Removal instructions for TermTrident

[Metallica]

What is TermTrident?

The Malwarebytes research team has determined that TermTrident is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by TermTrident?

You may see this entry in your list of installed programs:

and these warnings during install:

these scheduled tasks:

and this type of advertisements:

How did TermTrident get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove TermTrident?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

• Please download Malwarebytes Anti-Malware to your desktop.
• Double-click mbam-setup-version.exe and follow the prompts to install the program.
• At the end, be sure a check-mark is placed next to the following:
  • Enable free trial of Malwarebytes Anti-Malware Premium
  • Launch Malwarebytes Anti-Malware
• Then click Finish.
• If an update is found, you will be prompted to download and install the latest version.
• Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
• When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
• Reboot your computer if prompted.

Is there anything else I need to do to get rid of TermTrident?

• No, Malwarebytes' Anti-Malware removes TermTrident completely.
• This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this adware application.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the TermTrident adware. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

You will see these signs in a HijackThis log:

O23 - Service: TermTrident 1.10.0.22 Client Service (ttrsvc_1.10.0.22) - TermTrident - C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe

You may see these signs in FRST logs:

 (TermTrident) C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe R2 ttrsvc_1.10.0.22; C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe [300120 2015-08-14] (TermTrident) R1 ttrfd_vt_1_10_0_22; C:\Windows\System32\drivers\ttrfd_vt_1_10_0_22.sys [61312 2015-08-14] (TermTrident) C:\Windows\System32\Tasks\TermTrident Auto Updater 1.10.0.22 Pending Update C:\Windows\System32\Tasks\TermTrident Auto Updater 1.10.0.22 Core C:\Program Files (x86)\TermTrident_1.10.0.22 (TermTrident) C:\Windows\system32\Drivers\ttrfd_vw_1_10_0_22.sys (TermTrident) C:\Windows\system32\Drivers\ttrfd_vt_1_10_0_22.sysTermTrident 1.10.0.22 (HKLM-x32\...\TermTrident_1.10.0.22) (Version: 1.10.0.22 - TermTrident)Task: {6CE6900B-779D-462C-9604-332D4947C70C} - System32\Tasks\TermTrident Auto Updater 1.10.0.22 Pending Update => C:\Program Files (x86)\TermTrident_1.10.0.22\Update\TermTridentAutoUpdateClient.exe [2015-08-14] (TermTrident)Task: {79A47644-D4E9-4C1F-BB38-0E6CC56854F2} - System32\Tasks\TermTrident Auto Updater 1.10.0.22 Core => C:\Program Files (x86)\TermTrident_1.10.0.22\Update\TermTridentAutoUpdateClient.exe [2015-08-14] (TermTrident)

Alterations made by the installer:

File system details [View: All details] (Selection)---------------------------------------------------    Adds the folder C:\Program Files (x86)\TermTrident_1.10.0.22       Adds the file terms-of-service.rtf"="06/08/2015 23:33, 24207 bytes, A       Adds the file Uninstall.exe"="14/08/2015 20:57, 314736 bytes, A    Adds the folder C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses       Adds the file buildcrx-license.txt"="19/05/2014 21:10, 7074 bytes, A       Adds the file Info-ZIP-license.txt"="19/05/2014 21:10, 2944 bytes, A       Adds the file JSON-simple-license.txt"="30/10/2014 02:55, 11558 bytes, A       Adds the file nsJSON-license.txt"="19/05/2014 21:10, 809 bytes, A       Adds the file Nustache-license.txt"="30/10/2014 02:55, 1079 bytes, A       Adds the file TaskScheduler-license.txt"="30/10/2014 02:55, 0 bytes, A       Adds the file UAC-license.txt"="19/05/2014 21:10, 956 bytes, A    Adds the folder C:\Program Files (x86)\TermTrident_1.10.0.22\Service       Adds the file ttrsvc.exe"="14/08/2015 20:57, 300120 bytes, A    Adds the folder C:\Program Files (x86)\TermTrident_1.10.0.22\Update       Adds the file Microsoft.Win32.TaskScheduler.dll"="30/10/2014 02:55, 185856 bytes, A       Adds the file Nustache.Core.dll"="30/10/2014 02:55, 28672 bytes, A       Adds the file TermTridentAutoUpdateClient.exe"="14/08/2015 20:56, 66136 bytes, A       Adds the file TermTridentAutoUpdateClient.exe.config"="30/10/2014 02:55, 256 bytes, A    In the existing folder C:\Windows\System32\drivers       Adds the file ttrfd_vt_1_10_0_22.sys"="14/08/2015 20:56, 61312 bytes, A       Adds the file ttrfd_vw_1_10_0_22.sys"="14/08/2015 20:57, 57728 bytes, A    In the existing folder C:\Windows\System32\Tasks       Adds the file TermTrident Auto Updater 1.10.0.22 Core"="20/08/2015 13:16, 4174 bytes, A       Adds the file TermTrident Auto Updater 1.10.0.22 Pending Update"="20/08/2015 13:16, 4186 bytes, ARegistry details [View: All details] (Selection)------------------------------------------------    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\TermTridentAutoUpdateClient_RASAPI32]       "ConsoleTracingMask"="REG_DWORD", -65536       "EnableConsoleTracing"="REG_DWORD", 0       "EnableFileTracing"="REG_DWORD", 0       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"       "FileTracingMask"="REG_DWORD", -65536       "MaxFileSize"="REG_DWORD", 1048576    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\TermTridentAutoUpdateClient_RASMANCS]       "ConsoleTracingMask"="REG_DWORD", -65536       "EnableConsoleTracing"="REG_DWORD", 0       "EnableFileTracing"="REG_DWORD", 0       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"       "FileTracingMask"="REG_DWORD", -65536       "MaxFileSize"="REG_DWORD", 1048576    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TermTrident_1.10.0.22]       "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\TermTrident_1.10.0.22\Uninstall.exe"       "DisplayName"="REG_SZ", "TermTrident 1.10.0.22"       "DisplayVersion"="REG_SZ", "1.10.0.22"       "NoModify"="REG_DWORD", 1       "NoRepair"="REG_DWORD", 1       "Publisher"="REG_SZ", "TermTrident"       "UninstallString"="REG_SZ", "C:\Program Files (x86)\TermTrident_1.10.0.22\Uninstall.exe"       "URLInfoAbout"="REG_SZ", "http://www.termtrident.com"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TermTrident_1.10.0.22]       "cr-at"="REG_SZ", ""       "cr-pid"="REG_SZ", ""       "cr-ver"="REG_SZ", "44.0.2403.155"       "dbsr"="REG_SZ", "firefox"       "features"="REG_SZ", "0x01000000"       "ff-at"="REG_SZ", ""       "ff-pid"="REG_SZ", ""       "ff-ver"="REG_SZ", "38.0.5 (x86 en-GB)"       "hid"="REG_SZ", "1FB0C54E-C74D-AB91-A3A6-1983589F206E"       "ie-at"="REG_SZ", ""       "ie-pid"="REG_SZ", ""       "ie-ver"="REG_SZ", "11.0.9600.17959"       "iid"="REG_SZ", "00000000-0000-0000-0000-000000000000"       "itm"="REG_SZ", "2015-08-20T11:16:22Z"       "nf-at"="REG_SZ", "88BA34F4-9256-204E-6665-A8069C8CED26"       "nf-pid"="REG_SZ", "E7B0C775-DAAE-48B8-924C-662EBC63EE40"       "nid"="REG_SZ", "7D5BAFA9-43AD-43BF-9BAE-D2823A38F2CB"       "osn"="REG_SZ", "Windows 7 Ultimate"       "ost"="REG_SZ", "x64"       "osv"="REG_SZ", "6.1.7601"       "user_sid"="REG_SZ", "S-1-5-21-612512518-1730918975-1677248042-1002"       "ver"="REG_SZ", "1.10.0.22"    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ttrfd_vt_1_10_0_22]       "DisplayName"="REG_SZ", "ttrfd_vt_1_10_0_22"       "ErrorControl"="REG_DWORD", 1       "Group"="REG_SZ", "PNP_TDI"       "ImagePath"="REG_EXPAND_SZ, "system32\drivers\ttrfd_vt_1_10_0_22.sys"       "Start"="REG_DWORD", 1       "Tag"="REG_DWORD", 10       "Type"="REG_DWORD", 1       "WOW64"="REG_DWORD", 1    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ttrfd_vt_1_10_0_22\Enum]       "0"="REG_SZ", "Root\LEGACY_TTRFD_VT_1_10_0_22\0000"       "Count"="REG_DWORD", 1       "NextInstance"="REG_DWORD", 1    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ttrsvc_1.10.0.22]       "Description"="REG_SZ", "This service enables TermTrident 1.10.0.22 on HTTP websites"       "DisplayName"="REG_SZ", "TermTrident 1.10.0.22 Client Service"       "ErrorControl"="REG_DWORD", 1       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe""       "ObjectName"="REG_SZ", "LocalSystem"       "Start"="REG_DWORD", 2       "Type"="REG_DWORD", 16       "WOW64"="REG_DWORD", 1

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 20/08/2015Scan Time: 13:23Logfile: mbamTermTrident.txtAdministrator: YesVersion: 2.1.8.1057Malware Database: v2015.08.20.03Rootkit Database: v2015.08.16.01License: PremiumMalware Protection: DisabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: {username}Scan Type: Threat ScanResult: CompletedObjects Scanned: 330128Time Elapsed: 4 min, 4 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 1PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe, 2028, Delete-on-Reboot, [f81b48c3acdf1e180b26701b7c897888]Modules: 0(No malicious items detected)Registry Keys: 6PUP.Optional.TermTrident.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ttrsvc_1.10.0.22, Quarantined, [f81b48c3acdf1e180b26701b7c897888], PUP.Optional.TermTrident.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TermTrident_1.10.0.22, Quarantined, [7f94e823fe8d9a9c8ea336558184a060], PUP.Optional.TermTrident.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\TermTrident Auto Updater 1.10.0.22 Core, Delete-on-Reboot, [080b23e8e6a5b383ab1c2c8a19eb5ca4], PUP.Optional.TermTrident.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\TermTrident Auto Updater 1.10.0.22 Pending Update, Delete-on-Reboot, [26edf01b4d3e3ef855726155897b54ac], PUP.Optional.TermTrident.A, HKLM\SOFTWARE\WOW6432NODE\TermTrident_1.10.0.22, Quarantined, [3dd6af5ccebd6dc9f4d510a63fc5946c], PUP.Optional.Vitruvian.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TTRFD_VT_1_10_0_22, Quarantined, [58bba16a6d1e1125e5df9d1214f0e21e], Registry Values: 2PUP.Optional.Vitruvian.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ttrfd_vt_1_10_0_22|ImagePath, system32\drivers\ttrfd_vt_1_10_0_22.sys, Quarantined, [58bba16a6d1e1125e5df9d1214f0e21e]PUP.Optional.Vitruvian.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ttrsvc_1.10.0.22|ImagePath, "C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe", Quarantined, [9d7661aaaae1330369fa6d39689ce11f]Registry Data: 0(No malicious items detected)Folders: 4PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22, Delete-on-Reboot, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Service, Delete-on-Reboot, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update, Quarantined, [bf5485867813181e1e4355c457ac6e92], Files: 24PUP.Optional.TermTrident.A, C:\WINDOWS\SYSTEM32\drivers\ttrfd_vt_1_10_0_22.sys, Delete-on-Reboot, [eb46f2a0ef3d5bb09ea85d6b35153c54], PUP.Optional.TermTrident.A, C:\WINDOWS\SYSTEM32\drivers\ttrfd_vw_1_10_0_22.sys, Delete-on-Reboot, [2f3df9f23cf9c7f4c33b197c8bf4b065], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Service\ttrsvc.exe, Delete-on-Reboot, [f81b48c3acdf1e180b26701b7c897888], PUP.Optional.TermTrident.A, C:\Users\{username}\Desktop\TermTrident.exe, Quarantined, [b1628982513a2f07ee43e8a36c99ff01], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Uninstall.exe, Quarantined, [7f94e823fe8d9a9c8ea336558184a060], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-hardwareprofile-v0001, Quarantined, [69aa9378becd41f5e8e5198151b33fc1], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-install-v0003, Quarantined, [f61d98735932b4824d801d7da163cc34], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-processes-v0002, Quarantined, [e72c69a2aedde3539c3162381fe5f10f], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-scheduledtasks-v0001, Quarantined, [c74c56b5b3d81a1cf8d5e7b38c785ca4], PUP.Optional.Vitruvian.A, C:\Users\{username}\AppData\Local\Temp\vitruvian-installer-softwareregkeys-v0002, Quarantined, [8291b55628632a0c7e4f8812cc3820e0], PUP.Optional.TermTrident.A, C:\Windows\System32\Tasks\TermTrident Auto Updater 1.10.0.22 Core, Quarantined, [799a68a3fd8e9f974e762f877490ce32], PUP.Optional.TermTrident.A, C:\Windows\System32\Tasks\TermTrident Auto Updater 1.10.0.22 Pending Update, Quarantined, [c64d8f7c3952db5b7b4934823aca33cd], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\terms-of-service.rtf, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\buildcrx-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\Info-ZIP-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\JSON-simple-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\nsJSON-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\Nustache-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\TaskScheduler-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\3rd Party Licenses\UAC-license.txt, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update\Microsoft.Win32.TaskScheduler.dll, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update\Nustache.Core.dll, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update\TermTridentAutoUpdateClient.exe, Quarantined, [bf5485867813181e1e4355c457ac6e92], PUP.Optional.TermTrident.A, C:\Program Files (x86)\TermTrident_1.10.0.22\Update\TermTridentAutoUpdateClient.exe.config, Quarantined, [bf5485867813181e1e4355c457ac6e92], Physical Sectors: 0(No malicious items detected)(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
• Malware Execution Prevention

Save yourself the hassle and get protected.