Conduit Hijacked Firefox Search; About:Config disabled
A new version of Conduit has hijacked my FireFox browser, among other things. Every time I open a new tab it comes up in the conduit search engine rather than my default of Google. Any mistyping of a url sends me to bing via conduit. I used to be able to get into about:config and fix such problems, but now any attempt to do that simply sends me to bing. This is a horrible mess, and keeps happening, and FF users need a way to block these conduit takeovers.
Chosen solution
Comments by a Forum Moderator.
(This thread has over 80000 views)
Readers of the thread may be interested in a summary of some of this advice, including links for genuine free antimalware tools; and advice on preventing re occurrence of this and similar problems.
- I have posted downthread 10thFeb
- Please start your own question if you need help with your own problem
Use this special link it is direct & quicker cutting out some steps
Remember to follow prompts to provide troubleshooting information. You should see a green button to help by automating that.
A note as to what was done before hitting the forum: Malwarebytes & SuperAntiSpyware complete scans, which found and removed a number to things, all Conduit related. Kapersky TDSSKiller and MDAM chameleon found no problems.
RE >>To fix Firefox the first thing to do is to remove that Entrusted Toolbar extension through the Extensions tab of the Add-on manager. https://support.mozilla.org/en-US/kb/remove-toolbar-has-taken-over-your-firefox-search
The "entrusted11" addon pretended to uninstall. Upon FF restart, it was still there. In the meantime, I ran Hitman Pro scanner. It found & fixed several Conduit things that the others missed, plus a known malware. After a machine restart, the Entrusted11 addon did uninstall for real.
Another problem: FireFox was set to use a proxy. I set that back to no proxy and the redirects to Bing went away.
Search Reset extension installed and ran, but something (popup from some taskbar icon or FF addon -- they're close together and it disappeared quickly) blocked the changes to home page config. I reset that stuff manually under: Tools-->Options-->General.
Right-clicking the newtab checkerboard icon brought up the usual context menu for off-link right clicks on web pages, with no option to reset anything, BUT after using Hitman Pro and restarting the machine, that problem has cleared up.
Internet Explorer is still hijacked, so Hitman Pro did not solve all problems on this machine. I want to use Firefox awhile before I call this post solved.
Read this answer in context 👍 4All Replies (20)
hello, this sounds like a problem possibly caused by malware/malware on your pc. please go to firefox > addons > extensions & remove any suspicious entries (in particular entrusted11, other things that you have not installed intentionally, don't know what purpose they serve, etc). also go to the windows control panel / programs and remove all toolbars or potentially unwanted software from there and run a full scan of your system with the security software that you have in place and different other tools like the free version of malwarebytes & adwcleaner.
Remove a toolbar that has taken over your Firefox search or home page Troubleshoot Firefox issues caused by malware
The Conduit Plugin and the associated preference changes don't become installed all by themselves, the user is involved as a result of installing "crap" extensions or other garbage programs. You need to be more careful when deciding what add-ons or programs you install.
To fix Firefox the first thing to do is to remove that Entrusted Toolbar extension through the Extensions tab of the Add-on manager.
https://support.mozilla.org/en-US/kb/remove-toolbar-has-taken-over-your-firefox-search
Then install the Search Reset extension - https://addons.mozilla.org/en-US/firefox/addon/searchreset/
Then fix the about:newtab preference - https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off - and instead of double-clicking that preference, right-click that pref and select Reset.
Seçilmiş Həll
Comments by a Forum Moderator.
(This thread has over 80000 views)
Readers of the thread may be interested in a summary of some of this advice, including links for genuine free antimalware tools; and advice on preventing re occurrence of this and similar problems.
- I have posted downthread 10thFeb
- Please start your own question if you need help with your own problem
Use this special link it is direct & quicker cutting out some steps
Remember to follow prompts to provide troubleshooting information. You should see a green button to help by automating that.
A note as to what was done before hitting the forum: Malwarebytes & SuperAntiSpyware complete scans, which found and removed a number to things, all Conduit related. Kapersky TDSSKiller and MDAM chameleon found no problems.
RE >>To fix Firefox the first thing to do is to remove that Entrusted Toolbar extension through the Extensions tab of the Add-on manager. https://support.mozilla.org/en-US/kb/remove-toolbar-has-taken-over-your-firefox-search
The "entrusted11" addon pretended to uninstall. Upon FF restart, it was still there. In the meantime, I ran Hitman Pro scanner. It found & fixed several Conduit things that the others missed, plus a known malware. After a machine restart, the Entrusted11 addon did uninstall for real.
Another problem: FireFox was set to use a proxy. I set that back to no proxy and the redirects to Bing went away.
Search Reset extension installed and ran, but something (popup from some taskbar icon or FF addon -- they're close together and it disappeared quickly) blocked the changes to home page config. I reset that stuff manually under: Tools-->Options-->General.
Right-clicking the newtab checkerboard icon brought up the usual context menu for off-link right clicks on web pages, with no option to reset anything, BUT after using Hitman Pro and restarting the machine, that problem has cleared up.
Internet Explorer is still hijacked, so Hitman Pro did not solve all problems on this machine. I want to use Firefox awhile before I call this post solved.
Modified
After cleaning Win 7 registry of everything search.conduit, about.config in firefox, etc. and etc., I went to addons in ff and removed vafmusic (or whatever) and that ended the search.conduit.com (popup windows) interference for me.
Modified
Tried all of the suggestions proposed. Neither of them worked. Found a "Search Protect" in my tray. Uninstalled that shit using windows functions and now it is back to normal. Hope it helps and they don't invent the new extension/protection program/virus.
Hi all, I had this same problem..Conduit infested all 3 of my browsers!. I originally tried to remove it by going to 'uninstall programs' in my control panel..I couldn't find anything named conduit there so I finally ended up using CCleaner (free version).. and under the 'tools' bar they had an uninstaller program that listed all of my programs.. I finally found conduit! It was listed under a a hidden name called "search protect". I removed it immediately, and cleaned my entire computer!
Hi. Just saw this forum, and thought I could add something to it. This conduit has hijacked my computer 3 times, and does not allow me control to change my homepage. Even going under internet options and changing my home page manually, does not work. All 3 times, I finally restarted my computer from factory level and go through 4 to 5 hours for it to reboot. Have they tracked the source of this conduit yet? All 3 times it hit my computer, it was directly after downloading a Flash Player. My computer continually prompts me, that to access items, I must download the new version of Flash, but I do not want the conduit that comes with it. I always check all boxes that say I do not want tool bars, and do not change my homepage, but it does it anyway. I say the problem is with Flash, that is the only times this has happened to me. Why are we forced to take Flash, to keep our computers up to date, when they are forcing this conduit down our computers throat. If I have to use Flash, for my work, fine, but I do not want this conduit, that comes with it. Any suggestions or Ideas? Stop Hijacking my homepage-Flash Player.
Sgttipper1967: if you are getting infected with Conduit from updating your flash player, you may not be using the genuine Adobe product. I have seen them offer to install a different relatively useless toolbar but they always give the option not to do so. if you are using some product other than Adobe, I suggest you switch. It sounds as though you either have a bogus flash player or you are visiting one of the dubious web sites that claim you need a flash player upgrade and pretend to install one but put on the conduit mess instead. Also, whenever any site tells you that you need a flash upgrade or some such and offers you a button to click, it is much safer to ignore that button, open another tab and go directly to the official site for that software and download directly from them.
You may try this:
http://deletemalware.blogspot.com/2012/01/searchconduitcom-uninstall-guide.html (skip the download button) http://malwaretips.com/blogs/remove-conduit-apps-search-and-toolbar/
Also, there's a tool called AdwCleaner which may help you as well. Or your could simply reset Firefox and run Malwarebytes.
Modified
If you not using IE don't let windows install any update to do with it Anything with IE will have bing(crap) in it somewhere
Hope this Video helps.. How to Remove Conduit Toolbar from Mozilla Firefox Completely
Hope this helps.
edit by a moderator
- see also Ed's post above/en-US/questions/968030#answer-467696
The SearchReset addon installs, fixes some of these things and uninstalls itself. That is a quicker and easier method for some of the steps comparerd to the the method given in the video,
Modified
Exactly. Found a magnifying glass icon in the task bar called "Search Protect." Removed the program. Now it's back to what I wanted. When I open a new tab, the cursor is in the empty address bar as before. I don't know how I get the program because I'm pretty careful not to allow anything I haven't chosen. Anyway, now it's fixed.
There is a program named 'Search Protect' installed in your PC which is protecting the changes made in browser.newtab.url
Goto Control Panel > Programs and Features and Uninstall the 'Search Protect'
Now you will be free from the conduit, In sha allah!
Please try my detailed explanation of Registry cleaning of the keys and entries manually added by conduit, if anyone experiences re-infection after restart this is why, if you only uninstalled via control panel you did not solve the problem, you may have fixed your newtab issue on one browser, however the malware still exists in the background and there is still keys in the computer registry that point to re-write new executables.
Follow these steps if nothing else has worked for you, they will remove the core keys of conduit, these keys point to temp files that rewrite the main executable in turn re-hijacking browsers or just acting as spyware for everything your doing.
Open "Run", type "Regedit" (Pic below) http://imageshack.us/a/img138/4559/5yyb.png
This will open the Computers Registry, here is a Pic of the window below http://imageshack.us/a/img27/1152/gj1z.png
Okay, now we can see two main entries that we will work with out of the 5 folders, we will use only the 2nd and 3rd one or more specifically, HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.
Now we visualize the two folders that contain all the malwares behind the scene instructions, these are where the programs are directed to open and install things over and over again when you try to remove or delete them ect, so we can solve this now pretty easy if you are following for anyone reading this, this is universal for all malware/virus ect.
So, we know these two folders, we will start with the 2nd one or "HKEY_CURRENT_USER" on your computer, so we click the folder and expand it so we can see all the folders it holds inside it, easy? Okay, now you've opened the folder and it shows this below: http://img541.imageshack.us/img541/8872/yx25.png
Okay, this looks like yours, so your really following me now, this is good. You see software folder I highlighted, this is the next folder we will expand, not many steps left so stay with me please!
Open software, if you are on a infected computer you will right away see "Conduit" in the folder list, its alphabetical by the way, so it would be in the C named folders near the top! See below: http://imageshack.us/a/img36/8520/1yt.bmp
Okay you see the folder, you will delete "conduit" from the softwares list of folders, this is something you can feel comfortrable about doing, just don't delete anything but the specific "conduit" named folder, leave everything else. :D
So, we just deleted Conduits main software folder in the registry entry "HKEY_CURRENT_USER/Software" folder, so now we will go ahead and navigate further into the expanding folders, now that you are still in software, continue searching down to the Microsoft folder, near the M alphabetical order obviously.
Good you found Microsoft folder that is inside the software folder, now navigate to the folder called "Windows" inside the Microsoft folder which is inside the main software parent folder, you have expanded 3 folders, you see inside the "Windows" folder there is another folder called "CurrentVersion", and inside that folder is "Run" folder and "RunOnce" folder. You found the start up programs for the computers registry current user directory, congrats, this list inside the "Run" folder contains start up programs entries that tell the computer which application to start, and the location or target of the program its being told to start see pic below: http://imageshack.us/a/img22/9369/ja2b.png
You see on that list above in the picture, its 3 entries, 2 of them are for my legitimate programs, I created a Conduit one for you to visualize, this is where it will be on your computer, it will have Conduit as key name, and the data where it says EXAMPLE will just be a path to the conduit malware its starting!
You can safely delete that "Search Conduit" entry, or just "Conduit".
Okay we are 50% done, you did the main directory for "HKEY_CURRENT_USER" but we still need to do "HKEY_LOCAL MACHINE" folder, and expand that so we can do the SAME STEPS as above in current user directory, simple right? I made more pics just the same thing but this time in the 3rd folder, should be getting easy by now... There is the main folder here in LOCAL MACHINE: http://imageshack.us/a/img841/7205/3eew.png
Now you navigate to Software> and then Look for Conduit. http://imageshack.us/a/img593/4963/bc5c.png
under local machine and inside software folder, its called "conduit" on the list, delete Conduit as shown in the picture.
okay now we just gotta locate the same "Run" and "RunOnce" folders as we did before but this time we will stay under this new "LOCAL MACHINE" directory instead of being under CURRENT USER as before.
After deleting conduit on the list, move down to Microsoft folder again, expand, navigate to "Windows", expand it, and look for "Currentversion" folder. Inside the CurrentVersion folder locate "Run" folder, open it and inside it find "Conduit" or any related conduit seach protector entries as shown in the picture below: http://imageshack.us/a/img823/5093/uc9o.png
Delete only the conduit, now your registry is free of main conduit folders, and free of re-writing on restart of the malware!, now the only step left is to delete the physical files it was pointing to, how to do that easily you ask?
Use http://www.malwarebytes.org/mwb-download/
This antimalware program will clean all physical files, but you might want to check the registry yourself as it did not clean mine, but after I cleaned registry, then scanned with anti malware, it asked me to restart after quick scan finished, did so and it was 100% gone, I would recommend using the registry tips and guide I provided or else it will end up most likely re-writing on restart. I am on windows XP guys, but these steps are much the same on win8, the directories will be the same!
Good luck, I just removed this a few days ago, but for person who isn't used to using registry you don't have to formatt, you can follow the steps above to fix it. 100%.
I hope this helped someone who felt like none of the "uninstall" via control panel solutions that have people thinking its fixed, that is not really a solution, and I wouldn't use any private data on a computer with malware/spyware still infecting the system, I do believe the mentioned programs could solve the registry entries automatically, but I've known how to do them manually for a while, as Run folder is for ALL start up programs, and its commonly used by malware/spyware, as the average user will never venture into the registry.
TIP:With registry open, try CTRL+F and then search whole registry for the specific term your looking for, in this case I used "Conduit", this will automatically give you the navigation to these mentioned folders in the long explanation above, maybe I should have just recommended that, but the reason I didn't is because other programs might use the term "conduit" like hotspotshield, but has nothing to do with the specific malware we are erasing, so when searching for keys only search looking to find what I had shared, Conduit main folder in software under the 2 directories I mentioned CURRENT USER and LOCAL MACHINE; and the Run folders as provided pics of above.
Modified
I had deleted "search protect" using Revo Uninstaller, and it apparently deleted the registry entries that refer to conduit. And I've run Malwarebytes since then. It appears I don't have any problems with Firefox. I do, though, still have a problem with Chrome. It opens 3 tabs - my home page, a conduit search tab, and a Yahoo search tab. Since I no longer use Chrome, it's not a problem for me. But there is obviously still something lurking somewhere.
Hiya Wisdom, I just infected myself and deleted it, is a few different things you have to do for chrome differently then other browsers. First maintain your settings in chrome, goto Settings>On start up, click the option "new tab" upon startup, also click the button "Set pages" and then look for conduit on that list, delete it: pic shown http://imageshack.us/a/img191/5080/5cs7.png
Okay, after that goto Settings>Manage Search Engines:
http://imageshack.us/a/img7/2845/acp0.png
Then look for Sweettunes, or Conduit/Search Protect on that list: http://imageshack.us/a/img826/5620/bv3t.png
Delete them.
Open Run, then Type Regedit: http://imageshack.us/a/img138/4559/5yyb.png
Search these few terms: Conduit (If there is no conduit related keys move on to next term)
NativeMessaging (This one is important, it brings you to google folder inside registry, you will find some malicious entries or sub folders if your chrome is infected, it should look like mine did): http://imageshack.us/a/img9/3136/0bin.png
Malicious sub folder "nmhostct3311875", is holding a key pointing to a DLL, which points to a conduit temp .exe.
That above is a registry key in HKEY_LOCAL_MACHINE directory in google folder that survives malware scans, so check it if you want to attempt cleaning google.
After you search that, search it again, because there is more then one directory that holds Google and the subfolder NativeMessaging, with the subfolders or keys you want to delete, I leave the nativemessaging folder there, but deleted the sub folder of it and any keys contained inside it.
Here is the 2nd directory holding the NativeMessaging sub folders with keys, this one is in HKEY_USERS instead of HKEY_LOCAL_MACHINE like the one above: http://imageshack.us/a/img18/7947/wf29.png
(Note the directory at the bottom of the screenshots to see where I navigated or just search the term mentioned before.
Lastly, search TBHostSupport
As you can see this TBHostSupport hi-jacks the windows "rundll32" to rewrite conduit related temp files ect: http://imageshack.us/a/img809/6669/okrd.png
Delete that TBHostSupport key inside Run folder, DO NOT delete the folder of Run; just the one key of TBHostSupport, right click the key and delete it, here is malware notification: http://imageshack.us/a/img28/9867/y680.png
Check for any Proxy servers on your registry keys for Internet Settings: http://imageshack.us/a/img201/9166/wvhp.png
I had ProxyOverride and ProxyServer both added to the InternetSettings folder as keys, so I deleted those two keys but I took screenshots of it before just incase I needed to re-add them. You can backup your registry first by clicking File>Export then save the file.
Note the Navigation bar at bottom if you need help finding Internet Settings folder in the registry, it shouldn't be a major problem. Its actually easy after you get used to navigating to software>microsoft>windows>currentversion>InternetSettings
The only thing that changes is the main directory your looking in, since HKEY_LOCAL_MACHINE, HKEY_CURRENT_USERS and HKEY_USERS are all containing relevant keys to the mentioned searches in infected computers, depending on level and browsers effected.
After you did the Chrome settings, deleted related keys in Registry, Run anti malware bytes then when it prompts restart, do it. Should eliminate your problem with chrome.
I see you have malwarebytes, unfortunately it misses some of the keys I showed above to find in registry, a person who can play with the registry is more effective then anti-malware bytes anyway, but the reason I would recommend anti-malware bytes to a new user is just because of that, they are a new user to the registry and probably don't know how to navigate it well, you can render your computer needing a reinstall of windows if you don't be careful, but following the directions for just specific conduit related stuff, and nativemessaging, and TBHostSupport related sub folders/keys.
searching Conduit or smartbar in about:config, edit prefs.js in App data for Firefox also delete the CT folder for conduit that is leftover by anti malware program ect pic below.
http://img23.imageshack.us/img23/5135/6b5h.png
Click edit on prefs.js for firefox users and search the file for conduit, smartbar, or sweettunes, I found remenets of it in there even after scanning and removing the newtab issue.
The About:config can have a "prefs.js" file permissions set to read only which would prevent changes being made to it, but I believe it would still show, and not be disabled, for the Original poster who had mentioned the about:config being disabled in Firefox. A new install of the program might solve your issues if its related to a profile save, but clearing with search in registry and left over folders in a few directories is what I did before scanning, then it scanned and removed any physical files detected, corrected a few reg keys, and missed a few, especially related to chrome native messaging key, I think it may have detected it when I scanned with anti-malware bytes but it re-writes once you open a browser that still has the profile or configuration setup of conduit URL or sweettunes extension/add-on.
The folders/files and registry keys re-wrote themselves when I opened a browser with conduit engine still set on the browser, but after clearing computer's registry and physical files of infected malware it had appeared to be clean, it simply rites when it gets new prompt from an infected browser, or when you reboot perhaps.
You will see an out of the norm rundll32.exe going in task manager after reboot if you still have TBHostSupport entry in your registry, so its a loop of sorts if your not on top of it, you could uninstall and delete chrome all together, hence the terms I mentioned above searching in registry, "conduit" "nativemessaging" and "TBHostSupport" looking for the key entries I posted pics of; and then after deleting chrome, and doing regedit check on those terms, you can check for physical files like my pics above or just let anti-malware take care of the physical files part.
Rundll32 is ofcourse a windows related file, so its fine to run but you want to prevent the TBHostSupport registry key from hijacking it via "Run" regedit key.
The problem with marking it as solved/solution when one browser is "clean" and the others are still hijacked, is the malware/trojan ect is still able to perform all of its data mining and activities regardless, it modifies not just one browsers settings but generic Internet Settings in registry, as I was explaining. So it would be not solved to say one browser works but my other one doesn't, that means your computer is still infected as it was with initial infection of your preferred browser, I wouldn't recommend it personally.
Modified
Delete search.conduit entries from registry..problem solves!
CDisplay.Exe 1.10.2 installed this problem for me. Im not new to the internet and im aware of how to not install extra stuff i dont want but this one informs you in no way that its being installed. No where in any of the install pages does it talk about this particularly annoying problem. Thanks Wisdomwisher for the particular solution that worked for me.
Awesome. Worked for me
It is said that the problem is always down to the user but I'm doubtful. I think this entity sometimes gets in through the backdoor. Nevertheless It's a mystery why anti-malware software and other checks in Windows don't pick it up.
To get rid of it means de-installing the program and also changing settings for all browsers homepages and new tabs at the same time. A pain, but do-able.
The longer it is on the PC the more it seems to ensconce itself so maybe even that action is not enough in some cases.
Objective experts call this a PUP not a virus. A lot of scare stories seem to abound on the internet about the terrible things it can do, but these seem to come from people peddling software which purports to remove it.
It seems that it's unlikely to brick a PC but it may open the door to a lot of other undesirable malware.
Modified