Re: [Resolved - K]]browser hijack PUP.FCTPlugin

  • 20 Replies
  • 3740 Views

Offline bella

  • Bronze Member
  • 11
Re: Re: [Resolved - K]]browser hijack PUP.FCTPlugin
« Reply #15 on: October 03, 2012, 05:20:42 PM »
Hi Kevin,

Here are the ESET results.  I forgot that my Passport was attached, hope that doesn't cause issues.

C:\Qoobox\Quarantine\C\Users\Administrator\AppData\Local\Deployment\Apple\ijarbb.dll.vir   Win32/Kryptik.AMNF trojan
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Default\aagedhdigbdadhgedbdidddbdedadggf\background.html   Win32/BHO.OEI trojan
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Default\aagedhdigbdadhgedbdidddbdedadggf\ContentScript.js   Win32/BHO.OEI trojan
C:\Users\Administrator\Desktop\computerfix\WinZip165.exe   a variant of Win32/OpenInstall application
E:\Documents\Holly & I\stickfigures\registrybooster.exe   Win32/RegistryBooster application
E:\Holly & I\stickfigures\registrybooster.exe   Win32/RegistryBooster application
G:\My WD_Backup\Memeo\COMPAQ\C_\Users\Jody\Documents\Holly & I\stickfigures\registrybooster.exe   Win32/RegistryBooster application
G:\Compaq12.5.2011\Holly & I\stickfigures\registrybooster.exe   Win32/RegistryBooster application
G:\Compaq02.27.2012\Holly & I\stickfigures\registrybooster.exe   Win32/RegistryBooster application
G:\Documents\Holly & I\stickfigures\registrybooster.exe   Win32/RegistryBooster application


Thanks,
Bella
« Last Edit: October 04, 2012, 10:24:22 AM by kevinf80 »
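The ESET list above is a plain "<path>   <detection name>" record. As an added example, not part of Bella's or Kevin's posts and not code from ESET or OldTimer, here is a small Python triage script for that format: it parses the lines (the sample below is a subset of the lines posted above), separates "trojan" detections from "application" flags (the PUP class), pulls the Chrome extension ID out of the profile path, marks hits that are already sitting in ComboFix's own quarantine (C:\Qoobox\Quarantine, the .vir file, which ComboFix removes when it is uninstalled), groups the rest by drive letter, and drafts an OTM ":Files" block in the syntax used later in this thread. The regexes and field names are my own assumptions, not an ESET log specification.

```python
"""Triage an ESET Online Scanner result list and draft an OTM ':Files' block.

Added example: the log format handling below is an assumption based on the
lines posted in this thread, not an ESET specification.
"""
import re
from collections import defaultdict

# Subset of the result lines posted above (one per category of interest).
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Users\Administrator\AppData\Local\Deployment\Apple\ijarbb.dll.vir   Win32/Kryptik.AMNF trojan
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Default\aagedhdigbdadhgedbdidddbdedadggf\background.html   Win32/BHO.OEI trojan
C:\Users\Administrator\Desktop\computerfix\WinZip165.exe   a variant of Win32/OpenInstall application
E:\Documents\Holly & I\stickfigures\registrybooster.exe   Win32/RegistryBooster application
G:\Compaq12.5.2011\Holly & I\stickfigures\registrybooster.exe   Win32/RegistryBooster application
"""

# '<path>' and '<detection>' are separated by a run of two or more spaces.
LINE_RE = re.compile(r"^(?P<path>.+?)\s{2,}(?P<detection>.+?)\s*$")
# Chrome extension IDs are 32 characters drawn from a-p; locate one below the profile.
EXT_ID_RE = re.compile(r"\\Chrome\\User Data\\.*?\\(?P<id>[a-p]{32})\\", re.I)
# ComboFix's quarantine folder; files there are already neutralised.
QUARANTINE_RE = re.compile(r"^[A-Z]:\\Qoobox\\Quarantine\\", re.I)


def parse_results(text):
    """Turn ESET result lines into a list of finding dicts."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a result line (headers, blank separators, etc.)
        path, detection = m.group("path"), m.group("detection")
        ext = EXT_ID_RE.search(path)
        findings.append({
            "path": path,
            "detection": detection,
            # ESET ends the name with its class: 'trojan' or 'application' (PUP).
            "verdict": detection.rsplit(" ", 1)[-1].lower(),
            "drive": path[0].upper(),
            "quarantined": bool(QUARANTINE_RE.match(path)) or path.lower().endswith(".vir"),
            "extension_id": ext.group("id") if ext else None,
        })
    return findings


def summarise(findings):
    """Map drive letter -> sorted detection names, to spot hits on backup volumes."""
    by_drive = defaultdict(set)
    for f in findings:
        by_drive[f["drive"]].add(f["detection"])
    return {drive: sorted(names) for drive, names in by_drive.items()}


def otm_script(findings):
    """Draft an OTM script: flush DNS, move each live hit, then empty temp folders.

    Quarantined (.vir) files are skipped; they are already disarmed and go away
    with the ComboFix uninstall.
    """
    lines = [":Files", "ipconfig /flushdns /c"]
    lines += [f["path"] for f in findings if not f["quarantined"]]
    lines += [":Commands", "[EmptyTemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_results(SAMPLE_LOG)
    for f in found:
        tag = "QUARANTINED" if f["quarantined"] else f["verdict"].upper()
        extra = " (Chrome extension %s)" % f["extension_id"] if f["extension_id"] else ""
        print("%-11s %s%s" % (tag, f["path"], extra))
    print(summarise(found))
    print(otm_script(found))
```

Note that the registrybooster.exe hits live on the E: and G: backup volumes as well as the original location; restoring from those backups would bring the PUP straight back, which is why the summary groups findings by drive letter.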


Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • 7696
Re: Re: [Resolved - K]]browser hijack PUP.FCTPlugin
« Reply #16 on: October 03, 2012, 05:56:19 PM »
Thanks for the reply Bella; OK, continue as follows....

Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2 

Save it to your desktop.

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run; the Desktop will also disappear, and will be put back on completion....
  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Files
ipconfig /flushdns /c
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Default\aagedhdigbdadhgedbdidddbdedadggf\background.html
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Default\aagedhdigbdadhgedbdidddbdedadggf\ContentScript.js
C:\Users\Administrator\Desktop\computerfix\WinZip165.exe
E:\Documents\Holly & I\stickfigures\registrybooster.exe
E:\Holly & I\stickfigures\registrybooster.exe
G:\My WD_Backup\Memeo\COMPAQ\C_\Users\Jody\Documents\Holly & I\stickfigures\registrybooster.exe
G:\Compaq12.5.2011\Holly & I\stickfigures\registrybooster.exe
G:\Compaq02.27.2012\Holly & I\stickfigures\registrybooster.exe
G:\Documents\Holly & I\stickfigures\registrybooster.exe
:Commands
[EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Post that log, give an update on how your system is responding, also let me know of any remaining issues or concerns..

Thanks,

Kevin
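The OTM script above removes two files of a Chrome extension by path. Before moving files by hand it helps to see what else a profile carries, so here is an added example, not code from the thread, from OldTimer, Google or ESET: a Python script that walks a Chrome profile's Extensions\<id>\<version>\manifest.json tree and flags extensions with a content script injected into every site, persistent background code, or traffic-shaping permissions, which is exactly the shape of the hijacker above (a background.html plus a ContentScript.js). The sample profile it builds in a temp directory is constructed; the manifest contents and the benign extension ID are assumptions, and the flagged ID is simply the one from the ESET results. Note that the path in the scan log sits under User Data\Default\Default\<id>, not the standard Extensions folder; the script assumes the standard layout, so point it at the right directory.

```python
"""Audit a Chrome profile's Extensions tree for hijack-style extensions.

Added example. Assumes the usual <profile>/Extensions/<id>/<version>/manifest.json
layout; the sample profile and manifests below are constructed for the demo.
"""
import json
import os
import re
import tempfile

EXT_ID_RE = re.compile(r"^[a-p]{32}$")            # Chrome IDs: 32 chars, a-p only
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMS = {"webRequest", "webRequestBlocking", "proxy", "<all_urls>"}

HIJACK_ID = "aagedhdigbdadhgedbdidddbdedadggf"    # ID taken from the ESET results above
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"    # constructed, hypothetical


def audit_extension(ext_id, manifest):
    """Return the reasons this extension deserves a look (empty list = nothing found)."""
    reasons = []
    if not EXT_ID_RE.match(ext_id):
        reasons.append("malformed extension id %r" % ext_id)
    for cs in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(cs.get("matches", [])):
            reasons.append("content script injected into every site: %s"
                           % ", ".join(cs.get("js", [])))
    bg = manifest.get("background", {})
    bg_entry = bg.get("page") or bg.get("service_worker") or ", ".join(bg.get("scripts", []))
    if bg_entry:
        reasons.append("persistent background code: %s" % bg_entry)
    # MV2 manifests may carry dict entries in 'permissions'; only strings are checked.
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    if RISKY_PERMS & perms:
        reasons.append("traffic-shaping permissions: %s" % ", ".join(sorted(RISKY_PERMS & perms)))
    return reasons


def audit_profile(profile_dir, allowlist=frozenset()):
    """Map extension id -> reasons for every flagged extension under profile_dir."""
    flagged = {}
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return flagged
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if ext_id in allowlist or not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8-sig") as fh:  # tolerate a BOM
                manifest = json.load(fh)
            reasons = audit_extension(ext_id, manifest)
            if reasons:
                flagged[ext_id] = reasons
    return flagged


def build_sample_profile():
    """Create a throwaway profile: one hijacker-shaped and one benign extension."""
    root = tempfile.mkdtemp(prefix="chrome-profile-")
    samples = {
        (HIJACK_ID, "1.0"): {   # constructed manifest mirroring the files moved above
            "manifest_version": 2, "name": "Search Helper", "version": "1.0",
            "background": {"page": "background.html"},
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["ContentScript.js"],
                                 "run_at": "document_start"}],
            "permissions": ["tabs", "webRequest", "<all_urls>"],
        },
        (BENIGN_ID, "2.3.1"): {  # constructed theme with no code at all
            "manifest_version": 2, "name": "Plain Theme", "version": "2.3.1",
            "theme": {"colors": {"frame": [0, 0, 0]}},
        },
    }
    for (ext_id, version), manifest in samples.items():
        ext_dir = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    profile = build_sample_profile()
    for ext_id, reasons in audit_profile(profile).items():
        print(ext_id)
        for reason in reasons:
            print("  -", reason)
```

On a real machine, point audit_profile at the profile folder (User Data\Default) and pass the IDs of extensions you installed on purpose as the allowlist; anything left flagged is what to look at before deciding what to move.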


Offline bella

  • Bronze Member
  • 11
Re: Re: [Resolved - K]]browser hijack PUP.FCTPlugin
« Reply #17 on: October 03, 2012, 06:45:04 PM »
Hi again,

I tested my IE prior to sending this and it appears to be OK now.

Here are the logs from OTM:

Thanks so much for all your time, I greatly appreciate it.

Bella

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Administrator\Desktop\cmd.bat deleted successfully.
C:\Users\Administrator\Desktop\cmd.txt deleted successfully.
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Default\aagedhdigbdadhgedbdidddbdedadggf\background.html moved successfully.
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Default\aagedhdigbdadhgedbdidddbdedadggf\ContentScript.js moved successfully.
C:\Users\Administrator\Desktop\computerfix\WinZip165.exe moved successfully.
E:\Documents\Holly & I\stickfigures\registrybooster.exe moved successfully.
E:\Holly & I\stickfigures\registrybooster.exe moved successfully.
G:\My WD_Backup\Memeo\COMPAQ\C_\Users\Jody\Documents\Holly & I\stickfigures\registrybooster.exe moved successfully.
G:\Compaq12.5.2011\Holly & I\stickfigures\registrybooster.exe moved successfully.
G:\Compaq02.27.2012\Holly & I\stickfigures\registrybooster.exe moved successfully.
G:\Documents\Holly & I\stickfigures\registrybooster.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 948437 bytes
->Temporary Internet Files folder emptied: 5989848 bytes
->Java cache emptied: 18356442 bytes
->FireFox cache emptied: 59790672 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 523 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Jody
->Temp folder emptied: 0 bytes
->Java cache emptied: 202 bytes
->Flash cache emptied: 468 bytes
 
User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 267467 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 30783777 bytes
 
Total Files Cleaned = 111.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 10032012_193013

Files moved on Reboot...
C:\Users\Administrator\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • 7696
Re: Re: [Resolved - K]]browser hijack PUP.FCTPlugin
« Reply #18 on: October 03, 2012, 06:56:55 PM »
Hiya Bella,

OK, if no more issues we can clean up. proceed as follows:

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")


  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Step 2

Remove ESET online scanner:

  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner; only re-boot if prompted.
Step 3

Uninstall adwcleaner.exe
  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall
  • Click Yes at Would you like to Uninstall Adwcleaner
Step 4

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then Click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.


Any tools/logs remaining on the Desktop can be deleted.

Step 5

Go here http://www.filehippo.com/updatechecker/ (Use the Stand Alone Version, not the installer) Run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates.
If Java or Adobe are updated please check under Start > Control Panel > Programs and Features, ensure any old versions are removed. <--- Very Important

Step 6

Download TFC  to your desktop, from either of the following links
Link 1
Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent utility to run weekly to keep your system optimized, as it empties all user temp folders, Java cache etc. Always remember to re-boot after a run, even if not prompted.

Let me know if those steps complete OK; if there are no remaining issues, are you OK for me to close this thread...

Kevin...

Offline bella

  • Bronze Member
  • 11
Re: Re: [Resolved - K]]browser hijack PUP.FCTPlugin
« Reply #19 on: October 03, 2012, 08:02:42 PM »
Hi Kevin,

All went perfectly.  I am all set to go, so you can close the thread. 

Thanks at least a hundred more times for your help.


Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • 7696
Re: Re: [Resolved - K]]browser hijack PUP.FCTPlugin
« Reply #20 on: October 04, 2012, 01:32:27 AM »
Hiya bella,

Good to hear that all went well, if no more issues here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol  This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained Here

Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates.
If Java or Adobe are updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
 
Firefox,

Opera, and

Chrome.
 
All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally, this link HERE will give a comprehensive, up-to-date list of free security programs, including antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

It was a pleasure to work with you; take care,

Kevin