Solved

Browser Hijacker

  • 28 October 2012
  • 61 replies
  • 791 views

Chrome, on our home computer, has been subverted by a browser hijacker that always directs it to secure.conduit.  It is quite annoying that the browser immediately goes to bing.  It cannot be removed using the Chrome search engine option though I did delete some browsers I didn't want.
 
Does/Could SecureAnywhere deal with this and if so how?

Best answer by rayb-baby 10 April 2017, 03:59


Userlevel 7
Hi Charlotte_Sterling
 
Thanks for your intent to assist.
 
However, here in the Community we do not advocate the recommendation or use of YouTube-related solutions to malware and/or PUA removal unless they are from a source known to be reputable, i.e., from a security app vendor or one of the major institutions such as Microsoft, Apple, Google, etc.; this is due to the fact that malware removal is a skilled task and many of the solutions shown may not be safe or have considered all aspects of the removal process.

And even if one has found a suitable video we believe that the best approach, if WSA is unable to handle the issue (and no security app can handle 100% of issues/infections 100% of the time...not even WSA ;)), is for the OP to Open a Support Ticket to get the Webroot Support Team of professionals to intervene and resolve the issue. This is a free service available to all users with an active subscription.

This is what I would advocate using in this instance, and so potentially avoiding getting into further trouble by doing something unforeseen to one's system.
 
Regards, Baldrick
Userlevel 1
I'm upset that the techs for Webroot haven't classified this conduit.search as a PUP (potentially unwanted program) or PUA (application). I ended up with this extremely annoying toolbar that I NEVER agreed or consented to, and all my attempts to remove it have failed. Evidently, this add-on, toolbar, or browser hijacker (which is what I prefer to call it, because you NEVER get your REAL browser back....EVER), whatever you want to call it, comes secretly bundled with whatever program you download. I ALWAYS do the CUSTOM install, whenever I download anything, so I can UNCHECK all the programs and extensions and add-ons I DON'T want. But this CONDUIT never EVER appeared in any of my custom installs. It changed the layout, color and font size of my Google Chrome page, added the mixidj search bar, added the delta search bar, allowed for constant pop-ups and unwanted ads, and changed the layout and font size of my Facebook page. Now, it may not TECHNICALLY be a VIRUS, but it SURE is an UNWANTED program, that I didn't CONSENT to. When you spend at least three weeks trying to remove this UNWANTED software, believe me, you've tried going to programs and looking for conduit to remove it or going to the settings option and resetting your page as whatever, or resetting your default page as whatever or resetting your browser as whatever in addition to REMOVING this PUA, PUP...whatever, MULTIPLE times, ONLY to have it RETURN, EVERY TIME. I've gone into the REGISTRY to try to delete the specific files, but they ALWAYS come back. Now, if THAT'S not the very DEFINITION of a VIRUS, I don't know what is. Your software developers need to study this PUP and find out how to develop a FILTER for it, because believe me, it is HIGHLY UNWANTED. To suggest the very basic program removing techniques is an INSULT after how much time and energy so MANY ppl have spent trying to get RID of this PUP.
@ wrote:
To make sure that your WSA is checking for PUAs proficiently, it sometimes helps to reset the PUA detection within WSA's settings. For PUA's that had previously been scanned and determined to be OK, but have since been added to detection/removal, you may want to complete the following steps:
 
  • Open Webroot SecureAnywhere
  • Click on ‘Advanced Settings’ from the top right
  • Select ‘Scan Settings’ from the left side
  • Unselect the option “Detect Potentially Unwanted Applications”
  • Click on the Save button (you may have to enter in a CAPTCHA)
  • Reselect the option to “Detect Potentially Unwanted Applications”
  • Click on the Save button
  • Run another scan with Webroot and remove any items that get detected.
and...
@ wrote:
PS.  What I occasionally do is go into the Advanced Settings, Scan settings, and toggle off the Detect PUAs...setting, save the configuration, then go back in and toggle it back on, save once more and then run a scan.  This is a tip provided by one of the excellent Threat Researchers, as something that seems to 'bump' the detection of PUAs/PUPs...not sure how or why but it seems to, so you may want to try it.


Thanks, Baldrick! I'd somehow missed that one. As you may have noticed, I recently reported here on my first ever "infection" since using Prevx/WSA (more than 10 years now) and what I had done to get rid of it. If this ever happens again, I shall first try the hint you give above.
Userlevel 3
Thanks!  I'll give it a try and let you know how things work out.  The worst thing is that my plugins are blocked and I can't use Flashplayer.
Userlevel 7
We are fully aware of Conduit and the like; they are classified as PUA. The majority of these programs are user installed and will ask the user a number of times if they want to install said toolbar.

If they don't and/or they don't uninstall correctly we will mark them bad in our database. However, just because people don't like the software doesn't mean it's automatically bad software. We mark thousands of pieces of PUA bad every day. We are constantly testing these and will adjust them from good->bad or bad->good depending on changes that are made to the software.
Userlevel 7
Baldrick has it right on the nail.  WSA has until recently not detected and removed what we call PUAs; that is new to the 2014 version and the functionality of it is still in the beginning stages.  Each time someone posts here regarding a specific one, especially if we have them contact Support about it, that helps bring more and more PUAs into the radar, getting them added to the Cloud detection.

In that sense, we are ALL 'training' Webroot, but it is on a global scale and trains it for all users at the same time 🙂
Userlevel 7
Browser Hijackers are not malware but in nearly all cases are user installed toolbars. PUAs often come bundled with other junk that will install a toolbar or will change the default homepage. Please don't post links to 3rd party sites/tools, we can fix these issues for our customers without using them.
Userlevel 7
Hi Stuart
 
Welcome to the Community Forums.
 
We appreciate your desire to assist other Community members but if you wish to promote malware removal tips from other sites please do so outside the Forums, i.e., via an offer to PM (Private Message) with interested members.
 
For more information on the Guidelines please see here.
 
Regards, Baldrick
Userlevel 7
Hi yayb-baby
 
Sorry to hear about your issue.

Guruofsearch.com is indeed a browser hijacker...and it is most definitively 'caught' via bundling with other free software that one downloads off of the Internet. When installed, this browser hijacker (a PUA or Potentially Unwanted Application in Community parlance) will set the homepage and search engine for your web browser to http://guruofsearch.com.

Given what you say about not having installed any software recently, usually the key to avoiding them is to make sure that when downloading apps one does so from the author's own website or one that they have recommended, and not a 3rd party downloading site.
 
WSA does detect and remove many PUA's, and more are being added, but WSA does not detect all of them. A simple browser add-on with PUA behaviour that is easy to identify and easy to remove is not likely to be detected and removed by WSA. Those that are intentionally difficult to locate and remove are. Please see THIS LINK for more information regarding Webroot's stance on these annoying programs.
 
To make sure that your WSA is checking for PUAs proficiently, it sometimes helps to reset the PUA detection within WSA's settings. For PUA's that had previously been scanned and determined to be OK, but have since been added to detection/removal, you may want to complete the following steps:
 
  • Open Webroot SecureAnywhere
  • Click on ‘Advanced Settings’ from the top right
  • Select ‘Scan Settings’ from the left side
  • Unselect the option “Detect Potentially Unwanted Applications”
  • Click on the Save button (you may have to enter in a CAPTCHA)
  • Reselect the option to “Detect Potentially Unwanted Applications”
  • Click on the Save button
  • Run another scan with Webroot and remove any items that get detected.
 
If that does not help and you feel or consider yourself technically proficient then you can try these steps to remove it from your system.
 
And if that does not work or you do not feel technically capable then the best thing to do is to Open a Support Ticket & ask Webroot Support to take a look and remove these for you.  There is NO CHARGE for this for valid/active WSA license holders.
 
Hope that helps somewhat?
 
Regards, Baldrick
 
Userlevel 7
No worries...;)
 
When you say that your "plugins are blocked and I can't use Flashplayer" precisely what do you mean/how does the blocking/issue manifest itself? Are there any messages informing you of the blocking? What are you seeing?
 
Regards, Baldrick
Userlevel 7
No worries, Muddy7
 
We are all of us a learning...every day...and that is what makes this Community so great. :D
 
Regards, Baldrick
Userlevel 3
This DEFINITELY worked for "Guruofsearch" on Chrome, but I suspect that it will work for other browser hijackers and it also fixed my Internet Explorer.

I went to Chrome Help at this link:
https://support.google.com/chrome/answer/2765944#browsersettings
It was EASY and QUICK!  I was rid of "Guruofsearch" in no time.

 
Or you can go directly to the Chrome Cleanup Tool for Windows 7 thru 10.
https://www.google.com/chrome/cleanup-tool/

 
"Clean Chrome of unwanted ads, pop-ups, & malware
If you're seeing some of these problems with Google Chrome, you might have unwanted software or malware installed on your computer:
  • Pop-up ads won't go away.
  • Your Chrome homepage or search engine keeps changing or is not set to Google anymore.
  • Unwanted Chrome extensions or toolbars keep coming back.
  • You keep getting redirected to unfamiliar webpages."   
 "Chrome will open a new tab, and ask you to reset your settings. Click Reset".
 
It literally worked in seconds.  I'm no expert, but I think it cleared the cache as all of my saved sign-ins were gone.  A small price to pay.  I hope you know all of your passwords.  It also disabled my extensions, so enable any extensions that you're using.

                     
I'm not even sure if there is any relation, but the "plugin" link for FlashPlayer still didn't work, so I went here:
https://support.google.com/chrome/answer/142064?hl=en
The link still doesn't do anything, but now when a FlashPlayer video comes up it asks me if I want to activate it.  Goodbye plugin link, hello ask me on screen.  That's good enough for me!  I even like it better that way!

If anyone still has the problem, I hope it works for you.  And YES, it's SAFE to use.

     
Userlevel 2
Sorry, I disagree with your solution.  Not that you are wrong, but that it's not that simple.  Conduit is a hijacker and once you get it, you may spend weeks getting rid of it.  Once it's on your system, if you have multiple browsers like Internet Explorer, FireFox, Opera, etc. it will infest all of them and you need to clean each one separately, and then clean your system, uninstall it and it comes right back.  I don't know why we can't have Webroot do a cleaner for it or a filter to prevent it. It's a real pain.  Check out the internet, everyone is fighting this nasty unwanted hijacker.
Userlevel 7
It's not an infection, it's a PUA. Have a look at this KB Article: https://community.webroot.com/t5/Tips-and-Tricks-KB/How-to-Remove-Potentially-Unwanted-Applications/ta-p/40744# Also have a look at this thread: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/How-to-Get-Rid-of-TopArcadeHits-Infection/td-p/56423#.UjOn1j-c44I
 
TH
Userlevel 7
Conduit has now been changed to PUA so we are blocking the installers. I still stand by my original point that a large number of these toolbars do require a user to click yes to install. We can't block every single installer of programs that people don't like; if we did that I'd guess that about 95% of software programs would be blocked!
Userlevel 7
Hello Charlotte_Sterling and Welcome to the Webroot Community Forums!


 
Yes, that is possible and so many sites add PUAs to software, but most of the time if it's a Fake Adobe update it would be mostly a true infection. Also Adobe adds Crapware to their installers and users have to watch when installing and make sure to uncheck any unwanted add-ons.
 
Cheers,
 
TH ;)
Userlevel 7
@ wrote:
Yeah, Cheers for that little pearl Baldrick  😃 , I have now submitted a support ticket.  Not sure I qualify though, I only have the trial version, but this could be a turning point as far as my security software goes.  I've been with ESET for years, but only because they were the only ones doing 64 bit software at the time.
 
I was a Big NOD32 user fan and had Prevx running with it and found out I didn't need NOD32 as Prevx was protecting much better and Prevx was Acquired by Webroot in Nov 2010 and made it much better and with more features and you can't beat the Cloud as it's the future and it's here now! Only a 745kb installer 3 to 6MB of RAM and all the work is done in the Cloud!
 
Daniel ;)
 

Userlevel 7
Hello @ please don't post links to off site help forums, just forums for OS's such as Microsoft Answer Forums: http://answers.microsoft.com/en-us as Webroot likes to help their own users and members.
 
TIA,
 
Daniel 😉
Userlevel 7
Thank you for your post HydroNick.
 
I am not quite sure what you mean by "browser hijacker" but I would certainly like to help you out.
 
From what you are describing, it sounds like a browser extension has been changed through your browser. Please follow the instructions below.
 
Navigate to your Google Chrome Settings:


 
Change your search engine to Google if that is what you prefer:


 
If you are ever afraid that you have an infection, please Submit a Support Ticket. This is the best place for issues that involve an infection because we can keep track of the interaction and get logs from your system to help investigate.
Userlevel 4
Threat Researcher Rakanisheu:
 
Yours is a stock answer that comes from most AV companies and comes from an old spyware program's description. I recently got it and received the same reply from Bitdefender.

Conduit is MALWARE-- it downloads and installs WITHOUT asking your permission--it changes your home page and search engine to the Conduit search engine which is a paid ad placement / paid position search engine with questionable sites and no useful purpose...

It's a bitch to get rid of. The windows installer will not get rid of it as it would a legitimate toolbar or browser plugin.

Google How to get rid of conduit search engine and you will get hundreds of hits. If it were legit it would be simple to uninstall. It loads code throughout your machine.

It is sometimes possible to get your old home page and search engine back using your browser but the program remains throughout your system. It's an uninvited intruder that infests your machine.
Malwarebytes treats this as a PUP and so should Webroot. Malwarebytes will remove it from registry etc. but you still have to go into each browser to change some settings.
Userlevel 4
I was not referring to the toolbar -- that is not a hijacker -- it's a toolbar.

In my case I got my home page and home page search engine changed to the Conduit homepage with the Conduit Search engine, or searching results are constantly redirected to search.conduit.com, which I described in my original post as a useless scam. There was never a visible install process and I never agreed for it to be downloaded. That's a hijack much worse than some toolbar, because it seizes control of your browser.
 
Here:
 
https://www.google.com/#q=conduit+search+removal
Userlevel 2
I disagree.  As stated earlier, several people I know suddenly have conduit and don't know how they got it.  You have to remember the vast majority of computer users nowadays don't really know what they are doing other than buying things from Amazon, doing Facebook or sending emails.  These are the people we need to protect, not the professionals.  Once you have conduit it infects every browser you have installed on your system and then comes back again if you don't Malwarebytes it.
Userlevel 7
That's what we try to do is have a conversation and in the end hopefully everyone will be happy. But the point is Conduit & I have never seen an update from Java or Adobe with Conduit.
 
TH
My sympathies!! My husband's PC gets his browser constantly hijacked. He stopped using IE and is using FireFox but still gets them. I've helped him go through the Control Panel to delete per FireFox Mozilla's suggestions but they keep coming back. (Luckily for me, I have a MAC and have never had this problem!!)

You're right, it's nothing you sign up for but often there's lots of confusing windows which keep popping up, maybe telling him he needs an update for a legitimate program he has like Adobe Flash Player but if you look at the address it's not an Adobe one.
