mlisowski
Level 7

Win 8.1 Internet explorer Hijack Search Protector PlurPush

Somehow this garbage got on my computer, which was redirecting (hijacking) the browser. Went through the normal uninstall process; the only thing it did was cause the malware to hide in the bowels of Windows. I ran a full scan with LiveSafe and it did not find/fix the issue. I had to go to bleeping computers to get advice and run AdwCleaner and MalwareBytes to get rid of this trash. Why did McAfee 1) not prevent the installation 2) fail to find and clean out all items below? Any program that hijacks the browser is a virus and should be identified and removed by LiveSafe.


0 Kudos
4 Replies
exbrit
Level 21

Re: Win 8.1 Internet explorer Hijack Search Protector PlurPush

It may act to you like a virus but it isn't classified as one.  It's annoying adware at worst and the above report shows it as a PUP or a "Possibly Unwanted Program".

There's an excellent removal guide here:  http://malwaretips.com/blogs/remove-plurpush-virus/

If you have something you could submit by all means submit it to McAfee Labs for analysis, see HERE.

Maybe they still need to add it to their database.

0 Kudos
catdaddy
Level 20

Re: Win 8.1 Internet explorer Hijack Search Protector PlurPush

If I may add to Ex_Brit's suggestion and comments. After observing your scanned files, there were additional (PUPs) quarantined as well, to include the "PUP.Optional.Conduit.A" toolbar. These are normally "bundled" with a program-software that a user has chosen to install.

Not only is the Removal Guide Ex_Brit suggested an excellent one, Microsoft Communities recommends it as well.  

Regards,

Catdaddy 

Cliff
McAfee Volunteer
0 Kudos
exbrit
Level 21

Re: Win 8.1 Internet explorer Hijack Search Protector PlurPush

I would add that you have to be extra alert for unwanted additional and usually optional downloads that are added  on to the item you actually want, usually to bolster their revenue in the way of advertising, but often with file-sharing for instance, you don't get that choice.  My advice in that case is simply not to download it.  Find a better source.

0 Kudos
catdaddy
Level 20

Re: Win 8.1 Internet explorer Hijack Search Protector PlurPush

Sorry for the additional post, seemed to not be able to edit my initial one. As Ex_Brit stated, one has to be careful when choosing a program to install. Here is the Microsoft Community article....

http://www.answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/pupoptionalcondu... or if this link is broken..

http://ri.search.yahoo.com/_ylt=A0LEVztQ_D5TeF0A2tpXNyoA;_ylu=X3oDMTEzazk5OGI1BHNlYwNzcgRwb3MDMQRjb2...   Sorry for the "Goobly-Goop"

Message was edited by: catdaddy on 4/4/14 1:40:58 PM CDT
Cliff
McAfee Volunteer
0 Kudos