Jump to content

Search Protect by Conduit Service and Possible Root Kit


Recommended Posts

Saw an item in my tool tray that I did not recognize, so I investigated and found I had Search Protect by Conduit Service installed.  

 

Both MBAM and MBAR act weird and crash on me.  I saw MBAM find an infected file, then the file count flashed from about 7000 to a negative number then then flash to 77000 something.  Followed by a windows exception followed by a BSOD.

 

I deleted the C:\Program Files\SearchProtect directory but MBAM and MBAR both still crash and BSOD on me.

 

(I did not clean the registry.)  

 

MBAR in it's log text complains about the drivers directory being inaccessible or encrypted.

 

Other than this behavior my system is acting stable.  (As long as I don't run MBAM or MBAR)

 

Any help is appreciated.

dds.txt

attach.txt

Link to post
Share on other sites

Hello wodahsehtmai and :welcome:! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Step 1

Please uninstall the following applications:

Search Protect

SearchAssist

Step 2

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 3

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner\AdwCleaner[s0].txt as well.
Step 4
  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

In your next reply, post the following log files:

  • Junkware Removal Tool log
  • AdwCleaner log
  • Malwarebytes' Anti-Malware log
Link to post
Share on other sites

 

Follow my instructions:


There are several similar notes.

 

Here you go.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by John on Mon 12/30/2013 at 18:57:26.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3289847
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\end"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Documents and Settings\John\Local Settings\Application Data\conduit"
Successfully deleted: [Folder] "C:\Documents and Settings\John\Local Settings\Application Data\cre"
Successfully deleted: [Folder] "C:\Program Files\conduit"
 
 
 
~~~ FireFox
 
Successfully deleted the following from C:\Documents and Settings\John\Application Data\mozilla\firefox\profiles\q4zz9nwc.default\prefs.js
 
user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
user_pref("browser.search.defaultthis.engineName", "WhiteSmoke New Customized Web Search");
user_pref("extensions.seoquake.params.0.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/0227/+Tzvb/9vv5/97
user_pref("extensions.seoquake.params.1.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/0227/+Tzvb/9vv5/97
user_pref("extensions.seoquake.params.108.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAQAQAABMLAAATCwAAAAAAAAAAAAD//////////////////////////////////////////
user_pref("extensions.seoquake.params.2.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/0227/+Tzvb/9vv5/97
user_pref("extensions.seoquake.params.3.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/0227/+Tzvb/9vv5/97
user_pref("extensions.seoquake.params.37.icon", "AAABAAEAEBAAAAAAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAD///8B////Af///wHp6en/ubm5/4ODg/+JiYn/YmJi/8
user_pref("extensions.seoquake.params.51.icon", "AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAABILAAASCwAAAAAAAAAAAACgoKB+oKCg56CgoP+goKD/oKCg/6CgoP+goKD/oKCg/6
user_pref("google.toolbar.search-icon", "data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7PT7/3zF6/9Ptu//RbHx/
user_pref("smartbar.originalSearchAddressUrl", "");
user_pref("smartbar.originalSearchEngine", "");
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 12/30/2013 at 19:02:15.45
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
# AdwCleaner v3.016 - Report created 30/12/2013 at 19:15:40
# Updated 23/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : John - OMEGA
# Running from : C:\Documents and Settings\John\My Documents\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Documents and Settings\LocalService\Application Data\Searchprotect
Folder Deleted : C:\Documents and Settings\NetworkService\Local Settings\Application Data\Searchprotect
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{090ACFA1-1580-11D1-8AC0-00C0F00910F9}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B4E90801-B83C-11D0-8B40-00C0F00AE35A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKLM\Software\InfoAtoms
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\InfoAtoms
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Mozilla Firefox v24.0 (en-US)
 
[ File : C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\q4zz9nwc.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2231 octets] - [30/12/2013 19:13:47]
AdwCleaner[s0].txt - [2182 octets] - [30/12/2013 19:15:40]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2242 octets] ##########
 
Link to post
Share on other sites

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.12.31.01

 

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

John :: OMEGA [administrator]

 

1/2/2014 7:20:25 PM

mbam-log-2014-01-02 (19-20-25).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 329672

Time elapsed: 25 minute(s), 35 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 10

C:\Documents and Settings\John\My Documents\Downloads\ZipOpenerSetup.exe (PUP.Optional.InstallCore) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4057726913-2729460550-644373280-1005\Dc384.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4057726913-2729460550-644373280-1005\Dc310\AutoUpdate.zip (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4057726913-2729460550-644373280-1005\Dc310\SPUpdater.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\nsq3E.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

C:\Documents and Settings\John\Local Settings\Temp\AU\SPSetup.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nseF.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsi9.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsl13.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsm6.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.

 

(end)
Link to post
Share on other sites

Please follow the instructions here:

https://forums.malwarebytes.org/index.php?showtopic=10138&page=1entry181018

Then here:

https://forums.malwarebytes.org/index.php?showtopic=10138&page=1entry417944

When you are done, reboot your system, update Malwarebytes and perform a quick scan. Post the log file.

 

Looks like that first one got it.  Even though I had MSE was turned off the two programs were still conflicting.  Scans are looking clean.  No more crashes.

 

Thanks!!!

Link to post
Share on other sites

Some additional steps, please:

Step 1

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean
Step 2

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

      Save it to your Desktop.

    • Double click on the esetsmartinstaller_enu.png to download the ESET Smart Installer. icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Link to post
Share on other sites

Sorry for the delay...  Thanks for your help on this.

 

C:\AdwCleaner\Quarantine\C\Documents and Settings\LocalService\Application Data\Searchprotect\ffprotect\application.js.vir Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Documents and Settings\LocalService\Application Data\Searchprotect\ffprotect\nsprotector.js.vir Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\Program Files\Adobe\Adobe Acrobat 7.0.5 SDK\JavaScriptSupport\Samples\InsidePDF\ConvertTime\ConvTime.pdf PDF/Exploit.Gen trojan cleaned by deleting - quarantined
Link to post
Share on other sites

Glad I could help! :)

Step 1

  • Download OTL to your desktop and run it.
  • Click on CleanUp button.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Step 2
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Uninstall
  • Confirm with Yes
Step 3

Please uninstall: ESET Online Scanner .

Step 4

Some malware preventions:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing! :)

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.