
Conduit safe search virus - PROBLEM SOLVED

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
How can I get rid of this message that displays on boot up?
Capture_zps8932d75e.png

Don’t know how I got Conduit safe search. It may have been bundled with some software I installed when reinstalling Windows a week ago. It seems like a virus but antivirus programs don't catch it.

Uninstalled conduit, removed the search tool conduit added to Firefox browser, and deleted every mention of conduit from the registry.

After that, still get this message on every boot up. Can I kill it without completely reinstalling Windows again?


 

lxskllr

No Lifer
Nov 30, 2004
60,100
10,567
126
Try msconfig, and see if it shows up under startup items. You could also try autoruns from sysinternals.

It's not exactly a virus, just crapware. I removed it from an XP machine at the office, and it didn't give me any problems.
 

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
lxskllr,

Thank you for replying.

Don't find "Conduit" or "safe search" with either of the ways you suggested, nor in my registry, but that Autoruns you pointed out is going to be useful in the future. Thanks!

The dang message about Conduit must be buried inside a dll named RunDLL. The AgentRansack search tool finds 16 files with RunDLL as part of the file name. Guess I need to learn how to look inside a dll and to edit it.
 

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
MustISO,

Thank you.

Installed, updated & ran Malwarebytes 1.75.0.1300. It didn't find any "Conduit" files. Also updated & ran Kaspersky at deepest scan level. Nada.

However, after all the above the same dang Conduit message still pops up every time I boot up. Grrrr.
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
Run this little beauty as an administrator. Un-check every line that is highlighted yellow (or just the one for the file in your error if you don't want to get rid of anything else). Yellow means the entry is set as an automatic startup item somewhere in Windows, but the file does not exist at the specified location. Unchecking the items will disable the startup entries so Windows will not try to launch the files during the boot process. You can also click to highlight them and then click the Delete button (or menu item) to completely remove the entry from the system.
 

JEDIYoda

Lifer
Jul 13, 2005
33,986
3,321
126
Also, if you search the internet (Google it), you will find what registry files have Conduit, and then you need to manually remove those registry files!!
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
You might have luck with HijackThis. I couldn't find what was starting up a file on one system even though MBAM successfully removed it; the error would happen at logon, and msconfig and even Startup Control Panel couldn't remove it, but HijackThis was able to.

Food for thought, Conduit is prevalent on most systems. The reason is that there is a lot of money for Conduit to be made by hijacking search queries with advertisements, and so it has also recruited other malware makers into developing nastyware so they get a cut of Conduit's revenue.
 

mikeymikec

Lifer
May 19, 2011
21,031
16,281
136
@ ringtail

Just so you know, rundll32 is a program that comes with Windows. The description for it is "run a DLL as an app". DLL files are library files that programs use to look up various functions (rather than one enormous exe - Word's executable is probably still only about 5MB despite the entire program install probably being about 90MB).

Conduit is probably using it here to obscure the run entry and make it look more legit to the casual observer. One is more likely to ignore the rest of an entry if the first part points to a known OK file. Also, when the program is running, you just see 'rundll32' in Task Manager rather than "rundll32 C:\My_dodgy_program.dll" or "C:\My_dodgy_program.exe". You would see rundll32 running for a completely legitimate reason when, for example, you start an app like Control Panel > Programs & Features (or at least, you did on XP).

However, with Process Explorer one can float the mouse pointer over a program entry and it gives you the full command that is being run.

Rundll32 probably hasn't been infected (at least, I can't remember seeing a situation when it turned out to be infected unless we go back to the days when viruses used to try and trash every system file). Conduit isn't really a virus, I'd just call it not-very-malware or adware, a home page and search engine setting hijacking program. You've probably been installing some new apps recently and it came with them, that would be my guess.
 

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
I'm 75% sure Conduit arrived in the DivX player I downloaded directly from the DivX web site.

This proved to be the solution to remove the pop up message, as found on Microsoft's Community forum:

1) Remove Conduit by uninstalling via the Windows installer

2) Remove the residual pop up message by:
- Press the Windows key + R
- Type "taskschd.msc"
- Press the Enter key
- Click on the Task Scheduler Library folder
- Right-click on the BackgroundContainer task
- Select "Delete"


My problem is solved. Thank you all!


 
Last edited:
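
The check that msconfig and a registry search missed here, as an added example that is not part of any post in this thread: list scheduled tasks that launch a DLL through rundll32 and flag those whose DLL is no longer on disk. It assumes Windows 8 / Server 2012 or later for `Get-ScheduledTask`; the function names and the sample DLL path are hypothetical, and only the task name BackgroundContainer comes from the thread.

```powershell
# Added example: find scheduled tasks that start a DLL via rundll32 and report
# whether that DLL still exists. Run from an elevated PowerShell prompt.

function Get-RundllTarget {
    # Extract the DLL path from a rundll32 argument string of the form
    #   "C:\dir\some.dll",EntryPoint args     (quoted or unquoted, comma-separated)
    param([string]$Arguments)
    $expanded = [Environment]::ExpandEnvironmentVariables($Arguments).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }        # quoted path
    if ($expanded -match '^([^,]+)')   { return $Matches[1].Trim() } # up to the comma
    return $null
}

function Find-RundllTask {
    # Defaults to every task registered on the local machine.
    param($Tasks = (Get-ScheduledTask))
    foreach ($task in $Tasks) {
        foreach ($action in $task.Actions) {
            # Only "start a program" actions carry Execute; COM handlers do not.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ([IO.Path]::GetFileName($exe) -notmatch '^rundll32(\.exe)?$') { continue }
            $dll = Get-RundllTarget $action.Arguments
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Dll        = $dll
                # True when the DLL path is absent or cannot be parsed
                DllMissing = -not ($dll -and (Test-Path -LiteralPath $dll))
            }
        }
    }
}

# Constructed sample task (the DLL path is a placeholder, not taken from the
# thread) so the logic can be tried without touching real tasks:
$sample = [pscustomobject]@{
    TaskPath = '\'; TaskName = 'BackgroundContainer'
    Actions  = @([pscustomobject]@{
        Execute   = '%SystemRoot%\System32\rundll32.exe'
        Arguments = '"C:\Example\Removed\Container.dll",EntryPoint'
    })
}
Find-RundllTask -Tasks $sample | Format-Table -AutoSize

# On a live system, review every rundll32 task, missing DLLs first:
# Find-RundllTask | Sort-Object DllMissing -Descending | Format-Table -AutoSize
```

A task reported with `DllMissing` set to True corresponds to the yellow "file not found" entries Autoruns shows; legitimate Windows tasks also use rundll32, so review each result before deleting anything.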

JEDIYoda

Lifer
Jul 13, 2005
33,986
3,321
126
If I may please double check to make sure it is not dormant somewhere else.....
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,225
126
For future reference, "FreeFixer" is good for this sort of thing. It finds not only startup items like HijackThis, but also scheduled tasks and other things. Very thorough.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Do you guys know of software that will prevent its installation, paid or not? Some of the clients I work with repeatedly install crap and we're seeing repeat PCs in the cleanup service department.