Conduit Removal


10 replies to this topic

#1 BecuzIMURMother

Posted 27 April 2014 - 05:09 PM

So, my kids somehow ended up infecting my computer with Conduit browser hijack.  Every time I open IE, it redirects me back to conduit.com.  I've changed my start page, reset IE, uninstalled & reinstalled IE, upgraded & downgraded IE, and still it's there.  I've run AdAware, Malwarebytes, Spybot, AVG, JRT, Adware Removal Tool, ADWCleaner, Hack Cleaner, CCleaner, PC Decrapifier, Hijack This, and TDS Killer.  I've even tweaked the registry by deleting all the Conduit entries (except for two that still show the Conduit redirect and won't let me change them or delete them, which is what Malwarebytes picks up.) So far, everything is clean except for Spybot & Malwarebytes picking up Conduit. 

 

Malwarebytes picks up this: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit.A) -> Bad: (http://search.conduit.com/?ctid=CT3319613&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP388F4554-8F8F-46F7-8384-51EFA3B887B7&SSPV=) Good: (http://www.google.com) -> Delete on reboot.
 

Spybot picks up this: Win32.Downloader.gen: [SBI $F03796FC] IE start page (Registry change, fixing failed)
  HKEY_USERS\S-1-5-21-4088896248-3822548509-672843849-1000\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

 

Malwarebytes and Spybot both want to restart the computer to remove the threat, but they never remove it.  Spybot always wants to run on startup, and I let it, and an hour or so later it's still not removed anything.

 

I'm at a loss.  I've uninstalled Google Chrome, because it was doing the same thing as IE.  I've already checked for and uninstalled the Conduit toolbar from my computer.  At this point, I've removed IE from the computer, but I know that it will make Windows unstable without it, so I plan on putting it back.  I'm currently running version 9.  In the past, I have tried updating that to 10 & 11, without success, likely due to Conduit.  I've tried everything under the sun beyond wiping the whole system and starting fresh, which I'm really trying to avoid.  I'm not a novice user, but this bug is kicking my butt. 

 

I'm running Windows 7 Professional, Service Pack 1.  I generally use Firefox (current version 27), which is not being affected by the bug.  If anyone has any suggestions for me to try, I'll certainly do so.  Thanks for your help!
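A read-only way to inspect the two Start Page entries that Malwarebytes and Spybot report above, as an added example that is not part of the original post. It lists the value under each loaded user hive together with the key's owner and any Deny entries in its ACL; that a restrictive ACL is what blocks the edits is an assumption to check, not something the thread establishes.

```powershell
# Added example (not from the thread): report the IE "Start Page" value and the
# ACL of its registry key for every loaded user hive. Nothing is modified.
# Run from an elevated prompt so other users' hives can be read.
$subKey = 'Software\Microsoft\Internet Explorer\Main'

# Per-user hives under HKEY_USERS; the pattern skips the *_Classes hives.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($hive in $hives) {
    $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
    if (-not (Test-Path -Path $path)) { continue }

    # Current start page as stored in this user's hive.
    $props = Get-ItemProperty -Path $path -Name 'Start Page' -ErrorAction SilentlyContinue
    $startPage = if ($props) { $props.'Start Page' } else { '<not set or not readable>' }

    # Owner and explicit Deny entries: a changed owner, blocked inheritance or a
    # Deny rule would explain a value that cannot be edited or deleted.
    $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
    if (-not $acl) {
        Write-Warning "Cannot read the ACL of $path"
        continue
    }
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    $denyText = ($deny | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '

    New-Object PSObject -Property @{
        Sid                = $hive.PSChildName
        StartPage          = $startPage
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        DenyEntries        = $denyText
    } | Format-List Sid, StartPage, Owner, InheritanceBlocked, DenyEntries
}
```

An empty DenyEntries with InheritanceBlocked set to False points away from the ACL and toward something rewriting the value after each cleanup.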




 


#2 mainer21

Posted 27 April 2014 - 05:28 PM

Take a look here.

"Conduit Search & Conduit Apps Toolbar"

http://www.wintips.org/remove-conduit-search-apps-toolbar/



#3 noknojon

Posted 27 April 2014 - 07:37 PM

Hello -

Please ignore the post above, it includes very odd "removal tools" that we do not use here.

 

Download Security Check from HERE or HERE and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

 

Next -

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

NOTE - If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. rKill.txt log will also be present on your desktop.

 

Do not reboot till this program has completed.

 

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.

** Check the listed programs, but most will need removal ............
* NOW: Click on the Clean button (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After Auto rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

Please include :

Security Check txt.

RKill.txt

and AdwCleaner Log Files

Also report on the computer's operation -



#4 BecuzIMURMother

Posted 27 April 2014 - 07:44 PM

Take a look here.

"Conduit Search & Conduit Apps Toolbar"

http://www.wintips.org/remove-conduit-search-apps-toolbar/

Thanks for the help, but I've already done all of this, with no success.



#5 BecuzIMURMother

Posted 27 April 2014 - 07:45 PM

noknojon - Working on this now.

#6 noknojon

Posted 27 April 2014 - 07:49 PM

Please use this as Step 2 -

 

Based on what you describe, the next thing I would have you do is to check and remove / disable browser extensions.

If you are still having issues after that, the next step is to try resetting browser settings to default.
How to reset your browser settings to default in Internet Explorer, Firefox, Google Chrome, Opera, Safari



#7 BecuzIMURMother

Posted 27 April 2014 - 07:53 PM

 Results of screen317's Security Check version 0.99.82  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
AVG AntiVirus Free Edition 2014   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 Out of date HijackThis  installed!
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 HijackThis 1.99.1    
 AVG Web TuneUp   
 Java 7 Update 51  
 Java version out of Date!
 Adobe Flash Player 13.0.0.182  
 Adobe Reader XI  
 Mozilla Firefox (27.0)
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/27/2014 08:49:18 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * DNS Client (Dnscache) is not Running.
   Startup Type set to: Disabled

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  20 out of 27119 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 04/27/2014 08:50:25 PM
Execution time: 0 hours(s), 1 minute(s), and 7 seconds(s)
 



#8 BecuzIMURMother

Posted 27 April 2014 - 08:01 PM

# AdwCleaner v3.204 - Report created 27/04/2014 at 20:55:40
# Updated 26/04/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Jones - JONES-PC
# Running from : C:\Firefox Downloads\AdwCleaner(1).exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\strongvaultapp_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\strongvaultapp_rasmancs
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{28C02550-6572-401a-A2AE-5BC703C9BBA6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A1CCCE0D-AE21-42A2-BE58-8E6109410995}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD4D7B0F-45C6-4bb2-A1E7-54D1754E7FC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16545


-\\ Mozilla Firefox v27.0 (en-US)

[ File : C:\Users\Jones\AppData\Roaming\Mozilla\Firefox\Profiles\1rmjpis8.default-1373724460305\prefs.js ]


[ File : C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\b1rnoijx.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [7073 octets] - [20/02/2014 21:23:43]
AdwCleaner[R1].txt - [2623 octets] - [22/02/2014 18:54:40]
AdwCleaner[R4].txt - [4224 octets] - [27/04/2014 20:54:25]
AdwCleaner[S0].txt - [6620 octets] - [20/02/2014 21:25:04]
AdwCleaner[S1].txt - [2253 octets] - [22/02/2014 18:59:31]
AdwCleaner[S4].txt - [3983 octets] - [27/04/2014 20:55:40]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [4043 octets] ##########
 



#9 BecuzIMURMother

Posted 27 April 2014 - 08:07 PM

The computer itself runs as normal.  It's not running any slower, and I'm not seeing any oddball error messages or BSODs.  I've already checked for Conduit under the add-ons in IE and Firefox (although Firefox does not show any signs of infection), but I checked again.  It's still not there, and pretty much the only thing enabled is Google as my "default" search provider.  I also have reset IE before, but I just did it again, with no changes.



#10 BecuzIMURMother

Posted 27 April 2014 - 08:09 PM

Please note, way back in the beginning of my removal attempt, Conduit was listed in the add-ons, but I had removed it.



#11 noknojon

Posted 27 April 2014 - 08:28 PM

Hi -

A few extras for you -

 

Out of date HijackThis  installed! You may as well delete this. It is not much use on your 64bit Windows7 -

 

 

You can Delete / Empty AdwCleaner now. Open the program and hit Uninstall, if asked to confirm, just click OK. This will remove the program and any items it may still have in quarantine. I treat it as a "Use once / Delete" tool since there are no Update functions included.

 

 

 

 

Malwarebytes Anti-Malware version 1.75.0.1300 has now been upgraded to Version 2.0.1

Please follow Free version removal methods. (link is to Malwarebytes site)

* Download Malwarebytes Anti-Malware Free and save it to your desktop
* Double click the desktop icon, click Run, then OK
* Click Next
* Select I accept the agreement then continue to click Next then finally click Install
** Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
* If you are notified the Database is out of date click Update Now
* Click Scan Now >>
----------
** Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
* Click Start (Start, Search, All files and folders for Windows XP) then type mbam
* Double click one of the four following files (if one does not work try the next one, and so on) - A black command window will open. Follow those instructions until the Malwarebytes program starts the scan

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com
----------
** When completed click the down arrow on Export Log and select Text file (*.txt)
* Save the file to your desktop as MBAM
* Click Apply Actions then restart your computer if requested
* Copy and paste the contents of MBAM.txt in your reply

 

 

Would you like more help just now, or will you leave it for a few Reboots to see if it changes?





