
> Please help me remove isearch.claro-search.com, I'm at my wits' end.

blueflame
post Aug 18 2012, 11:12 AM


Scintillating
******
Group: Senior Member
Posts: 1,133

Joined: Dec 2011
Hello,

I must have downloaded something and now whenever I open a new tab in all my browsers this claro search link comes out.
I think I got infected with this browser hijacker isearch.claro-search.com

I've been trying to remove it the whole day yesterday but nothing works.

I followed this >> http://www.im-infected.com/hijacker/claro-search-com.html
I went in add/remove programs, uninstalled isearch.claro-search.com. I also removed it from all my browsers (IE, Google chrome and Mozilla Firefox). I re-opened all of those browsers and there it was again.

Next, I downloaded and ran Kaspersky TDSSkiller but it found nothing useful.

Then I downloaded Malwarebytes Anti-Malware and it removed some stuff (I forgot what) but the claro search thing is still there when I open Firefox.

I tried some other stuff too but I kinda forgot what they were. All I know is that the problem still persists..

I googled quite a lot of solutions but some of them are complicated computer stuff and I don't know how to handle it. I'm scared I'll mess up my laptop since I'm not good in all this computer stuff.

I'm getting desperate and frustrated.. From what I read this hijacker is harmful and difficult to remove.
I really hope someone can help me on this. Thank you in advance.

This post has been edited by blueflame: Aug 18 2012, 11:25 AM
BlueWind
post Aug 18 2012, 11:17 AM


Sianzation
*******
Group: Senior Member
Posts: 2,764

Joined: Jan 2007



First off, edit the link you posted as it will pose dangers to other users who might ignorantly click on it and get infected.

Second, before we continue with diagnosis, what OS are you using?
blueflame
post Aug 18 2012, 11:29 AM


QUOTE(BlueWind @ Aug 18 2012, 11:17 AM)
First off, edit the link you posted as it will pose dangers to other users who might ignorantly click on it and get infected.

Second, before we continue with diagnosis, what OS are you using?
*
I'm very sorry, I didn't know others can get infected by clicking on that. Edited.

Windows 7 Home Premium.
BlueWind
post Aug 18 2012, 11:57 AM


Hi,

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click on Minimal Output at the top
  • Download the following file Custom Scan 2.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click OK to load a custom scan from a file or Cancel to cancel"
  • Click the OK button and navigate to the file Custom Scan 2.txt which we just saved to your desktop
  • Select Custom Scan 2.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic
===================================================

Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Allow it to update where necessary
  • Click Scan
    • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
    • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.
===================================================

On your next reply please post :
OTL log
aswMBR log
MBR.dat (attachment)


Please STOP and let me know if you have any problems performing the steps above or any questions you may have.

Good Day!
Xploit Machine
post Aug 18 2012, 12:56 PM


Wise Old Man
*******
Group: Senior Member
Posts: 6,578

Joined: Nov 2008
From: West Malaysia



QUOTE(blueflame @ Aug 18 2012, 11:12 AM)
Hello,

I must have downloaded something and now whenever I open a new tab in all my browsers this claro search link comes out.
I think I got infected with this browser hijacker isearch.claro-search.com

I've been trying to remove it the whole day yesterday but nothing works.

I followed this >> http://www.im-infected.com/hijacker/claro-search-com.html
I went in add/remove programs, uninstalled isearch.claro-search.com. I also removed it from all my browsers (IE, Google chrome and Mozilla Firefox). I re-opened all of those browsers and there it was again.

Next, I downloaded and ran Kaspersky TDSSkiller but it found nothing useful.

Then I downloaded Malwarebytes Anti-Malware and it removed some stuff (I forgot what) but the claro search thing is still there when I open Firefox.

I tried some other stuff too but I kinda forgot what they were. All I know is that the problem still persists..

I googled quite a lot of solutions but some of them are complicated computer stuff and I don't know how to handle it. I'm scared I'll mess up my laptop since I'm not good in all this computer stuff.

I'm getting desperate and frustrated.. From what I read this hijacker is harmful and difficult to remove.
I really hope someone can help me on this. Thank you in advance.
*
Nothing happens to me when I browse the link..
blueflame
post Aug 18 2012, 04:44 PM


Hello,

For OTL, can I paste the contents from Custom Scan 2.txt which I opened in notepad into the Customs scans box? This is because I had trouble locating the Custom Scan 2.txt if I double click the Customs Scan box.

And, just to make sure, are these the correct settings for the OTL scan? I think I have run this scan before and I may have changed the settings. But this OTL I used is the one I newly downloaded.

Include 64bitScans - checked
Output - Minimal output
Processes - Use Safelist
Services - Use Safelist
Standard Registry - Use Safelist
Modules - No Company Name
Drivers - Use Safelist
Extra registry - Use Safelist
File Age : 30 Days
Use No-Company-Name WhiteList - checked
Files Created Within - File Age
Files Modified Within - File Age

I will run the scan again if something went wrong - after I fixed whatever it is, of course.
If all of the above is okay, then I'll attach the OTL.txt and Extras.txt.
I have to attach the logs, I can't seem to post it here, it is too long.

Thank you for your reply and detailed instructions.



Attached File(s)
Attached File  OTL.Txt ( 141.15k ) Number of downloads: 7
Attached File  Extras.Txt ( 67.16k ) Number of downloads: 5
Attached File  aswMBR.txt ( 1.92k ) Number of downloads: 4
Attached File  MBR.zip ( 535bytes ) Number of downloads: 10
BlueWind
post Aug 18 2012, 05:30 PM


That is actually fine and the settings are correct. Please perform the following instructions sequentially.

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    CODE
    :OTL
    FF - prefs.js..browser.search.defaultenginename: "Claro Search"
    FF - prefs.js..browser.search.order.1: "Claro Search"
    FF - prefs.js..browser.search.useDBForOrder: true
    O4 - HKLM..\Run: [] File not found
    [2012/08/18 06:42:43 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{065920EC-5764-42E6-8323-14418A66BDB1}
    [2012/08/18 06:42:32 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{13D3310E-CE6D-4F6E-B46E-281C718D5E3E}
    [2012/08/17 09:56:46 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\Media Finder
    [2012/08/17 09:54:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\BabylonToolbar
    [2012/08/17 09:53:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\Babylon
    [2012/08/17 08:09:26 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{DC5DC3D0-250D-451E-A5C9-A5F8E00459AF}
    [2012/08/17 08:09:15 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FD252DC2-6B8E-4422-BC40-470594972F1B}
    [2012/08/17 01:36:04 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5FFCD237-5314-4B7F-AD58-3A25E68A5C2A}
    [2012/08/16 13:35:02 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{23365712-E153-42D8-9816-9F879EFF1D17}
    [2012/08/16 13:34:47 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{40A366C3-3EF4-4DBD-9AA6-1B568823EE25}
    [2012/08/15 22:39:36 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{CA89F7AF-F00C-48A2-89DC-A73D47F586DE}
    [2012/08/15 22:39:23 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{85E4694F-7D0A-4B30-BA22-30EAFA01E22F}
    [2012/08/15 10:38:56 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{01D1F697-9FBA-4498-BF39-1BED1428934A}
    [2012/08/15 10:38:43 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A5AA4F37-B497-4316-91DE-182450F89CA4}
    [2012/03/25 22:06:43 | 000,000,704 | ---- | C] () -- C:\Users\user\AppData\Local\f8aa04c2\U\000000cb.@
    [2012/03/25 20:07:34 | 000,022,016 | ---- | C] () -- C:\Users\user\AppData\Local\f8aa04c2\U\800000cb.@
    [2012/03/23 14:09:57 | 000,002,048 | -HS- | C] () -- C:\Users\user\AppData\Local\f8aa04c2\@
    [2012/02/13 06:27:07 | 000,017,408 | ---- | C] () -- C:\Users\user\AppData\Local\f8aa04c2\U\80000000.@
    [2012/01/19 00:25:32 | 000,000,017 | ---- | C] () -- C:\Windows\SysWow64\shortcut_ex.dat
    [2012/01/06 00:24:21 | 000,032,256 | ---- | C] () -- C:\Users\user\AppData\Local\f8aa04c2\U\800000cf.@
    [2012/08/14 11:27:21 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A32171EC-8B87-4765-ACE2-E4423706509D}
    [2012/08/14 11:27:09 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FD20E181-E69C-4D6C-B744-11017BF1599E}
    [2012/08/13 18:22:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{DE2AC5AA-EC08-4C7D-A506-8CC7BFFE8418}
    [2012/08/13 18:22:46 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{AC6C144C-5ED8-4AAD-B3CB-3771700114C4}
    [2012/08/13 05:35:27 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5252752B-4820-46CA-AC47-14B9C0ABB80C}
    [2012/08/13 05:35:14 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{8F213BC5-5368-4C3D-9333-A7400DCC05CA}
    [2012/08/13 00:34:56 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FE1C5801-4512-4B1F-A599-6447B295029E}
    [2012/08/12 12:34:27 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{3174668D-A416-458C-BA2B-F90AFB89D586}
    [2012/08/12 12:34:15 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{663A46F8-F78C-42D2-A454-C54AAF34829A}
    [2012/08/12 00:33:04 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{B2455C11-833C-40E2-97FD-C3FC84E9B21E}
    [2012/08/12 00:32:37 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6DD39CFD-92B3-49FC-817C-40E253F88F74}
    [2012/08/11 12:31:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6F3BE59F-2F5B-49AE-8E05-51C94CAE85C2}
    [2012/08/11 12:31:39 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6F68FF46-4BC9-4A16-AD10-3EA8D70767F2}
    [2012/08/10 06:10:29 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FB695502-54F3-4A69-A975-8C26DB5B18C9}
    [2012/08/10 06:10:17 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{DF46841E-A918-424E-B789-CA3E52ED8EC0}
    [2012/08/09 06:52:05 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F551621D-3739-4F2D-BC80-BB2D597B6734}
    [2012/08/09 06:51:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A780B78E-D017-4A47-A119-6FA3273AD8D7}
    [2012/08/08 17:23:21 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{EE8084D8-F68F-49B9-A56E-C72C4A9A8BE9}
    [2012/08/08 17:23:09 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{171C574F-1341-4AD6-88CF-742393D1AA25}
    [2012/08/08 05:22:39 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{9E3C266B-A201-4DD3-9EFB-A38D5AD0D488}
    [2012/08/08 05:22:27 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5FBD4DB7-05E0-4704-A913-DEA05B1303AF}
    [2012/08/07 13:33:39 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{8AEE7338-D7BA-4E26-A593-4F6EFE46B6C6}
    [2012/08/07 13:32:59 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{241BC31E-FDEC-473E-B3EF-930EE7C5DEFF}
    [2012/08/07 00:53:56 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{B8B81252-6638-4589-B1A7-8FEA29B54CF9}
    [2012/08/07 00:53:32 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{125E49A4-606E-46D6-9E68-C783B774CBBC}
    [2012/08/06 12:52:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{08112953-75D6-4422-A558-DCFEB910C8C3}
    [2012/08/06 12:52:40 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{BA9E9B3F-BE2E-4319-8587-F3E2C46FAEBE}
    [2012/08/06 12:39:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{4EB7C246-279D-49A5-91A7-F3CB59E1EACE}
    [2012/08/05 21:47:54 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7C96710B-076D-4FE5-9931-E6996A5495DF}
    [2012/08/05 21:46:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7A6F3254-745D-4E3C-87A2-B81CD616BB14}
    [2012/08/05 16:05:09 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{BB41AA26-4855-48F5-A5BA-449F2E0E2A22}
    [2012/08/05 03:36:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{601A4E19-D9ED-4442-968E-E3E8819AC80C}
    [2012/08/05 03:36:00 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{49297944-8C75-45B7-A284-C68ED5A8ACF2}
    [2012/08/05 00:01:04 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{840291BB-02E7-4F35-A26F-61AFDDC527BC}
    [2012/08/04 20:54:49 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{58BD3AB4-4659-4012-ABE3-588633E358F5}
    [2012/08/04 18:34:15 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{39FFD9B1-30EE-404B-9F53-ACB21371A73A}
    [2012/08/04 06:13:24 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{381C01D9-1E73-47CB-BFBC-857607B2F2BD}
    [2012/08/04 06:13:12 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A5C642FC-E69C-46A0-96F3-69B117E10E32}
    [2012/08/03 18:12:29 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{8D3EB5D5-B88B-4CC3-8262-323C5D26ED9B}
    [2012/08/03 18:12:17 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{EF500529-D121-4006-A77D-E75E62140AE2}
    [2012/08/03 03:21:59 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6696BD67-A9B3-4AA7-A1FF-5CB52E1CA993}
    [2012/08/03 03:21:47 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D1628520-6CDA-41F3-88C8-7FDAF0A35EEF}
    [2012/08/03 03:16:05 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{17779435-5447-48C4-9F13-0079EBEC39C5}
    [2012/08/03 03:13:37 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{B888ACB7-69E6-40AA-9E2C-E50C03CB8945}
    [2012/08/02 07:02:05 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{ED7BA8BE-EE4C-4B97-B9A2-A1542D63E8BF}
    [2012/08/02 07:01:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{C505BB7E-2707-4CB9-9E34-E6A4F9864E21}
    [2012/08/01 19:01:23 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{19845566-C478-4852-9FD6-542BBDB7CE4B}
    [2012/08/01 19:01:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{EAFD47B7-9C1B-4DD5-91EA-2B8BE2E5F2DE}
    [2012/08/01 07:00:43 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F08E6B1C-2A0F-41BF-8F86-E6EBF85E134F}
    [2012/08/01 07:00:31 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{17924AC9-488B-49CF-8545-D43C989BBE3A}
    [2012/07/31 09:26:16 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5085995F-4577-417C-A646-1E7735F97025}
    [2012/07/31 09:25:39 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{DD9167DA-CA08-4024-923E-1DC5296BA7B3}
    [2012/07/30 21:14:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F508CB10-28D3-4CC6-A71F-0600030DF16A}
    [2012/07/30 21:13:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{C5297F04-9D27-45AE-B19E-322B4B33C4E1}
    [2012/07/30 09:13:29 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FB1CF54A-29F0-439B-B2C2-ED0A7EB857BD}
    [2012/07/30 09:13:17 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F15600CA-DC54-4772-8813-CD946558A4BC}
    [2012/07/29 21:12:47 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{0B507618-1BF7-4890-963A-F3DFDA8ECFBD}
    [2012/07/29 21:12:35 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D94AC4E0-B53B-49B0-95F4-FDA0A763FA4F}
    [2012/07/29 07:09:46 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5A8598F9-6032-49E6-B6C7-6949121AE94C}
    [2012/07/29 07:09:34 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7080A56E-379F-4AE3-A609-07BA9473B4A4}
    [2012/07/28 17:11:35 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{62857C09-FAF8-4C6D-9463-DBF466C5AE94}
    [2012/07/28 17:11:23 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{693E8387-1A04-4C25-9BD6-EB4766F5CBC3}
    [2012/07/28 03:14:55 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{63988F46-E66A-4AD5-89FF-7EEE9CDAA43D}
    [2012/07/28 03:14:43 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6E033892-D2B5-4D61-AB72-AC16263250C1}
    [2012/07/27 11:39:05 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A5D26DC2-57BD-48E3-AC70-D4D1F2E8B896}
    [2012/07/27 11:38:53 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{2D41FAB4-1DBE-4337-BA1F-632C40F5CA1D}
    [2012/07/26 18:46:53 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A0F1B77A-19CE-4DD4-A649-A0F2F43D3419}
    [2012/07/26 18:46:40 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{35B408E2-82BB-4A8E-8607-52853A8CFFF2}
    [2012/07/26 06:45:30 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F770134A-D229-4334-A8C9-EFE45047D106}
    [2012/07/26 06:45:17 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A9083E36-28CE-495F-B978-F62004F060AE}
    [2012/07/25 18:44:47 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{E8B2F8CC-4596-46A9-A7AC-1FEA308D0BE7}
    [2012/07/25 18:44:35 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D3790AAC-6060-4FA6-B4D5-CBBD9C955508}
    [2012/07/25 14:21:28 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{76C61F7F-DC77-43AC-BF6D-D53FD6CA041D}
    [2012/07/25 13:39:16 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D9121B7E-FF1B-433E-A662-4DEEC0C1ED11}
    [2012/07/24 21:58:17 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{958FE9AF-7C4A-4A5B-9349-18134C8C3E41}
    [2012/07/24 21:58:05 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{84BEAECE-20BE-43D6-B3CA-6F01E7BB4CDA}
    [2012/07/24 20:29:02 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{80A1797C-CD37-4EA5-A1E0-8C77539FE095}
    [2012/07/24 08:12:22 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{C3E0AF1F-60B8-4636-95AA-94BAD06C6A70}
    [2012/07/24 08:12:10 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{02F8795F-21F2-4EA3-9B43-2E75E70F90A7}
    [2012/07/23 20:11:42 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{864ACAEA-F70B-4C45-95D4-225F138FC153}
    [2012/07/23 20:11:29 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{54ABF234-8633-45AD-A8E2-C24F87FDCCD4}
    [2012/07/23 04:50:47 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{44760529-0628-4703-A03C-CA5436312E47}
    [2012/07/23 04:50:35 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{97C59DF3-4A18-4347-8CC6-83CD643EB6EB}
    [2012/07/22 16:50:04 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{EA55FFDF-6CEA-48CC-B16A-2C5389004AD1}
    [2012/07/22 16:49:51 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6472402F-2DE1-4B6F-BBF9-A95ECB8A91C1}
    [2012/07/22 03:43:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7BFFCDFF-66CB-42B8-819C-D2EE20F5AF8F}
    [2012/07/22 03:43:40 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6BDDB256-A2B8-4538-B88D-B9A13CEF87A2}
    [2012/07/21 16:25:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{9E98D5D6-7EEF-4C3E-AB80-510EA835B2F9}
    [2012/07/21 04:06:55 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{3F4D7B37-CDB2-404E-AEE8-C5DA3116C375}
    [2012/07/21 04:06:44 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FEA534A9-C223-4E0D-B1E4-A7C6A602828D}
    [2012/07/20 10:21:47 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{CC2CE0E3-063B-4FE2-8B94-B6564B01AB05}
    [2012/07/20 10:21:35 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{2B9271F6-E640-4D3E-8657-C0BDA41BD90D}
    [2012/07/19 22:21:02 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{126B098B-3113-4958-8628-677E9A38050B}
    [2012/07/19 22:20:49 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6AC1DF01-496D-48D8-B335-3DD272571DC6}

    :Commands
    [EMPTYFLASH]
    [EMPTYTEMP]
    [RESETHOSTS]
    [CREATERESTOREPOINT]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post Fix OTL log.
===================================================

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide


Download ComboFix from one of these locations:

Link 1
Link 2



* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

===================================================

On your next reply please post :
OTL fix log
ComboFix log


Please STOP and let me know if you have any problems performing the steps above or any questions you may have.

Good Day!

This post has been edited by BlueWind: Aug 18 2012, 05:31 PM
blueflame
post Aug 18 2012, 09:29 PM


Here are the OTL fix log & ComboFix log.


Attached File(s)
Attached File  OTL_fix_log.txt ( 25.31k ) Number of downloads: 5
Attached File  ComboFix_log.txt ( 28.87k ) Number of downloads: 3
BlueWind
post Aug 18 2012, 10:46 PM


Let me know if you're still facing redirects after running the fix.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

CODE
FireFox::
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\n65hgzh2.default\
FF - user.js: extensions.claro.id - f227f483000000000000e02a82a917c8
FF - user.js: extensions.claro.instlDay - 15569
FF - user.js: extensions.claro.vrsn - 1.6.4.1
FF - user.js: extensions.claro.vrsni - 1.6.4.1
FF - user.js: extensions.claro_i.vrsnTs - 1.6.4.19:54
FF - user.js: extensions.claro.prtnrId - claro
FF - user.js: extensions.claro.prdct - claro
FF - user.js: extensions.claro.aflt - babsst
FF - user.js: extensions.claro_i.smplGrp - none
FF - user.js: extensions.claro.tlbrId - iclaro
FF - user.js: extensions.claro.instlRef - sst
FF - user.js: extensions.claro.dfltLng - en
FF - user.js: extensions.claro.excTlbr - false
FF - user.js: extensions.claro.admin - false



In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

user posted image
blueflame
post Aug 19 2012, 12:14 AM


Claro-search is still there.

user posted image


Attached File(s)
Attached File  ComboFix.txt2.txt ( 24.92k ) Number of downloads: 5
BlueWind
post Aug 19 2012, 12:34 AM


Download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

powerwoot
post Aug 20 2012, 12:25 AM


Annoying ubuntu
******
Group: Senior Member
Posts: 1,539

Joined: Jan 2007
From: Kuala Sg Baru - Kolej RISDA Melaka



QUOTE(blueflame @ Aug 19 2012, 12:14 AM)
Claro-search is still there.

user posted image
*
Trying mine. Look into depth of FF by entering about:config and search 'claro', delete any files associated with it. At the top right search bar, click the small arrow, edit the manage search engine and delete claro if it is in the list.
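The about:config search suggested above can also be done against the profile's preference files directly. The Python script below is an added example, not code from this thread or from any of the tools named in it. It lists every preference in `prefs.js` and `user.js` whose name or string value mentions the hijacker, and marks the ones that live in `user.js`, which Firefox reads at every start and which overrides `prefs.js`. The function names are assumptions, and the sample lines are constructed from preference names quoted earlier in the thread.

```python
import json
import re
from pathlib import Path

# One preference line as Firefox writes it: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

# Order matters for the report: prefs.js first, then user.js, whose
# entries override prefs.js every time the browser starts.
PREF_FILES = ("prefs.js", "user.js")


def parse_prefs(text):
    """Return {name: value} for every user_pref line; the last line wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        try:
            # Pref values are written as JS literals: "string", true, 42
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep unusual literals as raw text
    return prefs


def find_matches(files, needle="claro"):
    """files maps file name to file text. Returns one dict per matching pref."""
    needle = needle.lower()
    parsed = {fn: parse_prefs(txt) for fn, txt in files.items()}
    pinned = set(parsed.get("user.js", {}))  # names user.js sets at each start
    findings = []
    for fn in PREF_FILES:
        for name, value in sorted(parsed.get(fn, {}).items()):
            text_value = value.lower() if isinstance(value, str) else ""
            if needle in name.lower() or needle in text_value:
                findings.append({
                    "file": fn,
                    "name": name,
                    "value": value,
                    # True means resetting it in about:config will not stick
                    # until the line is also removed from user.js.
                    "reapplied_at_startup": name in pinned,
                })
    return findings


def scan_profile(profile_dir, needle="claro"):
    """Read prefs.js and user.js from a profile folder and report matches."""
    files = {}
    for fn in PREF_FILES:
        path = Path(profile_dir) / fn
        if path.is_file():
            files[fn] = path.read_text(encoding="utf-8", errors="replace")
    return find_matches(files, needle)


# Constructed sample input (not the poster's actual files).
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "Claro Search");
user_pref("browser.search.order.1", "Claro Search");
user_pref("browser.search.useDBForOrder", true);
user_pref("browser.startup.homepage", "about:home");
'''
SAMPLE_USER_JS = '''\
user_pref("extensions.claro.prtnrId", "claro");
user_pref("extensions.claro.instlDay", 15569);
user_pref("extensions.claro.excTlbr", false);
'''

if __name__ == "__main__":
    sample = {"prefs.js": SAMPLE_PREFS_JS, "user.js": SAMPLE_USER_JS}
    for hit in find_matches(sample):
        note = "set again at next start" if hit["reapplied_at_startup"] else "prefs.js only"
        print(f'{hit["file"]:9} {hit["name"]} = {hit["value"]!r} ({note})')
```

Run `scan_profile()` on the profile folder with Firefox closed, since the browser rewrites `prefs.js` when it exits.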
DeepMemory
post Aug 20 2012, 04:08 AM


Enthusiast
*****
Group: Senior Member
Posts: 960

Joined: Oct 2010
For Google Chrome try Settings>Set pages>choose your preferred one and/or delete the claro link. And also Settings>manage search engines>remove all search engines on default search settings except your preferred one.
blueflame
post Aug 20 2012, 11:12 AM


QUOTE(BlueWind @ Aug 19 2012, 12:34 AM)
*
Sorry for the late reply.

After I selected Repair Your Computer, it says that "Windows failed to start" and "A recent hardware/software change might be the cause"

QUOTE(powerwoot @ Aug 20 2012, 12:25 AM)
Trying mine. Look into depth of FF by entering about:config and search 'claro', delete any files associate with it. At the top right search bar, click the small arrow, edit the manage search engine and delete claro if it is in the list.
*
How to delete the files associated with claro?

I've already deleted claro from my list of search engines, claro is still there when I open a new tab.

QUOTE(DeepMemory @ Aug 20 2012, 04:08 AM)
For Google Chrome try Settings>Set pages>choose your preferred one and/or delete the claro link. And also Settings>manage search engines>remove all search engines on default search settings except your preferred one.
*
I've done this for all my browsers before I started this thread. Claro is still there. But thank you for your suggestion anyway.
BlueWind
post Aug 22 2012, 10:32 AM


Sorry for the late reply. Haven't really had the time to respond to you lol

Were there any options given to you at that point?


blueflame
post Aug 22 2012, 02:36 PM


QUOTE(BlueWind @ Aug 22 2012, 10:32 AM)
Sorry for the late reply. Haven't really had the time to respond to you lol

Was there any options given to you at that point?
*
No, no options.

This post has been edited by blueflame: Aug 22 2012, 02:37 PM
blueflame
post Aug 22 2012, 02:38 PM


QUOTE(powerwoot @ Aug 20 2012, 12:25 AM)
Trying mine. Look into depth of FF by entering about:config and search 'claro', delete any files associate with it. At the top right search bar, click the small arrow, edit the manage search engine and delete claro if it is in the list.
*
Hey! I entered the about:config thingy and managed to delete claro and it is finally gone in Firefox!! Yay!!!
But it is still there in Google Chrome though... How do I remove it in Google Chrome?

This post has been edited by blueflame: Aug 22 2012, 02:40 PM
powerwoot
post Aug 22 2012, 10:49 PM


QUOTE(blueflame @ Aug 22 2012, 02:38 PM)
Hey! I entered the about:config thingy and managed to delete claro and it is finally gone in Firefox!! Yay!!!
But it is still there in Google Chrome though... How do I remove it in Google Chrome?
*
I am not a chrome fan, but try about:flags and see what you can do in there.
wodenus
post Aug 22 2012, 10:59 PM


Tree Octopus
********
Group: Senior Member
Posts: 11,645

Joined: Jan 2003
QUOTE(blueflame @ Aug 22 2012, 02:38 PM)
Hey! I entered the about:config thingy and managed to delete claro and it is finally gone in Firefox!! Yay!!!
But it is still there in Google Chrome though... How do I remove it in Google Chrome?
*
What happens if you uninstall Chrome, run this

http://www.eusing.com/free_registry_cleane...try_cleaner.htm

And then reinstall it?

jonilabu
post Nov 27 2012, 11:33 PM


New Member
*
Group: Junior Member
Posts: 30

Joined: Apr 2008
From: Bat Town Boot Boys


If you have tried all of the above and it still isn't working for chrome, go to uninstall programs and look for programs titled DefaulTab.exe or DefaultTabChrome.exe and Browser Manager by Bit89 and uninstall it. The easy way is by sorting the programs by date installed. Hope this helps
Glabros
post Nov 28 2012, 09:41 AM


New Member
*
Group: Junior Member
Posts: 28

Joined: Nov 2012
From: Shah Alam


Try to use Spybot Search & Destroy for a full scan, this should solve your problem.

This post has been edited by Glabros: Nov 28 2012, 09:43 AM