Two PUPs came onto my system

[Mondkind]

Hi everybody,

 

unfortunately Malewarebytes found two PUPs (PUP.Optional.ConduitTB.Gen & PUP.Optional.Conduit.A) on my system (see the attached txt-file).

 

I have Windows 7 64 Bit and as a Virusscanner I use Kaspersky Internet Security 2015.

 

I went searching in the Internet and found a removal guide which had the following steps:

 

- use Adwcleaner

- use Junk Removal Tool

- use Malewarebytes

- use HitmanPro

 

I did as instructed and cleaned the system. Please note that HitmanPro didn't find anything at its first scan or any scan there after.

 

After somedays and more scanns with Kaspersky, Malewarebytes and HitmanPro, which were all negative, I'm still left unsure if my system is clean or not, although I'm not experiencing any troubles with my PC (fingers crossed).

 

Could you please help me. Thank you.

 

Best regards

Mondkind

 

P.S. I'm sorry but I'm no native english speaker. So I hope everything is understandable.

 

 

[kevinf80]

Hello and welcome to Malwarebytes.org

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Next,

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser.
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Next,

Follow the instructions in the following link to show hidden files:

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Next,

Please open Malwarebytes Anti-Malware.

• On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
• Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
• Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
• A Threat Scan will begin.
• With some infections, you may or may not see this message box.
  
          'Could not load DDA driver'
• Click 'Yes' to this message, to allow the driver to load after a restart.
• Allow the computer to restart. Continue with the rest of these instructions.
• When the scan is complete, click Apply Actions.
• Wait for the prompt to restart the computer to appear, then click on Yes.
• After the restart once you are back at your desktop, open MBAM once more.
  

To get the log from Malwarebytes do the following:

• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click Export > From export you have three options:
  
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
• Recommend you use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…
  

If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

• Double-click mbam-setup and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
• Launch Malwarebytes Anti-Malware
• A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
• Click Finish. Follow the instructions above....
  

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either accept the alert or disable your security and allow FRST to run...

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

Next,

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

• Quit all running programs.
• For Windows XP, double-click to start.
• For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
• Read and accept the EULA (End User Licene Agreement)
• Click Scan to scan the system.
• When the scan completes select "Report",in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference. log will open.
• Close the program > Don't Fix anything!
  

Let me see those logs in your reply....

Thank you,

Kevin...
 

[Mondkind]

Hi Kevin,

 

thanks for helping me.

 

Please find attached the logs from MBAM, Farber and Rogouekiller.

 

Two questions for clarification:

 

- The scan in MBAM is the recomand scan from MBAM and not the user defined scan, because I used the recomanded one?

- After I accepted the Rogoukiller disclaimer it started automatically a pre scan of the processes and open a window in my broweser with "thanks for downloading/using rogouekiller". Thats ok and normal? After I closed the browser I started the normal scan.

 

Thank again for the help and I hope i will be hearing from you soon.

 

Best regards

Mondkind

 

[Mondkind]

Hi,

Sorry for the double post but I couldn't finden the editing button.

I wanted to add the info that rogouekiller has ask to upload some files he found and I allowed it. That's ok?

Best Regards

Mondkind

[kevinf80]

Yes RK query is OK... Continue please:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

• Double click on Adwcleaner.exe to run the tool.
• Click on the Scan in the Actions box
• Please wait fot the scan to finish..
• When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
• Click on the Cleaning box.
• Next click OK on the "Closing Programs" pop up box.
• Click OK on the Information box & again OK to allow the necessary reboot
• After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...
  

Next, Please download Junkware Removal Tool to your desktop.
 
Next,
 
Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

Next,
 
Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)
Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, Re-boot your PC then try again...

Let me see those logs, also give an update on any remaining issues or concerns...
 
Thank you,
 
Kevin..

• Shut down your protection software now to avoid potential conflicts. (re-enable when done)
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.
  

 

 

 

Fixlist.txt

[Mondkind]

Hi Kevin,

 

please find attached the log files.

 

Some Questions:

 

- After I used FRST the fixlist.txt I downloaded from here fanished from my Desktop is that normal?

- After I finished every step I rebooted my pc wether the program demand it or not. Is that ok?

- Also I think in your reply some text fragments got mixed up. I used the programs in the following order: FRST, Adwcleaner, JRT, MRT & Security Check.

- Also on my Desktop are two desktop.ini files which I don't know of. They are greyish transparent so I think they are hidden files. Should I do something with them?

 

Thanks again for the help.

 

Best regards

Mondkind

 

[kevinf80]

The files you mention on yor Desktop are expected, they will go when we clean up and reset system settings...

 

Yes is normal for "Fixlist.txt" to be removed, it is replaced with "Fixlog.txt" after FRST fix is done...

 

What is the  current status of your system, do you have any remaining issues or concerns?

 

Thank you,

 

Kevin..

[Mondkind]

Hi Kevin,

 

as I mention in the opening post I didn't notices and I'm still not noticing any other problems with my system (fingers crossed).

 

But I have some more generell questions:

 

- About 4 months ago I was in our local university bibliothek and did some research. Because I couldn't get the studies otherwise I downloaded them as pdfs on the public pc, transfered them on my usb-stick, used the usb on my PC to transferd the pdfs on it. I scanned the usb-stick with Kaspersky and it didn't find anything. If there were any problems we should have found them with this analyses rigth and can I use this usb-stick again?

 

- Also I'm not sure where and when I got those pubs so I'm unsure if I can use my usb-sticks and external drive again without the threat off getting them again. I want to throw them away anyway because there is nothing important on it, I think, but I'm reluctanted to throw them away just like that. How should I destroy the usb-sticks and the external drive so that the data isn't accessible from some else? Another aspect is that I have them a while now and it would be a new start if I remove them now.

 

- After I "cleaned" my system the first time like I mentioned in the opening post. I logged into my email account and changed my passwort because it felt like it was the right thing at the time. Do I have to change my password again?

 

- Also after I "cleaned" the system the first time I created a system copy on CD-Rs. After we are finished I will do the same again. Should I destroy the old system copy than and if yes how should I do that. Just break the CDs in tiny pieces?

 

- Also this is a long time thing but I will also mention it. When I want to format a usb-stick with right click proporties in the explorer. The explorer will hung up and will be started a new. Do you have any idea why?

 

- Last but not least I used my tablet for help in research in this whole endevour and I was with it on the following sites: kaspersky forums, malwarebytes forums, malwaretipps.com, trojaner-board.de, camp-firefox.de, bleepingcomputer.com, hijackthis-forum.de, malwareremovalguides.info and heisse.de. I shouldn't have got anything bad from this sites just from visiting them? I didn't download anything on the tablet and I also didn't click on any adverts. I don't think I have any problems with the the tablet at least I didn't notice anything strange. I'm running on it the premium version of Kasperskys android app and I'm doing dailys scans which are all negative. Only thing which is strange but this is something which started at least 3-4 months ago is that I get the messages in the chrome browser that the proxy server is not available. When I change the connection settings from proxyserver "manuel" on "none" everything is fine. The thing is the next time I use the tablet I have the same thing again. Is this normal?

 

So I think this is everything. I hope this is not to much. I just want to have some answers so I can go forward without any reservations on my end. Thanks again.

Best regards

Mondkind

 

[kevinf80]

USB sticks are an easy way to pick up infections when used on Public Computers, it is beneficial to check out the sticks even if Kaspesky gave all clear..

 

Scan with McSield

Please download McShield by dr_bora and save it to your desktop.

• Install it on your machine.
• It will initially run a scan and show the result as a toaster by the system clock.
• Start the Control Centre by clicking on the icon in your system tray.
• Go to the Scanner tab and tick unhide items on flash drives.
• Plug in the drive and McShield will start a scan.
• A logfile of this scan may be found in the Logs tab of the main screen.
  

 

Next,

 

Your query regarding passwords, yes they should all be changed on a regular basis; at least evry week or so.. Have a read at the following link:

 

http://windows.microsoft.com/en-gb/windows-vista/tips-for-creating-a-strong-password

 

Next,

 

Not sure about your query regarding format of USB via explorer. If you`ve installed McShield as advised your USB sticks will be safe..

 

Next,

 

CD`s no longer required can be simply snapped in half, or burnt....

 

Next,

 

If no more issues run the following to clean up...

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

• 
     
• Remove disinfection tools
     
• Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
     
• Reset system settings
  

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…
 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629
 

Let me know if we are ok to close out....

 

Thank you,

 

Kevin...

[Mondkind]

Hi Kevin,

 

before I start the cleaning up process I have some questions.

 

When I installed McSchield it is save to plug in the usb-stick or and external drive because if there is an infection on this drive McShield will prevent it from coming onto my system?

 

Regarding Delfix will it also remove Kaspersky, Malware Bytes and HitmanPro or is this for the removal of the other tools like FRST, Rogoukiller and so?

 

Should I install McShield and test the usb-sticks before or after I used the removal tool Delfix?

 

Thanks again.

 

Best Regards

Mondkind

[kevinf80]

Hello Mondkind,

 

Delfix will not remove the security applications you mention, it will only remove specific malware/infection tools...

 

McShield can be installed whenever you are ready, just make sure it is done before using your USB memory sticks....

 

Let me know when we can close out...

 

Thank you,

 

Kevin...

[Mondkind]

Hi Kevin,

 

just a quick question. I was currently surfing with my tablet via my home WLAN first on this site and the on the link your provided form bleeping computers regarding PC securitiy.

 

I noticed that on this forum and the malwarebytes hp I get a red symbol on the browser and the https is looking like that https. I'm quiet sure that I didn't had this yesterday and I think that happend after I followed a link from bleepingcomputer regarding more features of Malwarebytes and klicked on the more information button to open a Info file which was on the offical HP from Malwarebytes. I didn't open or download the file on my tablet because it asked which application should open it.

 

Could you please help me what this means because I only got that on the malwarebytes hp and I'm sure that I didn't had this yesterday.

 

I deactivated my WLAN. Google chrome does say that some is popentailly messing with my WLAN.

 

I'm really lost now and I hope this will be all over soon.

 

Thank for helping.

 

Best regards

Mondkind

[Mondkind]

Hi Kevin,

 

I was on

https://malwarebytes.org/antimalware/premium/and http://info.malwarebytes.org/acton/attachment/8327/u-0010/0/-/-/-/-/

.

 

 

Best Regards

Mondkind

[Mondkind]

Hi Kevin,

 

now we have a trippel post.

 

After I calmed down I tried it again and I have the normal green https sign for malwarebytes on my tablet. I research it and there are two possibilities when the red symbol with the htpps appearse. First some is reading via your WLAN on this page with you, seconde a former green https site switches to a http format. I think the second alternative is what happend because the links I posted in the spoiler tag is at first a https site and then a http site.

 

But to be better safe than sorry what should I do. Rest my router and have a new passwort?

 

Sorry for the stress. But I was realley agitated before.

 

Also I read on the bleepingcomputers link that It would be no problem to use Kaspersky premium as a anti virus and malwarebytes premium as the anti-malware alternative and although both are having a realtime protection they don't hinder each other. Is this correct and is it ok to have HitmanPro as a second alternative for both?

 

Best regards

Mondkind

[Mondkind]

Hi,

 

so I realised a forgot to mention the browser name I'm using on my android tablet. It's the chrome browser for android Version 45.0.2454.84, which should be the latest version.

 

Best Regards

Mondkind

[kevinf80]

I have no experience whatsoever with anything "Android" so have nothing to offer you...

 

The links you post are absolutely fine, nothing wrong at all...

 

Regarding security. I personally use Kaspersky full suite and Malwarebytes Premium, I also run McShield. That is a set up I use on all of my systems. My wife also uses that set up, so do both of my daughters. Never had any issues whatsoever with that setup....

 

Does that help??

[Mondkind]

Hi Kevin,

 

thank for the reply.

 

I don't think this is a android thing per se because I'm using the chrome browser from google which should have the same logic on android as the PC version regarding the htpps thing.

 

It would be kind of strange that  just of right now I had problems with my WLAN because I used it since the beginning I wrote here in the forum and I didn't have this problem. I also downloaded the MBAM app and scanned my device and the scan was negative as well as the scann from Kaspersky app. But just to be save. What should I do to have my router save? Is a reset with a new password enough or should I do something else?

 

Regarding the Security so in theory Kaspersky internet security premium (which I use) and Malwarebytes premium shouldn't have any problems?

 

Ok regarding my PC. I use Delfix tommorrow and then everything is fine and my pc is clean as of now? Or should we/I be doing anythingelse? I will also change my passwords everywhere just to be safe.

 

Best Regards

Mondkind

[kevinf80]

Hello Mondkind,

 

If you have concerns regarding your Router then a reset and password change should be done when you have time. As of now your system is clean, the security set up you have should be ok,

I do not see the need for any more investigative actions on your system.....

 

Thank you,

 

Kevin...

[Mondkind]

Hi Kevin,

OK thanks for the reply. I will let you know if everything worked out with Delfix.

Best Regards

Mondkind

[kevinf80]

Hello Mondkind

 

Yes give an update when finished....

 

Thank you,

 

Kevin...

[Mondkind]

Hi Kevin,

 

sorry for the delay.

 

So I run Delfix and it deleated all desinfection sofeware except Windows Removal Tool which I deleated manually.

 

It also removed all Restore Points and Reseted the windows settings which I checked via the folder options.

 

I changed all my passwords and also resetted my router just to be save.

 

I also install McShield only problem is the windows is to small for the text so I can't read everything properly and I also find no solution to make the window bigger. Do you have an Idea?

 

McShield should be started before I insert an USB drive into my system and then it is save?

 

Also as the last question my pc is now considered to be safe?

 

Thanks again for the help.

 

Best Regards

Mondkind

[kevinf80]

As per the last logs we had your system is clean....

 

McShield default settings were to start up at boot, therefor your system is always protected...

 

To make text bigger use the following link:

 

http://windows.microsoft.com/en-us/windows7/make-the-text-on-your-screen-larger-or-smaller?v=t

 

Thank you,

 

Kevin...

[Mondkind]

Hi Kevin,

Thanks the link help with the Text in McShield. But it doesn't Start on boot. I have to Check the Box manually.

It doesn't clash with Kaspersky when its always running?

Best Regards

Mondkind

[kevinf80]

I have Kaspersky IS installed, it does not clash with McShield.. Have a look at the attached image for settings that should have been made by default when installed..

 

Open McShield Control Centre, select the "General" tab. Make sure the settings are same as the attached image, if not add those entries, click "Apply" then "OK"

 

Close McShield then re-boot, it should start...

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!