[Solved] Conduit redirect

Posted: Thu Apr 24, 2014 2:12 pm
by wmmiller
Hi Fred,
I have a remote Dell Inspiron 1521 Windows 7 x64 laptop computer. I don’t know why but I’m having a heck of a time getting rid of conduit redirect in IE 11. I don’t get it. I’ve never found this to be problematic, but I’m sucking swamp water on this one for some reason. :oops: I deleted
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] “Start page=) It comes right back as soon as I open a web page. I used AdwCleaner, it finds it and claims to have deleted it, but it’s not gone. It is not active in safe mode. Will you please give me some advice? Maybe I’ve just lost a brain cell or two, but that’s beside the point. :roll:
Bill

Re: Conduit redirect

Posted: Thu Apr 24, 2014 2:26 pm
by Fred
Hi Bill. Can I have a UVK log from that computer?

If not, try the following fixes:

Reset IE and internet settings
Reset Chrome for all users (if chrome installed)
Reset Firefox for all users (if FF installed)
Fix browser shortcuts

Thanks

Re: Conduit redirect

Posted: Thu Apr 24, 2014 2:28 pm
by Fred
Also check whether there are any bad IE BHOs or toolbars in the Autorun manager section, and remove them, including the associated files.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 2:53 pm
by wmmiller
I did try all those fixes yesterday and again just now without luck. It does show up in auto run manager and I have deleted the entry as well as the file a few times and it just comes back. Here’s a log to take a gander at. Thanks!

NOTE: IE is the only browser that is used on this computer so any entries to all others can be removed.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 3:25 pm
by Fred
Do you know what these files are related to?

C:\Program Files (x86)\Nike\Nike+ Connect\Nike+ Connect daemon.exe
C:\Users\Bunny\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe
C:\Windows\Temp\ShAeroDisabler.exe

VirusTotal says they are goodware, but I know of many goodware programs that change IE's home page and search providers.
An example is Incredimail.

Maybe it's worth killing those processes, resetting the home page and trying again.
Or temporarily move them to the recycle bin, reset the home page and try again.

Also check if there aren't any root/boot kits with TDSSKiller and aswmbr.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 3:33 pm
by wmmiller
I do know what those are. The first two are something from Nike. She’s a runner and athletic trainer. I don’t know if they are safe or not, but that’s why they are there.
The third one is there because my remote support app can’t see the Dell dock on some computers. That one is safe. I have it on all my dell computers as well as many other Dells.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 3:36 pm
by Fred
Well, you won't lose anything by simply killing the processes to check.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 3:38 pm
by Fred
What happens if you try to set the home page in the Internet setting applet? Does it succeed?

Re: Conduit redirect

Posted: Thu Apr 24, 2014 3:49 pm
by wmmiller
I ran TDSSKiller, MalwareBytes Anti-Rootkit and McAfee Rootkit Remover and they found nothing.
I’ll kill those and see what happens.

“What happens if you try to set the home page in the Internet setting applet? Does it succeed?” Nope, it doesn’t. It does not give any error either.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 3:57 pm
by Fred
IMHO it is a running program that is monitoring the Start page value.

I would also check out the wltrysvc service.
C:\Windows\System32\WLTRYSVC.EXE

Re: Conduit redirect

Posted: Thu Apr 24, 2014 4:12 pm
by wmmiller
I wondered about that one too and Googled WLTRYSVC.EXE and it seems to be related to Broadcom Corporation Wireless, so I’m reluctant to kill it because I would be cut off.
I killed these and it didn’t make a difference:
C:\Program Files (x86)\Nike\Nike+ Connect\Nike+ Connect daemon.exe
C:\Users\Bunny\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe
C:\Windows\Temp\ShAeroDisabler.exe


When I set default home page in internet option it changes to go.microsoft.com something but when you close it and reopen it, it is changed back to conduit.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 4:24 pm
by Fred
That is weird.

Please post a new log. This time, before clicking Start scan, do the following:
Uncheck Hide all Microsoft files.

Click the text box under Custom to clear its contents and paste the following code:

 <Reg>
HKCU\Software\Microsoft\Internet Explorer
HKLM\Software\Microsoft\Internet Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Re: Conduit redirect

Posted: Thu Apr 24, 2014 4:49 pm
by wmmiller
Here it is Fred.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 4:56 pm
by Fred
Thanks. I'm gonna have a look now.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 5:16 pm
by Fred
Bill, I'm assuming you already tried setting IE's start page using UVK, from the Autoruns manager. Is that correct?

Re: Conduit redirect

Posted: Thu Apr 24, 2014 5:40 pm
by wmmiller
Fred,
OMG! I just figured this out and now feel foolish. :oops: SuperAntiSpyware was keeping the home page from being changed. Somehow it got set to conduit and SAS hijack protection was set, the “display notification when home page changed” box wasn’t checked so it wasn’t popping up a warning of the change when it was reset. I don’t know why I didn’t think of that. I discovered this because I started to kill processes one by one and when I disabled SAS it magically was fixed, so I started looking at the SAS settings. I do apologize for wasting your time and thank you for all your help. :roll: Here’s a screen shot with the box that should have been checked circled in red.
Bill

Once again, I have learned something today and would think that this won’t happen to me again.

Re: Conduit redirect

Posted: Thu Apr 24, 2014 5:52 pm
by Fred
Can you believe it? I thought about that, launched SAS and couldn't find that option. Didn't search for long, though.

So I thought: Maybe they don't have the option anymore...

Well, glad you figured it out! :)

Can we mark this topic as Solved?

Re: Conduit redirect

Posted: Thu Apr 24, 2014 5:55 pm
by wmmiller
Solved it is. :D I really appreciate your taking the time to help me and again apologize for wasting your time.
Bill

Re: Conduit redirect

Posted: Thu Apr 24, 2014 6:02 pm
by Fred
Oh, you don't have to apologize at all. This happened to you, and could certainly happen to others.

Hopefully other people having the same problem may find the solution in this page.
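
Added example, not part of the original thread: a PowerShell check for the situation diagnosed above, where a running program watches the IE Start Page value and writes it back. It sets a marker value, polls the key, and reports whether and when the value was reverted. The function name `Watch-StartPage`, the `about:blank` marker and the 60-second window are assumptions made for this example.

```powershell
# Added example (not from the thread). Run in the affected user's session.
# Written to work on the PowerShell 2.0 that ships with Windows 7.
$Key  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Name = 'Start Page'

function Watch-StartPage {
    param(
        [string]$TestValue = 'about:blank',  # harmless marker value (assumption)
        [int]$Seconds = 60                   # how long to watch for a revert
    )
    # Remember what was there so the report shows before/after.
    $before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -Path $Key -Name $Name -Value $TestValue

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $Seconds) {
        Start-Sleep -Milliseconds 500
        $now = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($now -ne $TestValue) {
            # Something rewrote (or deleted) the value while we were watching.
            return New-Object PSObject -Property @{
                Reverted     = $true
                Before       = $before
                RevertedTo   = $now
                AfterSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
                # Snapshot of candidate processes at the moment of the revert.
                Running      = (Get-Process | Select-Object -ExpandProperty ProcessName -Unique | Sort-Object)
            }
        }
    }
    # The marker survived the whole window: nothing is guarding the value.
    New-Object PSObject -Property @{
        Reverted = $false; Before = $before; RevertedTo = $null
        AfterSeconds = $null; Running = @()
    }
}

Watch-StartPage -Seconds 60 | Format-List
```

Run it once as-is, then again after exiting a suspect program; the run in which `Reverted` comes back `False` points at the program that was holding the value, which is the same comparison Bill made by hand when he disabled SAS.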