Portalsepeti & iStartSurf two stubborn browser hijackers



CharleZ BronZone
2015-07-01, 13:51
Hi Folks!

http: // search.portalsepeti.com http: // iStartSurf.com

Portalsepeti and iStartSurf are two stubborn browser hijackers. Very annoying! They stick to the Win system and cannot be found easily most of the time. Probably, they change their file names to be hidden.

Any workarounds for those?

Many thanks!

Admin Edit - Link to this forum's FAQ: https://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-(Please-read-this-Procedure-Before-Requesting-Assistance)-Updated

Juliet
2015-07-01, 14:57
Please back up your registry!

Backup the Registry:
Credit: Dakeyras

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.


Please download the installer for Registry Backup from here (http://www.bleepingcomputer.com/download/registry-backup/) or here (http://www.tweaking.com/files/setups/tweaking.com_registry_backup_setup.exe) and save to your desktop.
Right-click on tweaking.com_registry_backup_setup.exe and select Run as Administrator >> Follow the prompts for a default installation
Ensure the option Open "Tweaking.com - Registry Backup" When Install Completes is selected >> Next > >> Finish
Once the GUI (graphical user interface) has appeared/loaded:

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/TCRB-1.jpg


Click on Backup Now >> once the process is complete the below will be displayed in the GUI:

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/TBRB-2.jpg


Close Tweaking.com - Registry Backup

Note: There will now be a folder at the root of the Hard-Drive named C:\RegBackup, do not delete this as it is the actual backup just created.

A tutorial for Registry Backup explaining the various features can be viewed HERE (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=61325)


---------------------------------------------------------------------------------------------------------------

Instructions for producing the Farbar Recovery Scan Tool (FRST) and aswMBR logs

Farbar Log


Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.

Note:
You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

(A simple way to check your system: Start --> Computer (right click) --> Properties)
How to determine whether a computer is running a 32-bit version or 64-bit version (http://support.microsoft.com/kb/827218) of the Windows operating system


Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Please make sure All Users is checked



Do not check:
* List BCD
* Drivers MD5
* Shortcut.txt

or your logs will be too long to post.



Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please don't run the Farbar Recovery Scan Tool (FRST.txt) from your "Downloads" folder or from "Temporary Internet Files"
Please copy and paste log into your topic.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please attach that along with the FRST.txt into your reply.



aswMBR Log

Important! Please do NOT perform any fix options offered in aswMBR, we just need to see the report.

Please download aswMBR (http://public.avast.com/%7Egmerek/aswMBR.exe) to your desktop.



Double click the aswMBR icon to run it.
If a prompt stating: The computer supports "Virtualization Technology" appears select Yes
Click the Scan button to start scan.
If you are asked to update the Avast Virus database please allow it to do so.
When it finishes, press the Save Log button, save the logfile to your desktop and post its contents in your reply with the Farbar (FRST) log.




If the infection prevents you from obtaining logs please start a topic and make note of the situation, provide details of the computer's current symptoms and wait for a response.
Do not post other logs or use "code wrap" unless requested in that format. :)



---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

When Spybot - Search & Destroy version 1.6.2 is installed

TeaTimer needs to be disabled so that its protection does not interfere with fixes.

How Spybot - Search & Destroy protects against the installation of Spyware/Malware. (http://forums.spybot.info/showthread.php?t=281)

TeaTimer can be re-enabled once the computer is clean. :)

1. Open Spybot - Search & Destroy in Advanced Mode.
2. If it is not already set to do this, go to the "Mode" menu and select "Advanced Mode".
3. On the left hand side, click on "Tools".
4. Then click on the Resident Icon in the List.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

A Spybot - Search & Destroy Log is Optional

If Spybot - Search & Destroy has detected items it cannot remove, and you want to show this, please produce the top of the log showing the items flagged and the version of Spybot - Search & Destroy.
Please do not attempt to post the entire log as it won't fit into the one post and is not needed unless requested.


Open SpyBot.
Check for problems.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Paste (Ctrl+V) those results into your new topic, along with your Farbar (FRST) and aswMBR logs.

---------------------------------------------------------------------------------------------------------------
Questions regarding Spybot - Search & Destroy support can be asked here: Spybot - Search & Destroy Forums (http://forums.spybot.info/forumdisplay.php?f=4)

Note:
During the running of a Spybot scan ("Check for problems") the status bar in the lower left hand corner of the screen displays the products Spybot - Search & Destroy is currently searching for.

It does not mean that these items are on your PC and is no reason to post a log based solely on the status bar. ;)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Corporate, Government, Small Business or Institutional machines? :) Please see: Personal computers (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

CharleZ BronZone
2015-07-02, 10:08
Dear Juliet,

I thank you very much for your detailed information provided.

I'll keep it.

However, I made a full scan (with latest updates installed), Chrome asked me to reset, and I did, and they are gone for now.

Best,

Erkan

CharleZ BronZone
2015-07-02, 10:38
I am using a Win 8.1 64-bit operating system.

FYI, Farbar Recovery Scan Tool X64 gives a program error, while x32 contains a virus according to 360 total Security.

Juliet
2015-07-02, 16:28
I am using a Win 8.1 64-bit operating system.

FYI, Farbar Recovery Scan Tool X64 gives a program error, while x32 contains a virus according to 360 total Security.

360 total Security is giving a false positive report. Many antivirus do this and what we suggest is to temporarily disable it to run the tools.

CharleZ BronZone
2015-07-02, 22:19
I am so sorry, but Malwarebytes Anti-Malware found the two easily!

SPYBOT should make refinements!

Juliet
2015-07-03, 00:09
Good deal

I can help you further if you will post the logs requested :)

CharleZ BronZone
2015-07-03, 00:41
Dear Juliet,

They are gone from the Registry within minutes! There were 65 entries only! :D All connected to Portalsepeti.com. They have EULA records, so they are legal.

Tested several times, no residue! Malwarebytes has an amazing engine.

Also, Spybot resets the Chrome Settings when Scan & Fix are done.

Best,

Erkan
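A read-only check that a defender can run before or after the cleanup to see whether residue of the two hijackers is still present. This is an added example, not part of the thread or of any tool it mentions; it assumes the two domains named in this thread and a short, non-exhaustive list of common registry keys and shortcut folders (FRST covers far more). Nothing is modified.

```powershell
# Added example (not from the thread): read-only check for hijacker residue.
# Assumptions: domains are those named in the thread; keys and folders are
# common hijacker locations, not an exhaustive list. Nothing is modified.
$Patterns = @('portalsepeti', 'istartsurf')
$Keys = foreach ($hive in 'HKCU:', 'HKLM:') {
  "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
  "$hive\Software\Microsoft\Internet Explorer\Main"
  "$hive\Software\Microsoft\Internet Explorer\SearchScopes"
}

# Walk each key and its subkeys; report values whose data mentions a pattern.
function Find-HijackerRegistryValues {
  param([string[]]$Keys, [string[]]$Patterns)
  foreach ($root in $Keys) {
    if (-not (Test-Path $root)) { continue }
    $items = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
      foreach ($name in $item.Property) {
        $data = [string]$item.GetValue($name)
        if ($Patterns | Where-Object { $data -match [regex]::Escape($_) }) {
          [pscustomobject]@{ Key = $item.Name; Value = $name; Data = $data }
        }
      }
    }
  }
}

# Browser shortcuts are a favourite hiding place: the .lnk still points at the
# real browser, but a hijacker URL is appended to its arguments.
function Find-HijackedShortcuts {
  param([string[]]$Patterns)
  $shell = New-Object -ComObject WScript.Shell
  $dirs = "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
          "$env:APPDATA\Microsoft\Windows\Start Menu",
          "$env:ProgramData\Microsoft\Windows\Start Menu"
  foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem $d -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
      $file = $_; $lnk = $shell.CreateShortcut($file.FullName)
      if ($Patterns | Where-Object { $lnk.Arguments -match [regex]::Escape($_) }) {
        [pscustomobject]@{ Shortcut = $file.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
      }
    }
  }
}

Find-HijackerRegistryValues -Keys $Keys -Patterns $Patterns | Format-Table -AutoSize
Find-HijackedShortcuts -Patterns $Patterns | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys are readable; on a 64-bit system such as the Win 8.1 machine in this thread, the 32-bit Wow6432Node keys are not covered by this short list.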

Juliet
2015-07-03, 15:01
DelFix

Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix)
or from here http://www.bleepingcomputer.com/download/delfix/ and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:

Activate UAC
Remove disinfection tools


Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

Juliet
2015-07-06, 01:55
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.

tashi
2015-07-06, 01:58
Juliet, thank you for helping. :)

This topic has been archived.