
2 Registry Conduits keep coming back


  • This topic is locked
41 replies to this topic

#1 SotFoun

SotFoun

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 20 December 2017 - 06:44 AM

Hi guys! Four months ago my mom pressed a 'download' thing that put adware in my computer. I was able to delete it with the help of Malwarebytes but since then I have been experiencing the same thing. I run AdwCleaner by Malwarebytes and it finds two Registry Entries that are Conduits. I successfully delete them and restart my PC and everything seems normal, I run scans, nothing is found. Then after two or three days, even a week later, the same 2 Conduits will show up again. This has been happening for 2-3 months straight... My gaming PC works fine, I haven't spotted anything strange, but I just don't know what to do anymore. Please help me solve this, but I don't want to do anything extreme if it's not needed. If I know that my information is secure then I don't have a problem with them just being there. I don't want to damage a good functioning computer. I also have another question. In a scan I run with RogueKiller, it popped up two PUM that you can see in the .txt below. What should I do with those? I didn't delete them but I don't know if they should be deleted or not. I will attach three .txt of the scans I run with AdwCleaner, RogueKiller and Hitman Pro. I am an amateur so be patient with me.

Attached Files





#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 20 December 2017 - 10:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I think it is only a Syncing issue.
To remove it you will have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

Keep me posted.

#3 SotFoun

SotFoun
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 20 December 2017 - 10:47 AM

Hi, thanks for the quick reply. I don't know if it's that, because they don't come right back after I use Chrome. As I said, it may pass 2-3 days and then these registry keys will come back. Also, could you please tell me what to do with these two PUM that RogueKiller found?

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-413046443-2366773428-2868612137-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-413046443-2366773428-2868612137-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
What are they? Should I just leave them, because no other application shows these two?
I deleted two applications and I will do what you said with Chrome. But can you please advise about this thing?


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 20 December 2017 - 11:15 AM

Hi,

If you delete them the default value will be set.

#5 SotFoun

SotFoun
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 20 December 2017 - 11:27 AM

Ohhhh, so it's safe to delete these two PUM, or may something malfunction?



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 20 December 2017 - 02:01 PM

YES!

#7 SotFoun

SotFoun
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 20 December 2017 - 02:30 PM

Ok ok, I am just a little bit anxious. I don't want to harm my computer in any way, because it's functioning well now. So to sum up, I delete these two Registry Values through RogueKiller and I delete the Sync of Chrome and then I get back to you?



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 21 December 2017 - 07:23 AM

YES

#9 SotFoun

SotFoun
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 21 December 2017 - 07:24 AM


Edited by SotFoun, 21 December 2017 - 07:28 AM.


#10 SotFoun

SotFoun
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 21 December 2017 - 07:28 AM

Hi again Nasdaq and thanks again for your help! 
I found another thread where you helped a person with almost the identical problem as me! Here is the link: https://www.bleepingcomputer.com/forums/t/630227/hkcu-software-conduit/
I see that in a response you say: 
p.s.

The key is a remnant of some malware.
The key is empty nothing can come of it. 

Does that mean that these two keys can do nothing bad? I did what you said and now nothing suspicious pops up in the scans but that was the case several other times so we should wait for a few days and see if it really worked.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 21 December 2017 - 08:51 AM

Hi,

What I said was correct. We now know that it's a Syncing issue.
To remove it you will have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#12 SotFoun

SotFoun
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 21 December 2017 - 12:16 PM

Thank you very much for your help, I really appreciate it. Last but not least, could you tell me about these two Registry Entries, and to be specific these two:

PUP.Optional.Conduit, [Key] - HKU\S-1-5-21-413046443-2366773428-2868612137-1000\Software\Conduit
PUP.Optional.Conduit, [Key] - HKCU\Software\Conduit
Could you please tell me if these two can harm my Computer in any way by themselves? I mean they have been there for at least 4 months, I delete them, they come back after a few days, so they have been there for quite a time, but I have never experienced anything crazy. Can these two keys harm my PC in any way, or even if they are there they can't do anything?


#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 21 December 2017 - 02:31 PM

They cannot do anything. The programs have been removed but the Registry key is still there.

There is no need to clean the registry on these items.

#14 SotFoun

SotFoun
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 21 December 2017 - 04:16 PM

Thank you, I have one last question and I won't bother you anymore. I run FRST and I see two things in the Registry which have "Attention" beside them. They are the following:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
Are these something to worry about? Sorry if this is kind of silly but I want to be 100% sure that everything is fine.
 



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:41 AM

Posted 22 December 2017 - 08:15 AM

Hi,


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.
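
Added example (not part of any post in this thread, and not output from any of the tools mentioned): a read-only PowerShell check of the two registry locations discussed above, the `Conduit` key reported by AdwCleaner and the Windows Defender policy key that FRST marked with ATTENTION. It counts subkeys and values and lists any values it finds, so you can see for yourself whether a key is empty and which policy values are set; the function name `Get-RegKeySummary` is made up for this example.

```powershell
# Added example: read-only inspection of registry keys named in this thread.
# Nothing is modified or deleted.

function Get-RegKeySummary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; SubKeys = 0; Values = 0; Detail = @()
        }
    }

    # The key itself plus every subkey beneath it.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    # One row per registry value found anywhere under the key.
    $detail = foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{
                Key   = $k.Name
                Name  = if ($name -eq '') { '(Default)' } else { $name }
                Kind  = $k.GetValueKind($name)
                Value = $k.GetValue($name)
            }
        }
    }

    [pscustomobject]@{
        Path    = $Path
        Exists  = $true
        SubKeys = $keys.Count - 1
        Values  = @($detail).Count
        Detail  = @($detail)
    }
}

# Paths taken from the scan lines quoted in the posts above.
$paths = @(
    'HKCU:\Software\Conduit',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
)

foreach ($p in $paths) {
    $s = Get-RegKeySummary -Path $p
    if (-not $s.Exists) { "{0}: not present" -f $p; continue }
    "{0}: {1} subkey(s), {2} value(s)" -f $p, $s.SubKeys, $s.Values
    $s.Detail | Format-Table Key, Name, Kind, Value -AutoSize | Out-String
}
```

Run it from a normal PowerShell window as the affected user, since `HKCU:` is that user's hive (the same key the scanners also report under `HKU\<SID>`).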



