Jump to content

Removal instructions for Dotdo-Audio

Metallica
 Share

Recommended Posts

  • Staff
Metallica

Metallica

Posted
  • Staff
Posted (edited)
What is Dotdo-Audio?

The Malwarebytes research team has determined that Dotdo-Audio is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the effected browser visits their site or one of their choice.
This one uses a "man in the middle" method on Chrome and Firefox. It also uses audio advertisements.

How do I know if my computer is affected by Dotdo-Audio?
  • Your computer will slow down considerably.
  • You may hear audio advertisements even when there are no browser windows open.
  • You may notice hidden and renamed files in the Chrome and Firefox application folders.
    hiddenexe.png
    hiddenexe2.png
    The renamed and hidden files are the original browser executables.
  • You may have seen a few command prompts during install:

    warning1.png
    Using taskkill to shut down Chrome and Firefox processes, so it can replace them.

    And you may find a few Scheduled Tasks similar to these:

    warning3.png

    How did Dotdo-Audio get on my computer?

    Browser hijackers use different methods for distributing themselves. This particular one was installed by a trojan.

    How do I remove Dotdo-Audio?

    Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
    • Please download Malwarebytes Anti-Malware to your desktop.
    • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
    • At the end, be sure a check-mark is placed next to:
      Launch Malwarebytes Anti-Malware
    • Then click Finish.
    • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
    • If an update is available, it will be implemented before the rest of the scanning procedure.
    • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
    • Restart your computer when prompted to do so.
    Is there anything else I need to do to get rid of Dotdo-Audio?
    • No, Malwarebytes' Anti-Malware removes Dotdo-Audio completely.
    • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
    • This PUP disables the Windows Defender service. You may want to run services.msc to open Services Manager. Ensure that the Windows Defender service is started and set to Automatic.
    How would the full version of Malwarebytes Anti-Malware help protect me?

    We hope our application and this guide have helped you eradicate this hijacker.

    As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Dotdo-Audio hijacker. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.


    protection1.png

    It also stops some of the outgoing connections the adware tries to make:


    protection2.png

    Technical details for experts

    Signs in a FRST logs:
      
     () C:\Program Files (x86)\micra\sacrosanct.exe
 () C:\Program Files (x86)\umm\rickshaws.exe
 HKLM\...\Run: [micrometer] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
 HKLM-x32\...\Run: [amputate] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
 HKCU\...\Run: [finish] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
 HKCU\...\Run: [varmints] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
 HKCU\...\Run: [sacrosanct] => C:\Program Files (x86)\micra\sacrosanct.exe [36766 2016-07-19] ()
 HKCU\...\Run: [ens] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
 Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\heaton.lnk [2016-08-10]
 ShortcutTarget: heaton.lnk -> C:\Program Files (x86)\umm\rickshaws.exe ()
 S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 C:\Windows\System32\Tasks\49902965
 C:\Windows\System32\Tasks\Pa4990296549902965
 C:\Program Files (x86)\umm
 C:\Program Files (x86)\micra
 C:\Windows\scid.exe
 C:\Windows\settings.dll
 C:\Users\{username}\AppData\Local\66534719.exe
 C:\Users\{username}\AppData\Local\10262.exe

Task: {7183CE50-E79D-43B0-A322-408A35C16BD7} - System32\Tasks\49902965 => C:\Program Files (x86)\umm\rickshaws.exe [2016-07-19] () <==== ATTENTION
Task: {7BFBE69C-F99A-4C34-B03B-E764BFEB6C29} - System32\Tasks\Pa4990296549902965 => C:\Program Files (x86)\umm\rickshaws.exe [2016-07-19] ()
() C:\Users\{username}\AppData\Local\Temp\nseEFCF.tmp\ExecCmd.dll
FirewallRules: [{C9C8C4B7-05CB-4F44-B1B7-35C179711A21}] => (Allow) C:\Program Files (x86)\umm\rickshaws.exe
    Alterations made by the installer:
      
    File system details [View: All details] (Selection)
---------------------------------------------------
    In the existing folder C:\Program Files (x86)\Google\Chrome\Application
       Alters the file chrome.exe
        8/3/2016 2:20 AM, 961352 bytes, A ==> 7/19/2016 4:01 AM, 406393 bytes, A
       Adds the file chrome334.exe"="8/3/2016 2:20 AM, 961352 bytes, H
    Adds the folder C:\Program Files (x86)\micra
       Adds the file sacrosanct.exe"="7/19/2016 4:01 AM, 36766 bytes, A
    In the existing folder C:\Program Files (x86)\Mozilla Firefox
       Alters the file firefox.exe
        6/20/2016 11:22 AM, 392136 bytes, A ==> 7/19/2016 4:01 AM, 406396 bytes, A
       Adds the file firefox334.exe"="6/20/2016 11:22 AM, 392136 bytes, H
    Adds the folder C:\Program Files (x86)\umm
       Adds the file Microsoft.Win32.TaskScheduler.dll"="6/26/2015 9:08 PM, 294400 bytes, A
       Adds the file rickshaws.exe"="7/19/2016 4:01 AM, 10752 bytes, A
       Adds the file settings.dll"="7/19/2016 4:01 AM, 6656 bytes, A
    In the existing folder C:\Users\{username}\AppData\Local
       Adds the file 10262.exe"="7/19/2016 4:00 AM, 34157 bytes, A
       Adds the file 66534719.exe"="7/19/2016 4:00 AM, 127638 bytes, A
    In the existing folder C:\Users\{username}\AppData\Local\Microsoft\Media Player
       Alters the file CurrentDatabase_372.wmdb
        7/20/2016 11:30 AM, 1331200 bytes, A ==> 8/10/2016 8:32 AM, 1331200 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
       Adds the file heaton.lnk"="8/10/2016 8:18 AM, 762 bytes, A
    In the existing folder C:\Windows
       Adds the file scid.exe"="7/19/2016 4:01 AM, 10752 bytes, A
       Adds the file settings.dll"="7/19/2016 4:01 AM, 6656 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file 49902965"="8/10/2016 8:19 AM, 3808 bytes, A
       Adds the file Pa4990296549902965"="8/10/2016 8:19 AM, 3662 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
       "micrometer"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
       "DisableAntiSpyware"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
       "amputate"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.everclips.net]
       "(Default)"="REG_DWORD", 119
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net]
       "(Default)"="REG_DWORD", 119
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "ens"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
       "finish"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
       "sacrosanct"="REG_SZ", ""C:\Program Files (x86)\micra\sacrosanct.exe""
       "varmints"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
    Malwarebytes Anti-Malware log:
      
    Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/10/2016
Scan Time: 9:35 AM
Logfile: mbamDotdoAudio.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.10.03
Rootkit Database: v2016.08.09.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317334
Time Elapsed: 10 min, 55 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 3
PUP.Optional.DotDo, C:\Program Files (x86)\micra\sacrosanct.exe, 2100, Delete-on-Reboot, [e3881b2efaa038fe8e73219692726e92]
PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, 3176, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, 2360, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72]

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7183CE50-E79D-43B0-A322-408A35C16BD7}, Delete-on-Reboot, [4922aa9f504a91a5881142882fd31be5], 
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7BFBE69C-F99A-4C34-B03B-E764BFEB6C29}, Delete-on-Reboot, [4b20fe4b7e1ce353d2c833972ad80ff1], 
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\49902965, Delete-on-Reboot, [0d5e0c3d1684c2746834e5e57c861de3], 
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Pa4990296549902965, Delete-on-Reboot, [f17aea5f4753bb7b4d5004c6c9399967], 

Registry Values: 8
PUP.Optional.DotDo, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|sacrosanct, "C:\Program Files (x86)\micra\sacrosanct.exe", Quarantined, [e3881b2efaa038fe8e73219692726e92]
PUP.Optional.DotDo.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|micrometer, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|amputate, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|finish, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|varmints, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ens, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7183CE50-E79D-43B0-A322-408A35C16BD7}|Path, \49902965, Delete-on-Reboot, [4922aa9f504a91a5881142882fd31be5]
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7BFBE69C-F99A-4C34-B03B-E764BFEB6C29}|Path, \Pa4990296549902965, Delete-on-Reboot, [4b20fe4b7e1ce353d2c833972ad80ff1]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 10
PUP.Optional.DotDo, C:\Program Files (x86)\micra\sacrosanct.exe, Delete-on-Reboot, [e3881b2efaa038fe8e73219692726e92], 
PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72], 
Trojan.Agent, C:\Users\{username}\Desktop\DotdoSetup.exe, Quarantined, [44271f2acbcfe74f0e7dbea8e51d9769], 
PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\settings.dll, Delete-on-Reboot, [363573d6b3e7c86ea24a4e80ec1531cf], 
Trojan.Agent, C:\Users\{username}\AppData\Local\10262.exe, Quarantined, [e08b8abfff9b9d99bdcefb6b02008b75], 
PUP.Optional.DotDo.PrxySvrRST, C:\Windows\scid.exe, Quarantined, [f576df6af6a4f83ed236c816778ad828], 
PUP.Optional.DotDo.PrxySvrRST, C:\Windows\settings.dll, Quarantined, [f17a66e3702afd39ea024985738e17e9], 
PUP.Optional.MultiPlug.PrxySvrRST, C:\Windows\System32\Tasks\49902965, Quarantined, [cba02f1a14863cfa2a699535689ab050], 
PUP.Optional.MultiPlug.PrxySvrRST, C:\Windows\System32\Tasks\Pa4990296549902965, Quarantined, [8edde4651b7fd56173213892da28af51], 
PUP.Optional.DotDo, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\heaton.lnk, Quarantined, [6308fd4c7c1edd593ad4a710788c8d73], 

Physical Sectors: 0
(No malicious items detected)


(end)
    As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
    We use different ways of protecting your computer(s):
    • Dynamically Blocks Malware Sites & Servers
    • Malware Execution Prevention
    Save yourself the hassle and get protected.
Edited by Metallica
Link to post
Share on other sites
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.