I have run malware to get rid of search protect - conduit

(I did try to uninstall search protect - but it did not work - it just seemed to hang)

 

After I run malware, it determines the threats, and when I try to remove them it asks me to restart the PC.

My PC - HP ENVY X2 - goes into a repair mode and never comes out. I am able to shut it down, and then I am able to restore to a 2/28/14 restore point and get the PC running again.

 

Here is the malware quickscan log (below) and the DDS and Attach logs are attached

 

This is a PC I use for work, and unfortunately I don't have another PC that has enough of the software I need daily, so while I can try different fixes, if they leave my PC unable to restart, I will have to keep restoring to the 2/28 point.

 

thanks for helping with this

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.02.03

Windows 8 x86 NTFS
Internet Explorer 10.0.9200.16798
doris :: HPENVY [administrator]

Protection: Enabled

3/2/2014 9:48:33 AM
MBAM-log-2014-03-02 (10-49-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 238345
Time elapsed: 33 minute(s), 28 second(s)

Memory Processes Detected: 2
C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe (PUP.Optional.Conduit.A) -> 2680 -> No action taken.
C:\Program Files\SearchProtect\UI\bin\cltmngui.exe (PUP.Optional.Conduit.A) -> 3480 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\CltMngSvc (PUP.Optional.Conduit.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs (PUP.Optional.Conduit.A) -> Bad: (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll) Good: () -> No action taken.

Folders Detected: 4
C:\Users\doris\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\doris\AppData\Roaming\OpenCandy\4372E64684894C5D9AC534AE56E3EE30 (PUP.Optional.OpenCandy) -> No action taken.
C:\Program Files\SearchProtect\UI\bin (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\SearchProtect\bin (PUP.Optional.SearchProtect.A) -> No action taken.

Files Detected: 17
C:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\SearchProtect\UI\bin\cltmngui.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\doris\AppData\Roaming\OpenCandy\4372E64684894C5D9AC534AE56E3EE30\SSStub_SearchProtect_p1v0.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\doris\AppData\Local\Temp\nse8878.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\doris\AppData\Local\Temp\nsy20A4.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\doris\AppData\Local\Temp\nsq66D9\SpSetup.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\doris\AppData\Local\Temp\nsrEBB.tmp\OCSetupHlp.dll (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\1TP0SC81\doubleTwistSetupFull (1).exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\1TP0SC81\SPIdentifierImpl[1].exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\2DBSZ35I\spstub[1].exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\8TNNHG06\SPSetup[1].exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\SearchProtect\SearchProtect\bin\SPTool64.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\SearchProtect\bin\SPVC64.dll (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Program Files\SearchProtect\SearchProtect\bin\SPVC64Loader.dll (PUP.Optional.SearchProtect.A) -> No action taken.

(end)

 

 

attach.txt

dds.txt

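An added example, not code from the thread or from Malwarebytes: a read-only PowerShell triage of the persistence points the Malwarebytes log above flagged (the AppInit_DLLs value, the CltMngSvc service and the SearchProtect/OpenCandy folders). The registry key, service name and folder paths are taken from that log; nothing is modified or deleted, so it is safe to run before and after a cleanup to confirm what is still present.

```powershell
# Added example (not from the thread): read-only triage of what the MBAM log reported.
# Names and paths below come from that log; nothing on the machine is changed.

$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props = Get-ItemProperty -Path $windowsKey

# AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll,
# which is how SPVC32Loader.dll was being injected. LoadAppInit_DLLs (1/0) gates the mechanism.
$appInit     = [string]$props.AppInit_DLLs
$loadAppInit = $props.LoadAppInit_DLLs
"AppInit_DLLs     : '$appInit'"
"LoadAppInit_DLLs : $loadAppInit"
if ($appInit.Trim() -ne '') {
    Write-Warning 'AppInit_DLLs is populated; review each entry:'
    $appInit -split '[,\s]+' | Where-Object { $_ } | ForEach-Object {
        # A dangling entry (DLL removed, value left behind) is worth noting: the value should be empty.
        "  $_  (file exists: $(Test-Path -LiteralPath $_))"
    }
}

# The Search Protect service from the log (CltMngSvc). Get-Service returns $null if absent.
$svc = Get-Service -Name 'CltMngSvc' -ErrorAction SilentlyContinue
if ($svc) {
    $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='CltMngSvc'"
    "Service CltMngSvc present: Status=$($svc.Status) StartMode=$($cfg.StartMode) Path=$($cfg.PathName)"
} else {
    'Service CltMngSvc: not present'
}

# Folders the log reported; report presence only.
$folders = @(
    'C:\Program Files\SearchProtect',
    (Join-Path $env:APPDATA 'OpenCandy'),
    (Join-Path $env:LOCALAPPDATA 'SearchProtect')
)
foreach ($p in $folders) {
    $state = if (Test-Path -LiteralPath $p) { 'present' } else { 'absent' }
    "$p : $state"
}
```

Run it from an elevated PowerShell prompt; on a 64-bit system the same check also applies to the WOW6432Node copy of the Windows key, which this 32-bit-oriented script does not read.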

Please uninstall Search Protect from your add/remove programs.

Then........

Let's clean out any adware/spyware now: (this will require a reboot, so save all your work)

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


I can't do the first step of

 

"Please uninstall Search Protect from your add/remove programs"

 

It looks like the remove/uninstall starts, then nothing. Search Protect doesn't uninstall, and if I try to uninstall it again I get a message: "please wait until previous uninstall is complete."

 

Should I skip that step and continue on with the rest?


Ran AdwCleaner - it did remove search protect and my PC restarted just fine

then I updated malware scanner settings > pup >show results and check for removal

Updated and ran quick scan. Checked everything and removed.

When my PC restarted it went into attempting repairs and hung there.

I was able to restore to a 3/1 restore point, but search protect has been restored

 

 

Here is the AdwCleaner log - Malwarebytes log is next

 

# AdwCleaner v3.019 - Report created 24/02/2014 at 08:27:08
# Updated 17/02/2014 by Xplode
# Operating System : Windows 8  (32 bits)
# Username : doris - HPENVY
# Running from : C:\Users\doris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2DBSZ35I\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : CltMngSvc
Service Deleted : Level Quality Watcher

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Level Quality Watcher
Folder Deleted : C:\Users\doris\AppData\Local\Searchprotect
Folder Deleted : C:\Users\doris\AppData\Roaming\OpenCandy
File Deleted : C:\END
File Deleted : C:\Users\doris\AppData\Local\Temp\Uninstall.exe

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduit.com
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10AD2C61-0898-4348-8600-14A342F22AC3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKLM\Software\caphyon
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C19AC53289098045B06B0DD1D37CBAB
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23D9E9D21B4E77E41B9F50DD22F24E20
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\23EEA1F105A7F45449974D9B95E7AC89
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\26982796A8AFD1246B95E00265A95BF9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32DA746012E6D4F488AAD113D6FA4A44
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\42D92D0D75AFEF74297E03876C8D9D33
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50FFE845C555A6E4BADB7CB7A145BFEB
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\715A3348920B6534690067594BB69F60
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7B7B13B037A7C2A42AC3E3EAF14D7107
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D05B2942E9CC80499F397F6114DFB35
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8591B8948E1C4A04F90505B3CDEE8555
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8D841C5FEC311624CB88D49DB3884FA7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD746BF3B3B3FD8409B86604BA85982A
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F355F0DB7A2E3A14B8E7A568FBA25937

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16798

*************************

AdwCleaner[R0].txt - [4484 octets] - [24/02/2014 08:25:57]
AdwCleaner[s0].txt - [4491 octets] - [24/02/2014 08:27:08]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4551 octets] ##########

# AdwCleaner v3.020 - Report created 02/03/2014 at 22:08:00
# Updated 27/02/2014 by Xplode
# Operating System : Windows 8  (32 bits)
# Username : doris - HPENVY
# Running from : C:\Users\doris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNNLUT22\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : CltMngSvc
Service Deleted : Level Quality Watcher

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Level Quality Watcher
Folder Deleted : C:\Program Files\SearchProtect
Folder Deleted : C:\Users\doris\AppData\Local\SearchProtect
Folder Deleted : C:\Users\doris\AppData\Roaming\OpenCandy

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKLM\Software\caphyon
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16798

*************************

AdwCleaner[R0].txt - [5803 octets] - [24/02/2014 08:25:57]
AdwCleaner[s0].txt - [5841 octets] - [24/02/2014 08:27:08]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [5901 octets] ##########

 

 

 

 

Malwarebytes Log

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.03.02

Windows 8 x86 NTFS
Internet Explorer 10.0.9200.16798
doris :: HPENVY [administrator]

Protection: Enabled

3/2/2014 10:14:47 PM
mbam-log-2014-03-02 (22-14-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 238159
Time elapsed: 14 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\Software\AppDataLow\Software\Savings Bull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Savings Bull (PUP.Optional.SavingsBull.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 11
C:\Users\doris\AppData\Local\Temp\nse8878.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\doris\AppData\Local\Temp\nsy20A4.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\doris\AppData\Local\Temp\nsi8402.tmp\SPtool.dll (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\doris\AppData\Local\Temp\nso2C48.tmp\SPtool.dll (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\doris\AppData\Local\Temp\nsq66D9\SpSetup.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\doris\AppData\Local\Temp\nsrEBB.tmp\OCSetupHlp.dll (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\1TP0SC81\doubleTwistSetupFull (1).exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\1TP0SC81\SPIdentifierImpl[1].exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\2DBSZ35I\7zip_14378_stn.exe (PUP.Optional.SafeInstall.A) -> Quarantined and deleted successfully.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\2DBSZ35I\spstub[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\doris\Local Settings\Temporary Internet Files\Content.IE5\8TNNHG06\SPSetup[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)

 

 


Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.


New window that comes up.


MrC


Please download, install and run CCleaner free to clean out temp files:
https://www.piriform.com/ccleaner
The default settings will be OK for now, you may want to un-check cookies in your browsers.
Here's a Tutorial if needed.

Then...............

Download the attached fixlist.txt to the same folder as FRST.
Run FRST.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Last.........

Run AdwCleaner again.

Let me know...MrC


Good..........if there are no other problems:

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

done

 

here is the log

 

Results of screen317's Security Check version 0.99.79 
   x86 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
````````Process Check: objlist.exe by Laurent```````` 
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
 Windows Defender MsMpEng.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 
````````````````````End of Log``````````````````````
 


You may want to update IE or switch to a more secure browser.

The rest looks OK......

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete. (right click.....Delete)

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc.... AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (PM also found HERE)

Good Luck and Thanks for using the forum, MrC


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
