Can't get rid of 'Conduit' registry keys


15 replies to this topic

#1 Conduit_go_away

Conduit_go_away

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 19 July 2015 - 02:21 AM

I'm usually perfectly able to get rid of spyware, adware and viruses on my computer with the help of google + some common sense, but this is the first time in my life that I can't seem to solve this problem no matter what I try - I would really appreciate it if someone would help me with it.

 

AdwCleaner keeps finding these registry keys after scanning:

 

HKCU\Software\Conduit
HKCU64\Software\Conduit

 

That's it. The program continues to delete them without any problem, but if I check one or two days later the registry keys are back again; again I delete them, again they are back one or two days later. I've repeated this cycle for months (years?) now - since Conduit is classified as Adware it doesn't seem to be a big threat - but now I'd like to get rid of this once and for all.

 

I'm running Windows 7 64 bit (Ultimate).

 

I've tried:

- Full system scans with AdwCleaner, HitmanPro, Malwarebytes, Windows Defender and AVG. Only AdwCleaner and HitmanPro picked up the Conduit keys, otherwise my computer seems to be clean. No adware, no viruses, no spyware is found, other than the Conduit keys.

- Resetting all my browsers (FF and IE) + uninstalling Chrome. I only have add-ons for firefox that have a good reputation: https-everywhere, NoScript, Self-Destructing Cookies and uBlock.

- Checking Taskmanager + msconfig + 'Programs and features' for processes/programs that seem out of place. I didn't find anything that shouldn't be there.

- Googled for countless hours, but I only could find solutions to deal with the full-blown Conduit adware (the toolbar + browser hijacking). My computer doesn't have any of those symptoms - just the registry keys.

 

Again, any help is appreciated. Below is the AdwCleaner log. It is partly in Dutch but I translated a couple of words for better understanding.

 

I figure some program on my computer must be the culprit, but I have no idea how I can find out which one is to blame.

 

-----------------------------

 

 

# AdwCleaner v4.208 - Logbestand aangemaakt 19/07/2015 op 08:43:52
# Laatste update 09/07/2015 door Xplode
# Database : 2015-07-15.1 [Server]
# Besturingssysteem : Windows 7 Ultimate Service Pack 1 (x64)
# Gebruikersnaam :
# Gestart vanuit : D:\Downloads\adwcleaner_4.208.exe
# Optie : Scannen

***** [ Services ] *****


***** [ Files / Directories] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Conduit

***** [ Webbrowsers ] *****

-\\ Internet Explorer v11.0.9600.17909


-\\ Mozilla Firefox v


*************************

AdwCleaner[R2].txt - [758 bytes] - [18/07/2015 16:36:59]
AdwCleaner[R3].txt - [906 bytes] - [19/07/2015 08:23:31]
AdwCleaner[R4].txt - [824 bytes] - [19/07/2015 08:43:52]

########## EOF - C:\AdwCleaner\AdwCleaner[R4].txt - [882 bytes] ##########
 


Edited by Conduit_go_away, 19 July 2015 - 02:38 AM.




#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:12 AM

Posted 19 July 2015 - 02:26 AM

Hi there,

If you run AdwCleaner and choose Cleaning for both detections, do they return?

#3 Conduit_go_away


Posted 19 July 2015 - 02:31 AM

Hi there,

If you run AdwCleaner and choose Cleaning for both detections, do they return?

 

Thanks for replying. To answer your question: yes, unfortunately. They don't seem to return immediately or after a fresh reboot, but when I check back a couple of days later they are back all right.


Edited by Conduit_go_away, 19 July 2015 - 02:34 AM.


#4 Sintharius


Posted 19 July 2015 - 02:33 AM

We'll see what else is there.

MiniToolbox by Farbar

Avast users please disable your antivirus before downloading!
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (choose Errors only)
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

Security Check by screen317
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

Regards,
Alex

#5 Conduit_go_away


Posted 19 July 2015 - 02:44 AM

*edited because of personal information, like IP addresses.*


Edited by Conduit_go_away, 19 July 2015 - 06:05 AM.


#6 Sintharius


Posted 19 July 2015 - 02:51 AM

Hello,

Do you have an antivirus installed? I don't see one anywhere on the logs.

Error: (07/18/2015 08:53:59 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Looks like an external hard drive of some sort... do you have one?

Please run these.

Junkware Removal Tool by Malwarebytes Corporation

Please download Junkware Removal Tool to your desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
===

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
Regards,
Alex

#7 Conduit_go_away


Posted 19 July 2015 - 02:56 AM

To answer your first questions: I'll only install virus scanners when I do a full system scan, and after that I uninstall them. In the recent past I've installed AVG, Malwarebytes, HitmanPro and Windows Defender (the last one is of course still on my computer).

 

And yes, I have a couple of external drives. 2 USB sticks (the one plugged in now is a Kingston 16 GB) + 1 external hard drive, a WD My Passport Ultra 500 GB.

 

I will now run the two programs you've posted. I think I've run Junkware Removal Tool in the past for this very problem, if I'm not mistaken. We'll see what it says.


Edited by Conduit_go_away, 19 July 2015 - 02:58 AM.


#8 Conduit_go_away


Posted 19 July 2015 - 03:19 AM

The results:

 

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.1 (07.16.2015:1)
OS: Windows 7 Ultimate x64
Ran by Bart on zo 19-07-2015 at  9:59:22,62
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on zo 19-07-2015 at 10:01:48,03
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

E-Emergency Kit (translated a bit, it automatically selected Dutch for the output):

 

Emsisoft Emergency Kit - Versie 10.0
Laatste Update: 19-7-2015 10:09:37
Gebruikersaccount: Primair\Bart

Scan settings:

Scan mode: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detectect PUPs: On
Scan archives: off
ADS Scan: off
Bestandsextensiefilter: off
Advanced cache: on
Direct disc access: off

Scan gestart:    19-7-2015 10:10:27
Value: HKEY_USERS\S-1-5-21-1193772974-3490971497-62214273-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     found: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-1193772974-3490971497-62214273-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     found: Setting.DisableRegistryTools (A)
Key: HKEY_USERS\S-1-5-21-1193772974-3490971497-62214273-1000\SOFTWARE\CONDUIT     found: Application.InstallAd (A)

Scanned:    73212
Found:    3

Scan geëindigd:    19-7-2015 10:14:26
Scantijd:    0:03:59

Key: HKEY_USERS\S-1-5-21-1193772974-3490971497-62214273-1000\SOFTWARE\CONDUIT    Placed in quarantine Application.InstallAd (A)
Value: HKEY_USERS\S-1-5-21-1193772974-3490971497-62214273-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    Placed in quarantine Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-1193772974-3490971497-62214273-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    Placed in quarantineSetting.DisableTaskMgr (A)

Placed in quarantine    3


 


Edited by Conduit_go_away, 19 July 2015 - 03:20 AM.


#9 Sintharius


Posted 19 July 2015 - 03:25 AM

No need to translate logs since I can understand what they mean. :)

You should install an antivirus and keep it updated - antivirus software is meant to be proactive (stopping malware before they infest your computer), not reactive (cleaning up the infection). Prevention is always better than cure - some malware are easy to stop before they install just by blocking the dropper, but once they have installed on your system it is very difficult to remove (rootkits and some PUPs). Not to mention that file infectors will completely destroy your computer if they are not prevented in the first place.

Also remember to run an antimalware software alongside an antivirus.

Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here.

Double click on the file mbam-setup-2.x.x.xxxx.exe to install the application. (x.x.xxxx is the version)
  • Follow the prompt. At the end place a checkmark in Launch Malwarebytes Anti-Malware, then choose Finish.
  • When MBAM opens it will say Your database is out of date. Choose Fix Now.
  • Click on the Scan tab at the top of the window, choose Threat Scan, then Scan Now.
  • If you receive a message that updates are available, choose Update Now button (the scan will start after updates are completed).
  • Please be patient as the scan will take some time.
  • If MBAM detected threats, choose Quarantine for all items, then click Apply Actions.
  • While still on the Scan tab, choose View detailed log. In the window that opens, click the Export button, choose Text file (*.txt) and save the log to your Desktop.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


===

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex

#10 Conduit_go_away


Posted 19 July 2015 - 03:35 AM

Thanks again for the advice and help, Alex. In retrospect, you're - of course! - totally right concerning the proactive attitude; I'll definitely take it to heart from now on.

I'll now take the next step and run MBAM and Eset Online Scanner.


Edited by Conduit_go_away, 19 July 2015 - 03:38 AM.


#11 Conduit_go_away


Posted 19 July 2015 - 04:40 AM

Done...

 

Eset didn't find anything at all, so there was no log file available.

 

MBAB also came up clean (see below).

 

Everything looks good for now, but this was also the case with the previous (countless) scans: registry keys are found and deleted by AdwCleaner, then they are back again in a couple of days.

 

Any idea what could cause this, or what I could do to prevent the keys from coming back? Of course it would be easy to do a fresh install of Windows if the problem should persist, but I have the feeling this might've come from one of the programs I'm using - thus my computer could get infected in the future again.

 

However, I have no idea which program would cause this. The only program I don't trust completely on my computer is uTorrent, since it has been known to install adware with later versions such as a bitcoin miner. The version I'm using (v2.2.1 build 25203), however, has been widely known to be the last good version - it should be clean.

 

 

--------------------

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 19-7-2015
Scan Time: 10:33
Logfile: mbab.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.18.05
Rootkit Database: v2015.07.17.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Bart

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 332107
Time Elapsed: 12 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Edited by Conduit_go_away, 19 July 2015 - 04:46 AM.


#12 Sintharius


Posted 19 July 2015 - 04:42 AM

Reset your browsers using instructions here.

Also, remember to install an antivirus and keep it updated. For antimalware software you can choose between Emsisoft Anti-Malware or Malwarebytes Anti-Malware.

Let me know how it goes.

Regards,
Alex

#13 Conduit_go_away


Posted 19 July 2015 - 04:51 AM

Reset your browsers using instructions here.

Also, remember to install an antivirus and keep it updated. For antimalware software you can choose between Emsisoft Anti-Malware or Malwarebytes Anti-Malware.

Let me know how it goes.

Regards,
Alex

 

I've reset my browsers yesterday, after AdwCleaner removed the registry keys. Is it still necessary to do this?

 

I'll keep MBAM + an antivirus activated from now on. Any tips when it comes to free antivirus programs? AVG seems bloated lately, I think I'll try Microsoft Security Essentials or Avast Free.

 

Thank you for your help so far Alex, amazing you help people like me in your spare time :)

I'll keep the thread updated in the next couple of weeks, see if the registry keys return.


Edited by Conduit_go_away, 19 July 2015 - 05:06 AM.


#14 Sintharius


Posted 19 July 2015 - 05:09 AM

If you already reset your browsers then that is okay.

I recommend that you use Malwarebytes Anti-Malware Premium if possible, as it will stop these kinds of things from happening in the future. Avast is a good choice for free antivirus, but remember to untick anything it offers you if you decide to use it.

Malwarebytes can run with all other antivirus software, so no worries.

#15 Conduit_go_away


Posted 19 July 2015 - 06:05 AM

If you already reset your browsers then that is okay.

I recommend that you use Malwarebytes Anti-Malware Premium if possible, as it will stop these kinds of things from happening in the future. Avast is a good choice for free antivirus, but remember to untick anything it offers you if you decide to use it.

Malwarebytes can run with all other antivirus software, so no worries.

 

 

All right, thanks again!

 

I've bought MBAM Premium, and I'm still debating with myself if I should buy a license to Avira, Kaspersky or Nod32. A free version of Avira is scanning my computer right now and all looks well.

 

What I've also changed is that I've enabled User Account Control Settings ('always notify') and I've created a separate user account for casual computing. That should also decrease my chance of catching some nasty spy/adware in the future.


Edited by Conduit_go_away, 19 July 2015 - 06:07 AM.
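
The thread ends without identifying which program recreates HKCU\Software\Conduit. One way to answer that is Windows registry auditing, shown here as an added example that is not part of any post above. It assumes an elevated PowerShell session under the affected account; the function names are hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# under the affected account, so that HKCU: is that user's registry hive.
# Function names are hypothetical; the key path is the one AdwCleaner reported.

$CreateSubKeyBit = 0x4   # KEY_CREATE_SUB_KEY as it appears in event 4663's AccessMask

function Enable-SoftwareKeyAudit {
    # Success auditing for the Object Access > Registry subcategory. The GUID
    # is used because the subcategory name is localized on non-English Windows.
    auditpol /set /subcategory:"{0CCE921E-69AE-11D9-BED3-505054503030}" /success:enable | Out-Null

    # SACL entry: log each successful subkey creation directly under
    # HKCU\Software, by any account (S-1-1-0 = Everyone), not inherited.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        $everyone,
        [System.Security.AccessControl.RegistryRights]::CreateSubKey,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path 'HKCU:\Software' -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path 'HKCU:\Software' -AclObject $acl
}

function Get-SoftwareSubKeyCreator {
    # Returns one object per audited "create sub-key" access on HKCU\Software.
    param([datetime]$Since = (Get-Date).AddDays(-3))

    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $parent = "\REGISTRY\USER\$sid\Software"
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if ($data['ObjectName'] -eq $parent -and ($mask -band $CreateSubKeyBit)) {
            New-Object PSObject -Property @{
                Time    = $evt.TimeCreated
                Process = $data['ProcessName']
                User    = $data['SubjectUserName']
            }
        }
    }
}

# 1) Enable-SoftwareKeyAudit, then let AdwCleaner delete the key as before.
# 2) Once Test-Path 'HKCU:\Software\Conduit' returns True again:
#    Get-SoftwareSubKeyCreator | Sort-Object Time | Format-Table Time, Process, User -AutoSize
```

Event 4663 records the parent key and the process image path rather than the name of the new subkey, so the culprit is the process whose entry falls in the window between the last cleanup and the key's reappearance.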




