Tidaltv malware

[gdwitch]

I keep getting a pop up from Malwarebytes about detecting set.tidaltv.com and I can't make it stop.

 

[flavallee]

Go here, then click the large blue "Download Now @ Bleeping Computer" button to download and save AdwCleaner.exe to your desktop.

Close all open windows first, then double-click AdwCleaner.exe to load its main window.

Click the "Scan" button, then allow the scanning process to finish.
(Note: Several seconds may pass before the scanning process starts, so be patient.)

Click the "Logfile" button.

When the log appears, save it.

Return here to your thread, then copy-and-paste the ENTIRE log here.

Note: After you submit the log, close AdwCleaner. When the warning appears, click "Yes".

-------------------------------------------------------------------

When was the last time you ran a "Threat Scan" with Malwarebytes and allowed it to quarantine everything it found?

-------------------------------------------------------------------

 

[gdwitch]

# AdwCleaner v4.201 - Logfile created 14/04/2015 at 08:35:31
# Updated 08/04/2015 by Xplode
# Database : 2015-04-08.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Lucy - LUCY-PC
# Running from : C:\Users\Lucy\Downloads\adwcleaner_4.201.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ndibdjnfmopecpmkdieinmbadjfpblof_0.localstorage
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Found : C:\Users\Lucy\Favorites\Coupons
Folder Found : C:\Users\Lucy\Favorites\Coupons

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Found : [x64] HKLM\SOFTWARE\WebBar
Key Found : HKU\.DEFAULT\Software\AVG Secure Search

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Google Chrome v41.0.2272.118

[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://isearch.avg.com/search?cid={6DE74A80-DD07-4B68-9E78-72451B0DD2C0}&mid=7b4c53f7354f86da37b3a9a353dab16f-f4042bf9368560f17731813389c659f9541ec31f&lang=en&ds=AVG&pr=fr&d=2012-11-21 16:17:15&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3247201
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Found [Homepage] : hxxp://search.conduit.com/?ctid=CT3247201&SearchSource=48
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Found [Startup_URLs] : hxxp://search.conduit.com/?ctid=CT3247201&SearchSource=48

*************************

AdwCleaner[R2].txt - [4402 bytes] - [14/12/2014 15:07:13]
AdwCleaner[R3].txt - [4463 bytes] - [14/12/2014 17:45:26]
AdwCleaner[R4].txt - [4526 bytes] - [14/12/2014 18:09:05]
AdwCleaner[R5].txt - [4514 bytes] - [14/12/2014 19:43:14]
AdwCleaner[R6].txt - [1269 bytes] - [15/12/2014 09:18:18]
AdwCleaner[R7].txt - [4805 bytes] - [15/12/2014 11:42:26]
AdwCleaner[R8].txt - [3620 bytes] - [14/04/2015 08:35:31]
AdwCleaner[S2].txt - [4728 bytes] - [15/12/2014 11:45:11]

########## EOF - C:\AdwCleaner\AdwCleaner[R8].txt - [3738 bytes] ##########

 

[flavallee]

It looks like you used AdwCleaner several times in December, but you didn't allow it to delete the threats it found.

You didn't answer my question in the bottom part of post #2.

--------------------------------------------------------------------

Close all open windows first, then double-click AdwCleaner.exe to load its main window.

Click the "Scan" button, then allow the scanning process to finish.
(Note: Several seconds may pass before the scanning process starts, so be patient.)

Click the "Cleaning" button, then click "OK".

Allow the cleaning process to finish.

When it's finished, click "OK" in each window that appears.

The computer will restart.

When the log appears during restart, save it.

Return here to your thread, then copy-and-paste the ENTIRE log here.

--------------------------------------------------------------------

 

[gdwitch]

Here's the log. I could have sworn I deleted the threats in December. I run an automatic Malwarebytes scan every week and since this problem, I ran it again twice. It's coming up with no threats, yet this tidaltv thing persisted in popping up.

# AdwCleaner v4.201 - Logfile created 14/04/2015 at 12:18:53
# Updated 08/04/2015 by Xplode
# Database : 2015-04-08.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Lucy - LUCY-PC
# Running from : C:\Users\Lucy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M8NKPUAO\adwcleaner_4.201.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Lucy\Favorites\Coupons
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
File Deleted : C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ndibdjnfmopecpmkdieinmbadjfpblof_0.localstorage

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Deleted : HKU\.DEFAULT\Software\AVG Secure Search
Key Deleted : [x64] HKLM\SOFTWARE\WebBar
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Google Chrome v41.0.2272.118

[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.avg.com/search?cid={6DE74A80-DD07-4B68-9E78-72451B0DD2C0}&mid=7b4c53f7354f86da37b3a9a353dab16f-f4042bf9368560f17731813389c659f9541ec31f&lang=en&ds=AVG&pr=fr&d=2012-11-21 16:17:15&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3247201
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Homepage] : hxxp://search.conduit.com/?ctid=CT3247201&SearchSource=48
[C:\Users\Lucy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Startup_URLs] : hxxp://search.conduit.com/?ctid=CT3247201&SearchSource=48

*************************

AdwCleaner[R2].txt - [4402 bytes] - [14/12/2014 15:07:13]
AdwCleaner[R3].txt - [4463 bytes] - [14/12/2014 17:45:26]
AdwCleaner[R4].txt - [4526 bytes] - [14/12/2014 18:09:05]
AdwCleaner[R5].txt - [4514 bytes] - [14/12/2014 19:43:14]
AdwCleaner[R6].txt - [1269 bytes] - [15/12/2014 09:18:18]
AdwCleaner[R7].txt - [4805 bytes] - [15/12/2014 11:42:26]
AdwCleaner[R8].txt - [3821 bytes] - [14/04/2015 08:35:31]
AdwCleaner[R9].txt - [3948 bytes] - [14/04/2015 12:16:36]
AdwCleaner[S2].txt - [4728 bytes] - [15/12/2014 11:45:11]
AdwCleaner[S3].txt - [3865 bytes] - [14/04/2015 12:18:53]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [3924 bytes] ##########

 

[flavallee]

Download and save and then install the free version of SUPERAntiSpyware 6.0.1186

Make sure to uncheck and decline to install any extras, such as toolbars and homepages, it may offer.

Make sure to uncheck and decline to use the "Pro" or "Trial" version, if it's offered.

After it's installed, do the following with it:

Click "System Tools".

Click "Preferences", then uncheck "Run in the background (system tray)", then click "Done".

Click "Advanced Settings", then uncheck "Follow shortcuts (*.lnk) during scan", then click "OK - Done".

Click "Click here to check for updates".

When the definition files have updated, click "OK".

Click "Scan This Computer", then click Quick Scan.

If problems are found during the scan, the number of them will be highlighted in red.

When the scan is finished, click "Continue".

Make sure that EVERYTHING in the list is selected, then click "Continue".

When the removal process is complete, click "Continue".

If you're prompted to restart to finish the removal process, do so.

Start SUPERAntiSpyware again.

Click "System Tools", then click "Scan Logs".

Select the most current scan log, then click on its magnifying glass icon so it can open and be viewed, then save it on the desktop.

Return here, then copy-and-paste its ENTIRE contents here.

----------------------------------------------------------

 

[gdwitch]

Luckily I already had this program on my computer.

Scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/14/2015 at 05:28 PM

Application Version : 6.0.1186
Database Version : 11828

Scan type : Quick Scan
Total Scan Time : 00:01:13

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 615
Memory threats detected : 0
Registry items scanned : 57286
Registry threats detected : 0
File items scanned : 8180
File threats detected : 24

Adware.Tracking Cookie
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\XXALI37V.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\XXALI37V.txt [ /track.adform.net ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\QXS86UNI.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\QXS86UNI.txt [ /adform.net ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\5IA788XG.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\5IA788XG.txt [ /doubleclick.net ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\URHPZRQ2.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\URHPZRQ2.txt [ /atdmt.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\DEMDGLW1.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\DEMDGLW1.txt [ /smartadserver.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\AEF2HSA1.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\AEF2HSA1.txt [ /ru4.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\OEYW7B3L.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\OEYW7B3L.txt [ /imrworldwide.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\ROKCV0CH.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\ROKCV0CH.txt [ /ad.360yield.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\3IVUTCAK.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\3IVUTCAK.txt [ /burstnet.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\YL6DGQJL.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\YL6DGQJL.txt [ /247realmedia.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\I2R0H2HX.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\I2R0H2HX.txt [ /revsci.net ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\JS5FRRSW.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\JS5FRRSW.txt [ /advertising.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\NH4N1N83.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\NH4N1N83.txt [ /adtechus.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\MY2G2N0T.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\MY2G2N0T.txt [ /serving-sys.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\9O59DYW4.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\9O59DYW4.txt [ /oasc12.247realmedia.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\K09KRL5K.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\K09KRL5K.txt [ /casalemedia.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\IR5I82TI.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\IR5I82TI.txt [ /ads.undertone.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\L8QVKSCB.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\L8QVKSCB.txt [ /atwola.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\XTL9AZY0.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\XTL9AZY0.txt [ /statse.webtrendslive.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\AQSLXJ91.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\AQSLXJ91.txt [ /amazon-adsystem.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\RJ1A209Y.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\RJ1A209Y.txt [ /bs.serving-sys.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\TXKCVUYW.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\TXKCVUYW.txt [ /mediaplex.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\Y40VKV1E.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\Y40VKV1E.txt [ /oasc17.247realmedia.com ]
C:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\85A10AK2.txtC:\Users\Lucy\AppData\Roaming\Microsoft\Windows\Cookies\Low\85A10AK2.txt [ /zedo.com ]

============
End of Log
============

 

[flavallee]

Go here, then click the large blue "Download Now @ Author's Site" button to download and save TFC.exe (Temp File Cleaner by OldTimer) to your desktop.

After it's downloaded and saved, close all open windows.

Double-click it to load its main window.

Click the "Start" button.

If there are a large number of temp files or if there are multiple user accounts, the temp file deletion process may appear to freeze and may take a few minutes, so don't interfere with or abort it.

After it's finished, restart the computer.

Note: Advise how many temp files in MB's were found and deleted.

---------------------------------------------------------

 

[flavallee]

AFTER you complete the instructions in post #8, do the following:

Click Start, then type MSCONFIG in the search or run box, then press the Enter key.

When the small "System Configuration" window appears, click the "Startup" tab.

Write down ONLY the names in the "Startup Item" column that have a checkmark next to them.

If the "Startup Item" column isn't wide enough to see the entire name of any of them, widen the column.

Submit those names here in a vertical list.

Make sure to spell them EXACTLY as you see them there.

--------------------------------------------------------------

 

[gdwitch]

TFC.exe Total Cleaned 3,249.00 mb

Start up:
Microsoft Security Client
NVIDIA Backend
NVIDIA Geforce Experience
GoogleToolbarNotifier

 

[flavallee]

TFC.exe Total Cleaned 3,249.00 mb

That was a lot of temp files. You might want to put it to use at least once a month.

Start up:
Microsoft Security Client
NVIDIA Backend
NVIDIA Geforce Experience
GoogleToolbarNotifier

----------------------------------------------------------

 

[gdwitch]

okay, so this thing is still popping up after all that.

 

[flavallee]

Open the Programs And Features" window. This is where your installed programs, etc. are located.

If you see any names in the list that you don't recognize, submit their exact names here.

------------------------------------------------------------

 

[gdwitch]

Not too much just:
Host OpenAl
Web IQ Technology Engine

 

[flavallee]

You may need to get help from the gold shield specialists at the Virus & Other Malware Removal section.

Click the orange "Report" button and then request to have your thread moved there.

----------------------------------------------------------