Trojan trouble

Solved
By David Templeton
Jul 26, 2012
  1. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 21

  2. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Let's start with IE.
    Open it, go to Tools > Internet options > Advanced tab, and click on the "Reset" button.
    Restart IE.
    Same issue?
     
  3. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 21

    Yes, same issue.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.
     
  5. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 21

    # AdwCleaner v2.003 - Logfile created 10/02/2012 at 15:40:31
    # Updated 23/09/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : OWNER - GIFTFROMGOD
    # Boot Mode : Normal
    # Running from : C:\Users\OWNER\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
    Folder Deleted : C:\Program Files\Conduit
    Folder Deleted : C:\ProgramData\Ask
    Folder Deleted : C:\Users\OWNER\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\71jlrk59.default\Conduit
    Folder Deleted : C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\gnc54s2q.default-1342793624225\extensions\staged

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKLM\SOFTWARE\Software

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v15.0.1 (en-US)

    Profile name : default
    File : C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\71jlrk59.default\prefs.js

    C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\71jlrk59.default\user.js ... Deleted !

    Deleted : user_pref("CT2438727.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
    Deleted : user_pref("CT2438727.CTID", "CT2438727");
    Deleted : user_pref("CT2438727.CurrentServerDate", "17-1-2012");
    Deleted : user_pref("CT2438727.DialogsAlignMode", "LTR");
    Deleted : user_pref("CT2438727.DownloadReferralCookieData", "");
    Deleted : user_pref("CT2438727.FirstServerDate", "17-1-2012");
    Deleted : user_pref("CT2438727.FirstTime", true);
    Deleted : user_pref("CT2438727.FirstTimeFF3", true);
    Deleted : user_pref("CT2438727.FirstTimeSettingsDone", true);
    Deleted : user_pref("CT2438727.FixPageNotFoundErrors", true);
    Deleted : user_pref("CT2438727.GroupingServerCheckInterval", 1440);
    Deleted : user_pref("CT2438727.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
    Deleted : user_pref("CT2438727.Initialize", true);
    Deleted : user_pref("CT2438727.InitializeCommonPrefs", true);
    Deleted : user_pref("CT2438727.InstallationAndCookieDataSentCount", 1);
    Deleted : user_pref("CT2438727.InstalledDate", "Mon Jan 16 2012 17:34:29 GMT-0500 (Eastern Standard Time)");
    Deleted : user_pref("CT2438727.IsGrouping", false);
    Deleted : user_pref("CT2438727.IsMulticommunity", false);
    Deleted : user_pref("CT2438727.IsOpenThankYouPage", true);
    Deleted : user_pref("CT2438727.IsOpenUninstallPage", true);
    Deleted : user_pref("CT2438727.LanguagePackLastCheckTime", "Mon Jan 16 2012 17:34:29 GMT-0500 (Eastern Standar[...]
    Deleted : user_pref("CT2438727.LanguagePackReloadIntervalMM", 1440);
    Deleted : user_pref("CT2438727.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
    Deleted : user_pref("CT2438727.LastLogin_2.7.1.3", "Mon Jan 16 2012 17:34:38 GMT-0500 (Eastern Standard Time)"[...]
    Deleted : user_pref("CT2438727.LatestVersion", "3.9.0.3");
    Deleted : user_pref("CT2438727.Locale", "en");
    Deleted : user_pref("CT2438727.LoginCache", 4);
    Deleted : user_pref("CT2438727.MCDetectTooltipHeight", "83");
    Deleted : user_pref("CT2438727.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
    Deleted : user_pref("CT2438727.MCDetectTooltipWidth", "295");
    Deleted : user_pref("CT2438727.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TER[...]
    Deleted : user_pref("CT2438727.SearchFromAddressBarIsInit", true);
    Deleted : user_pref("CT2438727.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT243[...]
    Deleted : user_pref("CT2438727.SearchInNewTabEnabled", true);
    Deleted : user_pref("CT2438727.SearchInNewTabIntervalMM", 1440);
    Deleted : user_pref("CT2438727.SearchInNewTabLastCheckTime", "Mon Jan 16 2012 17:34:38 GMT-0500 (Eastern Stand[...]
    Deleted : user_pref("CT2438727.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
    Deleted : user_pref("CT2438727.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usa[...]
    Deleted : user_pref("CT2438727.SettingsCheckIntervalMin", 120);
    Deleted : user_pref("CT2438727.SettingsLastCheckTime", "Mon Jan 16 2012 17:34:27 GMT-0500 (Eastern Standard Ti[...]
    Deleted : user_pref("CT2438727.SettingsLastUpdate", "1326723880");
    Deleted : user_pref("CT2438727.ThirdPartyComponentsInterval", 504);
    Deleted : user_pref("CT2438727.ThirdPartyComponentsLastCheck", "Mon Jan 16 2012 17:34:26 GMT-0500 (Eastern Sta[...]
    Deleted : user_pref("CT2438727.ThirdPartyComponentsLastUpdate", "1312887586");
    Deleted : user_pref("CT2438727.TrusteLinkUrl", "hxxp://trust.conduit.com/EB_ORIGINAL_CTID");
    Deleted : user_pref("CT2438727.UserID", "UN51974067775422374");
    Deleted : user_pref("CT2438727.alertChannelId", "832836");
    Deleted : user_pref("CT2438727.clientLogIsEnabled", true);
    Deleted : user_pref("CT2438727.clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asm[...]
    Deleted : user_pref("CT2438727.myStuffEnabled", true);
    Deleted : user_pref("CT2438727.myStuffPublihserMinWidth", 400);
    Deleted : user_pref("CT2438727.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
    Deleted : user_pref("CT2438727.myStuffServiceIntervalMM", 1440);
    Deleted : user_pref("CT2438727.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
    Deleted : user_pref("CT2438727.uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Reg[...]
    Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://search.yahoo.com/search?fr=ffds1&[...]
    Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2438727");
    Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2438727");
    Deleted : user_pref("browser.search.defaultengine", "Ask.com");
    Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
    Deleted : user_pref("browser.search.order.1", "Ask.com");
    Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
    Deleted : user_pref("extensions.asktb.AviraIDW-TS", "1342739296419");
    Deleted : user_pref("extensions.asktb.AviraIDW-XML", "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<button xm[...]
    Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
    Deleted : user_pref("extensions.asktb.apn_dbr", "ff_14.0.1");
    Deleted : user_pref("extensions.asktb.cbid", "^ABY");
    Deleted : user_pref("extensions.asktb.config-updated", false);
    Deleted : user_pref("extensions.asktb.crumb", "2012.07.19+15.55.45-toolbar010iad-US-TW91bnQgTGF1cmVsLE5KLFVuaX[...]
    Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://avira.ask.com/web?q={query}&o={o}&l={[...]
    Deleted : user_pref("extensions.asktb.domain", "avira.ask.com");
    Deleted : user_pref("extensions.asktb.domainName", "avira.ask.com");
    Deleted : user_pref("extensions.asktb.dtid", "^YYYYYY^YY^US");
    Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "hxxp://isearch.avg.com/search?cid=%7B3311fec5[...]
    Deleted : user_pref("extensions.asktb.fresh-install", false);
    Deleted : user_pref("extensions.asktb.guid", "5e3a6592-3e9c-4ea3-8ec1-d152309dc2bd");
    Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
    Deleted : user_pref("extensions.asktb.if", "first");
    Deleted : user_pref("extensions.asktb.l", "dis");
    Deleted : user_pref("extensions.asktb.last-config-req", "1342739261774");
    Deleted : user_pref("extensions.asktb.locale", "en_US");
    Deleted : user_pref("extensions.asktb.localePref", true);
    Deleted : user_pref("extensions.asktb.location", "Mount Laurel,NJ,United States");
    Deleted : user_pref("extensions.asktb.notification-shown", true);
    Deleted : user_pref("extensions.asktb.o", "APN10400");
    Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
    Deleted : user_pref("extensions.asktb.qsrc", "2871");
    Deleted : user_pref("extensions.asktb.r", "2");
    Deleted : user_pref("extensions.asktb.sa", "YES");
    Deleted : user_pref("extensions.asktb.saguid", "A92791F2-8C29-4461-B432-950296D07240");
    Deleted : user_pref("extensions.asktb.search-plugin-suggestions-url", "hxxp://ss.websearch.ask.com/query?qsrc=[...]
    Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
    Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
    Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
    Deleted : user_pref("extensions.asktb.themeid", "");
    Deleted : user_pref("extensions.asktb.timeinstalled", "7/19/2012 6:57:01 PM");
    Deleted : user_pref("extensions.asktb.to", "");
    Deleted : user_pref("extensions.asktb.v", "3.15.4.100013");
    Deleted : user_pref("extensions.asktb.version", "5.15.4.23930");
    Deleted : user_pref("extensions.enabledAddons", "SkipScreen@SkipScreen:0.6.4,support@lastpass.com:1.90.6,{5F59[...]
    Deleted : user_pref("extensions.skipscreen.hostMatchStr", "hxxp://www.4shared.com/(get|audio|file|document|dir[...]
    Deleted : user_pref("extensions.toolbar@ask.com.install-event-fired", true);
    Deleted : user_pref("keyword.URL", "hxxp://isearch.avg.com/search?cid=%7B3311fec5-f47a-416d-a17b-20e4810c2272%[...]

    Profile name : default-1342793624225 [Profil par défaut]
    File : C:\Users\OWNER\AppData\Roaming\Mozilla\Firefox\Profiles\gnc54s2q.default-1342793624225\prefs.js

    Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\OWNER\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [10942 octets] - [02/10/2012 15:39:15]
    AdwCleaner[S1].txt - [11335 octets] - [02/10/2012 15:40:31]

    ########## EOF - C:\AdwCleaner[S1].txt - [11396 octets] ##########
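The AdwCleaner log above shows the search hijack living in Firefox's user.js: Conduit (CT2438727.*), Ask toolbar (extensions.asktb.*) and overridden browser.search.* / keyword.URL prefs. The following is an added example, not part of the thread or of AdwCleaner, that parses user.js-style lines and flags the pref names this thread showed as hijack markers; the sample prefs and URLs are constructed.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample of Firefox user.js lines, modelled on the entries the
# AdwCleaner log reported as deleted (values are made up, not from the thread).
SAMPLE_USER_JS = r'''
user_pref("browser.search.defaultengine", "Ask.com");
user_pref("browser.search.selectedEngine", "AVG Secure Search");
user_pref("keyword.URL", "http://isearch.example.invalid/search?q=");
user_pref("CT2438727.SearchEngine", "Search||http://search.example.invalid/?q=");
user_pref("CommunityToolbar.ToolbarsList", "CT2438727");
user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
user_pref("extensions.asktb.localePref", true);
user_pref("browser.startup.homepage", "about:home");
user_pref("network.cookie.cookieBehavior", 1);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Pref-name patterns that, in this thread, marked a hijacked search setup.
HIJACK_PATTERNS = [
    re.compile(r"^keyword\.URL$"),
    re.compile(r"^browser\.search\.(defaultengine|defaultenginename|selectedEngine|order\.\d+)$"),
    re.compile(r"^CT\d+\."),            # Conduit toolbar id prefix, e.g. CT2438727.*
    re.compile(r"^CommunityToolbar\."),
    re.compile(r"^extensions\.asktb\."),
]

def parse_user_js(text: str) -> Dict[str, object]:
    """Return {pref_name: value} for every well-formed user_pref line."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)  # "string", true/false or a number
        except ValueError:
            prefs[name] = raw              # keep anything unparsable verbatim
    return prefs

def find_hijack_prefs(prefs: Dict[str, object]) -> List[Tuple[str, object]]:
    """Return the (name, value) pairs whose name matches a hijack pattern."""
    return [(n, v) for n, v in prefs.items()
            if any(p.match(n) for p in HIJACK_PATTERNS)]

if __name__ == "__main__":
    for name, value in find_hijack_prefs(parse_user_js(SAMPLE_USER_JS)):
        print(f"{name} = {value!r}")
```

Pointing it at a real profile's user.js (or the Deleted lines of an AdwCleaner log after stripping the `Deleted : ` prefix) lists which search-related prefs are being forced on each start.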
     
  6. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    How are things now?
     
  7. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 21

    Same results.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Which browsers did you try?
    What exactly happens when you try to access it?
     
  9. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 21

  10. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
  11. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 21

    During the scan, this program showed about 4 items as found, but then appeared to crash, then a blue screen ensued. I tried to run it a couple more times, but had the same result. Not wanting to damage the contents of my hard drive, I stopped there.

    Nevertheless, on the bright side, as of just now, I'm able to access www.google.com sites??!?!??!

    What do you think?
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Good news :)
    I guess it was some botched registry setting which RK fixed.

    Good luck :)
     
  13. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 21

    I'm a bit concerned about the fact that it found 4 items that I didn't get removed. Since RK did not get to finish the scan nor run the delete portion of its functionality, is there something I should do to be sure that was fully resolved?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Try to re-run it from safe mode.
     
  15. David Templeton

    David Templeton TS Rookie Topic Starter Posts: 21

    Sorry it took me so long. I seem to have Google access now, even though I had the blue screen crashes. I didn't run it in safe mode yet; will try that next. By the way, what is the best way to "clean up" a PC? Is there a tool or several tools that you use to keep clutter down and performance up? Thanks!
     
  16. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Did RogueKiller eventually run?
     