toolbar malware keeps showing up? how?

[macgig]

this PC I have I rarely use. do very little web surfing on it. almost never. today I run spybot SD, and it's showing malware and adware entries...

Montera.toolbar
Delta.toolbar.

delta.toolbar I've seen many times on multiple PCs...

my question is, where is this coming from? I don't install or use toolbars, so why is this here? I use firefox... is their some setting I can use to stop this junk from installing? (if it's coming from the web or web surfing that is)?. it's got to be coming from the very little web surfing I do since I also rarely install programs on this machine. only programs I've installed recently were IMGburn and CDBurnerXP. could it have came from those programs?

thanks.

 

[DavidE]

Unfortunately installing anything can try to install other software such as toolbars.
You must read each screen in the installation process and make sure to uncheck anything that is checked by default to install other software.
In some cases in the Terms it states other software will be installed...I would cancel the install if I ever see that.
It can also make a difference where you downloaded the installer from.
Some sites may package the installer with things you don't want.

 

[macgig]

I went slow on the installs, didn't see anything I had to uncheck that would install extra junk. so i'm just trying to figure out what im doing to get this on there, especially the delta toolbar... thats been on here many times.

it makes no sense really, I rarely use this pc... very little web surfing but somehow this stuff gets on here... crazy. lol

 

[DavidE]

Where do you download from?
Here is something I found trying to find out how Delta Toolbar gets installed.

You may get the search and toolbar installed on your PC along with certain software downloaded from well-known websites such as Cnet or Softonic.

Source: Delta Search Redirection and Toolbar Removal Guide

 

[macgig]

I used cnet once I think, can't recall. also used tucows which really was a mistake. the other PC got infected bad after grabbing a program from tucows. thanks for the link I'll check it out.

 

[DavidE]

The only other advice I can think of is when you have choices of "Quick Install" and "Custom Install", NEVER choose Quick Install.
That will most likely install other things without any choice to opt-out by the user.

 

[macgig]

I never use custom, but looks like I will now. makes perfect sense. thanks.

 

[Jacee]

Get rid of the junk you didn't invite with AdwCleaner:

Download AdWareCleaner AdwCleaner Download to your desktop
1.Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
2.Click on Delete button.
3.Confirm each time with OK.
4.Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

After, you've done that, clean all temporary files with TFC:
Download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

 

[macgig]

looks like it's gone, spybot and malwarebytes says all is gone. should I still run adwcleaner?

 

[Jacee]

Yes, just to see if more junk is there.

 

[macgig]

will do thanks.

 

[macgig]

contents of that file...

# AdwCleaner v2.303 - Logfile created 06/10/2013 at 13:10:40
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : user - ale
# Boot Mode : Normal
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\5aedb88b468bf40
Key Deleted : HKCU\Software\Ask.com.tmp
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

*************************

AdwCleaner[S1].txt - [1695 octets] - [10/06/2013 13:10:40]

########## EOF - C:\AdwCleaner[S1].txt - [1755 octets] ##########

 

[Jacee]

See? You did have more junk

 

[macgig]

yeah. spybot and malwarebytes reported nothing else. interesting. running on my laptop, same thing. more junk.

 

[macgig]

here is the one for my laptop... conduit search.... again spybot and Malwarebytes said it removed that. guess not. :sarc:


# AdwCleaner v2.303 - Logfile created 06/10/2013 at 13:26:28
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : user - ALELAPTOP
# Boot Mode : Normal
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\WNLT
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3295465
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\PIP

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={9D61DA01-BD86-11E2-9FE8-001B3838B947} --> hxxp://www.google.com

-\\ Mozilla Firefox v21.0 (en-US)

*************************

AdwCleaner[S1].txt - [1915 octets] - [10/06/2013 13:26:28]

########## EOF - C:\AdwCleaner[S1].txt - [1975 octets] ##########

 

[Jacee]

Some of this stuff is "whitelisted" (like an opt-in) .... so it's not detected by some anti-malware scanners.

Whitelist - Wikipedia, the free encyclopedia

 

[DavidE]

Some of this stuff is "whitelisted" (like an opt-in) .... so it's not detected by some anti-malware scanners.

Whitelist - Wikipedia, the free encyclopedia

Hope you don't mind me jumping back in with a question!
Is this "whitelist" on a user PC, or is it somehow a Global whitelist so some scanners don't detect it for anyone?

 

[Jacee]

It depends on what scanner is used. There are people who actually install these search BHO's :shock: