windows 7 - How do I get rid of adware from Search Conduit/White Smoke?

06
2014-04
  • Michael Jordan

    This adware came bundled with some freeware I downloaded. It hijacked my home page and search engine. I have fixed both of those things, but still every time I open Chrome, it opens http://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN27663547709134535&UM=2&sspv=TB_CH2: [image] in addition to the new tab page (which I have set as my home page).

    What I have tried, to no avail:

    1. Following the instructions from How do I remove the Conduit toolbar that comes with µTorrent?, which sounded like a similar question (Basically deleting the .crx file and any registry item that pointed to the directory in which I found it)
    2. Removing any programs I didn't recognize
    3. Removing the freeware that installed the adware in the first place
    4. Manually changing my home page and default search provider
    5. Running: AdwCleaner, CCleaner, and Malwarebytes Anti-Malware

    One more thing: I noticed that "search.conduit.com" is referenced several times in the file C:\Users\MattVS\AppData\Local\Google\Chrome\User Data\Default\Preferences. I have tried modifying this file, but I really don't know what I'm doing with it. I suspect that my changes to this file are being put back anyways.

    What else can I do??

    From that Preferences file I referenced, here are the two groups of text that mention "conduit" or "WhiteSmoke": conduit, whitesmoke2

    EDIT: I deleted the Extensions folder per @Jason's suggestion. The folder was already empty before I deleted it, and the problem persists.

    EDIT: I tried reinstalling Chrome. This fixed the problem until I restarted the computer and the problem came back on my newly installed version of Chrome (even though I was able to stop it from installing any extensions or changing any settings).

    Here are the results from HijackThis. I don't see anything malicious, do you?

    EDIT: I downloaded autoruns and ran it. I used ctrl+F to search for "conduit" and "smoke" (up and down) and did not find anything. Anything else I should search for?

  • Answers
  • Scandalist

    Ah....YE OLDE WHITESMOKE.

    I remove this sick little puppy almost daily with the help of hijack this. Do a scan in admin mode and remove the BHO related to whitesmoke.

    Also I noticed the adware has a startup item so locate it with autoruns. Also, a THOROUGH scan with malwarebytes is probably in order and check DOUBLY that the program is removed from your programs list.

  • Michael Jordan

    It sounds like you have done all the right things to start, namely removing any programs you don't recognize, removing the unwanted extension, and fixing your default search provider and home page. Here are a couple more things to try:

    Make sure you aren't signed into Chrome on any other infected machines. Your settings are probably synced between instances of Chrome wherever you are logged in, so your settings can be changed by any infected machine on which you are logged into Chrome.

    Lastly, after you correct your homepage and search provider settings, look where it says "On startup" and make sure "Open a specific page or set of pages" is not marked and set to something like search.conduit.com.

  • Jason Bristol

    I had to clean this out around 3 or 4 times last week.

    The way I did this was to close Chrome and delete your C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions folder.

    This will remove all extensions from Chrome including these malware extensions.

    After this reopen Chrome and go to Settings>Manage Search Engines and delete conduit and whitesmoke as well as any unwanted engines.

    That fixed it for me.
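
The posts above all point at the same place: the Chrome Preferences file where the asker found "search.conduit.com", the "On startup" pages, and the search-engine list. As an added example (not code from any of the posters), this Python script reads a Preferences file without modifying it and reports the JSON path of every key or string that mentions "conduit" or "whitesmoke"; the sample data is constructed, and its key names are assumptions that vary by Chrome version.

```python
import json
import sys

# Substrings the asker searched for; matching is case-insensitive.
NEEDLES = ("conduit", "whitesmoke")

def find_references(node, needles=NEEDLES, path=""):
    """Return (json_path, value) for every key or string value mentioning a needle."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if any(n in key.lower() for n in needles):
                hits.append((child, "<key name>"))
            hits.extend(find_references(value, needles, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_references(value, needles, f"{path}[{i}]"))
    elif isinstance(node, str):
        if any(n in node.lower() for n in needles):
            hits.append((path, node))
    return hits

def scan_preferences(file_path, needles=NEEDLES):
    """Parse a Preferences file (opened read-only) and list matching entries."""
    with open(file_path, encoding="utf-8") as fh:
        return find_references(json.load(fh), needles)

# Constructed sample, not the asker's file. Key names are illustrative only.
SAMPLE = json.loads("""
{
  "homepage": "http://search.conduit.com/?ctid=EXAMPLE",
  "homepage_is_newtabpage": false,
  "session": {
    "restore_on_startup": 4,
    "startup_urls": ["chrome://newtab/", "http://search.conduit.com/?ctid=EXAMPLE"]
  },
  "extensions": {"settings": {"exampleid": {"path": "WhiteSmoke_Example"}}}
}
""")

if __name__ == "__main__":
    hits = scan_preferences(sys.argv[1]) if len(sys.argv) > 1 else find_references(SAMPLE)
    for where, value in hits:
        print(f"{where}: {value}")
```

Run it with the path to the Preferences file as the only argument while Chrome is closed; with no argument it scans the built-in sample. Entries that reappear in the output after a reboot indicate something outside Chrome is rewriting the file.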


  • Related Question

    windows - How to rid my computer of spyware and adware
  • Questioner

    I have a bit of a spyware problem.

    I tried using How to Clean up a Windows Spyware Infestation to help get rid of the spyware/adware on my computer. I have autoruns and process explorer and got rid of the files that did not have a publisher or a company name. I restarted the computer and the same files came back. I got really lost towards the end of the article about the winlogon hooks and trying to find the bad handles and DLL files.

    I don't want to delete the winlogon file because I won't be able to log in (according to the warning) and there isn't a publisher name like Microsoft corporation.


  • Related Answers
  • 8088

    Sounds like you've removed all the files without a valid publisher using Process Explorer.

    This is the part you might be stuck on:

    Evil apps like to attach themselves to unkillable system processes. That way they can't easily be deleted and will magically "reappear".

    As before, scan process explorer looking for processes with no valid publisher. Make note of the filenames of these processes. You now need to kill any active threads in unkillable system processes referencing these evil files.

    Use the find function in Process Explorer to locate any live references to the evil files. The process properties dialog is where you want to end up, and then select the threads tab and click the Kill button for each evil thread.

    Fire up Process Explorer and use the Find | Find Handle or DLL menu to locate all the instances of this DLL by name. (See, I told you this option was powerful.) Kill any open handles to this file that you find, exactly as we did before. But you'll need to go one step further. We know from the Autoruns that this DLL is likely to be attached to the Explorer and Winlogon processes, but let the find results be your guide. Double-click on any processes you found that reference this DLL. In the process properties dialog, select the Threads tab. Scroll through the threads and kill every one that has the rogue DLL loaded.


    Once you've killed all the threads, you can finally delete the entries in Autoruns without them coming back. Reboot, and your machine is now completely free of spyware. I count 17 entries in Task Manager, exactly the same number as when I originally started.

    Until you do this, the files will not be delete-able!

  • Jeff Atwood

    To solve the problem you can use

    http://free-av.com/en/tools/12/avira_antivir_rescue_system.html

    to scan and clean your harddrive completely.

    But depending on what you have installed on your system you have to reinstall the system (don't forget to first copy your important data with for example ubuntu-live-cd or knoppix - google for download-links).

    Additionally:

    1. scan your system with the already named avira-antivir rescue cd (remember to change the settings to preferred rename the found files)
    2. install spybot search and destroy; run it and search for spyware (often spybot search and destroy does a good job in deleting stuff)
    3. install hijackthis, open and scan, copy and paste the log to the hijackthis-website-check and read the shown information
    4. install a good antivirus-program (for example from kaspersky, panda cloud antivirus or AVG Antivirus)
    5. install all system-updates! and the latest version of your favourite browser!
  • Jeff Atwood

    The most effective, yet disruptive, way to rid a computer of spyware and adware is to format and reinstall.

    Next, I would try using the free solutions and tools that are already on most Windows machines.

    Go to Start > Run and type in "mrt.exe" to run the Microsoft Windows Malicious Software Removal Tool. The title bar for the program should have a recent month and year in it to let you know it has been recently updated. Select "full scan" and let it do its job.

    You may also have Windows Defender installed. Run it.

    You might have Microsoft Security Essentials, a free antivirus tool from Microsoft. If not, you may search for and download it.

    Lastly, visit onecare.live.com and click on "Safety Scanner." An Active-X program from Microsoft will scan your computer for malware.

  • Glimmet

    A free software I really like for this kind of mission is Spybot Search and Destroy, http://www.safer-networking.org/index2.html.

    Easy to use and effective.

  • cometbill

    I'd recommend giving VIPRE from Sunbelt Software (www.sunbeltsoftware.com) a try.

    There's a 15 day trial, and as far as I can tell no limit to the functionality during that time.