Jump to content

Recommended Posts

Hi,

New premium user. Upon first scan, Malwarebytes detected Pup.optional.conduit, which I quarantined. After a reboot and a new scan, the threat reappeared.

I've searched these forums for a general solution and found several references, but it looks like each person was helped through step-by-step and had their cases resolved differently, so I figured I'd open a thread of my own.

Any help would be appreciated. Thanks you.

Link to post
Share on other sites

Hello Philon and welcome to Malwarebytes,

Continue with the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

Hello, kevinf80:

Thanks for your reply! I checked under "Scan Options" and "Scan for Rootkits" was off. I turned it on.

I then performed a scan. Two PUPs were identified: PUP.Optional.Conduit and PUP.Optional.InstallCore. I quarantined them, which crashed my running version of Chrome. Malwarebytes then asked me to reboot. I did so and my computer froze, causing me to do a hard shutdown.

Here's the report from the clipboard:

Spoiler

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/22/19
Scan Time: 5:14 PM
Log File: b956a286-acc5-11e9-ae9e-482ae326fd64.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11678
License: Premium

-System Information-
OS: Windows 10 (Build 17763.557)
CPU: x64
File System: NTFS
User: X1-EXTREME\mainuser

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 291382
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 1 min, 33 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
PUP.Optional.Conduit, C:\USERS\MAINUSER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [207], [454832],1.0.11678
PUP.Optional.InstallCore, C:\DOCUMENTS AND SETTINGS\PUBLIC\OLDUSER XPS 15\DOWNLOADS\MLX5-MOVIEPLUS-SE-INSTALLER-EN.EXE, Quarantined, [446], [398272],1.0.11678

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

____________________________

 

Here's the adwcleaner log:

Spoiler


# -------------------------------
# Malwarebytes AdwCleaner 7.3.0.0
# -------------------------------
# Build:    04-04-2019
# Database: 2019-07-22.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    07-22-2019
# Duration: 00:00:01
# OS:       Windows 10 Pro
# Cleaned:  1
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted       http://search.conduit.com/?gd=&ctid=CT3319741&octid=EB_ORIGINAL_CTID&ISID=MDA8A26C5-4530-436E-A283-707524FC06FE&SearchSource=55&CUI=&UM=5&UP=SPC4CEEB23-2F63-4C94-A264-B030E6BE54C5&SSPV=

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1433 octets] - [22/07/2019 17:27:31]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

 

________

I've attached the two FRST files as well.

FRST.txt Addition.txt

Link to post
Share on other sites

Thanks for those logs, continue..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 
Let me see those logs in your reply, also let me know if there are any remaining issues or concerns..
 
Thank you,
 
Kevin

fixlist.txt

Link to post
Share on other sites

Hi,

Logs are below. Unfortunately, I did a Malwarebytes scan after performing what you suggested and PUP.Optional.Conduit still appeared in the scan results.

Here's the contents of fixlog.txt

Spoiler

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-07-2019 01
Ran by mainuser (22-07-2019 19:32:07) Run:1
Running from C:\Users\mainuser\Downloads
Loaded Profiles: mainuser &  (Available Profiles: mainuser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Restriction ? <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HomePage: Default -> hxxp://search.conduit.com/?gd=&ctid=CT3319741&octid=EB_ORIGINAL_CTID&ISID=MDA8A26C5-4530-436E-A283-707524FC06FE&SearchSource=55&CUI=&UM=5&UP=SPC4CEEB23-2F63-4C94-A264-B030E6BE54C5&SSPV=
S3 cpuz143; \??\C:\WINDOWS\temp\cpuz143\cpuz143_x64.sys [X]
AlternateDataStreams: C:\Windows:nlsPreferences [386]
CMD: "%WINDIR%\SYSTEM32\lodctr.exe" /R
CMD: "%WINDIR%\SysWOW64\lodctr.exe" /R
Hosts:
EmptyTemp:

*****************

Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
"Chrome HomePage" => removed successfully
HKLM\System\CurrentControlSet\Services\cpuz143 => removed successfully
cpuz143 => service removed successfully
C:\Windows => ":nlsPreferences" ADS removed successfully

========= "%WINDIR%\SYSTEM32\lodctr.exe" /R =========


Error: Unable to rebuild performance counter setting from system backup store, error code is 2
========= End of CMD: =========


========= "%WINDIR%\SysWOW64\lodctr.exe" /R =========


Info: Successfully rebuilt performance counter setting from system backup store
========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 10772480 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 198665447 B
Java, Flash, Steam htmlcache => 373361283 B
Windows/system/drivers => 7025203 B
Edge => 2057180 B
Chrome => 925581782 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 532750 B
NetworkService => 0 B
mainuser => 248269204 B

RecycleBin => 298416550 B
EmptyTemp: => 1.9 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:33:46 ====

 

And here's mrt.log


 

Spoiler

 


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.68, January 2019 (build 5.68.15555.1)
Started On Thu Jan 10 20:29:34 2019

Engine: 1.1.15500.2
Signatures: 1.283.998.0
MpGear: 1.1.15201.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jan 10 20:30:35 2019


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.69, February 2019 (build 5.69.15631.1)
Started On Thu Feb 28 12:33:06 2019

Engine: 1.1.15500.2
Signatures: 1.283.2995.0
MpGear: 1.1.15201.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Thu Feb 28 12:51:27 2019


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.70, March 2019 (build 5.70.15749.1)
Started On Wed Mar 27 14:10:34 2019

Engine: 1.1.15700.9
Signatures: 1.289.4.0
MpGear: 1.1.15747.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Wed Mar 27 14:12:35 2019


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.71, April 2019 (build 5.71.15840.1)
Started On Tue Apr 23 13:10:05 2019

Engine: 1.1.15800.1
Signatures: 1.291.355.0
MpGear: 1.1.15747.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 23 13:12:02 2019


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.72, May 2019 (build 5.72.15938.1)
Started On Tue May 28 02:04:20 2019

Engine: 1.1.15900.4
Signatures: 1.293.6.0
MpGear: 1.1.15747.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 28 02:06:02 2019


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.73, June 2019 (build 5.73.16044.1)
Started On Wed Jun 26 13:48:19 2019

Engine: 1.1.15900.4
Signatures: 1.293.2420.0
MpGear: 1.1.15747.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 26 14:05:44 2019


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.73, June 2019 (build 5.73.16044.1)
Started On Mon Jul 22 19:51:09 2019

Engine: 1.1.15900.4
Signatures: 1.293.2420.0
MpGear: 1.1.15747.1
Run Mode: Interactive Graphical Mode

 

 

Link to post
Share on other sites

Spoiler

 

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/21/19
Scan Time: 8:59 AM
Log File: 57a9e188-abb7-11e9-a66a-482ae326fd64.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11650
License: Premium

-System Information-
OS: Windows 10 (Build 17763.557)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 289553
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 2 min, 52 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.Conduit, C:\USERS\MAINUSER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [207], [454832],1.0.11650

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

Malwarebytes scan is above.

The FRST log is attached. Note: I restored my Chrome folder after I discovered these method you suggested deleted some important browser history yet didn't remove the PUP, so that may be reflected in the FRST scan. Also, I may have to reinstall Chrome now since one of my accounts is malfunctioning after the restore. Because of this, I may just live with the PUP since it may be related to one of my Chrome extensions that I use. But I'm willing to try a bit more if you're confident that this can be removed without negative consequences. I appreciate your help thus far.

 

 

FRST.txt

Link to post
Share on other sites

Yes I agree, Chrome needs a fresh clean reinstall to root out Conduit..

Make clean install of Google Chrome, see if that clears the issue...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

For your Passwords go here:

https://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Next,

Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings/syncSetup hit enter...

In the new window that opens "Sync everthing" will probably be selected, scroll down to and select "Managed sync data on Google Dashboard"

A new window will open, scroll down to and select "Reset Sync" that will clear synced data from Google Server...

Continue to next step to completely Uninstall Chrome....

Next.

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Install Google Chrome :

Next,

Import your Bookmarks... (instructions in the first step)

Import Passwords... (instructions in second step above)

Next,

Install uBlock Origin for Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

Does that help
Link to post
Share on other sites

Hi, Kevin:

I followed most but not all of your instructions, since I have three accounts I'm logged into chrome with, and doing a "reset sync" on them would require a lot of work on my end to reset things to the way I want. So, I did "reset sync" only for one of the three accounts (the one that was malfunctioning) and followed the rest of your instructions. 

Unfortunately, once I scanned with Malwarebytes, PUP.optional.conduit reappeared after Chrome was reinstalled (it was gone when I uninstalled).

This tells me that it's probably one of the chrome extensions I use that is reinstalling it.

Is there any decent way that won't take hours to figure out which of my extensions may be installing it? If not, then I think I may just live with it. Most of my extensions are useful, and I've already spend a few hours working on this, and the cost-benefit ratio is starting to make this not worth it. If there's no easy way to track it, I may just give up and whitelist it.

Let me know if there's an easy way to examine which Chrome extension may be the cause of it. If not, I'll give up. I appreciate your input either way; thank you again.

Link to post
Share on other sites

Agreed, but I didn't quite do it as I mentioned above. 

However, it looks like I solve it! Yay! Here's what I did in brief:

  1. Narrowed down which of my three Chrome accounts was the problem by closing all chrome windows, and opening one account at a time and rescanning with Malwarebytes each time. This told me one specific account was the problem
  2. Followed these instructions for the problematic account only, which did involve "reset syncing" the account in question. But it wasn't a big deal since I didn't delete the stuff from my local chrome account.
  3. Re-established sync on the account after a reset sync and the pup.optional.conduit didn't reappear.

So, it looks like the reset sync for the problem account was what was needed. 

Thanks for the input, Kevin! I think I'm all set.

Link to post
Share on other sites

Thanks for the update, good to hear your issue is finally cleared... continue..

Right click on FRST here: C:\Users\mainuser\Downloads\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.