
Thread: application whitesmoke, Adware.domaiq, adware.goonsquad!rem problems

  1. #11
    Senior Member Edgecrusher | Join Date: Jan 2009 | Location: London England | Posts: 228

    It worked in safe mode. PC seems to be working fine. PC Tools Spyware Doctor hasn't detected anything, which is good, as it found the adware in the first place, whereas Microsoft Security Essentials didn't detect it.


    # AdwCleaner v3.020 - Report created 01/03/2014 at 00:21:58
    # Updated 27/02/2014 by Xplode
    # Operating System : Windows 7 Professional Service Pack 1 (32 bits)
    # Username : Michelle - MICHELLE-PC
    # Running from : C:\Users\Michelle\Downloads\AdwCleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\StarApp
    Folder Deleted : C:\Program Files\Conduit
    Folder Deleted : C:\Program Files\continuetosave
    Folder Deleted : C:\Program Files\goforfiles
    Folder Deleted : C:\Program Files\Nosibay
    Folder Deleted : C:\Users\Michelle\AppData\Local\Conduit
    Folder Deleted : C:\Users\Michelle\AppData\Local\genienext
    Folder Deleted : C:\Users\Michelle\AppData\Local\SwvUpdater
    Folder Deleted : C:\Users\Michelle\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Michelle\AppData\Roaming\goforfiles
    Folder Deleted : C:\Users\Michelle\AppData\Roaming\Nosibay
    Folder Deleted : C:\Users\Michelle\AppData\Roaming\VOPackage
    Folder Deleted : C:\Users\Michelle\Documents\Mobogenie
    File Deleted : C:\END
    File Deleted : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage
    File Deleted : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage-journal
    File Deleted : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage
    File Deleted : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage-journal
    File Deleted : C:\Windows\System32\Tasks\GoforFilesUpdate

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7E0C3095-1B99-4495-9F12-FD726C059FBB}
    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7E0C3095-1B99-4495-9F12-FD726C059FBB}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wsconduit__166_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\GoforFiles
    Key Deleted : HKCU\Software\InstallCore
    Key Deleted : HKCU\Software\Nosibay
    Key Deleted : HKCU\Software\YahooPartnerToolbar
    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\GoforFiles
    Key Deleted : HKLM\Software\InstallCore
    Key Deleted : HKLM\Software\SP Global
    Key Deleted : HKLM\Software\SProtector
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.16518

    Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

    -\\ Mozilla Firefox v20.0.1 (en-GB)

    [ File : C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\lvyu5r43.default\prefs.js ]

    Line Deleted : user_pref("CT3289847.FF19Solved", "true");
    Line Deleted : user_pref("CT3289847.UserID", "UN18795518042419810");
    Line Deleted : user_pref("CT3289847.browser.search.defaultthis.engineName", "true");
    Line Deleted : user_pref("CT3289847.installDate", "28/5/2013 22:56:55");
    Line Deleted : user_pref("CT3289847.installSessionId", "-1");
    Line Deleted : user_pref("CT3289847.installSp", "TRUE");
    Line Deleted : user_pref("CT3289847.installerVersion", "1.4.2.3");
    Line Deleted : user_pref("CT3289847.keyword", "true");
    Line Deleted : user_pref("CT3289847.originalHomepage", "www.google.co.uk");
    Line Deleted : user_pref("CT3289847.originalSearchAddressUrl", "");
    Line Deleted : user_pref("CT3289847.originalSearchEngine", "");
    Line Deleted : user_pref("CT3289847.searchRevert", "true");
    Line Deleted : user_pref("CT3289847.searchUserMode", "2");
    Line Deleted : user_pref("CT3289847.smartbar.homepage", "true");
    Line Deleted : user_pref("CT3289847.versionFromInstaller", "10.16.2.9");
    Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3289847&octid=CT3289847&SearchSource=61&CUI=UN18795518042419810&UM=2&UP=SP6955092B-CFFF-4B5D-929F-123F490952F8");
    Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
    Line Deleted : user_pref("browser.search.defaultthis.engineName", "WhiteSmoke New Customized Web Search");
    Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&CUI=UN18795518042419810&UM=2&SearchSource=3&q={searchTerms}");
    Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3289847");
    Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN18795518042419810&UM=2&SearchSource=13,hxxp://search.conduit.com/?ctid=CT3289847&octid=CT3289847&SearchSource[...]
    Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN18795518042419810&UM=2&q=");
    Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3289847");
    Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3289847");
    Line Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN18795518042419810&UM=2&SearchSource=13");

    -\\ Google Chrome v33.0.1750.117

    [ File : C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [7102 octets] - [28/02/2014 00:08:15]
    AdwCleaner[R1].txt - [7221 octets] - [28/02/2014 00:43:06]
    AdwCleaner[R2].txt - [7340 octets] - [28/02/2014 00:53:52]
    AdwCleaner[R3].txt - [7400 octets] - [01/03/2014 00:19:39]
    AdwCleaner[S0].txt - [346 octets] - [28/02/2014 00:10:51]
    AdwCleaner[S1].txt - [692 octets] - [28/02/2014 00:45:06]
    AdwCleaner[S2].txt - [7359 octets] - [01/03/2014 00:21:58]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [7419 octets] ##########

  2. #12
    Security Expert Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 3,814

    OK, now we'll check for remnants.

    Please run TFC by OldTimer to clear temporary files:

    Download TFC from here http://oldtimer.geekstogo.com/TFC.exe
    and save it to your desktop.

    Close any open programs and Internet browsers.
    Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
    Please be patient as clearing out temp files may take a while.
    Once it completes you may be prompted to restart your computer, please do so.
    Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

    Then restart the computer.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Go here to run an online scanner from ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan
    • Wait for the scan to finish
    • When the scan completes, press the LIST OF THREATS FOUND button
    • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
    • Include the contents of this report in your next reply.
    • Press the BACK button.
    • Press Finish
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #13
    Senior Member Edgecrusher | Join Date: Jan 2009 | Location: London England | Posts: 228

    I ran TFC. Didn't have to restart the computer.

    C:\AdwCleaner\Quarantine\C\Program Files\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Users\Michelle\AppData\Roaming\VOPackage\VOPackage.exe.vir Win32/VuuPc.A potentially unwanted application
    C:\FRST\Quarantine\AskSLib.dll28-02-2014_00-04-39 a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
    C:\FRST\Quarantine\ConduitInstaller.exe28-02-2014_00-04-39 Win32/Toolbar.Conduit.S potentially unwanted application
    C:\FRST\Quarantine\tbWhit.dll28-02-2014_00-04-41 a variant of Win32/Toolbar.Conduit.X potentially unwanted application
    C:\FRST\Quarantine\toolbar2078984.exe28-02-2014_00-04-41 Win32/OutBrowse.G potentially unwanted application
    C:\FRST\Quarantine\26hwqjjcwova@koy-.co.uk28-02-2014_00-04-32\content\bg.js Win32/Adware.MultiPlug.H application
    C:\FRST\Quarantine\hkjkdolbihmdoeipcbgcejfockiihdng28-02-2014_00-04-34\1\51a5282e1d6750.25904125.js Win32/Adware.MultiPlug.H application
    C:\FRST\Quarantine\klibnahbojhkanfgaglnlalfkgpcppfi28-02-2014_00-04-34\10.26.7.519_1\APISupport\APISupport.dll a variant of Win32/Toolbar.Conduit.Z potentially unwanted application
    C:\FRST\Quarantine\Mobogenie28-02-2014_00-04-37\Version\OldVersion\Mobogenie2.2.0.zip a variant of Win32/Mobogenie.A potentially unwanted application
    C:\FRST\Quarantine\Mobogenie28-02-2014_00-04-37\Version\OldVersion\Mobogenie\DaemonProcess.exe a variant of Win32/Mobogenie.A potentially unwanted application
    C:\FRST\Quarantine\Mobogenie28-02-2014_00-04-37\Version\OldVersion\Mobogenie\Mobogenie.exe a variant of Win32/Mobogenie.A potentially unwanted application
    C:\FRST\Quarantine\Mobogenie28-02-2014_00-04-37\Version\OldVersion\Mobogenie\nengine.dll Win32/NextLive.A potentially unwanted application
    C:\FRST\Quarantine\Mobogenie28-02-2014_00-04-37\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe a variant of Win32/Mobogenie.A potentially unwanted application
    C:\Users\Michelle\Downloads\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application

  4. #14
    Security Expert Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 3,814

    This looks good; everything was already in a quarantine folder except one file that came in with Avira.
    You can uninstall the ASK toolbar in the Add/Remove Programs list and delete the file below.

    C:\Users\Michelle\Downloads\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application

    Tell me, how is the computer now?

  5. #15
    Senior Member Edgecrusher | Join Date: Jan 2009 | Location: London England | Posts: 228

    I've deleted the file now, but didn't see the ASK toolbar in Control Panel Add/Remove.

    Computer still seems to be running fine.

  6. #16
    Security Expert Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 3,814

    Good deal
    Don't worry about the ask toolbar.

    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

    Run FRST/FRST64 and press the Fix button just once and wait.
    No need to post the log this time.
    start
    DeleteQuarantine:
    end
    ~~~~~~~~~~~~~~~~~~~~~~~

    1. Download Delfix from here
    2. Ensure Remove disinfection tools is ticked
      Also tick:
    3. Purge system restore
    • Click Run

    Any other tools used and existing folders simply delete.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    You're good to go, good job!

    Please take the time to read over a few of my preventive tips.

    Computer Security
    http://malwareremoval.com/forum/view...557960#p557960
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Be prepared for CryptoLocker:

    Cryptolocker Ransomware: What You Need To Know

    CryptoLocker Ransomware Information Guide and FAQ

    To help protect your computer in the future I recommend that you get the following free programmes:

    CryptoPrevent: install this programme to lock down and prevent crypto ransomware

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 3, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

    AdblockPlus
    • AdblockPlus, Surf the web without annoying ads!
    • Blocks banners, pop-ups and video ads - even on Facebook and YouTube
    • Protects your online privacy
    • Two-click installation, It's free!
    • click the icon that corresponds to your browser and download.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

    Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  7. #17
    Senior Member Edgecrusher | Join Date: Jan 2009 | Location: London England | Posts: 228

    I have now run the two steps.

  8. #18
    Security Expert Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 3,814

    You should be good to go!

  9. #19
    Security Expert Juliet | Join Date: Feb 2007 | Location: Deep South | Posts: 3,814

    Glad we could help.

    Since this issue appears resolved ... this Topic is closed.