Possible Trojan? Search Conduit won't leave my laptop! LOTS OF CONFLICTS

[soldbylinz]

Hello,
I did the logs as requested and still having issues with Search Conduit and that's not even the beginning.  I haven't been able to play any DVD's since this past Thursday 6/19.  Did System Restore multiple times and all have failed.  The Toshiba Video Player will not work (did on the 19th) Window's media player cannot even open the dvd.  I cannot use any 8.1 apps, cannot access any of the metro apps without error messages stating that this is not installed?  Java keeps sending these updates.  Search Conduit is constantly changing my home page in all browsers.  Please view the logs.  I cannot upload the MBAM log because C:\Documents and Settings\Soldbylinz\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Says access denied?!?

[recovering disk space, attachment deleted by admin]

[soldbylinz]

Oh yay, I got the Toshiba Video Player working!

Still no 8.1 metro option to use anything.

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************

The Toshiba Video Player will not work (did on the 19th) Window's media player cannot even open the dvd. 

Windows Media player will not play DVD's. You will need to buy the App for it.

I cannot upload the MBAM log because C:\Documents and Settings\Soldbylinz\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Says access denied?!?

Don't try to upload the logs. Just Copy and Paste them in your next reply.
Windows 8 comes with its own AV installed called Windows Defender. If you wish to use another AV, you will need to disable Windows Defender.

Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.

[soldbylinz]

Here you go:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 8.1 x64
Ran by soldbylinz on Sun 06/22/2014 at 14:10:06.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] cltmngsvc
Successfully deleted: [Service] cltmngsvc



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\searchprotect
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C5146A43-295A-4403-A8AB-A250F046A87E}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E65D492A-D0E7-4033-9BB9-06C24D3DA9D6}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Folder] "C:\Program Files (x86)\myfree codec"
Successfully deleted: [Folder] "C:\Program Files (x86)\searchprotect"



~~~ FireFox

Successfully deleted the following from C:\Users\soldbylinz\AppData\Roaming\mozilla\firefox\profiles\b8n3xg9r.default-1403244976794\prefs.js

user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=&UM=5&UP=SP1A37C6E1-993D-4085-B8F1



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 06/22/2014 at 15:26:50.41
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[SuperDave]

Could you please run MBAM again and post the log.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*********************************************
Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page for performing a scan.
• Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  
• When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  
• Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
• Copy and paste the contents of these two log files in your next reply.

[soldbylinz]

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/23/2014
Scan Time: 8:03:29 PM
Logfile: MBAM 6.23.14.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.24.02
Rootkit Database: v2014.06.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: soldbylinz

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 308067
Time Elapsed: 39 min, 1 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 7
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\CT3326777, Quarantined, [eb57dba12952b680651c048c16ecba46],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\SearchProtect, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\SearchProtect\rep, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\SearchProtect\STG, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\UI, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\UI\rep, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],

Files: 18
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\nsaB878.exe, Quarantined, [46fca5d79cdf6dc907760c7af70a4fb1],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\nsg357C.exe, Quarantined, [3f03bdbf1f5ca096f38aeb9bb24f9f61],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\nsl236.exe, Quarantined, [3e04f6865f1c91a5b3ca1c6a966b9967],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\nsoCB94.exe, Quarantined, [02408bf13843b1855924523410f1fa06],
PUP.Optional.OpenCandy, C:\Users\soldbylinz\AppData\Local\Temp\utt471D.tmp, Quarantined, [9ba791ebdf9c05316a3d1f899173bd43],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\nsxC1A.tmp, Quarantined, [bf833646b4c7b581d9a4c5c1b24fd32d],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\nszCD98.exe, Quarantined, [6dd52d4f7902c1750974d8aeef12f20e],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\nszE7E7.exe, Quarantined, [172b3943790255e1c0bdacda827f669a],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\d4630f5a-d712-418a-9b61-dc6edbc0615b\ExtremeFlashPlayer.exe, Quarantined, [62e04e2e413a81b5557e98ae17e9a55b],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\Downloads\ExtremeFlashPlayer.exe, Quarantined, [f151a4d85823be78b9c2d06ded13f907],
PUP.Optional.Trovi.A, C:\Users\soldbylinz\AppData\Roaming\Mozilla\Firefox\Profiles\b8n3xg9r.default-1403244976794\searchplugins\trovi-search.xml, Quarantined, [f052710b90eba78fec31bcf70ef425db],
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Local\Temp\CT3326777\ddt.csf, Quarantined, [eb57dba12952b680651c048c16ecba46],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\SearchProtect\rep\Cvc.dat, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.SearchProtect.A, C:\Users\soldbylinz\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [71d1ed8f2d4ec57126d8dcc9d52d54ac],
PUP.Optional.Trovi.A, C:\Users\soldbylinz\AppData\Roaming\Mozilla\Firefox\Profiles\b8n3xg9r.default-1403244976794\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.trovi.com/?gd=&ctid=CT3326777&octid=EB_ORIGINAL_CTID&ISID=d4630f5a-d712-418a-9b61-dc6edbc0615b&SearchSource=69&CUI=&SSPV=&Lay=1&UM=5&UP=SPD7D8CC04-5D85-4EDD-917B-E1E8749FC720"), Replaced,[2a18bebec4b7290d8a7ba30f9d67f10f]
PUP.Optional.Conduit.A, C:\Users\soldbylinz\AppData\Roaming\Mozilla\Firefox\Profiles\b8n3xg9r.default-1403244976794\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "http://search.conduit.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=&UM=5&UP=SP1A37C6E1-993D-4085-B8F1-AB52502E6830&SSPV="), Replaced,[b191215b4b3093a3325c0ea4b3518977]

Physical Sectors: 0
(No malicious items detected)


(end)

[soldbylinz]

How strange, the Windows 8.1 app opened the Notepad.  (Tested Calculator, no such luck)


Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.06.24.03

Windows 8.1 x64 NTFS
Internet Explorer 11.0.9600.17126
soldbylinz :: LINZ [administrator]

6/23/2014 9:35:42 PM
mbar-log-2014-06-23 (21-35-42).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 310523
Time elapsed: 25 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

[SuperDave]

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.

• Leave the check mark next to Remove found threats.
  

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[soldbylinz]

Here you go.
C:\AdwCleaner\Quarantine\C\Users\soldbylinz\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll.vir   Win32/Toolbar.Conduit.Y potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\soldbylinz\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.1.dll.vir   Win32/Toolbar.Conduit.Y potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\soldbylinz\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.2.dll.vir   Win32/Toolbar.Conduit.Y potentially unwanted application   deleted - quarantined
C:\Program Files (x86)\IObit\Driver Booster\Toolbar\iobitappsToolbar-stub-1.exe   a variant of Win32/Toolbar.Widgi.B potentially unwanted application   deleted - quarantined
C:\Program Files (x86)\IObit\Driver Booster\Update\db_update0303.exe   a variant of Win32/Toolbar.Widgi.B potentially unwanted application   deleted - quarantined
C:\Program Files (x86)\IObit\Smart Defrag 2\smartdefrag-3-free.exe   Win32/Toolbar.Widgi.E potentially unwanted application   deleted - quarantined
C:\Program Files (x86)\IObit\Smart Defrag 3\SDUpgrate.exe   Win32/Toolbar.Widgi.E potentially unwanted application   deleted - quarantined
C:\Users\soldbylinz\Downloads\advanced-systemcare-setup.exe   a variant of Win32/Toolbar.Widgi.B potentially unwanted application   deleted - quarantined
C:\Users\soldbylinz\Downloads\asc7-setup.exe   a variant of Win32/Toolbar.Widgi.B potentially unwanted application   deleted - quarantined
C:\Users\soldbylinz\Downloads\cbsidlm-cbsi134-First_Page_2006-SEO-10490779.exe   a variant of Win32/CNETInstaller.B potentially unwanted application   deleted - quarantined
C:\Users\soldbylinz\Downloads\cbsidlm-cbsi145-Free_Resume_Builder-SEO-75875646.exe   a variant of Win32/CNETInstaller.B potentially unwanted application   deleted - quarantined
C:\Users\soldbylinz\Downloads\cbsidlm-cbsi183-PDF_Combine-SEO-10429191.exe   a variant of Win32/CNETInstaller.B potentially unwanted application   deleted - quarantined
C:\Users\soldbylinz\Downloads\defragsetup.exe   a variant of Win32/Toolbar.Widgi.B potentially unwanted application   deleted - quarantined
C:\Users\soldbylinz\Downloads\FileZilla_3.7.4.1_win32-setup.exe   a variant of Win32/Injected.F trojan   cleaned by deleting - quarantined
C:\Users\soldbylinz\Downloads\SoftwareUpdater.exe   a variant of Win32/Packed.VMDetector.G potentially unwanted application   deleted - quarantined

[SuperDave]

That looks good. How's your computer running now? Any other issues?

[soldbylinz]

Much better!!!!  Thank you SuperDave!  Now if only we could figure out why the Windows apps will not work and why there's adware on all browsers...

[soldbylinz]

Hi Dave,
You wrote: Windows 8 comes with its own AV installed called Windows Defender. If you wish to use another AV, you will need to disable Windows Defender. 
Me: What do you recommend?

[soldbylinz]

Dave,
Should I not be using Advanced System Care?

[SuperDave]

Me: What do you recommend?

Should I not be using Advanced System Care?

The choice is up to you. You can go here to make a comparison of all AV's

and why there's adware on all browsers

What do you mean by this?

[soldbylinz]

What do you mean by this?

I figured it out.  Needed to enable Adblocker in Chrome.  All is good and fixed!  Now will post Windows 8.1 App issue within their thread.
Thank you so much Super Dave!