Solved

Browser Hijacker


Chrome, on our home computer, has been subverted by a browser hijacker that always directs it to secure.conduit.  It is quite annoying that the browser immediately goes to bing.  It cannot be removed using the Chrome search engine option though I did delete some browsers I didn't want.
 
Does/Could SecureAnywhere deal with this and if so how?

Best answer by rayb-baby 10 April 2017, 03:59

This DEFINITELY worked for "Guruofsearch" on Chrome, but I suspect that it will work for other browser hijackers and it also fixed my Internet Explorer.

I went to Chrome Help at this link:
https://support.google.com/chrome/answer/2765944#browsersettings
It was EASY and QUICK!  I was rid of "Guruofsearch" in no time.

 
Or you can go directly to the Chrome Cleanup Tool for Windows 7 thru 10.
https://www.google.com/chrome/cleanup-tool/

 
"Clean Chrome of unwanted ads, pop-ups, & malware
If you're seeing some of these problems with Google Chrome, you might have unwanted software or malware installed on your computer:

  • Pop-up ads won't go away.
  • Your Chrome homepage or search engine keeps changing or is not set to Google anymore.
  • Unwanted Chrome extensions or toolbars keep coming back.
  • You keep getting redirected to unfamiliar webpages."   
 "Chrome will open a new tab, and ask you to reset your settings. Click Reset".
 
It literally worked in seconds.  I'm no expert, but I think it cleared the cache as all of my saved sign-ins were gone.  A small price to pay.  I hope you know all of your passwords.  It also disabled my extensions, so enable any extensions that you're using.

                     
I'm not even sure if there is any relation, but the "plugin" link for FlashPlayer still didn't work, so I went here:
https://support.google.com/chrome/answer/142064?hl=en
The link still doesn't do anything, but now when a FlashPlayer video comes up it asks me if I want to activate it.  Goodbye plugin link, hello ask me on screen.  That's good enough for me!  I even like it better that way!

If anyone still has the problem, I hope it works for you.  And YES, it's SAFE to use.

     


61 replies

Userlevel 7
Hi Charlotte_Sterling
 
Thanks for your intent to assist.
 
However, here in the Community we do not advocate the recommendation or use of YouTube-related solutions to malware and/or PUA removal unless they are from a source known to be reputable, i.e., from a security app vendor or one of the major institutions such as Microsoft, Apple, Google, etc.; this is due to the fact that malware removal is a skilled task and many of the solutions shown may not be safe or have considered all aspects of the removal process.
 
And even if one has found a suitable video we believe that the best approach, if WSA is unable to handle the issue (and no security app can handle 100% of issues/infections 100% of the time...not even WSA ;)), is for the OP to Open a Support Ticket to get the Webroot Support Team of professionals to intervene and resolve the issue. This is a free service available to all users with an active subscription.
 
This is what I would advocate using in this instance, and so potentially avoiding getting into further trouble by doing something unforeseen to one's system.
 
Regards, Baldrick

@Baldrick wrote:
To make sure that your WSA is checking for PUAs proficiently, it sometimes helps to reset the PUA detection within WSA's settings. For PUA's that had previously been scanned and determined to be OK, but have since been added to detection/removal, you may want to complete the following steps:
 

  • Open Webroot SecureAnywhere
  • Click on ‘Advanced Settings’ from the top right
  • Select ‘Scan Settings’ from the left side
  • Unselect the option “Detect Potentially Unwanted Applications”
  • Click on the Save button (you may have to enter in a CAPTCHA)
  • Reselect the option to “Detect Potentially Unwanted Applications”
  • Click on the Save button
  • Run another scan with Webroot and remove any items that get detected.

and...

@Baldrick wrote:
PS.  What I occasionally do is go into the Advanced Settings, Scan settings, and toggle off the Detect PUAs...setting, save the configuration, then go back in and toggle it back on, save once more and then run a scan.  This is a tip provided by one of the excellent Threat Researchers, as something that seems to 'bump' the detection of PUAs/PUPs...not sure how or why but it seems to, so you may want to try it.


Thanks, Baldrick! I'd somehow missed that one. As you may have noticed, I recently reported here on my first ever "infection" since using Prevx/WSA (more than 10 years now) and what I had done to get rid of it. If this ever happens again, I shall first try the hint you give above.

Userlevel 3
Thanks!  I'll give it a try and let you know how things work out.  The worst thing is that my plugins are blocked and I can't use Flashplayer.
Userlevel 7
Hi Stuart
 
Welcome to the Community Forums.
 
We appreciate your desire to assist other Community members but if you wish to promote malware removal tips from other sites please do so outside the Forums, i.e., via an offer to PM (Private Message) with interested members.
 
For more information on the Guidelines please see here.
 
Regards, Baldrick
Userlevel 7
Hi yayb-baby
 
Sorry to hear about your issue.
 
Guruofsearch.com is indeed a browser hijacker...and it is most definitively 'caught' via bundling with other free software that one downloads off of the Internet. When installed, this browser hijacker (a PUA or Potentially Unwanted Application in Community parlance) will set the homepage and search engine for your web browser to http://guruofsearch.com.
 
Given what you say about not having installed any software recently usually the key to avoiding them is to make sure that when downloading apps one does so from the author's own website or one that they have recommended, and not a 3rd party downloading site.
 
WSA does detect and remove many PUA's, and more are being added, but WSA does not detect all of them. A simple browser add-on with PUA behaviour that is easy to identify and easy to remove is not likely to be detected and removed by WSA. Those that are intentionally difficult to locate and remove are. Please see THIS LINK for more information regarding Webroot's stance on these annoying programs.
 
To make sure that your WSA is checking for PUAs proficiently, it sometimes helps to reset the PUA detection within WSA's settings. For PUA's that had previously been scanned and determined to be OK, but have since been added to detection/removal, you may want to complete the following steps:
 
  • Open Webroot SecureAnywhere
  • Click on ‘Advanced Settings’ from the top right
  • Select ‘Scan Settings’ from the left side
  • Unselect the option “Detect Potentially Unwanted Applications”
  • Click on the Save button (you may have to enter in a CAPTCHA)
  • Reselect the option to “Detect Potentially Unwanted Applications”
  • Click on the Save button
  • Run another scan with Webroot and remove any items that get detected.
 
If that does not help and you feel or consider yourself technically proficient then you can try these steps to remove it from your system.
 
And if that does not work or you do not feel technically capable then the best thing to do is to Open a Support Ticket & ask Webroot Support to take a look and remove these for you.  There is NO CHARGE for this for valid/active WSA license holders.
 
Hope that helps somewhat?
 
Regards, Baldrick
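
The post above says a hijacker of this kind rewrites the browser's homepage and search engine. As an added example (not part of the original post, and not Webroot or Google code), this Python sketch audits a Chrome `Preferences` JSON document for those settings; the key names are assumptions about the profile layout and the sample data is constructed.

```python
import json
from urllib.parse import urlsplit

# Names taken from the posts in this thread, matched against hostname labels.
NAMES_FROM_THREAD = {"guruofsearch", "conduit"}

def host_of(url):
    """Return the lowercase hostname of a settings URL."""
    # Assumption: Chrome's built-in Google entry uses this placeholder prefix.
    url = url.replace("{google:baseURL}", "https://www.google.com/")
    if "://" not in url:
        url = "http://" + url  # tolerate entries stored without a scheme
    return (urlsplit(url).hostname or "").lower()

def collect_settings(prefs):
    """Yield (setting, url) for homepage, startup pages and default search."""
    # Key names below are assumed; they may differ between Chrome versions.
    if prefs.get("homepage") and not prefs.get("homepage_is_newtabpage", False):
        yield "homepage", prefs["homepage"]
    for url in prefs.get("session", {}).get("startup_urls", []):
        yield "startup_url", url
    search = prefs.get("default_search_provider_data", {})
    if search.get("template_url_data", {}).get("url"):
        yield "search_engine", search["template_url_data"]["url"]

def audit(prefs, expected_hosts):
    """List every setting whose host is not one the user expects."""
    findings = []
    for setting, url in collect_settings(prefs):
        host = host_of(url)
        if any(host == e or host.endswith("." + e) for e in expected_hosts):
            continue
        named = bool(NAMES_FROM_THREAD & set(host.split(".")))
        findings.append({"setting": setting, "host": host,
                         "named_in_thread": named})
    return findings

# Constructed sample: a profile after the hijacker has changed its settings.
HIJACKED = json.loads("""
{"homepage": "http://guruofsearch.com/",
 "homepage_is_newtabpage": false,
 "session": {"restore_on_startup": 4,
             "startup_urls": ["http://guruofsearch.com/",
                              "https://www.google.com/"]},
 "default_search_provider_data": {"template_url_data": {
     "short_name": "Search",
     "url": "http://search.conduit.example/?q={searchTerms}"}}}
""")

# Constructed sample: the same profile after a settings reset.
CLEAN = json.loads("""
{"homepage": "", "homepage_is_newtabpage": true,
 "session": {"restore_on_startup": 5},
 "default_search_provider_data": {"template_url_data": {
     "url": "{google:baseURL}search?q={searchTerms}"}}}
""")

if __name__ == "__main__":
    for finding in audit(HIJACKED, {"google.com"}):
        print(finding)
```

To check a real profile, load its `Preferences` file with `json.load` and pass the hosts you actually chose as `expected_hosts`; on Windows some of these settings may be stored in the profile's `Secure Preferences` file instead.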
 
Userlevel 7
No worries...;)
 
When you say that your "plugins are blocked and I can't use Flashplayer" precisely what do you mean/how does the blocking/issue manifest itself? Are there any messages informing you of the blocking? What are you seeing?
 
Regards, Baldrick
Userlevel 7
No worries, Muddy7
 
We are all of us a learning...every day...and that is what makes this Community so great. :D
 
Regards, Baldrick
Userlevel 7
Baldrick has it right on the nail.  WSA has until recently not detected and removed what we call PUA's.. that is new to the 2014 version and the functionality of it is still in the beginning stages.  Each time someone posts here regarding a specific one, especially if we have them contact Support about it, that helps bring more and more PUA's into the radar, getting them added to the Cloud detection.
 
In that sense, we are ALL 'training' Webroot, but it is on a global scale and trains it for all users at the same time :)
Userlevel 7
We are fully aware of Conduit and the like; they are classified as PUA. The majority of these programs are user installed and will ask the user a number of times if they want to install said toolbar.
 
If they don't and/or they don't uninstall correctly we will mark them bad in our database. However, just because people don't like the software doesn't mean it is automatically bad software. We mark thousands of pieces of PUA bad every day. We are constantly testing these and will adjust them from good->bad or bad->good depending on changes that are made to the software.
Userlevel 7
Browser Hijackers are not malware but in nearly all cases are user installed toolbars. PUAs often come bundled with other junk that will install a toolbar or will change the default homepage. Please don't post links to 3rd party sites/tools, we can fix these issues for our customers without using them.
I'm upset that the techs for webroot haven't classified this conduit.search as a PUP (potentially unwanted program) or PUA (application). I ended up with this extremely annoying toolbar that I NEVER agreed or consented to, and all my attempts to remove it have failed. Evidently, this add-on, tool bar, or browser hijacker (which is what I prefer to call it, because you NEVER get your REAL browser back....EVER) whatever you want to call it, comes secretly bundled to whatever program you download. I ALWAYS do the CUSTOM install, whenever I download anything, so I can UNCHECK all the programs and extensions and add ons I DON'T want. But this CONDUIT never EVER appeared in any of my custom installs. It changed the layout, color and font size of my google chrome page, added the mixidj search bar, added the delta search bar, allowed for constant pop ups and unwanted ads, and changed the layout and font size of my face book page. Now, it may not TECHNICALLY be a VIRUS, but it SURE is an UNWANTED program, that I didn't CONSENT to. When you spend at least three weeks trying to remove this UNWANTED software, believe me, you've tried going to programs and looking for conduit to remove it or going to the settings option and resetting your page as whatever, or resetting your default page as whatever or resetting your browser as whatever in addition to REMOVING this PUA, PUP...whatever, MULTIPLE times, ONLY to have it RETURN, EVERY TIME. I've gone into the REGISTRY to try to delete the specific files, but they ALWAYS come back. Now, if THAT'S not the very DEFINITION of a VIRUS, I don't know what is. Your software developers need to study this PUP and find out how to develop a FILTER for it, because believe me, it is HIGHLY UNWANTED. To suggest the very basic program removing techniques is an INSULT after how much time and energy so MANY ppl have spent trying to get RID of this PUP.
Userlevel 7
Badge +55
It's not an infection, it's a PUA. Have a look at this KB Article: https://community.webroot.com/t5/Tips-and-Tricks-KB/How-to-Remove-Potentially-Unwanted-Applications/ta-p/40744# Also have a look at this thread: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/How-to-Get-Rid-of-TopArcadeHits-Infection/td-p/56423#.UjOn1j-c44I
 
TH
Userlevel 7
Badge +55
Hello Charlotte_Sterling and Welcome to the Webroot Community Forums!


 
Yes that is possible and so many sites add PUA's to software but most of the time if it's a Fake Adobe update it would be mostly a true infection. Also Adobe adds Crapware to their installers and users have to watch when installing and make sure to uncheck any unwanted add-ons.
 
Cheers,
 
TH ;)

Userlevel 7
Badge +55

@GettinBetter wrote:
Yeah, Cheers for that little pearl Baldrick  😃 , I have now submitted a support ticket.  Not sure I qualify though I only have the trial version, but this could be a turning point as far as my security software goes.  I've been with ESET for years, but only because they were the only ones doing 64 bit software at the time.
 

I was a Big NOD32 user fan and had Prevx running with it and found out I didn't need NOD32 as Prevx was protecting much better and Prevx was Acquired by Webroot in Nov 2010 and made it much better and with more features and you can't beat the Cloud as it's the future and it's here now! Only a 745kb installer 3 to 6MB of RAM and all the work is done in the Cloud!
 
Daniel ;)
 


Userlevel 7
Badge +55
Hello @Allen_Clark please don't post links to off site help forums, just forums for OS's such as Microsoft Answer Forums: http://answers.microsoft.com/en-us as Webroot likes to help their own users and members.
 
TIA,
 
Daniel ;)
Userlevel 2
Sorry, I disagree with your solution.  Not that you are wrong, but that it's not that simple.  Conduit is a hijacker and once you get it, you may spend weeks getting rid of it.  Once it's on your system if you have multiple browsers like Internet Explorer, FireFox, Opera, etc. it will infest all of them and you need to clean each one separately, and then clean your system, uninstall it and it comes right back.  I don't know why we can't have webroot do a cleaner for it or a filter to prevent it. It's a real pain.  Check out the internet, everyone is fighting this nasty unwanted hijacker.
Userlevel 7
Conduit has now been changed to PUA so we are blocking the installers. I still stand by my original point that a large number of these toolbars do require a user to click yes to install. We can't block every single installer of programs that people don't like, if we did that I'd guess that about 95% of software programs would be blocked!
Userlevel 7
Badge +55
That's what we try to do is have a conversation and in the end hopefully everyone will be happy. But the point is Conduit & I never seen an update from Java or Adobe with Conduit.
 
TH
Userlevel 7
Hi Charlotte
 
Welcome to the Community Fora...:D
 
Sounds like your husband should heed your advice, as should a good many others...it is sound  (apart from the bit about the Mac...;)...but then again, I am a diehard PC head and no fan of the Glowing White Apple).
 
Dispensing that sort of advice please do stick around...you will be most welcome.
 
Regards, Baldrick
Userlevel 7
Hi GettinBetter
 
So DON'T click on it.  http://www.emotiyou.com/galerie/films/animation/moi-moche-mechant/minions/201310250040YAU.gif
 
At this point it is worthwhile making sure that you are in possession of all the words of wisdom expounded in this thread so far, and that you may have missed (apologies if you have not...but thought it best to make sure...;)).
 
If you have not yet seen them please see Daniel's wise words in this previous post...in case it can be of assistance.
 
Regards
 
 
Baldrick
Userlevel 7
Hi GettinBetter
 
I am sure that you qualify, even on a trial license, after all...they will want to make you a happy punter, I am sure...and what better way to convince than with great support...which is what the Webroot Support Team are renowned for...amongst those who know.
 
Do keep us posted re. your experiences...and whether you decide to stick with WSA.
 
Regards
 
 
Baldrick
Userlevel 7
Hi Charlotte
 
It is not so much that you are training WSA but rather that the Cloud that holds all the information on what is good and what is not good grows daily, what with all the Webroot Threat Researchers continually analysing new files and apps that are daily being released and/or new versions of existing files and apps.
 
So when your system is scanned the threat database in the Cloud will have changed, and things previously not flagged up will be, etc.
 
If you take a look at the excellent post that Daniel put up earlier you will see what all of that entails.
 
Hope that helps...and keep asking the questions. ;)
 
Regards
 
 
 
Baldrick
 
PS.  What I occasionally do is go into the Advanced Settings, Scan settings, and toggle off the Detect PUAs...setting, save the configuration, then go back in and toggle it back on, save once more and then run a scan.  This is a tip provided by one of the excellent Threat Researchers, as something that seems to 'bump' the detection of PUAs/PUPs...not sure how or why but it seems to, so you may want to try it. :D
Userlevel 7
Hi BobbyBoswell13
 
Welcome to the Community Forums.
 
Thanks for your input into the Great Debate...if only it were that simple but unfortunately PUAs come in all shapes and sizes, i.e., from different sources, impacting the system in different ways, embedding themselves in browsers, installed as programs, changing the Registry, adding services, etc., or any permutation of the aforementioned and more.
 
As I am sure that you must have read in numerous threads and posts on the topic WSA does detect and remove many PUA's, and more are being added, but WSA does not detect all of them. A simple browser add-on with PUA behaviour that is easy to identify and easy to remove is not likely to be detected and removed by WSA.
 
There are those that are intentionally difficult to locate and remove. But having said all of that Webroot does have an official stance on these annoying programs, which you can read more on here if you are interested.
 
Also, one of our gurus @shorTcircuiT has posted an Idea for Webroot to consider asking them to increase PUA detection.  Please go along, review this, add your comments (this is the best place as the Development Team frequently review what has been raised/posted in the Ideas Exchange) and even kudo the feature request...it will all help to get traction on improving WSA...and after all that is one of the things we want to do...help make WSA a better product.
 
Regards, Baldrick
Userlevel 7
Thank you for your post HydroNick.
 
I am not quite sure what you mean by "browser hijacker" but I would certainly like to help you out.
 
From what you are describing, it sounds like a browser extension has been changed through your browser. Please follow the instructions below.
 
Navigate to your Google Chrome Settings:


 
Change your search engine to Google if that is what you prefer:


 
If you are ever afraid that you have an infection, please Submit a Support Ticket. This is the best place for issues that involve an infection because we can keep track of the interaction and get logs from your system to help investigate.
