TechSpot

Trojan trouble

By David Templeton
Jul 26, 2012
  1. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 35

    Yes
     
  2. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    Let's start with IE.
    Open it, go to Tools > Internet options > Advanced tab and click on the "Reset" button.
    Restart IE.
    Same issue?
     
  3. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 35

    Yes, same issue.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.
     
  5. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 35

    # AdwCleaner v2.003 - Logfile created 10/02/2012 at 15:40:31
    # Updated 23/09/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : OWNER - GIFTFROMGOD
    # Boot Mode : Normal
    # Running from : C:\Users\OWNER\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
    Folder Deleted : C:\Program Files\Conduit
    Folder Deleted : C:\ProgramData\Ask
    Folder Deleted : C:\Users\OWNER\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\71jlrk59.default\Conduit
    Folder Deleted : C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\gnc54s2q.default-1342793624225\extensions\staged

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKLM\SOFTWARE\Software

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v15.0.1 (en-US)

    Profile name : default
    File : C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\71jlrk59.default\prefs.js

    C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\71jlrk59.default\user.js ... Deleted !

    Deleted : user_pref("CT2438727.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
    Deleted : user_pref("CT2438727.CTID", "CT2438727");
    Deleted : user_pref("CT2438727.CurrentServerDate", "17-1-2012");
    Deleted : user_pref("CT2438727.DialogsAlignMode", "LTR");
    Deleted : user_pref("CT2438727.DownloadReferralCookieData", "");
    Deleted : user_pref("CT2438727.FirstServerDate", "17-1-2012");
    Deleted : user_pref("CT2438727.FirstTime", true);
    Deleted : user_pref("CT2438727.FirstTimeFF3", true);
    Deleted : user_pref("CT2438727.FirstTimeSettingsDone", true);
    Deleted : user_pref("CT2438727.FixPageNotFoundErrors", true);
    Deleted : user_pref("CT2438727.GroupingServerCheckInterval", 1440);
    Deleted : user_pref("CT2438727.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
    Deleted : user_pref("CT2438727.Initialize", true);
    Deleted : user_pref("CT2438727.InitializeCommonPrefs", true);
    Deleted : user_pref("CT2438727.InstallationAndCookieDataSentCount", 1);
    Deleted : user_pref("CT2438727.InstalledDate", "Mon Jan 16 2012 17:34:29 GMT-0500 (Eastern Standard Time)");
    Deleted : user_pref("CT2438727.IsGrouping", false);
    Deleted : user_pref("CT2438727.IsMulticommunity", false);
    Deleted : user_pref("CT2438727.IsOpenThankYouPage", true);
    Deleted : user_pref("CT2438727.IsOpenUninstallPage", true);
    Deleted : user_pref("CT2438727.LanguagePackLastCheckTime", "Mon Jan 16 2012 17:34:29 GMT-0500 (Eastern Standar[...]
    Deleted : user_pref("CT2438727.LanguagePackReloadIntervalMM", 1440);
    Deleted : user_pref("CT2438727.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
    Deleted : user_pref("CT2438727.LastLogin_2.7.1.3", "Mon Jan 16 2012 17:34:38 GMT-0500 (Eastern Standard Time)"[...]
    Deleted : user_pref("CT2438727.LatestVersion", "3.9.0.3");
    Deleted : user_pref("CT2438727.Locale", "en");
    Deleted : user_pref("CT2438727.LoginCache", 4);
    Deleted : user_pref("CT2438727.MCDetectTooltipHeight", "83");
    Deleted : user_pref("CT2438727.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
    Deleted : user_pref("CT2438727.MCDetectTooltipWidth", "295");
    Deleted : user_pref("CT2438727.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TER[...]
    Deleted : user_pref("CT2438727.SearchFromAddressBarIsInit", true);
    Deleted : user_pref("CT2438727.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT243[...]
    Deleted : user_pref("CT2438727.SearchInNewTabEnabled", true);
    Deleted : user_pref("CT2438727.SearchInNewTabIntervalMM", 1440);
    Deleted : user_pref("CT2438727.SearchInNewTabLastCheckTime", "Mon Jan 16 2012 17:34:38 GMT-0500 (Eastern Stand[...]
    Deleted : user_pref("CT2438727.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
    Deleted : user_pref("CT2438727.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usa[...]
    Deleted : user_pref("CT2438727.SettingsCheckIntervalMin", 120);
    Deleted : user_pref("CT2438727.SettingsLastCheckTime", "Mon Jan 16 2012 17:34:27 GMT-0500 (Eastern Standard Ti[...]
    Deleted : user_pref("CT2438727.SettingsLastUpdate", "1326723880");
    Deleted : user_pref("CT2438727.ThirdPartyComponentsInterval", 504);
    Deleted : user_pref("CT2438727.ThirdPartyComponentsLastCheck", "Mon Jan 16 2012 17:34:26 GMT-0500 (Eastern Sta[...]
    Deleted : user_pref("CT2438727.ThirdPartyComponentsLastUpdate", "1312887586");
    Deleted : user_pref("CT2438727.TrusteLinkUrl", "hxxp://trust.conduit.com/EB_ORIGINAL_CTID");
    Deleted : user_pref("CT2438727.UserID", "UN51974067775422374");
    Deleted : user_pref("CT2438727.alertChannelId", "832836");
    Deleted : user_pref("CT2438727.clientLogIsEnabled", true);
    Deleted : user_pref("CT2438727.clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asm[...]
    Deleted : user_pref("CT2438727.myStuffEnabled", true);
    Deleted : user_pref("CT2438727.myStuffPublihserMinWidth", 400);
    Deleted : user_pref("CT2438727.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
    Deleted : user_pref("CT2438727.myStuffServiceIntervalMM", 1440);
    Deleted : user_pref("CT2438727.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
    Deleted : user_pref("CT2438727.uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Reg[...]
    Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://search.yahoo.com/search?fr=ffds1&[...]
    Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2438727");
    Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2438727");
    Deleted : user_pref("browser.search.defaultengine", "Ask.com");
    Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
    Deleted : user_pref("browser.search.order.1", "Ask.com");
    Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
    Deleted : user_pref("extensions.asktb.AviraIDW-TS", "1342739296419");
    Deleted : user_pref("extensions.asktb.AviraIDW-XML", "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<button xm[...]
    Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
    Deleted : user_pref("extensions.asktb.apn_dbr", "ff_14.0.1");
    Deleted : user_pref("extensions.asktb.cbid", "^ABY");
    Deleted : user_pref("extensions.asktb.config-updated", false);
    Deleted : user_pref("extensions.asktb.crumb", "2012.07.19+15.55.45-toolbar010iad-US-TW91bnQgTGF1cmVsLE5KLFVuaX[...]
    Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://avira.ask.com/web?q={query}&o={o}&l={[...]
    Deleted : user_pref("extensions.asktb.domain", "avira.ask.com");
    Deleted : user_pref("extensions.asktb.domainName", "avira.ask.com");
    Deleted : user_pref("extensions.asktb.dtid", "^YYYYYY^YY^US");
    Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "hxxp://isearch.avg.com/search?cid=%7B3311fec5[...]
    Deleted : user_pref("extensions.asktb.fresh-install", false);
    Deleted : user_pref("extensions.asktb.guid", "5e3a6592-3e9c-4ea3-8ec1-d152309dc2bd");
    Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
    Deleted : user_pref("extensions.asktb.if", "first");
    Deleted : user_pref("extensions.asktb.l", "dis");
    Deleted : user_pref("extensions.asktb.last-config-req", "1342739261774");
    Deleted : user_pref("extensions.asktb.locale", "en_US");
    Deleted : user_pref("extensions.asktb.localePref", true);
    Deleted : user_pref("extensions.asktb.location", "Mount Laurel,NJ,United States");
    Deleted : user_pref("extensions.asktb.notification-shown", true);
    Deleted : user_pref("extensions.asktb.o", "APN10400");
    Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
    Deleted : user_pref("extensions.asktb.qsrc", "2871");
    Deleted : user_pref("extensions.asktb.r", "2");
    Deleted : user_pref("extensions.asktb.sa", "YES");
    Deleted : user_pref("extensions.asktb.saguid", "A92791F2-8C29-4461-B432-950296D07240");
    Deleted : user_pref("extensions.asktb.search-plugin-suggestions-url", "hxxp://ss.websearch.ask.com/query?qsrc=[...]
    Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
    Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
    Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
    Deleted : user_pref("extensions.asktb.themeid", "");
    Deleted : user_pref("extensions.asktb.timeinstalled", "7/19/2012 6:57:01 PM");
    Deleted : user_pref("extensions.asktb.to", "");
    Deleted : user_pref("extensions.asktb.v", "3.15.4.100013");
    Deleted : user_pref("extensions.asktb.version", "5.15.4.23930");
    Deleted : user_pref("extensions.enabledAddons", "SkipScreen@SkipScreen:0.6.4,support@lastpass.com:1.90.6,{5F59[...]
    Deleted : user_pref("extensions.skipscreen.hostMatchStr", "hxxp://www.4shared.com/(get|audio|file|document|dir[...]
    Deleted : user_pref("extensions.toolbar@ask.com.install-event-fired", true);
    Deleted : user_pref("keyword.URL", "hxxp://isearch.avg.com/search?cid=%7B3311fec5-f47a-416d-a17b-20e4810c2272%[...]

    Profile name : default-1342793624225 [Profil par défaut]
    File : C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\gnc54s2q.default-1342793624225\prefs.js

    Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [10942 octets] - [02/10/2012 15:39:15]
    AdwCleaner[S1].txt - [11335 octets] - [02/10/2012 15:40:31]

    ########## EOF - C:\AdwCleaner[S1].txt - [11396 octets] ##########
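The log above is the only hard evidence in this thread, and it is worth mining rather than just pasting: the deleted registry keys, the Conduit toolbar id, the search-engine prefs and the hxxp:// hosts are the indicators you would pivot on to confirm nothing survived in the second Firefox profile or in another user's hive. What follows is an added example written for this page, not code from the thread, from AdwCleaner or from its author: a small Python parser for the AdwCleaner log format, run over a constructed excerpt modelled on the posted AdwCleaner[S1].txt. The "CT" + digits pattern for Conduit ids and the choice of which prefs count as search hijacks are my own assumptions, not something AdwCleaner defines.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the AdwCleaner[S1].txt posted in the thread
# (a few representative lines, not the full log). Lines ending in "[...]" are
# truncated by AdwCleaner itself, exactly as in the posted log.
SAMPLE_LOG = r"""# AdwCleaner v2.003 - Logfile created 10/02/2012 at 15:40:31
# Option [Delete]

***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\ProgramData\Ask

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727
Key Deleted : HKLM\Software\Conduit

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0.1 (en-US)

Deleted : user_pref("CT2438727.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TER[...]
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
Deleted : user_pref("extensions.asktb.domain", "avira.ask.com");
Deleted : user_pref("keyword.URL", "hxxp://isearch.avg.com/search?cid=%7B3311fec5-f47a-416d-a17b-20e4810c2272%[...]
"""

SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")
BROWSER_RE = re.compile(r"^-\\\\ (.+?) v(.*)$")
ENTRY_RE = re.compile(r"^(File Deleted|Folder Deleted|Key Deleted|Deleted|Restored) : (.*)$")
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)$')
URL_RE = re.compile(r"hxxps?://[^\s\"'\[\]]+")
# Conduit community-toolbar ids look like CT2438727 (assumed pattern, not an AdwCleaner concept).
TOOLBAR_ID_RE = re.compile(r"\bCT\d{6,}\b")
# Prefs that decide where a search goes (assumed list of hijack-relevant names).
SEARCH_PREF_RE = re.compile(r"^(browser\.search\.|keyword\.URL$|.*SearchEngine$|.*SearchFromAddressBar)")


def refang(url):
    """AdwCleaner writes hxxp:// so the log is not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url, count=1)


def parse_pref(raw):
    """Turn 'user_pref("name", value);' into (name, value, truncated)."""
    m = PREF_RE.match(raw)
    if not m:
        return None
    name, value = m.group(1), m.group(2).strip()
    truncated = value.endswith("[...]")
    if truncated:
        value = value[:-5]          # tool cut the line; the tail is unknown
    elif value.endswith(");"):
        value = value[:-2]
    if value.startswith('"'):
        value = value[1:]
        if not truncated and value.endswith('"'):
            value = value[:-1]
    return name, value, truncated


def parse_adwcleaner_log(text):
    """Split an AdwCleaner report into the indicator lists a responder pivots on."""
    result = {"sections": [], "browsers": [], "files": [], "folders": [],
              "registry_keys": [], "restored": [], "prefs": [], "truncated": [], "hosts": set()}
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            result["sections"].append(m.group(1))
            continue
        m = BROWSER_RE.match(line)
        if m:
            result["browsers"].append((m.group(1), m.group(2).strip()))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, payload = m.groups()
        for url in URL_RE.findall(payload):      # hosts survive truncation, full URLs may not
            host = urlparse(refang(url)).hostname
            if host:
                result["hosts"].add(host)
        if kind == "File Deleted":
            result["files"].append(payload)
        elif kind == "Folder Deleted":
            result["folders"].append(payload)
        elif kind == "Key Deleted":
            result["registry_keys"].append(payload)
        elif kind == "Restored":
            result["restored"].append(payload.strip("[]"))
        elif kind == "Deleted" and payload.startswith("user_pref("):
            pref = parse_pref(payload)
            if pref:
                name, value, truncated = pref
                result["prefs"].append((name, value))
                if truncated:
                    result["truncated"].append(name)
    return result


def hijacked_search_prefs(parsed):
    """Prefs that redirect searches: default engine, address-bar keyword URL, toolbar engine."""
    return [(n, v) for n, v in parsed["prefs"] if SEARCH_PREF_RE.match(n)]


def toolbar_ids(parsed):
    """Conduit toolbar ids seen anywhere in the log, one per installed community toolbar."""
    blobs = parsed["registry_keys"] + [n + " " + v for n, v in parsed["prefs"]]
    return sorted({i for b in blobs for i in TOOLBAR_ID_RE.findall(b)})


if __name__ == "__main__":
    r = parse_adwcleaner_log(SAMPLE_LOG)
    print("deleted:", len(r["files"]), "files,", len(r["folders"]), "folders,",
          len(r["registry_keys"]), "registry keys")
    print("search hijack prefs:", hijacked_search_prefs(r))
    print("contacted hosts:", sorted(r["hosts"]))
    print("toolbar ids:", toolbar_ids(r))
    print("truncated entries (only the host is reliable):", r["truncated"])
```

Two caveats the output makes visible. Entries that end in `[...]` were cut by AdwCleaner, so only the host part of those URLs can be trusted as an indicator; the parser records which prefs were truncated instead of pretending the value is complete. The `Restored` lines are not detections: they record AdwCleaner putting IE's `DefaultScope` back after the hijacked search scopes were removed, which is why the parser keeps them apart from the deleted keys.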
     
  6. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    How are things now?
     
  7. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 35

    Same results.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    Which browsers did you try?
    What exactly happens when you try to access it?
     
  9. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 35

  10. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
  11. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 35

    During the scan, this program showed about 4 items as found, but then appeared to crash, then a blue screen ensued. I tried to run it a couple more times, but had the same result. Not wanting to damage the contents of my hard drive, I stopped there.

    Nevertheless, on the bright side, as of just now, I'm able to access www.google.com sites??!?!??!

    What do you think?
     
  12. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    Good news :)
    I guess it was some botched registry setting which RK fixed.

    Good luck :)
     
  13. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 35

    I'm a bit concerned about the fact that it found 4 items that I didn't get removed. Since RK did not get to finish the scan nor run the delete portion of its functionality, is there something I should do to be sure that was fully resolved?
     
  14. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    Try to re-run it from safe mode.
     
  15. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 35

    Sorry it took me so long. I seem to have google access now. Even though I had the blue screen crashes. Didn't run yet in safe mode. Will try that next. Btw, what is the best way to "clean up" a pc? Is there a tool or several tools that you use to keep clutter down and performance up? Thanks!
     
  16. Broni

    Broni Malware Annihilator Posts: 52,747   +342

    Did RogueKiller eventually run?
     
