TechSpot

Win64/patched.a

Solved
By mossimo654
Nov 4, 2012
  1. mossimo654

    mossimo654 TS Rookie Topic Starter Posts: 22

    # AdwCleaner v2.006 - Logfile created 11/04/2012 at 13:18:58
    # Updated 30/10/2012 by Xplode
    # Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
    # User : Kyle - KYLE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Kyle\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\Program Files (x86)\Conduit
    Folder Deleted : C:\Users\Kyle\AppData\Local\Conduit
    Folder Deleted : C:\Users\Kyle\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\tt6i0gtg.default\Smartbar

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468 --> hxxp://www.google.com

    -\\ Mozilla Firefox v16.0.2 (en-US)

    Profile name : default
    File : C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\tt6i0gtg.default\prefs.js

    Deleted : user_pref("CT3220468.BT_Stats", "{\"last_log\":1346634322,\"uuid\":983825999615698,\"seq_id\":1,\"ss[...]
    Deleted : user_pref("CT3220468.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
    Deleted : user_pref("CT3220468.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
    Deleted : user_pref("CT3220468.FirstTime", "true");
    Deleted : user_pref("CT3220468.FirstTimeFF3", "true");
    Deleted : user_pref("CT3220468.UserID", "UN50889360411858629");
    Deleted : user_pref("CT3220468.addressBarTakeOverEnabledInHidden", "true");
    Deleted : user_pref("CT3220468.autoDisableScopes", -1);
    Deleted : user_pref("CT3220468.cbcountry_001", "US");
    Deleted : user_pref("CT3220468.cbfirsttime", "Sun Sep 02 2012 18:05:22 GMT-0700 (Pacific Daylight Time)");
    Deleted : user_pref("CT3220468.defaultSearch", "FALSE");
    Deleted : user_pref("CT3220468.embeddedsData", "[{\"appId\":\"129813684258939747\",\"apiPermissions\":{\"cross[...]
    Deleted : user_pref("CT3220468.enableAlerts", "always");
    Deleted : user_pref("CT3220468.enableSearchFromAddressBar", "FALSE");
    Deleted : user_pref("CT3220468.firstTimeDialogOpened", "true");
    Deleted : user_pref("CT3220468.fixPageNotFoundError", "true");
    Deleted : user_pref("CT3220468.fixPageNotFoundErrorInHidden", "true");
    Deleted : user_pref("CT3220468.fixUrls", true);
    Deleted : user_pref("CT3220468.installId", "fftB25E.tmp.exe");
    Deleted : user_pref("CT3220468.installType", "XPE");
    Deleted : user_pref("CT3220468.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
    Deleted : user_pref("CT3220468.isNewTabEnabled", true);
    Deleted : user_pref("CT3220468.isPerformedSmartBarTransition", "true");
    Deleted : user_pref("CT3220468.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
    Deleted : user_pref("CT3220468.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
    Deleted : user_pref("CT3220468.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"anti spyware\",\"EB_MAIN_FRAME_U[...]
    Deleted : user_pref("CT3220468.openThankYouPage", "true");
    Deleted : user_pref("CT3220468.openUninstallPage", "FALSE");
    Deleted : user_pref("CT3220468.search.searchAppId", "129813684258939747");
    Deleted : user_pref("CT3220468.search.searchCount", "0");
    Deleted : user_pref("CT3220468.searchInNewTabEnabledInHidden", "true");
    Deleted : user_pref("CT3220468.searchProtector.notifyChanges", "{\"dataType\":\"string\",\"data\":\"true\"}");
    Deleted : user_pref("CT3220468.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
    Deleted : user_pref("CT3220468.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
    Deleted : user_pref("CT3220468.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"2\[...]
    Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
    Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
    Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
    Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
    Deleted : user_pref("CT3220468.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data[...]
    Deleted : user_pref("CT3220468.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1346634320667");
    Deleted : user_pref("CT3220468.serviceLayer_services_appsMetadata_lastUpdate", "1346634320504");
    Deleted : user_pref("CT3220468.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1346634320618");
    Deleted : user_pref("CT3220468.serviceLayer_services_login_10.10.27.6_lastUpdate", "1346634320877");
    Deleted : user_pref("CT3220468.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1346634320672");
    Deleted : user_pref("CT3220468.serviceLayer_services_searchAPI_lastUpdate", "1346634320548");
    Deleted : user_pref("CT3220468.serviceLayer_services_serviceMap_lastUpdate", "1346634320223");
    Deleted : user_pref("CT3220468.serviceLayer_services_toolbarContextMenu_lastUpdate", "1346634320646");
    Deleted : user_pref("CT3220468.serviceLayer_services_toolbarSettings_lastUpdate", "1346634320332");
    Deleted : user_pref("CT3220468.serviceLayer_services_translation_lastUpdate", "1346634320506");
    Deleted : user_pref("CT3220468.settingsINI", true);
    Deleted : user_pref("CT3220468.shouldFirstTimeDialog", "false");
    Deleted : user_pref("CT3220468.smartbar.CTID", "CT3220468");
    Deleted : user_pref("CT3220468.smartbar.Uninstall", "1");
    Deleted : user_pref("CT3220468.smartbar.homepage", true);
    Deleted : user_pref("CT3220468.smartbar.toolbarName", "uTorrentControl_v2 ");
    Deleted : user_pref("CT3220468.startPage", "TRUE");
    Deleted : user_pref("CT3220468.toolbarBornServerTime", "4-9-2012");
    Deleted : user_pref("CT3220468.toolbarCurrentServerTime", "4-9-2012");
    Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=1[...]

    *************************

    AdwCleaner[R1].txt - [6720 octets] - [04/11/2012 13:18:07]
    AdwCleaner[S1].txt - [6621 octets] - [04/11/2012 13:18:58]

    ########## EOF - C:\AdwCleaner[S1].txt - [6681 octets] ##########
     
  2. mossimo654

    mossimo654 TS Rookie Topic Starter Posts: 22

    C:\Users\Kyle\Desktop\New folder\Image_Line_Vocodex_VST_v1_0_keygen_by_AiR.zip a variant of Win32/Kryptik.AODG trojan
    C:\_OTL\MovedFiles\11042012_131003\C_FRST\Quarantine\{0aaae9d4-1845-58c1-a35b-3b645d409b85}\U\00000004.@ Win64/Conedex.C trojan
    C:\_OTL\MovedFiles\11042012_131003\C_FRST\Quarantine\{0aaae9d4-1845-58c1-a35b-3b645d409b85}\U\00000008.@ Win64/Agent.BA trojan
    C:\_OTL\MovedFiles\11042012_131003\C_FRST\Quarantine\{0aaae9d4-1845-58c1-a35b-3b645d409b85}\U\000000cb.@ Win64/Conedex.B trojan
    C:\_OTL\MovedFiles\11042012_131003\C_FRST\Quarantine\{0aaae9d4-1845-58c1-a35b-3b645d409b85}\U\80000000.@ Win64/Sirefef.AW trojan
    C:\_OTL\MovedFiles\11042012_131003\C_FRST\Quarantine\{0aaae9d4-1845-58c1-a35b-3b645d409b85}\U\80000032.@ probably a variant of Win32/Sirefef.FD trojan
    C:\_OTL\MovedFiles\11042012_131003\C_FRST\Quarantine\{0aaae9d4-1845-58c1-a35b-3b645d409b85}\U\80000064.@ a variant of Win64/Sirefef.AN trojan
     
  3. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please, let me know, how your computer is doing.
     
  4. mossimo654

    mossimo654 TS Rookie Topic Starter Posts: 22

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Kyle
    ->Temp folder emptied: 1416615 bytes
    ->Temporary Internet Files folder emptied: 34214 bytes
    ->FireFox cache emptied: 105615401 bytes
    ->Flash cache emptied: 1410 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 102.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Kyle
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Kyle

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 11042012_142725

    Files\Folders moved on Reboot...
    C:\Users\Kyle\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  5. mossimo654

    mossimo654 TS Rookie Topic Starter Posts: 22

    Computer's doing fine. Virus warnings have disappeared, and I've done scans with AVG now too that have located and destroyed the same trojans that the others were finding. Thanks so much for your help! Is there any way to delete this thread so that my personal computer information isn't available for others to see?

    Once again you have been a HUGE help. Is this a profession or a hobby for you?
     
  6. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Hobby :)

    Way to go!! [​IMG]
    Good luck and stay safe :)

    PM one of the mods regarding topic deletion.
     
  7. mossimo654

    mossimo654 TS Rookie Topic Starter Posts: 22

    Thanks man you rock
     
  8. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    You're very welcome [​IMG]
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.