Solved

Malware infection in IE11

Posted on 2014-02-27
Last Modified: 2016-11-23
This is a Dell XPS8400 running Win7 and IE11 with latest updates.

I was looking for a cheap free file conversion application and found one on CNET which I downloaded and installed. Terrible mistake to put it mildly! This is really embarrassing but my system immediately started displaying indications of malware or a virus. Some of the things I began seeing were:
1) Pop-up ads on IE pages that never had pop-up ads. Several of these suggested I click to download some driver update. At least I was smart enough not to click on any of these.
2) Opening a new tab which should be blank, takes me to a site with the URL search.conduit.com/.... which has a pop up ad
3) If I try to open IE Manage Addons the screen goes gray and IE crashes. I can only open Manage Addons through the Control Panel/Internet Options. Once open, there are a couple of addons that I don't remember seeing before but they are disabled.
4) Chrome started displaying similar symptoms so I deleted it.

So, my questions are:
1) Does this seem likely to be a security risk or is it mainly just annoying?
2) What steps should I follow to rid myself of this pest?
3) I've considered going back to a recent restore point. Is this a reasonable approach and will this affect any user files?

Thanks for any advice you can offer. I'm getting ready to do my taxes, which involves quite a bit of computer activity. I can do this work on another PC, but it would be more convenient on my main system.

Wayne
0
Question by:wayneskid
25 Comments
 
LVL 98

Assisted Solution

by:John Hurst
John Hurst earned 2000 total points
ID: 39893692
Close IE and any applications like Office or Outlook.

From another computer, download Process Explorer from Microsoft. Run Process Explorer on the affected system.

See if, down the left side under Explorer, there is an alphanumerically labeled process. If so, kill the process but do not restart.

From another computer, download Malwarebytes (malwarebytes.org) and run Malwarebytes on the affected system.

When the scan is done and you have deleted malware, restart and see where you stand.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39893710
Thanks John,
re. Malwarebytes, is the free version sufficient?
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39893712
Yes. I had this kind of problem with a client and we solved it by the above method. I used the free malwarebytes.

I use and this client uses Symantec Endpoint Protection but like any Anti Virus, sometimes clicking on a bad link evades the Anti Virus.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 39893713
Conduit virus.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 39893715
Check the other EE questions; one was just answered about how to get rid of Conduit.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39893718
John,
Do you think I should be concerned that this might be malicious (i.e., a key logger, stealing personal information, etc.) or is it more likely just extremely annoying?

I do have Norton 360 and have run a full system scan.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39893727
I am not sure if it is a key logger or just malicious annoying. In addition to running malwarebytes (good practice in these situations), also look at the link below for removing the Conduit Search from your system.

http://www.techsupportall.com/how-to-remove-conduit-search/

I think if you can get rid of it, that your information may be ok.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39893732
OK I'll look at that. Do you think a system restore to a known good restore point might also solve this?
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39893737
I would do the scans first. If that fixes things, you might not wish to restore to a prior point as that will undo recent changes.
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39893943
In the last couple of years the amount of additional 'software' that is installed along with the program you wanted has skyrocketed. One must be extremely watchful when installing any downloaded software. You must decline the installation of all but the desired program (which will be the last one in the list of installers). Conduit is one of the major funders for the free download sites. It used to be the Ask toolbar, but times have changed. Conduit isn't malware by definition; it is doing exactly what you agreed to when you installed it (by the mistake of not reading everything in the install process).
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39898843
1) If anything unknown is running, of course it's a security risk. We cannot say from here if it is really simple adware or not; you should...
2) ...scan the system offline, for example using a boot CD with an updatable virus scanner, or simply Microsoft Windows Defender Offline.
3) Restore points can be used but will of course not cure file infections (if any).
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901477
OK, finally getting back to this.

John, you said "From another computer, download Process Explorer from Microsoft. Run Process Explorer on the affected system.  See if, down the left side, under Explorer, if there is an alphanumerically labeled process. If so, kill the process but do not restart."

Not sure what you mean; there are several alphanumeric labeled processes; Snagit32.exe for example.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39901513
I should have said random alphanumeric, like 0000E48ADC. SnagIt32 is fine - I use it. If there are no such random processes as the prior line, then close Process Explorer and go on to finding malware with Malwarebytes and other tools as suggested.
0
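The two checks John describes above (a process with a random-looking name, and a vendor process such as CLTMNG.exe that keeps the pop-ups going) can be done from a script as well as by eye in Process Explorer. The following is an added example, not code from the thread or from any tool it names; it assumes an elevated PowerShell prompt on the affected Windows 7 machine, and the "random name" regex and the vendor string 'Conduit' are my own choices, picked to match the examples given in the thread. It also lists the Run keys and IE Browser Helper Objects, which is where an installed toolbar survives a restart and where the unfamiliar disabled add-ons from the question are registered.

```powershell
# Added example (not from the thread). Triage for the symptoms discussed above.
# Assumptions: elevated prompt, Windows 7 / PowerShell 2.0 or later; the pattern
# below and the vendor string are mine, chosen to match 0000E48ADC and CLTMNG.exe.

$randomNamePattern = '^[0-9A-Fa-f]{8,}\.exe$'   # long hex run, e.g. 0000E48ADC.exe
$suspectVendor     = 'Conduit'

# Win32_Process gives the image path, which lets us read the file's CompanyName.
$findings = Get-WmiObject Win32_Process | ForEach-Object {
    $exe = $_.ExecutablePath
    $company = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
    }
    New-Object PSObject -Property @{
        Pid     = $_.ProcessId
        Name    = $_.Name
        Path    = $exe
        Company = $company
    }
} | Where-Object {
    ($_.Name -match $randomNamePattern) -or
    ($_.Company -like "*$suspectVendor*") -or
    ($_.Path -like "*$suspectVendor*")
}

if ($findings) {
    Write-Host "Processes worth a closer look:"
    $findings | Format-Table Pid, Name, Company, Path -AutoSize
} else {
    Write-Host "No random-looking or $suspectVendor-related processes found."
}

# Autostart entries: the per-machine and per-user Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "`n$key"
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "  {0,-30} {1}" -f $_.Name, $_.Value }
}

# IE Browser Helper Objects: each subkey is a CLSID; resolve it to a name and DLL.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Write-Host "`nBrowser Helper Objects:"
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $desc = ''; $dll = ''
        if (Test-Path $clsidKey) {
            $desc = (Get-ItemProperty $clsidKey).'(default)'
            if (Test-Path "$clsidKey\InprocServer32") {
                $dll = (Get-ItemProperty "$clsidKey\InprocServer32").'(default)'
            }
        }
        "  {0}  {1}  {2}" -f $clsid, $desc, $dll
    }
}
```

A process that matches the name pattern, or whose Run-key or BHO entry points at a DLL under a user profile or temp folder, is the thing to note down before the scanner removes it, so the finding can be matched against what Malwarebytes reports later.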
 
LVL 1

Author Comment

by:wayneskid
ID: 39901540
Running Process Explorer, I see CLTMNG.exe by Conduit. Tried to kill the process but got access denied.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39901554
That should go. That process is what keeps the pop ups going.

Close Process Explorer, close IE, and close down anything you are not using (Outlook, Office, Adobe).

Now right click on Process Explorer and select Run as Administrator. Authorize. Now try to kill CLTMNG.EXE and see if you can.

If so, close Process Explorer but do not shut down. Run Malwarebytes again.  See if you can uninstall conduit now that the process is not running.
0
 
LVL 98

Assisted Solution

by:John Hurst
John Hurst earned 2000 total points
ID: 39901567
Here is an article (one of many) on how to remove CLTMNG.EXE if the suggestions above don't work.

http://malwaretips.com/blogs/cltmng-exe-virus-removal/

CNET looks bad for openly distributing malware that wrecks machines. I hope someone from CNET sees this.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901598
Running MalwareBytes quick scan shows 167 malicious objects. The first few of them have the name PUP.OPTIONAL.CONDUIT.A and the rest all start with PUP.OPTIONAL. Some of these are registry keys. Should I remove all 167 of these files? Deleting registry keys makes me very nervous.
0
 
LVL 98

Assisted Solution

by:John Hurst
John Hurst earned 2000 total points
ID: 39901607
You can back up the registry first, but these entries do look malicious to me. I cleaned up a client computer this way. After looking at them, I deleted them and the computer was fine afterward.

Back up important things just in case and proceed. Malwarebytes does not mark good items as malicious.
0
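John's advice to back up the registry before letting Malwarebytes delete entries can be turned into a repeatable step. The following is an added example, not code from the thread or from Malwarebytes; it assumes an elevated PowerShell prompt, and the backup folder name and the list of keys to export (the Run keys, the Browser Helper Objects key and the IE Main/SearchScopes keys, which is where a search hijacker's settings live) are my choices rather than something the thread prescribes. It exports each key with reg.exe so a single deletion can be replayed later, and then creates a System Restore point as a second safety net.

```powershell
# Added example (not from the thread). Safety net before a scanner deletes
# registry entries: .reg exports of the usual hijacker keys plus a restore point.
# Assumptions: elevated prompt; folder name and key list are mine.

$backupDir = Join-Path $env:USERPROFILE ("RegBackup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# reg.exe syntax (HKLM\..., not HKLM:\...) because reg.exe does the export and
# writes a plain-text .reg file that 'reg import' can replay.
$keysToExport = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKCU\Software\Microsoft\Internet Explorer\Main',
    'HKCU\Software\Microsoft\Internet Explorer\SearchScopes'
)

$exported = @()
foreach ($key in $keysToExport) {
    $file = Join-Path $backupDir (($key -replace '[\\: ]', '_') + '.reg')
    & reg.exe export $key $file /y 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) {
        $exported += $file
    } else {
        # A missing key (e.g. Wow6432Node on 32-bit Windows) is not worth stopping for.
        Write-Warning "Skipped $key (not present or not readable)"
    }
}
Write-Host ("Exported {0} key(s) to {1}" -f $exported.Count, $backupDir)

# System Restore checkpoint. Fails if System Protection is turned off for the
# system drive, in which case the .reg exports above are the only rollback.
try {
    Checkpoint-Computer -Description 'Before Malwarebytes cleanup' `
        -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
    Write-Host 'Restore point created.'
} catch {
    Write-Warning "Could not create a restore point: $($_.Exception.Message)"
}

# To put back one exported key later (elevated prompt):
#   reg.exe import "<path to the .reg file in $backupDir>"
```

Restoring a single .reg file only re-creates values that were deleted; it does not remove anything added since, which is the behaviour wanted here. A full restore point, by contrast, rolls back every setting change since it was taken, which is why the scans are worth running before falling back to it.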
 
LVL 1

Author Comment

by:wayneskid
ID: 39901617
Interesting comment on the MalwareBytes home page:

"CNET Editor's Rating - OUTSTANDING" with 4 1/2 stars out of five.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901644
I re-ran the Malwarebytes quick scan; it reports 157 objects labeled as:
Files - 105
Folders - 22
Memory Process - 4
Registry Data - 2
Registry Key - 22
Registry Value - 2

All found objects are named PUP.Optional.xxxx

You are saying I should have MalwareBytes remove ALL of these objects, correct?
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901648
This thing has a stranglehold on IE. I clicked on "Buy Now" to see what the cost would be and IE hangs, then crashes.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39901651
If they all look related (say PUP... ), then I would say delete them.
0
 
LVL 98

Accepted Solution

by:John Hurst
John Hurst earned 2000 total points
ID: 39901664
That IE hangs is the reason I was looking for randomly named processes. Keep IE closed until you get through with Malwarebytes and restart.
0
 
LVL 1

Author Comment

by:wayneskid
ID: 39901817
I registered at MalwareBytes and did a search on the forum. The most recent case I found (Aug. 2013) was a user that was guided through a long involved 7 step process that included downloading several other scan tools. The MalwareBytes staff person seemed quite knowledgeable and helpful. At the end of a week of back and forth postings the user had installed the Pro version of MalwareBytes and "seemed" to have eliminated the problem. Yet some here have suggested this would be a simple matter of having MalwareBytes remove 157 suspicious objects (including some registry items) and restarting the system. This feels a little 'brutal' and I'm a little reluctant to proceed but really need to put this behind me and move on with life.

Does anyone else have thoughts on the best way to go from here?

Thanks to everyone!
0