
Machine infected by Conduit and Snap.Do


This topic is locked
17 replies to this topic

#1 jcapellupo

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 02 March 2015 - 12:26 AM

Hi, I am a first-time poster and I am working on a PC that has multiple issues, including the infections listed above. I have seen some steps on one of the other malware removal forums here as I am an avid reader of Bleeping Computer forums. The machine I am working on is:

Windows 7 Home Premium 64 bit running Norton 360 (Norton is not my preferred anti-virus program, but it's not my machine)

Malwarebytes is also installed, but not able to update the databases as I keep getting blocked from accessing the internet. Please find my initial scans attached. I have also run Norton 360 prior to running Farbar with no risks detected. I also ran what I could of Malwarebytes (4 times) and Malwarebytes with no luck. I still cannot access webpages in Internet Explorer, with a full internet connection. I am typing this from my own laptop which is connected to my internet. The PC I am working on has a full connection, but the browser won't allow me to open a page to type in my password for guest access. I had to uninstall IE11 so I could actually get on the internet on the machine. I am stumped, and short of performing a full system recovery, I figured I would consult here. Thanks for your help. I have included the Farbar reports. Any insight would be appreciated.

Attached Files





#2 dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:07:53 AM

Posted 02 March 2015 - 01:21 AM

FIRST
  • Download RogueKiller (by tigzy) on to your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until the Prescan has finished.
  • Click on Scan. Once finished, click on Report.
  • Please post the contents of the RKreport.txt in your next reply.

SECOND

Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.

This will produce a log file (Rkill.txt). Please paste this in your next reply also.

Please do not ask for Malware help via PM (Private Messages). Please post in the forum boards instead. Thanks.

My help is always free but if you would like to help encourage me or show your thanks, use the donate button.


#3 jcapellupo

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 02 March 2015 - 07:39 AM

Thank you. I'm heading to work right now but I will follow those steps and post the log files this evening when I get home.

#4 jcapellupo

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 02 March 2015 - 08:20 PM

I have attached both the RogueKiller scan reports and the Rkill reports; after running them in the order specified above the computer is ready for the next steps.

UPDATE: I walked away from the computer tonight for a few moments and Windows Update decided to automatically install updates, shut down and restart. When trying to access the internet with a fully connected computer, I received the dreaded 'This page cannot be displayed'. It tells me to sign into my guest internet access page, but since I cannot access the internet, I can't open the page to sign in. I have all reports for RogueKiller and Rkill saved on my flash drive. Here is the most recent. Sorry, I am hoping this didn't make things worse. I am actually really good at removing hard-to-remove malware and viruses normally, but this one has me baffled and is stumping me at every turn. I have also rerun Farbar and attached the file since there were changes made to the operating system. Thanks in advance for the help and insight. Please let me know if it is ok to attach the files, or copy and paste them into the post.

Attached Files


Edited by jcapellupo, 03 March 2015 - 12:13 AM.


#5 dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:07:53 AM

Posted 03 March 2015 - 01:55 AM

Please do not run any tools other than the ones I ask for. If you are getting help elsewhere, let me know and I will bow out of the picture. Enough said on that subject....

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Recipe Hub toolbar
Snap.Do Engine
Strongvault Online Backup

To do so, left-click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right-clicking on the FRST64.exe file and selecting "Run as Administrator". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.

[screenshot: Press the FIX button]

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.
 

Attached Files


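An added example (not from the thread and not dbrisendine's own procedure) for checking, read-only, whether the three programs named above are still registered in Programs and Features on the 64-bit Windows 7 machine; it assumes PowerShell is available and changes nothing.

```powershell
# Added example: look up the Programs and Features registry entries for the items
# named in the post above. Read-only; nothing is uninstalled or deleted.
$names = @('Recipe Hub', 'Snap.Do', 'Strongvault')   # taken from the post above

# Per-machine 64-bit, per-machine 32-bit (WOW6432Node) and per-user uninstall keys
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $entry = $_
        foreach ($n in $names) {
            if ($entry.DisplayName -like "*$n*") {
                # Report what the Uninstall button would run and where it expects files
                [pscustomobject]@{
                    DisplayName     = $entry.DisplayName
                    Publisher       = $entry.Publisher
                    InstallLocation = $entry.InstallLocation
                    UninstallString = $entry.UninstallString
                    RegistryKey     = $entry.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    # Flag orphaned entries: the install folder is gone but the key remains
                    FolderPresent   = [bool]($entry.InstallLocation -and (Test-Path $entry.InstallLocation))
                }
            }
        }
    }

if ($entries) {
    $entries | Format-List
} else {
    "None of the listed programs appear in the Uninstall registry keys."
}
```

An entry whose InstallLocation no longer exists is an orphaned registration, which is one reason the Uninstall button can appear to do nothing; such entries are the kind of leftover a tool like FRST or AdwCleaner is used to clean up.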


#6 jcapellupo

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 03 March 2015 - 07:51 AM

I could not remove Snap.Do from the Add/Remove Programs; I click Uninstall and it just sits there and does nothing. The other two programs you asked me to remove are not in the uninstall list.

Please find the fixlog.txt file attached for your perusal.

Thank you

Attached Files



#7 dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:07:53 AM

Posted 04 March 2015 - 02:05 AM

FIRST

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • Vista/7/8 users: Right-click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner. You will see the following console:
    [screenshot: AdwCleaner console]
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
    [screenshot: AdwCleaner delete/restart prompt]
  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt
  • Optional: NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always reinstall it.

SECOND

Malwarebytes' Anti-Malware
  • Start Malwarebytes Anti-Malware from either the Start menu or your desktop shortcut (if you have one).
  • When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.
    [screenshot: Malwarebytes main screen]
  • Once the program has loaded and updated, select "Scan Now >>" to start the scan.
    [screenshot: Scan Now button]
  • The scan may take some time to finish, so please be patient.
  • If any malware is found, make sure that everything is checked, and click Remove Selected.
  • When the scan is complete, click View detailed log >> to view the results.
    [screenshot: View detailed log]
  • The report screen will open.
    [screenshot: report screen]
  • At the bottom click on Export and select as txt file, save the file to your desktop and click OK. When the export is complete, select OPEN.
    [screenshot: Export saved]
  • The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + C) it to paste here in a reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



#8 jcapellupo

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 04 March 2015 - 07:55 AM

I ran both scans in the order requested; please find both logfiles attached for your perusal and advice. Let me know what the next steps are, and I will complete them when I get home from work tonight. Sorry about the length of time it takes to respond; the time difference and my work get in the way. I appreciate all the help.

Attached Files



#9 dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:07:53 AM

Posted 04 March 2015 - 08:39 PM

This next step may take a while (just to warn you).

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway), so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier.

You can leave your Antivirus enabled even though ESET may warn about it. It just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.

Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.

Hold down the Control key and click on the following link to open ESET OnlineScan in a new window.

Link: ESET Online Scanner

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).

[screenshot: Run ESET Online Scanner button]

For browsers other than Internet Explorer only (Microsoft Internet Explorer users can skip this step):
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.

[screenshot: installer popup]

Double click on the icon on your desktop.

[screenshot: desktop file]

Check (accept) the Terms of Use.

[screenshot: Terms of Use]

Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is NOT checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked

Now click on: Start

[screenshot: scan settings]

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[screenshot: downloading signatures]

[screenshot: scanning display]

When the scan is finished, if any threats are found you will see the screen below. Click to view the found threats.

[screenshot: threats found]

At the bottom of the listed threats, there is an option to save the results to a text file. Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out, so do not worry).

[screenshot: export to text file]

Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.

[screenshot: Uninstall checked and Finish]

Attach the saved log file in your next reply please. Thanks.
 




#10 jcapellupo

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 04 March 2015 - 09:31 PM

I'm just about to start running the ESET scanner. I'll post the reports as soon as I'm done and let you know how it goes. Thanks! And thanks again for your help. I promised this very nice elderly couple (who clearly are not tech savvy, but hey, at least they are trying, lol) that I would do whatever I could to get their computer running nicely for them, and I really appreciate the help and advice. That being said, reports will be posted in the next reply.


Edited by jcapellupo, 04 March 2015 - 09:47 PM.


#11 jcapellupo

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 04 March 2015 - 11:18 PM

I have run ESET per the instructions above and have attached the logfile of scan results for your perusal. I am ready for the next steps. Thanks!

Attached Files



#12 dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:07:53 AM

Posted 04 March 2015 - 11:48 PM

I can certainly understand that and applaud your undertaking!

 

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right-clicking on the FRST64.exe file and selecting "Run as Administrator". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

[screenshot: Press the FIX button]

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.
 

Attached Files




#13 jcapellupo

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 05 March 2015 - 12:42 AM

:smash: <-- this is how I felt when I first took on this challenge. I've cleaned out a ton of malware on a ton of machines, but this one by far was the most challenging one for me, for sure! It's a learning experience with every machine, and the malware is getting much more difficult to remove without some type of assistance! It is good to have forums like these, and people who take time out of their schedules to manage and maintain them and help others. It's awesome. I have attached the fixlog below and am ready for the next steps.

Attached Files



#14 dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:07:53 AM

Posted 05 March 2015 - 11:58 PM

How is the system running now?




#15 jcapellupo

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Gender:Female
  • Location:New York
  • Local time:09:53 AM

Posted 06 March 2015 - 12:18 AM

So far, it's much improved; it's much faster than when I first started working with the machine. I have been able to browse sites, and I haven't had any pop-ups or other issues. There are a few programs I would like to install, and I would like to get rid of her Norton 360 and replace it with Microsoft Security Essentials. I have used it, in combination with Malwarebytes, as my main anti-virus and anti-malware protection on my machines, and have had no issues.

I have downloaded Revo Uninstaller, which I have used previously, to get rid of some leftover programs, including Norton 360, as I am going to replace it with Security Essentials. It also removed the Snap.Do engine that was left over in the Add/Remove Programs list. So far so good! If there is anything else you think I should do, please let me know, and I will do it.

Edited by jcapellupo, 06 March 2015 - 12:49 AM.
