Jump to content
Sign in to follow this  
Metallica

Removal instructions for TermTrident

Recommended Posts

What is TermTrident?

The Malwarebytes research team has determined that TermTrident is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by TermTrident?

You may see this entry in your list of installed programs:

warning4.png

and these warnings during install:

main.png

warning1.png

warning2.png

these scheduled tasks:

warning3.png

and this type of advertisements:

warning5.png

How did TermTrident get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove TermTrident?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.
Is there anything else I need to do to get rid of TermTrident?
  • No, Malwarebytes' Anti-Malware removes TermTrident completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this adware application.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the TermTrident adware. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

protection1.png

Technical details for experts

You will see these signs in a HijackThis log:

O23 - Service: TermTrident 1.10.0.22 Client Service (ttrsvc_1.10.0.22) - TermTrident - C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe
You may see these signs in FRST logs:

 (TermTrident) C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe R2 ttrsvc_1.10.0.22; C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe [300120 2015-08-14] (TermTrident) R1 ttrfd_vt_1_10_0_22; C:\Windows\System32\drivers\ttrfd_vt_1_10_0_22.sys [61312 2015-08-14] (TermTrident) C:\Windows\System32\Tasks\TermTrident Auto Updater 1.10.0.22 Pending Update C:\Windows\System32\Tasks\TermTrident Auto Updater 1.10.0.22 Core C:\Program Files (x86)\TermTrident_1.10.0.22 (TermTrident) C:\Windows\system32\Drivers\ttrfd_vw_1_10_0_22.sys (TermTrident) C:\Windows\system32\Drivers\ttrfd_vt_1_10_0_22.sysTermTrident 1.10.0.22 (HKLM-x32\...\TermTrident_1.10.0.22) (Version: 1.10.0.22 - TermTrident)Task: {6CE6900B-779D-462C-9604-332D4947C70C} - System32\Tasks\TermTrident Auto Updater 1.10.0.22 Pending Update => C:\Program Files (x86)\TermTrident_1.10.0.22\Update\TermTridentAutoUpdateClient.exe [2015-08-14] (TermTrident)Task: {79A47644-D4E9-4C1F-BB38-0E6CC56854F2} - System32\Tasks\TermTrident Auto Updater 1.10.0.22 Core => C:\Program Files (x86)\TermTrident_1.10.0.22\Update\TermTridentAutoUpdateClient.exe [2015-08-14] (TermTrident)
Alterations made by the installer:

File system details [View: All details] (Selection)---------------------------------------------------    Adds the folder C:\Program Files (x86)\TermTrident_1.10.0.22       Adds the file terms-of-service.rtf"="06/08/2015 23:33, 24207 bytes, A       Adds the file Uninstall.exe"="14/08/2015 20:57, 314736 bytes, A    Adds the folder C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses       Adds the file buildcrx-license.txt"="19/05/2014 21:10, 7074 bytes, A       Adds the file Info-ZIP-license.txt"="19/05/2014 21:10, 2944 bytes, A       Adds the file JSON-simple-license.txt"="30/10/2014 02:55, 11558 bytes, A       Adds the file nsJSON-license.txt"="19/05/2014 21:10, 809 bytes, A       Adds the file Nustache-license.txt"="30/10/2014 02:55, 1079 bytes, A       Adds the file TaskScheduler-license.txt"="30/10/2014 02:55, 0 bytes, A       Adds the file UAC-license.txt"="19/05/2014 21:10, 956 bytes, A    Adds the folder C:\Program Files (x86)\TermTrident_1.10.0.22\Service       Adds the file ttrsvc.exe"="14/08/2015 20:57, 300120 bytes, A    Adds the folder C:\Program Files (x86)\TermTrident_1.10.0.22\Update       Adds the file Microsoft.Win32.TaskScheduler.dll"="30/10/2014 02:55, 185856 bytes, A       Adds the file Nustache.Core.dll"="30/10/2014 02:55, 28672 bytes, A       Adds the file TermTridentAutoUpdateClient.exe"="14/08/2015 20:56, 66136 bytes, A       Adds the file TermTridentAutoUpdateClient.exe.config"="30/10/2014 02:55, 256 bytes, A    In the existing folder C:\Windows\System32\drivers       Adds the file ttrfd_vt_1_10_0_22.sys"="14/08/2015 20:56, 61312 bytes, A       Adds the file ttrfd_vw_1_10_0_22.sys"="14/08/2015 20:57, 57728 bytes, A    In the existing folder C:\Windows\System32\Tasks       Adds the file TermTrident Auto Updater 1.10.0.22 Core"="20/08/2015 13:16, 4174 bytes, A       Adds the file TermTrident Auto Updater 1.10.0.22 Pending Update"="20/08/2015 13:16, 4186 bytes, ARegistry details [View: All details] (Selection)------------------------------------------------    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\TermTridentAutoUpdateClient_RASAPI32]       "ConsoleTracingMask"="REG_DWORD", -65536       "EnableConsoleTracing"="REG_DWORD", 0       "EnableFileTracing"="REG_DWORD", 0       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"       "FileTracingMask"="REG_DWORD", -65536       "MaxFileSize"="REG_DWORD", 1048576    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\TermTridentAutoUpdateClient_RASMANCS]       "ConsoleTracingMask"="REG_DWORD", -65536       "EnableConsoleTracing"="REG_DWORD", 0       "EnableFileTracing"="REG_DWORD", 0       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"       "FileTracingMask"="REG_DWORD", -65536       "MaxFileSize"="REG_DWORD", 1048576    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TermTrident_1.10.0.22]       "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\TermTrident_1.10.0.22\Uninstall.exe"       "DisplayName"="REG_SZ", "TermTrident 1.10.0.22"       "DisplayVersion"="REG_SZ", "1.10.0.22"       "NoModify"="REG_DWORD", 1       "NoRepair"="REG_DWORD", 1       "Publisher"="REG_SZ", "TermTrident"       "UninstallString"="REG_SZ", "C:\Program Files (x86)\TermTrident_1.10.0.22\Uninstall.exe"       "URLInfoAbout"="REG_SZ", "http://www.termtrident.com"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TermTrident_1.10.0.22]       "cr-at"="REG_SZ", ""       "cr-pid"="REG_SZ", ""       "cr-ver"="REG_SZ", "44.0.2403.155"       "dbsr"="REG_SZ", "firefox"       "features"="REG_SZ", "0x01000000"       "ff-at"="REG_SZ", ""       "ff-pid"="REG_SZ", ""       "ff-ver"="REG_SZ", "38.0.5 (x86 en-GB)"       "hid"="REG_SZ", "1FB0C54E-C74D-AB91-A3A6-1983589F206E"       "ie-at"="REG_SZ", ""       "ie-pid"="REG_SZ", ""       "ie-ver"="REG_SZ", "11.0.9600.17959"       "iid"="REG_SZ", "00000000-0000-0000-0000-000000000000"       "itm"="REG_SZ", "2015-08-20T11:16:22Z"       "nf-at"="REG_SZ", "88BA34F4-9256-204E-6665-A8069C8CED26"       "nf-pid"="REG_SZ", "E7B0C775-DAAE-48B8-924C-662EBC63EE40"       "nid"="REG_SZ", "7D5BAFA9-43AD-43BF-9BAE-D2823A38F2CB"       "osn"="REG_SZ", "Windows 7 Ultimate"       "ost"="REG_SZ", "x64"       "osv"="REG_SZ", "6.1.7601"       "user_sid"="REG_SZ", "S-1-5-21-612512518-1730918975-1677248042-1002"       "ver"="REG_SZ", "1.10.0.22"    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ttrfd_vt_1_10_0_22]       "DisplayName"="REG_SZ", "ttrfd_vt_1_10_0_22"       "ErrorControl"="REG_DWORD", 1       "Group"="REG_SZ", "PNP_TDI"       "ImagePath"="REG_EXPAND_SZ, "system32\drivers\ttrfd_vt_1_10_0_22.sys"       "Start"="REG_DWORD", 1       "Tag"="REG_DWORD", 10       "Type"="REG_DWORD", 1       "WOW64"="REG_DWORD", 1    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ttrfd_vt_1_10_0_22\Enum]       "0"="REG_SZ", "Root\LEGACY_TTRFD_VT_1_10_0_22\0000"       "Count"="REG_DWORD", 1       "NextInstance"="REG_DWORD", 1    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ttrsvc_1.10.0.22]       "Description"="REG_SZ", "This service enables TermTrident 1.10.0.22 on HTTP websites"       "DisplayName"="REG_SZ", "TermTrident 1.10.0.22 Client Service"       "ErrorControl"="REG_DWORD", 1       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe""       "ObjectName"="REG_SZ", "LocalSystem"       "Start"="REG_DWORD", 2       "Type"="REG_DWORD", 16       "WOW64"="REG_DWORD", 1
Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 20/08/2015Scan Time: 13:23Logfile: mbamTermTrident.txtAdministrator: YesVersion: 2.1.8.1057Malware Database: v2015.08.20.03Rootkit Database: v2015.08.16.01License: PremiumMalware Protection: DisabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: {username}Scan Type: Threat ScanResult: CompletedObjects Scanned: 330128Time Elapsed: 4 min, 4 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 1PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe, 2028, Delete-on-Reboot, [f81b48c3acdf1e180b26701b7c897888]Modules: 0(No malicious items detected)Registry Keys: 6PUP.Optional.TermTrident.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ttrsvc_1.10.0.22, Quarantined, [f81b48c3acdf1e180b26701b7c897888], PUP.Optional.TermTrident.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TermTrident_1.10.0.22, Quarantined, [7f94e823fe8d9a9c8ea336558184a060], PUP.Optional.TermTrident.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\TermTrident Auto Updater 1.10.0.22 Core, Delete-on-Reboot, [080b23e8e6a5b383ab1c2c8a19eb5ca4], PUP.Optional.TermTrident.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\TermTrident Auto Updater 1.10.0.22 Pending Update, Delete-on-Reboot, [26edf01b4d3e3ef855726155897b54ac], PUP.Optional.TermTrident.A, HKLM\SOFTWARE\WOW6432NODE\TermTrident_1.10.0.22, Quarantined, [3dd6af5ccebd6dc9f4d510a63fc5946c], PUP.Optional.Vitruvian.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TTRFD_VT_1_10_0_22, Quarantined, [58bba16a6d1e1125e5df9d1214f0e21e], Registry Values: 2PUP.Optional.Vitruvian.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ttrfd_vt_1_10_0_22|ImagePath, system32\drivers\ttrfd_vt_1_10_0_22.sys, Quarantined, [58bba16a6d1e1125e5df9d1214f0e21e]PUP.Optional.Vitruvian.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ttrsvc_1.10.0.22|ImagePath, "C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe", Quarantined, [9d7661aaaae1330369fa6d39689ce11f]Registry Data: 0(No malicious items detected)Folders: 4PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22, Delete-on-Reboot, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Service, Delete-on-Reboot, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update, Quarantined, [bf5485867813181e1e4355c457ac6e92], Files: 24PUP.Optional.TermTrident.A, C:\WINDOWS\SYSTEM32\drivers\ttrfd_vt_1_10_0_22.sys, Delete-on-Reboot, [eb46f2a0ef3d5bb09ea85d6b35153c54], PUP.Optional.TermTrident.A, C:\WINDOWS\SYSTEM32\drivers\ttrfd_vw_1_10_0_22.sys, Delete-on-Reboot, [2f3df9f23cf9c7f4c33b197c8bf4b065], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe, Delete-on-Reboot, [f81b48c3acdf1e180b26701b7c897888], PUP.Optional.TermTrident.A, C:\Users\{username}\Desktop\TermTrident.exe, Quarantined, [b1628982513a2f07ee43e8a36c99ff01], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Uninstall.exe, Quarantined, [7f94e823fe8d9a9c8ea336558184a060], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-hardwareprofile-v0001, Quarantined, [69aa9378becd41f5e8e5198151b33fc1], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-install-v0003, Quarantined, [f61d98735932b4824d801d7da163cc34], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-processes-v0002, Quarantined, [e72c69a2aedde3539c3162381fe5f10f], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-scheduledtasks-v0001, Quarantined, [c74c56b5b3d81a1cf8d5e7b38c785ca4], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-softwareregkeys-v0002, Quarantined, [8291b55628632a0c7e4f8812cc3820e0], PUP.Optional.TermTrident.A, C:\Windows\System32\Tasks\TermTrident Auto Updater 1.10.0.22 Core, Quarantined, [799a68a3fd8e9f974e762f877490ce32], PUP.Optional.TermTrident.A, C:\Windows\System32\Tasks\TermTrident Auto Updater 1.10.0.22 Pending Update, Quarantined, [c64d8f7c3952db5b7b4934823aca33cd], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\terms-of-service.rtf, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\buildcrx-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\Info-ZIP-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\JSON-simple-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\nsJSON-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\Nustache-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\TaskScheduler-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\UAC-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update\Microsoft.Win32.TaskScheduler.dll, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update\Nustache.Core.dll, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update\TermTridentAutoUpdateClient.exe, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update\TermTridentAutoUpdateClient.exe.config, Quarantined, [bf5485867813181e1e4355c457ac6e92], Physical Sectors: 0(No malicious items detected)(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.