Search Protect by Conduit Service and Possible Root Kit

[wodahsehtmai]

Saw an item in my tool tray that I did not recognize, so I investigated and found I had Search Protect by Conduit Service installed.  

 

Both MBAM and MBAR act weird and crash on me.  I saw MBAM find an infected file, then the file count flashed from about 7000 to a negative number then then flash to 77000 something.  Followed by a windows exception followed by a BSOD.

 

I deleted the C:\Program Files\SearchProtect directory but MBAM and MBAR both still crash and BSOD on me.

 

(I did not clean the registry.)  

 

MBAR in it's log text complains about the drivers directory being inaccessible or encrypted.

 

Other than this behavior my system is acting stable.  (As long as I don't run MBAM or MBAR)

 

Any help is appreciated.

dds.txt

attach.txt

[Maniac]

Hello wodahsehtmai and ! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
• Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

Please uninstall the following applications:

Search Protect

SearchAssist

Step 2

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Step 3

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Clean.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner\AdwCleaner[s0].txt as well.

Step 4

• Launch Malwarebytes' Anti-Malware
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

In your next reply, post the following log files:

• Junkware Removal Tool log
• AdwCleaner log
• Malwarebytes' Anti-Malware log

[wodahsehtmai]

Made it to step 4 - Perform Quick Scan

 

(Forgot to update, but I did that yesterday, will try again but I doubt it will make a difference.)

 

MBam crashed and BSODed during the QuickScan.

 

I'll post if updating makes a difference.

JRT.txt

AdwCleanerS0.txt

[wodahsehtmai]

Updating made no difference.

[Maniac]

Follow my instructions:

Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

There are several similar notes.

[wodahsehtmai]

 

Follow my instructions:


There are several similar notes.

 

Here you go.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 6.0.8 (11.05.2013:1)

OS: Microsoft Windows XP x86

Ran by John on Mon 12/30/2013 at 18:57:26.04

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

~~~ Services

 

 

 

~~~ Registry Values

 

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

 

 

~~~ Registry Keys

 

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduitsearchscopes

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbar

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3289847

 

 

 

~~~ Files

 

Successfully deleted: [File] "C:\end"

 

 

 

~~~ Folders

 

Successfully deleted: [Folder] "C:\Documents and Settings\John\Local Settings\Application Data\conduit"

Successfully deleted: [Folder] "C:\Documents and Settings\John\Local Settings\Application Data\cre"

Successfully deleted: [Folder] "C:\Program Files\conduit"

 

 

 

~~~ FireFox

 

Successfully deleted the following from C:\Documents and Settings\John\Application Data\mozilla\firefox\profiles\q4zz9nwc.default\prefs.js

 

user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");

user_pref("browser.search.defaultthis.engineName", "WhiteSmoke New Customized Web Search");

user_pref("extensions.seoquake.params.0.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/0227/+Tzvb/9vv5/97

user_pref("extensions.seoquake.params.1.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/0227/+Tzvb/9vv5/97

user_pref("extensions.seoquake.params.108.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAQAQAABMLAAATCwAAAAAAAAAAAAD//////////////////////////////////////////

user_pref("extensions.seoquake.params.2.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/0227/+Tzvb/9vv5/97

user_pref("extensions.seoquake.params.3.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/0227/+Tzvb/9vv5/97

user_pref("extensions.seoquake.params.37.icon", "AAABAAEAEBAAAAAAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAD///8B////Af///wHp6en/ubm5/4ODg/+JiYn/YmJi/8

user_pref("extensions.seoquake.params.51.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAABILAAASCwAAAAAAAAAAAACgoKB+oKCg56CgoP+goKD/oKCg/6CgoP+goKD/oKCg/6

user_pref("google.toolbar.search-icon", "data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/

user_pref("smartbar.originalSearchAddressUrl", "");

user_pref("smartbar.originalSearchEngine", "");

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Mon 12/30/2013 at 19:02:15.45

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

# AdwCleaner v3.016 - Report created 30/12/2013 at 19:15:40

# Updated 23/12/2013 by Xplode

# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

# Username : John - OMEGA

# Running from : C:\Documents and Settings\John\My Documents\Downloads\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\Documents and Settings\LocalService\Application Data\Searchprotect

Folder Deleted : C:\Documents and Settings\NetworkService\Local Settings\Application Data\Searchprotect

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{090ACFA1-1580-11D1-8AC0-00C0F00910F9}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B4E90801-B83C-11D0-8B40-00C0F00AE35A}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}

Key Deleted : HKLM\Software\InfoAtoms

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\InfoAtoms

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v8.0.6001.18702

 

 

-\\ Mozilla Firefox v24.0 (en-US)

 

[ File : C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\q4zz9nwc.default\prefs.js ]

 

 

-\\ Google Chrome v

 

[ File : C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

 

 

*************************

 

AdwCleaner[R0].txt - [2231 octets] - [30/12/2013 19:13:47]

AdwCleaner[s0].txt - [2182 octets] - [30/12/2013 19:15:40]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2242 octets] ##########

 

[Maniac]

Please follow the instructions here:

https://forums.malwarebytes.org/index.php?showtopic=10138&page=1entry181018

Then here:

https://forums.malwarebytes.org/index.php?showtopic=10138&page=1entry417944

When you are done, reboot your system, update Malwarebytes and perform a quick scan. Post the log file.

[wodahsehtmai]

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.12.31.01

 

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

John :: OMEGA [administrator]

 

1/2/2014 7:20:25 PM

mbam-log-2014-01-02 (19-20-25).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 329672

Time elapsed: 25 minute(s), 35 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 10

C:\Documents and Settings\John\My Documents\Downloads\ZipOpenerSetup.exe (PUP.Optional.InstallCore) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4057726913-2729460550-644373280-1005\Dc384.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4057726913-2729460550-644373280-1005\Dc310\AutoUpdate.zip (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4057726913-2729460550-644373280-1005\Dc310\SPUpdater.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\nsq3E.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\AU\SPSetup.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nseF.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsi9.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsl13.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsm6.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

 

(end)

[wodahsehtmai]

Please follow the instructions here:

https://forums.malwarebytes.org/index.php?showtopic=10138&page=1entry181018

Then here:

https://forums.malwarebytes.org/index.php?showtopic=10138&page=1entry417944

When you are done, reboot your system, update Malwarebytes and perform a quick scan. Post the log file.

 

Looks like that first one got it.  Even though I had MSE was turned off the two programs were still conflicting.  Scans are looking clean.  No more crashes.

 

Thanks!!!

[Maniac]

Some additional steps, please:

Step 1

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 2

Please scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.

  ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

    Save it to your Desktop.

  • Double click on the to download the ESET Smart Installer. icon on your Desktop.
• Check "YES, I accept the Terms of Use."
• Click the Start button.
• Accept any security warnings from your browser.
• Under Scan Settings, check "Scan Archives" and "Remove found threats"
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click List Threats
• Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Click the Back button.
• Click the Finish button.

[wodahsehtmai]

Sorry for the delay...  Thanks for your help on this.

 

C:\AdwCleaner\Quarantine\C\Documents and Settings\LocalService\Application Data\Searchprotect\ffprotect\application.js.vir Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined

C:\AdwCleaner\Quarantine\C\Documents and Settings\LocalService\Application Data\Searchprotect\ffprotect\nsprotector.js.vir Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined

C:\Program Files\Adobe\Adobe Acrobat 7.0.5 SDK\JavaScriptSupport\Samples\InsidePDF\ConvertTime\ConvTime.pdf PDF/Exploit.Gen trojan cleaned by deleting - quarantined

[Maniac]

How are things there?

[wodahsehtmai]

Everything has been running smooth, no more issues.  

[Maniac]

Glad I could help!

Step 1

• Download OTL to your desktop and run it.
• Click on CleanUp button.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Step 2

• Double click on AdwCleaner.exe to run the tool.
• Click on Uninstall
• Confirm with Yes

Step 3

Please uninstall: ESET Online Scanner .

Step 4

Some malware preventions:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!

[gringo_pr]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!