Manual Removal Guide for Claro.Toolbar

Friday
2012-10-10, 13:24
The following instructions have been created to help you to get rid of "Claro.Toolbar" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
adware

Description:
Claro Toolbar gets installed by other software. This toolbar installs itself on the system, into Internet Explorer and, where applicable, into the Firefox and Google Chrome browsers.

Removal Instructions:

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "{74AF34F6-ACF4-438C-9C7E-FA0307B60E45}".
Products that have a key or property named "claro".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\bh\claro.dll".
The file at "<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\claroApp.dll".
The file at "<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\claroEng.dll".
The file at "<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\clarosrv.exe".
The file at "<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\claroTlbr.dll".
The file at "<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\escortShld.dll".
The file at "<$PROGRAMFILES>\Claro LTD\claro\ClaroTB.xpi".

Make sure you set your file manager to display hidden and system files. If Claro.Toolbar uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$APPDATA>\IClaro".
The directory at "<$LOCALSETTINGS>\Temp\mt_ffx\Claro LTD\claro\1.6.4.1".
The directory at "<$LOCALSETTINGS>\Temp\mt_ffx\Claro LTD\claro".
The directory at "<$LOCALSETTINGS>\Temp\mt_ffx\Claro LTD".
The directory at "<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\bh".
The directory at "<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1".
The directory at "<$PROGRAMFILES>\Claro LTD\claro".
The directory at "<$PROGRAMFILES>\Claro LTD".

Make sure you set your file manager to display hidden and system files. If Claro.Toolbar uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

A key in HKEY_CLASSES_ROOT\ named "c", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "claro.claroappCore.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "claro.claroappCore", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "claro.clarodskBnd.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "claro.clarodskBnd", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "claro.claroHlpr.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "claro.claroHlpr", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "esrv.claroESrvc.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "esrv.claroESrvc", plus associated values.
Delete the registry key "{000F18F2-09EB-4A59-82B2-5AE4184C39C3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{000F18F2-09EB-4A59-82B2-5AE4184C39C3}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{05340575-7D2A-4266-9A84-7EEBDC476884}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{16466D47-74A8-4928-B8B2-07CD79ABFC9F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{26D5CC0A-7A46-4D86-AF45-2EFA320B0C54}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{2D13AC8F-037E-40C5-ADA6-231BA74EA2F4}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{322EDCF5-9E7D-4021-8C67-F3FFE4961A38}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{3E254398-828F-4D51-A39E-3F6B6D96A12C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{442DAF0C-7EAD-48D9-ABEA-E0036470D6D5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{58EB187D-24F8-4423-BD6C-655CE4C416BD}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{60295942-9E5F-4EE8-B785-3A655904D24F}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\".
Delete the registry key "{6BEB066C-A791-4A21-B934-7783533FE888}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9E131A93-EED7-4BEB-B015-A0ADB30B5646}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{A07612DF-B1DD-484F-A1C3-36CA4CE919D2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A76F97B2-2C56-456A-A29E-72741595C2E8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A903AC15-686E-4D67-A355-86FCBE9F60DA}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{B19D9D96-E59C-4936-B283-8A831CDB3A53}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C3110516-8EFC-49D6-8B72-69354F332062}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{CCC3E766-7BA9-4629-AC1A-7F4B7F362E65}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{CCC3E766-7BA9-4629-AC1A-7F4B7F362E65}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{DC8AAABA-3F8B-4866-8B3A-D9368133A478}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E15519AE-99BE-42DD-BE60-FFC3C183F443}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EE4FC43F-84CE-4E20-88C2-2188525B47FB}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{F398D871-ED00-42A8-BEAA-0209E9E59FCC}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "175C300D9A9FB725484BA7DCEE4B56B8" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "6F43FA474FCAC834C9E7AF30706BE054" at "HKEY_CLASSES_ROOT\Installer\Features\".
Delete the registry key "6F43FA474FCAC834C9E7AF30706BE054" at "HKEY_CLASSES_ROOT\Installer\Products\".
Delete the registry key "6F43FA474FCAC834C9E7AF30706BE054" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\".
Delete the registry key "Claro LTD" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "Claro LTD" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "E5C8B5FB7CB5DD447A0BAAAF637FBD77" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "EF96568971BEAC14B8815883832BD484" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\".
Delete the registry key "IClaroDirectory" at "HKEY_CURRENT_USER\Software\Microsoft\".
Delete the registry value "{9E131A93-EED7-4BEB-B015-A0ADB30B5646}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".

If Claro.Toolbar uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer).

Please check your bookmarks for links to "claro-search.com".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.
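
Before deleting anything by hand, it helps to see which of the listed items are actually present. The following read-only PowerShell audit is an added example, not part of the original guide and not Safer-Networking's code; it checks a subset of the files, folders and registry entries listed above, and the mapping of the guide's `<$PROGRAMFILES>`, `<$APPDATA>` and `<$LOCALSETTINGS>` placeholders to environment variables is an assumption.

```powershell
# Read-only audit of artifacts named in the guide; it deletes nothing.
# Assumed mapping of the guide's placeholders (not stated on the page):
$roots = @{
    '<$PROGRAMFILES>'  = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique)
    '<$APPDATA>'       = @($env:APPDATA)
    '<$LOCALSETTINGS>' = @($env:LOCALAPPDATA)   # Vista and later
}
# Subset of the guide's file and folder entries.
$fsItems = @(
    '<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\bh\claro.dll'
    '<$PROGRAMFILES>\Claro LTD\claro\1.6.4.1\clarosrv.exe'
    '<$PROGRAMFILES>\Claro LTD\claro\ClaroTB.xpi'
    '<$PROGRAMFILES>\Claro LTD'
    '<$APPDATA>\IClaro'
    '<$LOCALSETTINGS>\Temp\mt_ffx\Claro LTD'
)
# Subset of the guide's registry keys.
$regKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}'
    'HKEY_CLASSES_ROOT\CLSID\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}'
    'HKEY_CLASSES_ROOT\CLSID\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}'
    'HKEY_CURRENT_USER\Software\Claro LTD'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Claro LTD'
    'HKEY_CURRENT_USER\Software\Microsoft\IClaroDirectory'
)
# The toolbar entry is a registry value, not a key.
$tbKey  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$tbName = '{9E131A93-EED7-4BEB-B015-A0ADB30B5646}'

function Expand-GuidePath([string]$Path) {
    foreach ($token in $roots.Keys) {
        if ($Path.StartsWith($token)) {
            return $roots[$token] | ForEach-Object { $_ + $Path.Substring($token.Length) }
        }
    }
    return $Path
}
$found = @()
foreach ($p in @($fsItems | ForEach-Object { Expand-GuidePath $_ })) {
    if (Test-Path -LiteralPath $p) { $found += [pscustomobject]@{ Type = 'File/Folder'; Item = $p } }
}
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath "Registry::$k") { $found += [pscustomobject]@{ Type = 'RegKey'; Item = $k } }
}
$tb = Get-ItemProperty -LiteralPath "Registry::$tbKey" -ErrorAction SilentlyContinue
if ($tb -and $tb.PSObject.Properties[$tbName]) {
    $found += [pscustomobject]@{ Type = 'RegValue'; Item = "$tbKey\$tbName" }
}
if ($found) { $found | Format-List } else { 'No listed Claro.Toolbar artifacts found.' }
```

On 64-bit Windows a 32-bit install may register its machine-wide keys under `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node`, so an empty result from a 64-bit PowerShell session does not by itself rule out the toolbar.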