Page 2 of 2 (results 11 to 19 of 19)

Thread: Browsers Hijacked and HijackThis unable to remove entries

#11 - Junior Member (Join Date: Dec 2012, Posts: 12)

    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\HP\Desktop\cmd.bat deleted successfully.
    C:\Users\HP\Desktop\cmd.txt deleted successfully.
    C:\Program Files (x86)\sweetpacks bundle uninstaller folder moved successfully.
    ========== COMMANDS ==========
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: HP
    ->Temp folder emptied: 79243546 bytes
    ->Temporary Internet Files folder emptied: 146193568 bytes
    ->Java cache emptied: 10412 bytes
    ->FireFox cache emptied: 122213884 bytes
    ->Google Chrome cache emptied: 186035060 bytes
    ->Flash cache emptied: 18826 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 64692752 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 106863 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50506 bytes
    RecycleBin emptied: 462096 bytes

    Total Files Cleaned = 571.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 01062013_213654

    Files\Folders moved on Reboot...
    C:\Users\HP\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\HP\AppData\Local\Temp\~DF5D091389D5620BDC.TMP moved successfully.
    C:\Windows\temp\ZLT058e0.TMP moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...


    *****************************

    The computer appears to be back to normal now. The hijacked browser tabs are gone and the system seems faster. Let me reboot and play around with it for some time. Thanks for your marvellous assistance.
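The OTL run above reset the HOSTS file, which browser hijackers edit to redirect search domains to their own servers or to blackhole update and antivirus domains. The following is an added PowerShell example, not part of the original post and not OTL's own code: it parses a HOSTS file and flags both kinds of entry. The sample file content, the documentation address 203.0.113.10 and the watch-list of domains are constructed for the demonstration.

```powershell
# Added example, not from the thread or from OTL: audit a Windows HOSTS file for
# entries a browser hijacker typically plants. The sample content is constructed.

function Get-HostsEntries {
    param([Parameter(Mandatory)][string]$Content)
    foreach ($line in ($Content -split "`r?`n")) {
        # Drop comments and surrounding whitespace; skip blank lines and lines
        # that carry an address but no hostname.
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Hostname = $name.ToLowerInvariant() }
        }
    }
}

function Test-HostsFile {
    param([Parameter(Mandatory)][string]$Content)
    # Loopback and unspecified addresses are what the stock file uses for localhost.
    $loopback = @('127.0.0.1', '::1', '0.0.0.0')
    # Assumed watch-list (adjust for your environment): domains a hijacker either
    # redirects to its own server or blackholes to stop search, updates and AV.
    $watch = @(
        'google.com', 'bing.com', 'microsoft.com', 'windowsupdate.com',
        'update.microsoft.com', 'symantec.com', 'mcafee.com', 'kaspersky.com'
    )
    foreach ($e in Get-HostsEntries -Content $Content) {
        $watched = $watch | Where-Object { $e.Hostname -eq $_ -or $e.Hostname.EndsWith(".$_") }
        $reason = $null
        if ($loopback -notcontains $e.Address) {
            # Any non-loopback mapping silently sends the name to another host.
            $reason = "redirects $($e.Hostname) to $($e.Address)"
        } elseif ($watched) {
            # A loopback mapping of a watched domain blocks it instead.
            $reason = "blackholes $($e.Hostname) (loopback mapping of a watched domain)"
        }
        if ($reason) {
            [pscustomobject]@{ Address = $e.Address; Hostname = $e.Hostname; Reason = $reason }
        }
    }
}

# Constructed sample: the stock Windows header and localhost lines plus two
# planted lines. 203.0.113.10 is a documentation address, not a real server.
$sample = @'
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # planted: redirected search
127.0.0.1       update.microsoft.com windowsupdate.com
'@

Test-HostsFile -Content $sample | Format-Table -AutoSize

# To audit the live file instead of the sample:
# Test-HostsFile -Content (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -Raw)
```

The check deliberately treats every non-loopback address as suspicious rather than keeping a list of "bad" addresses: a hijacker's server changes, but a clean consumer HOSTS file almost never maps anything to a routable address. Run it against the live file after a cleanup to confirm the reset took, and before one to see what the infection changed.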

#12 - Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Do that; we can dig deeper if need be.

    Let me tell you about downloading programs: you need to take the time and read what you're getting. For profit, even some legit programs are starting to add bundled software. A good example: about a month ago a friend sent me a PowerPoint presentation. I didn't have PP on the computer I was on, so I wanted to download the free PowerPoint Reader. The first site I went into, once I started reading it, wanted to install the Babylon Toolbar and make it my default search engine, which is difficult to remove. Needless to say I got out of that site real quick. I finally found the legit version right on the Microsoft site. So be careful what you download. Read, read, read what you're getting.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

#13 - Junior Member (Join Date: Dec 2012, Posts: 12)

    Thanks for the kind words and advice. Everything is running smoothly now, but I still have one related issue to resolve. In the process of preparing the system for the malware removal, I ran ERUNT as instructed, which is meant to back up my registry. It seems the malware disrupted its ability to back up the registry, and I got an error message whenever the system booted up, stating the registry cannot be backed up. But I am still getting the message now, with the malware removed and everything resolved. I am thinking it may be due to a boot-up process that was stalled earlier by the infection and is now stuck in a loop that needs to be removed manually. Do you have any idea?

#14 - Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    We need to run the CleanUp that's built into OTL; it should remove ERUNT.

    Open OTL and click on Clean Up. It will remove the programs we used to clean your system along with their backups; any programs that were not removed you can just drag to the trash.

    Let me know how it went.

#15 - Junior Member (Join Date: Dec 2012, Posts: 12)

    I am still getting the messages on booting up. I have attached a screen capture of the three initial messages. Hope you have some idea how to resolve it. Thanks.

#16 - Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Sorry you're still having problems.

    You need the 64-bit version. We can delete the file, but let's see where it wants to start from.


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    64 Bit Version

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      erunt
      
      :folderfind
      erunt
      
      :Regfind
      erunt
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
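The SystemLook script above does three substring searches for "erunt": file names, folder names and registry keys/values. The block below is an added PowerShell example, not part of the original post and not SystemLook itself, that performs the same three searches and then lists the autostart locations (Run/RunOnce keys, Startup folders, scheduled tasks) that decide whether a leftover program still launches at logon, which is the "where it wants to start from" question the post raises. The search roots, the registry hives and the availability of Get-ScheduledTask (Windows 8 / Server 2012 and later) are assumptions.

```powershell
# Added example, not from the thread and not SystemLook itself: the same three
# searches SystemLook ran (filefind, folderfind, Regfind) plus the autostart
# locations that decide whether a leftover program still runs at logon.

function Find-Artifacts {
    # Files and folders whose name contains $Pattern under the given roots.
    # The roots are an assumption; SystemLook walks every fixed drive.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:USERPROFILE)
    )
    $Roots = $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    Get-ChildItem -Path $Roots -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$Pattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Kind     = $(if ($_.PSIsContainer) { 'folder' } else { 'file' })
                Path     = $_.FullName
                Modified = $_.LastWriteTime
            }
        }
}

function Find-RegistryString {
    # Key names, value names and value data containing $Pattern. HKLM:\SOFTWARE
    # includes Wow6432Node on 64-bit Windows, where 32-bit uninstall entries live.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\Software')
    )
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like "*$Pattern*") {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

function Get-AutostartEntries {
    # Run/RunOnce keys, Startup folders and scheduled tasks referencing $Pattern:
    # the places to check when something keeps starting at boot after its
    # program folder has been removed.
    param([string]$Pattern = '')
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($name -like "*$Pattern*" -or $cmd -like "*$Pattern*") {
                [pscustomobject]@{ Source = $k; Name = $name; Command = $cmd }
            }
        }
    }
    # Shortcuts in either Startup folder run at logon without any registry entry.
    $startup = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($dir in $startup) {
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$Pattern*" } |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
    }
    # Scheduled tasks; the cmdlet exists on Windows 8 / Server 2012 and later only.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        Get-ScheduledTask | ForEach-Object {
            $task = $_
            $cmds = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
            if ($task.TaskName -like "*$Pattern*" -or ($cmds -like "*$Pattern*")) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskPath + $task.TaskName; Command = ($cmds -join '; ') }
            }
        }
    }
}

# Same search term as the SystemLook script. -like is case-insensitive and
# matches substrings, so 'erunt' also hits any name containing 'Runtime'.
Find-Artifacts       -Pattern 'erunt' | Format-Table -AutoSize
Find-RegistryString  -Pattern 'erunt' | Format-Table -AutoSize
Get-AutostartEntries -Pattern 'erunt' | Format-Table -AutoSize
```

Run it from an elevated PowerShell so HKLM and the ProgramData Startup folder are readable. Because the match is a plain substring match, a search for "erunt" also returns every key whose name contains "Runtime" (the WorkspaceRuntime, IVbeRuntimeHost and SideBySide entries in the SystemLook log that follows are of that kind and are Microsoft components, not ERUNT); the Uninstall\ERUNT_is1 key and the MuiCache entries for erunt-setup.exe are the ones that belong to ERUNT. The autostart listing is the part SystemLook does not give you: a program that has been deleted but still complains at boot is almost always still referenced from one of those locations.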

#17 - Junior Member (Join Date: Dec 2012, Posts: 12)

    SystemLook.txt content:


    SystemLook 30.07.11 by jpshortstuff
    Log created at 03:43 on 10/01/2013 by HP
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "erunt"
    No files found.

    ========== folderfind ==========

    Searching for "erunt"
    C:\Program Files (x86)\ERUNT d------ [09:28 29/12/2012]
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT d------ [09:28 29/12/2012]
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\ERUNT d------ [09:28 29/12/2012]

    ========== Regfind ==========

    Searching for "erunt"
    [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\HP\Desktop\erunt-setup.exe"="ERUNT Setup "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\ProgID]
    @="WorkspaceRuntime.Workspace.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\VersionIndependentProgID]
    @="WorkspaceRuntime.Workspace"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{10E2414A-EC59-49D2-BC51-5ADD2C36FEBC}]
    @="IProvideRuntimeContext"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1B8D8AE1-A595-4687-A7AD-9E3828E09B79}\1.0]
    @="WorkspaceRuntime 1.0 Type Library"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WorkspaceRuntime.Workspace]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WorkspaceRuntime.Workspace\CurVer]
    @="WorkspaceRuntime.Workspace.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WorkspaceRuntime.Workspace.1]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\ProgID]
    @="WorkspaceRuntime.Workspace.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\VersionIndependentProgID]
    @="WorkspaceRuntime.Workspace"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E2414A-EC59-49D2-BC51-5ADD2C36FEBC}]
    @="IProvideRuntimeContext"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F21BCAA-6F6A-4B68-B2BE-A1B1902AB236}]
    @="IGrooveRunTimeComponentContainer"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}]
    @="IVbeRuntimeHost"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1B8D8AE1-A595-4687-A7AD-9E3828E09B79}\1.0]
    @="WorkspaceRuntime 1.0 Type Library"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-t..aceruntimeproxystub_31bf3856ad364e35_none_3b27e5fa6f664a28]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-t..ceruntime.resources_31bf3856ad364e35_en-us_9e9605f9112461ed]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_none_c19e747ed3130870]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-t..aceruntimeproxystub_31bf3856ad364e35_none_df094a76b708d8f2]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "Inno Setup: App Path"="C:\Program Files (x86)\ERUNT"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "InstallLocation"="C:\Program Files (x86)\ERUNT\"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "Inno Setup: Icon Group"="ERUNT"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "Inno Setup: Deselected Tasks"="eruntdesktopicon,ntregoptdesktopicon,eruntquicklaunchicon,ntregoptquicklaunchicon,installgermanlanguagefiles"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "DisplayName"="ERUNT 1.1j"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "UninstallString"=""C:\Program Files (x86)\ERUNT\unins000.exe""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "QuietUninstallString"=""C:\Program Files (x86)\ERUNT\unins000.exe" /SILENT"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "HelpLink"="http://www.larshederer.homepage.t-online.de/erunt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1]
    "URLUpdateInfo"="http://www.larshederer.homepage.t-online.de/erunt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\ProgID]
    @="WorkspaceRuntime.Workspace.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\VersionIndependentProgID]
    @="WorkspaceRuntime.Workspace"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{10E2414A-EC59-49D2-BC51-5ADD2C36FEBC}]
    @="IProvideRuntimeContext"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{4F21BCAA-6F6A-4B68-B2BE-A1B1902AB236}]
    @="IGrooveRunTimeComponentContainer"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}]
    @="IVbeRuntimeHost"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{1B8D8AE1-A595-4687-A7AD-9E3828E09B79}\1.0]
    @="WorkspaceRuntime 1.0 Type Library"
    [HKEY_USERS\S-1-5-21-2208690772-3602456008-4151856646-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\HP\Desktop\erunt-setup.exe"="ERUNT Setup "
    [HKEY_USERS\S-1-5-21-2208690772-3602456008-4151856646-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\HP\Desktop\erunt-setup.exe"="ERUNT Setup "

    -= EOF =-

#18 - Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Hi,

    If ERUNT is still on your desktop, drag it to the trash.

    You need to have Windows show all files and folders.

    Here's how to display hidden files and folders.

    Open Folder Options by clicking the Start button , clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.

    Click the View tab.

    Under Advanced settings, click Show hidden files, folders, and drives, and then click OK.

    Delete the ERUNT files in red:

    C:\Program Files (x86)\ERUNT
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\ERUNT

    Let me know how it went.

#19 - Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Still with me?
