PUA.Win32.Conduit.GS

 Analysis by: Arvin Roi Macaraeg

 ALIASES:

Riskware/Conduit(FORTINET); HEUR:AdWare.Win32.Conduit.gen(KASPERSKY)

 PLATFORM:

Windows

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application drops the following files:

  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\setup.ini
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\chrome.manifest
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\install.rdf
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\version.txt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\chrome\brothersoft_extreme.jar
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitAutoCompleteSearch.js
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitAutoCompleteSearch.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitToolbar.idl
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitToolbar.js
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitToolbar.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\FFExternalAlert.dll
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\FFExternalAlert.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\RadioWMPCore.dll
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\RadioWMPCore.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\alertSettingsComponent.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\appContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\default_radio_skin.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\engineContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\engineSettings.json
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\fbAlert.js
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\getAppsContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\postAppsContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\toolbarContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\unsharedAppsContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\lib\xpcom.js
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\META-INF\manifest.mf
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\META-INF\zigbert.rsa
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\META-INF\zigbert.sf
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.gif
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.ico
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.PNG
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.src
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.xml
  • %Program Files%\BrotherSoft_Extreme\UNWISE.EXE
  • %Program Files%\BrotherSoft_Extreme\toolbar.cfg
  • %Program Files%\BrotherSoft_Extreme\BrotherSoft_ExtremeToolbarHelper.exe
  • %Program Files%\BrotherSoft_Extreme\tbBrot.dll
  • %Program Files%\BrotherSoft_Extreme\GottenAppsContextMenu.xml
  • %Program Files%\BrotherSoft_Extreme\OtherAppsContextMenu.xml
  • %Program Files%\BrotherSoft_Extreme\SharedAppsContextMenu.xml
  • %Program Files%\BrotherSoft_Extreme\ToolbarContextMenu.xml
  • %Program Files%\ConduitEngine\toolbar.cfg
  • %Program Files%\ConduitEngine\ConduitEngineUninstall.exe
  • %Program Files%\ConduitEngine\appContextMenu.xml
  • %Program Files%\ConduitEngine\engineContextMenu.xml
  • %Program Files%\ConduitEngine\EngineSettings.json
  • %Program Files%\ConduitEngine\ConduitEngineHelper.exe
  • %Program Files%\ConduitEngine\ConduitEngine.dll
  • %Program Files%\ConduitEngine\INSTALL.LOG
  • %User Temp%\BrotherSoft_Extreme.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit). %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Potentially Unwanted Application connects to the following possibly malicious URL:

  • brothersoftextreme.{BLOCKED}lbar.com

It does the following:

  • It adds the following registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrotherSoft_Extreme Toolbar
      DisplayName = BrotherSoft_Extreme Toolbar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrotherSoft_Extreme Toolbar
      UninstallString = %Program Files%\BROTHE~1\UNWISE.EXE /U %Program Files%\BROTHE~1\INSTALL.LOG
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\IE5
      CabinetVisible = FALSE
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\IE5
      ExplorerVisible = FALSE
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\IE5
      FirstTime = TRUE
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\IE5
      Visible = TRUE
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings
      EnableSearchFromAdress = TRUE
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings
      FixPageNotFoundError = 1
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings
      SearchFromAdressUrl = http://search.conduit.com/ResultsExt.aspx?ctid=CT2776682&q=MYSEARCHTERM
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings\LanguagePack
      LanguagePackServerUrl = http://translation.users.conduit.com/Translation.ashx
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
      GroupingServerURL = http://grouping.services.conduit.com/
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
      SearchServerUrl = http://search.conduit.com
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
      Server = users.conduit.com
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
      ShouldPerformGroupByOS = FALSE
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
      UsageURL = http://usage.users.conduit.com/UsersWebService.asmx/UsersRequests
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
      WebServerUrl = http://BrotherSoftExtreme.OurToolbar.com/
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
      Write us link = forrest@brothersoft.com
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings
      ShouldSendReferalCookie = TRUE
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\Communicator
      Url = http://servicemap.conduit-services.com/Toolbar/
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      ComId = {51a86bb3-6602-4c85-92a5-130ee4864f13}
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      DisplayName = BrotherSoft Extreme
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      DisplayTitle = BrotherSoft_Extreme Toolbar
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      GroupingEnabled = FALSE
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      InstallationId = integrated_brothersoft_extrme.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      InstallationType = conduitintegration
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      MultiCommunityEnabled = FALSE
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      Path = %Program Files%\BrotherSoft_Extreme
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      Server = users.conduit.com
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      ShouldPerformGroupByOS = FALSE
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      ShouldShowPersonalComponentDlg = TRUE
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      SponsorId = CT2776682
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      ToolbarHelperFileName = %Program Files%\BrotherSoft_Extreme\BrotherSoft_ExtremeToolbarHelper.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{51a86bb3-6602-4c85-92a5-130ee4864f13}
      Name = BrotherSoft_Extreme
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      PlatformType = ConduitToolbar
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      IsEngineHost = TRUE
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      AllowToUninstallFromEngine = FALSE
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      ForceEngineUninstall = TRUE
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      IphoneUpdateURL = {Default}
    • HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
      ShouldSendToolbarAge = TRUE
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      DisplayName = Conduit Engine
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      UninstallString = %Program Files%\ConduitEngine\ConduitEngineUninstall.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      DisplayIcon = %Program Files%\ConduitEngine\ConduitEngineUninstall.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      DisplayVersion = 6.1.0.7
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      Publisher = Conduit Ltd.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      Comments = {Default}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      Contact = {Default}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      DisplayIcon = %Program Files%\CONDUI~1\ConduitEngineUninstall.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      DisplayVersion = {Default}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      HelpLink = {Default}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      UninstallString = %Program Files%\CONDUI~1\ConduitEngineUninstall.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
      URLInfoAbout = {Default}

  SOLUTION

Minimum Scan Engine:

9.850

SSAPI PATTERN File:

2.243.00

SSAPI PATTERN Date:

19 Dec 2019

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Delete these registry values

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how to or can ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrotherSoft_Extreme Toolbar
    • DisplayName = BrotherSoft_Extreme Toolbar
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrotherSoft_Extreme Toolbar
    • UninstallString = %Program Files%\BROTHE~1\UNWISE.EXE /U %Program Files%\BROTHE~1\INSTALL.LOG
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\IE5
    • CabinetVisible = FALSE
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\IE5
    • ExplorerVisible = FALSE
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\IE5
    • FirstTime = TRUE
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\IE5
    • Visible = TRUE
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings
    • EnableSearchFromAdress = TRUE
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings
    • FixPageNotFoundError = 1
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings
    • SearchFromAdressUrl = http://search.conduit.com/ResultsExt.aspx?ctid=CT2776682&q=MYSEARCHTERM
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings\LanguagePack
    • LanguagePackServerUrl = http://translation.users.conduit.com/Translation.ashx
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
    • GroupingServerURL = http://grouping.services.conduit.com/
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
    • SearchServerUrl = http://search.conduit.com
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
    • Server = users.conduit.com
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
    • ShouldPerformGroupByOS = FALSE
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
    • UsageURL = http://usage.users.conduit.com/UsersWebService.asmx/UsersRequests
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
    • WebServerUrl = http://BrotherSoftExtreme.OurToolbar.com/
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar
    • Write us link = forrest@brothersoft.com
  • In HKEY_CURRENT_USER\Software\AppDataLow\Software\BrotherSoft_Extreme\toolbar\settings
    • ShouldSendReferalCookie = TRUE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\Communicator
    • Url = http://servicemap.conduit-services.com/Toolbar/
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • ComId = {51a86bb3-6602-4c85-92a5-130ee4864f13}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • DisplayName = BrotherSoft Extreme
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • DisplayTitle = BrotherSoft_Extreme Toolbar
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • GroupingEnabled = FALSE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • InstallationId = integrated_brothersoft_extrme.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • InstallationType = conduitintegration
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • MultiCommunityEnabled = FALSE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • Path = %Program Files%\BrotherSoft_Extreme
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • Server = users.conduit.com
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • ShouldPerformGroupByOS = FALSE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • ShouldShowPersonalComponentDlg = TRUE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • SponsorId = CT2776682
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • ToolbarHelperFileName = %Program Files%\BrotherSoft_Extreme\BrotherSoft_ExtremeToolbarHelper.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{51a86bb3-6602-4c85-92a5-130ee4864f13}
    • Name = BrotherSoft_Extreme
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • PlatformType = ConduitToolbar
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • IsEngineHost = TRUE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • AllowToUninstallFromEngine = FALSE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • ForceEngineUninstall = TRUE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • IphoneUpdateURL = {Default}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
    • ShouldSendToolbarAge = TRUE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • DisplayName = Conduit Engine
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • UninstallString = %Program Files%\ConduitEngine\ConduitEngineUninstall.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • DisplayIcon = %Program Files%\ConduitEngine\ConduitEngineUninstall.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • DisplayVersion = 6.1.0.7
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • Publisher = Conduit Ltd.
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • Comments = {Default}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • Contact = {Default}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • DisplayIcon = %Program Files%\CONDUI~1\ConduitEngineUninstall.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • DisplayVersion = {Default}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • HelpLink = {Default}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • UninstallString = %Program Files%\CONDUI~1\ConduitEngineUninstall.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
    • URLInfoAbout = {Default}

Step 4

Search for and delete these files

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\setup.ini
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\chrome.manifest
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\install.rdf
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\version.txt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\chrome\brothersoft_extreme.jar
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitAutoCompleteSearch.js
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitAutoCompleteSearch.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitToolbar.idl
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitToolbar.js
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\ConduitToolbar.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\FFExternalAlert.dll
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\FFExternalAlert.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\RadioWMPCore.dll
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\RadioWMPCore.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\alertSettingsComponent.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\appContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\default_radio_skin.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\engineContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\engineSettings.json
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\fbAlert.js
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\getAppsContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\postAppsContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\toolbarContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\defaults\unsharedAppsContextMenu.xml
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\lib\xpcom.js
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\META-INF\manifest.mf
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\META-INF\zigbert.rsa
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\META-INF\zigbert.sf
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.gif
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.ico
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.PNG
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.src
  • %Application Data%\Mozilla\Firefox\Profiles\{Random Characters}.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\searchplugin\conduit.xml
  • %Program Files%\BrotherSoft_Extreme\UNWISE.EXE
  • %Program Files%\BrotherSoft_Extreme\toolbar.cfg
  • %Program Files%\BrotherSoft_Extreme\BrotherSoft_ExtremeToolbarHelper.exe
  • %Program Files%\BrotherSoft_Extreme\tbBrot.dll
  • %Program Files%\BrotherSoft_Extreme\GottenAppsContextMenu.xml
  • %Program Files%\BrotherSoft_Extreme\OtherAppsContextMenu.xml
  • %Program Files%\BrotherSoft_Extreme\SharedAppsContextMenu.xml
  • %Program Files%\BrotherSoft_Extreme\ToolbarContextMenu.xml
  • %Program Files%\ConduitEngine\toolbar.cfg
  • %Program Files%\ConduitEngine\ConduitEngineUninstall.exe
  • %Program Files%\ConduitEngine\appContextMenu.xml
  • %Program Files%\ConduitEngine\engineContextMenu.xml
  • %Program Files%\ConduitEngine\EngineSettings.json
  • %Program Files%\ConduitEngine\ConduitEngineHelper.exe
  • %Program Files%\ConduitEngine\ConduitEngine.dll
  • %Program Files%\ConduitEngine\INSTALL.LOG
  • %User Temp%\BrotherSoft_Extreme.exe

Step 5

Scan your computer with your Trend Micro product to delete files detected as PUA.Win32.Conduit.GS. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

