Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for Jotzey

- - - - -

  • Please log in to reply
No replies to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,943 posts
Content is republished with permission from Malwarebytes.

What is Jotzey?

The Malwarebytes research team has determined that Jotzey is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the effected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is effected by Jotzey?

This is how the start- and search-page looks:

Posted Image

And you may see these toolbars:

Posted Image

Posted Image

or this warning:

Posted Image

How did Jotzey get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Jotzey?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-consumer.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:

    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.


Is there anything else I need to do to get rid of Jotzey?

  • No, but for a full removal of the Firefox add-on you will need Malwarebytes Anti-Malware 2.00 beta or newer.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Jotzey rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.


Posted Image

Technical details for experts

Signs in a HijackThis log:
O2 - BHO: Jotzey - {63a20a19-b1e6-4355-ab4c-28553af40ca2} - C:\Program Files\Jotzey\Jotzeybho.dll
O23 - Service: Update Jotzey - Unknown owner - C:\Program Files\Jotzey\updateJotzey.exe

Alterations made by the installer:
File system details
---------------------------------------------
    Adds the folder C:\Program Files\Jotzey
       Adds the file Jotzey.ico"="2/13/2014 2:30 AM, 1150 bytes, A
       Adds the file JotzeyBHO.dll"="2/13/2014 2:30 AM, 249624 bytes, A
       Adds the file JotzeyUninstall.exe"="2/17/2014 6:59 PM, 240933 bytes, A
       Adds the file updateJotzey.exe"="2/13/2014 2:30 AM, 80152 bytes, A
       Adds the file updateJotzey.InstallState"="2/17/2014 6:59 PM, 5012 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\joxsq3f5.default\extensions
       Adds the file {59981518-8b2b-431e-90db-17dacc8cfa86}.xpi"="2/13/2014 2:30 AM, 9764 bytes, A

Registry details [View: All details] (All)
------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
       "(Default)"="REG_SZ, "D1BB43C5-38EB-4790-AE05-5D88479FB101"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}]
       "(Default)"="REG_SZ, "D0142FC6-7B07-42F5-A441-ECFDF3F5C139"
       "id"="REG_SZ, "151"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63a20a19-b1e6-4355-ab4c-28553af40ca2}]
       "(Default)"="REG_SZ, "Jotzey"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63a20a19-b1e6-4355-ab4c-28553af40ca2}\InprocServer32]
       "(Default)"="REG_SZ, "C:\Program Files\Jotzey\Jotzeybho.dll"
       "ThreadingModel"="REG_SZ, "Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63a20a19-b1e6-4355-ab4c-28553af40ca2}\Programmable]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63a20a19-b1e6-4355-ab4c-28553af40ca2}\TypeLib]
       "(Default)"="REG_SZ, "{4e1ca9b1-c816-4b8a-bd4c-546fbc5008de}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63a20a19-b1e6-4355-ab4c-28553af40ca2}\Version]
       "(Default)"="REG_SZ, "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{682E055E-0863-4334-918C-29CD4F3F4D96}]
       "(Default)"="REG_SZ, "IJotzeyBHO"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{682E055E-0863-4334-918C-29CD4F3F4D96}\ProxyStubClsid]
       "(Default)"="REG_SZ, "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{682E055E-0863-4334-918C-29CD4F3F4D96}\ProxyStubClsid32]
       "(Default)"="REG_SZ, "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{682E055E-0863-4334-918C-29CD4F3F4D96}\TypeLib]
       "(Default)"="REG_SZ, "{4E1CA9B1-C816-4B8A-BD4C-546FBC5008DE}"
       "Version"="REG_SZ, "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1CA9B1-C816-4B8A-BD4C-546FBC5008DE}\1.0]
       "(Default)"="REG_SZ, "JotzeyIEClientLib"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1CA9B1-C816-4B8A-BD4C-546FBC5008DE}\1.0\0\win32]
       "(Default)"="REG_SZ, "C:\Program Files\Jotzey\Jotzeybho.dll"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1CA9B1-C816-4B8A-BD4C-546FBC5008DE}\1.0\FLAGS]
       "(Default)"="REG_SZ, "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1CA9B1-C816-4B8A-BD4C-546FBC5008DE}\1.0\HELPDIR]
       "(Default)"="REG_SZ, "C:\Program Files\Jotzey"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Jotzey\Chrome]
       "sgc"="REG_SZ, "true"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Jotzey\Firefox]
       "sff"="REG_SZ, "false"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Jotzey\Internet Explorer]
       "sie"="REG_SZ, "false"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\updateJotzey_RASAPI32]
       "ConsoleTracingMask"="REG_DWORD, -65536
       "EnableConsoleTracing"="REG_DWORD, 0
       "EnableFileTracing"="REG_DWORD, 0
       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
       "FileTracingMask"="REG_DWORD, -65536
       "MaxFileSize"="REG_DWORD, 1048576
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\updateJotzey_RASMANCS]
       "ConsoleTracingMask"="REG_DWORD, -65536
       "EnableConsoleTracing"="REG_DWORD, 0
       "EnableFileTracing"="REG_DWORD, 0
       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
       "FileTracingMask"="REG_DWORD, -65536
       "MaxFileSize"="REG_DWORD, 1048576
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63a20a19-b1e6-4355-ab4c-28553af40ca2}]
       "(Default)"="REG_SZ, "Jotzey"
       "NoExplorer"="REG_DWORD, 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jotzey]
       "DisplayIcon"="REG_SZ, "C:\Program Files\Jotzey\Jotzey.ico"
       "DisplayName"="REG_SZ, "Jotzey"
       "DisplayVersion"="REG_SZ, "2014.02.13.012613"
       "EstimatedSize"="REG_DWORD, 328
       "HelpLink"="REG_SZ, "mailto:[email protected]"
       "InstallLocation"="REG_SZ, "C:\Program Files\Jotzey"
       "InstallTime"="REG_SZ, "2014-02-17 18:59:27"
       "NoModify"="REG_DWORD, 1
       "NoRepair"="REG_DWORD, 1
       "Publisher"="REG_SZ, "Jotzey"
       "QuietUninstallString"="REG_SZ, "C:\Program Files\Jotzey\Jotzeyuninstall.exe /S"
       "UninstallString"="REG_SZ, "C:\Program Files\Jotzey\Jotzeyuninstall.exe"
       "URLInfoAbout"="REG_SZ, "http://jotzey.net/support"
       "URLUpdateInfo"="REG_SZ, "http://jotzey.net"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Update Jotzey]
       "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update Jotzey]
       "ErrorControl"="REG_DWORD, 1
       "FailureActions"="REG_BINARY, ......................
       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\Jotzey\updateJotzey.exe""
       "ObjectName"="REG_SZ, "LocalSystem"
       "Start"="REG_DWORD, 2
       "Type"="REG_DWORD, 16
    [HKEY_CURRENT_USER\Software\Jotzey]
       "id"="REG_SZ, "2014-02-17 18:59:27"
       "iid"="REG_SZ, "def_Jotzey"
       "is"="REG_SZ, "def_Jotzey"
    [HKEY_CURRENT_USER\Software\Jotzey\Firefox]
       "ug"="REG_SZ, "3F43DBCF-EA9A-4B88-9AD5-F799E5A4B54B"
    [HKEY_CURRENT_USER\Software\Jotzey\Internet Explorer]
       "ug"="REG_SZ, "4656EECA-0BEE-46CD-A1CB-115B535BE683"


Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/17/2014
Scan Time: 7:10:12 PM
Logfile: mbamJotzey.txt
Administrator: Yes

Version: 2.00.0.0503
Malware Database: v2014.02.17.06
Rootikt Database: v2013.12.18.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 195544
Time Elapsed: 2 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Process, PUP.Optional.Jotzey.A, C:\Program Files\Jotzey\updateJotzey.exe, Delete-on-Reboot, [a4a6fde06515ed498daf6238c53c8878], 

Modules: 0
(No malicious items detected)

Registry Keys: 13
Registry Key, PUP.Optional.Jotzey.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Update Jotzey, Quarantined, [a4a6fde06515ed498daf6238c53c8878], 
Registry Key, PUP.Optional.Jotzey.A, HKLM\SOFTWARE\CLASSES\CLSID\{63a20a19-b1e6-4355-ab4c-28553af40ca2}, Quarantined, [74d65588d1a96dc982b96436dc2527d9], 
Registry Key, PUP.Optional.Jotzey.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{4e1ca9b1-c816-4b8a-bd4c-546fbc5008de}, Quarantined, [74d65588d1a96dc982b96436dc2527d9], 
Registry Key, PUP.Optional.Jotzey.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{682E055E-0863-4334-918C-29CD4F3F4D96}, Quarantined, [74d65588d1a96dc982b96436dc2527d9], 
Registry Key, PUP.Optional.Jotzey.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{63A20A19-B1E6-4355-AB4C-28553AF40CA2}, Quarantined, [74d65588d1a96dc982b96436dc2527d9], 
Registry Key, PUP.Optional.Jotzey.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{63A20A19-B1E6-4355-AB4C-28553AF40CA2}, Quarantined, [74d65588d1a96dc982b96436dc2527d9], 
Registry Key, PUP.Optional.Jotzey.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{63A20A19-B1E6-4355-AB4C-28553AF40CA2}, Quarantined, [74d65588d1a96dc982b96436dc2527d9], 
Registry Key, PUP.Optional.Jotzey.A, HKLM\SOFTWARE\CLASSES\CLSID\{63A20A19-B1E6-4355-AB4C-28553AF40CA2}\INPROCSERVER32, Quarantined, [74d65588d1a96dc982b96436dc2527d9], 
Registry Key, PUP.Optional.BrowseFox.A, HKLM\SOFTWARE\CLASSES\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}, Quarantined, [1e2cb62793e78da9d5279ec88e7430d0], 
Registry Key, PUP.Optional.Jotzey.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Jotzey, Quarantined, [15356b722654ac8a6ee9027b1ee45fa1], 
Registry Key, PUP.Optional.Jotzey.A, HKCU\SOFTWARE\Jotzey, Quarantined, [f1596776304ae452aeaaf984e81a17e9], 
Registry Key, PUP.Optional.Jotzey.A, HKLM\SOFTWARE\Jotzey, Quarantined, [1b2f637a027884b22237621bfc0614ec], 
Registry Key, PUP.Optional.Ligtning.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\cekcjpgehmohobmdiikfnopibipmgnml, Quarantined, [67e33ba2a7d3c67069280e7121e14bb5], 

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 4
Folder, PUP.Optional.Jotzey.A, C:\Program Files\Jotzey, Delete-on-Reboot, [15356b722654ac8a6ee9027b1ee45fa1], 
Folder, PUP.Optional.eSafe.A, C:\ProgramData\eSafe\log, Quarantined, [50fa904d1c5ea88e49642e5115ed7789], 
Folder, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml, Quarantined, [86c46875ea900b2b270de894c042cd33], 
Folder, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0, Quarantined, [86c46875ea900b2b270de894c042cd33], 

Files: 16
File, PUP.Optional.Jotzey.A, C:\Program Files\Jotzey\updateJotzey.exe, Delete-on-Reboot, [a4a6fde06515ed498daf6238c53c8878], 
File, PUP.Optional.Jotzey.A, C:\Program Files\Jotzey\JotzeyBHO.dll, Quarantined, [74d65588d1a96dc982b96436dc2527d9], 
File, PUP.Optional.Jotzey.A, C:\Users\{username}\Desktop\Jotzey.exe, Quarantined, [74d6924b5624fb3bce6d1684fd04c53b], 
File, PUP.Optional.Jotzey.A, C:\Program Files\Jotzey\Jotzey.ico, Quarantined, [15356b722654ac8a6ee9027b1ee45fa1], 
File, PUP.Optional.Jotzey.A, C:\Program Files\Jotzey\JotzeyUninstall.exe, Quarantined, [15356b722654ac8a6ee9027b1ee45fa1], 
File, PUP.Optional.Jotzey.A, C:\Program Files\Jotzey\updateJotzey.InstallState, Quarantined, [15356b722654ac8a6ee9027b1ee45fa1], 
File, PUP.Optional.eSafe.A, C:\ProgramData\eSafe\log\eGdpSvc.LOG, Quarantined, [50fa904d1c5ea88e49642e5115ed7789], 
File, PUP.Optional.NewTab.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\newtab.crx, Quarantined, [4bff65784e2c1d19c860a6da0101916f], 
File, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\background.html, Quarantined, [86c46875ea900b2b270de894c042cd33], 
File, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\background.js, Quarantined, [86c46875ea900b2b270de894c042cd33], 
File, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\data.json, Quarantined, [86c46875ea900b2b270de894c042cd33], 
File, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\icon128.png, Quarantined, [86c46875ea900b2b270de894c042cd33], 
File, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\jquery.js, Quarantined, [86c46875ea900b2b270de894c042cd33], 
File, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\manifest.json, Quarantined, [86c46875ea900b2b270de894c042cd33], 
File, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\xa.js, Quarantined, [86c46875ea900b2b270de894c042cd33], 
File, PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\xagainit.js, Quarantined, [86c46875ea900b2b270de894c042cd33], 

Physical Sectors: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisements





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.