Metallica

Removal instructions for Laflurla


What is Laflurla?

The Malwarebytes research team has determined that Laflurla is a browser hijacker. These so-called "hijackers" alter your start page or search scopes so that the affected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is affected by Laflurla?

You may see these toolbars/add-ons:

warning2.png

warning3.png

or this warning:

main.png

How did Laflurla get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Laflurla?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. You will need Malwarebytes Anti-Malware version 2.00 (beta) or newer to disable the Chrome and Firefox extensions.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-consumer.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.

Is there anything else I need to do to get rid of Laflurla?

  • The Firefox extension can now safely be removed. Open the "Extensions" tab under "Add-ons" and click "Remove" and "Restart" to complete the removal.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Laflurla hijacker. It would have warned you before the browser helper object could install itself, giving you a chance to stop it before it became too late.

protection1.png

Technical details for experts

Signs in a HijackThis log:

O2 - BHO: Laflurla - {b4a89cd3-c5f5-49c4-abcf-5f26d636476f} - C:\Program Files\Laflurla\Laflurlabho.dll
O23 - Service: Update Laflurla - Unknown owner - C:\Program Files\Laflurla\updateLaflurla.exe

Alterations made by the installer:

Malwarebytes Anti-Malware log:

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
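
The HijackThis signs listed under "Technical details for experts" can be checked for automatically. The following is an added example, not part of the original post or of any Malwarebytes tool: it scans a HijackThis log for O2 (BHO) and O23 (service) entries that match the CLSID and install folder shown above, comparing case-insensitively as Windows does. The function names and the non-Laflurla log lines are constructed for illustration.

```python
import re

# Indicators copied from the HijackThis lines in the post.
BHO_CLSID = "{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}"
INSTALL_DIR = r"C:\Program Files\Laflurla"

# O2 entry layout: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O23_PREFIX = "O23 - Service: "

# Constructed sample log: lines 2 and 5 are the entries from the post,
# the others are made up (two clean entries, one upper-case CLSID variant).
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: Laflurla - {b4a89cd3-c5f5-49c4-abcf-5f26d636476f} - C:\Program Files\Laflurla\Laflurlabho.dll
O2 - BHO: (no name) - {B4A89CD3-C5F5-49C4-ABCF-5F26D636476F} - (no file)
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\updater.exe
O23 - Service: Update Laflurla - Unknown owner - C:\Program Files\Laflurla\updateLaflurla.exe
""".strip()


def in_install_dir(path):
    """True if path lies under the install folder (quotes and case ignored)."""
    p = path.strip().strip('"').lower()
    return p.startswith(INSTALL_DIR.lower() + "\\")


def find_laflurla(log_text):
    """Return (line_no, section, reason) for every matching O2/O23 entry."""
    hits = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            # The CLSID survives even if the DLL was moved or already deleted.
            if m["clsid"].lower() == BHO_CLSID:
                hits.append((no, "O2", "BHO CLSID"))
            elif in_install_dir(m["path"]):
                hits.append((no, "O2", "BHO path"))
        elif line.startswith(O23_PREFIX):
            # Split from the right: the binary path is always the last field.
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3 and in_install_dir(parts[2]):
                hits.append((no, "O23", "service path"))
    return hits


if __name__ == "__main__":
    for hit in find_laflurla(SAMPLE_LOG):
        print(hit)
```
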
