Another Search Engine redirect Virus

My laptop got infected with a search engine redirect virus and a fake security protection virus. In fact, I think I had two search engine redirect viruses. For the past couple of days, I've been going crazy trying to restore the machine to good operating condition. Malwarebytes is my goto product when I suspect virus activity; and it did a great job removing the fake security virus, however the search engine redirects were elusive. I tried Malwarebytes, Microsoft Security Essentials, Super Anti-spyware, Spybot Search and Destroy, GMER, TDSSKiller FixTDSS, and finally Microsoft Fixit 52067, thinking that somehow my hosts file got corrupted. None of these could fix the problem.

The first thing I did was check IE's add-ons and saw an active add-on for CTHTML by Creative Technologies, Ltd. I know that I did not install this add-on. I manually explored the Windows system directories looking for any newly added files. First I looked in system32 then SysWOW64. Using Windows explorer I set the browser to sort by newest file date first. Lo and behold, in SysWOW64 I found a file called wscui32.dll that had been installed on Sept. 3, 2011. I knew that I did not install any system related products that day. When I viewed the file's metadata, the author is Creative Technologies, Ltd.--the same author of the unauthorized IE add-on. While I was fairly certain this was a suspect file, I didn't want to delete it straight out because there is a real Windows control panel widget called wscui.dll. I renamed the suspect file to wscui32.dont-use-dll. I then scanned the registry with CCleaner. Sure enough, there was a runtime loader entry pointing to wscui32.dll.

Unfortunately, that still did not resolve the problem with the search engine redirects which also infected Firefox. It didn't matter which search engine I tried either. No matter what I typed into the search bar, the first half-dozen or so directory returns were being redirected to adware sites. I kept searching the internet and stumbled across a product called unhackme by Greatis.com. Unhackme works differently from all other anti-malware products I tried, including Malwarebytes. Unhackme is a boot-watch utility that monitors the bootloader process as the machine is coming up. So I installed it and rebooted my machine.

The product discovered 8 suspicious processes and produced 1 warning. It provides a gui to scroll through the suspicious processes so you can decide whether they are legit or not. Seven of these processes are legitimate software products I installed. The 8th pointed to a process called c:\programdata\GoogleVerifyTray. I have no idea what this is and an internet search proved to be fruitless. I only know that I did not install anything by that name. The convincing factor that this is the virus is the fact that unhackme reported the author as Creative Technologies, Ltd.

I allowed unhackme to delete the file. It fixed the redirect issue. The problem I found is that while unhackme displayed a bootloader registry entry for this software on the screen, I can't find a reference to it in any log files. Maybe it's there and I just missed it, but I wish I had jotted it down so I could report it on this forum. The GoogleVerifyTray is a search engine redirect virus that is very difficult to root out and destroy. I hope Malwarebytes can successfully add it to its database.
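The manual triage the post above describes (sort System32 and SysWOW64 by newest write date, read the vendor from the DLL's version information, then look for the Run-key entry that loads it) can be scripted so the same check is repeatable and nothing is missed. The following is an added example written for this thread, not code from the poster, from Malwarebytes or from any tool named here. It assumes an elevated PowerShell session on the affected machine and a hypothetical 14-day look-back window; it also walks the Browser Helper Object keys, since the post found an unauthorized IE add-on from the same vendor, and records a SHA-256 per hit so the file can be looked up with an online scanner. It only reports; it deletes or renames nothing.

```powershell
# Added example (not from the forum post): list recently written DLLs in the Windows
# system directories and cross-reference them with autorun and BHO registry entries.
# Run from an elevated PowerShell prompt on the machine under investigation.
param(
    [int]$Days = 14,                                                       # look-back window (assumed)
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
)

$cutoff = (Get-Date).AddDays(-$Days)

# 1. Every DLL whose last-write time falls inside the window, with the vendor string
#    from its version resource, its Authenticode status and a SHA-256 for scanner lookup.
$recent = foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Written = $_.LastWriteTime
                Company = $_.VersionInfo.CompanyName   # free text set by whoever built the file; a hint only
                Signed  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. Per-machine and per-user Run/RunOnce values (including the 32-bit view).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = @()
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $autoruns += [pscustomobject]@{ Key = $k; Name = $name; Command = [string]$props.$name }
    }
}

# 3. Browser Helper Objects: each subkey is a CLSID whose InProcServer32 names the DLL IE loads.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($bk in $bhoKeys) {
    if (-not (Test-Path $bk)) { continue }
    foreach ($clsid in (Get-ChildItem -Path $bk).PSChildName) {
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        if ($srv) {
            $autoruns += [pscustomobject]@{ Key = $bk; Name = $clsid; Command = [string]$srv.'(default)' }
        }
    }
}

# 4. Report: newest first, then flag any recent DLL that an autorun or BHO entry loads.
$recent | Sort-Object Written -Descending | Format-Table -AutoSize Written, Company, Signed, Path
foreach ($r in $recent) {
    $leaf = Split-Path -Path $r.Path -Leaf
    foreach ($h in ($autoruns | Where-Object { $_.Command -match [regex]::Escape($leaf) })) {
        Write-Output ("LOADED AT STARTUP: {0} (SHA256 {1}) via {2}\{3} = {4}" -f $leaf, $r.SHA256, $h.Key, $h.Name, $h.Command)
    }
}
```

Two things to keep in mind when reading the output. The CompanyName field comes from the file's own version resource and can say anything, so a familiar vendor name is not evidence of legitimacy; the Authenticode status is the stronger signal, and a recently written, unsigned DLL that a Run key or BHO entry loads is the combination worth escalating. The script deliberately changes nothing, which matches the advice later in this thread not to delete files or edit the registry before a helper has reviewed the findings.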


Hello, and welcome to Malwarebytes, VFont:

Sorry to hear that your computer may be infected.

Alas, we cannot work on malware detection/removal in this part of the General MBAM forum.

The following information will help you get started on the cleaning process.

Excellent, self-help troubleshooting info for getting MBAM to run on an infected machine can be found here.

And there are specific, self-help malware removal instructions here.

If you would like expert assistance with cleaning your system, there are 3 support options from which to choose:

  • Option 1 -- Free, Expert advice in the Malware Removal Forum
  • Option 2 -- Free support for paying customers using MBAM PRO -- Contact MBAM Support via email
  • Option 3 -- Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in this General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so that a qualified helper can help you fix any malware related problems/infections you may have.

  • First, please print out, read and follow the directions here, skipping any steps you are unable to complete.
  • If the infection has so crippled the computer that you cannot follow most/all of the requested steps, then please just proceed as advised below:
  • Then please post a NEW topic here.
  • When posting your new thread, please make sure that, under "options", you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.
  • One of the expert helpers there will give you free, one-on-one assistance when one becomes available.
  • Please refrain from making any further changes to your computer such as (Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

IMPORTANT NOTE: Please DO NOT post back to your topic or "bump" it within the first 48 hours.

Replying to your own posts changes the post count from zero. Helpers are looking for topics with zero replies. If you reply to your own post, helpers may think that you're already being helped and thus may overlook your post. This will only delay your obtaining assistance.


  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
    Or
  • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer using MBAM PRO, you can contact the help desk at support@malwarebytes.org or here.

OPTION 3

If you would like to use the Malwarebytes Premium Services (Comprehensive solutions to all your computer support needs -- from installation and set-up to troubleshooting and tune-ups), please go to the Malwarebytes Premium Services support site.

Please be patient -- someone will assist you as soon as it is possible.

Thanks very much!

daledoc1

PS: Please use the zMn2t.jpg button instead of other ones when you reply here and at the other forums, so that it will be easier to read. :)


Hi, VFont:

Thanks for your very detailed account of your malware removal process on your computer.

You obviously spent a lot of time and effort to compose it after working hard to clean your system. :)

However, this particular sub-forum is designated for discussion of issues/problems with installing and running the MBAM program, and it does not deal directly with malware-related issues.

Additionally, unlike many computer forums (and even most of the sub-forums here at MBAM), the posting of malware removal advice by regular members is not permitted.

Only authorized, trained experts are permitted to assist with malware removal, and this support is provided in the Malware Removal forum.

If you have samples of a new malware threat you would like to submit for analysis to the MBAM engineers in the Research Center Forum, please read this sticky and then please start a new topic here.

The other expert members and MBAM staffers may have some additional information for you, as well. :)

I apologize for any misunderstanding and thank you very much for your consideration and for taking the time to describe your malware removal experience. :)

daledoc1


Whenever you suspect an infected file, upload it for analysis.

Many infections use random names.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

(file name goes here)

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html
