Need help! I'm probably infected!
#1
Every time I open Chrome now there's a second tab going to searchfunmoods.com. After googling around I found out that it's a dangerous malware. However, it's also said that antivirus won't catch it and any of the manual removal instructions I found didn't help me at all!

I booted on safe mode with networking, but I found nothing suspicious at the task manager. I also found nothing on regedit. Nothing in my computer matches the instructions at all. So any help from here will be appreciated.

By the way, most instructions I found also refer to a "Live chat with experts to remove this threat" site. I tried going there once, but then I immediately found out that their help is not free. This kinda raised my suspicion that this malware might be actually harmless, but false news are made so people panic and consult the charged service, which will reap profits. Well, my mind is a mess now. =P
#2
If you can, try running this in Safe Mode: Spybot Search and Destroy.

http://www.spybot.info

This should clear things up. If not, try MalwareBytes' Anti-Malware.


Let me ask you this... did you download any software right before Chrome was hijacked?
I love foxes, especially the one in my avatar.
#3
Try running Combofix and Malwarebytes (but don't do that at the same time).
#4
I agree with Blake with this case. Download Combofix from Here, BleepingComputer.com (I don't trust other sites), put it in your C drive, then reboot into safe mode and run combofix. I recommend booting into safe mode because Combofix is slow and cannot reliably remove certain malware when Windows is in normal mode.

After that, download and run MalwareBytes as Blake suggested, or Spybot-SD. I recommend MalwareBytes because it's better supported, but Spybot-SD is a little bit more powerful.
The Best Medicine > Magic. Because SCIENCE! can prove the former.
#5
Also, after running those two, I recommend doing a HijackThis scan/log so we can assess whether there are still some leftovers.
#6
Thanks for the suggestions. I haven't done any of those yet because I don't really want to reboot. So I went straight to HijackThis. Please check if there's anything wrong at my current state.

Oh, and the only software download I've recently done was updating Chrome.

Quote:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:31:23, on 28/11/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\System32\wsqmcons.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.packardbell.com/?id=9525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.packardbell.com/?id=9525
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSD.exe"
O4 - HKLM\..\Run: [WisVoClt] "C:\Program Files\Launch Manager\WisVoClt.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EvolveClient] "C:\Program Files\Echobit\Evolve\EvolveClient.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Evolve Service (EvoSvc) - Echobit LLC - C:\Program Files\Echobit\Evolve\EvoSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Layanan Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Layanan Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

--
End of file - 10374 bytes
#7
Blackberry Bun wrote: Thanks for the suggestions. I haven't done any of those yet because I don't really want to reboot. So I went straight to HijackThis. Please check if there's anything wrong at my current state.

Hmmm, at a quick glance I can't see anything wrong. Not sure if the malware is hiding itself using a rootkit, though I doubt it.

Can you try uninstalling Google Chrome, deleting the C:\Program Files\Google Chrome directory, and then reinstalling?
The Best Medicine > Magic. Because SCIENCE! can prove the former.
#8
It also seems to me like there could be a rogue extension installed with Chrome. Some "free" extensions are really just malware that can cause problems such as that second tab opening to that shady search site. Normally, these types of Malware only seem to affect Chrome, but other times the rogue extension can be installed with outside software, or it may have come with Chrome itself if you didn't download it from Google.

Did you get Chrome from Google's website, or was it a third-party site? Shady third-party download sites have been known to pack malware or adware with software that you can otherwise get malware-free from their official sites.


For now, do what David said: uninstall Chrome, delete its program files directory, and reinstall it, and make sure you get Chrome from the official website, not any third-party site.
I love foxes, especially the one in my avatar.
#9
I ended up only changing the "On startup" setting on Chrome back to the way it was, and the additional tab never appeared again.

Quick conclusion:
The malware only edits Chrome's "On startup" setting to open a second tab to the fake site. The one who made the malware also wrote fake articles/blogs to spread rumors that it is a very dangerous malware that cannot be easily removed and that professional advice (which is not free and is referred to in the fake articles) is recommended. Clueless and panicked people will go there and pay, and then... Profit!

What do you say about my wild mind? :P
#10
Blackberry Bun wrote: I ended up only changing the "On startup" setting on Chrome back to the way it was, and the additional tab never appeared again.

Quick conclusion:
The malware only edits Chrome's "On startup" setting to open a second tab to the fake site. The one who made the malware also wrote fake articles/blogs to spread rumors that it is a very dangerous malware that cannot be easily removed and that professional advice (which is not free and is referred to in the fake articles) is recommended. Clueless and panicked people will go there and pay, and then... Profit!

What do you say about my wild mind? :P

It's great that you got the second search tab to disappear, but you still need to check if Chrome has any unusual extensions installed, and to scan your system to ensure that the malware that did change the On Startup setting is removed. It could still be there, and chances are, the second search tab may come back if you reboot.
I love foxes, especially the one in my avatar.
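The two checks the last posts ask for (is Chrome's "On startup" setting still pointing at an unexpected URL, and is there a sideloaded extension) can both be read straight out of Chrome's Preferences file, which is plain JSON at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences. The script below is an added example, not code from the thread; the sample Preferences content and the extension ids and paths in it are constructed, and the key layout shown is a simplified subset of the real file.

```python
import json

# Constructed sample of a Chrome "Preferences" file. Real files are far larger;
# only the keys this audit reads are included. Extension ids are placeholders.
SAMPLE_PREFERENCES = json.dumps({
    "session": {
        "restore_on_startup": 4,  # 4 = "Open a specific page or set of pages"
        "startup_urls": ["https://www.google.com/", "http://searchfunmoods.com/"],
    },
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "from_webstore": True,
            "manifest": {"name": "Example Webstore Extension", "version": "1.0"},
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "from_webstore": False,
            "manifest": {"name": "Search Helper", "version": "0.1"},
            "path": "C:\\Users\\user\\AppData\\Local\\Temp\\srchhelper",
        },
    }},
})

# Values Chrome stores for the "On startup" radio buttons.
STARTUP_MODES = {1: "continue where you left off",
                 4: "open specific pages",
                 5: "open the New Tab page"}


def audit_chrome_prefs(prefs_text, allowed_startup_urls):
    """Return (startup_mode, unexpected_startup_urls, suspicious_extensions).

    unexpected_startup_urls: startup URLs not in the caller's allowlist.
    suspicious_extensions: (id, name) pairs that were not installed from the
    Chrome Web Store or whose files live under a Temp directory.
    """
    prefs = json.loads(prefs_text)
    session = prefs.get("session", {})
    mode = STARTUP_MODES.get(session.get("restore_on_startup"), "unknown")
    unexpected = [u for u in session.get("startup_urls", [])
                  if u not in allowed_startup_urls]
    suspicious = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        name = ext.get("manifest", {}).get("name", "?")
        if not ext.get("from_webstore", False) or "\\Temp\\" in ext.get("path", ""):
            suspicious.append((ext_id, name))
    return mode, unexpected, suspicious


if __name__ == "__main__":
    print(audit_chrome_prefs(SAMPLE_PREFERENCES, {"https://www.google.com/"}))
```

Close Chrome before reading the real file so the on-disk copy is current; a startup URL you never set, or an extension that did not come from the Web Store, is what the last reply is asking you to look for.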