -  No File [ ]
CHR HKLM-x32\...\Chrome\Extension: [ijbjbpmhcemdbplaiccloimaedacmjdo] - C:\Program Files (x86)\Search Results Toolbar\Datamngr\chromeExtension.crx [2013-11-14]
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
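The fixlist above removes three kinds of leftover: Internet Explorer search scopes whose URL is empty, BHO and toolbar CLSIDs that no longer point at a file, and a Chrome extension installed through the HKLM registry path. As an added read-only example (not from this thread and not FRST's code), the PowerShell script below lists those same item types on a machine so the leftovers can be reviewed before any fix is written. The registry paths are the standard Windows and Chrome ones; the "NoFile" column is computed by resolving each BHO's InprocServer32 default value and testing whether that DLL exists.

```powershell
# Added read-only audit, not part of the thread: list the item types the FRST
# fixlist removes (IE SearchScopes, Browser Helper Objects, registry-installed
# Chrome extensions). Assumes Windows Vista/7 or later, PowerShell 2.0+, run
# elevated (for HKLM) from the affected user's account (for HKCU). Deletes nothing.

# IE search scopes: an empty URL (as in the fixlist) is a dead leftover; a
# DefaultScope whose host is not the one the user chose is a hijacked search.
function Get-IeSearchScope {
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $default = [string](Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in (Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -LiteralPath $scope.PSPath
            $url = [string]$p.URL
            $hostName = ''
            if ($url) { try { $hostName = ([Uri]$url).Host } catch { $hostName = '(unparsable)' } }
            New-Object PSObject -Property @{
                Hive      = $hive
                Scope     = $scope.PSChildName
                IsDefault = ($scope.PSChildName -eq $default)
                Name      = [string]$p.DisplayName
                Host      = $hostName
                EmptyUrl  = (-not $url)
            }
        }
    }
}

# BHOs are registered by CLSID; the DLL comes from the CLSID's InprocServer32 key.
# A BHO whose DLL is missing ("No File" in FRST) is a leftover to clean up.
function Get-BrowserHelperObject {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($base in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $is32 = $base -like '*Wow6432Node*'
        $view = if ($is32) { '32-bit' } else { '64-bit' }
        $clsidRoot = if ($is32) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
        foreach ($bho in (Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue)) {
            $clsid = $bho.PSChildName
            $server = Join-Path $clsidRoot "$clsid\InprocServer32"
            $dll = ''
            if (Test-Path -LiteralPath $server) {
                $dll = ([string](Get-ItemProperty -LiteralPath $server).'(default)').Trim('"')
            }
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            # -or short-circuits, so Test-Path never sees an empty path
            $noFile = (-not $dll) -or (-not (Test-Path -LiteralPath $expanded))
            New-Object PSObject -Property @{
                View   = $view
                CLSID  = $clsid
                Dll    = $dll
                NoFile = $noFile
            }
        }
    }
}

# Chrome "external extensions": a subkey per extension id under the Extensions key,
# with either a local .crx path (the fixlist's case) or an update_url value.
function Get-ChromeExternalExtension {
    foreach ($base in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                      'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($ext in (Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -LiteralPath $ext.PSPath
            New-Object PSObject -Property @{
                Id        = $ext.PSChildName
                Path      = [string]$p.path
                UpdateUrl = [string]$p.update_url
            }
        }
    }
}

Write-Output '== IE SearchScopes =='
Get-IeSearchScope | Format-Table -AutoSize Hive, Scope, IsDefault, Name, Host, EmptyUrl
Write-Output '== Browser Helper Objects =='
Get-BrowserHelperObject | Format-Table -AutoSize View, CLSID, NoFile, Dll
Write-Output '== Chrome extensions installed via registry =='
Get-ChromeExternalExtension | Format-Table -AutoSize Id, Path, UpdateUrl
```

Rows with EmptyUrl or NoFile set to True correspond to the SearchScopes and BHO lines in the fixlist above; the Chrome table shows any extension id that Windows-level software (rather than the user, through the Web Store) has pushed into the browser, which is how the Datamngr extension in the fixlist was installed.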


Derek Fabb

  • Guest
Re: Delta Homes infection
« Reply #10 on: May 02, 2014, 08:05:19 PM »
I've run this.
Initially I ran it as my uninfected user. Looking at the log file I saw that only files from user Derek were cleared.
Then I ran it again as the infected account.
Both log files are attached. The second log file is zipped.

Derek Fabb

  • Guest
Re: Delta Homes infection
« Reply #11 on: May 02, 2014, 08:08:38 PM »
I had to rename the 2nd file to give it an extension of .log as I wasn't allowed to upload a file with an extension of .zip

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Delta Homes infection
« Reply #12 on: May 03, 2014, 02:52:19 AM »
Hi,

Run this tool from the 'infected' user account. Please download SystemLook_x64.exe from one of the links below and save it to your desktop.

http://downloads.malwareremoval.com/SystemLook/

Temporarily disable your antivirus and any antispyware real time protection before performing a scan.

    Double-click SystemLook.exe to run it.
    Copy the contents of the following codebox into the main textfield.

Code:
:FILEFIND
*AskToolbar*
*ContentSAFER*
*Bandoo*
*Babylon*
*Conduit*
*Coupons*
*DP1815*
*Fun4IM*
*Funmoods*
*facemoods*
*iLivid*
*IObit*
*Iminent*
*IMVU*
*Mysearchdial*
*PutLockerDownloader*
*searchab*
*Searchqu*
*Searchnu*
*Searchou*
*SearchProtect*
*Slick*
*smartbar*
*Sweet*
*Tarma*
*Trusteer*
*trolltech*
*vshare*
*WiseConvert*
*whitesmoke*
*FriendsChecker*
*UnfriendApp*
*ExFriendAlert*
*RecordChecker*
*InfoSeeker*
*SecureWeb*
*Yontoo*

:FOLDERFIND
*AskToolbar*
*ContentSAFER*
*Babylon*
*Bandoo*
*Conduit*
*Coupons*
*DP1815*
*smartbar*
*Fun4IM*
*Funmoods*
*facemoods*
*iLivid*
*IObit*
*Iminent*
*IMVU*
*Mysearchdial*
*PutLockerDownloader*
*searchab*
*Searchqu*
*Searchnu*
*Searchou*
*SearchProtect*
*Slick*
*smartbar*
*Sweet*
*Tarma*
*Trusteer*
*trolltech*
*Vafmusic2*
*vshare*
*WiseConvert*
*whitesmoke*
*FriendsChecker*
*UnfriendApp*
*ExFriendAlert*
*RecordChecker*
*InfoSeeker*
*SecureWeb*
*Yontoo*

:REGFIND
AskToolbar
ContentSAFER
Babylon
Bandoo
Conduit
Coupons
DP1815
Fun4IM
Funmoods
facemoods
iLivid
IObit
Iminent
IMVU
Mysearchdial
PutLockerDownloader
searchab
Searchqu
Searchnu
Searchou
SearchProtect
Slick
smartbar
Sweetpack
Tarma
Trusteer
trolltech
Vafmusic2
vshare
WiseConvert
whitesmoke
FriendsChecker
UnfriendApp
ExFriendAlert
RecordChecker
InfoSeeker
SecureWeb
Yontoo

    Click the Look button to start the scan.
    Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
    When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop, entitled SystemLook.txt.

Derek Fabb

  • Guest
Re: Delta Homes infection
« Reply #13 on: May 03, 2014, 04:13:21 PM »
I've run this. The output is attached

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Delta Homes infection
« Reply #14 on: May 03, 2014, 04:22:53 PM »
Hi Derek,

Run this last FixList and then tell me how the situation is now?  :)


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}" /f
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}" /f
REG: reg delete "HKEY_CURRENT_USER\Software\Trolltech" /f
REG: reg delete "HKEY_USERS\S-1-5-21-3679172601-223395430-209103095-1000\Software\Trolltech" /f
REG: reg delete "HKEY_USERS\S-1-5-21-3679172601-223395430-209103095-1003\Software\Trolltech" /f
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.