Uninstalling Conduit SearchProtect deletes NTLDR making Windows XP Unbootable


77 replies to this topic

#1 Grinler

    Lawrence Abrams

  • Admin

Posted 27 January 2014 - 04:01 PM

A common adware called Conduit SearchProtect, which changes your browser's homepage to Conduit.com, is causing major problems for users of Windows XP who uninstall it. When users uninstall Conduit SearchProtect from Add or Remove Programs in Windows XP, they find on reboot that Windows XP is no longer able to start. Instead they will be greeted with a message stating "NTLDR is missing. Press Ctrl+Alt+Del to restart".
 



This problem occurs because the Conduit uninstall program not only removes its own Conduit SearchProtect files, but also removes all the files found in the root of the C: drive. In Windows XP the C:\ folder contains two required programs called NTLDR and ntdetect.com that when deleted prevent Windows from starting. As Windows Vista and newer versions do not contain any files in the C:\ folder that are required to start Windows, Windows is able to start normally.

The command that performs this buggy install is:

"C:\PROGRA~1\SearchProtect\Main\bin\uninstall.exe" /S

If you have Conduit SearchProtect installed on your computer, do not uninstall it via the Add or Remove Programs control panel. Instead use a program like AdwCleaner or Junkware Removal Tool to remove Conduit SearchProtect. These tools remove the software using their own uninstall routine and are not affected by Conduit's buggy uninstaller. When using the previous links to download AdwCleaner or JRT, just wait a few seconds and the programs will automatically download for you.

For those affected by this bug, you can fix Windows XP by copying the NTLDR and ntdetect.com files from a Windows XP CD. The files are located under the \I386 folder and you can use the Windows Recovery Console or other bootable disk to copy the files to the C:\ folder. Once the files are copied back you should be able to restart your computer and get back into Windows.

Thanks to Cody of TeamRocketOps for bringing this to my attention!
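
Added example (not part of the original post, and not Conduit's or BleepingComputer's code): a batch file for a Windows XP machine where the uninstaller has already run but the system has not yet been restarted. It checks C:\ for the two boot files named above and restores any that are missing from the \I386 folder of a Windows XP CD. The script name, the [OK]/[MISS]/[FAIL] labels and the default CD drive letter D: are assumptions; pass a different drive letter as the first argument.

```bat
@echo off
rem Added example, not from the thread. Run inside the still-running Windows XP
rem session, before any reboot, after the Conduit uninstaller has been run.
rem Assumptions: boot files belong in C:\ (as the post states) and the first
rem argument is the drive letter of a Windows XP CD (default D:).
setlocal
set "ROOT=C:"
set "CD=%~1"
if "%CD%"=="" set "CD=D:"
set FAILED=0

rem NTLDR and NTDETECT.COM are hidden system files; "if exist" still sees them.
for %%F in (NTLDR NTDETECT.COM) do call :restore %%F

rem boot.ini also lives in the root of C:, so it is checked as well.
if not exist "%ROOT%\boot.ini" echo [WARN] %ROOT%\boot.ini is missing; rebuild it with bootcfg /rebuild from the Recovery Console.

if "%FAILED%"=="1" (
    echo Boot files are still missing. Do not restart until they are restored.
    exit /b 1
)
echo NTLDR and NTDETECT.COM are present in %ROOT%\.
exit /b 0

:restore
if exist "%ROOT%\%1" (
    echo [ OK ] %ROOT%\%1 is present.
    goto :eof
)
echo [MISS] %ROOT%\%1 was deleted.
if not exist "%CD%\I386\%1" (
    echo [FAIL] %CD%\I386\%1 not found. Check the CD drive letter.
    set FAILED=1
    goto :eof
)
rem Both files are stored uncompressed in \I386, so a plain copy is enough.
copy /y "%CD%\I386\%1" "%ROOT%\" >nul
if errorlevel 1 (
    echo [FAIL] Could not copy %1 to %ROOT%\.
    set FAILED=1
    goto :eof
)
rem Restore the attributes the originals carry so the files stay hidden.
attrib +s +h +r "%ROOT%\%1"
echo [ OK ] %1 restored from %CD%\I386.
goto :eof
```

A non-zero exit code means at least one boot file could not be restored, so the machine should stay powered on until the files are copied by other means.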



 


#2 ken545

  • Malware Response Team

Posted 27 January 2014 - 04:25 PM

Thanks Larry, this crapola from Israel is a real PITA, about 3/4ths of the logs I take are infected with this garbage


Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#3 TheShooter93

    Cody

  • Malware Response Team

Posted 27 January 2014 - 04:41 PM

VERY good to know. Currently working with a user infected with Conduit running Windows XP.

 

Thanks for the post!


CCNACCENT | Network+  |  B.S. - Information Technology | System Administrator

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#4 DarkD

  • Members

Posted 27 January 2014 - 04:42 PM

THANK YOU!!!!  Saved me a real nightmare...  I was just deleting this piece of garbage from my computer following another website's guide which recommended using the add/remove programs thing....  Thankfully I hadn't restarted my computer yet.  Sure enough my C: folder was cleaned out.

My computer is something of a fixer upper which I've been holding together with duct tape for many years now and so my install process isn't quite as clean as a normal person's.  I was wondering if I did this properly.  My problem is I am afraid to restart my computer now.  Do I have anything to worry about in my situation:

1) I'm not sure I'm using the same Windows XP install CD I did when I installed onto this computer.  Does that matter?

2) I copied and pasted from the CD rather than through the recovery console.  Is that it?  I can just copy and paste them without any fancy extractors or anything?



#5 Netghost56

  • Members

Posted 27 January 2014 - 05:00 PM

I have yet (that I'm aware of) to run into this issue when uninstalling Conduit.

 

However I'm increasingly relying on Revo Uninstaller when working on clients' systems.



#6 Aaflac

  • Malware Response Team

Posted 27 January 2014 - 06:01 PM

Thanks, Grinler!

 

Just had a friend bring over her XP ThinkPad with this issue.

 

Great timing!


Old duck...


#7 Tomk_

  • Malware Response Team

Posted 27 January 2014 - 06:09 PM

I believe there is more than one "conduit" issue.  It is the conduit SearchProtect uninstaller that is the problem here.  This program is advertised as protecting you from home page hijackers.

 

You may find other Conduit products such as Search Conduit which will hijack your homepage to search.conduit.com.  This is installed when utorrent is installed (as well as several other programs.)

 

Personally... if it says conduit... I want it gone.



#8 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin

Posted 27 January 2014 - 06:18 PM

I have not tested other Conduit uninstallers. I only had access to that one.

#9 MissLizz

  • Members

Posted 27 January 2014 - 08:47 PM

From what I read in BC's virus removal section,  search conduit.com and conduit search protect  seem to be two separate infections and could be more.  I've met the first one and it's bad enough; I hope never to meet the second.



#10 quietech

  • Members

Posted 27 January 2014 - 09:38 PM

I have now run into this issue on four computers.

Here is the exact procedure I followed to repair this issue.

 

Boot to your Windows XP disk.  Enter Recovery Console.  At the command prompt, type in copy d:\i386\ntldr c:\ then press enter.  Then type copy d:\i386\ntdetect.com c:\ then press enter.  Of course, replace the drive letters shown previously with your own if your operating system differs from C or your CD drive differs from D.

 

Next, type at the command prompt: bootcfg /rebuild then press enter.  Wait for it to scan for installations.  When it prompts "Add installation to boot list?" type Y then press enter.  When it prompts for load identifier, type in the EXACT name of your OS, such as "Windows XP Professional" or "Windows XP Home Edition", then press enter.  At the final prompt for OS Load Options, type in /Fastdetect then press enter.

 

Type exit, then enter, which will restart the computer.

 

Windows should be back up and running!



#11 tagy

  • Members

Posted 27 January 2014 - 11:19 PM

I have had 6 machines this week come in like this. Making me money but I haven't seen one this busy since the birth of the FBI virus. We have had great luck just copying the two files above. Thanks for all your hard work! You all make my life that much easier. 



#12 Klausito

  • Members

Posted 28 January 2014 - 02:10 AM

Please take advice that Conduit Search Protect does not only harm Windows XP Platforms. I used Windows 8.0 when the virus attacked me. I tried to remove it by using the programs and features function. Trying to reboot the system I got the prompt: "No operating system found. Press Ctrl+Alt+Del to restart."

#13 Condobloke

  • Members

Posted 28 January 2014 - 02:34 AM

Revo Uninstaller would exacerbate the problem ....because it uses the product's built-in installer.......Correct..?


Condobloke

Outback Australian

 


  I rate W10 use, somewhere between drunk driving and hair-drying in the bathtub.

Yes....I mean that....I now run LINUX MINT 17.3 Exclusively. NO windows os at all.(except in Virtual machine for testing and forum work)

In a world without walls and fences, who needs windows and gates?

Linux is not the wave of the future. It is the tsunami of the future.

You have moved the mouse. Windows must be restarted for the changes to take effect.....

 

 


#14 Klausito

  • Members

Posted 28 January 2014 - 03:04 AM

I don't know. I wouldn't use the Revo-Uninstaller. In another blog they wrote MBAM or AdwCleaner can uninstall the junk without harming the boot-sector. By the way: I didn't repair my system. I bought a new hard disc, installed all the software and copied the data from the previous disc. I think this is more secure. Because you never know if everything of a virus in the root is killed after repairing it.



#15 ken545

  • Malware Response Team

Posted 28 January 2014 - 03:17 AM

I fixed my downstairs neighbor's Win 7 Ultimate system by using AdwCleaner, Junkware Removal Tool, Combofix and Malwarebytes with no ill effects.  Of course from what I have been reading on this forum I appear to be lucky.






