General Question

Hypocrisy_Central's avatar

Where is the slimy little bugger (malicious program) hiding?

Asked by Hypocrisy_Central (26879points) January 14th, 2015
12 responses
“Great Question” (3points)

This might seem like a boring dry question to some, but it can be beneficial if the right answers come, and you ever encounter the situation.

Somehow back around the 9th some malware, or whatever snuck pass all my security and attached itself in my system. Microsoft Security Essentials, Adaware, Spybot, and Malwarebytes all missed it and supposedly can’t find it. It has not seemed to affect anything but my Chrome browser running on Win 7 Pro. When I want to click onto a link, sometimes within the same Web site, this slimy, nasty, malicious program opens up and another tab or window and takes me to it, and I have to shut it down to get where I intended. I ran Hijackthis which gave me this result:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 8:10:17 PM, on 1/13/2015
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17496)

Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
F:\Installed from net\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
F:\Toolbox\Spybot – Search & Destroy\TeaTimer.exe
C:\Windows\System32\C2MP\TrayMenu.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\System32\taskmgr.exe
C:\Windows\explorer.exe
E:\Vault\Tools\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\taskhost.exe
D:\tools\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = _http://go.microsoft.com/fwlink/?LinkId=54896
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54748;https=127.0.0.1:54748
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 – BHO: Spybot-S&D IE Protection – {53707962–6F74–2D53–2644-206D7942484F} – F:\Toolbox\Spybot – Search & Destroy\SDHelper.dll
O2 – BHO: Groove GFS Browser Helper – {72853161–30C5–4D22-B7F9–0BBC1D38A37E} – C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD-4d91–8333-CF10577473F7} – C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 – BHO: URLRedirectionBHO – {B4F3A835–0E21–4959-BA22–42B3008E02FF} – C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O3 – Toolbar: Google Toolbar – {2318C2B1–4965-11d4–9B18–009027A5CD4F} – C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 – Toolbar: (no name) – {6c97a91e-4524–4019-86af-2aa2d567bf5c} – (no file)
O4 – HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe –s
O4 – HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 – HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 – HKLM\..\Run: [Ad-Aware Browsing Protection] “C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe”
O4 – HKLM\..\Run: [AdAwareTray] “F:\Installed from net\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareTray.exe”
O4 – HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 – HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 – HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 – HKLM\..\Run: [MSC] “c:\Program Files\Microsoft Security Client\msseces.exe” -hide –runkey
O4 – HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 – HKCU\..\Run: [SpybotSD TeaTimer] F:\Toolbox\Spybot – Search & Destroy\TeaTimer.exe
O4 – HKCU\..\Run: [uTorrent] “C:\Users\AsusHE\AppData\Roaming\uTorrent\updates\3.4.2_36802.exe” /MINIMIZED
O4 – HKUS\S-1–5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘LOCAL SERVICE’)
O4 – HKUS\S-1–5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘LOCAL SERVICE’)
O4 – HKUS\S-1–5-19—{ED1FC765-E35E-4C3D-BF15–2C2B11260CE4}-0\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ’?’)
O4 – HKUS\S-1–5-19—{ED1FC765-E35E-4C3D-BF15–2C2B11260CE4}-0\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ’?’)
O4 – HKUS\S-1–5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘NETWORK SERVICE’)
O4 – HKUS\S-1–5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘NETWORK SERVICE’)
O4 – HKUS\S-1–5-20—{ED1FC765-E35E-4C3D-BF15–2C2B11260CE4}-0\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ’?’)
O4 – HKUS\S-1–5-20—{ED1FC765-E35E-4C3D-BF15–2C2B11260CE4}-0\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ’?’)
O4 – HKUS\S-1–5-21–3121945578-4220466481–3813107283-1000—{ED1FC765-E35E-4C3D-BF15–2C2B11260CE4}-0\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User ’?’)
O4 – S-1–5-21–3121945578-4220466481–3813107283-1000—{ED1FC765-E35E-4C3D-BF15–2C2B11260CE4}-0 Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (User ’?’)
O4 – Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 – Global Startup: TrayMenu.lnk = C:\Windows\System32\C2MP\TrayMenu.exe
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 – Extra context menu item: Se&nd to OneNote – res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 – Extra button: Send to OneNote – {2670000A-7350–4f3c-8081–5663EE0C6C49} – C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 – Extra ‘Tools’ menuitem: Se&nd to OneNote – {2670000A-7350–4f3c-8081–5663EE0C6C49} – C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 – Extra button: OneNote Lin&ked Notes – {789FE86F-6FC4–46A1–9849-EDE0DB0C95CA} – C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 – Extra ‘Tools’ menuitem: OneNote Lin&ked Notes – {789FE86F-6FC4–46A1–9849-EDE0DB0C95CA} – C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 – Extra button: (no name) – {DFB852A3–47F8–48C4-A200–58CAB36FD2A2} – F:\Toolbox\Spybot – Search & Destroy\SDHelper.dll
O9 – Extra ‘Tools’ menuitem: Spybot – Search && Destroy Configuration – {DFB852A3–47F8–48C4-A200–58CAB36FD2A2} – F:\Toolbox\Spybot – Search & Destroy\SDHelper.dll
O11 – Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 – DPF: {D27CDB6E-AE6D-11CF-96B8–444553540000} (Shockwave Flash Object) – http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 – Protocol: IW231 – {1CD50F0B-C67D-4B01-A707–55573DACAADF} – “F:\Installed from net\Viewers and enhancers\ImageWalker231\ImageWalkerU.exe” (file missing)
O18 – Filter hijack: text/xml – {807573E5–5146-11D5-A672–00B0D022E945} – C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 – Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) – Adobe Systems Incorporated – C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 – Service: Google Update Service (gupdate) (gupdate) – Google Inc. – C:\Program Files\Google\Update\GoogleUpdate.exe
O23 – Service: Google Update Service (gupdatem) (gupdatem) – Google Inc. – C:\Program Files\Google\Update\GoogleUpdate.exe
O23 – Service: Google Software Updater (gusvc) – Google – C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 – Service: Ad-Aware Service 11 (LavasoftAdAwareService11) – Unknown owner – F:\Installed from net\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareService.exe
O23 – Service: SBSD Security Center Service (SBSDWSCService) – Safer Networking Ltd. – F:\Toolbox\Spybot – Search & Destroy\SDWinSec.exe


End of file – 8707 bytes

The entries in bold I eliminated per a Hijackthis analysis Web site, but the redirect is still there, and seem to be tripped by clinking links, but at least the popups are gone. The question remains, where is this slimy redirect program hiding?

Observing members: 0
Composing members: 0

Answers

SQUEEKY2's avatar

Did you make sure Malwarebytes was up to date?
I’m kinda shocked it got past Malwarebytes, but it can happen if the program isn’t kept right up to date.
Make sure all your protection is right up to date and scan again,I have been told some malware like to partly hide in windows office.

elbanditoroso's avatar

when it takes you to that bad site, are you getting a “real” URL? if so, you can put the URL in your hosts file with an address of 127.0.0.1 (loopback) which will defang the problem, although not solve it.

Have you checked your Chrome / Tools / Extension list to see if there is anything suspicious there? (Delete all the extensions and see if that makes it go away)

Hypocrisy_Central's avatar

@SQUEEKY2 I’m kinda shocked it got past Malwarebytes, but it can happen if the program isn’t kept right up to date.
Yeah….my computer tech buddy that knows way more than I do, swears by it, so I was surprised when it could not find it. I am no shrinking violet when it comes to rooting around my registry, but I have to know which specific keys to get rid of and what hierarchy they are under; if I can do that, this bug is toast.

I was more surprised Hijackthis came up dry, even after deleting the entries the analysis site said delete.

@elbanditoroso Have you checked your Chrome / Tools / Extension list to see if there is anything suspicious there? (Delete all the extensions and see if that makes it go away)

Cruiser's avatar

I saw a line including a “torrent” listing…that and numerous possibilities of an intrusion via email this so called bugger could have maliciously reset some setting in Chrome. This site has many potential fixes that sound promising…

Hypocrisy_Central's avatar

^ It kinda alludes to uninstalling Chrome, then re-installing it, I swished that idea around a bit but figured I would try to get rid of it before burning any forest down or nuking the OS back to the transistor age.

Cruiser's avatar

@Hypocrisy_Central I “nuked” chrome for similar reasons….though I nostalgically miss it, I have learned to surf bug free without it.

funkdaddy's avatar

Have you cleared Chrome’s browsing history? Sometimes these can be saved as a cookie plus some other items (like the shady proxy redirect you eliminated)...

So click the “settings bars” -> Settings -> Show Advanced Settings -> Clear Browsing Data

You’ll get a list of options, clear at least the top 4 (and any others you don’t mind losing) “from the beginning of time”... restart and you may be done. I don’t think you actually need to restart, but it makes me feel better.

If still no luck, I’d look in Add/Remove programs to see if anything was installed lately. A lot of things come with unexpected “help” programs that aren’t helping. Malwarebytes catches most as “PUP” files, but not all.

After that check the system logs (link to Microsoft’s explanation of how to get there and other info)... there’s a ton of stuff in there, so look for errors and warnings first. Most malware seems to bang around until it find something that works and that usually leaves a trail.

If nothing turns up, I’d make sure everything is updated (windows, software, and security software), then try your security programs one at a time. It seems like a lot are running at once.

If still no dice, these guys are awesome, but all volunteers, so it takes a while.

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

They’ll stick with you until it’s done though.

zenvelo's avatar

Here’s an article on fighting malware from the NY Times.

Hypocrisy_Central's avatar

VICTORY!!!! I believe the dragon has been slain. The measures aforementioned seemed to have worked. I think I failed to mention that along with those measures I cleared my cache and cookies. I found and removed folders Conduit, GetPrivate, SearchProtect, Protect, uenissales, uNiesaLes, unisealeS, and Wajam off my hard drive . I do not know what the heck they are supposed to do, I have not noticed any change other than no more redirects, so I guess I assassinated the correct folders, or certainly the redirectors. Check your machine, see any of them folders, I suggest terminate with extreme prejudice. TAKE THAT BUG PLANTERS! <fist pump>

Cruiser's avatar

@Hypocrisy_Central Before you turn off/restart your computer DO a backup of all pertinent data. I had a similar situation and was fist pumping during a restart only to be rewarded with a BSOD. Lost 6 mos of data….silly me.

elbanditoroso's avatar

@Hypocrisy_Central – do you know which of the different suggestions above was the one that actually fixed it?

Hypocrisy_Central's avatar

@Cruiser Before you turn off/restart your computer DO a backup of all pertinent data.
Well, my good fortune was nothing happened on the reboot other than no hijacking. I did not back anything up other than the restore point because I wasn’t removing or tinkering with any system files, or the registry, other than what Malwarebytes or Spybot removed.

@elbanditoroso *[…do you know which of the different suggestions above was the one that actually fixed it?
I believe, though not 100% certain, it had to do with the removal of Conduit, GetPrivate, SearchProtect, Protect, uenissales, uNiesaLes, unisealeS, and Wajam folders off my hard drive. Some of the other measures seemed to slow it down, but not kill it off completely. But once I checked the creation date of those folders and they were around the span that the trouble started, I figured I did not need them, and not knowing how they got there, seeing I did not place them there, I banished them to the recycle bin, but I remember way back when, the CoolWebSearch virus would regenerated upon reboot if it was anywhere on the hard drive, unless you had it completely off the hard drive, you could expect it to come back. I placed them in a folder on a thumb drive just in case they were connected to something I was using, but so far, I have not missed them, everything runs OK, and no more hijacks; guess I assassinated the right culprits.

Answer this question

Login

or

Join

to answer.

Mobile | Desktop


Send Feedback   

`