Jump to content


Create Account Login to Account

Removal instructions for Laflurla

- - - - -

  • Please log in to reply

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,041 posts
  • MVP
Content is republished with permission from Malwarebytes.

What is Laflurla?

The Malwarebytes research team has determined that Laflurla is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the effected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is effected by Laflurla?

You may see these toolbars/add-ons:

Posted Image

Posted Image

or this warning:

Posted Image

How did Laflurla get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Laflurla?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. You will need Malwarebytes Anti-Malware version 2.00 (beta) or newer to disable the Chrome and Firefox extensions.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-consumer.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:

    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.


Is there anything else I need to do to get rid of Laflurla?

  • The Firefox extension can now safely be removed. Open the "Extensions" tab under "Add-ons" and click "Remove" and "Restart" to complete the removal.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Laflurla hijacker. It would have warned you before the browser helper object could install itself, giving you a chance to stop it before it became too late.


Posted Image

Technical details for experts

Signs in a HijackThis log:
O2 - BHO: Laflurla - {b4a89cd3-c5f5-49c4-abcf-5f26d636476f} - C:\Program Files\Laflurla\Laflurlabho.dll
O23 - Service: Update Laflurla - Unknown owner - C:\Program Files\Laflurla\updateLaflurla.exe

Alterations made by the installer:
File system details
---------------------------------------------
    Adds the folder C:\Program Files\Laflurla
       Adds the file 7za.exe"="3/8/2014 12:43 AM, 536064 bytes, A
       Adds the file Laflurla.FirstRun.exe"="3/10/2014 8:59 PM, 1765152 bytes, A
       Adds the file Laflurla.ico"="3/10/2014 8:59 PM, 1150 bytes, A
       Adds the file LaflurlaBHO.dll"="3/10/2014 8:59 PM, 249632 bytes, A
       Adds the file LaflurlaUninstall.exe"="3/12/2014 8:52 PM, 242800 bytes, A
       Adds the file updateLaflurla.exe"="3/10/2014 8:59 PM, 112416 bytes, A
       Adds the file updateLaflurla.InstallState"="3/12/2014 8:51 PM, 5012 bytes, A
    Adds the folder C:\Users\Malwarebytes\AppData\Roaming\Mozilla\Firefox\Profiles\joxsq3f5.default\extensions
       Adds the file {6b320d34-648f-46d8-8353-a4300db1c49c}.xpi"="3/10/2014 8:59 PM, 7929 bytes, A
    In the existing folder C:\Users\Malwarebytes\AppData\Roaming\Mozilla\Firefox\Profiles\joxsq3f5.default\webapps
       Alters the file webapps.json
        11/9/2013 12:15 PM, 2 bytes, A ==> 3/12/2014 8:52 PM, 2 bytes, A

Registry details 
------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
       "(Default)"="REG_SZ, "6AB74664-26C6-45D8-9F41-4FB63481E310"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}]
       "(Default)"="REG_SZ, "9BC747BE-9E86-4DA5-B200-EFADF6B0B439"
       "id"="REG_SZ, "171"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}]
       "(Default)"="REG_SZ, "Laflurla"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}\InprocServer32]
       "(Default)"="REG_SZ, "C:\Program Files\Laflurla\Laflurlabho.dll"
       "ThreadingModel"="REG_SZ, "Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}\Programmable]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}\TypeLib]
       "(Default)"="REG_SZ, "{f1ec172a-3fec-4fef-a218-13f15e1b8c8d}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}\Version]
       "(Default)"="REG_SZ, "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50A6B23F-0055-41B7-AF2D-6689B24022A0}]
       "(Default)"="REG_SZ, "ILaflurlaBHO"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50A6B23F-0055-41B7-AF2D-6689B24022A0}\ProxyStubClsid]
       "(Default)"="REG_SZ, "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50A6B23F-0055-41B7-AF2D-6689B24022A0}\ProxyStubClsid32]
       "(Default)"="REG_SZ, "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50A6B23F-0055-41B7-AF2D-6689B24022A0}\TypeLib]
       "(Default)"="REG_SZ, "{F1EC172A-3FEC-4FEF-A218-13F15E1B8C8D}"
       "Version"="REG_SZ, "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F1EC172A-3FEC-4FEF-A218-13F15E1B8C8D}\1.0]
       "(Default)"="REG_SZ, "LaflurlaIEClientLib"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F1EC172A-3FEC-4FEF-A218-13F15E1B8C8D}\1.0\0\win32]
       "(Default)"="REG_SZ, "C:\Program Files\Laflurla\Laflurlabho.dll"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F1EC172A-3FEC-4FEF-A218-13F15E1B8C8D}\1.0\FLAGS]
       "(Default)"="REG_SZ, "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F1EC172A-3FEC-4FEF-A218-13F15E1B8C8D}\1.0\HELPDIR]
       "(Default)"="REG_SZ, "C:\Program Files\Laflurla"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Laflurla\Chrome]
       "sgc"="REG_SZ, "true"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Laflurla\Firefox]
       "sff"="REG_SZ, "false"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Laflurla\Internet Explorer]
       "sie"="REG_SZ, "false"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Laflurla_RASAPI32]
       "ConsoleTracingMask"="REG_DWORD, -65536
       "EnableConsoleTracing"="REG_DWORD, 0
       "EnableFileTracing"="REG_DWORD, 0
       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
       "FileTracingMask"="REG_DWORD, -65536
       "MaxFileSize"="REG_DWORD, 1048576
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Laflurla_RASMANCS]
       "ConsoleTracingMask"="REG_DWORD, -65536
       "EnableConsoleTracing"="REG_DWORD, 0
       "EnableFileTracing"="REG_DWORD, 0
       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
       "FileTracingMask"="REG_DWORD, -65536
       "MaxFileSize"="REG_DWORD, 1048576
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\updateLaflurla_RASAPI32]
       "ConsoleTracingMask"="REG_DWORD, -65536
       "EnableConsoleTracing"="REG_DWORD, 0
       "EnableFileTracing"="REG_DWORD, 0
       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
       "FileTracingMask"="REG_DWORD, -65536
       "MaxFileSize"="REG_DWORD, 1048576
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\updateLaflurla_RASMANCS]
       "ConsoleTracingMask"="REG_DWORD, -65536
       "EnableConsoleTracing"="REG_DWORD, 0
       "EnableFileTracing"="REG_DWORD, 0
       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
       "FileTracingMask"="REG_DWORD, -65536
       "MaxFileSize"="REG_DWORD, 1048576
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}]
       "(Default)"="REG_SZ, "Laflurla"
       "NoExplorer"="REG_DWORD, 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Laflurla]
       "DisplayIcon"="REG_SZ, "C:\Program Files\Laflurla\Laflurla.ico"
       "DisplayName"="REG_SZ, "Laflurla"
       "DisplayVersion"="REG_SZ, "2014.03.10.195912"
       "EstimatedSize"="REG_DWORD, 2606
       "HelpLink"="REG_SZ, "mailto:support@laflurla.com"
       "InstallLocation"="REG_SZ, "C:\Program Files\Laflurla"
       "InstallTime"="REG_SZ, "2014-03-12 20:51:47"
       "NoModify"="REG_DWORD, 1
       "NoRepair"="REG_DWORD, 1
       "Publisher"="REG_SZ, "Laflurla"
       "QuietUninstallString"="REG_SZ, "C:\Program Files\Laflurla\Laflurlauninstall.exe /S"
       "UninstallString"="REG_SZ, "C:\Program Files\Laflurla\Laflurlauninstall.exe"
       "URLInfoAbout"="REG_SZ, "http://laflurla.com/support"
       "URLUpdateInfo"="REG_SZ, "http://laflurla.com"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Update Laflurla]
       "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update Laflurla]
       "DisplayName"="REG_SZ, "Update Laflurla"
       "ErrorControl"="REG_DWORD, 1
       "FailureActions"="REG_BINARY, ......................
       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\Laflurla\updateLaflurla.exe""
       "ObjectName"="REG_SZ, "LocalSystem"
       "Start"="REG_DWORD, 2
       "Type"="REG_DWORD, 16
    [HKEY_CURRENT_USER\Software\Laflurla]
       "id"="REG_SZ, "2014-03-12 20:51:47"
       "iid"="REG_SZ, "def_Laflurla"
       "is"="REG_SZ, "def_Laflurla"
    [HKEY_CURRENT_USER\Software\Laflurla\Firefox]
       "ug"="REG_SZ, "1EF2573A-A05C-4726-94F4-065FB190DB5F"
    [HKEY_CURRENT_USER\Software\Laflurla\Internet Explorer]
       "ug"="REG_SZ, "14EF5A3B-E715-4A57-A8D2-8C2151E4234E"



Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/12/2014
Scan Time: 9:05:07 PM
Logfile: mbamLaflurla.txt
Administrator: Yes

Version: 2.00.0.1000
Malware Database: v2014.03.12.10
Rootkit Database: v2014.02.20.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 200495
Time Elapsed: 2 min, 50 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.Laflurla.A, C:\Program Files\Laflurla\updateLaflurla.exe, 7564, Delete-on-Reboot, [8dddbf432952b1859f1c9018f60b23dd]
PUP.Optional.Sambreel.A, C:\Program Files\Laflurla\Laflurla.FirstRun.exe, 3012, Delete-on-Reboot, [da909c66bac1b581221e3c5ca1600ef2]

Modules: 0
(No malicious items detected)

Registry Keys: 13
PUP.Optional.Laflurla.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Update Laflurla, Quarantined, [8dddbf432952b1859f1c9018f60b23dd], 
PUP.Optional.Laflurla.A, HKLM\SOFTWARE\CLASSES\CLSID\{b4a89cd3-c5f5-49c4-abcf-5f26d636476f}, Quarantined, [d3979a689ddec96db604ecbcec15ea16], 
PUP.Optional.Laflurla.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{f1ec172a-3fec-4fef-a218-13f15e1b8c8d}, Quarantined, [d3979a689ddec96db604ecbcec15ea16], 
PUP.Optional.Laflurla.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{50A6B23F-0055-41B7-AF2D-6689B24022A0}, Quarantined, [d3979a689ddec96db604ecbcec15ea16], 
PUP.Optional.Laflurla.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{B4A89CD3-C5F5-49C4-ABCF-5F26D636476F}, Quarantined, [d3979a689ddec96db604ecbcec15ea16], 
PUP.Optional.Laflurla.A, HKU\S-1-5-21-4016700205-1717049133-1125222536-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B4A89CD3-C5F5-49C4-ABCF-5F26D636476F}, Quarantined, [d3979a689ddec96db604ecbcec15ea16], 
PUP.Optional.Laflurla.A, HKU\S-1-5-21-4016700205-1717049133-1125222536-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4A89CD3-C5F5-49C4-ABCF-5F26D636476F}, Quarantined, [d3979a689ddec96db604ecbcec15ea16], 
PUP.Optional.Laflurla.A, HKLM\SOFTWARE\CLASSES\CLSID\{B4A89CD3-C5F5-49C4-ABCF-5F26D636476F}\INPROCSERVER32, Quarantined, [d3979a689ddec96db604ecbcec15ea16], 
PUP.Optional.BrowseFox.A, HKLM\SOFTWARE\CLASSES\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}, Quarantined, [b9b1fc064833c571ca499be1f50d53ad], 
PUP.Optional.Laflurla.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Laflurla, Quarantined, [f87272901f5c8fa70148b2e29f6352ae], 
PUP.Optional.Laflurla.A, HKLM\SOFTWARE\Laflurla, Quarantined, [4228b64cb1caa690292273214fb38080], 
PUP.Optional.Ligtning.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\cekcjpgehmohobmdiikfnopibipmgnml, Quarantined, [ce9cad556c0fc1752742c6d4c240f20e], 
PUP.Optional.Laflurla.A, HKU\S-1-5-21-4016700205-1717049133-1125222536-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Laflurla, Quarantined, [85e58a7889f2b77f9baf385c6a98cf31], 

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 4
PUP.Optional.Laflurla.A, C:\Program Files\Laflurla, Delete-on-Reboot, [f87272901f5c8fa70148b2e29f6352ae], 
PUP.Optional.eSafe.A, C:\ProgramData\eSafe\log, Quarantined, [2248b151f48772c48302dbbf18eaa35d], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 

Files: 18
PUP.Optional.Laflurla.A, C:\Program Files\Laflurla\updateLaflurla.exe, Delete-on-Reboot, [8dddbf432952b1859f1c9018f60b23dd], 
PUP.Optional.Sambreel.A, C:\Program Files\Laflurla\Laflurla.FirstRun.exe, Delete-on-Reboot, [da909c66bac1b581221e3c5ca1600ef2], 
PUP.Optional.Laflurla.A, C:\Program Files\Laflurla\LaflurlaBHO.dll, Quarantined, [d3979a689ddec96db604ecbcec15ea16], 
PUP.Optional.Laflurla.A, C:\Users\{username}\Desktop\Laflurla.exe, Quarantined, [dc8e4bb7c5b6f145685267410ff2c838], 
PUP.Optional.Laflurla.A, C:\Program Files\Laflurla\Laflurla.ico, Quarantined, [f87272901f5c8fa70148b2e29f6352ae], 
PUP.Optional.Laflurla.A, C:\Program Files\Laflurla\7za.exe, Quarantined, [f87272901f5c8fa70148b2e29f6352ae], 
PUP.Optional.Laflurla.A, C:\Program Files\Laflurla\LaflurlaUninstall.exe, Quarantined, [f87272901f5c8fa70148b2e29f6352ae], 
PUP.Optional.Laflurla.A, C:\Program Files\Laflurla\updateLaflurla.InstallState, Quarantined, [f87272901f5c8fa70148b2e29f6352ae], 
PUP.Optional.eSafe.A, C:\ProgramData\eSafe\log\eGdpSvc.LOG, Quarantined, [2248b151f48772c48302dbbf18eaa35d], 
PUP.Optional.NewTab.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\newtab.crx, Quarantined, [ed7d43bfa5d62a0c8778fb9f5fa3e21e], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\background.html, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\background.js, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\data.json, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\icon128.png, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\jquery.js, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\manifest.json, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\xa.js, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\xagainit.js, Quarantined, [9bcfa959fc7fd95d1240e3ae56acba46], 

Physical Sectors: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisement





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.