So in the last month I'm having problems with redirects. They seem to be Conduit, and BeesQ. I've tried the simple things such as running CC Cleaner, UnInstalling, and running Malware, but I think I have a bigger problems on my hands with Roots/Trojans. Any help you can give me would be really appreciated!
Conduit Redirect
- Thread starter Melbee
- Start date
Fiery
Level 1
- Jan 11, 2011
- 2,007
Hi and welcome to MalwareTips! 
I'm Fiery and I would gladly assist you in removing the malware on your computer.
PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.
Before we start:
<hr>
Open OTL. Under custom scan/fixes, copy and paste the following:
Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.
Next, Please download AdwCleaner by Xplode onto your desktop.
Please download Junkware Removal Tool to your desktop from here
I'm Fiery and I would gladly assist you in removing the malware on your computer.
PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.
Before we start:
- Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
- Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
- Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
- Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
- The absence of symptoms does not mean your PC is fully disinfected.
- If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
- Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.
<hr>
Open OTL. Under custom scan/fixes, copy and paste the following:
Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.
Next, Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
- Click delete
- Please post the content of that logfile with your next reply.
- You can find the logfile at C:\AdwCleaner[S1].txt
Please download Junkware Removal Tool to your desktop from here
- Turn off your antivirus software now to avoid potential conflicts
- Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
- The tool will open and start scanning your system
- Please be patient as this can take a while to complete depending on your system's specifications
- On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
- Post the contents of JRT.txt into your next reply
Thanks for helping me with this! Here are the results:
# AdwCleaner v2.306 - Logfile created 08/16/2013 at 17:18:57
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Melbee - MR_FANTASTIC
# Boot Mode : Normal
# Running from : C:\Users\Melbee\Downloads\AdwCleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\END
File Deleted : C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\searchplugins\Conduit.xml
File Deleted : C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\searchplugins\delta.xml
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Melbee\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Melbee\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\jetpack
Folder Deleted : C:\Users\Melbee\AppData\Roaming\OpenCandy
***** [Registry] *****
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\Vid-Saver
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3303001
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3309758
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Vid-Saver_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Vid-Saver_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pgmfkblbflahhponhjmkcnpjinenhlnc
Key Deleted : HKLM\SOFTWARE\Tarma Installer
***** [Internet Browsers] *****
-\\ Internet Explorer v10.0.9200.16660
[OK] Registry is clean.
-\\ Mozilla Firefox v22.0 (en-US)
File : C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\prefs.js
C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\user.js ... Deleted !
Deleted : user_pref("CT3303001_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("CT3309758_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3309758&octid=CT330975[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=C[...]
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3309758");
Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Deleted : user_pref("extensions.delta.id", "4ced4cef00000000000090e6baca2627");
Deleted : user_pref("extensions.delta.instlDay", "15831");
Deleted : user_pref("extensions.delta.instlRef", "sst");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.smplGrp", "none");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.16.16");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.16.1613:39:29");
Deleted : user_pref("extensions.delta.vrsni", "1.8.16.16");
Deleted : user_pref("smartbar.machineId", "2MR2QY9FHDUQPBIJU9KCKYQCAZ4MX+BCPSGBIYVY0GLEDBIYQIHLHW5+J2QDVLHYGGT[...]
-\\ Google Chrome v28.0.1500.95
File : C:\Users\Melbee\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted [l.72] : icon_url = "hxxp://search.conduit.com/fav.ico",
Deleted [l.75] : keyword = "search.conduit.com",
Deleted [l.79] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN35[...]
Deleted [l.80] : suggest_url = "hxxp://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=U[...]
Deleted [l.2718] : homepage = "hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35977758353241520&UM[...]
Deleted [l.3535] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI[...]
*************************
AdwCleaner[R1].txt - [33221 octets] - [09/10/2012 13:15:36]
AdwCleaner[R2].txt - [36131 octets] - [27/01/2013 19:46:26]
AdwCleaner[R3].txt - [2276 octets] - [23/07/2013 14:52:38]
AdwCleaner[S1].txt - [36723 octets] - [27/01/2013 19:46:52]
AdwCleaner[S2].txt - [2312 octets] - [23/07/2013 14:53:08]
AdwCleaner[S3].txt - [6048 octets] - [16/08/2013 17:18:57]
########## EOF - C:\AdwCleaner[S3].txt - [6108 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.4.6 (08.15.2013:1)
OS: Windows 7 Home Premium x64
Ran by Melbee on Fri 08/16/2013 at 18:32:03.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\TaskScheduler_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\TaskScheduler_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\TaskScheduler_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\TaskScheduler_RASMANCS
~~~ Files
~~~ Folders
Successfully deleted: [Folder] "C:\ProgramData\pc1data"
Successfully deleted: [Folder] "C:\Users\Melbee\AppData\Roaming\pc cleaners"
Successfully deleted: [Folder] "C:\Users\Melbee\AppData\Roaming\pcpro"
Successfully deleted: [Folder] "C:\Users\Melbee\AppData\Roaming\startnow toolbar"
Successfully deleted: [Folder] "C:\Users\Melbee\appdata\local\cre"
Successfully deleted: [Folder] "C:\Program Files (x86)\mypc backup"
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{101758F4-6A4A-4BF7-9578-B96338C5E1B0}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{10A785D3-EE9E-4E74-AD22-55545D2AF7CA}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{249A60BB-7B16-4C66-BD8D-56DB1C2E4328}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{2B33B948-EFD7-4663-AAD6-8802F75A3CCD}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{4DB02853-589C-4D5C-A501-4E1C99EB24AE}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{5B1F3A71-56CD-4880-B5BF-356B1D726CEB}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{68938339-31DE-4B98-AF11-B3553C953A0D}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{964BA085-A1BC-443B-BBD6-44D077315C7D}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{A72FD78E-3DAF-400B-9466-48E592BEF236}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{AA79BF5D-9E17-40DE-AC10-AEDC61A7AB9F}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{B0C616F7-C4C9-49AB-85D2-D2C2192EF695}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{D0A32925-52A1-4F9A-A01E-D60EA17F6C3A}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{DCF06D7F-2B39-4C6D-A3A4-92DF6831C25F}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{EE075814-4890-4414-89FA-E798DBDD9F5A}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{FC158D91-7A8F-4D61-B373-DDB5B6B85BB6}
~~~ FireFox
Failed to delete: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
Successfully deleted: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
Successfully deleted: [File] C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\extensions\kfxtbfbvkt@kfxtbfbvkt.org.xpi [Tracur]
Successfully deleted: [File] C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\invalidprefs.js
Successfully deleted the following from C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\prefs.js
user_pref("extensions.crossrider.bic", "13810fd64f8a2f5ee563b179c7eac559");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.update_url", "hxxp://tbupdate.zugo.com/ztb/update?partner_id={partner_id}&product_id={product_id}&affiliate_id={affiliate_id}
Emptied folder: C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\minidumps [22 files]
~~~ Chrome
Dumping contents of C:\Users\Melbee\appdata\local\Google\Chrome\User Data\Default\Default
C:\Users\Melbee\appdata\local\Google\Chrome\User Data\Default\Default\aadededcdgdidbdedggfgbdadegbdade
C:\Users\Melbee\appdata\local\Google\Chrome\User Data\Default\Default\aadededcdgdidbdedggfgbdadegbdade\manifest.json
Successfully deleted: [Folder] C:\Users\Melbee\appdata\local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/16/2013 at 18:37:07.61
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{96FC3743-190E-4316-9EBD-42573AD134BC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3743-190E-4316-9EBD-42573AD134BC}\ not found.
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3309758&CUI=UN26994649939650276&UM=2&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3309758&SearchSource=2&CUI=UN26994649939650276&UM=2&q=" removed from keyword.URL
Prefs.js: "TrustWorthy Customized Web Search" removed from browser.search.defaultenginename
Prefs.js: "TrustWorthy Customized Web Search" removed from browser.search.defaultthis.engineName
File C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\searchplugins\conduit.xml not found.
Use Chrome's Settings page to remove the default_search_provider items.
Use Chrome's Settings page to remove the default_search_provider items.
Use Chrome's Settings page to remove the default_search_provider items.
Use Chrome's Settings page to change the HomePage.
C:\Users\Melbee\AppData\Local\Conduit folder moved successfully.
C:\Program Files (x86)\Conduit\CT3309758\plugins folder moved successfully.
C:\Program Files (x86)\Conduit\CT3309758 folder moved successfully.
C:\Program Files (x86)\Conduit\CT3303001\plugins folder moved successfully.
C:\Program Files (x86)\Conduit\CT3303001 folder moved successfully.
C:\Program Files (x86)\Conduit\Community Alerts folder moved successfully.
C:\Program Files (x86)\Conduit folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Melbee
->Temp folder emptied: 91704093 bytes
->Temporary Internet Files folder emptied: 5651045 bytes
->Java cache emptied: 2991697 bytes
->FireFox cache emptied: 87484720 bytes
->Google Chrome cache emptied: 334777466 bytes
->Flash cache emptied: 6671 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 83410027 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 42328155 bytes
RecycleBin emptied: 43281387088 bytes
Total Files Cleaned = 41,895.00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 08162013_170647
Files\Folders moved on Reboot...
C:\Users\Melbee\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Windows\temp\TMP0000000112F2CFDDB58DDB31 not found!
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
# AdwCleaner v2.306 - Logfile created 08/16/2013 at 17:18:57
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Melbee - MR_FANTASTIC
# Boot Mode : Normal
# Running from : C:\Users\Melbee\Downloads\AdwCleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\END
File Deleted : C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\searchplugins\Conduit.xml
File Deleted : C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\searchplugins\delta.xml
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Melbee\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Melbee\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\jetpack
Folder Deleted : C:\Users\Melbee\AppData\Roaming\OpenCandy
***** [Registry] *****
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\Vid-Saver
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3303001
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3309758
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Vid-Saver_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Vid-Saver_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pgmfkblbflahhponhjmkcnpjinenhlnc
Key Deleted : HKLM\SOFTWARE\Tarma Installer
***** [Internet Browsers] *****
-\\ Internet Explorer v10.0.9200.16660
[OK] Registry is clean.
-\\ Mozilla Firefox v22.0 (en-US)
File : C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\prefs.js
C:\Users\Melbee\AppData\Roaming\Mozilla\Firefox\Profiles\be1qz4m5.default\user.js ... Deleted !
Deleted : user_pref("CT3303001_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("CT3309758_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3309758&octid=CT330975[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=C[...]
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3309758");
Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Deleted : user_pref("extensions.delta.id", "4ced4cef00000000000090e6baca2627");
Deleted : user_pref("extensions.delta.instlDay", "15831");
Deleted : user_pref("extensions.delta.instlRef", "sst");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.smplGrp", "none");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.16.16");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.16.1613:39:29");
Deleted : user_pref("extensions.delta.vrsni", "1.8.16.16");
Deleted : user_pref("smartbar.machineId", "2MR2QY9FHDUQPBIJU9KCKYQCAZ4MX+BCPSGBIYVY0GLEDBIYQIHLHW5+J2QDVLHYGGT[...]
-\\ Google Chrome v28.0.1500.95
File : C:\Users\Melbee\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted [l.72] : icon_url = "hxxp://search.conduit.com/fav.ico",
Deleted [l.75] : keyword = "search.conduit.com",
Deleted [l.79] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN35[...]
Deleted [l.80] : suggest_url = "hxxp://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=U[...]
Deleted [l.2718] : homepage = "hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35977758353241520&UM[...]
Deleted [l.3535] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI[...]
*************************
AdwCleaner[R1].txt - [33221 octets] - [09/10/2012 13:15:36]
AdwCleaner[R2].txt - [36131 octets] - [27/01/2013 19:46:26]
AdwCleaner[R3].txt - [2276 octets] - [23/07/2013 14:52:38]
AdwCleaner[S1].txt - [36723 octets] - [27/01/2013 19:46:52]
AdwCleaner[S2].txt - [2312 octets] - [23/07/2013 14:53:08]
AdwCleaner[S3].txt - [6048 octets] - [16/08/2013 17:18:57]
########## EOF - C:\AdwCleaner[S3].txt - [6108 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.4.6 (08.15.2013:1)
OS: Windows 7 Home Premium x64
Ran by Melbee on Fri 08/16/2013 at 18:32:03.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\TaskScheduler_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\TaskScheduler_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\TaskScheduler_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\TaskScheduler_RASMANCS
~~~ Files
~~~ Folders
Successfully deleted: [Folder] "C:\ProgramData\pc1data"
Successfully deleted: [Folder] "C:\Users\Melbee\AppData\Roaming\pc cleaners"
Successfully deleted: [Folder] "C:\Users\Melbee\AppData\Roaming\pcpro"
Successfully deleted: [Folder] "C:\Users\Melbee\AppData\Roaming\startnow toolbar"
Successfully deleted: [Folder] "C:\Users\Melbee\appdata\local\cre"
Successfully deleted: [Folder] "C:\Program Files (x86)\mypc backup"
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{101758F4-6A4A-4BF7-9578-B96338C5E1B0}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{10A785D3-EE9E-4E74-AD22-55545D2AF7CA}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{249A60BB-7B16-4C66-BD8D-56DB1C2E4328}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{2B33B948-EFD7-4663-AAD6-8802F75A3CCD}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{4DB02853-589C-4D5C-A501-4E1C99EB24AE}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{5B1F3A71-56CD-4880-B5BF-356B1D726CEB}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{68938339-31DE-4B98-AF11-B3553C953A0D}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{964BA085-A1BC-443B-BBD6-44D077315C7D}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{A72FD78E-3DAF-400B-9466-48E592BEF236}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{AA79BF5D-9E17-40DE-AC10-AEDC61A7AB9F}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{B0C616F7-C4C9-49AB-85D2-D2C2192EF695}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{D0A32925-52A1-4F9A-A01E-D60EA17F6C3A}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{DCF06D7F-2B39-4C6D-A3A4-92DF6831C25F}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{EE075814-4890-4414-89FA-E798DBDD9F5A}
Successfully deleted: [Empty Folder] C:\Users\Melbee\appdata\local\{FC158D91-7A8F-4D61-B373-DDB5B6B85BB6}
~~~ FireFox
Failed to delete: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
Successfully deleted: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
Successfully deleted: [File] C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\extensions\kfxtbfbvkt@kfxtbfbvkt.org.xpi [Tracur]
Successfully deleted: [File] C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\invalidprefs.js
Successfully deleted the following from C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\prefs.js
user_pref("extensions.crossrider.bic", "13810fd64f8a2f5ee563b179c7eac559");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.update_url", "hxxp://tbupdate.zugo.com/ztb/update?partner_id={partner_id}&product_id={product_id}&affiliate_id={affiliate_id}
Emptied folder: C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\minidumps [22 files]
~~~ Chrome
Dumping contents of C:\Users\Melbee\appdata\local\Google\Chrome\User Data\Default\Default
C:\Users\Melbee\appdata\local\Google\Chrome\User Data\Default\Default\aadededcdgdidbdedggfgbdadegbdade
C:\Users\Melbee\appdata\local\Google\Chrome\User Data\Default\Default\aadededcdgdidbdedggfgbdadegbdade\manifest.json
Successfully deleted: [Folder] C:\Users\Melbee\appdata\local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/16/2013 at 18:37:07.61
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{96FC3743-190E-4316-9EBD-42573AD134BC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{96FC3743-190E-4316-9EBD-42573AD134BC}\ not found.
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3309758&CUI=UN26994649939650276&UM=2&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3309758&SearchSource=2&CUI=UN26994649939650276&UM=2&q=" removed from keyword.URL
Prefs.js: "TrustWorthy Customized Web Search" removed from browser.search.defaultenginename
Prefs.js: "TrustWorthy Customized Web Search" removed from browser.search.defaultthis.engineName
File C:\Users\Melbee\AppData\Roaming\mozilla\firefox\profiles\be1qz4m5.default\searchplugins\conduit.xml not found.
Use Chrome's Settings page to remove the default_search_provider items.
Use Chrome's Settings page to remove the default_search_provider items.
Use Chrome's Settings page to remove the default_search_provider items.
Use Chrome's Settings page to change the HomePage.
C:\Users\Melbee\AppData\Local\Conduit folder moved successfully.
C:\Program Files (x86)\Conduit\CT3309758\plugins folder moved successfully.
C:\Program Files (x86)\Conduit\CT3309758 folder moved successfully.
C:\Program Files (x86)\Conduit\CT3303001\plugins folder moved successfully.
C:\Program Files (x86)\Conduit\CT3303001 folder moved successfully.
C:\Program Files (x86)\Conduit\Community Alerts folder moved successfully.
C:\Program Files (x86)\Conduit folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Melbee
->Temp folder emptied: 91704093 bytes
->Temporary Internet Files folder emptied: 5651045 bytes
->Java cache emptied: 2991697 bytes
->FireFox cache emptied: 87484720 bytes
->Google Chrome cache emptied: 334777466 bytes
->Flash cache emptied: 6671 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 83410027 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 42328155 bytes
RecycleBin emptied: 43281387088 bytes
Total Files Cleaned = 41,895.00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 08162013_170647
Files\Folders moved on Reboot...
C:\Users\Melbee\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Windows\temp\TMP0000000112F2CFDDB58DDB31 not found!
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
Fiery
Level 1
- Jan 11, 2011
- 2,007
Any more redirect?
Please download Malwarebytes' Anti-Malware from here to your desktop.
Run Eset NOD32 Online AntiVirus here
Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator
Please download Malwarebytes' Anti-Malware from here to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version.
- When it prompts you to try their 30-day trail, click decline
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Run Eset NOD32 Online AntiVirus here
Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the activex control to install
- Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
- Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
- Scan unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Click Scan
- Wait for the scan to finish
- When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
- Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
- The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
Similar threads
-
- Locked
-
- Locked
