Pay per Click

It’s amazing what kind of garbage can get installed by a “single” innocent click to download an update or free program.

Here’s the scan log from the secretary’s computer.

# AdwCleaner v3.010 – Report created 27/10/2013 at 11:39:26
# Updated 20/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Option : Clean

***** [ Services ] *****

Service Deleted : DefaultTabSearch

***** [ Files / Folders ] *****

Folder Deleted : E:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : E:\Documents and Settings\All Users\Application Data\eSafe
Folder Deleted : E:\Program Files\Conduit
Folder Deleted : E:\Program Files\DefaultTab
Folder Deleted : E:\Program Files\Desk 365
Folder Deleted : E:\Program Files\MyPC Backup
Folder Deleted : E:\Program Files\Common Files\337
Folder Deleted : E:\Documents and Settings\Sandy\Local Settings\Application Data\Conduit
Folder Deleted : E:\DOCUME~1\Sandy\LOCALS~1\Temp\CT3303000
Folder Deleted : E:\Documents and Settings\Sandy\Application Data\Desk 365
Folder Deleted : C:\Documents and Settings\Sandy\My Documents\optimizer pro
Folder Deleted : E:\Documents and Settings\Sandy\Application Data\Mozilla\Firefox\Profiles\2ime821w.default\CT3303000
Folder Deleted : E:\Documents and Settings\Sandy\Application Data\Mozilla\Firefox\Profiles\2ime821w.default\Extensions\{37a7edb7-afda-4373-9865-02bf8160e677}
[!] Folder Deleted : E:\Documents and Settings\LocalService\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
File Deleted : E:\END
File Deleted : E:\Documents and Settings\Sandy\Application Data\Mozilla\Firefox\Profiles\2ime821w.default\searchplugins\Conduit.xml
File Deleted : E:\Documents and Settings\Sandy\Application Data\Mozilla\Firefox\Profiles\2ime821w.default\user.js
File Deleted : E:\Documents and Settings\Sandy\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage
File Deleted : E:\Documents and Settings\Sandy\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage-journal

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DeskSvc
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WsysSvc
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0044162.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0044162.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0044162.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0044162.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3303000
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_edakhebdfmenljamaknlnnallmchcdei]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110411411162}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550455415562}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660466416662}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440444414462}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110411411162}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110411411162}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110411411162}
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [E:\Documents and Settings\All Users\Application Data\eSafe\eGdpSvc.exe]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DefaultTab
Key Deleted : HKLM\Software\Desksvc
Key Deleted : HKLM\Software\DomaIQ
Key Deleted : HKLM\Software\InstalledThirdPartyPrograms
Key Deleted : HKLM\Software\V9

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v21.0 (en-US)

[ File : E:\Documents and Settings\Sandy\Application Data\Mozilla\Firefox\Profiles\2ime821w.default\prefs.js ]

Line Deleted : user_pref(“CT3303000.FF19Solved”, “true”);
Line Deleted : user_pref(“CT3303000.UserID”, “UN34203952171980520”);
Line Deleted : user_pref(“CT3303000.browser.search.defaultthis.engineName”, “true”);
Line Deleted : user_pref(“CT3303000.fullUserID”, “UN34203952171980520.IN.20131027094131”);
Line Deleted : user_pref(“CT3303000.installDate”, “27/10/2013 09:41:34”);
Line Deleted : user_pref(“CT3303000.installSessionId”, “{EBF3B54B-9410-4189-A814-3E75CA287852}”);
Line Deleted : user_pref(“CT3303000.installSp”, “TRUE”);
Line Deleted : user_pref(“CT3303000.installerVersion”, “1.8.0.14”);
Line Deleted : user_pref(“CT3303000.keyword”, “true”);
Line Deleted : user_pref(“CT3303000.originalHomepage”, “hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official”);
Line Deleted : user_pref(“CT3303000.originalSearchAddressUrl”, “”);
Line Deleted : user_pref(“CT3303000.originalSearchEngine”, “Search”);
Line Deleted : user_pref(“CT3303000.originalSearchEngineName”, “Funmoods”);
Line Deleted : user_pref(“CT3303000.searchRevert”, “false”);
Line Deleted : user_pref(“CT3303000.searchUserMode”, “2”);
Line Deleted : user_pref(“CT3303000.smartbar.homepage”, “true”);
Line Deleted : user_pref(“CT3303000.toolbarInstallDate”, “27-10-2013 09:41:31”);
Line Deleted : user_pref(“CT3303000.versionFromInstaller”, “10.21.1.7”);
Line Deleted : user_pref(“CT3303000.xpeMode”, “0”);
Line Deleted : user_pref(“Smartbar.SearchFromAddressBarSavedUrl”, “”);
Line Deleted : user_pref(“browser.search.defaultenginename”, “Vafmusic7 Customized Web Search”);
Line Deleted : user_pref(“browser.search.defaultthis.engineName”, “Vafmusic7 Customized Web Search”);
Line Deleted : user_pref(“browser.search.defaulturl”, “hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3303000&CUI=UN34203952171980520&UM=2&SearchSource=3&q={searchTerms}”);
Line Deleted : user_pref(“browser.search.selectedEngine”, “Vafmusic7 Customized Web Search”);
Line Deleted : user_pref(“browser.startup.homepage”, “hxxp://search.conduit.com/?ctid=CT3303000&octid=CT3303000&SearchSource=61&CUI=UN34203952171980520&UM=2&UP=SPF8BD556B-D67C-486E-ADE1-02DF8FDDEA39&SSPV=”);
Line Deleted : user_pref(“extensions.funmoods.aflt”, “iron2”);
Line Deleted : user_pref(“extensions.funmoods.autoRvrt”, false);
Line Deleted : user_pref(“extensions.funmoods.cntry”, “US”);
Line Deleted : user_pref(“extensions.funmoods.cv”, “cv5”);
Line Deleted : user_pref(“extensions.funmoods.dfltLng”, “”);
Line Deleted : user_pref(“extensions.funmoods.dfltSrch”, true);
Line Deleted : user_pref(“extensions.funmoods.dnsErr”, true);
Line Deleted : user_pref(“extensions.funmoods.envrmnt”, “production”);
Line Deleted : user_pref(“extensions.funmoods.excTlbr”, false);
Line Deleted : user_pref(“extensions.funmoods.hdrMd5”, “A2AFB9A01D118DF07B2D648C6159721C”);
Line Deleted : user_pref(“extensions.funmoods.hmpg”, true);
Line Deleted : user_pref(“extensions.funmoods.hmpgUrl”, “hxxp://searchfunmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzutDtDyCtDzyyBtBtD0EyBtA0CtDtCyCtCtN0D0Tzu0CtBzztDtN1L2XzutBtFtBtFtDtFtAyEyE&cr=816550834”)[…]
Line Deleted : user_pref(“extensions.funmoods.id”, “00609720E73C0161”);
Line Deleted : user_pref(“extensions.funmoods.instlDay”, “15620”);
Line Deleted : user_pref(“extensions.funmoods.instlRef”, “iron2”);
Line Deleted : user_pref(“extensions.funmoods.isdcmntcmplt”, true);
Line Deleted : user_pref(“extensions.funmoods.lastVrsnTs”, “1.5.23.229:39:47”);
Line Deleted : user_pref(“extensions.funmoods.mntrvrsn”, “1.3.0”);
Line Deleted : user_pref(“extensions.funmoods.newTab”, true);
Line Deleted : user_pref(“extensions.funmoods.newTabUrl”, “hxxp://searchfunmoods.com/?f=2&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzutDtDyCtDzyyBtBtD0EyBtA0CtDtCyCtCtN0D0Tzu0CtBzztDtN1L2XzutBtFtBtFtDtFtAyEyE&cr=816550834[…]
Line Deleted : user_pref(“extensions.funmoods.prdct”, “funmoods”);
Line Deleted : user_pref(“extensions.funmoods.prtnrId”, “funmoods”);
Line Deleted : user_pref(“extensions.funmoods.sg”, “none”);
Line Deleted : user_pref(“extensions.funmoods.smplGrp”, “none”);
Line Deleted : user_pref(“extensions.funmoods.srchPrvdr”, “Search”);
Line Deleted : user_pref(“extensions.funmoods.tlbrId”, “base”);
Line Deleted : user_pref(“extensions.funmoods.tlbrSrchUrl”, “hxxp://searchfunmoods.com/?f=3&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzutDtDyCtDzyyBtBtD0EyBtA0CtDtCyCtCtN0D0Tzu0CtBzztDtN1L2XzutBtFtBtFtDtFtAyEyE&cr=8165508[…]
Line Deleted : user_pref(“extensions.funmoods.vrsn”, “1.5.23.22”);
Line Deleted : user_pref(“extensions.funmoods.vrsnTs”, “1.5.23.229:39:47”);
Line Deleted : user_pref(“extensions.funmoods.vrsni”, “1.5.23.22”);
Line Deleted : user_pref(“extensions.funmoods_i.newTab”, true);
Line Deleted : user_pref(“extensions.funmoods_i.smplGrp”, “none”);
Line Deleted : user_pref(“extensions.funmoods_i.vrsnTs”, “1.5.23.229:39:47”);
Line Deleted : user_pref(“keyword.URL”, “hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3303000&SearchSource=2&CUI=UN34203952171980520&UM=2&q=”);
Line Deleted : user_pref(“smartbar.addressBarOwnerCTID”, “CT3303000”);
Line Deleted : user_pref(“smartbar.conduitHomepageList”, “hxxp://search.conduit.com/?ctid=CT3303000&CUI=UN34203952171980520&UM=2&SearchSource=13,hxxp://search.conduit.com/?ctid=CT3303000&octid=CT3303000&SearchSource[…]
Line Deleted : user_pref(“smartbar.conduitSearchAddressUrlList”, “hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3303000&SearchSource=2&CUI=UN34203952171980520&UM=2&q=”);
Line Deleted : user_pref(“smartbar.defaultSearchOwnerCTID”, “CT3303000”);
Line Deleted : user_pref(“smartbar.homePageOwnerCTID”, “CT3303000”);
Line Deleted : user_pref(“smartbar.machineId”, “CVL1X4OUKGBQYAESJ0HCSJDCIG4JOOXPTDC1XIFL2YMRK3S7VBEY769REHEDIQ2DYLLBZOAU1E5D01AD4HSWEW”);
Line Deleted : user_pref(“smartbar.originalHomepage”, “hxxp://search.conduit.com/?ctid=CT3303000&CUI=UN34203952171980520&UM=2&SearchSource=13”);

-\\ Google Chrome v

[ File : E:\Documents and Settings\Sandy\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt – [12231 octets] – [27/10/2013 11:37:32]
AdwCleaner[S0].txt – [12317 octets] – [27/10/2013 11:39:26]

########## EOF – E:\AdwCleaner\AdwCleaner[S0].txt – [12378 octets] ##########

Be careful out there kid! It’s a jungle…

Leave a Reply

%d bloggers like this: