8 Replies Latest reply on Oct 25, 2011 9:17 PM by Hayton

    Mcafee can't find google redirect - keep getting infected

      Hello,

      I've been dealing with the Google redirect for about 2 weeks now and can't seem to find the source. When I run McAfee it removes tracking cookies, but then I continue to pick up problems due to being redirected to malicious pages.

      I've scanned with Stinger and TDSSKiller and have had negative results with both.

      I've checked for additional hosts but have none.

      Any advice?

      Thanks!

        • 1. Re: Mcafee can't find google redirect - keep getting infected
          spc3rd

          Hi Ecotramp!

          Sorry to hear of the redirect problems you are experiencing. Unfortunately, no single antivirus program will necessarily detect every piece of malware floating around the Internet these days. It's a good idea to also have an antimalware program available to supplement your major AV software.

          Have you tried downloading and running a full scan with an anti-malware program such as Malwarebytes? (Malwarebytes has both a FREE and paid version. You only need the FREE version.)

          The Malwarebytes program can be downloaded at the following link:

          http://www.malwarebytes.org/


          Message was edited by: spc3rd on 10/22/11 7:01:17 PM EDT
          • 2. Re: Mcafee can't find google redirect - keep getting infected
            k3tg

            This document from McAfee will assist with the issue you are experiencing

            Required Reading - Home User Assistance Malware Troubleshooting

            • 3. Re: Mcafee can't find google redirect - keep getting infected
              Peter M

              Moved to Malware Discussion > Home User Assistance as a more appropriate spot.

              Some tools here: https://community.mcafee.com/docs/DOC-2168

              Message was edited by: Ex_Brit on 23/10/11 7:18:10 EDT AM
              • 4. Re: Mcafee can't find google redirect - keep getting infected

                Thanks for the responses, but the problems are getting worse...

                In safe mode I ran a full scan, Stinger, and GetSusp. Stinger did not find anything, the scan found some tracking cookies, but GetSusp found a trojan and winupd.exe.

                Winupd.exe (with some number variant) tries to load every time I start my computer and turns on automatically. I can turn it off in the processes, which stops it from attempting to run, but I can't get rid of it.

                GetSusp says it's in my appdata/temp, but I cannot find it there. When I search I can find the shortcut which causes it to turn on when I log in, but I can't find the exe file.

                After running in safe mode my Windows does not have a registry key as I deleted temp download files (can this result in losing the registration key?).

                The Google redirect is still there as well.... It was through the redirect that I was infected with winupd.exe (I was redirected to a website and was smacked with 4 boxes of winupd trying to run).

                Below is an excerpt from the GetSusp log. I managed to delete the dll and an earlier copy of the winupd, but cannot find the one listed here (even when searching in the temp)?

                C:\PROGRA~1\MI1933~1\Office12\MLSHEXT.DLL ... is OK.
                C:\PROGRA~1\MI1933~1\Office12\OLKFSTUB.DLL ... is OK.
                C:\PROGRA~1\MI1933~1\Office12\ONFILTER.DLL ... is OK.
                C:\PROGRA~1\WI4EB4~1\wmpband.dll ... is OK.
                C:\Users\Dustin\AppData\Local\Temp\winupd.exe ... is Suspicious !!!
                C:\Users\Dustin\AppData\Local\usrGLhid\DirectEventxx.dll ... is Suspicious !!!
                C:\Windows\ehome\ehPrivJob.exe ... is OK.
                C:\Windows\ehome\ehRecvr.exe ... is OK.

                Thanks for your help!!

                • 5. Re: Mcafee can't find google redirect - keep getting infected
                  Peter M

                  Which Stinger did you use? Also, did you use GetSusp to submit files to McAfee? It detects anything suspicious but can't clean anything.

                  I suggest using the FakeAlert Stinger followed by the free Malwarebytes (after updating it). See the link I posted for the download links.

                  Message was edited by: Ex_Brit on 24/10/11 7:07:58 EDT AM
                  • 6. Re: Mcafee can't find google redirect - keep getting infected

                    Sorry Ex_Brit, I'm still not getting anywhere. I ran Stinger FakeAlert followed by Malwarebytes... nada.

                    When I turn on my comp in normal mode I first can't access my product key, then I am prompted to allow winupd.exe to open. Winupd shows in my processes where I can manually shut it down. I deleted the two suspicious files above that GetSusp found, but did not touch the other two (related to an HP printer).

                    No search discovers winsusp anywhere.....

                    What's going on?

                    Thanks

                    • 7. Re: Mcafee can't find google redirect - keep getting infected
                      Peter M

                      Rather than go to virus removal, which is a chargeable service, you could try this.

                      Post a HijackThis log on one of the following forums for expert advice. They may, depending on what they see, suggest various tools or procedures which we can't really recommend here.

                      HIJACKTHIS

                      This is an old tool but still useful where all else fails and you need something to gather information to obtain help elsewhere. Run "HijackThis" and post its log on one of the specialist forums below to see what action is recommended. They will check it and help you get rid of whatever ails your machine. Don't try to fix it yourself.

                      It has been updated to be compatible with Windows 7 and still serves a useful purpose in getting the ball rolling with help in the forums mentioned below. Any other tools will be recommended by them in due course of the investigation.

                      Note: HijackThis is not intended as a removal tool per se, and should only be used under the guidance of the specialist forums.

                      DOWNLOAD HIJACKTHIS

                      Do not post HijackThis logs here, we can't help you with those!

                      Post the logs at a specialist forum:

                      AUMHA
                      BLEEPINGCOMPUTER
                      MAJOR GEEKS
                      MALWAREBYTES
                      MALWARE REMOVAL
                      SPYWAREHAMMER
                      SPYWARE INFO
                      WHATTHETECH

                      Be sure to read all the sticky announcements/instructions at the top of each malware forum!

                      • 8. Re: Mcafee can't find google redirect - keep getting infected
                        Hayton

                        Those two files detected by GetSusp are malware. ThreatExpert classes winupd.exe as:

                        A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

                        Kaspersky knows it as "Backdoor.Win32.Agent.bitb". McAfee's name for it will be different - I haven't found it yet.

                        A file with the same name is associated with a program called "Generic Trial Program Starter" from ILYA-Corp. Soft Group, a Russian (?software house), according to Runscanner; ILYA's product page contains the warning

                        DO NOT USE THIS TOOLS FOR COMMERCIAL hacking software products

                        - so possibly someone has done just that.

                        winupd.exe is invoked at startup by an instruction placed in the registry. What is unusual is that the file is in ...\appdata\local\temp, where it can be easily deleted. Previously it was being dropped into the ...\system32 folder. The ThreatExpert submission report (HERE) confirms that this is where the file is now being dropped, which perhaps indicates that it is expendable once it has been created and has run.

                        See this submission report for DirectEventxx.dll. The analysis of reports of winupd.exe (HERE) lists malware with which it is or has been associated. McAfee links it with at least four different instances of malware.

                        These files have been known to crash Firefox. If that happens on your machine, see http://support.mozilla.com/en-US/kb/Firefox%20crashes/discuss/1877 for advice on a quick fix.

                        I would have thought that by now McAfee would have included the malware that is causing this in the latest DAT file. Try updating McAfee to get that latest DAT, and then run a full scan and see if anything is detected. Then get hold of CCleaner (the free version) to purge all your temp files, cookies, and browser cache files. Check as many boxes in the list on the left as you want, but leave unchecked the one beside 'McAfee AntiVirus' (in 'Applications') or you'll lose all your log files; and you might need those. Same goes for the Windows log files.

                        To prevent the exe being invoked at startup you could disable it in Autoruns (other utilities allow you to do that, but Autoruns is extremely informative about everything that gets invoked at startup).
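The last two replies both come down to the same question: what launches winupd.exe at logon, and does its target still exist on disk? The script below is an added example for readers of this thread; it is not code from the original posts, from McAfee, or from Sysinternals Autoruns. It reads the Run/RunOnce registry values and the per-user and all-users Startup folders, resolves each entry to an executable path, and flags any target that sits under a user-writable Temp or AppData folder, which is where the GetSusp log above located winupd.exe. It only reports; it changes nothing. The list of registry keys and the "suspicious" path fragments are my own choices, not something the thread specifies.

```powershell
# Added example (not from the thread): list common Windows autostart entries and
# flag targets living in user-writable Temp/AppData folders. Read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Per-user and all-users Startup folders (where a .lnk like the one the poster found would sit).
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Path fragments that are unusual for a legitimate autostart target (assumed list).
$suspiciousFragments = @('\AppData\Local\Temp\', '\Temp\', '\AppData\Local\', '\AppData\Roaming\')

# Properties Get-ItemProperty adds on its own; they are not registry values.
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-TargetPath {
    param([string]$Command)
    # Reduce a Run value such as '"C:\x\y.exe" /arg' or 'C:\x\y.exe /arg' to the executable path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $idx = $cmd.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $cmd.Substring(0, $idx + 4) }
    return ($cmd -split ' ')[0]
}

function Test-SuspiciousTarget {
    param([string]$Path)
    foreach ($frag in $suspiciousFragments) {
        if ($Path -like "*$frag*") { return $true }
    }
    return $false
}

function New-Finding {
    param([string]$Location, [string]$Target)
    # 'Exists' is worth reporting on its own: a startup entry whose target is gone
    # matches the thread's description of a dropper that deletes itself after running.
    [PSCustomObject]@{
        Location   = $Location
        Target     = $Target
        Exists     = [bool]($Target -and (Test-Path -LiteralPath $Target))
        Suspicious = Test-SuspiciousTarget -Path $Target
    }
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMetadata -contains $p.Name) { continue }
        $target = Get-TargetPath -Command ([string]$p.Value)
        $findings += New-Finding -Location "$key\$($p.Name)" -Target $target
    }
}

$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    if (-not ($folder -and (Test-Path $folder))) { continue }
    foreach ($item in Get-ChildItem -Path $folder -File) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {
            # Resolve the shortcut to the program it actually launches.
            $target = $shell.CreateShortcut($item.FullName).TargetPath
        }
        $findings += New-Finding -Location $item.FullName -Target $target
    }
}

# Suspicious entries first; a missing target (Exists = False) is itself a clue.
$findings | Sort-Object Suspicious, Exists -Descending | Format-Table -AutoSize
```

Run it from an ordinary PowerShell prompt; an elevated prompt is only needed if the HKLM keys are locked down. Scheduled tasks, services and the other autostart locations that Autoruns covers are deliberately left out to keep the script short, so a clean report here does not mean the machine is clean; it means the Run keys and Startup folders are.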