OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Adware Removal Guide : Conduit

Published January 19th, 2014 at 9:48 AM EDT , modified January 8th, 2015 at 4:01 PM EDT

Conduit is a browser toolbar add-on that is often responsible for browser problems or ads. There are a number of different modified versions out there.

Removal

Delete any Conduit, MyBrand, Trovi or Search Protect browser extensions that you find, as well as any with a name ending in “Community Toolbar.” Examples of the latter include, but are probably not limited to, Genealogy Gems Podcast Community Toolbar, SB Tool Bar Community Toolbar, WiseConvert Community Toolbar, MovieBario Community Toolbar, Game Master 1.1 Community Toolbar and Elf 1.15 Community Toolbar. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths. Removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them.

/Library/InputManagers/CTLoader/
/Library/LaunchAgents/com.conduit.loader.agent.plist
/Library/LaunchDaemons/com.perion.searchprotectd.plist
/Library/Application Support/SIMBL/Plugins/CT2285220.bundle
/Library/Application Support/Conduit/
/Applications/SearchProtect.app
/Applications/SearchProtect/
~/Library/Application Support/Conduit/
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
~/Conduit/
~/Trovi/

Some of these items can only be deleted by an admin user, and will require entry of that admin user’s password to delete. You may not find all these items, but should remove all that you do find.

If you have Firefox installed, go to the following folder:

~/Library/Application Support/Firefox/Profiles/

Inside that folder, you will find another folder whose name begins with a series of random characters and ends with “.default”. Open that folder. Inside this folder, remove the following items:

abstraction.js
takeOverNewTab.txt
searchplugins/[any file with "Conduit" in the name].xml
searchplugins/MyBrand.xml

Finally, be aware that some variants of Conduit are known to modify the Firefox application itself. If you have Firefox installed, there is no easy remedy to this except to delete the Firefox application entirely and download it again from mozilla.org.

If you found the CT2285220.bundle SIMBL plugin earlier, you will probably want to remove SIMBL as well, unless you had it installed for a specific purpose. To remove SIMBL, move the following items to the trash:

/Library/Application Support/SIMBL/
/Library/LaunchAgents/net.culater.SIMBL.Agent.plist
/Library/ScriptingAdditions/SIMBL.osax

Restart your computer. After it starts back up, empty the trash to delete all the removed files.

You may also need to change the home page and search engine settings in your browser’s preferences.