Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Malicious Software Removal Tool 5.43 released

14 Dec 2016   #1

64-bit Windows 10 Pro
Malicious Software Removal Tool 5.43 released

In this month’s Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need.

BrowserModifier:Win32/Clodaconas, for instance, displays ads when you’re browsing the internet. It modifies search results pages so that you see unsolicited ads related to your searches.

For example, if you were looking for a gift to give a loved one this holiday season and are searching for “fitness tracker”, your search results page might contain an ad like this:

Figure 1. Ads injected by Clodaconas to search results for “fitness tracker”

It can also add pop-up ads when you’re visiting online retailer websites. For example, if you previously searched for “TV”, and then visited an online shop, the threat may display the following ad:

Figure 2. Pop-up ad injected by Clodaconas to online retailer pages

BrowserModifier:Win32/Clodaconas does this by hijacking your domain name server (DNS) settings.

Injecting ads through DNS hijacking

When you browse the Internet, your PC contacts a DNS server to resolve the domain of the website you’d like to access. The DNS server returns the IP address of the website, which your PC then accesses to get the content to display.

Figure 3. Normal domain name resolution by legitimate DNS servers

BrowserModifier:Win32/Clodaconas compromises this process to inject ads. It modifies DNS settings in your registry so that they point to a rogue DNS server. All DNS queries are therefore redirected to this DNS server, which resolves specific domains to the IP address of another attacker-controlled server.

This results in a man-in-the-middle (MITM) attack. Instead of getting content directly from the server of the website you’re accessing, your PC gets content from the MITM server. It contacts legitimate websites to get the actual content you’re looking for, but modifies it before it is displayed on your browser. This is how the unwanted ads are displayed on your search results pages or on online retail websites.

Figure 4. In DNS hijacking, DNS requests are redirected to a rogue DNS server

This method of injecting ads meets the evaluation criteria that Microsoft Malware Protection Center (MMPC) uses for identifying unwanted software. This threat modifies webpage content without your consent. It also does this without using the browser’s supported extensibility models, hence our classification of this program as unwanted software.

Using rogue root certificate

Many websites use SSL encryption to protect transactions. This mechanism also prevents the modification of content served by websites. Browsers check the validity of a website’s SSL certificate against trusted root certification authorities’ certificates stored on your PC. Browsers show a warning page or icon if a website’s certificate is not trusted.

To avoid triggering this alert, BrowserModifier:Win32/Clodaconas installs a root certificate as a trusted root certification authority. With the rogue root certificate installed, ads can be injected into encrypted content and still appear valid to the browser.

MSRT removes Clodaconas

This month, we’re adding detections for BrowserModifier:Win32/Clodaconas to Microsoft Malicious Software Removal Tool (MSRT). If your PC is infected with this threat, run MSRT to remove all related files and restore all system modifications on your PC.

You may need to clear your browser cache after the threat is removed. The browser might still hold cache of a website you recently visited, so you might still see the ads.

Prevention, detection, and recovery

Stay protected from BrowserModifier:Win32/Clodaconas and other threats:
  • Keep your Windows operating system and antivirus up-to-date; if you haven’t already, upgrade to Windows 10.
  • Use Microsoft Edge. It can:
    • Help warn you about sites that are known to be hosting exploits and other threats
    • Help protect you from social engineering attacks such as phishing and malware downloads
    • Automatically detect bad changes and protect settings
  • Use the Settings app to reset to Microsoft recommended defaults if your default apps were changed.
    • Launch the Settings app.
    • Navigate to the Default apps page.
    • From Home go to System > Default apps.
    • Click Reset.
  • Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date.
    • If you are using Windows Defender, you can check your exclusion settings to see whether the malware added some entries in an attempt to exclude folders from being scanned.
      • To check and remove excluded items in Windows Defender:
        1. Navigate to Settings > Update & security > Windows Defender > Add an exclusion.
        2. Go through the lists under Files and File locations, select the excluded item that you want to remove, and click Remove.
        3. Click OK to confirm.
  • Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection settings is turned On.

Jody Koo

Source: MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking Microsoft Malware Protection Center

See also:

My System SpecsSystem Spec
14 Dec 2016   #2

Windows 7 Professional X64 Service Pack 1

Thanks Brink, great info.
My System SpecsSystem Spec
14 Dec 2016   #3
michael diemer

Windows 7 x64 SP1

Is this included in the December Security Only Update? Or do I need to install it separately?
My System SpecsSystem Spec

14 Dec 2016   #4

Windows 7 Home Premium 64 bit sp1

Quote   Quote: Originally Posted by michael diemer View Post
Is this included in the December Security Only Update? Or do I need to install it separately?
The Windows Malicious Software Removal Tool is shown as a separate item in this months Updates & is listed as KB890830 for the 64 bit computers.

If you download the December Updates you will see it listed.

If you install it, it is not shown in Installed Updates, so keep that in mind.
My System SpecsSystem Spec

 Malicious Software Removal Tool 5.43 released

Thread Tools

Similar help and support threads
Thread Forum
Malicious Software Removal Tool 5.45 released
Source: See also: Download Malicious Software Removal Tool from Official Microsoft Download Center Malicious Software Removal Tool - Use in Windows -...
Malicious Software Removal Tool?
Hi All. In a recent thread I got a pretty good lesson on Windows Defender. I just did a Windows Update and it had an update for Malicious Software Removal Tool, which I installed. I've never run this, nor have I known it to run. I looked in Control Panel and didn't find it. Where is it? ...
System Security
Malicious Software Removal Tool
Every time I log in recently the system asks me whether I want to install the Malicious Software Removal Tool. I do not want to do so. Where is this message coming from and how can I get rid of this message?
System Security
Malicious software removal tool ?
Malicious software removal tool x64 how does someone run it manually ?
System Security
Malicious Software Removal Tool
How to Download and Use Microsoft Windows Malicious Software Removal Tool This will show you how to open and use the Malicious Software Removal Tool (MSRT) to manually run scans for and automatically remove malicious software in XP, Vista, Windows 7, and Windows 8. For more information and...

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 22:41.
Twitter Facebook Google+