Conduit search engine virus + friends

I ran ERUNT as Admin and it seems to have worked just fine. Unfortunately that is where the good news stops, as ComboFix still sits at 49 in the scanning process for hours. So I have no log to post yet. I tried activating RKill and then running it, but it still has the same results.

  • Root Admin

Okay, let me have you do the following then.

Please run a FULL disk check. Option 8 from here: How to Run Check Disk at Startup in Vista or Windows 7

Then once that's done and the system has restarted please run the following.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

Then reboot again and run RKill and make sure it completes and then try to do the ESET antivirus scan again.

Next, please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are both checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

  • Root Admin

Let's try the ComboFix again now that you were able to clean up and run the antivirus scan okay.

Make sure to disable your antivirus and be patient with ComboFix to complete.

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

  • Root Admin

Since we're having trouble running these other tools we'll probably need to do the following. Please download the following tool from Kaspersky and burn it to CD from a clean working computer and then boot from it on the affected computer.

Make sure you watch this video which describes how to create the CD to use it.

How to create the Kaspersky Rescue Disk 10 CD


Please visit the Kaspersky site and review the information and then download and burn the ISO image to CD to use on the affected computer.
Make sure you update the definitions for Kaspersky before doing the actual scan. Make sure to also write down what it finds or does as some users have trouble saving and accessing the log afterwards.

  • Root Admin

Please try running the following.


  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flashdrive into the infected PC.
     
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt
     
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

  • Root Admin

Please try it again from the Recovery Environment. Thousands of users have run this without an issue from the RE, so you should be able to complete it as well.

If needed, create the Windows 7 Recovery Disk, boot from it, and try it.

I'll check back on you tomorrow.

  • Root Admin

Okay, while you're still in the Recovery Environment please run the following.

Start a DOS prompt and run a full disk check from there.

CHKDSK C: /P /R

That should check the entire drive and attempt to find and repair any disk errors.

The FRST log did not show anything obvious that would be considered an infection, so there must be some other reason that the other tools were blocked, which could just be due to disk maintenance needing to be done.

  • Root Admin

No, a check disk without parameters does nothing for the most part except a very basic check with no repair.

I'm sorry, that /P was from the old Windows XP version.

From the RE DOS console on Windows 7 type the following.

CHKDSK C: /R /X

That should do a full disk check and should take quite a while to run.

Once done, please let me know it's done and about how long it took to complete.

  • Root Admin

From the Windows 7 System Recovery Options logon:

[screenshot: System Recovery Options logon]

After logon you should get the "Choose a recovery tool" list, and you want to click on "Command Prompt".

[screenshot: System Recovery Options, recovery tools list]

Optional but nice to have is to set the Command Prompt options. Click on the very top left corner of the DOS box and then click on Defaults.

[screenshot: Command Prompt options, step 1]

Change the Buffer Size to 500 and Number of Buffers to 25 and ensure that all 3 check marks under Edit Options are enabled.

[screenshot: Command Prompt options, step 2]

Then click on the Layout tab and set the Screen Buffer Size to 8500 in both boxes.
The other boxes you can leave as is or modify to preference based on the size of your screen.

[screenshot: Command Prompt options, step 3]

Then click on the Colors tab and click the Screen Text radio button and then click on the Green or other color options in the middle.

[screenshot: Command Prompt options, step 4]

Then click OK and close the Command Prompt and then reopen the Command Prompt to allow these new changes.

Then if you type CHKDSK /? it will give you a list of the options, the /R being one of them.

[screenshot: CHKDSK /? output]

As you can see from the image below, the /R switch is very much valid. CHKDSK C: /R

[screenshot: CHKDSK C: /R]

  • Root Admin

Well, it should take much longer to complete. The error is normal because it cannot write to the Event Logs in that mode.

Please go ahead and restart the computer back into Normal Mode and let's run ComboFix again and see if it finds anything new.

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

It still stops at 49.

From what I can tell, the reason why /r /x are so fast is because when I do /r this is basically what the results are:

Step 1: 256 file records processed
Step 2: 328 index entries processed
Step 3: 256 file SD/SIDs processed
Step 4: 240 files processed
Step 5: 19285 free

I have a 465 GB hard drive with 306 GB used and 159 GB free space.
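A quick sanity check on the CHKDSK numbers in that post, added here as an example and not code from the thread or from any tool it names: it parses the five stage counters out of CHKDSK output and compares the stage-5 free-cluster count with the free space the volume is supposed to have. The sample output is constructed from the counts the poster quoted (stage-line wording approximated), the 4 KiB cluster size is the NTFS default and an assumption, and the rule the check encodes, that free space several orders of magnitude below the expected figure means the drive letter that was checked in the Recovery Environment is not the volume the user meant (letters there need not match the normal boot), is my assumption, not a conclusion the thread reaches.

```python
"""Sanity-check a CHKDSK stage summary against the volume the user expected to scan.

Added example; the sample output below is constructed from the counts quoted in the
thread (wording of the stage lines approximated), not captured from the poster's machine.
"""
import re

# Constructed sample: the five stage counters the poster reported for "C:" from the
# Recovery Environment. Wording follows the Windows 7 CHKDSK stage lines approximately.
SAMPLE_CHKDSK_OUTPUT = """\
CHKDSK is verifying files (stage 1 of 5)...
  256 file records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
  328 index entries processed.
CHKDSK is verifying security descriptors (stage 3 of 5)...
  256 file SDs/SIDs processed.
CHKDSK is verifying file data (stage 4 of 5)...
  240 files processed.
CHKDSK is verifying free space (stage 5 of 5)...
  19285 free clusters processed.
"""

# One pattern per stage counter; CHKDSK prints the count before a fixed phrase.
STAGE_PATTERNS = {
    "file_records": re.compile(r"(\d+)\s+file records processed", re.I),
    "index_entries": re.compile(r"(\d+)\s+index entries processed", re.I),
    "security_descriptors": re.compile(r"(\d+)\s+file SDs/SIDs processed", re.I),
    "files_checked": re.compile(r"(\d+)\s+files processed", re.I),
    "free_clusters": re.compile(r"(\d+)\s+free clusters processed", re.I),
}


def parse_chkdsk_summary(text):
    """Return {counter_name: int} for every stage line found; missing stages are left out."""
    counters = {}
    for name, pattern in STAGE_PATTERNS.items():
        match = pattern.search(text)
        if match:
            counters[name] = int(match.group(1))
    return counters


def volume_check(counters, expected_free_gib, cluster_bytes=4096, tolerance=0.5):
    """Compare the free space CHKDSK saw with what the user believes the volume has.

    cluster_bytes assumes the NTFS default 4 KiB cluster (an assumption; take the real
    value from "bytes in each allocation unit" in the CHKDSK footer when it is present).
    The verdict is plausible when the reported free space is at least `tolerance` of the
    expected figure. A reported value that is a tiny fraction of the expected one is read
    as "the letter that was checked is not the volume the user had in mind"; in the
    Recovery Environment drive letters need not match the normal boot (assumption).
    """
    if "free_clusters" not in counters:
        raise ValueError("stage 5 free-cluster count not found in CHKDSK output")
    reported_bytes = counters["free_clusters"] * cluster_bytes
    reported_free_gib = reported_bytes / 2**30
    return {
        "reported_free_bytes": reported_bytes,
        "reported_free_gib": round(reported_free_gib, 3),
        "expected_free_gib": expected_free_gib,
        "plausible": reported_free_gib >= tolerance * expected_free_gib,
    }


def explain(counters, expected_free_gib):
    """Human-readable verdict for a support reply."""
    result = volume_check(counters, expected_free_gib)
    if result["plausible"]:
        return "free-space figures agree; the intended volume was checked"
    return (f"CHKDSK saw {result['reported_free_gib']} GiB free but the volume should have "
            f"about {expected_free_gib} GiB free; verify the drive letter (DISKPART's "
            f"'list volume', or the Notepad File > Open trick) before trusting the result")


if __name__ == "__main__":
    counts = parse_chkdsk_summary(SAMPLE_CHKDSK_OUTPUT)
    print(counts)
    print(explain(counts, expected_free_gib=159))
```

With the poster's figures, 19285 clusters of 4 KiB come to about 74 MiB of free space against an expected 159 GB, so the check flags the run rather than accepting the fast completion as a clean result.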

This topic is now closed to further replies.