Solved Help With Albireo Virus

Thanks Bunga. The only thing that shows up in Firefox is:

Your profile folder contains a user.js file, which includes preferences that were not created by Firefox.

user.js is sometimes created by malware. Sometimes it's created by the user (yourself) on purpose to override some settings in Firefox.

If you didn't create the user.js file:

Navigate to your FF Profile. Example:

"C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\950pdgql.default\user.js"

So for your machine navigate to

C:\Users\Bunga\AppData\Roaming\Mozilla\Firefox\Profiles\

Click on your Profile folder and find user.js. Copy the file to your desktop.

Find the user.js file on your desktop and rename it to user.txt.

Upload it for us to look at please.
 

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
ASUS
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard
ASUSTeK COMPUTER INC. X501U
Memory
4.00 GB
Graphics Card(s)
AMD Radeon HD 6290 Graphics
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
Hitachi HTS545050A7E380 SATA Disk Device
Antivirus
Comodo CIS & FW, SecureAplus App Whitelisting, Threatfire
Browser
Cyberfox 64bit, Opera 64bit, Airfox
Other Info
Spy-The-Spy, HitmanPro.Alert, Norton Connect Safe, MJRegWatcher, BitDefender TrafficLight, Voodoo Shield, Zemana AntiMalware
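
A read-only way to inspect a user.js before deciding whether to delete it, as an added example that is not part of the original post: it parses the `user_pref()` lines and flags prefs on a watch list (proxy, home page, search). The watch list and the sample file contents are assumptions constructed for illustration; the file from this thread was never posted.

```python
import re
from pathlib import Path

# Assumed watch list for this example: prefs a hijacker would change to
# reroute traffic, the home page or searches. Not an official list.
WATCHED_PREFIXES = (
    "network.proxy.",
    "browser.startup.homepage",
    "browser.newtab.url",
    "browser.search.",
    "keyword.URL",
)

# One user_pref("name", value); per line; lines starting with // never match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.M)

# Constructed sample contents, not taken from the thread.
SAMPLE_USER_JS = """\
// constructed sample
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("browser.startup.homepage", "http://search.example.invalid/");
user_pref("browser.tabs.warnOnClose", false);
// user_pref("browser.search.defaultenginename", "commented out");
"""

def parse_user_js(text):
    """Return {pref_name: value} for every active user_pref() line."""
    return {name: value.strip('"') for name, value in PREF_RE.findall(text)}

def suspicious_prefs(prefs):
    """Keep only prefs whose name starts with a watched prefix."""
    return {n: v for n, v in prefs.items() if n.startswith(WATCHED_PREFIXES)}

def find_user_js(profiles_root):
    """List user.js files one level down: Profiles/<profile>/user.js."""
    return sorted(Path(profiles_root).glob("*/user.js"))

def audit(profiles_root):
    """Map each user.js found to its flagged prefs; files are only read."""
    return {str(p): suspicious_prefs(parse_user_js(p.read_text(errors="replace")))
            for p in find_user_js(profiles_root)}

if __name__ == "__main__":
    for name, value in suspicious_prefs(parse_user_js(SAMPLE_USER_JS)).items():
        print(f"REVIEW  {name} = {value}")
```

On a real machine, pass the `Profiles` folder from the post to `audit()`; an empty result for a file still means it should be read by eye, since the watch list is not exhaustive.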
There are no profiles listed in the folder nor any .js files. There are json files (login, addons, extensions) but nothing with my name or anyone else.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Lenovo
OS
Windows 7 Home Premium 64 bit.
CPU
Intel Core i3 4150 @ 3.50GHz
Motherboard
Manufacturer LENOVO Model SHARKBAY (SOCKET 0) Version NOK Ch
Memory
1 TB
Graphics Card(s)
W2240 on Intel HD Graphics 4400
Antivirus
Webroot SecureAnywhere
Browser
FireFox
Okay I need rest. Will check back tomorrow. In the meantime you could also download MiniToolbox:

MiniToolBox Download

Run it with these settings:

MiniToolbox.jpg

It will save a file named "results.txt" to your desktop. Would you upload the file? Thanks.
 

There are no profiles listed in the folder nor any .js files. There are json files (login, addons, extensions) but nothing with my name or anyone else.

Your report directly from Firefox says that there is a user.js file in your profile. Like this one:

user js.jpg

If you can't see it - go to your profile folder - right click it then choose "copy as path"

Paste into notepad and let us know what the path is. I can write a script to delete the user.js file.

Firefox Profile Path.jpg

Edit: Sorry - getting tired. Had to swap image as the original showed the wrong folder!
 
Here she is. Thanks for your patience and assistance.
 

Here she is. Thanks for your patience and assistance.

That looks okay. Check to see if you still have the same issue in Firefox since proxy settings were reset.

Will check back tomorrow.
 

From your posted Firefox report:

user.js Preferences

Your profile folder contains a user.js file, which includes preferences that were not created by Firefox.

Would like to get a look at that user.js file.

From your MiniToolbox report:

NetBIOS over Tcpip. . . . . . . . : Enabled

It should be disabled.

Control Panel > Network and Sharing Center

Select "Change Adapter Settings"

Double click on your active connection then "Properties"

Then see if you can follow the numbered steps in this screenshot:

screenshot001.jpg
 
Would you also try another browser to see if you get the same issue?

Download Cyberfox Portable Intel Optimized 32 bit version here:

https://sourceforge.net/projects/cyberfoxportabl/files/Zipped Format/

It's the fourth one in the download list.

It's portable so runs without install and uses its own profile. It's a Firefox 32bit variant.

If it works and doesn't suffer the same problem then I guess we will have to clean install Firefox after backing up bookmarks and extensions.

Add/Remove Programs will not fully remove Firefox to allow a clean install so if you want to try clean installing Firefox let us know and I'll post the steps needed.
 

Another request:

Download Farbar Recovery Scan Tool 64bit version: Farbar Recovery Scan Tool Download

Save it to your Desktop. Double-click the downloaded file to run it.
When the tool opens, click Yes to the disclaimer.
Press the Scan button.

When done, the tool makes two logs, FRST.txt and Addition.txt, in the same directory (Your Desktop).

Upload FRST.txt and Addition.txt in your reply.

If it detects anything that needs fixing I can upload a fixlist and you can use the tool to run the fixes.
 

SpyHunter? LOL!
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 Home Premium 64 bit
CPU
AMD A4
Memory
5 GB
Graphics Card(s)
Integrated Radeon
Hard Drives
500 gb WD
Antivirus
360 TS
Browser
IE

FarBar Recovery et al

I ran the Farbar tool scan. Txt files are uploaded for your review. I also ran CyberFox Portable and it has worked its way into that program as well. The Albireo toolbar came up a few times but not as many as with FireFox. It also does it on Internet Explorer.
 

Items of concern from your Farbar report:

Code:
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3696031867-1153337989-4056362340-1002] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-3696031867-1153337989-4056362340-500] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-3696031867-1153337989-4056362340-501] ATTENTION => Default URLSearchHook is missing

========

FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\A87C39FC8F0CF859B51630DDD792240FA87C [2015-12-18] <==== ATTENTION

2016-05-08 09:49 - 2016-04-02 15:42 - 00000000 ____D C:\Program Files\Juwjadnaza

Files to move or delete:
====================
C:\ProgramData\pclunst.exe

Do you have any idea what this is?

C:\Program Files\Juwjadnaza

I can find no reference to it anywhere. If you know what it is and need it remove the line from the list below shown in the CODE box.

RE: C:\ProgramData\pclunst.exe

https://herdprotect.com/pclunst.exe-708e76a72941373dc37d541b8aaf5b4f2c4e997a.aspx

Suggest the following:

Please open a Notepad document (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the Farbar script below
Save it to your Desktop and name it: fixlist.txt

Code:
start

CHR HKLM\SOFTWARE\Policies\Google:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer:
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer:
URLSearchHook: [S-1-5-21-3696031867-1153337989-4056362340-1002]
URLSearchHook: [S-1-5-21-3696031867-1153337989-4056362340-500]
URLSearchHook: [S-1-5-21-3696031867-1153337989-4056362340-501]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\A87C39FC8F0CF859B51630DDD792240FA87C [2015-12-18]
C:\Program Files\Juwjadnaza
C:\ProgramData\pclunst.exe

end

Run Farbar again and this time choose the "Fix" button. Upload the Fixlog.txt file that will show up on your desktop.

Thanks.
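
How the fixlist in the post above relates to the FRST excerpt, as an added example that is not part of the original post and not Farbar's own code: it strips the ATTENTION annotations the way the posted fixlist does, then lists the fixlist lines that carry no FRST flag, which are the ones the helper added by judgment and asked about. The annotation patterns are assumptions inferred only from the lines quoted in the post.

```python
import re

ARROW_RE = re.compile(r"\s*<=+\s*ATTENTION\s*$")   # trailing "<==== ATTENTION"
INLINE_RE = re.compile(r"\s+ATTENTION\s*=>.*$")    # "ATTENTION => reason"
RESTRICTION_RE = re.compile(r":\s*Restriction$")   # status word on policy keys

# Lines excerpted from the FRST report and the fixlist quoted in the post.
SAMPLE_LOG = r"""
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3696031867-1153337989-4056362340-1002] ATTENTION => Default URLSearchHook is missing
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\A87C39FC8F0CF859B51630DDD792240FA87C [2015-12-18] <==== ATTENTION
2016-05-08 09:49 - 2016-04-02 15:42 - 00000000 ____D C:\Program Files\Juwjadnaza
"""
SAMPLE_FIXLIST = r"""
start
CHR HKLM\SOFTWARE\Policies\Google:
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer:
URLSearchHook: [S-1-5-21-3696031867-1153337989-4056362340-1002]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\A87C39FC8F0CF859B51630DDD792240FA87C [2015-12-18]
C:\Program Files\Juwjadnaza
C:\ProgramData\pclunst.exe
end
"""

def flagged_entries(log_text):
    """Return ATTENTION-flagged log lines with the annotation removed."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if "ATTENTION" not in line:
            continue
        entry = INLINE_RE.sub("", ARROW_RE.sub("", line))
        entries.append(RESTRICTION_RE.sub(":", entry))
    return entries

def manual_additions(fixlist_text, log_text):
    """Fixlist lines with no matching FRST flag: confirm these before running Fix."""
    flagged = set(flagged_entries(log_text))
    body = [l.strip() for l in fixlist_text.splitlines() if l.strip()]
    return [l for l in body if l.lower() not in ("start", "end") and l not in flagged]

if __name__ == "__main__":
    for item in manual_additions(SAMPLE_FIXLIST, SAMPLE_LOG):
        print("CONFIRM BEFORE FIX:", item)
```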
 

Callender:

It's gone!! I did exactly as you said in your last post and I have not had any hijacking, extra toolbars, ads or malware! You are the Tech! Again, thank you so much for your time, patience and assistance!
 

Great! Thanks for letting us know.

:)
 
