
w7u64: Conduit/Linkury browser/search hijacker - very persistent


  • This topic is locked
3 replies to this topic

#1 WannabePolyHistor


  • Members
  • 9 posts

Posted 20 November 2013 - 07:05 PM

Hi,

 

Short version - go to "## Question ##" at the end.

Long version, containing Background, Method, Results and Question, is below.

 

## Background ##

 

I'm running Windows 7 Ultimate 64-bit (w7u64) and recently downloaded DaemonTools Lite 4.48 (DTL448). The DTL448 installer also loaded the Conduit toolbar and search engine without my permission. Associated malware was also loaded: SweetTunes1, LinkSwift, QuickShare and Smartbar. The publisher appears to be Linkury. All MS updates and updates for browsers are up to date.

 

 

## Method ##

 

Step 0: Use CloneZilla to make a clone of the operating system drive. Turn off System Restore to prevent reinfection (restore points are included in this initial clone). Disconnect from the Internet to prevent reinfection.

 

Step 1

I used Control Panel > Programs & Features to look for and remove each of the named malware (if present). Conduit and SweetTunes were removed but not the other 3.

 

Step 2

In each of my browsers, IE10 (not used), Firefox and Chrome, I looked for default web page names and changed each of those to DuckDuckGo (DDG). I also looked for any other incidents of feeds or unauthorized changes in parameters against my initial checklist, including extensions, plug-ins and apps (yes, I have a high paranoia quotient). I made any changes necessary.

 

Step 3

Using a command line interface I first used "attrib /s <drive>:\* >> drivelist.log" for each drive to make a list of files and folders on my system, and then used "find /i <malware_string> drivelist.log" to locate all incidents of the malware named above that remained.

 

Step 4

Using regedit.exe I searched the registry for incidents of any of the strings (malware names) and the context of the string (for example "conduit" in AutoDesk Inventor refers to objects used to draw electrical conduit). I noted the keys and also the {references} in each key and searched on them as well. Where appropriate I deleted the keys in the highest reasonable directory.

Where {references} were used I checked drivelist.log (made earlier) for subfolders having the same names and made changes as appropriate. This included:

    * removal of SweetTunes search engine from toolbar

    * removal of registry keys and references to any of the named malware or publisher

    * removal of folders containing references to any of the named malware or publisher

    * MSCONFIG: removal of any StartUp or service items that specifically reference the named malware or publisher

 

Step 5

Make another clone of the OpSys drive with an incremented filename. Reboot. Check the Firefox browser for reinfection with Conduit. Reboot. Look again for signs of infection.

 

Repeat steps 1 to 5 until there is no further infection.

 

## Result ##

 

DDG homepage comes up as intended but when I make a new tab I get a screen using the Conduit search bar and Bing as my default search provider (I use DDG).

 

## Question ##

Can someone please show me what I've missed and/or help me remove this malware for good?

 

Many thanks in advance. I will return to view this request's progress at 12 noon every day NZ time.

 

Thanks for your contribution of time and effort.   It is much appreciated.
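As an added example that is not part of the original post (and not one of the BleepingComputer tools mentioned later in the thread), the PowerShell script below automates the search part of Steps 3 and 4: it sweeps every fixed drive, the main registry hives and the Firefox profile for the six indicator strings named in the post and writes a report. Assumptions: Windows 7 with PowerShell 2.0 or later, run from an elevated prompt; the Firefox profile is at its default location under %APPDATA%; the script only reports, it deletes nothing, because, as the AutoDesk "conduit" example shows, a bare name match is not proof of the hijacker.

```powershell
# Added example, not code from the thread. Report-only sweep for the indicator
# strings the poster names, covering the three places the thread's steps touch:
# the file system (Step 3), the registry (Step 4) and the Firefox profile (where
# the remaining new-tab symptom lives). Assumptions: Windows 7, PowerShell 2.0+,
# elevated prompt, default Firefox profile location. Nothing is deleted; every
# hit is printed for manual review because plain names like "conduit" also occur
# in legitimate software.

$Indicators = @('conduit', 'linkury', 'sweettunes', 'linkswift', 'quickshare', 'smartbar')
$Pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Test-Indicator {
    param([string]$Text)
    # -match is a case-insensitive regex match, the same idea as the poster's "find /i"
    return ($Text -match $Pattern)
}

# 1. File system: one sweep over every fixed drive (DriveType 3), replacing the
#    per-drive "attrib /s" listing plus the "find /i" pass over drivelist.log.
$drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { $_.DeviceID + '\' }
$fileHits = @(foreach ($d in $drives) {
    Get-ChildItem -Path $d -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-Indicator $_.FullName } |
        ForEach-Object { $_.FullName }
})

# 2. Registry: the regedit search, scripted. Key paths, value names and value
#    data are all tested, so the {references} the poster chased by hand show up
#    wherever a value's data contains one of the strings.
$hives = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software')
$regHits = @(foreach ($h in $hives) {
    Get-ChildItem -Path $h -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if (Test-Indicator $key.Name) { $key.Name }
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ((Test-Indicator $valueName) -or (Test-Indicator $data)) {
                '{0} :: {1} = {2}' -f $key.Name, $valueName, $data
            }
        }
    }
})

# 3. Firefox profile: the new-tab symptom survived the file and registry
#    cleanup, so also search the profile's prefs.js and user.js for the strings
#    (assumed default profile location).
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$prefHits = @(if (Test-Path $profileRoot) {
    Get-ChildItem -Path $profileRoot -Recurse -Include 'prefs.js', 'user.js' -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Path, $_.LineNumber, $_.Line.Trim() }
})

# 4. Print the report and keep a copy next to the poster's drivelist.log idea:
#    a plain text file that can be diffed between passes of Steps 1 to 5.
$report = @(
    "== Files ($($fileHits.Count) hits) =="
    $fileHits
    "== Registry ($($regHits.Count) hits) =="
    $regHits
    "== Firefox prefs ($($prefHits.Count) hits) =="
    $prefHits
)
$report
$report | Set-Content -Path (Join-Path $env:USERPROFILE 'Desktop\hijacker-sweep.txt')
```

Run it once before and once after each pass of Steps 1 to 5 and compare the two report files; a hit that reappears after a reboot points at whatever recreates it (a startup item, service or scheduled task) rather than at the file or key itself. The full-drive sweep is slow for the same reason the poster's attrib listing was, so narrowing $drives to the system drive is a reasonable first pass.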




 


#2 WannabePolyHistor

  • Topic Starter

  • Members
  • 9 posts

Posted 21 November 2013 - 07:49 PM

Follow up:

I forgot to say that as the last part of Step 5, I connected to the net and updated MalwareBytes Anti-Malware (MBAM), SpyBot S&D and AVG2014 and then disconnected from the net (physically removed the cable from my router). I ran and shut down each piece of software in turn and reviewed the results.

 

The end result was that no baddies were detected by any of the anti-malware software. The DDG homepage comes up when Firefox is opened, as it should, but the Conduit search bar and Bing still came up when I created a new tab (as before).



#3 MrBruce1959


    My cat Oreo


  • BC Advisor
  • 6,377 posts

Posted 21 November 2013 - 08:21 PM

Hello WannabePolyHistor.

There are tools that can be used to help you eliminate this problem; however, those tools are only allowed to be used in a specific forum board here at BC.

If you could please create a new topic at the link provided below, someone who can use those tools will be more than happy to help you resolve this problem.

Please describe the problem as best as you can and make sure you make your topic title stand out with a mention of conduit search issues.

http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/


Make sure you mention this link in your new topic and follow only the advice given to you in that topic until your problem has been resolved.


Best of luck to you!


Bruce.

Edited by MrBruce1959, 21 November 2013 - 08:26 PM.


#4 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts

Posted 21 November 2013 - 10:22 PM

Closed. The new topic is here: http://www.bleepingcomputer.com/forums/t/514977/persistent-conduit-search-bar-browser-hijacking-issues-on-win7ult64/



