smartinf.ru / Mail.Ru Help

[Vogler]

Good evening. I've become infected with a russian browser hijacker known as "smartinf.ru" and/or "Mail.Ru." I've scoured all night for answers for this (including here), and while some helped, it seemed to not completely erase the problem.

 

I have scrubbed away seemingly all traces from add-ons and settings from my browsers and refreshed them, deleted/uninstalled suspected files upon detection, even scanned twice over... but still, somehow, it still automatically opens its homepage by itself with my default browser (firefox) every time I restart. Which I must infer means that this malware is still active somewhere.

 

Now, because of the cleaning I've done, I can disregard this bug after the initial startup... but having this active on my PC is a looming threat I cannot bare. Please if there are any suggestions to clear this completely, let me know as soon as you can. Thank you.

[deeprybka]

Hi &

My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

• My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
• Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

P2P/Piracy Warning:

• If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
• Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
• If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)

• Start FRST with administator privileges.
• Make sure the option Addition.txt is checked and press the Scan button.
• When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
• Please copy and paste these logs in your next reply.

[Vogler]

Okay, here are the results:
Addition.txt

FRST.txt

 

 

[deeprybka]

Step 1



Scan with Malwarebytes Anti-Malware.

• Please open Malwarebytes Anti-Malware and update the database.
• Click "Settings" [1] and go to "Detection and Protection" [2]
• Make sure "Scan for Rootkits" is checked.
• Click on Dashboard [3], then click on Scan Now [4] to start the scan.
  :exclame: If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt:
  
• Click on "Remove Selected" [5].
• Then click "Save Results" [6] and select
  

• Return to our forum. Paste your log into your next reply and then click Finish [7].

Step 2

Scan with AdwCleaner (by Xplode).

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and select "Run As Administrator"
• Click on the Scan button.
• After the scan has finished, click on the Clean button.
• Press OK when asked to close all programs and follow the onscreen prompts.
• After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  Copy and paste the contents of that logfile in your next reply.

Step 3



Start FRST with administator privileges.

• Make sure the following option is checked:
• Press the Scan button.
• When finished, FRST will produce two logs (FRST.txt and Shortcut.txt) in the same directory the tool was run from.
  Please copy and paste the content of Shortcut.txt in your next reply.

[Vogler]

I've already scanned with the first two before, but I did again like you asked for assurance purposes.

 

MalScanResult.txt

 

 

# AdwCleaner v5.014 - Logfile created 24/10/2015 at 10:25:48
# Updated 18/10/2015 by Xplode
# Database : 2015-10-18.5 [server]
# Operating system : Windows 10 Home  (x64)
# Username : Taylor - PATRICIA
# Running from : C:\Users\Taylor\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

[x] File Not Deleted : C:\Users\Taylor\Desktop\eBay.lnk
***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [685 bytes] ##########
 

 

FRST.txt

 

Shortcut.txt

 

 

[deeprybka]

I've already scanned with the first two before...

I know.

But I wanted the logs.

Step 1

Press the + R on your keyboard at the same time. Type notepad and click OK.

• Copy the entire content of the codebox below and paste into the notepad document:

  CloseProcesses:HKLM-x32\...\Run: [] => [X]HKU\S-1-5-21-2166905351-2847742161-3976409908-1004\...\Run: [lvznaumnbi] => explorer SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = BHO-x32: Ïîèñê@Mail.Ru -> {8E8F97CD-60B5-456F-A201-73065652D099} -> C:\Users\Taylor\AppData\Local\Mail.Ru\Sputnik\IESearchPlugin.dll => No FileCHR HomePage: Profile 1 -> mail.ru/cnt/11956636CHR DefaultSearchURL: Profile 1 -> hxxp://go.mail.ru/search?q={searchTerms}&fr=xtn10CHR DefaultSearchKeyword: Profile 1 -> mail.ruCHR DefaultSuggestURL: Profile 1 -> hxxp://suggests.go.mail.ru/chrome?q={searchTerms}2015-10-24 00:38 - 2015-10-24 06:31 - 00000000 ____D C:\ProgramData\ContentDefender2015-10-24 00:36 - 2015-10-24 00:36 - 00000000 ____D C:\Users\Taylor\AppData\Local\Поиcк в Интeрнете2015-10-24 00:35 - 2015-10-24 06:31 - 00000000 ____D C:\Users\Taylor\AppData\Local\SystemDirInternetURL: C:\Users\Taylor\Favorites\Mail.Ru Агент - используй для общения!.url -> hxxp://agent.mail.ruInternetURL: C:\Users\Taylor\Favorites\Mail.Ru.url -> hxxp://www.mail.ruAlternateDataStreams: C:\ProgramData\Temp:373E1720Task: {0941C44D-F322-4D82-BC0A-2F976EB0F0BB} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File Task: {0F268AF8-AE4B-4B8E-9A9C-FB6B7BB95F1D} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File Task: {7DF993EF-57D9-48B7-B286-7552E6E6786B} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File Task: {9BB1D8EF-D719-4D66-921C-00AFB7D4B14B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File Task: {A06E792A-2AC2-4E61-8C0B-8FA27E7BBE9F} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File Task: {B803785F-DB5A-42F0-A975-ADC6DF41521D} - \Norton WSC Integration -> No File Task: {C0F44158-F6C7-4487-B0AD-D80C9840C504} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File Task: {C2E0BA5D-3958-468A-AE19-6D1C44A79ACC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File Task: {DFEA0DE9-50DB-448A-87A2-BFACDC482243} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File Task: {ED80BCE0-9D74-4175-B6D2-F0244E484FBB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File Task: {FC97D79E-3A94-4FB4-8A70-42317DFEF897} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File Task: {FFE2234E-BFB5-43CF-B091-5B2CBD0671F4} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File EmptyTemp:

• Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.

  (XP users click run after receipt of Windows Security Warning - Open File).

• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

[Vogler]

Ah, wunderbar! It didn't show up when I restarted! Thank you my German friend, you are a live saver!

 

Here is the log:
Fixlog.txt

 

If there is nothing else to task, I'll take my leave. If somehow it shows up again, I'll return here. But it seems to have disappeared and I can finally rest. Thanks again so much!

[deeprybka]

You are welcome! But, we're not done yet.

Step 1

Please downloadOnline Scanner and save it to your Desktop.

• Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
• Start with administartor privileges.
• Select the option Yes, I accept the Terms of Use and click on Start.
• Choose the following settings:

• Click on Start. The virus signature database will begin to download. This may take some time.
• When completed the Online Scan will begin automatically.

  Note: This scan might take a long time! Please be patient.

• When completed, click on Finish.
• A log fileis created at

  Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!

[Vogler]

Well after a painfully slow near 6 hours and this scanning program is finally done. That was grueling.

 

I believe this is what you're looking for:

log.txt

 

If not, I saw an option to copy the threat list:

ESETthreats.txt

[deeprybka]

This looks good indeed. The stuff that ESET has found is already in quarantine or just some remnants, but no more active malware.
 

 
 
That's it!
Your logs look clean to me at the moment. :thumbup2:
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody, however...
If I have helped you fix your PC, then please consider donating to continue the fight against malware:
Thank you!


Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restorepoints:

• You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
• Download DelFix (by Xplode) and save it to your Desktop.
  • Close all running programs and start delfix.exe.
  • Make sure that all available options are checked.
  • Click on Run
  • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
• If there is still something left you can delete it manually.

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this malware exploits security holes in installed software (e.g. browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.


I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.

[Vogler]

Again, thank you immensely. This forum is a great service.

 

Will certainly be more careful in the future, this scared me pretty good lol. Goodbye and hopefully I won't have to return here.

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!