Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

browser homepage was changed with malicious program.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

browser homepage was changed with malicious program.

Unread postby MESA » December 10th, 2017, 6:55 pm

Hi there.
I had to use a back up recently to restore windows due some problems I was having with windows updates.Computer was running great again but I had to reinstall some programs as they were out of date.Somewhere along the line lavasoft web companion managed to install itself on my computer without my knowledge and changed my internet homepage.I did manage to uninstall it and ran malwarebytes and adaware to get rid of any leftover remenants and there were also some pup's found.
I would really appreciate if someone could have a look through to see if there is anything still lurking.There are no redirects or pop ups happening but I would like peace of mind that it hasn't altered anything else or done any harm?
Thank you in advance.
You do not have the required permissions to view the files attached to this post.
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm
Advertisement
Register to Remove

Re: browser homepage was changed with malicious program.

Unread postby mAL_rEm018 » December 10th, 2017, 7:02 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 3 days will result in this thread being closed.


Hello MESA,

Welcome back to Malware Removal! My name is mAL_rEm018, but feel free to call me mAL. I will be helping you with your malware related problems :)

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.

To make sure everything goes smoothly, I would like you to observe the following rules:
  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread. Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum. Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing your logs and will return as soon as possible, with additional instructions. In the meantime I would like you to read and get acquainted with the following topic: HOW TO GET HELP IN THIS FORUM - everyone must read this, where the conditions for receiving help here are explained.
User avatar
mAL_rEm018
MRU Teacher
MRU Teacher
 
Posts: 1323
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: browser homepage was changed with malicious program.

Unread postby mAL_rEm018 » December 11th, 2017, 7:03 am

Hello MESA,

Backup your registry using TCRB
  • Please download TCRB to your Desktop.
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.

It is clear from the logs that you've supplied that you have made several attempts at self-help prior to coming here to Malwareremoval. It appears you've run a number of tools, and I need to see the logs that those tools created.

That does not mean I want you to run those tools again, it means I need to see the logs that were created when you ran them earlier.

Each will have created a report, and unless you have deleted them, or moved them, then you should be able to access them by following the instructions below ....

If you can't find them, then please let me know.


C:\users\%userprofile%\appdata\local\temp\log.txt

Open the Start menu and copy/paste the above inside the Search programs and files box and press enter. If a log was created, please post it in your next reply.

Next..

  • Open Malwarebytes Anti-Malware and click on Reports.
  • Double-click on the Scan Report by looking at the timestamp (it should be in the following order: Day/Month/Year Time)
  • Click Export and select Text file (*.txt).
  • In the File name: box, please write MBAM Log and save it to your desktop.
  • Once the process is over, a message will appear stating that the file has been successfully exported. Click OK.
  • Please post the contents of MBAM Log.txt in your next reply.

Next..

  • Open AdwCleaner and click on Logfiles.
  • Double-click on the log by looking at the timestamp (it should be in the following order: Year/Month/day Time)
  • A notepad window will open. Please copy/paste the contents in your next reply.



-----------------------------------------
In your next reply, I would like to see..
  • Did you have any problem following the instructions?
  • ESET log
  • MBAM report
  • AdwCleaner report

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections....
User avatar
mAL_rEm018
MRU Teacher
MRU Teacher
 
Posts: 1323
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: browser homepage was changed with malicious program.

Unread postby MESA » December 11th, 2017, 8:25 am

Hi mAL
I scan nearly every day with my anti malware tools always erring on the side of caution.It was while scanning with adaware and malwarebytes that I became aware of this web companion and I let them clean delete it.
there is no eset log.
I uninstalled adwcleaner and let it delete the quarantine folder so the latest adwcleaner file is clean.
Here is the Malwarebytes log
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/10/17
Scan Time: 2:37 AM
Log File: 042c8026-dd53-11e7-adbb-001999cf762d.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3454
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 249849
Threats Detected: 6
Threats Quarantined: 6
Time Elapsed: 2 min, 48 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Conduit, HKU\S-1-5-21-298761936-1198288888-1608458099-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [520], [236865],1.0.3454
PUP.Optional.Conduit, HKU\S-1-5-21-298761936-1198288888-1608458099-1005\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}, Quarantined, [520], [236865],1.0.3454

Registry Value: 2
PUP.Optional.Conduit, HKU\S-1-5-21-298761936-1198288888-1608458099-1005\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, Quarantined, [520], [236865],1.0.3454
PUP.Optional.Conduit, HKU\S-1-5-21-298761936-1198288888-1608458099-1005\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TOPRESULTURL, Quarantined, [520], [236865],1.0.3454

Registry Data: 1
PUP.Optional.Conduit, HKU\S-1-5-21-298761936-1198288888-1608458099-1005\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [520], [293058],1.0.3454

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.Conduit, C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\9R2R1A1S.DEFAULT-1511608532483\PREFS.JS, Replaced, [520], [301520],1.0.3454

Physical Sector: 0
(No malicious items detected)


(end)
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: browser homepage was changed with malicious program.

Unread postby mAL_rEm018 » December 11th, 2017, 4:20 pm

Hi MESA,

MESA wrote:I uninstalled adwcleaner and let it delete the quarantine folder so the latest adwcleaner file is clean.

For future reference.. If you ever get infected again, and decide to run different tools to rid your computer of the infection(s), don't delete any of the logs created. It makes it easier for us to analyze the situation, and take the correct course of action. Also, if you intend on fixing things on your own, which I advise against, then you should always make a backup of your computer, a system restore point, as well as a backup of your registry. This will save you a lot of headaches in case anything goes wrong.

MESA wrote:there is no eset log.

I can see that you recently ran a scan with ESET Online Scanner. Did it flag anything?
2017-12-10 21:25 - 2017-12-10 21:25 - 006968952 _____ (ESET spol. s r.o.) C:\Users\Paul\Downloads\esetonlinescanner_enu.exe
2017-11-23 19:19 - 2017-11-23 19:19 - 000000000 ____D C:\Users\Paul\AppData\Local\ESET



Let's run a search using FRST..

  • Double click Frst64.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Copy/Paste or Type the following line into the Search: box.
    babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;Istartsurf;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer

    • Press the Search Registry button.
    • When finished searching a log will open on your Desktop ... SearchReg.txt
    • Please post it in your next reply.


-----------------------------------------
In your next reply, I would like to see..
  • Answer to my question.
  • SearchReg.txt
User avatar
mAL_rEm018
MRU Teacher
MRU Teacher
 
Posts: 1323
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: browser homepage was changed with malicious program.

Unread postby MESA » December 11th, 2017, 4:38 pm

Hi mAL.
I'll keep that in mind for future reference.
Eset found 1 thing and it was the same a variant of win32/web companion.
I basically deleted all the stuff as I panicked and wanted it off my computer and I knew that I had a safe back up of my computer as a last resort.
The purpose of this post was just to make sure that there was no nasties still lurking or that any changes had been made.
All my anti malware programs are coming back clean now.

Here is the log you requested.
Farbar Recovery Scan Tool (x64) Version: 11-12-2017
Ran by Paul (11-12-2017 20:37:01)
Running from C:\Users\Paul\Desktop
Boot Mode: Normal

================== Search Registry: "babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;Istartsurf;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer" ===========


===================== Search result for "babylon" ==========


===================== Search result for "Bandoo" ==========


===================== Search result for "CleverSearch" ==========


===================== Search result for "conduit" ==========


===================== Search result for "datamngr" ==========


===================== Search result for "Fun4IM" ==========


===================== Search result for "iLivid" ==========


===================== Search result for "Istartsurf" ==========


===================== Search result for "kelkoopartners" ==========


===================== Search result for "Luckysearches" ==========


===================== Search result for "QuickSurf" ==========


===================== Search result for "Searchnu" ==========


===================== Search result for "Searchqu" ==========


===================== Search result for "SharkManCoupon" ==========


===================== Search result for "sushileads" ==========


===================== Search result for "SweetIM" ==========


===================== Search result for "SweetPacks" ==========


===================== Search result for "TidyNetwork" ==========


===================== Search result for "trolltech" ==========


===================== Search result for "whitesmoke" ==========


===================== Search result for "Wordinator" ==========


===================== Search result for "WordSurfer" ==========

====== End of Search ======
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: browser homepage was changed with malicious program.

Unread postby mAL_rEm018 » December 12th, 2017, 3:15 pm

Hi MESA,

My apologies for the delay. I didn't get a chance to go on the computer today, so I haven't been able to post a reply. I'll have a post ready for you as soon as possible.

mAL
User avatar
mAL_rEm018
MRU Teacher
MRU Teacher
 
Posts: 1323
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: browser homepage was changed with malicious program.

Unread postby mAL_rEm018 » December 12th, 2017, 6:10 pm

Hi MESA,

Please run the following fix..

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank notepad file named fixlist.txt will open.
  • Copy and paste the following into it ....
Code: Select all
CreateRestorePoint:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-298761936-1198288888-1608458099-1005\...\MountPoints2: {710d8cd7-502d-11e2-bf2d-806e6f6e6963} - "E:\WD SmartWare.exe" autoplay=true
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [No File]
U1 aswbdisk; no ImagePath
2017-11-22 04:48 - 2017-12-10 22:10 - 000003260 _____ C:\Windows\System32\Tasks\{13A80A86-065B-441C-A635-6DAFE9158DE9}
Task: {E7B8538C-BA16-4E60-8C77-9778584760FD} - System32\Tasks\{13A80A86-065B-441C-A635-6DAFE9158DE9} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" -d "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller"
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [62]
VirusTotal: C:\Program Files (x86)\dsengine.cfg

EmptyTemp:

  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST
  • Please post me the log

How is your computer behaving?

-----------------------------------------
In your next reply, I would like to see..
  • fixlog.txt
  • Update on your computer's behaviour.
User avatar
mAL_rEm018
MRU Teacher
MRU Teacher
 
Posts: 1323
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: browser homepage was changed with malicious program.

Unread postby MESA » December 13th, 2017, 6:37 am

Hi mAL.
Sorry I wasn't able to log on yesterday either.
I ran the fix and the computer appears to be functioning ok.
Is there anything going on that shouldn't be?
I see a couple of entries in the fix weren't able to be removed.
Here's the log.
Thank you.
You do not have the required permissions to view the files attached to this post.
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: browser homepage was changed with malicious program.

Unread postby mAL_rEm018 » December 13th, 2017, 5:17 pm

Hi MESA,

MESA wrote:Is there anything going on that shouldn't be?
I see a couple of entries in the fix weren't able to be removed.

This is nothing to worry about. Your computer appears to be free from malware. :) Please follow the steps below and then you'll be all set to go.

Let's remove the tools we have been using so far..
  • Please download Delfix to your desktop.
  • Right-click on delfix_1.013.exe and select Run as administrator.
  • Check the following boxes:
    • Remove disinfection tools
    • Purge system restore
  • You can now safely remove any tools and/or logs that may remain on your computer.

2017-11-30 21:29 - 2017-11-30 21:29 - 000006014 _____ C:\Users\Paul\Documents\cc_20171130_212907.reg
2017-11-30 09:20 - 2017-11-30 09:20 - 000003978 _____ C:\Users\Comet\Documents\cc_20171130_092015.reg
2017-11-29 19:57 - 2017-11-29 19:57 - 000015292 _____ C:\Users\Paul\Documents\cc_20171129_195737.reg
2017-11-22 05:25 - 2017-11-22 05:25 - 000008690 _____ C:\Users\Comet\Documents\cc_20171122_052536.reg
CCleaner (HKLM\...\CCleaner) (Version: 5.37 - Piriform)

CCleaner is a great program for clearing out temporary files and folders, however you should stay away from the built-in Registry Cleaner. Feel free to look at the following article for more information regarding the use of Registry Cleaners: Link

You should also read and get acquainted with the following topic: COMPUTER SECURITY - a short guide to staying safer online , which goes into depth on how to keep your computer secure. I bookmarked it for easy reference and so should you.

If you have any question, please feel free to ask. Otherwise, let me know that you have seen this post, and I will close this topic.
User avatar
mAL_rEm018
MRU Teacher
MRU Teacher
 
Posts: 1323
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: browser homepage was changed with malicious program.

Unread postby MESA » December 14th, 2017, 8:49 am

Hi mAL.
Thanks again for your help.
Was there any leftover bits of malware on the computer?
There are a couple of log files on the desktop after the clean up.Should I just go ahead and delete them manually?
There is in my program and files folder called dsengine.cfg and I have no idea what it is.Do you know?It's not related to any installed programs.
I had a read through the computer security guide link you provided and I'm happy to report that I already here by most of those instructions and I'm as careful as can possibly be.
Thank you.
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: browser homepage was changed with malicious program.

Unread postby mAL_rEm018 » December 14th, 2017, 2:31 pm

Hi MESA,

MESA wrote:Thanks again for your help.

It's my pleasure. :)

MESA wrote:Was there any leftover bits of malware on the computer?

No, I didn't see anything of concern in your logs.

MESA wrote:There are a couple of log files on the desktop after the clean up.Should I just go ahead and delete them manually?

Yes, feel free to delete them manually.

MESA wrote:There is in my program and files folder called dsengine.cfg and I have no idea what it is.Do you know?It's not related to any installed programs.

.cfg is used for files that store settings and configurations. I don't have any idea to what it is related to, which is why I uploaded it for analysis while performing the fixlist. The file is legit, and you can see the results here: Link

MESA wrote:I had a read through the computer security guide link you provided and I'm happy to report that I already here by most of those instructions and I'm as careful as can possibly be.

I have absolutely no doubt that you follow safe habits while using your computer. The only thing I would like to mention, and that I've mentioned before, is that you should make sure to keep a good backup of your data, as well as frequent Restore Points. If you also intend on using AdwCleaner, Malwarebytes, and ESET Online Scanner again in the future, please keep Tweaking Registry Backup installed, and don't forget to make a backup before any scan/removal.


If you have anymore questions, feel free to ask. Otherwise, please let me know that it's OK to close this topic.

mAL
User avatar
mAL_rEm018
MRU Teacher
MRU Teacher
 
Posts: 1323
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: browser homepage was changed with malicious program.

Unread postby Gary R » December 14th, 2017, 5:52 pm

Just for your information.

dsengine.cfg looks to be a configuration file related to IBM's Data Stage Engine, used in IBM InfoSphere DataStage ... https://www.ibm.com/support/knowledgece ... layer.html

IMO you should leave this file alone.
User avatar
Gary R
Administrator
Administrator
 
Posts: 22930
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: browser homepage was changed with malicious program.

Unread postby MESA » December 16th, 2017, 6:27 am

Thanks for your help Mal.
P.s I deleted that file and kept it in the recycle bin as I noticed it was created at the same time as the malware appeared.
No unwanted symptoms thus far.
Thank you for all your help.
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: browser homepage was changed with malicious program.

Unread postby mAL_rEm018 » December 16th, 2017, 8:39 am

Hi MESA,

MESA wrote:Thank you for all your help.

You're welcome. :)

MESA wrote:P.s I deleted that file and kept it in the recycle bin as I noticed it was created at the same time as the malware appeared.
No unwanted symptoms thus far.

You should still restore the file, since as you've been told more than once that it's legit. "No unwanted symptoms now" doesn't mean no unwanted symptoms later.

Since you don't have any questions I will go ahead and close this topic.


As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
mAL_rEm018
MRU Teacher
MRU Teacher
 
Posts: 1323
Joined: November 11th, 2013, 6:26 pm
Location: Canada
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 76 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware