
Conduit infection


30 replies to this topic

#16 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 05 February 2014 - 10:29 AM

FSS Log? You mean Farber? I found all three registry programs. Just about to run them now. Ok, I ran the three registry files, had no trouble merging them to the registry. Let me know if it's Farber and I'll run that. The longer scan might have to wait for this afternoon.  


Edited by BenKenobi18, 05 February 2014 - 10:47 AM.




#17 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:56 AM

Posted 05 February 2014 - 10:52 AM

Sorry, run the Repair tool as suggested in post no. 8.

It may take some time.

#18 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 05 February 2014 - 11:29 AM

No worries. Just asking for clarification. Ok, I have to meet with a client. I'll run it this afternoon. 



#19 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 05 February 2014 - 06:23 PM

Ok, ran it, it hung when trying to rename a folder that was too long, in Content.IE5. Same as before. Let it run for 3+ hours. 



#20 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:56 AM

Posted 06 February 2014 - 08:34 AM


Delete all the files in your Content.IE folder.
http://www.f-prot.com/support/windows/fpwin_faq/122.html

Restart the computer after completion.

#21 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 06 February 2014 - 09:12 AM

What am I doing wrong? Is there something off with my syntax? I copied exactly what they said to do.
 
This is the folder I need to delete:
 
"C:\Users\SeanO\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYY6C8GB"       
 
Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32>cd c:/
 
c:\>cd users
 
c:\Users>cd SeanO
 
c:\Users\SeanO>cd Appdata
 
c:\Users\SeanO\AppData>cd Local
 
c:\Users\SeanO\AppData\Local>cd Microsoft
 
c:\Users\SeanO\AppData\Local\Microsoft>cd Windows
 
c:\Users\SeanO\AppData\Local\Microsoft\Windows>cd Temporary Internet Files
 
c:\Users\SeanO\AppData\Local\Microsoft\Windows\Temporary Internet Files>cd Conte
nt.IE5
 
c:\Users\SeanO\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.
IE5>dir /a
 Volume in drive C is Windows
 Volume Serial Number is 1C71-E493
 
 Directory of c:\Users\SeanO\AppData\Local\Microsoft\Windows\Temporary Internet
Files\Content.IE5
 
02/04/2014  01:55 AM    <DIR>          .
02/04/2014  01:55 AM    <DIR>          ..
01/29/2014  09:44 PM    <DIR>          MYY6C8GB
               0 File(s)              0 bytes
               3 Dir(s)  230,307,024,896 bytes free
 
c:\Users\SeanO\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.
IE5> del MYY6C8GB
 
And it just sits there. I never get the Y/N Prompt. 
 
 

Edited by BenKenobi18, 06 February 2014 - 09:38 AM.


#22 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:56 AM

Posted 06 February 2014 - 11:40 AM


Make sure you can see hidden files.
How to show hidden files in Windows 7
http://www.bleepingcomputer.com/tutorials/tutorial151.html
===

Use this command. It will delete the temporary files in all profiles.

To make the Content.IE5 folder to be visible in Temporary Internet Files directory
Please note that it is not necessary to make the Content.IE5 folder to be visible in Temporary Internet Files directory when deleting files in the Content.IE5 folder.
Press Start and select Run.
Type cmd.
At the command prompt, type
dir /a "%Userprofile%\Local Settings\Temporary Internet Files\*.*"

#23 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 06 February 2014 - 12:04 PM

It is exactly as written, or do I type in the username?

 

Edit, yes, I can see hidden files. You put me through that awhile ago. I wasn't seeing them but now I am.

 
 
"Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32>dir /a "%Userprofile%\Local Settings\Temporary Internet File
s\*.*"
 Volume in drive C is Windows
 Volume Serial Number is 1C71-E493
 
 Directory of C:\Users\SRO\Local Settings\Temporary Internet Files
 
File Not Found
 
C:\Windows\system32>"
 
I get FNF doing it this way. And we don't want SRO, that profile is fine. It's the old userprofile of SeanO that's giving me all the headaches. (C:/users/SeanO).

Edited by BenKenobi18, 06 February 2014 - 12:11 PM.


#24 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:56 AM

Posted 06 February 2014 - 02:00 PM

Delete one or more files.
Syntax
DEL [options] [/A:file_attributes] files_to_delete

http://ss64.com/nt/del.html

At a DOS prompt try this.
DEL /F "c:\Users\SeanO\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYY6C8GB"

There are other options that you can try.
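
An added example, not part of the post above or of any tool named in this thread: DEL removes files only, so clearing a cache folder such as MYY6C8GB together with over-long paths inside it needs a directory-level tool. This batch script assumes the failure is path length, as reported in post #19; the script name, the EMPTY variable and the Content.IE5 guard are illustrative choices.

```batch
@echo off
rem Added example: purge one Content.IE5 cache subfolder whose contents
rem exceed MAX_PATH. Usage (hypothetical script name):
rem   purge-iecache.cmd "C:\Users\SeanO\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYY6C8GB"
setlocal
set "TARGET=%~1"
if not defined TARGET (echo Usage: %~nx0 "full path to cache subfolder" & exit /b 2)

rem Guard (an assumption of this example): only act inside an IE cache tree.
if "%TARGET:Content.IE5=%"=="%TARGET%" (echo Refusing: not under Content.IE5 & exit /b 2)
if not exist "%TARGET%\" (echo Not found: "%TARGET%" & exit /b 1)

rem Scratch folder that stays empty; it is the mirror source.
set "EMPTY=%TEMP%\empty_%RANDOM%"
mkdir "%EMPTY%" || exit /b 1

rem Mirroring an empty folder over the target purges everything below it.
rem robocopy handles paths longer than MAX_PATH unless /256 is given.
robocopy "%EMPTY%" "%TARGET%" /MIR /R:1 /W:1 /NFL /NDL /NJH /NJS >nul

rem robocopy exit codes of 8 and above mean at least one failure.
if errorlevel 8 (echo robocopy could not purge "%TARGET%" & rd "%EMPTY%" & exit /b 1)

rem Both folders are empty now, so plain RD (no /S) is enough.
rd "%TARGET%"
rd "%EMPTY%"
if exist "%TARGET%\" (echo Folder still present, check disk or lock state & exit /b 1)
echo Removed "%TARGET%"
```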

#25 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 06 February 2014 - 03:08 PM

Oh nice. 

 

I'm sorry this is such a frustrating problem. Ok, lemme try /F

 

Interestingly, it didn't hang. CMD reports that the request could not be performed because of an I/O device error. 


Edited by BenKenobi18, 06 February 2014 - 03:30 PM.


#26 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:56 AM

Posted 07 February 2014 - 09:21 AM

What is an I/O Device Error?
http://www.tune-your-pc.com/blog/what-is-an-io-device-error-and-how-to-fix-it/

It might just be that you need to perform a Check disk and Defrag your hard drive.

To repair errors, locate bad sectors, and recover readable information, at the command prompt, type chkdsk c: /r and then press Enter. (Make sure you have a space before the /r option.)

When done do a Defrag.
How to:
http://helpdesk.its.uiowa.edu/windows/instructions/defrag.htm

When done try the last command to delete the Temporary files.

#27 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 07 February 2014 - 05:10 PM

Here's an idea. Is it possible that I've got a folder that loops with something else, and there's nothing actually in that file? c:/users/SeanO is a folder with a lock on it. It would explain why the system cannot open MYY6C8GB, and why the system hangs when attempting to open it?

 

Ran CHKDSK, and it ran successfully. Defrag ran successfully, but no change with the file.


Edited by BenKenobi18, 07 February 2014 - 05:23 PM.


#28 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:56 AM

Posted 08 February 2014 - 09:17 AM

Download and run this Unlocker tool.
http://www.filehippo.com/download_unlocker/

Can you delete it now?

#29 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 08 February 2014 - 06:43 PM

ok, let me try. Apologies for the delay. 

 

Edit, it drills down just fine to the MYY6C8GB folder,

 

Error 0x80070091 (the directory is not empty), when trying to delete the entire userprofile of C:/Users/SeanO. Same with AppData and the subfolders. *sigh*. 


Edited by BenKenobi18, 08 February 2014 - 07:03 PM.


#30 BenKenobi18

BenKenobi18
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 09 February 2014 - 04:13 AM

Uh, Nasdaq - you need to remove that file link immediately. 

 

It has PUP on it. My system slowed to a halt, but MalwareBytes successfully picked up the malware. 

 

Can we please not be loading malware onto a clean system?

 
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.01.30.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
SRO :: E6510-403STM1 [administrator]
 
2/9/2014 2:42:55 AM
mbam-log-2014-02-09 (02-42-55).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207884
Time elapsed: 26 minute(s), 36 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 4
C:\Users\SRO\Desktop\Unlocker1.9.2.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\SRO\AppData\Local\Temp\DeltaTB.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\SRO\AppData\Local\Temp\0BFFB74B-BAB0-7891-8C9B-1D5A67420687\Latest\BExternal.dll (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\SRO\Downloads\Unlocker1.9.2.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
 
(end)

Edited by BenKenobi18, 09 February 2014 - 04:21 AM.




