
Savings Bull, Life Bettering and Conduit Search


11 replies to this topic

#1 IerynEtra

IerynEtra

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 28 February 2014 - 11:22 PM

I am posting this on behalf of a friend as it will be me going through any fixes on her computer.

About a week ago she noticed that her search engine on IE had been changed to conduit search, she hadn't downloaded anything in that time and neither of us can fathom how it got there.  It took over all of her search engines (IE, FF, and Chrome) and now she gets continuous popups on almost every page she visits.

I have removed conduit from her programs list along with a lot of other things I hadn't heard of and seem to have been able to put her search functions back to normal (google mostly) but do not know how to remove these other things.  I try to disable them in the settings menus but they are either not there or they won't be disabled.

I have no idea where these advertisements have hidden themselves but know that many people have been having problems with conduit so I'm hoping someone has found a fix for it.

 

My friend completes surveys on a daily basis to earn extra money but finds it impossible with all these popups that either appear in a new window or hover over the current one.

 

Any help would be appreciated.




 


#2 SparkleJoy

SparkleJoy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 01 March 2014 - 12:20 PM

I too am dealing with savingsbull and lifebettering. I have found a way to disable savingsbull. This has helped me: http://www.anvisoft.com/resources/how-to-remove-ads-by-savingsbull-adware-removal-guide/ hopefully it will be able to help you and your friend too. The download of the startup booster is safe and can help disable savingsbull and others like it, and is free. 



#3 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:31 AM

Posted 01 March 2014 - 05:31 PM

"My friend completes surveys on a daily basis to earn extra money"

Hello -

The above line shows where this PUP (Potentially Unwanted Program) has been installed from.

 

First -

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* Click on the Clean button (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

Next -

Download Malwarebytes' Anti-Malware Free (aka MBAM): to your desktop.
- Do not accept the Free Trial Version at this time -
* Double-click mbam-setup.exe and follow the prompts to install the program.
* NOTE 1 : At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* NOTE 2 : Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer if requested.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


Edited by noknojon, 01 March 2014 - 05:34 PM.


#4 camplate

camplate

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 02 March 2014 - 07:33 PM

Can I hijack this thread? I have the same problem. It seems like malaware did everything, yet the problem still exists.

Here are the two logs:

# AdwCleaner v3.020 - Report created 02/03/2014 at 15:15:17
# Updated 27/02/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : xxxxxxxx - XXXXXXXX-PC
# Running from : C:\Users\xxxxxxxx\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : Level Quality Watcher

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Level Quality Watcher
Folder Deleted : C:\Windows\system32\AI_RecycleBin
Folder Deleted : C:\Users\xxxxxxxx\AppData\Local\BrowserSafeguard
Folder Deleted : C:\Users\xxxxxxxx\AppData\LocalLow\Industriya
Folder Deleted : C:\Users\xxxxxxxx\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\xxxxxxxx\AppData\Roaming\FinalMediaPlayer
Folder Deleted : C:\Users\xxxxxxxx\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Xxxxx\AppData\Local\AVG Security Toolbar
File Deleted : C:\Users\xxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\3d5jmjmg.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1ACB5ABE-4890-4747-952C-F13BDB93FB75}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1ACB5ABE-4890-4747-952C-F13BDB93FB75}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKCU\Software\SearchProtectINT
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\HavingFunOnline
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\systweak
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Homepage Protection Service
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C19AC53289098045B06B0DD1D37CBAB
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23D9E9D21B4E77E41B9F50DD22F24E20
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23EEA1F105A7F45449974D9B95E7AC89
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\26982796A8AFD1246B95E00265A95BF9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\42D92D0D75AFEF74297E03876C8D9D33
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\464AA55239C100F32AF2D438EDDC0F47
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50FFE845C555A6E4BADB7CB7A145BFEB
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5652BA3D5FB98AE31B337BF0AF939856
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\715A3348920B6534690067594BB69F60
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7B7B13B037A7C2A42AC3E3EAF14D7107
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D05B2942E9CC80499F397F6114DFB35
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8591B8948E1C4A04F90505B3CDEE8555
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EB95E1AFCBABE3DB9ECCC669B99494
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8D841C5FEC311624CB88D49DB3884FA7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD746BF3B3B3FD8409B86604BA85982A
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F355F0DB7A2E3A14B8E7A568FBA25937

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16533


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\xxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\3d5jmjmg.default\prefs.js ]

Line Deleted : user_pref("extensions.privitize.srchPrvdr", "Search The Web (privitize)");

[ File : C:\Users\Karen\AppData\Roaming\Mozilla\Firefox\Profiles\331tikwy.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\xxxxxxxx\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [6644 octets] - [02/03/2014 15:08:41]
AdwCleaner[S0].txt - [6701 octets] - [02/03/2014 15:15:17]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6761 octets] ##########

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.02.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
xxxxxxxx :: XXXXXXXX-PC [administrator]

3/2/2014 3:25:24 PM
mbam-log-2014-03-02 (15-25-24).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 525898
Time elapsed: 3 hour(s), 30 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Optional.Zwangi) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Optional.Zwangi) -> Quarantined and deleted successfully.
HKCU\Software\SavingsBull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\Savings Bull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\SavingsBull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Savings Bull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\xxxxxxxx\AppData\Local\WeatherAlerts (PUP.Optional.WeatherAlerts) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.

Files Detected: 30
C:\Users\xxxxxxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A5OX187H\spstub[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NHH7J8DG\DesktopWeatherAlertsSetup[1].exe (PUP.Optional.WeatherAlerts.A) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NHH7J8DG\cbs_savingsbull_BBA5481A-926B-4561-BD79-249F618495E6[1].exe (PUP.Optional.Savingsbull) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QDWM4W0E\DesktopWeatherAlertsSetup[1].exe (PUP.Optional.WeatherAlerts.A) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QDWM4W0E\SPSetup[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\Downloads\FinalMediaPlayerSetup.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\Downloads\FlashPlayer_V.130788756b.exe (PUP.FakeFlash.Domaiq) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\Downloads\SoftwareInstallation.exe (PUP.Optional.Outbrowse) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\Downloads\Ibycus_Canada_Topo_Maps_3.2.exe (PUP.Optional.BundleInstaller) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe.vir (PUP.Optional.Savingsbull) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe.vir (PUP.Optional.Savingsbull) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\background.js (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\bootstrap.js (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\bootstrap.js.old (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\CustomActionInstall (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\CustomActionUninstall (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\ff_main.js.old (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\icon128.png (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\icon16.png (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\icon32.png (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\icon48.png (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\icon64.png (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\icon8.png (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\IEOptimizer.dll (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\IEOptimizer64.dll (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\manifest.json (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\marcopolo.js (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\Microsoft.Deployment.WindowsInstaller.dll (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\Microsoft.Deployment.WindowsInstaller.xml (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
C:\Program Files\SavingsBull\SendJson.dll (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.

(end)

 



#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:31 AM

Posted 02 March 2014 - 09:58 PM

@ camplate

Read your Malwarebytes Anti-Malware Log and you will see that many of these are actually removed.

Update and Re-Run the Full Scan, and post another log back here to see if most of these are removed now.

 

Note that you have installed these from downloading programs without reading the conditions involved.
Registry Keys Detected: 6
Folders Detected: 2
Files Detected: 30 .

All of these contain similar items to these below and are stage 1 in the cleanup

HKCU\Software\AppDataLow\Software\SavingsBull (PUP.Optional.SavingsBull.A)
Settings\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Optional.Zwangi)
SPSetup[1].exe (PUP.Optional.Conduit.A)

 

C:\AdwCleaner\Quarantine\C\Program Files\Level Quality Watcher <=This is cleaning out the quarantined AdwCleaner folder

 

Re-open AdwCleaner and hit Uninstall to remove the program and all items in its quarantine.

 

 

Run ESETOnlineScanner Please use Internet Explorer as the scanner uses ActiveX
If you will not use Internet Explorer, please see 3 - 1 & 3 - 2

Read and follow How To Temporarily Disable Your Anti-virus
1 . Hold down Control (Ctrl) key, and click on This link to open ESET OnlineScan in a new window.
2 . Click the Eset online button.
3 . For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
3 - 1 . Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
3 - 2 . Double click on esetsmartinstaller_enu on your desktop.

. - . Windows 7 and Vista must Right Click on it and select Run as administrator
4 . Check "YES, I accept the Terms of Use."
5 . Click the Start button.
6 . Accept any security warnings from your browser.
7 . Under scan settings, check "Scan Archives" and "Remove found threats"
8 . Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9 . ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take some time.
* My last scan on my XP 80% free space took 1.20 hours
10 . When the scan completes, click List Threats
11 . Click Export, and save the file to your desktop using a unique name, such as ESETScan.
- Include the contents of this report in your next reply.
12 . Click the Back button.
13 . Click the Finish button.
* NOTE:Sometimes if ESET Scanner finds no infections it will not create a log.
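
Added example, not part of any post in this thread: a small Python parser for the Malwarebytes Anti-Malware 1.75 log layout posted above. It performs the check post #5 asks for by hand: tallying detections per PUP family, listing any item whose outcome is not "Quarantined and deleted successfully", and comparing each "Detected: N" header with the entries actually listed. The function names, the family-grouping rule and the last sample line (with the "No action taken" outcome) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.75 log layout shown in this thread.
# Most entries are copied from the log in post #4; the final entry, with a
# different outcome, is made up to exercise the "not removed" path.
SAMPLE_LOG = r"""Registry Keys Detected: 2
HKCU\Software\SavingsBull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Savings Bull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Program Files\SavingsBull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\xxxxxxxx\Downloads\SoftwareInstallation.exe (PUP.Optional.Outbrowse) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QDWM4W0E\SPSetup[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\xxxxxxxx\Downloads\example-setup.exe (PUP.Optional.InstallCore.A) -> No action taken.
"""

# "Files Detected: 30" style headers that open each result section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)\s*$")
# "<object> (<detection name>) -> <outcome>." The greedy object group lets
# paths that themselves contain parentheses, e.g. "Program Files (x86)", parse.
ENTRY_RE = re.compile(
    r"^(?P<object>.+) \((?P<detection>[^()]+)\) -> (?P<outcome>.+?)\.?\s*$"
)
REMOVED_OUTCOME = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return the declared per-section counts and every detection entry."""
    declared, entries, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            declared[section] = int(header.group("count"))
            continue
        # Ignore the scan metadata that precedes the first section header.
        entry = ENTRY_RE.match(line) if section else None
        if entry:
            entries.append({"section": section, **entry.groupdict()})
    return {"declared": declared, "entries": entries}


def family(detection):
    """Group detection names: drop a one-letter variant suffix, fold case.

    Assumption for this example: "PUP.Optional.SavingsBull.A" and
    "PUP.Optional.Savingsbull" are treated as the same family.
    """
    return re.sub(r"\.[A-Z]$", "", detection).lower()


def triage(parsed):
    """Summarise a parsed log for a quick 'was everything removed?' check."""
    found = Counter(e["section"] for e in parsed["entries"])
    return {
        "by_family": Counter(family(e["detection"]) for e in parsed["entries"]),
        "not_removed": [
            e for e in parsed["entries"] if e["outcome"] != REMOVED_OUTCOME
        ],
        # Section -> (declared, listed); non-empty means the paste is incomplete.
        "count_mismatch": {
            name: (count, found[name])
            for name, count in parsed["declared"].items()
            if count != found[name]
        },
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    for name, count in report["by_family"].most_common():
        print(f"{count:3d}  {name}")
    for item in report["not_removed"]:
        print("NOT REMOVED:", item["object"], "->", item["outcome"])
    for name, (declared, listed) in report["count_mismatch"].items():
        print(f"{name}: header says {declared}, log lists {listed}")
```
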



#6 IerynEtra

IerynEtra
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 03 March 2014 - 02:54 PM

AdwCleaner result:
 
# AdwCleaner v3.020 - Report created 03/03/2014 at 19:07:33
# Updated 27/02/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Christine Case-Leng - CHRISPCAWESOME
# Running from : C:\Users\Christine Case-Leng\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
Service Deleted : CltMngSvc
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\Program Files (x86)\SearchProtect
Folder Deleted : C:\Users\Christine Case-Leng\AppData\Local\genienext
Folder Deleted : C:\Users\Christine Case-Leng\AppData\Local\Mobogenie
Folder Deleted : C:\Users\Christine Case-Leng\AppData\Local\SearchProtect
Folder Deleted : C:\Users\CHRIST~1\AppData\Local\Temp\AirInstaller
Folder Deleted : C:\Users\CHRIST~1\AppData\Local\Temp\apn
Folder Deleted : C:\Users\CHRIST~1\AppData\Local\Temp\Jump Flip
Folder Deleted : C:\Users\CHRIST~1\AppData\Local\Temp\Smartbar
Folder Deleted : C:\Users\Christine Case-Leng\AppData\Roaming\newnext.me
Folder Deleted : C:\Users\Christine Case-Leng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mobogenie
Folder Deleted : C:\Users\Christine Case-Leng\Documents\Mobogenie
Folder Deleted : C:\Users\Christine Case-Leng\Documents\Optimizer Pro
File Deleted : C:\END
File Deleted : C:\Users\Christine Case-Leng\AppData\Roaming\Mozilla\Firefox\Profiles\su4x2c5j.default\searchplugins\conduit-search.xml
File Deleted : C:\Users\Christine Case-Leng\AppData\Roaming\Mozilla\Firefox\Profiles\su4x2c5j.default\searchplugins\Web Search.xml
File Deleted : C:\Users\Christine Case-Leng\AppData\Roaming\Mozilla\Firefox\Profiles\su4x2c5j.default\user.js
File Deleted : C:\Windows\System32\Tasks\LaunchApp
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduit.com
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [NextLive]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [mobilegeni daemon]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\SoftwareUpdater
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16518
 
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Default_Search_URL]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [SearchAssistant]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [Default]
 
-\\ Mozilla Firefox v27.0.1 (en-US)
 
[ File : C:\Users\Christine Case-Leng\AppData\Roaming\Mozilla\Firefox\Profiles\su4x2c5j.default\prefs.js ]
 
Line Deleted : user_pref("browser.newtab.url", "hxxp://search.conduit.com/?ctid=CT3323129&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=&Lay=1&UM=4&UP=SP98179AAB-5D98-46FA-BA3C-12B33E6E726A");
Line Deleted : user_pref("browser.search.defaultenginename", "Conduit Search");
Line Deleted : user_pref("browser.search.selectedEngine", "Conduit Search");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3323129&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP98179AAB-5D98-46FA-BA3C-12B33E6E726A&SSPV=");
Line Deleted : user_pref("extensions.crossrider.bic", "144683afe9f601cfb8e208c193bba0f7");
Line Deleted : user_pref("extensions.wajam.affiliate_id", "3008");
Line Deleted : user_pref("extensions.wajam.firstrun", "false");
Line Deleted : user_pref("extensions.wajam.install_timestamp", "1393267765");
Line Deleted : user_pref("extensions.wajam.landing_page_done", "true");
Line Deleted : user_pref("extensions.wajam.landing_page_on_first_run", "true");
Line Deleted : user_pref("extensions.wajam.log_send_info", "true");
Line Deleted : user_pref("extensions.wajam.machine_id", "cbb131e5053777ed80c0aff1c489ca23");
Line Deleted : user_pref("extensions.wajam.mappingListJsonString", "{\"version\":\"0.21088\",\"update_interval\":973,\"base_url\":\"hxxp:\\/\\/www.wajam.com\\/\",\"update_url\":\"hxxp:\\/\\/www.wajam.com\\/addon\\/m[...]
Line Deleted : user_pref("extensions.wajam.no_trace", "false");
Line Deleted : user_pref("extensions.wajam.server_current_mapping_version", "0.21088");
Line Deleted : user_pref("extensions.wajam.trace_log", "1393523244271 - processSiteLookup - getMatchingSiteName return: null\n1393523244271 - processSiteLookup - Not a supported site:hxxps://www.facebook.com/?ref=tn[...]
Line Deleted : user_pref("extensions.wajam.unique_id", "86FC0E46EDB855E624BABA17E30411CA");
Line Deleted : user_pref("extensions.wajam.user_current_mapping_version", "0");
Line Deleted : user_pref("extensions.wajam.version", "1.27");
 
-\\ Google Chrome v33.0.1750.117
 
[ File : C:\Users\Christine Case-Leng\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted : homepage
Deleted : search_url
Deleted : suggest_url
Deleted : keyword
 
*************************
 
AdwCleaner[R0].txt - [7629 octets] - [03/03/2014 19:05:49]
AdwCleaner[S0].txt - [6470 octets] - [03/03/2014 19:07:33]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6530 octets] ##########
 
 
The malwarebytes did not save a report, nor is there a log folder, though it did find and remove problems and so far so good.
 


#7 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:31 AM

Posted 03 March 2014 - 04:31 PM

"The malwarebytes did not save a report, nor is there a log folder"

@ IerynEtra
 

With Malwarebytes Anti-Malware the log can also be found here:
 C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
 Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or you can open the program and click Logs across the top of the face
Any previous logs are stored in order by date

 

Also run the ESET Online Scanner as listed above -



#8 camplate

camplate

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 03 March 2014 - 09:45 PM

ESETOnlineScanner

 

C:\ProgramData\Spybot - Search & Destroy\Recovery\USTechSupportMyCleanPC.zip    Win32/Bagle.gen.zip worm    
C:\Users\All Users\Spybot - Search & Destroy\Recovery\USTechSupportMyCleanPC.zip    Win32/Bagle.gen.zip worm    
C:\Users\camplate\Music\wont get fooled again - bonus track.mp3    a variant of WMA/TrojanDownloader.GetCodec.gen trojan    
C:\VPNIPSecClient.exe    Win32/PrcView potentially unsafe application    deleted - quarantined
C:\Documents and Settings\All Users\Spybot - Search & Destroy\Recovery\USTechSupportMyCleanPC.zip    Win32/Bagle.gen.zip worm    cleaned by deleting - quarantined
C:\Documents and Settings\camplate\Music\wont get fooled again - bonus track.mp3    a variant of WMA/TrojanDownloader.GetCodec.gen trojan    cleaned - quarantined
C:\Program Files\Cisco Systems\VPN Client\Process.exe    Win32/PrcView potentially unsafe application    deleted - quarantined
C:\Program Files\LimeWire\.NetworkShare\LimeWireWin5.5.14.exe    a variant of Win32/Bundled.Toolbar.Ask.A potentially unsafe application    deleted - quarantined
C:\Program Files\LimeWire\.NetworkShare\LimeWireWin5.5.16.exe    probably a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Program Files\LimeWire\.NetworkShare\LimeWireWin5.5.8.exe    a variant of Win32/Bundled.Toolbar.Ask.A potentially unsafe application    deleted - quarantined
C:\Program Files\Trend Micro\HijackThis\backups\backup-20101030-075746-186.dll    a variant of Win32/PriceGong.A potentially unwanted application    deleted - quarantined
C:\Temp\t.msi    Win32/AdWare.Adpeak.B application    deleted - quarantined

 

Still having issues. Thanks.



#9 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:31 AM

Posted 04 March 2014 - 06:02 AM

@ camplate -
Your computer is badly infected (as you jumped in halfway through)
I never did the basic diagnostics first and you just posted 2 Logs -

 

Please follow the instructions in THIS PREP GUIDE starting at Step #6.

NOTE - If you cannot complete a step, skip it and continue.

 

 Once the proper DDS logs are created, then make a NEW TOPIC and post it to =>
Virus, Trojan, Spyware, and Malware Removal Logs. area -

 

They can use more tools to find the problem than I can use in this area.

 

NOTE that the "average wait time" for the Malware Experts is about 1 to 3 days so be patient.

 

If HelpBot replies, please follow its Step #1 so the Malware Removal team will be notified.

 

When you post the new topic, please link it back here, and I will follow it there -



#10 camplate

camplate

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 05 March 2014 - 05:33 AM

http://www.bleepingcomputer.com/forums/t/526548/infected-with-savingsbull-and-others/

 

Thank you.



#11 IerynEtra

IerynEtra
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 20 March 2014 - 02:33 PM

I had to re-run the scan after re-downloading the software as it said it needed an update and then wouldn't work, this is what the log came up with.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.20.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Christine Case-Leng :: CHRISPCAWESOME [administrator]

20/03/2014 19:24:10
mbam-log-2014-03-20 (19-24-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217308
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Christine Case-Leng\AppData\Local\Temp\ICReinstall_nsg4442.tmp (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.
C:\Users\Christine Case-Leng\AppData\Local\Temp\nsbC37F.tmp (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.
C:\Users\Christine Case-Leng\AppData\Local\Temp\nsg4442.tmp (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.

(end)



#12 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:31 AM

Posted 21 March 2014 - 03:06 AM

Hello IerynEtra -
Sorry that your topic was overrun by others, but I am unable to remove their posts.

There were a couple of small items removed, but not what I was looking for.

 

Print or copy this post so that you can follow it .........
 

 

Run ESETOnlineScanner Please use Internet Explorer as the scanner uses ActiveX
If you will not use Internet Explorer, please see 3 - 1 & 3 - 2

Read and follow How To Temporarily Disable Your Anti-virus

1 . Hold down Control (Ctrl) key, and click on This link to open ESET OnlineScan in a new window.
2 . Click the Eset online button.
3 . For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
3 - 1 . Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
3 - 2 . Double click on esetsmartinstaller_enu on your desktop.

NOTE - . Windows 7 and Vista should Right Click on it and select Run as administrator
4 . Check "YES, I accept the Terms of Use."
5 . Click the Start button.
6 . Accept any security warnings from your browser.
7 . Under scan settings, check "Scan Archives" and "Remove found threats"
8 . Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9 . ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take some time.
10 . When the scan completes, click List Threats
11 . Click Export, and save the file to your desktop using a unique name, such as ESETScan.
- Include the contents of this report in your next reply.
12 . Click the Back button.
13 . Click the Finish button.
* NOTE: Sometimes if ESET Scanner finds no infections it will not create a log (just tell me).





