Author Topic: Whats going on with Win32/pricegong adware??  (Read 6927 times)


Amonk

  • Guest
Whats going on with Win32/pricegong adware??
« on: February 04, 2013, 02:34:05 AM »
Hello everybody.

I got the message regarding Win32/pricegong, and all I have found on the web is very new, with not much information given. It seems to be adware that infects the computer and compiles search information, installs malware and spyware without permission, and sends the information back to an ads company to make money from advertising selected under your name... Also, as far as I read, it can also get private information from accounts.

Can anybody tell me more about this... how bad is it... I already tried to erase it once... but it appears again... And is @avast aware of this adware? How can I protect my system?

Thank you.

Offline Pondus

Re: Whats going on with Win32/pricegong adware??
« Reply #1 on: February 04, 2013, 05:12:40 AM »
Quote
Can anybody tell me more about this... how bad is it..
As you said.... Win32/pricegong adware.... adware is usually not bad.
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FPriceGong


Quote
And is @avast aware of this adware?
How did you find it, if avast didn't?


Quote
. I already tried to erase it once... but it appears again.
Follow the guide here and run..... http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes


post logs

Did that help?..... If not, continue with OTL, attach the log and a removal expert will help you.

« Last Edit: February 04, 2013, 05:20:03 AM by Pondus »

Amonk

  • Guest
Re: Whats going on with Win32/pricegong adware??
« Reply #2 on: February 04, 2013, 02:33:58 PM »

Quote
And is @avast aware of this adware?
How did you find it, if avast didn't?

Surprisingly, a Windows alert informed me about the threat.




Log from AdwCleaner:

# AdwCleaner v2.110 - File created on 04/02/2013 at 13:38:56
# Updated on 03/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Jhossett - MARCOPOLO
# Boot mode : Normal
# Run from : C:\Users\Jhossett\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\uTorrentBar_ES
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Users\Jhossett\AppData\Local\Conduit
Folder Deleted : C:\Users\Jhossett\AppData\Local\Ilivid
Folder Deleted : C:\Users\Jhossett\AppData\Local\lollipop
Folder Deleted : C:\Users\Jhossett\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Jhossett\AppData\LocalLow\ilividtoolbarguid
Folder Deleted : C:\Users\Jhossett\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Jhossett\AppData\LocalLow\uTorrentBar_ES
Folder Deleted : C:\Users\Jhossett\AppData\Roaming\Babylon
File Deleted : C:\Users\Jhossett\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_apps.conduit.com_0.localstorage-journal
File Deleted : C:\Users\Jhossett\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage-journal
Deleted on reboot : C:\Program Files (x86)\search results toolbar

***** [Registry] *****

Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\APN DTX
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\uTorrentBar_ES
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\ilividtoolbarguid
Key Deleted : HKCU\Software\lollipop
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F34C9277-6577-4DFF-B2D7-7D58092F272F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F34C9277-6577-4DFF-B2D7-7D58092F272F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\lollipop
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\5f57d6dbb769ec15
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader
Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader.1
Key Deleted : HKLM\SOFTWARE\Classes\iLividIEHelper.DNSGuard
Key Deleted : HKLM\SOFTWARE\Classes\iLividIEHelper.DNSGuard.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2851619
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1FDC0B61-91AC-4157-9B27-CAD9A09AB67E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{75E8DA27-44AF-40AE-927C-F2EEC99D65B1}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\iLividSRTB
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{10468FBA-E711-4F61-9C0C-F57F445F1A40}
Key Deleted : HKLM\Software\uTorrentBar_ES
Key Deleted : HKLM\SOFTWARE\Wow6432Node\5f57d6dbb769ec15
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{10468FBA-E711-4F61-9C0C-F57F445F1A40}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9FF9AE6F-4553-41A7-B645-B0E88850EABF}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CE4DB5A3-58E6-41F1-8761-47238DF4F468}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DB131C55-60C8-4ADC-84DC-9E76AB06E2DC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F34C9277-6577-4DFF-B2D7-7D58092F272F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6AC9F23F-1232-4ED8-9A81-484ABC10C047}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CC8FEE20-129C-4E90-9B40-5F8DF2DD5E5B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F34C9277-6577-4DFF-B2D7-7D58092F272F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB131C55-60C8-4ADC-84DC-9E76AB06E2DC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F34C9277-6577-4DFF-B2D7-7D58092F272F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ilividtoolbarguid
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Search Results Toolbar
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentBar_ES Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9FF9AE6F-4553-41A7-B645-B0E88850EABF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CE4DB5A3-58E6-41F1-8761-47238DF4F468}
Key Deleted : HKLM\SOFTWARE\DataMngr
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Data Deleted : [x64] HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll
Data Deleted : [x64] HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{DB131C55-60C8-4ADC-84DC-9E76AB06E2DC}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{DB131C55-60C8-4ADC-84DC-9E76AB06E2DC}]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [lollipop]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{DB131C55-60C8-4ADC-84DC-9E76AB06E2DC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{DB131C55-60C8-4ADC-84DC-9E76AB06E2DC}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{F34C9277-6577-4DFF-B2D7-7D58092F272F}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [10]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10]

***** [Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2851619 --> hxxp://www.google.com

-\\ Google Chrome v24.0.1312.57

File : C:\Users\Jhossett\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] The file contains no illegitimate entries.

*************************

AdwCleaner[R1].txt - [9612 octets] - [04/02/2013 13:38:04]
AdwCleaner[S1].txt - [9639 octets] - [04/02/2013 13:38:56]

########## EOF - C:\AdwCleaner[S1].txt - [9699 octets] ##########


and Malwarebytes also works perfectly fine!!


Thank you for your help.
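The AdwCleaner log above is worth reading as more than a list of deletions, because the entries fall into very different classes. The two `AppInit_DLLs` values load `datamngr.dll` and `IEBHO.dll` into every process that loads user32.dll; the Browser Helper Object and Toolbar CLSIDs run the vendor's code inside Internet Explorer; the `Run` values restart it at logon; the `Low Rights\ElevationPolicy` keys let a component launch out of IE's low-integrity Protected Mode; and the URLSearchHooks, SearchScopes and Start Page entries only redirect searches. The Python below is an added example for this thread, not code from the original post, from AdwCleaner or from avast. It parses a constructed subset of the registry lines above (prefixes translated to English), tags each line with the mechanism it represents, and correlates CLSIDs across mechanisms so that one component wired into three hooks shows up as one finding rather than three. The mechanism names and the 0-3 severity scale are my own labels, not AdwCleaner's.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the [Registry] and [Browsers] lines from the
# AdwCleaner log posted in this thread, with the Spanish prefixes translated.
# It is not the full log and is embedded here only so the script runs offline.
SAMPLE_LOG = r"""
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB131C55-60C8-4ADC-84DC-9E76AB06E2DC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F34C9277-6577-4DFF-B2D7-7D58092F272F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F34C9277-6577-4DFF-B2D7-7D58092F272F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Data Deleted : [x64] HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll
Data Deleted : [x64] HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{DB131C55-60C8-4ADC-84DC-9E76AB06E2DC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [lollipop]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{F34C9277-6577-4DFF-B2D7-7D58092F272F}]
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2851619 --> hxxp://www.google.com
"""

# Persistence / hijack mechanisms, most dangerous first. The first pattern that
# matches a line wins, so the catch-all "vendor_key" rule must stay last.
# Severity: 3 = the adware's own code runs in a process, 2 = browser hook or
# policy change, 1 = a setting was changed, 0 = vendor data with no code path.
# These labels are this example's own, not AdwCleaner's.
MECHANISMS = [
    ("appinit_dll",     3, r"\[AppInit_DLLs\]"),              # DLL into every user32 process
    ("bho",             3, r"\\Browser Helper Objects\\"),    # COM object loaded by IE
    ("run_key",         3, r"\\CurrentVersion\\Run \["),      # autostart at logon
    ("url_search_hook", 2, r"\\URLSearchHooks"),              # intercepts address-bar searches
    ("search_scope",    2, r"\\SearchScopes\\"),              # replaces the search provider
    ("ie_elevation",    2, r"\\Low Rights\\ElevationPolicy\\"),  # escape from IE Protected Mode
    ("ie_toolbar",      2, r"\\Internet Explorer\\Toolbar"),  # toolbar band loaded by IE
    ("start_page",      1, r"Start Page\]"),                  # home page hijack
    ("vendor_key",      0, r"."),                             # anything else
]

LINE_RE = re.compile(r"^(?P<action>[A-Za-z ]+?) : (?P<detail>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse(log_text):
    """Turn AdwCleaner-style 'Action : detail' lines into tagged records."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, EOF marker
        detail = m.group("detail")
        for name, severity, pattern in MECHANISMS:
            if re.search(pattern, detail):
                break
        entries.append({
            "action": m.group("action"),
            "detail": detail,
            "mechanism": name,
            "severity": severity,
            "guids": set(GUID_RE.findall(detail)),
        })
    return entries


def by_mechanism(entries):
    """Group the raw detail strings by the mechanism they were tagged with."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["mechanism"]].append(e["detail"])
    return dict(groups)


def code_execution_entries(entries):
    """Entries that gave the adware its own code in a process (severity 3)."""
    return [e["detail"] for e in entries if e["severity"] == 3]


def guid_correlation(entries):
    """Map each CLSID to the mechanisms it was registered under. A GUID seen as
    a BHO, a toolbar and in ElevationPolicy is one component wired into several
    hooks, which matters when deciding whether the cleanup was complete."""
    corr = defaultdict(set)
    for e in entries:
        for g in e["guids"]:
            corr[g.upper()].add(e["mechanism"])
    return {g: sorted(m) for g, m in corr.items()}


def max_severity(entries):
    return max((e["severity"] for e in entries), default=0)


def report(entries):
    """Human-readable listing, most severe first."""
    ordered = sorted(entries, key=lambda e: -e["severity"])
    return "\n".join(
        f"[{e['severity']}] {e['mechanism']:<16} {e['action']}: {e['detail']}"
        for e in ordered
    )


if __name__ == "__main__":
    found = parse(SAMPLE_LOG)
    print(report(found))
    print()
    for guid, mechs in guid_correlation(found).items():
        print(guid, "->", ", ".join(mechs))
```

Run it on a real `AdwCleaner[S1].txt` by reading the file into `parse()` instead of `SAMPLE_LOG`; anything tagged severity 3 that still exists after the reboot-pending deletions is the reason a removal "appears again", and the GUID correlation is the quickest way to see whether the CLSID behind a BHO was also left behind as a toolbar or elevation-policy entry.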


Offline Asyn

Re: Whats going on with Win32/pricegong adware??
« Reply #3 on: February 04, 2013, 02:55:25 PM »
Quote
And is @avast aware of this adware?
How did you find it, if avast didn't?
Surprisingly, a Windows alert informed me about the threat.

Note: To find adware with avast! you have to enable PUP detection!

Offline Pondus

Re: Whats going on with Win32/pricegong adware??
« Reply #4 on: February 04, 2013, 05:13:06 PM »
Did you run a quick scan with Malwarebytes?..... Post the log.

Is your problem solved?

Amonk

  • Guest
Re: Whats going on with Win32/pricegong adware??
« Reply #5 on: February 05, 2013, 03:04:32 AM »
Malwarebytes log:
Malwarebytes Anti-Malware (Trial Version) 1.70.0.1100
www.malwarebytes.org

Database Version: v2013.02.04.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jhossett :: MARCOPOLO [administrator]

Protection: Enabled

04/02/2013 13:54:29
mbam-log-2013-02-04 (13-54-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217222
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Jhossett\Downloads\installer_ccleaner_Spanish.exe (Adware.Downware) -> Quarantined and deleted successfully.

(end)


Yes, the problem was successfully solved. Also, the speed of loading/streaming pages and videos has significantly increased!!!

Thank you very much for your help.

iroc9555

  • Guest
Re: Whats going on with Win32/pricegong adware??
« Reply #6 on: February 05, 2013, 03:12:22 AM »
Amonk.

Glad all is working out for you. Do you see what MBAM detected: installer_ccleaner_Spanish.exe? Well, that is not the real CCleaner.

The real CCleaner is here: http://www.piriform.com/products

Amonk

  • Guest
Re: Whats going on with Win32/pricegong adware??
« Reply #7 on: February 06, 2013, 01:42:47 AM »
Removed as well... Yes, it was not CCleaner, it was the .exe to install and activate the Spanish version for CCleaner. Thank you very much for all your help.