Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

getting tons of popups when browsing


  • Please log in to reply
12 replies to this topic

#1 scalvert

scalvert

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 18 August 2015 - 09:31 PM

Hello all, I have a friends computer that I'm trying to fix.  I scanned it with Malwarebytes and it found 1000 objects but couldn't remove them.  one is a conduit program.  can someone help me fix this computer?

 

thanks

scott



BC AdBot (Login to Remove)

 


#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:48 AM

Posted 19 August 2015 - 02:56 AM

Hello scalvert,

 

Do you receive some error message from MBAM?

 

----------

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe
http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

§  Double-click on the Rkill desktop icon to run the tool.

§  If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.

§  black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

§  If not, delete the file, then download and use the one provided in Link 2.

§  Do not reboot until instructed.

§  If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

 

-----------

 

Download Security Check from here or here and save it to your Desktop.

§  Double-click SecurityCheck.exe

§  Follow the onscreen instructions inside of the black box.

§  Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

-------

 

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.

§  Right click on KVRT.exe and select Run as Administrator.

§  Read the EULA, then select Accept.

§  Wait for Kaspersky Virus Removal Tool to initialize.

§  In the main screen, select Change parameters, place a checkmark in System drive, then click OK.

§  Click Start scan.

§  Wait for Kaspersky Virus Removal Tool to complete scanning.

§  When the scan is finished, select Neutralize all for all detected objects.

§  Close Kaspersky Virus Removal Tool when done.

Informe me if something is detected.

 

-------

 

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  Click on Scan button.

§  When the scan has finished click on Clean button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[S0].txt as well.

 

------------------------

 

Please download Junkware Removal Tool to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.

 

------------------

 


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#3 scalvert

scalvert
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 19 August 2015 - 09:28 PM

Yes I did receive some messages from MBAM about Updater.exe was blocked and Firefoxhelper.exe and IEhelper.exe and Chromehelper.exe were being blocked.

below are the text files.

rkill.txt

Rkill 2.8.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/19/2015 08:26:35 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 08/19/2015 08:27:41 AM
Execution time: 0 hours(s), 1 minute(s), and 5 seconds(s)

 

Checkup notepad

 Results of screen317's Security Check version 1.007
 Windows 7 Service Pack 1 x64 (UAC is enabled)
 Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
Norton 360 Premier Edition 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 30
 Java version 32-bit out of Date!
 Adobe Reader 10.1.9 Adobe Reader out of Date!
 Google Chrome 31.0.1650.63 Google Chrome out of date!
````````Process Check: objlist.exe by Laurent````````
 Norton ccSvcHst.exe
 Malwarebytes Anti-Malware mbamservice.exe
 Malwarebytes Anti-Malware mbam.exe
 Malwarebytes Anti-Malware mbamscheduler.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 5%
````````````````````End of Log``````````````````````

 

Kaspersky Virus Removal Tool found nothing

 

AdwCleaner txt

# AdwCleaner v5.002 - Logfile created 19/08/2015 at 18:03:02
# Updated 18/08/2015 by Xplode
# Database : 2015-08-18.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Owner - OWNER-PC
# Running from : C:\Users\Owner\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\SearchProtect
[-] Folder Deleted : C:\Program Files (x86)\Video downloader
[-] Folder Deleted : C:\Program Files (x86)\WowaCoupoun
[-] Folder Deleted : C:\Program Files (x86)\Common Files\337
[-] Folder Deleted : C:\ProgramData\eSafe
[-] Folder Deleted : C:\ProgramData\Updater
[-] Folder Deleted : C:\ProgramData\WowaCoupoun
[-] Folder Deleted : C:\ProgramData\b21b5dfb57ee18a2
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video downloader
[-] Folder Deleted : C:\Users\Owner\AppData\LocalLow\Conduit
[-] Folder Deleted : C:\windows\SysWOW64\SearchProtect

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dhhjmlmdpcpiojiffodbldlkgcnaeogp

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\speedupmypc
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DeskSvc
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WsysSvc
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{FED6A736-129B-49C7-857E-25FC91E87DB3}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
[-] Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\InstalledThirdPartyPrograms
[-] Key Deleted : HKCU\Software\AppDataLow\Toolbar
[-] Key Deleted : HKCU\Software\AppDataLow\Software\BackgroundContainer
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\Desksvc
[-] Key Deleted : HKLM\SOFTWARE\eSafeSecControl
[-] Key Deleted : HKLM\SOFTWARE\hdcode
[-] Key Deleted : HKLM\SOFTWARE\Uniblue
[!] Key Not Deleted : HKLM\SOFTWARE\Uniblue\DriverScanner
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B8A71D1-31D4-EE6A-C32F-836E0BFFA6D3}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Downloader_is1
[!] Key Not Deleted : [x64] HKCU\Software\Conduit
[!] Key Not Deleted : [x64] HKCU\Software\InstalledThirdPartyPrograms
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Default_Search_URL]
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Search [SearchAssistant]
[-] Data Restored : HKU\S-1-5-21-2486826578-421308133-1340030850-1000\Software\Microsoft\Internet Explorer\Search [Default_Search_URL]
[-] Data Restored : HKU\S-1-5-21-2486826578-421308133-1340030850-1000\Software\Microsoft\Internet Explorer\Search [SearchAssistant]

***** [ Web browsers ] *****

[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : search.snapdo.com
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : askws
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : conduit.search

*************************

:: Proxy settings cleared
:: Winsock settings cleared
:: Chrome policies deleted

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4587 bytes] ##########

 

JRT .txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.7 (08.18.2015:1)
OS: Windows 7 Home Premium x64
Ran by Owner on 19/08/2015 at 22:13:41.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Tasks

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Update melondrea
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Util melondrea

 

~~~ Files

Successfully deleted: [File] C:\windows\SysWOW64\sho350C.tmp

 

~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\google

 

~~~ Chrome

[C:\Users\Owner\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Owner\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Owner\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Owner\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 19/08/2015 at 22:21:04.48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 



#4 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:48 AM

Posted 20 August 2015 - 04:56 AM

Run MBAM again:

 

§  On the Dashboard, click the 'Update Now >>' link.

§  After the update completes, on Settings tab, set under Detection and Protection next options: 

1. 'Scan for rootkits'

2. Non-Malware Protection, for 'PUP detections', check, 'Threat detections as malware' option.

§  Return to Dashboard, click the Scan Now >> button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, than click on Yes.

§  After the restart once you are back at your desktop, open MBAM once more.

§  Click on the History tab > Application Logs.

§  Double click on the Scan Log which shows the Date and time of the scan just performed.

§  Click 'Export'.

§  Click 'Copy to Clipboard'

§  Paste the contents of the clipboard into your reply.

-------

 

 


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#5 scalvert

scalvert
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 20 August 2015 - 08:24 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 20/08/2015
Scan Time: 8:21 AM
Logfile: mbam.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.20.03
Rootkit Database: v2015.08.16.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 366368
Time Elapsed: 28 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)



#6 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:48 AM

Posted 20 August 2015 - 08:26 AM

Do you still have popup problem?


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#7 scalvert

scalvert
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 20 August 2015 - 08:27 AM

Nope, all gone!



#8 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:48 AM

Posted 20 August 2015 - 08:31 AM

Great.  :thumbup2:

 

Empty your temp folders using TFC (Temporary File Cleaner)

§  Please download TFC by Old Timer and save it to your desktop.
alternate download link

§  Save any unsaved work. (TFC will close ALL open programs including your browser!)

§  Double-click on TFC.exe to run it. (If you are using Vista or above, right-click on the file and choose "Run As Administrator".)

§  Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

§  Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

----------

 

This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download  DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

§  Activate UAC (optional; some users prefer to keep it off)

§  Remove disinfection tools

§  Create registry backup

§  Purge System Restore

Now click "Run" and wait patiently.
Once finished, a logfile will be created. You don't have to attach it to your next reply.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#9 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:48 AM

Posted 20 August 2015 - 08:47 AM

Also, update Chrome, Java and Adobe Reader. 


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#10 scalvert

scalvert
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 20 August 2015 - 08:52 AM

It won't let me download delfix.exe. keeps saying I don't have admin rights.

#11 scalvert

scalvert
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 20 August 2015 - 08:57 AM

Got it, it was antivirous software

#12 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:48 AM

Posted 20 August 2015 - 09:42 AM

Ok.  :thumbup2:


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#13 scalvert

scalvert
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 20 August 2015 - 09:43 AM

Yep, all good. Thanks for your help!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users