WIN 32 CONDUIT : Browsing experience a nightmare now

Hello, I am looking for help in removing some malware that has made my browsing experience a nightmare. My online banking site will no longer load at all; it is redirected to a blank white page and there are hundreds of random characters in the address field. The same thing happens when I try to log in to online billing sites. I had the Trovi redirect and SearchProtect malware; every time I opened a new tab the Trovi search page came up. By resetting the browser to default I got rid of this problem, however many web sites are now no longer functional; I get redirected to a blank white page. This never happened before this malware got onto my system. I just want my computer to go back to the experience I used to have; now so many websites that I use most often, like online banking and bill paying, I can’t even access. I don’t know what to do. When I run the Avast scan it says WIN 32 conduit, but it tells me it will delete the files after restart; when I restart and run the scan again it is still there. I followed all the instructions in this thread, and I have attached all the logs of the scans I was instructed to run. Any help in repairing my computer would be greatly appreciated.

Also run AdwCleaner and attach log www.bleepingcomputer.com/download/adwcleaner/

Removers will be back online tomorrow

Thanks! AdwCleaner log attached.

You had a ridiculous amount of adware on your system. Can you confirm that Conduit is still there, as MBAM and AdwCleaner should have targeted it?

Install Unchecky: It’ll keep your system clean 99% of the time from Adware like Conduit.

Link: http://unchecky.com/

Yeah, it’s still there.

Could you let me know what problems remain after this?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll File Not Found
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC32Loader.dll => "C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC32Loader.dll" File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50484;https=127.0.0.1:50484
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3332201&octid=EB_ORIGINAL_CTID&ISID=M16E08126-907C-4788-85D7-D6039B3E519F&SearchSource=55&CUI=&UM=8&UP=SP4F1EDB34-B362-4A9C-808B-C62D941F161E&SSPV=
Task: {4A549D69-2DA0-4113-9BE9-C37E545AADC7} - \GPUP No Task File <==== ATTENTION
Task: {ECA43F03-63A7-4583-A213-CBB64F562910} - \Jelbrus Secure Web Task No Task File <==== ATTENTION
Hosts:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
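Added example, not part of the original posts and not FRST's own code: a small Python triage pass over the kinds of entries that appear in the fixlist above, flagging the loopback proxy, the AppInit_DLLs leftovers, the Chrome policy restriction and the orphaned tasks. The function name `triage` and the category labels are hypothetical, and the parsing covers only the line shapes visible in this thread, not the full FRST log format.

```python
import re

# Lines copied from the fixlist quoted above (format as it appears in the post).
SAMPLE = r"""AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50484;https=127.0.0.1:50484
Task: {4A549D69-2DA0-4113-9BE9-C37E545AADC7} - \GPUP No Task File <==== ATTENTION
Hosts:
""".splitlines()

# host:port pairs that point back at the local machine
LOOPBACK = re.compile(r"(?:^|[=;/\s])(127\.\d+\.\d+\.\d+|localhost|\[::1\]):(\d+)")

def triage(lines):
    """Return ordered (category, detail) findings for the entry shapes in the post."""
    findings = []
    for raw in lines:
        line = raw.strip()
        key, _, value = line.partition(":")
        if key == "ProxyServer":
            # A loopback proxy routes browser traffic through a process on this machine.
            for host, port in LOOPBACK.findall(value):
                findings.append(("loopback-proxy", f"{host}:{port}"))
        elif key == "ProxyEnable" and "enabled" in value.lower():
            findings.append(("proxy-enabled", value.split("=>")[0].strip()))
        elif key.startswith("AppInit_DLLs"):
            # DLLs named here are loaded into every process that loads user32.dll.
            dll = value.split("=>")[0].strip()
            state = "missing-file" if "File Not Found" in value else "present"
            findings.append(("appinit-dll", f"{dll} ({state})"))
        elif "Policies\\Google" in line:
            findings.append(("chrome-policy", key))
        elif key == "Task" and "No Task File" in value:
            findings.append(("orphan-task", value.split(" - ")[0].strip()))
    # http= and https= repeat the same endpoint: de-duplicate, keep order.
    return list(dict.fromkeys(findings))

if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"{category:15} {detail}")
```

Running the same pass over a later log shows at a glance whether the `ProxyServer` entry on 127.0.0.1 has come back after a fix.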

Thanks, log attached. Also, I’m noticing now that I’m getting several advertisements for avast.com daily deals, need help with avast?, beneath them it says ad by CouponDropDown. Is this normal? I wasn’t seeing these before.

I get all this new adware now that wasn’t there before, and the original problems of certain web pages not loading remain.

Adware everywhere now.

Is that Chrome that it is showing in?

Could you run a fresh FRST scan for me, please?

Firefox. Do I select the addition.txt and shortcut.txt boxes before I run the scan and attach those logs?

Logs attached. I forgot to run as administrator this time. Should I do it again but as administrator?

Did you set the proxy on your internet connection?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Sorry, I’m not sure what that means or how to do it. I’m following the Combofix instructions now.

OK, if you don’t know then you did not set it.

Here is the Combo log. It did not reboot automatically after it was done, so I manually rebooted.

OK, let’s now repair the proxy

Download Windows All In One Repair from Tweaking.com to your desktop
Install the programme and run
Select Step 5 : Back up your registry and create a system restore point

https://dl.dropboxusercontent.com/u/73555776/waiobackup.JPG

Then select the Repairs tab

https://dl.dropboxusercontent.com/u/73555776/waiorepairs.JPG

Select Open repairs

Select the following repair number items :

13
15

Click Start

https://dl.dropboxusercontent.com/u/73555776/waiorepair.JPG

Once it has completed then reboot the system

Ok, I followed the instructions to repair the proxy. I’m still having the same problems. The original problems were web pages loading to a blank white page, not all, mostly banking and bill paying. After we did the FRST fix earlier I started having new problems with all these ads. I’ve attached some photos if that helps. There are banner ads, a large amount, on all web pages now, and many words in the web pages are all CAPS, and have been turned into hyperlinks, and if you hover over them with the mouse a larger ad appears.

Could you run a fresh FRST please? I want to see if the proxy is still there. Also, is this only in Firefox or all browsers?

The older problems of URLs being redirected to blank white pages that had hundreds of characters of gibberish in the address bar were happening on Chrome, Firefox, IE, and Safari. The newer problems, of banner ads and words on the web page being turned into all caps hyperlinks, with ads that display if you hover over them, so far are only happening on Firefox. Also so far only happening on Firefox are these full page tab ads, where I click on something, say the Google search result for Avast forum, and along with opening up the Avast forum it opens up another tab with a full page ad. It just happened again when I clicked on more attachments on this page. The fresh FRST scan logs are attached below.