Basic Browser Hijack Removal


Lately, we have been repairing many systems that have been infected by software called “Conduit”. It appears to hijack your home page, create pop-ups, and install extensions to Google Chrome and Firefox. It even has a component that will prevent it from being fully removed. If you change your home page, and even remove the extensions, it will change your settings right back, then after you use their search page (which, to add insult to injury, is just relaying Bing results) it can install the extensions again.

So what do you do when this happens? Call us, of course!

Seriously, if you do want to see the effects and attempt to fix it yourself, or if you just want to know what you should be looking out for, just keep reading.

Your first line of defense is always a good anti-virus program. We recommend using Microsoft Security Essentials, since it is free, updates regularly, and who better to know the intricacies of the Windows systems than the people that created it? It actually comes pre-installed on Windows 8, and can sometimes go under the name “Windows Defender”.
Once installed, it looks like a little green fort with a flag on top, usually with a check-mark in the center of it. If it is green, you are clear to keep working, as it will scan your files periodically, and alert you if a download may pose a threat. If it turns orange or red, then you need to open it and see what the issue is. Most of the time, it will have a single button to fix the problem.
While this software is very thorough, it can’t catch everything right away, especially if a user overrides or ignores it. This is generally where most of the issues start to happen.

This image is from a system we recently repaired, where the user had been ignoring warnings and had installed detrimental software. These programs, often referred to as “malware” (meaning bad programs), normally come packaged or bundled with other software that is often offered for free. Well, nothing is really free, and the price of the software is the attached programs. So, the next time you want to install “Free youtube video splitter”, think twice, because there is a price to pay for it.


 

As you can see, the same software was found repeatedly, but was only removed once we repaired it.
If you would like to access this screen, you can do so by double-clicking on the Windows Defender/Security Essentials icon in the corner by the time (circled in blue), then click on “History” (green), and finally, all items will display a history of all detected threats and what happened to them.

Before we get into correcting the issues caused by these kinds of programs, let’s talk about the signs or symptoms you might experience from them. This most recent blight, “Conduit”, takes over your browser with add-ons and by changing your search engine. They do this because it allows them to display ads less invasively than if they used pop-ups, which most people consider a worse issue and will more actively seek to have removed. You can think of it as a disease. If it is too aggressive and virulent, the host dies before it can pass it on, or will at least seek some type of treatment. If the disease is milder, such as a stomach ache or headache, the host is less likely to seek treatment and may just attempt to “live with it”. So, if your homepage suddenly changes, or has more ads than normal, or your settings don’t seem to stick when you change them, you might have a problem.

If you look at the image above, notice the conflicting information (circled in red), which comes from the attempt at mimicking multiple search engines in an effort to seem more legitimate: the plain-style page with just a search box, such as Google’s; actual search results supplied by Bing (whether Bing supports them or they are just linking to the appropriate Bing search page is unknown); the plain logo, not identifying the company providing the page; and the generic page title, “Search”. These are all signs that something fishy is going on.

In orange, notice the advertisements. This is what really drives people to create these kinds of programs. If they can get you to click on their ads, they will make money. Most real search pages won’t have many ads on the first page where you type your search. They may have ads on the results pages, usually pertaining to the search you just performed, since there are high costs associated with maintaining servers, but they are almost never ads for winning prizes or optimizers or anything like that.

Finally (in black), in Internet Explorer, when an addon is installed, you will get a message asking if you want to allow it to run. If you know what it is, then go ahead and enable it. In this case, WaUdix is another unknown addon. Many pieces of software that you don’t want running will have names that are random letters, don’t make sense, or are very generic. But there will be more on that shortly.

Now that you have seen some of the effects, the next step is removal. Obviously, you want to run a FULL scan using your antivirus software. Then, you want to remove any installed malware. You can start by going to “Control Panel” and then Programs and Features (or Add/Remove Programs if you are still running Windows XP). You should see a screen similar to the one portrayed below. The following steps should ideally be executed while in safe-mode, which mitigates some programs that attempt to keep installing themselves.


If you look at the red arrows, they are pointing to suspicious programs that have odd names. The names are either misspelled, or have randomly capitalized letters, or may not make any sense at all. Would you name your program “John’s pop-up creator and ad generator”?

The orange arrows point to software that is generic. Most companies or people that create software want to create a brand or name for themselves or their creations, and will put an icon representing it with it, and give it a descriptive name. By using generic names, such as “Media View” or “Media Player”, you can once again hide your program by not causing too much trouble for people.

The brown arrows denote items that aspire to be that little extra you just have to have to make your experience the best. Or, at least that’s what their names want you to think. “Search Protect”, if you notice the publisher, is made by Conduit, which seems to be the common thread in most of the repairs we have done this year. Each variation of Conduit seems to bring in slightly different packages of software, and a recent mutation of it actually was able to prevent itself from being uninstalled by normal means. Anyway, these programs want you to think they are providing additional services, such as keeping your searches safe, enhancing your media viewing, or optimizing your computer. None of these ever actually work, since most searches (especially if you use Google and Chrome) are already protected. How do you enhance your media viewing if you never notice a difference except more ads? And any software that claims to “clean”, “optimize”, or “speed up” your computer probably won’t. And if it is actually attempting to, it normally is over-zealous and modifies too much, leading to glitches and misconfigurations down the road. There are a few programs out there that do well, but none of them have seemed to be worthwhile, when you can perform all the necessary maintenance yourself in just a few minutes.

The blue arrow shows software that pops up from time to time, mostly when sites want you to use a special player to watch free movies or TV from them. It is actually just a way to show you more ads.

Finally, the teal arrows show toolbars. Unless you really like one, you should never have a toolbar in your browser. They slow things down, clutter the screen, and can actually track things you do online.

You can remove these items by clicking on each one, then pressing the uninstall or remove button that appears in the top bar.

As a side note, most “optimizer” software tends to be more invasive than helpful. This screenshot shows how they tend to automatically run on startup, and tell you that you have hundreds or thousands of problems that need to be fixed. Most of the time, they want you to pay money to get the full version which promises to remove the detected items. However, there are no real detected items, and the full version just says that it fixed them, even though they never existed.

After the uninstallations have been completed, you will need to clean up the remnants so that your system will not be re-infected right away. This article will cover doing so on the Internet Explorer and Google Chrome browsers. If you have Firefox, the process is very similar to the one used for Chrome.

First, IE. Open your Internet Explorer browser (it is a blue “e” icon) and then click on the gear icon (circled in green), or if you are using an older version of Internet Explorer, it’s under the “Tools” menu (and you should also update to the latest version for security). Then select “Internet Options” (circled in blue).

On the first tab that is open, “General”, you will want to change the home page. Make it something you trust, such as “http://www.google.com”.

In the “Browsing History” section of this tab, click on the “Delete” button, and you will see a screen similar to the one below. You can select whatever you want to remove, as long as the two boxes shown here in the red box are checked. This will remove any cached copies of software, waiting to be reactivated. Click “Delete”, and make sure that you click “Apply” before closing the “Internet Options” box.

Now we are done with Internet Explorer. If you use Google Chrome (it is highly recommended that you do), then here is how to remove it from that browser. After you open Chrome, click on the three bars in the upper-right corner, circled below in blue. This opens a menu on which you can choose “Settings”. Scroll down as far as you can, and click to show the advanced settings. Now you will see a screen which is similar to the background of the image below. First, click on the “Clear Browsing Data” button in the “Privacy” section. The important parts to erase here are the ones highlighted in orange, “Cookies and other site and plug-in data” and “Cached images and files”. Clear the data, then move on.

Scroll back toward the top of the page, and under the “On Startup” section, click the link that says “Set pages”, even if a different radio button is selected in this section.


As you can see, even if you are not using the startup pages option, it can still be set, which is another way that you could pick these viruses up again after an almost complete removal. Be sure to remove any entries here (unless you are certain you want them, such as www.google.com).


Click OK, then move on to the “Show Home Button” option. If this is not checked, check it, and then click on change. Just like with the previous step, the page can be set without it being an active option.


You can clear the box and change the option to the New Tab page, or enter a home page. 

 


Next, click on “Manage Search Engines”.


First, move your mouse over an entry that you can trust, such as Google or Yahoo, and select “Make default”. Then, when you move your mouse over the other entries, an ‘X’ should appear on the right end of the line, and you can click that to remove the search engine entry. Do this for each of the entries that you do not recognize.

Next, go to “Extensions”, which is listed on the left side of the screen. If you look at the red circles, you will see that Chrome is notifying you that these apps came from somewhere outside of the app store, which means that they could not be verified to be trusted. Since Google has now taken steps to prevent extensions from being installed in this way, it is not as common to see this anymore. However, there are still some ways to manipulate a system to allow it, one of which is to disable updates to prevent you from getting the version of software that prevents this. That is something to also check, but it is covered in another post.
Looking at the names (in orange) of the extensions, you will usually notice names that are misspelled, offering coupons, free music or videos, or optimizers. Most of these things are signs that the extension should be removed.
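
As an added example (not part of the original article), here is a read-only Python check of a parsed Chrome `Preferences` file for the leftovers described in the steps above: startup pages and a home page that are stored but not active, and extensions that did not come from the store. The key names are an assumption about Chrome's profile JSON and can differ between versions; the trusted-host list and the sample data are constructed.

```python
import json
from urllib.parse import urlparse

# Hosts the reader has decided to trust (assumption; edit to taste).
TRUSTED_HOSTS = {"www.google.com", "google.com"}

def _untrusted(url):
    """True if the URL's host is not on the trusted list."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower() not in TRUSTED_HOSTS

def audit_preferences(prefs):
    """Return a list of findings for a parsed Chrome Preferences dict."""
    findings = []
    session = prefs.get("session", {})
    # Startup pages can be stored even when another On Startup option is active.
    active = session.get("restore_on_startup") == 4  # 4 = open specific pages
    for url in session.get("startup_urls", []):
        if _untrusted(url):
            state = "active" if active else "dormant"
            findings.append(f"startup page ({state}): {url}")
    # The home page URL is kept even when the Home button is hidden.
    home = prefs.get("homepage", "")
    if home and _untrusted(home):
        shown = prefs.get("browser", {}).get("show_home_button", False)
        in_use = shown and not prefs.get("homepage_is_newtabpage", True)
        findings.append(f"home page ({'active' if in_use else 'dormant'}): {home}")
    # Extensions not installed from the store; built-in components may also
    # appear here, so treat this as a list to review, not a verdict.
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if not ext.get("from_webstore", False):
            name = ext.get("manifest", {}).get("name", "<unnamed>")
            findings.append(f"extension not from store: {name} ({ext_id})")
    return findings

# Constructed sample, not taken from a real infected profile.
SAMPLE = json.loads("""{
 "session": {"restore_on_startup": 5,
             "startup_urls": ["http://search.hijack.example/?src=hp"]},
 "homepage": "http://search.hijack.example/", "homepage_is_newtabpage": true,
 "browser": {"show_home_button": false},
 "extensions": {"settings": {
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": false, "manifest": {"name": "Example Toolbar"}},
  "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": true, "manifest": {"name": "Store Extension"}}}}
}""")

if __name__ == "__main__":
    for line in audit_preferences(SAMPLE):
        print(line)
```

To run it against a real profile, close Chrome first and pass the result of `json.load` on a copy of the profile's `Preferences` file to `audit_preferences`.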

 

This process will remove the most basic of browser invasions and should, at the very least, allow you to keep going until someone can look at your system more thoroughly. Note that this guide is in no way comprehensive, and is intended for a novice to be able to remove simple infections. There are many other steps and processes to ensure a fully cleaned system.

Also check out our post about a new guide we’ve found that could be beneficial to anyone wanting to learn about how to keep their system and data secure and private.

