21 replies to this topic

[DC1955]

I want to remove OptProCrash.dll from my PC.

 

I downloaded and ran the Hijackthis software and obtained the report. Please see the attached txt file.

 

The rogue program I want toget rid of is in this report:

 

C:\Program Files (x86)\Optimizer Pro\OptProLauncher.dll

 

Hope you can help

 

Attached Files

•  hijackthis 18Feb2014.txt   13.03KB   342 downloads

[----------------]

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

• Run FRST.
• Don´t change one of the checkboxes and hit Scan.
• Logfiles are created on your desktop.
• Poste the FRST.txt and (after the first scan only!) the Addition.txt.

 

 

 

 

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

• Execute TDSSKiller.exe by doubleclicking on it.
  
• Press Start Scan
  
• If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  
• Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

[DC1955]

Hi Marius,

 

I have run the scans, but I cannot paste the FRST txt file into this window. I can copy & paste it into WORD but not into this reply window.

 

I had this problem with my original post, so I attached it as a file.

 

Can you help please?

DC1955

[----------------]

Please save the generated text files and attach them to your reply.

[DC1955]

Hi Marius,

 

FRST.txt file is attached

Addition.txt file is attached

TDSSKiller log file is attached

 

Thanks,

DC1955

Attached Files

•  FRST.txt   43.83KB   285 downloads
•  Addition.txt   32.33KB   270 downloads
•  TDSSKiller.3.0.0.25_18.03.2014_13.44.58_log.txt   202.83KB   255 downloads

[----------------]

Fix with FRST (normal mode)

• Open notepad (Start =>All Programs => Accessories => Notepad).
• Please copy the entire contents of the code box below.
  (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
• Save it to the same direction as frst.exe (or frst64.exe) as fixlist.txt.
  
  

  Websteroids (x32 Version: 2.6.63 - Creative Island Media, LLC) Hidden <==== ATTENTION
  InstallConverter (x32 Version: 1.0 - InstallConverter) Hidden
  Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden

  NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
• Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
• The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

 

 

Add-/remove programms

Click on start-->control panel.

Vista/7: Open Programs and Features
XP: Open add/remove programs

Search for and remove the following programs

McAfee Security Scan Plus
Internet Speed Tracker Internet Explorer Toolbar
Websteroids
InstallConverter
Google Toolbar for Internet Explorer

Close the window.

 

 

When finished, create and attach new logs with FRST.

Ensure the checkmark next to "Addition.txt" is placed before scanning to create a new addition.txt.

[DC1955]

Hi Marius,

 

I have carried out your instructions and have attached the 3 files you requested:

 

Fixlog.txt

new version of FRST.txt

and new version of Addition.txt

 

Regards

DC1955

Attached Files

•  Fixlog.txt   979bytes   235 downloads
•  FRST.txt   41.44KB   257 downloads
•  Addition.txt   31.48KB   301 downloads

[----------------]

Fix with FRST (normal mode)

• Open notepad (Start =>All Programs => Accessories => Notepad).
• Please copy the entire contents of the code box below.
  (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
• Save it to the same direction as frst.exe (or frst64.exe) as fixlist.txt.
  
  

  HKLM-x32\...\Run: [Internet Speed Tracker EPM Support] - C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin\9tmedint.exe [12872 2014-02-20] (Mindspark Interactive Network, Inc.)
  HKLM-x32\...\Run: [InternetSpeedTracker_9t Browser Plugin Loader 64] - C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin\9tbrmon64.exe [71752 2014-02-20] (VER_COMPANY_NAME)
  HKU\S-1-5-21-2307866727-4051142047-265051480-1000\...\Run: [Optimizer Pro] - C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
  AppInit_DLLs: C:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL => C:\Program Files (x86)\Optimizer Pro\OptProCrash_x64.dll [2681648 2014-03-18] ()
  AppInit_DLLs-x32: c:\progra~2\optimi~1\optpro~1.dll => C:\Program Files (x86)\Optimizer Pro\OptProCrash.dll [2961368 2014-03-18] ()
  SearchScopes: HKLM-x32 - {a0892e19-6051-4ae6-9a5f-91542a166b2b} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^BBQ^xdm004^YYA^gb&si=CL6dotqX27wCFZHJtAod3GwAGQ&ptb=37FEEBCD-E831-4E23-B216-40490B9EC878&ind=2014022012&n=780b897c&psa=&st=sb&searchfor={searchTerms}
  SearchScopes: HKCU - SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
  SearchScopes: HKCU - {a0892e19-6051-4ae6-9a5f-91542a166b2b} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^BBQ^xdm004^YYA^gb&si=CL6dotqX27wCFZHJtAod3GwAGQ&ptb=37FEEBCD-E831-4E23-B216-40490B9EC878&ind=2014022012&n=780b897c&psa=&st=sb&searchfor={searchTerms}
  SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=retail&geo=AU&ver=20&locale=en_AU&gct=kwd&qsrc=2869
  SearchScopes: HKCU - {FDE19A8D-2EA3-4B02-9165-8A59037A93D7} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=en_UK&apn_ptnrs=U4&apn_dtid=OSJ000YYUK&apn_uid=343D0F02-5677-4E59-B452-8020F6A803AE&apn_sauid=1AFCBCB8-ACC2-46FA-ACA4-297EE09A32C6
  Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
  FF SearchEngineOrder.1: Ask.com
  FF DefaultSearchEngine: Ask.com
  FF Plugin-x32: @InternetSpeedTracker_9t.com/Plugin - C:\Program Files (x86)\InternetSpeedTracker_9t\bar\1.bin\NP9tStub.dll (Mindspark)
  FF Extension: Internet Speed Tracker - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\mpxh24f6.default\Extensions\9tffxtbr@InternetSpeedTracker_9t.com [2014-02-20]
  CHR DefaultSearchKeyword: ask
  CHR DefaultSearchProvider: Norton Safe Search
  CHR DefaultSearchURL: http://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN10506&l=dis&prt=360&chn=retail&geo=AU&ver=20&locale=en_AU&gct=sb&qsrc=2869
  CHR DefaultNewTabURL:
  
  R2 70e6ca8c; C:\Program Files (x86)\Optimizer Pro\OptProCrashSvc.dll [186496 2014-03-18] ()
  
  C:\Program Files (x86)\Optimizer Pro
  c:\Program Files (x86)\InternetSpeedTracker_9t
  C:\Users\Damian\AppData\Roaming\Optimizer Pro
  C:\Users\Damian\AppData\Local\IAC
  C:\Users\Damian\AppData\Local\InternetSpeedTracker_9t

  NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
• Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
• The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

 

Full System Scan with Malwarebytes Antimalware

• If not existing, please download Malwarebytes' Anti-Malware to your desktop.
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

• Run Malwarebytes Antimalware
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location.
• The log can also be found here:
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Post that log back here.

[DC1955]

 mbam-log-2014-03-18 (16-06-47).txt   4.23KB   220 downloads  Fixlog.txt   6.07KB   269 downloadsHi Marius,

 

I have followed your instructions and have created 2 files (please see attachments)

 

1. fixlog.txt

2. Malwarebytes log file

 

Thanks and Regards

DC1955

[----------------]

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
  
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• If any threats were found, click the 'List of found threats' , then click Export to text file....
• Save it to your desktop, then please copy and paste that log as a reply to this topic.

[DC1955]

Hi Marius,

before I ran the ESET program, I noticed the files I wanted to delete have gone from Windows Explorer. I ran the ESET software and it appears to have picked up the FRST quarantine files

Here is the contents of the ESET text file:

C:\FRST\Quarantine\C\Program Files (x86)\InternetSpeedTracker_9t\InternetSpeedTracker_9t\bar\1.bin\9tskin.dll probably a variant of Win32/Toolbar.MyWebSearch.P potentially unwanted application
C:\FRST\Quarantine\C\Program Files (x86)\InternetSpeedTracker_9t\InternetSpeedTracker_9t\bar\1.bin\AppIntegrator64.exe a variant of Win64/Toolbar.MyWebSearch.A potentially unwanted application
C:\FRST\Quarantine\C\Program Files (x86)\InternetSpeedTracker_9t\InternetSpeedTracker_9t\bar\1.bin\AppIntegratorStub64.dll a variant of Win64/Toolbar.MyWebSearch.A potentially unwanted application
C:\FRST\Quarantine\C\Program Files (x86)\InternetSpeedTracker_9t\InternetSpeedTracker_9t\bar\1.bin\Hpg64.dll a variant of Win64/Toolbar.MyWebSearch.A potentially unwanted application
C:\FRST\Quarantine\C\Program Files (x86)\Optimizer Pro\OptProCrash.dll a variant of Win32/SProtector.E potentially unwanted application
C:\FRST\Quarantine\C\Program Files (x86)\Optimizer Pro\OptProCrashSvc.dll a variant of Win32/SProtector.F potentially unwanted application
C:\FRST\Quarantine\C\Program Files (x86)\Optimizer Pro\OptProCrash_x64.dll a variant of Win64/SProtector.A potentially unwanted application

Kind Regards
DC1955

[----------------]

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.

• Run adwcleaner.exe
• Hit Scan and wait for the scan to finish.
• Confirm the message but don´t uncheck anything.
• Hit Clean
• When the run is finished, it will open up a text file
• Please post its contents within your next reply
• You´ll find the log file at C:\AdwCleaner[S1].txt also

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

SecurityCheck
 
Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

• Save it to your desktop, start it and follow the instructions in the window.
• After the scan finished the (checkup.txt) will open. Copy its content to your thread.

[DC1955]

Hi Marius,

 

I downloaded and ran the Adwcleaner program and got the txt file.

 

I disabled my Norton 360 as per your instructions. I then used the link to download the JRT program. BUT, from the download I have now got 2 versions of something called Install Converter on my desktop and I now have Optimizer Pro back on my desktop!!!!!

Help!. Whats going on here?

 

This is the Adwcleaner txt

 

# AdwCleaner v3.022 - Report created 19/03/2014 at 16:53:10
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Damian - DAMIAN-PC
# Running from : C:\Users\Damian\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\optimizer pro v3.2
Folder Deleted : C:\Users\Damian\AppData\LocalLow\iac
File Deleted : C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\mpxh24f6.default\.autoreg
File Deleted : C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\mpxh24f6.default\searchplugins\Askcom.xml
File Deleted : C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\mpxh24f6.default\searchplugins\safesearch.xml

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InstallConverter bundle uninstaller\InstallConverter bundle uninstaller.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521

-\\ Mozilla Firefox v3.6 (en-US)

[ File : C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\mpxh24f6.default\prefs.js ]

Line Deleted : user_pref("browser.search.defaultengine", "Ask.com");

-\\ Google Chrome v33.0.1750.154

[ File : C:\Users\Damian\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : icon_url
Deleted : search_url

*************************

AdwCleaner[R0].txt - [3399 octets] - [19/03/2014 16:51:38]
AdwCleaner[S0].txt - [2932 octets] - [19/03/2014 16:53:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2992 octets] ##########

[DC1955]

Hi Marius,

 

Another thing is that my IE Homepage has been changed to :

 

http://www.trovigo.c...85895B335A=

[----------------]

Please run the other tools and post the logs.

Let´s have alook to the logs before we talk about the next steps.