
Removal instructions for Laflurla



Metallica

Content is republished with permission from Malwarebytes.

What is Laflurla?

The Malwarebytes research team has determined that Laflurla is a browser hijacker. These so-called "hijackers" alter your start page or search scopes so that the affected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is affected by Laflurla?

You may see these toolbars/add-ons:

Posted Image

Posted Image

or this warning:

Posted Image

How did Laflurla get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Laflurla?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. You will need Malwarebytes Anti-Malware version 2.00 (beta) or newer to disable the Chrome and Firefox extensions.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-consumer.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:

    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.


Is there anything else I need to do to get rid of Laflurla?

  • The Firefox extension can now safely be removed. Open the "Extensions" tab under "Add-ons" and click "Remove" and "Restart" to complete the removal.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Laflurla hijacker. It would have warned you before the browser helper object could install itself, giving you a chance to stop it before it became too late.


Posted Image

Technical details for experts

Signs in a HijackThis log:
O2 - BHO: Laflurla - {b4a89cd3-c5f5-49c4-abcf-5f26d636476f} - C:\Program Files\Laflurla\Laflurlabho.dll
O23 - Service: Update Laflurla - Unknown owner - C:\Program Files\Laflurla\updateLaflurla.exe

Alterations made by the installer:
File system details
---------------------------------------------
    Adds the folder C:\Program Files\Laflurla
       Adds the file 7za.exe"="3/8/2014 12:43 AM, 536064 bytes, A
       Adds the file Laflurla.FirstRun.exe"="3/10/2014 8:59 PM, 1765152 bytes, A
       Adds the file Laflurla.ico"="3/10/2014 8:59 PM, 1150 bytes, A
       Adds the file LaflurlaBHO.dll"="3/10/2014 8:59 PM, 249632 bytes, A
       Adds the file LaflurlaUninstall.exe"="3/12/2014 8:52 PM, 242800 bytes, A
       Adds the file updateLaflurla.exe"="3/10/2014 8:59 PM, 112416 bytes, A
       Adds the file updateLaflurla.InstallState"="3/12/2014 8:51 PM, 5012 bytes, A
    Adds the folder C:\Users\Malwarebytes\AppData\Roaming\Mozilla\Firefox\Profiles\joxsq3f5.default\extensions
       Adds the file {6b320d34-648f-46d8-8353-a4300db1c49c}.xpi"="3/10/2014 8:59 PM, 7929 bytes, A
    In the existing folder C:\Users\Malwarebytes\AppData\Roaming\Mozilla\Firefox\Profiles\joxsq3f5.default\webapps
       Alters the file webapps.json
        11/9/2013 12:15 PM, 2 bytes, A ==> 3/12/2014 8:52 PM, 2 bytes, A

Registry details 
------------------------------------------



Malwarebytes Anti-Malware log:

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
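
The two entries listed under "Signs in a HijackThis log" can be checked for mechanically when reviewing a submitted log. The following Python is an added example, not part of the original post or of any Malwarebytes tool; the function name `find_laflurla` and the sample log are constructed for illustration, and matching is case-insensitive because CLSIDs and Windows paths are.

```python
import re

# Indicators copied from the two HijackThis lines quoted in the post.
BHO_CLSID = "{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}"
SERVICE_NAME = "Update Laflurla"
INSTALL_DIR = r"C:\Program Files\Laflurla"

# O2 = Browser Helper Object, O23 = Windows service (HijackThis section codes).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _norm(path):
    # Windows paths are case-insensitive and may be quoted in the log.
    return path.strip().strip('"').lower()


def _in_install_dir(path):
    # Trailing backslash avoids matching sibling folders such as "Laflurla2".
    return _norm(path).startswith(INSTALL_DIR.lower() + "\\")


def find_laflurla(log_text):
    """Return (line_number, reason) for every O2/O23 entry matching an indicator."""
    hits = []
    for number, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        bho = O2_RE.match(line)
        svc = O23_RE.match(line)
        if bho and bho["clsid"].lower() == BHO_CLSID:
            hits.append((number, "BHO CLSID"))
        elif svc and svc["name"].strip().lower() == SERVICE_NAME.lower():
            hits.append((number, "service name"))
        elif (bho or svc) and _in_install_dir((bho or svc)["path"]):
            hits.append((number, "install folder"))
    return hits


# Constructed sample log: two benign entries, the two entries from the post
# (CLSID upper-cased to exercise case-insensitive matching), and one constructed
# entry that matches only on the install folder.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: Laflurla - {B4A89CD3-C5F5-49C4-ABCF-5F26D636476F} - C:\Program Files\Laflurla\Laflurlabho.dll
O23 - Service: Example Service - Example Corp - C:\Program Files\Example\svc.exe
O23 - Service: Update Laflurla - Unknown owner - C:\Program Files\Laflurla\updateLaflurla.exe
O23 - Service: Renamed Updater - Unknown owner - "c:\program files\laflurla\other.exe"
"""

if __name__ == "__main__":
    for number, reason in find_laflurla(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

A hit on any of the three reasons after the removal steps means a remnant is still registered and the scan should be repeated.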