Can you suddenly get a toolbar just by going to a website?

Happy Hopping

Supreme [H]ardness
Joined
Jul 1, 2004
Messages
7,060
So, this is the first time I've seen it. My classmate dragged me to see his mom's laptop. And it has some spyware, such as Mix DJ

So I use Malwarebytes w/ the latest signature to clean it out. Everything looks fine.

Now one of the websites she goes to is mapquest. After all the clean up is done, I went to mapquest, and suddenly a toolbar appears w/ MixDJ on it.

She's running vista home.

Has anyone seen this before? I then picked RESET in IE 9, and removed Chrome and re-installed it. As soon as I go back to that mapquest website, I get the toolbar, and it stays on the browser when I go to other sites
 

Cerulean

[H]F Junkie
Joined
Jul 27, 2006
Messages
9,453
Can you PM me the link exactly where you browse to that triggers toolbar + provide me screenshot? :?
 

me4get

Weaksauce
Joined
Jun 15, 2011
Messages
102
The malware is hiding on the drive somewhere and is reinstalling itself
 

Happy Hopping

Supreme [H]ardness
Joined
Jul 1, 2004
Messages
7,060
Evilsofa, thanks, that's it. But I didn't realize it's w/ Conduit. I do have a few quick questions:

1) I forgot to do Tools / Extensions in Chrome, but I did totally uninstall it off the PC, and it should clear up all the user settings, so why wouldn't that work?

2) Why do we need AdwCleaner & Hitman Pro when we already use Malwarebytes in step 4? Doesn't that mean Malwarebytes is not doing its job?
 

Cerulean

[H]F Junkie
Joined
Jul 27, 2006
Messages
9,453
Evilsofa, thanks, that's it. But I didn't realize it's w/ Conduit. I do have a few quick questions:

1) I forgot to do Tools / Extensions in Chrome, but I did totally uninstall it off the PC, and it should clear up all the user settings, so why wouldn't that work?

2) Why do we need AdwCleaner & Hitman Pro when we already use Malwarebytes in step 4? Doesn't that mean Malwarebytes is not doing its job?
No tool is perfect; no tool does everything.
 

Happy Hopping

Supreme [H]ardness
Joined
Jul 1, 2004
Messages
7,060
To be honest, I'm surprised, I have very high hopes for Malwarebytes, I always thought it fixes everything. After all, it is charging $70/yr.
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
To be honest, I'm surprised, I have very high hopes for Malwarebytes, I always thought it fixes everything. After all, it is charging $70/yr.

"I paid $3000 for this bulletproof vest but I still got shot in the leg when I casually strolled through a gun battle."
 

Happy Hopping

Supreme [H]ardness
Joined
Jul 1, 2004
Messages
7,060
Not so fast. Back about 6 mth. ago, when Malwarebytes was using ver. 1.75, it took about 2.5 hr. to scan an average size (full of data) hard drive. Now when ver. 2.12 comes out, it takes about 1/2 to 40 min. to scan a drive.

I couldn't help but wonder if this new scanning technique misses something.
 

NobleX13

2[H]4U
Joined
Jun 15, 2010
Messages
3,837
SearchConduit is some pervasive stuff. I've seen some cases where MBAM completely removes it, and some where it does not. Most mechanisms of persistence for this type of adware/greyware seem to be in the user profile. I would create a new user, sign in with that account, scan the machine, copy all documents, etc. to the new profile, and blow the old one away. You may also want to remove her local admin rights and make sure you have a good resident AV besides MBAM and have Adblock Plus installed with the malware filter turned on.

In this particular case the reinfection was caused by some other persistence mechanism and not by simply navigating to a website. Due to the rise of highly complex exploit kits in recent years, you can very well get much worse than a simple toolbar by simply navigating to a URL. These exploit kits/packs profile your system, look for a vulnerable browser plugin or OS component, and deliver a payload specific to the vulnerability(s) detected. Then, a dropper is downloaded that retrieves the malware itself. I have seen quite a bit of crimeware downloaded in this way, similar to Zbot. This stuff steals browser cookies, logs keystrokes, and even scrapes credentials out of memory depending on the variant.

I would make damn sure that this system is fully patched and up to date with the latest flash player, adobe reader, chrome, firefox, and especially Java. I recommend Secunia PSI to automate this task. http://secunia.com/vulnerability_scanning/personal/
 

Nenu

[H]ardened
Joined
Apr 28, 2007
Messages
19,913
This is why I browse inside a Sandbox (Sandboxie) and why I use a browser (Firefox) that allows me to use addons that turn off scripting.

This way I am unlikely to have problems, since no scripting is allowed.
And if something does sneak in, I delete the sandbox contents and start afresh.
I haven't had anything sneak in for years though, so I rarely empty the sandbox.

If using this method, be sure to run the browser unsandboxed when updating it or changing your default config, so the next time you start afresh, it is already fully configured.
You may need to do the same things when in the sandbox if it isn't a new one; sometimes it automatically applies the changes, other times it uses its already saved sandboxed config.

You may want to tell the sandbox to allow the following for your browser to be saved directly, if you don't want them to be lost when you empty the sandbox:
Bookmarks/History
Cookies
Passwords
etc.
 

TomWalker

n00b
Joined
Aug 27, 2014
Messages
4
Normally toolbars do not install themselves, but you can get them installed if you install a freeware program. Toolbars are often bundled with such programs, and they are selected by default. However, you can always disable or decline their installation. Just scan the setup screens before clicking "Next" and never use any "simple" setup options, always go for 'advanced'.
 

0ptional

Don't Trust Your Friends with Your Decanter
Joined
Feb 22, 2003
Messages
5,591
Oftentimes these malware programs re-write the appinit_dll of Windows and are just totally pervasive.. anyway, try something like the Malwarebytes Anti-Rootkit utility specifically to see if that grabs anything different.

Be aware there is a new version of conduit/searchprotect/etc.. running around that will prevent explorer.exe from loading after the login screen of windows, also insanely annoying to repair.
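A read-only triage script, added here as an example and not posted by anyone in the thread, that lists the persistence spots the replies above point at: the AppInit_DLLs value, per-user Run keys in the profile, and Chrome extensions left under the profile (assumes PowerShell 3.0 or later, run as administrator; the paths are the standard Windows/Chrome ones, not anything taken from the affected laptop).

```powershell
# Added example (not from the thread): enumerate the persistence locations
# discussed above so you can see what reloads after a reboot or a browser
# restart. Read-only; it changes nothing. Assumes PowerShell 3.0+ as admin.
$findings = @()

# 1. AppInit_DLLs: every DLL listed here is loaded into each process that
#    loads user32.dll, which is why a browser reinstall alone does not help.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($props.AppInit_DLLs) {
            $findings += [pscustomobject]@{
                Location = $key; Item = 'AppInit_DLLs'; Value = $props.AppInit_DLLs
            }
        }
    }
}

# 2. Per-user Run/RunOnce keys: persistence that lives in the profile, which
#    is why a fresh user account often comes up clean while the old one does not.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Location = $key; Item = $_.Name; Value = $_.Value }
            }
    }
}

# 3. Chrome extensions in the profile: uninstalling Chrome keeps this folder
#    unless "also delete your browsing data" was ticked, so a bundled toolbar
#    extension can survive the reinstall. Name comes from each manifest.json.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $extRoot) {
    Get-ChildItem -Path $extRoot -Directory | ForEach-Object {
        $manifest = Get-ChildItem -Path $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        $name = if ($manifest) { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } else { '?' }
        $findings += [pscustomobject]@{ Location = $extRoot; Item = $_.Name; Value = $name }
    }
}

$findings | Format-Table -AutoSize
```

Anything listed under AppInit_DLLs or a Run key that points into the user profile or a temp folder is what to check against the scanner results before trusting a "clean" verdict.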