I have a lot to update you with. Thanks for working with me, but I would like McAfee to please take a look at some files that I believe to be malicious viruses or trojans on my computer.
I discovered these while running some other virus checks that were recommended on the Internet - such as SuperAntiSpyware. It discovered a number of "Gen" trojans, and as it detected them, I got a real time alert from the McAfee software that found these files in my c:\windows directory. It called them Hiloti.gen trojans.
I looked inside my c:\windows directory, and I see an entire list of files with .dll extensions that I don't recognize, such as ajupusovo.dll and atoqomicelote.dll - all of the file names are nonsense. I have attached some of these file samples for McAfee to check, because although it seems to have identified some of these, there are still others that it claims are clean, but clearly they look malicious. Here is what they look like in notepad. Note that they are invoking a website that looks like it will upload something.
I plan to delete these files, but I wanted McAfee to be able to study them if necessary to make your software more robust. Please let me know if I should proceed with deleting these files manually.
Message was edited by: Brian Mann on 12/2/09 8:10 PM
Message was edited by: Brian Mann on 12/2/09 8:14 PM
I removed the attachments that you made in the post. You should never attach possible malware to these, or any other communities because you open up others to infection by doing so. Anybody could have downloaded those without paying attention and accidentally infected themselves.
To submit samples for review, there is a process that can be followed to ensure everything gets safely to McAfee Labs. Please see http://vil.nai.com/vil/submit-sample.aspx for how to submit samples.
My sincere apologies, Brian. Let me know if there is anything I can do to be helpful. I'd like to rid myself of these issues with my computer, and it sounds like others on this forum are having similar symptoms. I'll follow up with the link you provided and let you know how it goes.
This sounds like a difficult one to solve, since McAfee software isn't detecting any problems with these files, but it seems clear that they shouldn't be on my computer.
No problem Jeffrey, no harm meant, but just wanted to make sure we're all safe.
I did grab the files to look at first; they do seem like Hiloti.gen threats. They do create random dll names in locations like you mentioned.
What I find interesting is that you mentioned that the real time scanner triggered when you were running the other program. We triggered to scan them since that app was touching them as part of its scan. If real time was detecting them we definitely should be able to detect with our On Demand Scan as well.
Not sure how familiar you are with taking a look at your registry, and wouldn't recommend messing around with it if you aren't comfortable. If you are comfortable, launch Regedit and take a look at keys like:
Under both of those you may find some gobbledygook names. An example of what you may see would be:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\bditihikilug\ "grekunodijipat = 54
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\run\ "sbafoberebe = rundll32.exe "c:\windows\qsameb.dll",e "
If you see any filenames (like the qsameb.dll in the above example) be sure to send us those as well.
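The Run-key check described in the post above can also be done read-only from PowerShell. This is an added example, not part of the original thread and not McAfee's tooling; it assumes the HKLM Run key from the post's example, and the Authenticode signature check is an addition of this example.

```powershell
# Added example (not from the thread): read-only review of the Run key from the post.
# It changes nothing; it only lists rundll32 launchers and the DLL each one loads.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$winDir = $env:windir.TrimEnd('\')

$key = Get-Item -Path $runKey
foreach ($name in $key.GetValueNames()) {
    $cmd = [string]$key.GetValue($name)

    # Match entries shaped like the post's example:
    #   rundll32.exe "c:\windows\qsameb.dll",e
    if ($cmd -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)') {
        $dll = [Environment]::ExpandEnvironmentVariables($Matches[1])

        # Signature status of the DLL on disk (assumption of this example:
        # an unsigned DLL sitting directly in the Windows root deserves a look).
        $status = 'FileMissing'
        if (Test-Path -LiteralPath $dll) {
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status
        }

        [pscustomobject]@{
            ValueName     = $name
            Dll           = $dll
            InWindowsRoot = ((Split-Path -Path $dll -Parent).TrimEnd('\') -ieq $winDir)
            Signature     = $status
            Command       = $cmd
        }
    }
}
```

Entries reported with `InWindowsRoot` true and a signature status other than `Valid` are the filenames worth sending through the sample-submission process linked earlier in the thread.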
Brian, you are right! I do see one piece of nonsense in this directory. It is a folder called "pfesulodupokid". Most of the values are hex, but I do see a string name for "chrome.exe", which is my browser, so this might be the culprit. Is it ok for me to delete the entire "folder"? For example:
I do not see anything immediately suspicious in the \run directory, though.
Just be careful
You want to make sure that you click on pfesulodupokid and it is highlighted before you hit that delete key.
After you do, reboot the system and see if that key comes back. If so, then we'll have to dig deeper to see what is putting that k
I looked through the rest of the CurrentVersion folder, and can't find anything else suspicious. I've rebooted since deleting the previous item, and all seems well in windows, except the original problem - which is that my browser continues to redirect from search links.
You mentioned something earlier called the "On Demand Scan". Where can I find this scan, so I can try it as a next step?
Message was edited by: Jeffrey Howard on 12/2/09 10:21 PM
Brian or whomever can help,
I've been able to isolate the virus's redirection process, by hitting the escape key immediately after clicking on any of the Google search links that come up when I perform an Internet search. What happens is that I click on the link, and it sends me to a random search engine, such as the following (I edited the dot and slash to avoid compromising security with these):
Hopefully these are helpful in debugging my problem.
Essentially, these search engines then end up redirecting me to yet another random location, which is sometimes benign, and sometimes malicious. I tried searching for some of these strings in the registry, but no luck.
I tried to do what Jeffrey did and once came up with something that had "localhero" in it. However when I tried to do it again, Windows itself (I think?) came up with a bright red warning and warned me that I had 'dangerous' spyware on my computer. They identified them as something like this ... I'll keep it safe...
Soap Hoax Spyware
I don't know how to get to Win32, or to get into the registry... and probably shouldn't even try.
I'm going to hire a professional to try to solve these problems.
I'm afraid to even use my computer... am I unwittingly adding more every day???
And like others, my computer is essential to my work. Some help would be nice.
I've been doing a lot of research on the web. I've downloaded a lot of additional malware and spyware detection programs, and although I've been shocked by the amount of dormant infections on my computer (that McAfee had not found, I might add), none of the viruses I managed to clean had any positive effect on my problem with the Google search redirections. I can only conclude that I have caught a newer version of one of the viruses, and none of the applications out there are capable of fixing it. That sucks for me, and probably means I'll have to back up and nuke my system.
The best I could do was read up on my symptoms, and it sounds like I have a variety of the "Cool Web Search" virus, which are rapidly evolving and notoriously difficult to detect and/or eliminate. I've literally spent hours combing through my registry and looking for online help, and still my symptoms persist.
I would of course appreciate any help from the gurus on this forum, but I'm a bit disappointed to see no activity on this thread today, and I'm guessing that no one really knows the answer.
<sigh> that's ok. I'll look into rebuilding my system this weekend if there is no further advice to give....