Kick the PUP: Conduit Search


[Screencap: Conduit in Internet Explorer]

One of the nicer things about moving to a Mac is not having to worry as much about malware. Or at least, I haven’t had a problem at all since I moved over, but I also have less reason to visit questionable sites than I did in the past.

Today, while my manager was away on unknown business, I took the opportunity to install some malware on my work computer that I thought was actually from a credible source. Thanks to late nights and not enough sleep, I perhaps didn’t take as much caution downloading as I should have, but I realised something was wrong when Google Chrome suddenly crashed out of the blue, and an unfamiliar search screen with an ad showing underneath it appeared when I restarted it immediately afterwards.

Welcome, Conduit Search

I knew something was wrong instantly, because these were not my settings, and it didn’t take much investigating to discover this was called ‘Conduit Search’. They may dress it up nicely, but this program they call Search Protect by Conduit is anything but.

A little bit of quoted background for you.

Conduit is a browser hijacker, which is promoted via other free downloads, and once installed it will add the Conduit Toolbar, and change your browser homepage and default search engine to search.conduit.com.

Conduit Search will display advertisements and sponsored links in your search results, and may collect search terms from your search queries. The Conduit infection is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.

Conduit is technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a “PUP,” or potentially unwanted program.

Oops!

Anyway, what’s done is done, the lesson was learned, and removing it is now the important part. Although I made some mistakes along the way, the general way you should remove this malware is to:

  1. Uninstall Conduit Search and anything else unfamiliar by going to Start, Control Panel, Uninstall a program.
  2. Open your browser and reset it, deleting personal settings and setting the default search engine back to something you trust: Google for some, DuckDuckGo for others. While you are there, check the homepage and the pages opened on startup too, since those are the other settings Conduit changes. More detailed guide here. Also delete any extensions/add-ons you don't recognise.
  3. Finally, run a dedicated malware removal program. Although uninstalling Conduit seemed to do the trick, there's no knowing where other files are hiding.
  4. Run an antivirus scan if you have one.

Very easy, right? No? Because you can’t even search for how to get malware off your computer unless you have another computing device handy? Oh.

Lucky for me I had my MacBook around at the time to fall back on. I guess you wouldn’t be reading this unless you had something to fall back on too.

Mistakes, lessons learned

When I first discovered Chrome redirecting me to a search engine I didn’t know or want to use, the first thing I did, other than try to uninstall programs, was change some of the browser’s settings back (‘Open the New Tab page’ instead of ‘Open a specific page or set of pages’, for example, and the default search engine). Then I quit the program.

I tried to delete some of the unfamiliar programs from my machine with little success (apparently it was still in the process of uninstalling something), so I went back to see if I could clean more of Google Chrome again, but found that I was unable to open it. Clicking it would make it flash as though it were about to open, but then it would stop and quit again. I was mystified.

In order to get Google Chrome to open again, I tried to reset it by going into the program’s profile files instead, using the Run box (Windows Key + R). My machine at work is running Windows 7, so the path I typed was:

%UserProfile%\AppData\Local\Google\Chrome\User Data\Default

If you happen to be on XP, the path is:

%UserProfile%\Local Settings\Application Data\Google\Chrome\User Data\Default

In the folder that opens, rather than renaming the ‘Preferences’ and ‘Web Data’ files to ‘disable’ them, I simply deleted them completely. I would rather have to redo all my preferences and lose my web history than have malware on my machine. Google Chrome was restored to its default settings and I could open it again. Curiously enough, I could suddenly also delete the other malware programs from my machine.
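For anyone who would rather see what Conduit actually changed before throwing those two files away, here is an added example (mine, not code from the post or from Conduit) that audits the two files named above. ‘Preferences’ is a JSON file whose homepage, startup pages and default search provider fields are the settings the quoted background says Conduit rewrites; ‘Web Data’ is a SQLite database whose keywords table holds the browser’s list of search engines. The field names follow the Chrome of the Windows 7 era and are assumptions, as is the reduced keywords table schema; the sample Preferences dictionary and the in-memory database are constructed here so the example runs offline. The same check covers the browser-reset step in the removal list above.

```python
"""Audit and surgically reset a Chrome profile's Preferences (JSON) and
Web Data (SQLite) for browser-hijack indicators. Added example; not the
post author's code. Field names are assumptions based on the Chrome of
the era described in the post."""
from __future__ import annotations

import json
import sqlite3
from urllib.parse import urlparse

# search.conduit.com comes from the post; anything else you add here is your call.
SUSPECT_HOSTS = ("conduit.com",)

# Values of session.restore_on_startup (assumed): 4 = open a set of pages, 5 = New Tab page.
STARTUP_URLS, STARTUP_NEWTAB = 4, 5


def is_suspect(url: str) -> bool:
    """True if the URL's host is a suspect host or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


def audit_preferences(prefs: dict) -> list[str]:
    """Report the three settings a hijacker like Conduit changes."""
    findings = []
    if is_suspect(prefs.get("homepage", "")):
        findings.append(f"homepage -> {prefs['homepage']}")
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == STARTUP_URLS:
        for url in session.get("startup_urls", []):
            if is_suspect(url):
                findings.append(f"startup_url -> {url}")
    dsp = prefs.get("default_search_provider", {})
    if is_suspect(dsp.get("search_url", "")):
        findings.append(f"default_search_provider -> {dsp['search_url']}")
    return findings


def clean_preferences(prefs: dict) -> dict:
    """Return a copy with only the hijacked fields reset, leaving the rest of
    the profile intact (the alternative to deleting the whole file)."""
    cleaned = json.loads(json.dumps(prefs))  # deep copy; never mutate the input
    if is_suspect(cleaned.get("homepage", "")):
        cleaned.pop("homepage")
        cleaned["homepage_is_newtabpage"] = True
    session = cleaned.setdefault("session", {})
    kept = [u for u in session.get("startup_urls", []) if not is_suspect(u)]
    session["startup_urls"] = kept
    if not kept and session.get("restore_on_startup") == STARTUP_URLS:
        session["restore_on_startup"] = STARTUP_NEWTAB
    dsp = cleaned.get("default_search_provider", {})
    if is_suspect(dsp.get("search_url", "")):
        cleaned.pop("default_search_provider")  # Chrome falls back to its built-in default
    return cleaned


def audit_web_data(conn: sqlite3.Connection) -> list[tuple[int, str, str]]:
    """(id, short_name, url) of search engines whose URL points at a suspect host."""
    rows = conn.execute("SELECT id, short_name, url FROM keywords").fetchall()
    return [(i, name, url) for i, name, url in rows if is_suspect(url)]


def remove_suspect_keywords(conn: sqlite3.Connection) -> int:
    """Delete the suspect search engines and return how many were removed."""
    bad = audit_web_data(conn)
    conn.executemany("DELETE FROM keywords WHERE id = ?", [(i,) for i, _, _ in bad])
    conn.commit()
    return len(bad)


# Constructed sample Preferences in the shape a Conduit-hijacked profile would take.
SAMPLE_PREFERENCES = {
    "homepage": "http://search.conduit.com/",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": STARTUP_URLS,
        "startup_urls": ["http://search.conduit.com/", "https://news.ycombinator.com/"],
    },
    "default_search_provider": {
        "enabled": True,
        "name": "Conduit Search",
        "search_url": "http://search.conduit.com/Results.aspx?q={searchTerms}",
    },
}


def build_sample_web_data() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Web Data with the subset of the
    keywords table's columns this example uses (the real table has more)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keywords (id INTEGER PRIMARY KEY, short_name TEXT, keyword TEXT, url TEXT)")
    conn.executemany("INSERT INTO keywords VALUES (?, ?, ?, ?)", [
        (2, "Google", "google.com", "{google:baseURL}search?q={searchTerms}"),
        (3, "DuckDuckGo", "duckduckgo.com", "https://duckduckgo.com/?q={searchTerms}"),
        (7, "Conduit Search", "search.conduit.com", "http://search.conduit.com/Results.aspx?q={searchTerms}"),
    ])
    return conn


if __name__ == "__main__":
    for finding in audit_preferences(SAMPLE_PREFERENCES):
        print("Preferences:", finding)
    print(json.dumps(clean_preferences(SAMPLE_PREFERENCES), indent=2))
    db = build_sample_web_data()
    print("Web Data suspect engines:", audit_web_data(db))
    print("removed", remove_suspect_keywords(db))
```

Against a real profile you would load the Preferences file with json.load and open Web Data with sqlite3.connect, with Chrome closed first, since it keeps both files locked and would overwrite your edits. Copy both files somewhere safe before touching them; the audit output is also the evidence you want to keep if you later need to show what the installer changed.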

Strangely, Chrome still had my web history recorded, so I deleted it anyway, as the browser mockingly reminded me that I could have just used Incognito Mode if I was going to delete my history anyway. I wonder if simply deleting Chrome itself and reinstalling it would have been easier somehow, but nonetheless this method seems to have worked to some extent.

The last step now is finding a malware remover to get rid of the last vestiges of this browser-hijacking PUP (Potentially Unwanted Program). This kind of PUP is the only kind I approve of kicking.