I am attempting to write a disinfector for Conduit Search Protect. This thread documents the steps and progress.
What is Conduit Search Protect?
Conduit Search Protect often comes bundled with installers of other programs, e.g., PowerISO. It is classified as a potentially unwanted program (PUP), meaning no one in their right mind would actually want it on their PC.
Conduit Search Protect sets your browser's default home page, new tab settings and search engine to search.conduit.com or www.trovi.com.
It is hard to get rid of and blocks any attempts to change the browser settings back. Other symptoms are unwanted pop-up and in-text advertisements.
The program can cause severe problems after using the uninstaller; it may even render your system unbootable (see link).
1. Step: Research
* Finding manual removal descriptions
* Finding technical details.
* Finding common problems.
* Finding an installer.
Most valuable links so far:
http://www.symantec.com/security_response/writeup.jsp?docid=2014-063009-1324-99&tabid=2
http://lavasoft.com/mylavasoft/company/blog/how-to-remove-search-protect-by-conduit-ltd
http://pcsmarties.wordpress.com/methods-to-remove-conduit/
2. Infected Snapshot and Analysis of PowerISO Installation
Tools:
* VirtualBox VM with WinXP 32 bit
* Regshot
* Procmon
* Process Explorer
Infection
I downloaded the PowerISO installer and infected the VM image with Conduit Search Protect.
During installation I was asked to agree to SEARCH PROTECT END USER INSTRUCTIONS, which I did. As it turns out other adware (PriceMeter and TuneUp) is offered as well, which I disagreed to install.
The infected image is saved as snapshot, so it can be used for disinfection tests and analysis.
Monitoring Registry Changes
I used Regshot to monitor registry changes. The difficulty here is that they also include PowerISO-related changes. That means all of them have to be analysed for their purpose and whether they relate to Conduit in any way.
Here are the changed registry entries after infection with Conduit Search Protect:
http://pastebin.com/dEJKdqut
Monitoring Processes and File Modifications
I used Procmon to monitor any file and process operations on the system during installation.
I added the following filters:
If Operation is CreateFile then include
If Operation is ProcessCreate then include
If Operation is ProcessStart then include
If Process Name is PWRISOVM.EXE then include
If Process Name is PowerISO6 then include
If Process Name is regvr32.exe then include
If Process Name is sp-downloader.exe
Here are the results as CSV:
http://pastebin.com/wT7hYUg1
Processes created and started: regsvr32.exe, sp-downloader.exe, PWRISOVM.EXE
Process information (after research)
regsvr32.exe Microsoft register server, usually harmless, but I analyse its activity in the log.
sp-downloader.exe belongs to Conduit; several instances are listed here:
http://processchecker.com/file/sp-downloader.exe.html
I will have to analyse its activity thoroughly.
PWRISOVM.EXE belongs to PowerISO, I won't bother with it
Running Processes
I used Process Explorer to monitor and identify processes associated with Conduit Search Protect. Those processes will have to be killed before any disinfection. The most obvious ones have the Conduit Search Protect icon with a blue shield and white magnifying glass:
3. Analysis of sp-downloader.exe Activities
I ran a second analysis with Procmon, this time I let it run until the Conduit icon appeared in the Windows toolbar. I filtered the processes:
sp-downloader.exe, CltMngSvc.exe, cltmngui.exe and cltmng.exe and the Operation CreateFile:
http://pastebin.com/NB4jbXYE
Ignoring the temporary files, we can see the most important folder creations, which must be deleted by the disinfector including all subfolders and contained files:
* %programfiles%\SearchProtect
* %allusersappdata%\SearchProtect
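The Procmon filter list from section 2 and the folder conclusion drawn from the CSV above can be automated. The following Python script is an added example and is not code from this thread or from the disinfector: it reads a Procmon CSV export (the default column layout "Time of Day","Process Name","PID","Operation","Path","Result","Detail" is assumed), keeps successful CreateFile events of the Search Protect processes named above, drops temp-folder noise, and collapses the remaining paths to the shortest observed roots, which is the removal list the batch script needs. The CSV rows are constructed for the example, not real captured data.

```python
import csv
import io
from pathlib import PureWindowsPath

# Process names the thread attributes to Search Protect (compared case-insensitively).
CONDUIT_PROCESSES = {"sp-downloader.exe", "cltmngsvc.exe", "cltmngui.exe", "cltmng.exe"}

# Path fragments that mark per-user or system temp locations (XP and Vista+ layouts).
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample in Procmon's default CSV export layout; not a real capture.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234","sp-downloader.exe","1204","CreateFile","C:\\Documents and Settings\\user\\Local Settings\\Temp\\sp123.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.5678","sp-downloader.exe","1204","CreateFile","C:\\Program Files\\SearchProtect","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:03.0001","sp-downloader.exe","1204","CreateFile","C:\\Program Files\\SearchProtect\\bin\\cltmng.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03.2000","CltMngSvc.exe","1300","CreateFile","C:\\Documents and Settings\\All Users\\Application Data\\SearchProtect\\Logs\\svc.log","SUCCESS","Desired Access: Generic Write"
"10:01:03.4000","PWRISOVM.EXE","1100","CreateFile","C:\\Program Files\\PowerISO\\PowerISO.exe","SUCCESS","Desired Access: Generic Read"
"10:01:04.0000","cltmng.exe","1400","RegOpenKey","HKCU\\Software\\SearchProtect","SUCCESS","Desired Access: Read"
"10:01:04.1000","sp-downloader.exe","1204","CreateFile","C:\\Program Files\\SearchProtect\\bin\\missing.dll","NAME NOT FOUND","Desired Access: Generic Read"
'''


def is_temp_path(path):
    """True when the path lies in one of the temp locations (noise for the removal list)."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def conduit_file_paths(csv_text, processes=CONDUIT_PROCESSES):
    """Successful CreateFile paths touched by the Search Protect processes, temp files excluded."""
    paths = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() not in processes:
            continue                      # PowerISO's own activity is not our concern
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue                      # failed opens and registry events carry no file to delete
        if is_temp_path(row["Path"]):
            continue                      # cleaned by the temp-folder routine anyway
        paths.append(row["Path"])
    return paths


def _under(path, root):
    """True when path is strictly below root (case-insensitive, component-wise)."""
    a = [part.lower() for part in PureWindowsPath(path).parts]
    b = [part.lower() for part in PureWindowsPath(root).parts]
    return len(a) > len(b) and a[:len(b)] == b


def removal_candidates(paths):
    """Keep only the roots: any path below another observed path is covered by 'rd /s'."""
    roots = []
    for p in sorted(set(paths), key=lambda s: (len(PureWindowsPath(s).parts), s.lower())):
        if not any(_under(p, r) for r in roots):
            roots.append(p)
    return roots


if __name__ == "__main__":
    for root in removal_candidates(conduit_file_paths(SAMPLE_CSV)):
        print(root)
```

Paths that only ever appear as files (the svc.log line in the sample) stay at full length, which is the signal to look at the parent folder by hand before adding it to the deleteDirectory calls.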
Furthermore, browser settings in chrome and IE are affected. (At this point I realize I should have installed Firefox before infection, which I will do before further analysis)
reg.log shows me that CltMngSvc.exe is installed as a service to the system.
See Regshot comparison:
http://pastebin.com/KB0k3bVk
----------------------------------
Keys added:53
----------------------------------
...
HKLM\SYSTEM\ControlSet001\Services\CltMngSvc
HKLM\SYSTEM\ControlSet001\Services\CltMngSvc\Security
HKLM\SYSTEM\ControlSet001\Services\CltMngSvc\Enum
...
----------------------------------
Values added:229
----------------------------------
...
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\0000\Control\ActiveService: "CltMngSvc"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\0000\Service: "CltMngSvc"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\0000\DeviceDesc: "Search Protect Service"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLTMNGSVC\NextInstance: 0x00000001
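Going through a Regshot comparison by hand, as described in section 2, is tedious because the PowerISO changes are mixed in. The following Python script is an added example, not code from this thread or from the disinfector: it parses Regshot's text output (section headers like "Keys added:53" between dashed lines are assumed), flags entries that mention Search Protect, Conduit, CltMngSvc or trovi, pulls installed service names out of the control set, and turns the result into the sc and reg delete lines the batch script uses. The Search Protect entries in the sample mirror the ones quoted above; the PowerISO entries are constructed to stand in for the installer's own changes.

```python
import re

# Strings that tie a registry entry to Search Protect / Conduit, matched case-insensitively.
INDICATORS = ("searchprotect", "search protect", "cltmng", "conduit", "trovi")

# Regshot section headers look like "Keys added:53" or "Values added:229".
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(\d+)$")

# Service keys below the control set: the first component after Services\ is the service name.
SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\:]+)", re.IGNORECASE)

# Constructed sample in Regshot's comparison format (PowerISO lines made up for the example).
SAMPLE_REGSHOT = """\
----------------------------------
Keys added:6
----------------------------------
HKLM\\SOFTWARE\\PowerISO
HKLM\\SOFTWARE\\SearchProtect
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SearchProtect
HKLM\\SYSTEM\\ControlSet001\\Services\\CltMngSvc
HKLM\\SYSTEM\\ControlSet001\\Services\\CltMngSvc\\Security
HKCR\\.iso
----------------------------------
Values added:4
----------------------------------
HKLM\\SOFTWARE\\PowerISO\\InstallDir: "C:\\Program Files\\PowerISO"
HKLM\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_CLTMNGSVC\\0000\\DeviceDesc: "Search Protect Service"
HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page: "http://search.conduit.com/"
HKLM\\SYSTEM\\ControlSet001\\Services\\CltMngSvc\\ImagePath: "C:\\Program Files\\SearchProtect\\bin\\CltMngSvc.exe"
----------------------------------
Total changes:10
----------------------------------
"""


def parse_regshot(text):
    """Map each section name ("Keys added", "Values added", ...) to its list of entry lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                                  # separators carry no data
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def related_entries(sections):
    """Only the entries that mention one of the indicators, grouped by section."""
    hits = {}
    for section, entries in sections.items():
        flagged = [e for e in entries if any(ind in e.lower() for ind in INDICATORS)]
        if flagged:
            hits[section] = flagged
    return hits


def services_installed(sections):
    """Service names whose keys were added below HKLM\\SYSTEM\\...\\Services."""
    names = []
    for entry in sections.get("Keys added", []):
        m = SERVICE_RE.match(entry)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def removal_commands(sections):
    """Batch lines: stop/delete each service, then reg delete the flagged top-level keys."""
    lines = []
    for svc in services_installed(sections):
        lines.append('sc stop "%s"' % svc)
        lines.append('sc delete "%s"' % svc)
    keys = related_entries(sections).get("Keys added", [])
    # A key below another flagged key goes away with its parent; service keys belong to sc delete.
    roots = [k for k in keys if not any(k.lower().startswith(o.lower() + "\\") for o in keys)]
    lines.extend('reg delete "%s" /f' % k for k in roots if not SERVICE_RE.match(k))
    return lines


if __name__ == "__main__":
    parsed = parse_regshot(SAMPLE_REGSHOT)
    for section, entries in related_entries(parsed).items():
        print(section, "->", len(entries), "related entries")
    print("\n".join(removal_commands(parsed)))
```

The generated lines are a starting point, not something to run blindly: a flagged value under HKCU\Software\Microsoft\Internet Explorer (the hijacked start page in the sample) is not a key to delete but a value to set back, which is why only "Keys added" feeds the reg delete list.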
4. First Outline of the Disinfector: File Removal, Service Deletion
The disinfector should have direct access to Windows' functions and no dependencies, so I decided to use Batch. It is available on every Windows system and its capabilities should be sufficient for a relatively small program like this.
My first version only concentrates on killing processes, deleting folders and files associated to Conduit Search Protect and removing the CltMngSvc.exe service from the system. That means browser settings are not yet restored. This will be added later.
I created functions for folder, directory and service deletion, and temporary folder cleaning. I also wrote the first outline of the main script.
@echo off
::-----------------------------------
:: Main Script
::-----------------------------------
call :killProcess "cltmng.exe"
call :killProcess "cltmngui.exe"
call :deleteService "CltMngSvc"
call :deleteDirectory "%programfiles%\SearchProtect"
:: all-users application data lives under "%ALLUSERSPROFILE%\Application Data" on XP and under %ProgramData% on Vista and later;
:: %allusersappdata% is not a Windows variable and would expand to nothing
call :deleteDirectory "%ALLUSERSPROFILE%\Application Data\SearchProtect"
call :deleteDirectory "%ProgramData%\SearchProtect"
call :deleteDirectory "%appdata%\SearchProtect"
call :cleanTemp
echo.disinfection done
goto :eof
::-----------------------------------
:: Function Section
::-----------------------------------
:: killProcess processname
:killProcess
echo.killing process %~1
taskkill /f /im "%~1"
goto :eof
:: deleteService servicename
:deleteService
echo.deleting service %~1
sc stop "%~1"
sc delete "%~1"
goto :eof
:: deleteDirectory directoryname
:deleteDirectory
echo.removing directory %~1
:: %~1 strips the caller's quotes, so quote again or a path with spaces (Program Files) breaks the if
if exist "%~1" (
attrib /s /d -s -h -r "%~1"
rd /s /q "%~1"
) else echo.not found
goto :eof
:: deleteFile filename
:deleteFile
echo.removing file %~1
if exist "%~1" (
attrib -s -h -r "%~1"
del /f /q "%~1"
) else echo.not found
goto :eof
:: cleanTemp
:cleanTemp
echo.cleaning temporary files
::cd %temp%
for /d %%D in ("%temp%\*") do rd /s /q "%%D"
del /f /q "%temp%\*"
goto :eof
First test run seems successful. The blue shield icon is not shown anymore and Process Explorer does not show any suspicious processes.
Let's restart and see what happens.
...
Still no more signs of the infection regarding processes.
Now we take a look at remaining registry entries and the browser settings, which are still fucked up.
5. Fixing the Registry
Two registry keys can be found which are related to the Search Protect installation. We will delete them including all subkeys and values using reg.exe
reg delete "HKLM\SOFTWARE\SearchProtect" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect" /f
The /f switch forces the deletion
6. Resetting the Browsers
I added some functions to reset IE and Firefox. This is actually the bruteforce way to do it. Any personal preferences will be lost.
Later versions of the disinfector will include a soft reset.
:: reset Firefox settings (the profile folders are deleted, so Firefox creates a fresh default profile on next start)
:resetFirefox
taskkill.exe /f /im firefox.exe
:: rd has no /d switch: /s removes the whole tree, /q suppresses the prompt
:: the AppData\Local path is the Vista+ layout; on XP the local profile data is under "%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles"
rd /s /q "%UserProfile%\AppData\Local\Mozilla\Firefox\Profiles"
rd /s /q "%AppData%\Mozilla\Firefox"
goto :eof
:: reset IE settings
:resetIE
taskkill.exe /f /im iexplore.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer" /f
goto :eof
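The soft reset mentioned above can be done on Firefox without throwing the profile away, because Firefox keeps user-set preferences as user_pref lines in the profile's prefs.js and falls back to its built-in default for any line that is removed. The Python script below is an added example, not code from this thread or from the disinfector: it parses prefs.js, flags every preference whose value points at Conduit, trovi or Search Protect, and writes the file back without those lines (a .bak copy is kept). The sample prefs.js is constructed; the pref names in it (browser.startup.homepage, keyword.URL, browser.newtab.url, browser.search.defaultenginename) are real Firefox preferences of that era, but which ones Search Protect actually sets is not established in this thread, which is why the script keys on the value rather than on the name.

```python
import glob
import os
import re

# Firefox stores each user-set preference as: user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Value fragments that identify a Search Protect / Conduit setting (case-insensitive).
HIJACK_MARKERS = ("conduit", "trovi", "search protect", "searchprotect")

# Constructed sample prefs.js of a hijacked profile; not taken from a real machine.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.conduit.com/");
user_pref("browser.search.defaultenginename", "Conduit Search");
user_pref("keyword.URL", "http://search.conduit.com/?q=");
user_pref("browser.newtab.url", "http://www.trovi.com/");
user_pref("browser.tabs.warnOnClose", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.startup.page", 1);
'''


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref line; comments and other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def is_hijacked(raw_value):
    """True when the (still quoted) value mentions one of the hijack markers."""
    v = raw_value.lower()
    return any(marker in v for marker in HIJACK_MARKERS)


def hijacked_prefs(text):
    """Names of the preferences that point at the hijacker, in file order."""
    return [name for name, value in parse_prefs(text).items() if is_hijacked(value)]


def soft_reset(text):
    """Return (cleaned_text, removed_names); a removed user_pref line reverts to Firefox's default."""
    kept, removed = [], []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and is_hijacked(m.group(2)):
            removed.append(m.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def soft_reset_file(path):
    """Clean one prefs.js in place, keeping path + '.bak'. Firefox must be closed, it rewrites prefs.js on exit."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    cleaned, removed = soft_reset(original)
    if removed:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return removed


def profile_prefs_files():
    """prefs.js of every profile under the roaming AppData folder; empty list when not on Windows."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []
    return glob.glob(os.path.join(appdata, "Mozilla", "Firefox", "Profiles", "*", "prefs.js"))


if __name__ == "__main__":
    cleaned, removed = soft_reset(SAMPLE_PREFS)
    print("removed:", ", ".join(removed))
    print(cleaned)
```

Two things to check in the same profile folder before calling the browser clean: a user.js file, which Firefox re-applies on every start and so would put the settings straight back, and the searchplugins folder, where an added search engine XML would survive a prefs.js edit. Both need a look by hand, as the sample here only covers prefs.js.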
Finally let's clean the temp directories, internet temp directories and internet caches.
:: cleanFolder
:cleanFolder
if exist "%~1" (
echo.cleaning folder "%~1"
for /d %%D in ("%~1\*") do rd /s /q "%%D"
del /f /q "%~1\*"
)
goto :eof
:: clean temporary folders and internet caches
:cleanTemps
echo.cleaning temporary files
call :cleanFolder "%temp%"
call :cleanFolder "%USERPROFILE%\Local Settings\Temporary Internet Files"
call :cleanFolder "%USERPROFILE%\Local Settings\Temp"
call :cleanFolder "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5"
goto :eof
Seems like the first version of the disinfector is born. Let's test it.
7. First Release
Regshot comparison from before and after usage of our program shows the following:
http://pastebin.com/m3mJtqdN
Everything seems to run fine. So it is time for the first release of the Conduit Search Protect disinfector.
Let's give it a name:
ConduitSPKiller v1.0
Full source:
https://evilzone.org/evilzone-releases/%28release%29-conduit-search-protect-disinfector/