BitGuard/DeltaSearch/Conduit +etc. Need to verify I'm clean...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bunnislippers, Oct 28, 2013.

  1. bunnislippers

    bunnislippers Private E-2

    Hello

    I have a Dell 1545 laptop with Windows 7 x64 that now belongs to my 6th grade son.

    In August, I installed a brand new scorpio black hard drive in it and had barely finished setting up the operating system before he anxiously wanted to use it to play Roblox, Minecraft and program his Lego NXT. In October, around the 19th, he unwisely ignored my many warnings and lessons about downloading from the internet and risked trying to install Cheats for Clash of Clans. Of course it was like a nail bomb going off inside the laptop and I found over 17 various malware programs and search bar hijackers. The primary ones as far as I can tell were BitGuard, Delta Search, Conduit's Searchprotect, and a few other things I think from Babylon. Also something called LyricSing, etc. Many system settings were changed and not functioning correctly.

    I have been working all weekend trying to get rid of it all without having to do a reformat because I don’t have the time; my son starts a brand new school tomorrow morning and needs this laptop at school for a handwriting disability. Prior to coming to this site, I found a site that specifically addressed removal of the "BitGuard win32 b protector delta search", on Wintips.org, which appeared to be the exact offender I have. I followed their instructions which seemed to work rather well, but I wanted to follow your malware removal method to be absolutely sure my son wouldn't run into any problems using it at school and to verify this laptop was clean.

    I have run, in the order of your recommendation, your scans and attached their logs as specified (as is indicated in Step 13 below.) I first need to include extra logs as I had run a couple of these scan programs before when following Wintips’ guide, in addition to others not in your instructions, and those logs contained the details of much of the malware I was infected with; very few were left by the time I ran them for you so you wouldn't have seen them in those logs. Following is the order of troubleshooting events I have taken so far:

    1. My automatic weekly Malwarebytes full scan took place on Oct 20th and detected multitudes of items, yet took no action as I did not have my PUP settings set for quarantine/removal.
    I ran it again in step 8 with the settings changed to quarantine when I followed the Wintips.org instructions last night.
    2. Last night I began to follow Wintips.org instructions and booted into safe mode. Using RevoUninstaller, I uninstalled various rogue toolbars and programs.
    I have attached a file called “Wintips - RevoUninstaller BackUpData.txt” with details. ‘Wintips’ is representing logs created by following the wintips.org removal guide.
    3. I ran RogueKiller version x64.
    Attached is a file called “Wintips - RogueKiller.zip” which contains three logs:
    a) the log after removal
    b) the log after I selected “repair Hosts file”
    c) and a quarantine folder detailing removed items.

    4. I ran AdwCleaner.
    Attached is a file called “Wintips - AdwCleaner Results.zip” which contains three logs:
    a) The log after the first time I ran it
    b) The log when run a second time selecting CLEAN
    c) The log after running it a third time when it still found additional items

    5. I ran JRT – Junkware Removal Tool.
    Attached is a log file called “Wintips - JRT first run.txt”

    6. I removed Delta-Search settings from my Chrome browser wherever it took hostages.

    7. I deleted all hidden files I was able to find manually belonging to BitGuard, Delta-Search, Conduit, misc toolbars, smartbar, LyricSing, GoForFiles, QuickShare and Babylon… oy!

    8. I was instructed to run Malwarebytes at this point.
    I have attached logs in a zip file called “Wintips - MBAM.zip.” Within this zip file are:
    a) the MBAM log from the automatic weekly full scan on 10/20 before I began removal
    b) the MBAM log from running a quick scan at 2AM today 10/27 with quarantine settings
    c) a screenprint of the files which ended up in quarantine which I later deleted via MBAM

    9. I ran CCleaner for temporary files, application files, cookies, and registry entries. When I ran the registry cleaner, I ran it separately for each different group so that I could have a backup prior to each one.
    I have attached a file called “Wintips - CCleaner.zip” which contains those nine logs.

    10. I restarted my system…ooops, was supposed to after step 8 and forgot...well, at least only one step late.

    11. I downloaded and ran TDSSKiller on my own having used it in the past.
    I have attached a log named “Solo - TDSSKiller.3.0.0.14_27.10.2013_01.57.46_log” with ‘solo’ representing a log created by an action I took on my own not following any guide.
    12. At 8:00 am this morning, I ran as a precaution sfc.exe /scannow using a command prompt.
    I have attached a log called “Solo - sfc scan with CBS log.zip” with two files:
    a) A screen print of the cmd window after sfc.exe ran showing it found corrupt files and repaired them and that I could view results in the CBS.log file in the Windows directory.
    b) The CBS.log file it referred to – BUT I do not see anything from 8:00-8:10 am this morning for 10/27/2013 in this log. It appears the earliest was 3:30pm this afternoon. Very bizarre so I don’t see the log as any help whatsoever and don’t know where Windows wrote results after sfc.exe ran nor what files it repaired.

    13. This afternoon, I proceeded to follow Majorgeeks Malware Removal Guide and booted normally (not in safe mode) to do so.
    I have attached the following logs as per this guide:
    a) RKreport[0].txt from Rogue Killer.txt (My RK didn’t generate RKreport“[1]” either time I ran it, it always created a log with “[0]” after the name.)
    b) mbam-log 10-27-2013 Quick scan for Mgeeks.txt
    c) TDSSKiller.3.0.0.14_27.10.2013_16.27.55_log.txt
    d) HitmanPro_20131027_1640.log
    e) MGlogs.zip
    f) MBAM AntiRootkit mbar-log-2013-10-27 (18-19-04).txt (This evening, about 2 hours later, I ran this for good measure as I saw it in my MBAM “other tools” tab…please keep in mind my son has to take this laptop to school tomorrow, and I am trying to do what I can to limit his problems – if any…)

    Since I can only upload 5 attachments per post, I will add more posts with 5 attachments each until all listed here have been added to my thread. Hopefully they'll be in the order they are mentioned...

    Thank you so very much for your kindness in assisting people like me on this site. My son will take this tomorrow morning, and I will continue to test on it tomorrow evening when he returns. Hopefully I will have some sort of reply or action plan from you by then, but I will not be able to have access to the laptop until after 4:00 pm tomorrow, 10/28/2013. Until then, I wish you success in analyzing my logs and my case.

    With gratitude,
    Judy
     


  2. bunnislippers

    bunnislippers Private E-2

    My next 4 attachments.
    Next post will have my 5 Majorgeeks Malware Removal attachments...
     


  3. bunnislippers

    bunnislippers Private E-2

    Following are the 5 requested attachments for support from this site.

    Thanks - Please Help!!

    :) :(
     


  4. bunnislippers

    bunnislippers Private E-2

    One last thing to add...I kept the laptop home one more day to work on things, but I'm afraid I still have problems lurking somewhere that will grow in the future.

    I use Chrome Browser on all my devices. I never use IE and rarely spend any time "customizing" it. Since this is my son's laptop, I don't like toggling between my gmail and his on Chrome because it screws up our settings. Just now I logged into Internet Explorer to access my own gmail account and the minute I entered www.gmail.com and hit <enter>, Spybot Search & Destroy's SDHelper flew up a warning that it detected a malicious URL that is very dangerous or possibly hiding its true nature and that I shouldn't continue. It happens every time. Clicking deny navigates me away from gmail. When I just clicked 'allow', the SD message went away and I was at my inbox, but I am too nervous to trust things this soon and so I just closed IE altogether.

    I think that the warning message is valid and I need to know if it is a direct result from all this malware infecting my laptop and there still being something left behind.

    The error message precisely was:

    [screenshot of the SDHelper warning not preserved]

    All my logs are in the above posts along with the history of my problem. I'm using the laptop right now without anything else odd happening, but I've only been in Chrome today so I haven't tried too much else. Early this morning (2:30 am) I did an Eset Nod32 Online scan of the system and went to bed. It only found 1 threat and it was one of the programs inside the MGTools folder. I restored it. Nothing else was found.

    I can't thank those of you enough that are taking any time to study my post in order to help me.

    Judy :heart
     
  5. bunnislippers

    bunnislippers Private E-2

    :confused Update: I'm confused, I just posted a reply including an image of an error I just received by SDHelper when I opened IE to go to my gmail account from this laptop... but I can't find the post and it's not here in the thread. ??? It gave me the message "thank you for your post" and redirected me.

    My replies above with my extra links posted immediately. I don't know if I should remake the post or if it will then end up posting twice?? Sorry for the newbie drama - I just want to make sure the most recent problem is included with this thread early on.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. :)

    You need to take a look at this: Don't Bump! It Only Hurts You!!!


    Re run Hitman and have it delete: Potential Unwanted Programs


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R3 - URLSearchHook: (no name) - {2952fd16-872b-4a57-819c-97d707e5e379} - (no file)
    • O3 - Toolbar: (no name) - {2952fd16-872b-4a57-819c-97d707e5e379} - (no file)
    • O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\7b73d6ae-bc27-449a-8b8d-816a68d9b19c.com

    After clicking Fix exit HJT.


    Explain how the machine is running.
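    A small triage helper for HijackThis lines like the three above, added here as an example (it is not code from this thread, from MajorGeeks or from HijackThis): it parses HJT entry lines, flags "(no name)" and "(no file)" items and Run entries whose executable is a bare GUID, and reports CLSIDs that no longer resolve to a file. The fourth sample line ("ExampleUpdater") is constructed for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: the three lines quoted in the reply above plus one
# benign-looking Run entry (hypothetical "ExampleUpdater") for contrast.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {2952fd16-872b-4a57-819c-97d707e5e379} - (no file)
O3 - Toolbar: (no name) - {2952fd16-872b-4a57-819c-97d707e5e379} - (no file)
O4 - HKCU\\..\\Run: [SUPERAntiSpyware] C:\\Program Files\\SUPERAntiSpyware\\7b73d6ae-bc27-449a-8b8d-816a68d9b19c.com
O4 - HKLM\\..\\Run: [ExampleUpdater] "C:\\Program Files\\Example\\updater.exe" /background
"""

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
CLSID = re.compile(r"\{" + GUID + r"\}", re.I)
RUN_ENTRY = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# An executable whose base name is a bare GUID (e.g. ...\7b73d6ae-...b19c.com).
GUID_EXE = re.compile(r"[\\/]" + GUID + r"\.(?:exe|com|scr|dll)\b", re.I)

@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    command: Optional[str] = None
    flags: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry; None for headers and blank lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    e = Entry(section=m["section"], body=m["body"])
    c = CLSID.search(e.body)
    if c:
        e.clsid = c.group(0).lower()
    if e.section == "O4":
        r = RUN_ENTRY.match(e.body)
        if r:
            e.command = r["cmd"]
    return e

def triage(text: str) -> List[Entry]:
    """Parse every entry and attach triage flags (clean entries get none)."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    for e in entries:
        if "(no name)" in e.body:
            e.flags.append("no name")
        if e.body.endswith("(no file)"):
            e.flags.append("no file")
        if e.command and GUID_EXE.search(e.command):
            e.flags.append("guid-named executable")
    return entries

def orphaned_clsids(entries: List[Entry]) -> set:
    """From triage() output: CLSIDs referenced only by '(no file)' entries."""
    with_file = {e.clsid for e in entries if e.clsid and "no file" not in e.flags}
    return {e.clsid for e in entries if e.clsid} - with_file
```

    A flag is a reason to look, not a verdict: the GUID-named Run entry above belongs to an installed product, and the helper's job is to surface such lines for a human decision.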
     
  7. bunnislippers

    bunnislippers Private E-2

    Thank you for your help! I really appreciate being made aware of how "bumping" works as I had no idea whatsoever and may not have read that post had I come across it on my own considering its title; I wouldn't "bump" my posts so rudely. Now I see I did :-o and I certainly did not do it intentionally. I was unable to post my subsequent attachments for several hours as I had to wait for my initial post to be approved for posting. Then I had to get those uploaded. I guess my "update" post about the Internet Explorer SDHelper popup also had to be approved first which is why I didn't see it initially and was confused. I now understand that "follow ups" being posted to my thread before receiving a reply will only hurt me and why I would need to first wait for a reply. Thank you for your kind guidance on this matter.

    I followed your instructions and have only used the computer for about an hour and a half since. I immediately rebooted my computer first and then I wanted to check if the IE concern was still there. I have also been using the Chrome browser 99% of the time without "visible" problems.

    Here is what has happened so far:

    I received a warning on reboot that the system could not connect to all network locations. When clicking on the notification bubble, it opened Computer in Explorer and the Network Location category only had one item in it: Z: MEMORYCARD (\\EPSONA86164) with a red X through its icon. I double-checked Start>Devices and Printers and my Epson printer was still listed there, active and default. Could be related to Epson's event watcher?? Maybe this is normal when no memory card is in the printer?

    I still get the SDHelper detection error of a malicious URL when I try to go to www.gmail.com in Internet Explorer. My version is IE10. I do not use IE anywhere, ever, except for on my son's laptop (to access my own email separate from his Chrome Browser.) I do not get any types of malicious URL warnings when browsing on Chrome. I've pasted a screenprint of the popup below:

    [screenshot of the SDHelper popup not preserved]

    The IE error when I try to go to my gmail is worrisome. Is it a "competition" thing that Microsoft likes to hose any attempts to use Google from IE? Or is it indeed something rogue going on in the background like the warning states: "possible URL spoofing" ?

    Do you need me to attach any logs?
    Is it safe to run Windows Update now? (I installed Microsoft Office 2007 yesterday and there are a couple dozen updates because of that...)

    One last thing: I immediately went to Jinx and ordered a couple Majorgeeks items to support you guys - I purchased a t-shirt last year, but I wanted the other one anyway. I feel your assistance is worth hundreds more, but if I could afford that, I would have called Geek Squad to my home. Are there other financial ways to support you guys and your site where you get 100% of the donation and not just a percentage of a "sale"? (however small the amount, it feels better to directly support you for something I know is so valuable.)

    Thanks,
    Judith :)
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This forum is not set up to deal with printer software. You can ask about this in the software forum. ;)
    Spybot may be correct about something going on, however, it's only hindering us at this stage. I want you to uninstall it temporarily, and I do not want you installing things like MS office just as we are halfway into trying to sort out your issues.


    Yes please, rerun hitman (just a scan) and attach log.


    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.


    Thank you very much! *Most* appreciated.
     
  9. bunnislippers

    bunnislippers Private E-2

    Yes, I understand; and I'm trying not to do anything unnecessary. But I had to finally send the laptop to school with my son yesterday (he needed it as of Monday...) and MSOffice had to be installed for his needs. Google Docs wasn't cutting it for their environment and neither was the already installed OpenOffice suite. I also had to purchase and install a printer for his use in his classroom. For everything else, I tried to find ways for him to use online sites to accomplish things and created dials in his Speeddial rather than install any more software. (i.e. required typing program, etc.)
    I kept the laptop home today to try to continue with troubleshooting.

    Below is what I have done:
    1. I used Revouninstaller to uninstall Spybot completely.
    2. I restarted the computer to complete its uninstall.
    3. I downloaded OTL; I downloaded hitman again to make sure I had the newest version from your site as a precaution.
    4. I ran just a scan with hitman.
    5. I remembered I had to enable protection software for school use yesterday, so I disabled MBAM and MSE before running OTL.
    6. I disabled all unnecessary processes or background apps such as Epson software and MS Live crap
    7. I ran OTL as directed.
    8. All logs are attached.

    Thank you!
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I understand.

    Now, let's keep things as simple as possible.... let me know how things are running at the moment. What issues remain? (We ARE going to be reinstalling Spybot soon)
     
