Solved

Malware infection in IE11

Posted on 2014-02-27
25
73 Views
Last Modified: 2016-11-23
This is a Dell XPS8400 running Win7 and IE11 with latest updates.

I was looking for a cheap free file conversion application and found one on CNET which I downloaded and installed. Terrible mistake to put it mildly! This is really embarrassing but my system immediately started displaying indications of malware or a virus. Some of the things I began seeing were:
1) Pop-up ads on IE pages that never had pop-up ads. Several of these suggested I click to download some driver update. At least I was smart enough not to click on any of these.
2) Opening a new tab, which should be blank, takes me to a site with the URL search.conduit.com/.... which has a pop-up ad.
3) If I try to open IE Manage Add-ons, the screen goes gray and IE crashes. I can only open Manage Add-ons through Control Panel/Internet Options. Once open, there are a couple of add-ons that I don't remember seeing before, but they are disabled.
4) Chrome started displaying similar symptoms so I deleted it.

So, my questions are:
1) Does this seem likely to be a security risk or is it mainly just annoying?
2) What steps should I follow to rid myself of this pest?
3) I've considered going back to a recent restore point. Is this a reasonable approach and will this affect any user files?

Thanks for any advice you can offer. I'm getting ready to do my taxes, which involves quite a bit of computer activity. I can do this work on another PC, but it would be more convenient to use my main system.

Wayne
Question by:wayneskid
25 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 39893692
Close IE and any applications like Office or Outlook.

From another computer, download Process Explorer from Microsoft. Run Process Explorer on the affected system.

See if, down the left side under Explorer, there is an alphanumerically labelled process. If so, kill the process but do not restart.

From another computer, download Malwarebytes (malwarebytes.org) and run Malwarebytes on the affected system.

When the scan is done and you have deleted malware, restart and see where you stand.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39893710
Thanks John,
re. Malwarebytes, is the free version sufficient?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39893712
Yes. I had this kind of problem with a client and we solved it by the above method. I used the free Malwarebytes.

I use, and this client uses, Symantec Endpoint Protection, but like any anti-virus, sometimes clicking on a bad link evades the anti-virus.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 39893713
Conduit virus.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 39893715
Check the other EE questions; one was just answered about how to get rid of Conduit.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39893718
John,
Do you think I should be concerned that this might be malicious (i.e., key logger, stealing personal information, etc.) or is it more likely just extremely annoying?

I do have Norton 360 and have run a full system scan.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39893727
I am not sure if it is a key logger or just maliciously annoying. In addition to running Malwarebytes (good practice in these situations), also look at the link below for removing the Conduit Search from your system.

http://www.techsupportall.com/how-to-remove-conduit-search/

I think if you can get rid of it, that your information may be ok.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39893732
OK I'll look at that. Do you think a system restore to a known good restore point might also solve this?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39893737
I would do the scans first. If that fixes things, you might not wish to restore to a prior point as that will undo recent changes.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39893943
In the last couple of years the amount of additional 'software' that is installed along with the program you wanted has skyrocketed. One must be extremely watchful when installing any downloaded software. You must decline the installation of all but the desired program (which will be the last one in the list of installers). Conduit is one of the major funders for the free download sites. It used to be the Ask toolbar, but times have changed. Conduit isn't malware by definition; it is doing exactly what you agreed to when you installed it (by the mistake of not reading everything in the install process).
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39898843
1) If anything unknown is running, of course it's a security risk. We cannot say from here if it is really a simple adware or not; you should...
2) ...scan the system offline, for example using a boot CD with an updatable virus scanner, or simply MS Windows Defender Offline.
3) Restore points can be used but will of course not cure file infections (if any).
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901477
OK, finally getting back to this.

John, you said "From another computer, download Process Explorer from Microsoft. Run Process Explorer on the affected system. See if, down the left side, under Explorer, if there is an alphanumerically labeled process. If so, kill the process but do not restart."

Not sure what you mean; there are several alphanumerically labelled processes, Snagit32.exe for example.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39901513
I should have said random alphanumeric, like 0000E48ADC.... SnagIt32 is fine; I use it. If there are no such random processes as in the prior line, then close Process Explorer and go on to finding malware with Malwarebytes and other tools as suggested.
0
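As an added illustration of the check John describes doing by eye in Process Explorer (this script is not part of the thread and was not run by anyone in it), the PowerShell below lists running processes whose name looks like a random hex string such as 0000E48ADC, whose executable lives outside the Windows and Program Files directories, or whose binary fails an Authenticode signature check. It is read-only and terminates nothing. The `$randomName` pattern and the trusted-root list are assumptions chosen for this example, not rules from the thread.

```powershell
# Added example, not from the thread. Triage running processes the way John Hurst
# suggests doing by eye in Process Explorer: flag names that look like random hex
# strings (e.g. 0000E48ADC), executables outside the usual system locations, and
# binaries without a valid Authenticode signature. Read-only: nothing is terminated.
# Run from an elevated PowerShell prompt so that more process images are readable.

# Assumption for this example: a "random" name is 8 or more hex characters and nothing else.
# Real program names (SnagIt32, explorer, chrome) contain letters outside A-F and do not match.
$randomName   = '^[0-9A-F]{8,}$'
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$findings = Get-Process | ForEach-Object {
    $p = $_
    $path = $null
    try { $path = $p.MainModule.FileName } catch { }   # protected or 64-bit processes may deny access
    $flags = @()

    if ($p.ProcessName -match $randomName) { $flags += 'random-looking name' }

    if ($path) {
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $flags += "image outside system dirs: $path" }

        # Unsigned or tampered binaries are worth a second look before trusting them
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    }

    if ($flags.Count -gt 0) {
        New-Object PSObject -Property @{
            ProcessId = $p.Id
            Name      = $p.ProcessName
            Flags     = ($flags -join '; ')
        }
    }
}

$findings | Select-Object ProcessId, Name, Flags | Format-Table -AutoSize -Wrap
```

The output is a triage list, not a verdict: legitimate per-user installs (anything under the user profile) will also be flagged, so each hit should be checked against its publisher and install date, exactly as the thread does for SnagIt32, before any process is killed.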
 
LVL 1

Author Comment

by:wayneskid
ID: 39901540
Running Process Explorer, I see CLTMNG.exe by Conduit. Tried to kill the process but got access denied.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39901554
That should go. That process is what keeps the pop ups going.

Close Process Explorer, close IE, and close down anything you are not using (Outlook, Office, Adobe).

Now right click on Process Explorer and select Run as Administrator. Authorize. Now try to kill CLTMNG.EXE and see if you can.

If so, close Process Explorer but do not shut down. Run Malwarebytes again. See if you can uninstall Conduit now that the process is not running.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 39901567
Here is an article (one of many) on how to remove CLTMNG.EXE if the suggestions above don't work.

http://malwaretips.com/blogs/cltmng-exe-virus-removal/

CNET looks bad for openly distributing malware that wrecks machines. I hope someone from CNET sees this.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901598
Running MalwareBytes quick scan shows 167 malicious objects. The first few of them have the name PUP.OPTIONAL.CONDUIT.A and the rest all start with PUP.OPTIONAL. Some of these are registry keys. Should I remove all 167 of these files? Deleting registry keys makes me very nervous.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 39901607
You can back up the registry first, but these entries do look malicious to me. I cleaned up a client computer this way. After looking at them, I deleted them and the computer was fine afterward.

Back up important things just in case and proceed. Malwarebytes does not mark good items as malicious.
0
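John's advice to back up the registry before letting Malwarebytes delete keys, and McKnife's point that a restore point is a reasonable safety net, can be done in one step. The PowerShell below is an added example, not code from the thread or from Malwarebytes: it creates a restore point, exports the standard Internet Explorer and startup keys that browser toolbars typically edit to .reg files that can be re-imported with `reg import`, and then does a read-only sweep of those keys for the search provider name from the question. The list of keys and the backup folder name are choices made for this example.

```powershell
# Added example, not from the thread. Snapshot the registry areas that browser adware
# typically edits BEFORE a cleanup tool deletes entries, then list any values under
# them that mention the search provider named in the question. Apart from writing the
# .reg backups and a restore point, this is read-only. Run from an elevated prompt.

$backupDir = Join-Path $env:USERPROFILE ("RegBackup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# A restore point covers the whole set of hives, in case a tool removes more than intended
Checkpoint-Computer -Description 'Before adware cleanup' -RestorePointType MODIFY_SETTINGS

# Standard Windows locations that toolbars and search hijackers commonly touch
# (home page / start page, IE search providers, Browser Helper Objects, autostart entries)
$keys = @(
    'HKCU\Software\Microsoft\Internet Explorer\Main',
    'HKCU\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Export each key; a .reg file can be restored later with: reg import <file>
foreach ($k in $keys) {
    $file = Join-Path $backupDir (($k -replace '[\\:]', '_') + '.reg')
    reg.exe export $k $file /y 2>$null | Out-Null
}
Write-Host "Registry backups written to $backupDir"

# Read-only sweep: print every value whose key name, value name or data mentions the hijacker
$needle = 'conduit'   # the search provider named in the question
foreach ($k in $keys) {
    $psPath = 'Registry::' + $k
    if (-not (Test-Path $psPath)) { continue }
    $items = @(Get-Item $psPath) + @(Get-ChildItem $psPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($item.Name -match $needle -or $name -match $needle -or $data -match $needle) {
                "{0}\{1} = {2}" -f $item.Name, $name, $data
            }
        }
    }
}
```

Review the printed hits alongside the Malwarebytes report: entries that appear in both are the ones the scanner is about to remove, and the exported .reg files give a way back if a removal breaks something the user relied on.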
 
LVL 1

Author Comment

by:wayneskid
ID: 39901617
Interesting comment on the MalwareBytes home page:

"CNET Editor's Rating - OUTSTANDING" with 4 1/2 stars out of five.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901644
I re-ran the MalwareBytes quick scan; it reports 157 objects labelled as:
Files - 105
Folders - 22
Memory Process - 4
Registry Data - 2
Registry Key - 22
Registry Value - 2

All found objects are named PUP.Optional.xxxx

You are saying I should have MalwareBytes remove ALL of these objects, correct?
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901648
This thing has a stranglehold on IE. I clicked on "Buy Now" to see what the cost would be, and IE hangs then crashes.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39901651
If they all look related (say PUP... ), then I would say delete them.
0
 
LVL 90

Accepted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 39901664
That IE hangs is the reason I was looking for randomly named processes. Keep IE closed until you get through with Malwarebytes and restart.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901817
I registered at MalwareBytes and did a search on the forum. The most recent case I found (Aug. 2013) was a user who was guided through a long, involved 7-step process that included downloading several other scan tools. The MalwareBytes staff person seemed quite knowledgeable and helpful. At the end of a week of back-and-forth postings, the user had installed the Pro version of MalwareBytes and "seemed" to have eliminated the problem. Yet some here have suggested this would be a simple matter of having MalwareBytes remove 157 suspicious objects (including some registry items) and restarting the system. This feels a little 'brutal' and I'm a little reluctant to proceed, but I really need to put this behind me and move on with life.

Does anyone else have thoughts on the best way to go from here?

Thanks to everyone!
0