saxman10 Posted April 23, 2014

I'm running Windows 7, 64-bit, and I have several anti-virus and malware software programs running on my system. Nevertheless it appears I picked up a virus, PUP.Optional.Conduit.A. The virus was initially discovered by Malwarebytes Anti-Malware. I downloaded AdwCleaner and JRT. I ran the software and removed the required registry entries. I thought I had removed the virus. However, the next day when Malwarebytes ran its scheduled scan I discovered that the virus had returned. Obviously I missed something. I've attached the logs from JRT, Malwarebytes and HijackThis. These logs are from scans completed after the second discovery. Hopefully you can help.

Attachments: JRT.txt, malwarebyteslog.txt
Juliet Posted April 23, 2014

Hi and welcome. Let's see if we can find remnants.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin.
You only need to get one of them to run, not all of them.

    rkill.exe
    rkill.com
    rkill.scr
    rkill.pif
    WiNlOgOn.exe
    uSeRiNiT.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Farbar Recovery Scan Tool
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
(use correct version for your system..... Which system am I using?)
Tutorial: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File).
When the tool opens click Yes to disclaimer.
Press the Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste the log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
saxman10 (Author) Posted April 23, 2014

Hi Juliet and thanks for your help. Here are the log files.

Ken B

Attachments: Addition.txt, FRST.txt, Rkill.txt
Juliet Posted April 23, 2014

Please uninstall: blekko search bar <-- If found.

The following script will reboot your machine; please don't be alarmed.

Open Notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select Copy. Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program. (If asked to overwrite the existing one please allow.)

    start
    SearchScopes: HKLM - DefaultScope {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} URL = 
    CHR StartupUrls: "hxxp://my.yahoo.com/?_bc=1", "hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=9EFC29EC85428CBE6B2B9D4FC384AF1F&tbp=homepage", "hxxp://isearch.avg.com/?cid={8BEDEB96-2076-4378-BF0F-AB0376955300}&mid=a38608d5f8fd47d0a206c593af2cd221-2b2fa0f2dac447bb054e8ec30d4dc20080487df2&lang=en&ds=od011&pr=sa&d=2012-07-05 17:15:14&v=11.1.0.12&sap=hp", "hxxp://www.google.com/ig/redirectdomain?brand=ASUT&bmod=ASUT", "hxxp://www.google.com/", "hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1Qzu0EtD0Bzy0AyD0AyB0DzzyEtA0BtA0A0BtN0D0Tzu0CtAtCyCtN1L2XzutBtFtBtFtDtFtAyEyE&cr=2030117041", "hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb&v=2_2&u=DAD41ECF087743FEC775C150A17909D8", "hxxp://www.delta-search.com/?affID=119816&babsrc=HP_ss&mntrId=921ab3ab000000000000e0b9a5a7d843", "hxxp://mysearch.avg.com/?cid={7BD38EB7-DD1B-4C64-B257-0C64284375CC}&mid=79a1cc05301747d397d4c593af2cd221-2b2fa0f2dac447bb054e8ec30d4dc20080487df2&lang=en&ds=AVG&pr=sa&d=2013-08-26 21:17:29&v=15.6.1.2&pid=safeguard&sg=0&sap=hp", "hxxp://search.conduit.com/?gd=&ctid=CT3321728&octid=EB_ORIGINAL_CTID&ISID=M02F0A5A5-00CF-4A10-8F17-66316B4D5A34&SearchSource=55&CUI=&UM=2&UP=SP1BD22721-8BB1-4798-8737-ADA593A342AA&SSPV="
    CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\KENSLA~1\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-20]
    C:\Users\Kens Laptop1\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
    C:\Users\Kens Laptop1\AppData\Local\Temp\Quarantine.exe
    AlternateDataStreams: C:\ProgramData\Temp:3AEA6AF9
    Reboot:
    end

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please run TFC by OldTimer to clear temporary files:

Download TFC from here http://oldtimer.geekstogo.com/TFC.exe and save it to your desktop.
Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer; please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The below scanner can take quite a while depending on how full your computer is. It is a thorough scanner that we rely on often. Please be patient.

Go here to run an online scanner from ESET.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan.
Wait for the scan to finish.
When the scan completes, press the LIST OF THREATS FOUND button.
Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop.
Include the contents of this report in your next reply.
Press the BACK button.
Press Finish.

Please post:
fixlist.txt
ESET log
How is the computer now?
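The "CHR StartupUrls:" line in the fixlist above is what a search hijacker leaves behind: a list of home-page URLs pointing at conduit, blekko, delta-search and similar landing pages. The following Python is an added example for triaging such a line, not FRST code and not something posted in the thread. It splits the quoted URL list, reads each host (refanging the hxxp prefix only for parsing), and flags hosts that match a small hand-made list built from the hijacker domains named in this fixlist. The list and the shortened sample line are constructed for the example; the list is not a vendor feed and only covers the domains seen here.

```python
"""Triage helper for the "CHR StartupUrls:" line of an FRST log.

Added example (not part of FRST or the thread). Flags startup URLs whose
host belongs to the search hijackers named in this thread's fixlist.
"""
import re
from urllib.parse import urlsplit

# Hand-made list of hijack / PUP landing hosts taken from the fixlist above.
# Constructed for this example; not an authoritative feed.
HIJACKER_HOSTS = {
    "search.conduit.com",
    "blekko.com",
    "isearch.avg.com",
    "mysearch.avg.com",
    "searchfunmoods.com",
    "safesearchr.lavasoft.com",
    "www.delta-search.com",
}

# Constructed, shortened version of the FRST line. FRST writes hxxp for http
# so that the links are not clickable in a forum post.
SAMPLE_LINE = (
    'CHR StartupUrls: "hxxp://my.yahoo.com/?_bc=1", '
    '"hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031", '
    '"hxxp://isearch.avg.com/?cid={8BEDEB96-2076-4378-BF0F-AB0376955300}", '
    '"hxxp://www.google.com/", '
    '"hxxp://search.conduit.com/?gd=&ctid=CT3321728&SearchSource=55"'
)


def parse_startup_urls(line):
    """Return the quoted URLs of a 'CHR StartupUrls:' line, [] for other lines.
    The hxxp prefix is kept exactly as written in the log."""
    if not line.startswith("CHR StartupUrls:"):
        return []
    return re.findall(r'"([^"]+)"', line)


def host_of(url):
    """Lower-cased host name of a (possibly defanged) URL."""
    refanged = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)
    return (urlsplit(refanged).hostname or "").lower()


def triage(line, hijackers=HIJACKER_HOSTS):
    """Split the line's URLs into (flagged, benign) lists of (host, url).
    A host is flagged when it equals, or is a subdomain of, a listed host."""
    flagged, benign = [], []
    for url in parse_startup_urls(line):
        host = host_of(url)
        hit = any(host == h or host.endswith("." + h) for h in hijackers)
        (flagged if hit else benign).append((host, url))
    return flagged, benign


if __name__ == "__main__":
    bad, ok = triage(SAMPLE_LINE)
    print("Flagged startup URLs (candidates for the fixlist):")
    for host, url in bad:
        print("   ", host, "<-", url)
    print("Other startup URLs (review manually):")
    for host, url in ok:
        print("   ", host, "<-", url)
```

Anything not flagged is only "not on the list", not clean; the google and yahoo entries here are benign, but an unfamiliar host still deserves a look before the line is copied into a fixlist.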
saxman10 (Author) Posted April 24, 2014

Hi Juliet, here are the scan reports.

Attachments: Fixlog.txt, esetscan.txt
Juliet Posted April 24, 2014

Using the following created script your computer will reboot to remove the malicious files; please don't be alarmed.

Open Notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select Copy. Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program. (If asked to overwrite the existing one please allow.)

    start
    C:\Program Files (x86)\Restorator 2007\patch.exe
    C:\Users\Kens Laptop1\Desktop\wavepad.exe
    C:\Program Files (x86)\NCH Swift Sound\WavePad\uninst.exe
    C:\Program Files (x86)\NCH Swift Sound\WavePad\wavepad.exe
    C:\Program Files (x86)\NCH Swift Sound\WavePad\WavepadSoundEditor.4.40_v4.40.exe
    Reboot:
    end

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~

Download HijackThis

Go Here to download the HijackThis program.
Save HijackThis to your desktop.
Right click on HijackThis and select "Run as Admin" (XP users just need to double click to run).
Click on "Do a system scan and save a logfile" (if you do not see "Do a system scan and save a logfile" then click on Main Menu).
Copy and paste the HijackThis report into the topic.

~~~~~~~~~~~~~~~~~~~~~~

Please run this security check for my review.

Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please post:
Fixlog.txt
HijackThis log
checkup.txt
How is your computer?
saxman10 (Author) Posted April 24, 2014

Attached are the reports.

Attachments: checkup.txt, Fixlog.txt, hijackthislog.txt
Juliet Posted April 24, 2014

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. You can download it from http://www.adobe.com/products/acrobat/readstep2.html
UNcheck the McAfee security scan.
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

************

You have an extraordinary amount of applications loading at boot up. We can disable a few of those to speed up the system.
All items can be placed back and/or researched here http://www.bleepingcomputer.com/startups/

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

    O4 - HKLM\..\Run: [Nuance PDF Reader-reminder] "C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini"
    O4 - HKLM\..\Run: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE"
    O4 - HKLM\..\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe /S
    O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    O4 - HKLM\..\Run: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    O4 - HKLM\..\Run: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

Now reboot the computer to set the registry.

***************

Now, update me on how the computer is at the moment.
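Each O4 line above is one value of a Run key: the hive, the key, the value name in brackets, and the command line that Windows launches at logon. When a log like this has dozens of entries, the first thing a reviewer wants is the image path separated from its arguments and a quick split between programs living under Program Files or Windows and programs starting from somewhere else. The Python below is an added example for that, not HijackThis code and not from the thread. It parses the O4 format, splits quoted and unquoted command lines, and sorts the records by location. The sample lines are three entries copied from the post plus one constructed HKCU entry pointing into a Temp folder, added purely to show the "review" side of the split; the Temp path and the name Updater are invented.

```python
"""Parser and location triage for HijackThis "O4" startup entries.

Added example, not part of HijackThis or of the thread.
"""
import re

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Locations a reviewer treats as routine; everything else goes to "review".
TRUSTED_PREFIXES = (
    "c:\\program files (x86)\\",
    "c:\\program files\\",
    "c:\\windows\\",
)

SAMPLE_O4_LINES = [
    # Three lines copied from the HijackThis list in this thread.
    r'O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe /S',
    # Constructed entry (not from the thread): a program starting from Temp.
    r'O4 - HKCU\..\Run: [Updater] "C:\Users\example\AppData\Local\Temp\upd.exe" /silent',
]


def split_command(cmd):
    """Return (image, args). A quoted image ends at the closing quote; an
    unquoted image is taken up to and including the first '.exe' token, which
    is how paths with spaces (see the ASUS entry) are usually written."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe(?=\s|$)", cmd, flags=re.I)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line):
    """Return a record for one O4 line, or None if it is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    image, args = split_command(m.group("cmd"))
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "image": image,
        "args": args,
    }


def is_trusted_location(image):
    """True when the image path sits under Program Files or Windows."""
    return image.lower().startswith(TRUSTED_PREFIXES)


def triage_o4(lines):
    """Parse all O4 lines; return (review, routine) lists of records."""
    review, routine = [], []
    for line in lines:
        rec = parse_o4(line)
        if rec is None:
            continue
        (routine if is_trusted_location(rec["image"]) else review).append(rec)
    return review, routine


if __name__ == "__main__":
    to_review, routine = triage_o4(SAMPLE_O4_LINES)
    print("Review first (outside Program Files / Windows):")
    for r in to_review:
        print(f"   {r['hive']}\\{r['key']} [{r['name']}] -> {r['image']} {r['args']}")
    print("Routine locations:")
    for r in routine:
        print(f"   {r['hive']}\\{r['key']} [{r['name']}] -> {r['image']}")
```

The location split is a triage order, not a verdict: the entries Juliet lists are all legitimate vendor programs in Program Files and are being disabled for boot time, while an image under a user's Temp or AppData folder is the kind of entry that gets looked up before anything else.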
saxman10 (Author) Posted April 24, 2014

Hi Juliet, just when I thought everything was good, I ran a scan with Malwarebytes and discovered that the PUP is still hanging around like a drunk relative at a family reunion. Apple is looking real good right now. I've attached the scan log.

Attachments: malwarebyteslog.txt
Juliet Posted April 24, 2014

Dang, that's kinda my fault. It's in the Google settings that we can reset.

We need to reset Chrome back to defaults to completely clear out what is going on.
We can keep the bookmarks by exporting them - Export Bookmarks
Then I need you to go to Google Sync and sign into your account.
Scroll down until you see the "Stop and Clear" button and click on the button.
At the prompt click on "Ok".
Now we need to uninstall Chrome.
I want you to uninstall Chrome, and if asked about user data or settings then remove this also.
Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome

After you have Chrome reinstalled please check things out and let me know how it is doing.
saxman10 (Author) Posted April 24, 2014

Hi Juliet, Woo Whooo!! You are a Computer Goddess and I worship every script that you write!!!! Thank you very much for all your help. I've attached the last scan log. Everything is clean!!!

Attachments: malwarebyteslog1.txt
Juliet Posted April 24, 2014

LOL

Let's remove the tools and quarantine folders or future scans will find these.

Open Notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select Copy. Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait. No need to post the log this time.

    start
    DeleteQuarantine:
    end

~~~~~~~~~~~~~~~~~~

Download Delfix from here
Ensure Remove disinfection tools is ticked.
Also tick:
Create registry backup
Purge system restore
Click Run.

Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.

~~~~~~~~~~~~~~~~~

You're good to go, good job!

Please take the time to read over a few of my preventive tips.

Computer Security http://malwareremoval.com/forum/viewtopic.php?p=557960#p557960

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be prepared for CryptoLocker:
Cryptolocker Ransomware: What You Need To Know
CryptoLocker Ransomware Information Guide and FAQ

To help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent - install this programme to lock down and prevent crypto ransomware.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

Firefox 3
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

AdblockPlus
AdblockPlus, surf the web without annoying ads!
Blocks banners, pop-ups and video ads - even on Facebook and YouTube
Protects your online privacy
Two-click installation, it's free!
Click the icon that corresponds to your browser and download.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

WOT
Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
Green should be good to go
Yellow for caution
Red to stop

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How to prevent Malware: Created by Miekiemoes

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java. See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/) and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755).
I would recommend that you completely uninstall Java unless you need it to run an important piece of software. In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/).)

Avoid P2P
P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.
Please read these short reports on the dangers of peer-2-peer programs and file sharing.
FBI Cyber Education Letter
USAToday
infoworld

*********************************************

Please read the following safe computing articles.
Secure My Computer: A Layered Approach
Free Antivirus-AntiSpyware-Firewall Software

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

It is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose: PatchMyPC
Juliet Posted April 29, 2014

Glad we could help. Since this issue appears resolved, this topic is closed.