
Unwanted surveys, red & blue highlighted links and Zone Alarm home page on IE

Discussion in 'Virus & Other Malware Removal' started by exfarmer, Jul 3, 2013.

  1. nunped

    nunped Malware Specialist

    Joined:
    Sep 20, 2012
    Messages:
    234
    Hi exfarmer,

    We'll get rid of it along with otshot.
    Can you tell me where you downloaded Firefox from, or what sites you visited right after the installation? It appears you got some Potentially Unwanted Programs (PUPs) installed at 2013/07/22 11:16:36, right after installing Firefox. This shouldn't happen if you downloaded it from the official site...
    If you want to know more about this kind of software, please read Bundled Software.

    I strongly recommend that you visit mywot.com and install the plugin from there. Avoid sites with a bad reputation, and don't download anything from them.
    Each website/forum is different. Here at TSG, you should click "My Account" at the top of the webpage; then "edit your details" on the left side; then click the button "edit e-mail and password". You should enter your old password and then your new password two times.

    Next:
    AdwCleaner


    • Close all open programs and internet browsers.
    • Right click on adwcleaner.exe and select "Run as administrator" to run it.
    • Click on Delete.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    OTL fix

    • Right click OTL.exe and select "Run as Administrator" to launch the program.
    • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
    Code:
    :commands 
    [createrestorepoint]  
    :OTL 
    SRV - [2013/05/08 00:18:34 | 000,097,056 | ---- | M] (Conduit) [Auto | Running] -- C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe -- (CltMngSvc) 
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} 
    IE - HKLM\..\SearchScopes,DefaultScope = {0A787087-6364-4973-868E-249CFF0B81EB} 
    IE - HKCU\..\SearchScopes,DefaultScope = {0A787087-6364-4973-868E-249CFF0B81EB} 
    IE - HKCU\..\SearchScopes\{0A787087-6364-4973-868E-249CFF0B81EB}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3304782&CUI=UN36866250717933323&UM=2
    FF - prefs.js..CT3304781.browser.search.defaultthis.engineName: "true" 
    FF - prefs.js..browser.search.defaultenginename: "KeyBar 1.8 Customized Web Search" 
    FF - prefs.js..browser.search.defaultthis.engineName: "KeyBar 1.8 Customized Web Search" 
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&CUI=UN11365923892890297&UM=2&SearchSource=3&q={searchTerms}" 
    FF - prefs.js..browser.search.selectedEngine: "KeyBar 1.8 Customized Web Search" 
    FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3304781&octid=CT3304781&SearchSource=61&CUI=UN11365923892890297&UM=2&UP=SPADF15FA6-7251-4827-9D56-075C8BBE0D3B" 
    FF - prefs.js..extensions.enabledAddons: %7B9ed31f84-c8b3-4926-b950-dff74047ff79%7D:10.16.7.25 
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&SearchSource=2&CUI=UN11365923892890297&UM=2&q=" 
    [2013/07/22 11:17:35 | 000,000,000 | ---D | M] (KeyBar 1.8) -- C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\extensions\{9ed31f84-c8b3-4926-b950-dff74047ff79} 
    [2013/07/22 11:17:36 | 000,000,997 | ---- | M] () -- C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\searchplugins\conduit.xml 
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. 
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. 
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. 
    O4 - HKLM..\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe (Conduit) 
    O4 - HKCU..\Run: [SearchProtect] C:\Users\Marc\AppData\Roaming\SearchProtect\bin\cltmng.exe (Conduit)  
    
    :files 
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot.lnk 
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OtShot.lnk 
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OtShot 
    C:\Users\Marc\AppData\Local\Temp\HotShot_installerNewNoStartUp.exe 
    C:\Users\Marc\AppData\Local\VirtualStore\Program Files (x86)\OtShot 
    C:\Users\Marc\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\OtShot.lnk 
    C:\Windows\Prefetch\HOTSHOT_INSTALLERNEWNOSTARTUP-E8DC355D.pf 
    C:\Windows\Prefetch\OTSHOT.EXE-49C2F560.pf 
    C:\Windows\Prefetch\OTSHOTCOMPONENT7.EXE-F9F1EF8E.pf 
    C:\Windows\Prefetch\OTSHOTINSTALLER7.EXE-1B5F36C3.pf 
    C:\Users\Marc\AppData\Local\VirtualStore\Program Files (x86)\OtShot
    C:\Program Files (x86)\Conduit
    C:\Users\Marc\AppData\Local\Conduit
    C:\Program Files (x86)\SearchProtect
    C:\Users\Marc\AppData\Roaming\SearchProtect
    C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OtShot 
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot 
    C:\Program Files (x86)\OtShot
    C:\Users\Marc\Application Data\Microsoft\Internet Explorer\Quick Launch\OtShot.lnk 
    C:\Users\Marc\Desktop\OtShot.lnk
    
    :reg 
    [-HKEY_CURRENT_USER\Software\OtShot] 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OtshotInstaller7_RASAPI32] 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OtshotInstaller7_RASMANCS] 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 
    "OtShot"=- 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OtShot] 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ZalmanInstaller_otshot] 
    [-HKEY_USERS\S-1-5-21-2276055165-237249705-202170281-1000\Software\OtShot]  
    
    :commands 
    [emptytemp]
    • Click the Run Fix button.
    • OTL will now process the instructions.
    • When finished a box will open asking you to open the fix log, click OK.
    • The fix log will open.
    • Copy/Paste the log in your next reply please.

    Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.
     
  2. exfarmer

    exfarmer Thread Starter

    Joined:
    Nov 4, 2009
    Messages:
    68
    # AdwCleaner v2.306 - Logfile created 07/24/2013 at 10:07:34
    # Updated 19/07/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Marc - MARC-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Marc\Downloads\adwcleaner.exe
    # Option [Delete]




    ***** [Services] *****




    ***** [Files / Folders] *****


    ***** [Registry] *****


    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7601.17514

    [OK] Registry is clean.

    -\\ Mozilla Firefox v22.0 (en-US)

    File : C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [4763 octets] - [24/07/2013 08:30:11]
    AdwCleaner[S2].txt - [725 octets] - [24/07/2013 10:07:34]

    ########## EOF - C:\AdwCleaner[S2].txt - [784 octets] ##########

    Please note that these are the results from the second time that I have run AdwCleaner today. I lost the logfile of the first scan. The first scan removed KeyBar from Firefox.

    I did manage to change my pw's.


    OTL logfile created on: 24/07/2013 8:38:01 AM - Run 2
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Marc\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7601.17514)
    Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    4.00 Gb Total Physical Memory | 2.63 Gb Available Physical Memory | 65.84% Memory free
    8.00 Gb Paging File | 6.63 Gb Available in Paging File | 82.91% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 342.43 Gb Total Space | 277.25 Gb Free Space | 80.97% Space Free | Partition Type: NTFS
    Drive D: | 342.43 Gb Total Space | 342.34 Gb Free Space | 99.97% Space Free | Partition Type: NTFS
    Drive G: | 1.88 Gb Total Space | 1.84 Gb Free Space | 98.01% Space Free | Partition Type: FAT

    Computer Name: MARC-PC | User Name: Marc | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/07/24 08:29:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Marc\Downloads\OTL.com
    PRC - [2013/06/18 08:21:12 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    PRC - [2013/02/26 00:32:22 | 001,260,320 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    PRC - [2013/01/18 08:14:20 | 000,383,264 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    PRC - [2012/10/18 07:27:06 | 004,386,816 | ---- | M] () -- C:\Program Files (x86)\OtShot\otshot.exe
    PRC - [2009/08/12 16:04:44 | 000,062,208 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
    PRC - [2009/08/12 15:58:28 | 000,261,888 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
    PRC - [2009/08/09 23:36:04 | 000,629,280 | ---- | M] () -- C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
    PRC - [2009/08/06 11:18:54 | 000,311,592 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe
    PRC - [2009/08/06 11:18:42 | 000,349,480 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
    PRC - [2009/08/03 23:09:34 | 000,199,464 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe
    PRC - [2009/07/03 19:47:12 | 000,240,160 | ---- | M] (Acer) -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe
    PRC - [2009/06/04 07:04:50 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/06/18 08:21:31 | 003,285,912 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
    MOD - [2012/10/18 07:27:06 | 004,386,816 | ---- | M] () -- C:\Program Files (x86)\OtShot\otshot.exe
    MOD - [2009/08/09 23:36:04 | 000,629,280 | ---- | M] () -- C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
    MOD - [2009/08/09 20:49:40 | 000,019,968 | ---- | M] () -- C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyHook.dll
    MOD - [2009/02/02 18:33:56 | 000,460,199 | ---- | M] () -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\sqlite3.dll


    ========== Services (SafeList) ==========

    SRV:64bit: - [2013/01/27 11:34:32 | 000,379,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2013/01/27 11:34:32 | 000,022,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2009/10/16 16:06:40 | 001,039,360 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysNative\lxducoms.exe -- (lxdu_device)
    SRV:64bit: - [2009/07/13 19:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/03 19:47:12 | 000,240,160 | ---- | M] (Acer) [Auto | Running] -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe -- (Updater Service)
    SRV:64bit: - [2009/04/19 09:34:48 | 000,625,184 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)
    SRV:64bit: - [2009/04/19 09:34:48 | 000,207,904 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp)
    SRV - [2013/06/18 08:21:21 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2013/02/26 00:32:22 | 001,260,320 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
    SRV - [2013/01/18 08:14:20 | 000,383,264 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/08/12 16:04:44 | 000,062,208 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe -- (NTI IScheduleSvc)
    SRV - [2009/08/06 11:18:54 | 000,311,592 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe -- (MWLService)
    SRV - [2009/07/28 13:25:34 | 000,935,208 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
    SRV - [2009/06/10 15:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2009/06/04 07:04:50 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe -- (Greg_Service)
    SRV - [2009/05/22 12:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe -- (GameConsoleService)

    I am having problems loading my contacts into Windows Live Mail from a backup, which is on an SD card, or from my laptop. I am also having the same problem trying to import bookmarks into Firefox. In both cases, when I try to import, they say there are no matches.
     
  3. nunped

    nunped Malware Specialist

    Joined:
    Sep 20, 2012
    Messages:
    234
    Hi exfarmer,

    The first log of AdwCleaner should be at C:\AdwCleaner[S1].txt.
    Please post it in your next reply.

    The OTL fix didn't run. You probably clicked "Run Scan" instead of "Run Fix".
    Please follow the instructions in my previous post for the "OTL fix", making sure you click "Run Fix", and post the log in your next reply.
     
  4. exfarmer

    exfarmer Thread Starter

    Joined:
    Nov 4, 2009
    Messages:
    68
    Sorry for the mix-up. I tried to run OTL Fix but it says "no fix has been provided please load from files". When I click OK it says "cannot open file". It is possible that I did not download Firefox from the original site; I don't remember. Here is the AdwCleaner file.

    # AdwCleaner v2.306 - Logfile created 07/24/2013 at 08:30:11
    # Updated 19/07/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Marc - MARC-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Marc\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****

    Stopped & Deleted : CltMngSvc
    Stopped & Deleted : Partner Service

    ***** [Files / Folders] *****

    File Deleted : C:\END
    File Deleted : C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\searchplugins\Conduit.xml
    File Deleted : C:\Users\Public\Desktop\eBay.lnk
    Folder Deleted : C:\Program Files (x86)\Conduit
    Folder Deleted : C:\Program Files (x86)\SearchProtect
    Folder Deleted : C:\ProgramData\Partner
    Folder Deleted : C:\Users\Marc\AppData\Local\Conduit
    Folder Deleted : C:\Users\Marc\AppData\Local\Temp\boost_interprocess
    Folder Deleted : C:\Users\Marc\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Marc\AppData\LocalLow\PriceGong
    Folder Deleted : C:\Users\Marc\AppData\Roaming\SearchProtect

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
    Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Key Deleted : HKCU\Software\SearchProtect
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{28A88B70-D874-4F73-BBBA-9B2B222FB7D6}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll
    Key Deleted : HKLM\SOFTWARE\Classes\kt_bho.KettleBho
    Key Deleted : HKLM\SOFTWARE\Classes\kt_bho.KettleBho.1
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3304782
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{86676E13-D6D8-4652-9FCF-F2047F1FB000}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
    Key Deleted : HKLM\Software\SearchProtect
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [searchprotect]
    Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7601.17514

    [OK] Registry is clean.

    -\\ Mozilla Firefox v22.0 (en-US)

    File : C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\prefs.js

    Deleted : user_pref("CT3304781_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
    Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3304781&octid=CT330478[...]
    Deleted : user_pref("Smartbar.ConduitSearchEngineList", "KeyBar 1.8 Customized Web Search");
    Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3304781[...]
    Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
    Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3304781");
    Deleted : user_pref("browser.search.defaultenginename", "KeyBar 1.8 Customized Web Search");
    Deleted : user_pref("browser.search.defaultthis.engineName", "KeyBar 1.8 Customized Web Search");
    Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&CUI[...]
    Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3304781&octid=CT3304781&Sea[...]
    Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&SearchSource=2&CU[...]
    Deleted : user_pref("smartbar.machineId", "TF01O4DX9JUO3K5KCMKMRC2OGBFI8GAW2ZD8H102BC9BJNDZTBUZFTC7/81MMGF70CB[...]

    *************************

    AdwCleaner[S1].txt - [4638 octets] - [24/07/2013 08:30:11]

    ########## EOF - C:\AdwCleaner[S1].txt - [4698 octets] ##########
     
  5. nunped

    nunped Malware Specialist

    Joined:
    Sep 20, 2012
    Messages:
    234
    Hi exfarmer!
    No worries. It happens.
    Did you paste the code in the "Custom Scans/Fixes" box as instructed?

    Let's try again, following these steps:

    • Right click OTL.exe and select "Run as Administrator" to launch the program.
    • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
    Code:
    :commands 
    [createrestorepoint]  
    
    :OTL 
    SRV - [2013/05/08 00:18:34 | 000,097,056 | ---- | M] (Conduit) [Auto | Running] -- C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe -- (CltMngSvc) 
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} 
    IE - HKLM\..\SearchScopes,DefaultScope = {0A787087-6364-4973-868E-249CFF0B81EB} 
    IE - HKCU\..\SearchScopes,DefaultScope = {0A787087-6364-4973-868E-249CFF0B81EB} 
    IE - HKCU\..\SearchScopes\{0A787087-6364-4973-868E-249CFF0B81EB}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3304782&CUI=UN36866250717933323&UM=2
    FF - prefs.js..CT3304781.browser.search.defaultthis.engineName: "true" 
    FF - prefs.js..browser.search.defaultenginename: "KeyBar 1.8 Customized Web Search" 
    FF - prefs.js..browser.search.defaultthis.engineName: "KeyBar 1.8 Customized Web Search" 
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&CUI=UN11365923892890297&UM=2&SearchSource=3&q={searchTerms}" 
    FF - prefs.js..browser.search.selectedEngine: "KeyBar 1.8 Customized Web Search" 
    FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3304781&octid=CT3304781&SearchSource=61&CUI=UN11365923892890297&UM=2&UP=SPADF15FA6-7251-4827-9D56-075C8BBE0D3B" 
    FF - prefs.js..extensions.enabledAddons: %7B9ed31f84-c8b3-4926-b950-dff74047ff79%7D:10.16.7.25 
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&SearchSource=2&CUI=UN11365923892890297&UM=2&q=" 
    [2013/07/22 11:17:35 | 000,000,000 | ---D | M] (KeyBar 1.8) -- C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\extensions\{9ed31f84-c8b3-4926-b950-dff74047ff79} 
    [2013/07/22 11:17:36 | 000,000,997 | ---- | M] () -- C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\searchplugins\conduit.xml 
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. 
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. 
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. 
    O4 - HKLM..\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe (Conduit) 
    O4 - HKCU..\Run: [SearchProtect] C:\Users\Marc\AppData\Roaming\SearchProtect\bin\cltmng.exe (Conduit)  
    
    :files 
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot.lnk 
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OtShot.lnk 
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OtShot 
    C:\Users\Marc\AppData\Local\Temp\HotShot_installerNewNoStartUp.exe 
    C:\Users\Marc\AppData\Local\VirtualStore\Program Files (x86)\OtShot 
    C:\Users\Marc\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\OtShot.lnk 
    C:\Windows\Prefetch\HOTSHOT_INSTALLERNEWNOSTARTUP-E8DC355D.pf 
    C:\Windows\Prefetch\OTSHOT.EXE-49C2F560.pf 
    C:\Windows\Prefetch\OTSHOTCOMPONENT7.EXE-F9F1EF8E.pf 
    C:\Windows\Prefetch\OTSHOTINSTALLER7.EXE-1B5F36C3.pf 
    C:\Users\Marc\AppData\Local\VirtualStore\Program Files (x86)\OtShot
    C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OtShot 
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot 
    C:\Program Files (x86)\OtShot
    C:\Users\Marc\Application Data\Microsoft\Internet Explorer\Quick Launch\OtShot.lnk 
    C:\Users\Marc\Desktop\OtShot.lnk
    
    :reg 
    [-HKEY_CURRENT_USER\Software\OtShot] 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OtshotInstaller7_RASAPI32] 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OtshotInstaller7_RASMANCS] 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 
    "OtShot"=- 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OtShot] 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ZalmanInstaller_otshot] 
    [-HKEY_USERS\S-1-5-21-2276055165-237249705-202170281-1000\Software\OtShot]  
    
    :commands 
    [emptytemp]
    
    • Click the Run Fix button.
    • OTL will now process the instructions.
    • When finished a box will open asking you to open the fix log, click OK.
    • The fix log will open.
    • Copy/Paste the log in your next reply please.

    Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

    How is your computer behaving now?
     
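The Firefox lines in the OTL fix (the `FF - prefs.js..` entries in posts 1 and 5) and the `user_pref(...)` lines AdwCleaner reported as deleted in post 4 are the same class of indicator: search-engine, home-page and keyword-URL preferences rewritten to point at a toolbar vendor, plus vendor-only prefs (`Smartbar.*`, `CT<id>.*`) that a normal profile never contains. The Python below is an added example written for this thread; it is not part of OTL, AdwCleaner or any script the forum posted. It parses `user_pref` lines from a prefs.js and reports those indicators. The sample prefs.js text is constructed to mirror the thread's Conduit / KeyBar 1.8 / Smartbar entries with the long URL parameters shortened, and `TRUSTED_SEARCH_HOSTS` and `KNOWN_ENGINES` are assumed allow-lists to adjust per profile.

```python
"""Flag browser-hijacker settings in a Firefox prefs.js.

Added example for this thread; not part of OTL, AdwCleaner or any forum
script. The sample prefs.js text is constructed to mirror the Conduit /
KeyBar 1.8 / Smartbar entries in the thread's logs (URL parameters
shortened). TRUSTED_SEARCH_HOSTS and KNOWN_ENGINES are assumptions.
"""
import json
import re
from urllib.parse import urlparse

# Prefs that decide where searches and the start page go; a hijacker rewrites
# these so every search and every new window lands on its own portal.
NAVIGATION_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}

# Prefs that name the selected search engine.
ENGINE_NAME_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.search.defaultthis.engineName",
}

# Assumed allow-lists: engines and hosts the user chose on purpose.
KNOWN_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}

# Pref names only a toolbar writes: Smartbar.* and CT<id>.* / CT<id>_*
# (Conduit toolbar ids such as the CT3304781 seen in the thread).
VENDOR_PREF_RE = re.compile(r"^(?:[Ss]martbar\.|CT\d+[._])")

# user_pref("name", value);  -- the name may itself contain escaped quotes.
USER_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')


def _unquote(raw):
    """Decode a JS string literal; leave booleans/integers as their source text."""
    if raw.startswith('"') and raw.endswith('"'):
        try:
            return json.loads(raw)  # prefs.js string escapes are JSON-compatible
        except ValueError:
            return raw[1:-1]
    return raw


def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m:  # comments, blank lines and non-user_pref lines are skipped
            prefs[m.group(1)] = _unquote(m.group(2).strip())
    return prefs


def audit_prefs(prefs, trusted_hosts=TRUSTED_SEARCH_HOSTS, known_engines=KNOWN_ENGINES):
    """Return [(pref_name, reason)] for prefs that look like hijacker residue."""
    findings = []
    for name, value in prefs.items():
        if name in NAVIGATION_PREFS:
            host = urlparse(str(value)).hostname or ""
            if host and host not in trusted_hosts:
                findings.append((name, f"redirects to untrusted host {host}"))
        elif name in ENGINE_NAME_PREFS:
            if value not in known_engines:
                findings.append((name, f"search engine forced to {value!r}"))
        elif VENDOR_PREF_RE.match(name):
            findings.append((name, "toolbar-vendor pref (Smartbar/Conduit)"))
    return findings


def audit_prefs_text(text):
    """Parse a prefs.js text and audit it in one call."""
    return audit_prefs(parse_prefs(text))


# Constructed sample modelled on the thread's AdwCleaner/OTL entries.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "KeyBar 1.8 Customized Web Search");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&q={searchTerms}");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT3304781&octid=CT3304781");
user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&SearchSource=2&q=");
user_pref("Smartbar.ConduitSearchEngineList", "KeyBar 1.8 Customized Web Search");
user_pref("CT3304781.browser.search.defaultthis.engineName", "true");
user_pref("CT3304781_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\"}]");
user_pref("browser.startup.page", 1);
user_pref("browser.search.selectedEngine", "Google");
'''

if __name__ == "__main__":
    for name, reason in audit_prefs_text(SAMPLE_PREFS_JS):
        print(f"{name}: {reason}")
```

Run against a real profile with `audit_prefs_text(open(path_to_prefs_js).read())`. A clean profile yields no findings for the navigation and engine prefs and never carries `Smartbar.*` or `CT<id>` names, so anything reported is worth comparing against what AdwCleaner or the OTL fix is about to remove.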
  6. nunped

    nunped Malware Specialist

    Joined:
    Sep 20, 2012
    Messages:
    234
    Hi exfarmer,

    Do you still need help?
     
  7. exfarmer

    exfarmer Thread Starter

    Joined:
    Nov 4, 2009
    Messages:
    68
    Sorry I didn't reply sooner. I was waiting for a notification via email that you had posted. Apparently a setting has changed, so I didn't get an email; I'll check.

    Here is the OTL log:

    All processes killed
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point
    ========== OTL ==========
    Error: No service named CltMngSvc was found to stop!
    Service\Driver key CltMngSvc not found.
    File C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe not found.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0A787087-6364-4973-868E-249CFF0B81EB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A787087-6364-4973-868E-249CFF0B81EB}\ not found.
    Prefs.js: "true" removed from CT3304781.browser.search.defaultthis.engineName
    Prefs.js: "KeyBar 1.8 Customized Web Search" removed from browser.search.defaultenginename
    Prefs.js: "KeyBar 1.8 Customized Web Search" removed from browser.search.defaultthis.engineName
    Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&CUI=UN11365923892890297&UM=2&SearchSource=3& q={searchTerms}" removed from browser.search.defaulturl
    Prefs.js: "KeyBar 1.8 Customized Web Search" removed from browser.search.selectedEngine
    Prefs.js: "http://search.conduit.com/?ctid=CT3304781&octid=CT3304781&SearchSource=61&CUI=UN11365923892890297&UM= 2&UP=SPADF15FA6-7251-4827-9D56-075C8BBE0D3B" removed from browser.startup.homepage
    Prefs.js: %7B9ed31f84-c8b3-4926-b950-dff74047ff79%7D:10.16.7.25 removed from extensions.enabledAddons
    Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3304781&SearchSource=2&CUI=UN11365923892890297&UM=2& q=" removed from keyword.URL
    Folder C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\ext ensions\{9ed31f84-c8b3-4926-b950-dff74047ff79}\ not found.
    File C:\Users\Marc\AppData\Roaming\Mozilla\Firefox\Profiles\ph0o9php.default\sea rchplugins\conduit.xml not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtectAll not found.
    File C:\Program Files (x86)\SearchProtect\bin\cltmng.exe not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect not found.
    File C:\Users\Marc\AppData\Roaming\SearchProtect\bin\cltmng.exe not found.
    ========== FILES ==========
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot.lnk moved successfully.
    File\Folder C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OtShot.lnk not found.
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OtShot folder moved successfully.
    C:\Users\Marc\AppData\Local\Temp\HotShot_installerNewNoStartUp.exe moved successfully.
    C:\Users\Marc\AppData\Local\VirtualStore\Program Files (x86)\OtShot folder moved successfully.
    C:\Users\Marc\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\OtShot.lnk moved successfully.
    File\Folder C:\Windows\Prefetch\HOTSHOT_INSTALLERNEWNOSTARTUP-E8DC355D.pf not found.
    File\Folder C:\Windows\Prefetch\OTSHOT.EXE-49C2F560.pf not found.
    File\Folder C:\Windows\Prefetch\OTSHOTCOMPONENT7.EXE-F9F1EF8E.pf not found.
    File\Folder C:\Windows\Prefetch\OTSHOTINSTALLER7.EXE-1B5F36C3.pf not found.
    File\Folder C:\Users\Marc\AppData\Local\VirtualStore\Program Files (x86)\OtShot not found.
    C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OtShot folder moved successfully.
    File\Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot not found.
    C:\Program Files (x86)\OtShot\ui\new\new\image folder moved successfully.
    C:\Program Files (x86)\OtShot\ui\new\new folder moved successfully.
    C:\Program Files (x86)\OtShot\ui\new folder moved successfully.
    C:\Program Files (x86)\OtShot\ui\belv\image folder moved successfully.
    C:\Program Files (x86)\OtShot\ui\belv folder moved successfully.
    C:\Program Files (x86)\OtShot\ui folder moved successfully.
    C:\Program Files (x86)\OtShot\signed folder moved successfully.
    C:\Program Files (x86)\OtShot\signatures folder moved successfully.
    C:\Program Files (x86)\OtShot\sample folder moved successfully.
    C:\Program Files (x86)\OtShot\frames folder moved successfully.
    C:\Program Files (x86)\OtShot folder moved successfully.
    File\Folder C:\Users\Marc\Application Data\Microsoft\Internet Explorer\Quick Launch\OtShot.lnk not found.
    C:\Users\Marc\Desktop\OtShot.lnk moved successfully.
    ========== REGISTRY ==========
    Registry key HKEY_CURRENT_USER\Software\OtShot\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OtshotInstaller7_ RASAPI32\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OtshotInstaller7_ RASMANCS\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\OtShot deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OtShot\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ZalmanInstaller_otshot\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2276055165-237249705-202170281-1000\Software\OtShot\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Marc
    ->Temp folder emptied: 50052948 bytes
    ->Temporary Internet Files folder emptied: 33647868 bytes
    ->FireFox cache emptied: 218203784 bytes
    ->Flash cache emptied: 8261 bytes

    User: Public

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 167404283 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
    RecycleBin emptied: 4428340 bytes

    Total Files Cleaned = 452.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 07302013_191854

    Files\Folders moved on Reboot...
    C:\Users\Marc\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DF2C275D1A401BF6F0.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DF4BC5F3399973361F.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DF5CA54555E1927D4B.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DF72469C97C3876188.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DF84C03CADE1BE2C47.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DF8567A48D09E6C7CB.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DF8DF677EFE334762E.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DFB273A7C39DB433D1.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DFB5BA07B44AFD39FE.TMP not found!
    File\Folder C:\Users\Marc\AppData\Local\Temp\~DFF472D0BC539DC224.TMP not found!

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  8. exfarmer

    exfarmer Thread Starter

    Joined:
    Nov 4, 2009
    Messages:
    68
    So has this fixed the problems?
     
  9. nunped

    nunped Malware Specialist

    Joined:
    Sep 20, 2012
    Messages:
    234
    Hi exfarmer!

    Sorry for the late reply...

    Some of them, at least.

    Are you experiencing any issues now?
     
  10. exfarmer

    exfarmer Thread Starter

    Joined:
    Nov 4, 2009
    Messages:
    68
    I think everything is working fine now. The only problems I'm having now are trying to get my contact list reinstalled in Windows Live Mail and my bookmarks into Firefox. Thanks for your patience and help.
     
  11. nunped

    nunped Malware Specialist

    Joined:
    Sep 20, 2012
    Messages:
    234
    Hi exfarmer,

    Your computer appears to be free from malware :).

    Just a few clean-up steps:

    OTL-Cleanup
    You should still have this on your desktop; if so, please ignore the download instructions.
    Please download OTL and save it to your Desktop.

    1. Right click on OTL.exe select "Run As Administrator" to run it.
    2. Press the CleanUp button.
    3. When done, you will be prompted to reboot your system to finish file removal... please select OK to reboot your computer.

    If you did not reboot your computer normally, please do so now, before continuing.

    Update your antivirus programs and other programs regularly. This is one good way to avoid new threats. The following websites can be used to check if you need any updates.
    Secunia Personal Software Inspector
    F-secure Health Check
    FileHippo.com Update Checker

    Some free programs that can improve your computer security:
    Malwarebytes Anti-malware
    This is a great anti-malware application that can remove a good percentage of infections. You should run a scan with it at least once a week, after you download the latest updates.
    You can find information and download it from HERE

    SiteAdvisor
    SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
    You can find more information and download it from Here

    WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    For more information, please visit HERE

    Stay informed.
    To help minimize the chances of becoming re-infected, please read:
    Computer Security - a short guide to staying safer online

    If your computer is running slowly after your clean up, please read:
    What to do if your Computer is running slowly

    Please reply to this post so I know you have read it. If you don't have any further questions this thread will be closed.

    Safe surfing! ;)
     
  12. exfarmer

    exfarmer Thread Starter

    Joined:
    Nov 4, 2009
    Messages:
    68
    Do I need SiteAdvisor if I have MyWot or are they different?

    Malwarebytes found 1 malware and removed it (PUP.Optional.lBryte)

    I tried to run Secunia but it says: a script on this page is causing to run slowly and may cause your computer to become unresponsive. Should I just try one of the other updaters?
     
  13. nunped

    nunped Malware Specialist

    Joined:
    Sep 20, 2012
    Messages:
    234
    One is enough. I personally use MyWot and get nervous when surfing without it :)

    Keep it updated and run a scan once a week. It's a really good help.

    Go ahead and try one of the other ones.

    These are all optional. Feel free to experiment and use what you think fits your needs.

    Any further questions, before this one goes "solved"? :)
     
  14. exfarmer

    exfarmer Thread Starter

    Joined:
    Nov 4, 2009
    Messages:
    68
    Thanks so much for all your help! We can mark it solved.
     
  15. nunped

    nunped Malware Specialist

    Joined:
    Sep 20, 2012
    Messages:
    234
    You're very welcome.

    Safe surfing!
     
Short URL to this thread: https://techguy.org/1102707