Problem with incomplete Conduit Softonic toolbar programs...

Hi essexboy,

Hereby the attached OTS file for the issue we discussed in my recent PM…

Damian

Hi Damian, could you resave as ANSI please ;D

Hi essexboy,

Saved as such. By the way, this browser hijacker-crap-feeder is becoming a real pain in the neck, I have read.
Liked the PicPick program, but what that served up through the downloader yesterday, even as I started it up with avast sandbox, startled even me and I am not a first class n00b,

Damian

OK I think I got them all - let me know if I missed one

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: URLSearchHooks\\"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: URLSearchHooks\\"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Settings [Prefs.js] > -> C:\Users\mysz\AppData\Roaming\Mozilla\FireFox\Profiles\syue97pt.default\prefs.js
YN -> browser.search.defaultthis.engineName -> "Freecorder Customized Web Search"
YN -> browser.search.defaulturl -> "http://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}"
YN -> browser.search.selectedEngine -> "Freecorder Customized Web Search"
YN -> browser.startup.homepage -> "http://search.conduit.com/?ctid=CT1060933&SearchSource=13"
YN -> extensions.enabledItems -> {27a03cf3-856f-46b8-91cb-7289f58c7e6e}:3.007
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{0BF43445-2F28-4351-9252-17FE6E806AA0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  ConduitEngine -> C:\Program Files\ConduitEngine
[Empty Temp Folders]
[EmptyFlash]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
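As an added example (not part of the thread and not OTS's own code): a small Python check that reads a Firefox prefs.js and reports which of the preferences named in the fix above still carry the Conduit values. The preference names and indicator strings are quoted from the fix; the sample file content and the function names are constructed for illustration.

```python
import json
import re

# Preference names taken from the Firefox section of the OTS fix above.
WATCHED_PREFS = {
    "browser.search.defaultthis.engineName",
    "browser.search.defaulturl",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "extensions.enabledItems",
}
# Values the fix associates with the toolbar (quoted from the thread, lowercased).
INDICATORS = (
    "search.conduit.com",
    "freecorder customized web search",
    "{27a03cf3-856f-46b8-91cb-7289f58c7e6e}",
)
# prefs.js stores one setting per line as: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

# Constructed sample content, not taken from a real profile.
SAMPLE = """\
// Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Freecorder Customized Web Search");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT1060933&SearchSource=13");
user_pref("extensions.enabledItems", "{27a03cf3-856f-46b8-91cb-7289f58c7e6e}:3.007,{00000000-0000-0000-0000-000000000000}:1.0");
user_pref("browser.search.defaulturl", "https://search.example/?q=");
user_pref("browser.tabs.warnOnClose", false);
"""

def parse_prefs(text):
    """Return {name: value} for every user_pref line; comments and junk are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        try:
            prefs[m.group(1)] = json.loads(m.group(2))  # strings, ints, booleans
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep the raw text if it is not JSON-like
    return prefs

def find_hijacked(text):
    """List (name, value) for watched prefs whose value contains a known indicator."""
    return sorted(
        (name, value) for name, value in parse_prefs(text).items()
        if name in WATCHED_PREFS and any(i in str(value).lower() for i in INDICATORS)
    )

if __name__ == "__main__":
    for name, value in find_hijacked(SAMPLE):
        print(f"still set: {name} = {value}")
```

To check a real profile, pass the contents of its prefs.js to `find_hijacked` while Firefox is closed, since the browser rewrites the file on exit.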

Hi essexboy,

Ta, mate, thanks a bunch, for others as a warning not to do what I have done, getting the Softonic toolbar nastiness, here is the ThreatExpert info for this malware: http://www.threatexpert.com/report.aspx?md5=9946be7a78b297f9b7918a99717dc9a2

polonus

Essexboy,

I thanked you for the script a bit prematurely, well it did not do the job completely, see attached files. First, it left behind two desktop.ini files on the desktop; secondly, the software is still in Program Files but with another date. See attached files,

Damian

Attached the appContextMenu file as a txt file,

polonus

C:\Program Files\ConduitEngine
OTS should have taken that out ???

Can you manually delete? The desktop ini are system hidden files - just reset to hide

Hi essexboy,

I have manually deleted the unwanted program from Program Files, and did a full run with ClearProg for the temp files, changed the search page settings for Firefox and the Softonic Find bar in IE is idle, just have to take that out,
The desktop ini files are marked hidden, but still visible. How to change that in Vista so that they no longer show up?
Think I am good to continue now, but this software is “lo tov”,

Damian

Hide hidden is basically the same in Vista: go to control panel > folder options and it is under the view tab.

Hi Essexboy,

Done that via configuration panel. It was OTS’s doing, now all is fine. The browser hijacker toolbars etc. (Conduit Engine Findbar & Softonic-Eng7-Findbar) have gone; the empty entries are still in explorer bars. Maybe have to reset IE for that.
All this started with the downloader for the PicPick software from here: hxtp://ab623c63-download.picpick.org/picpick_inst.exe
The program was OK, only the installer came packed with the additional Softonic “goodies”, which can be problematic as we experienced and are certainly PUP BHO’s and adware-malware. Did a resetting and cleansing of Firefox and reset to default settings. The browser hijacker is installed in both IE and Firefox. Flock browser is not affected.
Only the empty toolbar names are still in IE explorer bar, but empty and void…
Funny was when I ran the OTS script the first time, part of the script had run and the desktop went all black, the first part of the script went in a jiffy, the Conduit Engine delete part hung for quite some time and would not go, I then restarted and on running OTS with the same script for the third time all was cleansed like you predicted. I could have been warned when I installed the installer for picpick because avast would only let it run in the avast 6 sandbox, but as I have had this software for years and never a problem with this free program, I was not expecting the developers had made some deal with a crap launcher like Softonic. Anyways glad I am rid of it on my comp, and a good warning for all the other boys and gals here on the forums not to use such a kind of installer.
So folks, if avast alerts and wants to run something only through the sandbox, first come here for advice, that is the lesson learnt, because then something “fishy” is happening,

polonus

P.S. Also see these two ThreatExpert reports for this kind of crapware:
http://www.threatexpert.com/report.aspx?md5=e269b52a679e9cc07c5441a5bd78097b
and more recently this one:
http://www.threatexpert.com/report.aspx?md5=e7222762a4b5a8ea1b31c992362ea474

D