  1. #1
    New Lounger
    Join Date
    Jan 2005
    Posts
    14
    Thanks
    5
    Thanked 0 Times in 0 Posts

    What is SAPE.Conduit.33 and how to get rid of it?

    Four days ago Norton Internet Security popped up a "Threat Detected" window alerting me to the presence of SAPE.Conduit.33 and offering to "Fix" it. Normally the "File Insight" portion of this dialog tells me the name and location of the actual file containing the threat to help me decide what to do about it, but for this threat it offered no information. A search of my computer and the Registry found no reference to it (I didn't expect it to since that is Norton's name for the threat), and a search of the Internet found nothing except it is listed on Norton's website in a huge list of security threats, but with no further information. So I let Norton "Fix" it and it reported the threat resolved. When Norton scanned the next day it was there again. I "Fixed" it and it was back the third day. So I went online and used Norton's live chat service to let a technician help. He took control of my PC, then took more than an hour to download a scanner onto my PC and run it. It found nothing except three "suspicious items" which were programs that have been on my PC for years. Then he proceeded to delete the temp files and the Recycle Bin and then announced the threat was removed. He would not tell me where the threat came from or which file it was in, etc., no matter how many different ways I asked my questions. Well, this morning Norton scanned again and it is back.

    Does anyone know anything about this threat, and what to do about it? Thank you.

    Windows 7, no recently installed software, no known risky behavior.

    I've used Norton products since 1987 (remember Norton Utilities?) and this is the first time it has failed me.

  2. #2
    jwoods
    Guest
    Conduit is a browser hijacker and is usually installed as a drive-by download.

    Try the following...

    1. Download and run AdwCleaner.

    http://www.bleepingcomputer.com/download/adwcleaner/

    2. Download and run the free version of Malwarebytes Anti-Malware.

    https://www.malwarebytes.org/antimalware/

    3. Download and run JRT (Junkware Removal Tool).

    http://www.bleepingcomputer.com/down...-removal-tool/

    Some of these programs can take a while to complete, so be patient.

  3. The Following User Says Thank You to jwoods For This Useful Post:

    GeneS (2015-06-06)

  4. #3
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,486
    Thanks
    283
    Thanked 574 Times in 478 Posts
    It could easily be a false positive from Norton. Run Malwarebytes and post the log from it, please.

  5. #4
    jwoods
    Guest
    The OP said "So I went online and used Norton's live chat service to let a technician help. He took control of my PC, then took more than an hour to download a scanner onto my PC and run it. It found nothing except three "suspicious items" which were programs that have been on my PC for years."

    Surprising the tech would not know if it was an FP or not.

  6. #5
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,486
    Thanks
    283
    Thanked 574 Times in 478 Posts
    I'd be surprised if it was a tech...

  7. #6
    Super Moderator
    Join Date
    Aug 2012
    Location
    Durham UK
    Posts
    6,607
    Thanks
    147
    Thanked 869 Times in 831 Posts
    It sounds like he downloaded NPE and ran a Rootkit scan - which is probably why it picked up existing programs as it's quite an intrusive scan and has been known to take out or damage legit programs.

    I'm with Satrow on this in that it sounds like a FP.

    My Norton 360 gave me one for a short while whenever I went to bleepingcomputer.com to download AdwCleaner.

    Not sure if Symantec fixed that themselves but see if manually updating its Definitions does anything and go back to Norton and report it as a possible FP.
    Last edited by Sudo15; 2015-06-01 at 19:44.

  8. #7
    jwoods
    Guest
    It would be unusual for a FP to persist for four days.

    Nothing mentioned in the Norton forums since last year...

    https://community.norton.com/en/foru...search-toolbar
    Last edited by jwoods; 2015-06-01 at 21:07.

  9. The Following User Says Thank You to jwoods For This Useful Post:

    GeneS (2015-06-06)

  10. #8
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,486
    Thanks
    283
    Thanked 574 Times in 478 Posts
    Not really.

    If their 'techs' can't give a reason for the 'detection' or name the file that is the cause of the detection, then it's up to those affected by it to force the issue with Norton; that can take some time to get the FP resolved and removed, especially over a weekend period.

    The detection for this was only released 5/29/2015; removing temp files and PUPs that are years old, and yet the detection returns, doesn't instill any confidence in the product, their 'tech' training or the current 'detections'.

    Heuristics = guesswork.

  11. #9
    Super Moderator
    Join Date
    Aug 2012
    Location
    Durham UK
    Posts
    6,607
    Thanks
    147
    Thanked 869 Times in 831 Posts
    Quote Originally Posted by jwoods View Post
    It would be unusual for a FP to persist for four days.
    I think mine lasted for 3 or 4 days but when I was researching it, it seems that Symantec have generic names for certain Heuristics.

  12. #10
    New Lounger
    Join Date
    Jan 2005
    Posts
    14
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Thank you for your quick response. I apologize for my silence; I have been too busy to follow up till this morning. I have been running AdwCleaner before leaving for work and checking the results at night, and letting it delete items. After the first two scans/removals Norton still reported the Conduit malware. This morning I ran AdwCleaner until nothing showed up in results, ran a quick Norton scan and it found nothing. Then I ran AntiMalwareBytes and it found 9 more items, which I let it remove. Then I ran JRT and it found about a dozen more items (although some of them were just empty folders left over from other scans/removals). As soon as I can leave my computer for a few hours I will do a Norton complete scan. I will report back if there is anything new.

    I do not know what program installed the Conduit malware. The first actual program AdwCleaner wanted to remove was MyFree Codecs, which is installed with Kies, an application used to transfer data between Windows and my (first) Samsung phone. My new Samsung Galaxy does not need it so I deleted both Kies and MyFree Codecs. I also had several Firefox add-ons for validating websites I am working on. A bunch of Firefox items were deleted, especially by JRT. I don't know if that broke any of those Firefox add-ons; I'll check later. Anyway, I don't know where the malware came from, but Norton's tech support didn't help--you guys did!

    This is the first time I remember posting in the Windows Secrets Forum, although I have been a reader of the paid newsletter for many years. I was blown away by the nearly immediate response of all of you. From dealing with other forums in the past I expected to log in the next day or so to see if anyone posted anything, but I got an email a half-hour after I posted telling me there was a response. By the time I logged in there were multiple responses. You guys are amazing. Thanks very much.

    Best regards to you all,
    Gene

  13. #11
    New Lounger
    Join Date
    Jan 2005
    Posts
    14
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Hello All,

    Norton reported it back again yesterday morning. I haven't had time yet to re-run the three malware scans, but will report back after I do so, and after I let it run for a few days thereafter. Sigh.

    Thanks,
    Gene

  14. #12
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,486
    Thanks
    283
    Thanked 574 Times in 478 Posts
    Post or attach the resulting logs please, Gene; they might furnish enough clues that we can figure out where the problem is.

  15. #13
    New Lounger
    Join Date
    Jan 2005
    Posts
    14
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Once again, sorry for the delay. I am swamped with work and not getting to this. However, Norton has not reported the malware since my last report to you all on June 11, one week ago. So it may indeed have been a false positive. In any case I am not going to run the scanners unless it pops up again. Then I will run the scanners and post or attach the logs.

    I really appreciate the help here, and wish I had been courteous enough to respond more quickly. Thanks.

    Best regards to you all,
    Gene

  16. #14
    jwoods
    Guest
    Quote Originally Posted by GeneS View Post
    Once again, sorry for the delay. I am swamped with work and not getting to this. However, Norton has not reported the malware since my last report to you all on June 11, one week ago. So it may indeed have been a false positive. In any case I am not going to run the scanners unless it pops up again. Then I will run the scanners and post or attach the logs.

    I really appreciate the help here, and wish I had been courteous enough to respond more quickly. Thanks.

    Best regards to you all,
    Gene
    No worries.

    Glad to hear it appears to be resolved.

    I would recommend running Malwarebytes Anti-Malware scans at least once a week.

  17. #15
    Super Moderator
    Join Date
    Aug 2012
    Location
    Durham UK
    Posts
    6,607
    Thanks
    147
    Thanked 869 Times in 831 Posts
    It could have been a bad Definition update at the time that caused the alert and subsequent updates have ironed things out.
