Removing search.conduit help

Ok so I ran your OTL scan and i have two notepads OTL.txt and Extras.txt

I think you said that I needed to post them somewhere to get help. And about attaching them on here, I tried searching the file name OTL and it didn’t find anything. I’m running windows XP

actually I got them! :slight_smile:

also attach Malwarebytes log…

This?

%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U*.* /s

no… see guide here. http://forum.avast.com/index.php?topic=53253.0

instructions just above OTL…

my bad, sorry I’m new at this stuff :-\

that is aswMBR log…

we want Malwarebytes log
try this. http://filehippo.com/download_malwarebytes_anti_malware/

I’m sure you needed that one too right? :-[ ok, here’s the other one

seems you have a Adware city in there.

your Malwarebytes log say no action taken … did you not click the remove selected button after scan?
if not, run a new quick scan, make sure evrything is marked for removal and click remove selected button

removal experts are notified and should be online soon…

@theateam

Follow Pondus directions.

Attach here fresh created MBAM log as I need to see is MBAM does remove them or not…

Then …

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  1. Run ComboFix. Click on I Agree!

[i][size=7pt]- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.[/size]
    -If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
    [/i]

  1. When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
    Attach log reports ( ComboFix.txt) back to topic.

Alright removed all the selected programs on the malware scanner and then i did combo fix

Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

Folder::
c:\documents and settings\abs12\Local Settings\Application Data\SearchProtect
c:\documents and settings\All Users\Application Data\Conduit
c:\documents and settings\abs12\Local Settings\Application Data\SweetPacks_A14
c:\documents and settings\abs12\Local Settings\Application Data\Conduit
c:\documents and settings\abs12\Local Settings\Application Data\CRE
c:\program files\Conduit
c:\windows\system32\jmdp
c:\documents and settings\All Users\Application Data\PC Optimizer Pro
c:\documents and settings\abs12\Application Data\Mozilla\Firefox\Profiles\0gk5xjkn.default\extensions\{ecf9d4ae-b571-42c2-9745-74fdb8b0d27a}
c:\documents and settings\abs12\Local Settings\Application Data\Mozilla Firefox\extensions\linksicle@linksicle.com

Registry::
[-HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[-HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[-HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[-HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=-

Firefox::
FF - ProfilePath - c:\documents and settings\abs12\Application Data\Mozilla\Firefox\Profiles\0gk5xjkn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3307181&CUI=UN70409537211810264&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3307181&CUI=UN70409537211810264&UM=2&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3307181&SearchSource=2&CUI=UN70409537211810264&UM=2&q=
FF - ExtSQL: 2013-11-10 20:34; TidyNetwork@TidyNetwork; c:\documents and settings\abs12\Application Data\Mozilla\Firefox\Profiles\0gk5xjk


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

===== Next =====

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

[*]Click on the Scan button.
[*]After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

[*]After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
[*]Post logfile will also be saved in the C:\AdwCleaner folder.

Tell me how is your compuer running now?

Here are the logs for that second run

Wow, I think that got it! You guys are awesome! Now this same virus is also on my mom’s computer so I’m gonna have to do the same thing, would you like me to start a new post?

you can do that…but wait untill Magna give you OK
he will also remove the tools used when done

Looks good, Yes. :slight_smile:

For re-checking, re-run OTL, just hit QuickScan button and post me fresh OTL.txt logreport.

Ok, I’m on a different computer now with the same Conduit problem but from what the malware report showed, there was only 1 object infected. So definitely not as bad

Detected object is deleted file in recycle bin, non-active file, deleted file if you will.

Set the Chrome home page:
https://support.google.com/chrome/answer/95314?hl=en

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [Xritohilonorapu] rundll32.exe "C:\WINDOWS\alemupagidimeqa.dll",Startup File not found
:FILES
C:\Documents and Settings\L-4\Desktop\*.tmp
C:\WINDOWS\System32\*.tmp
:COMMANDS
[EMPTYTEMP]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:_OTL\MovedFiles\mmddyyyy_hhmmss.log

How is your computer running now?

Well, I went ahead and did that Google Chrome setting since you said the Conduit thing was inactive. So that solved the problem. I did what you said and pressed Run Fix and left it there and it froze my entire computer up and I had to do a hard reboot.

and then you should attach the New log as instructions say :wink: