Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on March 05, 2016, 12:47:07 AM
-
Hi. Since Thursday, when I ran a Malwarebytes full scan, MBAM found this thing "PUP.Optional.ConduitTB.Gen", its type: Registry key, and its location, which is the most weird and I've not even found it to this day: "HKU\S-1-5-21-...-...-...-1003\SOFTWARE\Conduit". Malwarebytes says it's a PUP (potentially unwanted program), but for real. Every time I put it in quarantine and delete it, this virus (thing) shows up again the next day, maybe the next hour after the removal.
Here is one log from Threat Scan:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 05.03.2016
Scan Time: 01:17
Logfile:
Administrator: Yes
Version: 2.2.0.1024
Malware Database: v2016.03.04.05
Rootkit Database: v2016.02.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 10
CPU: x64
File System: NTFS
User: Andreiii
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 337546
Time Elapsed: 3 min, 0 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit, Quarantined, [62631271cacf0b2b9249c1b99f659769],
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
Do any of you know how to get rid of this? Oh, I have to mention that in this time I've reinstalled Windows as well, but only quick formatting the SSD, not the HDDs.
-
Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253
-
Here is everything you asked for: FRST + Addition, aswMBR and another one from MBAM. I hope all the logs can be seen and are approximately OK...
-
OK, now you've to wait a bit...
-
Try this
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
-
Ahmm... So I've downloaded AdwCleaner and after the scan, it says something strange somehow, and that is that my computer is safe... You what mate? Here is the message it displays after the scan: "AdwCleaner found no malicious program on your computer!"
So? What now? I mean, I read on the Internet about that HKU\S-1-5-21 and it says that is quite harmful for the PC, including things like a keylogger, a downgrade of the PC performance, and so on...
Oh, and if you ask yourself if the scan was made without any programs running at the same time, yes it was, I've closed everything from Steam and Chrome to my mouse/keyboard drivers.
-
Sorry for double posting, but even in the situation of seeing that message, I ran a scan again, of course it didn't find anything, but I pressed Clean and I've restarted the PC. Here is the log.
-
"I read on the Internet about that HKU\S-1-5-21 and it says that is quite harmful for the PC"
No, not dangerous, just an annoying toolbar
PUP.Optional.ConduitTB = Conduit Tool Bar
-
It is not showing in any log... Navigate to this key and see if it is present
HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit
-
OK... 1st of all: @Pondus: I don't understand what you wanted to say...
2nd of all: I've used AdwCleaner once again, this time after a restart and an MBAM threat scan where, once again, MBAM found that PUP, but this time I didn't remove it and didn't click Finish in MBAM so I could use AdwCleaner. Here is the log.
And finally, essexboy, how can I navigate to it? I went to regedit and then to HKEY_USERS. There I have more things ">.DEFAULT | >S-1-5-18 | >S-1-5-19 | >S-1-5-20" and of course 2 more with the name of the location but without "HKU", so at HKEY_USERS I have as well ">S-1-5-21-2785295504-...-...-1003"
It has a subfolder named SOFTWARE, but SOFTWARE doesn't contain a subfolder Conduit, so... Yeah... This is the weirdest virus, or whatever it is, that I've ever had...
-
"@Pondus : I don't understand what you wanted to say ..."
EDITED ... Read my post again
-
OK reboot and see if it returns
It is doing no harm to your computer and is inactive
-
Yes, it's still here... Should I reinstall Windows again, but this time erase everything on my SSD and HDD too?
-
Hey andrei41, I suggest you go to this guide and post a FRST scan + Addition and let essexboy have a look at the computer.
https://forum.avast.com/index.php?topic=53253.0
Don't throw in the towel just yet, follow the guide above and post the log.
-
Here you have them, even if I've already posted them yesterday ...
-
OK, we will try a manual removal... But there is no danger with this registry key, it is harmless
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Reg: reg delete HKU\S-1-5-21-2785295504-2673479696-1846757279-1003\SOFTWARE\Conduit /f
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
-
Ok. Before I do this I want to know something: if I do what you said there, is there any risk to break my computer, as you said? And how? :o
One more thing. I've got a little problem with the memory usage. I went to Task Manager and it says that "System" is using ~200MB, which is quite high because in the first hour or two it only uses around 50MB. Can you tell me why?
-
This fix is for your computer only, use it on another computer and it may break... Your computer is safe :)
Windows will use as much memory as possible, otherwise why have it
-
Yea... It says it was unable to find that registry key ...
Edit: I tried once again after a restart and there you have it : ( second one )
-
Is MBAM now still finding it?
-
I'm done. It's still finding it... :(
-
Personally I would just ignore it as it can do no harm
-
Ok, I just found what is causing this problem. I went to that location in regedit and in "Conduit" there is only one subfolder: "AppPaths", which leads to an application, and that one is bsplayer... What's quite strange is that I've been using bsplayer for many years (more than 4 years), and only now it appears? MBAM as well, I'm scanning my PC with it every day. So now, the question is, should I uninstall bsplayer?
L.E: Or should I choose "ignore always" in MBAM when it's found?
-
It depends on you really. Obviously the player recreates that key on restart, although it does not actually install any files. You could change player or just ignore it
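
A read-only way to do the check the thread keeps coming back to (is the key present, and which application does it point to), as an added example that is not part of the original posts. The SID and key path are the ones quoted above; the helper name Get-FlaggedKeyReport is hypothetical.

```powershell
# Added example (read-only): nothing here modifies or deletes registry data.
# The SID and key path are the ones quoted in the thread.
$sid     = 'S-1-5-21-2785295504-2673479696-1846757279-1003'
$keyPath = "Registry::HKEY_USERS\$sid\SOFTWARE\Conduit"

# An S-1-5-21-... SID identifies an ordinary user account, and HKU\<SID> is
# that account's own registry hive. Resolve it to a name where possible.
try {
    $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
} catch {
    $account = '(SID could not be resolved on this machine)'
}

function Get-FlaggedKeyReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # A key that a scanner reported earlier may simply not exist at this moment.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }

    # Walk the key itself plus every subkey (for example AppPaths).
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $names = $key.GetValueNames()
        if ($names.Count -eq 0) {
            [pscustomobject]@{ SubKey = $key.Name; Value = '(no values)'; Data = $null }
        }
        foreach ($name in $names) {
            [pscustomobject]@{
                SubKey = $key.Name
                Value  = if ($name) { $name } else { '(Default)' }
                Data   = $key.GetValue($name)   # often a path naming the owning program
            }
        }
    }
}

$rows = @(Get-FlaggedKeyReport -Path $keyPath)
"Account for ${sid}: $account"
if ($rows.Count -eq 0) {
    "Key not present right now: $keyPath"
} else {
    $rows | Format-Table -AutoSize -Wrap
}
```

Running it before and after a reboot shows whether the key has come back and which application path its values reference.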