Conduit Back

Just found out through MalwareBytes that Conduit.A keeps coming back on my computer. I noticed this after web sites started running slow. I supposedly quarantined it with that program, but if I run it again, MWB finds it again. How do I get rid of this garbage, once and for all? I’ve attached the logs from MWB, OTL and aswMBR.

open malwarebytes > settings > detection and protection … see Non-Malware detection > PUP … is it set to warn user about detections?

if so change it to Treat detection as malware …scan again

did that help?

when done, also run AdwCleaner …click clean and post log http://www.bleepingcomputer.com/download/adwcleaner/

when done, run and attach a new OTL log …malware expert will review it tomorrow when online

MWB was set to the settings you mentioned. Ran AdwCleaner, and rebooted. Started my Chrome browser again, ran MWB again, and it still finds this garbage on my system. I attached the AdwCleaner log if it means anything.

Reset Google Chrome by perusing this.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

- Close any open browsers
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

- Double click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4};c
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

- Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot)

- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"

I believe I’ve tried that already.

Argus, those links you gave me are being blocked as malware themselves by Avast.

- Temporarily disable your AntiVirus program. (If necessary) If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.

Avast!

Right click on the Avast icon in the system tray
Scroll up to Avast! shields control
Select the desired option from the list

10 minutes,
1 hour,
until the computer is restarted or
permanently.

Reverse to enable.

Are you sure? Why would it be reported as malware if it is not?

malware removal tools have virus-like behavior…and are often detected… and it is called a False Positive http://antivirus.about.com/od/antivirusglossary/g/falsepositive.htm
these tools are used every day here by the malware removal team …surf viruses and worms forum section and see

names of those in the Malware removal team are listed here http://forum.avast.com/index.php?topic=53253.0

From the link that argus posted which you should have perused –

These tools have been carefully created and tested by security experts so if your anti-virus or anti-malware program flags them as malware, the detection is what's known as a "False Positive". Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases, the removal of these files can have "unpredictable results" and unintentional results.

Source: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Sorry, but I was busy for a couple days and didn’t have time to do this before now. Here’s the log file I got from running zoek.

- Close any open browsers
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

- Double click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

autoclean;
emptyallclsid;
emptyalltemp;
ipconfig /flushdns;b
netsh winsock reset;b 

- Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot)

- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"



Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Ran zoek again, but forgot to turn off AV. Let me know if I need to run it again with it turned off. Anyway, here's the logs you requested.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Task: {38F6E523-9C98-4807-8B66-C768D3C0E70B} - \BackgroundContainer Startup Task No Task File <==== ATTENTION
HKLM-x32\...\Run: [] => [X]
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
FF Extension: AddThis - C:\Users\Tony Nacelewicz\AppData\Roaming\Mozilla\Firefox\Profiles\mpnge7qd.default\Extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79} [2012-08-28]
CHR StartupUrls: "https://www.facebook.com/", "hxxp://www.freep.com/comments/article/20120528/SPORTS02/205280362/detroit-tigers-quintin-berry-bat-speed", "hxxp://www.freep.com/comments/article/20120527/NEWS07/120527005/Report-Officer-kills-naked-attacker-chewing-man-s-face", "https://www.google.com/search?sugexp=chrome,mod=11&sourceid=chrome&ie=UTF-8&q=Funny+gif", "hxxp://www.freep.com/detroittigers", "hxxp://espn.go.com/mlb/team/roster/_/name/det/detroit-tigers", "https://www.google.com/#hl=en&gs_nf=1&gs_mss=major%20league%20players%20wi&tok=p3U88-1uB-dhXqOjtYWsHg&cp=48&gs_id=69&xhr=t&q=major+league+players+with+no+options+left+raburn&pf=p&newwindow=1&rlz=1C2GGGE_enUS362&sclient=psy-ab&oq=major+league+players+with+no+options+left+raburn&aq=f&aqi=&aql=&gs_l=&pbx=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.,cf.osb&fp=b81a72ba78e8176e&biw=1131&bih=569", "hxxp://bleacherreport.com/detroit-tigers", "chrome://newtab/", "https://www.google.com/#hl=en&gs_nf=1&tok=qnIdmlpVHJ2YxvhukqIZIw&cp=12&gs_id=1v&xhr=t&q=seiko+watch+bands&pf=p&newwindow=1&rlz=1C2GGGE_enUS362&sclient=psy-ab&oq=seiko+watchb&aq=0s&aqi=g-s4&aql=&gs_l=&pbx=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.,cf.osb&fp=b81a72ba78e8176e&biw=1131&bih=569", "hxxp://www.amazon.com/Seiko-Watch-Band-Original-22mm/dp/B0007L44EU", "https://www.google.com/", "hxxp://www.google.com/", "hxxp://xfinity.comcast.net/?cid=insDate11152013", "hxxp://search.conduit.com/?ctid=CT3306061&SearchSource=48&CUI=UN11236061512295012&UM=2"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Tony Nacelewicz\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.1.377\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_43.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll No File


2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
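
The fixlist above contains a CHR StartupUrls line in which a single search.conduit.com entry sits among many ordinary ones. The following is an added example, not part of the thread and not FRST's own code, that pulls the quoted URLs from such a line and flags the ones on a watched domain. The line format is assumed from the line as quoted above, and WATCHLIST and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Domains to flag. conduit.com covers the search.conduit.com entry in this
# thread's log; the tuple itself is a hypothetical watchlist, extend as needed.
WATCHLIST = ("conduit.com",)

def refang(url):
    """Turn the defanged hxxp/hxxps scheme seen in the log back into http/https."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def startup_urls(log_text):
    """Return every double-quoted URL found on 'CHR StartupUrls:' lines."""
    urls = []
    for line in log_text.splitlines():
        if line.startswith("CHR StartupUrls:"):
            urls += re.findall(r'"([^"]*)"', line)
    return urls

def flag_hijacked(log_text, watchlist=WATCHLIST):
    """Return startup URLs whose host is a watched domain or a subdomain of one."""
    hits = []
    for url in startup_urls(log_text):
        host = (urlsplit(refang(url)).hostname or "").lower()
        # Match on a label boundary so notconduit.com is not flagged.
        if any(host == d or host.endswith("." + d) for d in watchlist):
            hits.append(url)
    return hits

# Constructed sample: a shortened version of the log lines quoted above.
SAMPLE = (
    "Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File\n"
    'CHR StartupUrls: "https://www.facebook.com/", "chrome://newtab/", '
    '"hxxp://www.google.com/", '
    '"hxxp://search.conduit.com/?ctid=CT3306061&SearchSource=48"\n'
)

if __name__ == "__main__":
    for u in flag_hijacked(SAMPLE):
        print("suspicious startup URL:", u)
```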

Here’s the fixlog file for the last running of FRST

How is the situation now?

MWB scan still reports it is there. I also have noticed since I’ve been trying these fixes recommended on here, I now have a rolling circle next to my cursor that keeps popping like something is running. What’s up with that?

Reboot your PC and re-run FRST
Attach the log here

Attach the MBAM log here