Very difficult computer issue.

malikrthr

I am sorry for posting this long message everyone but I wanted to know if anyone has the time, can they please help me with a computer issue? Recently, I found out that the desktop that I built for the Trainz about 9 or 10 months ago has been having some problems. I use that computer for several things other than train simulation such as to download music, transfer pictures from my camera and basic internet browsing and it seems that the problem occurred when I downloaded a song for my iPod from a website two weeks ago. When I downloaded the song, along with it came a browser hijacker called Ueep.com. I noticed it last Saturday afternoon when I was on the desktop because I do not have time to go on it that often. Ueep.com looks a lot like Google.com but it is really Browser hijacker. It installed itself onto Google Chrome and Internet Explorer. I did not know what to do so I researched it and some people have said it’s a pretty nasty Trojan or Virus designed to use aggressive schemes or display ads designed to bring customers in and it seems that it is not easy to get rid of. So far I have not found any way to get rid of this for good. For now, I am not going to check my email or anything like that on the desktop until this is all fixed. I am only going to do that on the laptop that I use for school. I downloaded something called SpyHunter 4 and it found the infections but it wanted me to pay $40 to get rid of it. I would not do that so I downloaded Malwarebytes and it found some things and I got rid of what it found. I then rebooted my computer and went into the internet browsers and Ueep.com (Browser Hijacker) popped up again in Internet Explorer and Google Chrome. After that, I tried a program called Hitman Pro and that found some things and I got rid of what it found. 
So I tried one more thing that I found online called Yet Another Cleaner, and it has this option to lock my homepage as Google.com, lock my default browser as Google Chrome and lock my default search engine as Google Search. Though, I am afraid that “Yet Another Cleaner” is only a temporary fix. I wish I knew if this browser hijacker was completely out of my system though. I found the folder that contained that song I downloaded and a folder for the browser hijacker and deleted them. So far, Yet Another Cleaner seems to keep my homepage as Google instead of that nasty browser hijacker which is Ueep.com. Before, I had checked my settings for the homepage and it would say Google.com, but instead, Ueep.com showed up every time in Internet Explorer under "Manage Add-ons". There was an option to delete it but I found that it shows up under "Manage Add-ons" again soon afterward. I am not so sure if the problem is fully fixed or even fixed at all, so if anyone has the time, can they please help me? One more thing: when I open up Internet Explorer, every time, it asks me if I would like to make Internet Explorer my default browser, even though I use Google Chrome all the time. Is that supposed to happen? I do not use Internet Explorer that often. Under Manage Add-ons in the search provider section, under Google, there is another thing called Search the web and that is associated with Ueep.com. I don’t think this browser hijacker is fully out of my system but I do not want to try messing with things on the PC because I have been known to run into even bigger errors when I mess with things I never use. I was wondering if wiping or formatting my hard drive, getting rid of everything, and then using my Windows 7 disk to start all over would be the way to go. Please, if anyone has the time, can they please help me with this problem. I have searched online for solutions but none of them seem to really work.
It’s been about a week since I have been on the desktop I built and I am pretty scared to use it now because that browser hijacker may still be there. I did not know that downloading a song from unknown sites would bring something this troublesome to my computer. I just hope it’s not infecting my personal files or components of the computer such as the RAM, GPU, motherboard. Thank you for reading this everyone. Trying to think positively and I think there is hope. I will be very patient on this and hoping that I can have the first computer I built back to normal soon.
 
I would copy all the MP3, documents, videos, etc. that you want to keep to a location off the computer hard drive. Then reinstall Windows. Problem solved. By the way, for free, you could install Microsoft Security Essentials to thwart off threats.

Paul
 
The other thing to do once you get back to normal is set up a user account and use that for browsing the Internet, which prevents software from being installed. Provided you install Trainz not in its default location but under, say, c:\n3v it should work under a user account as well. I'd also go with Microsoft Security Essentials.

Cheerio John
 
Try this process here:

http://www.smithtechres.com/search.ueep.com-hijacker-removal.html

and this here:

http://www.bleepingcomputer.com/virus-removal/remove-antimalware-virus

(See notes below)
I also recommend that you try Process Explorer first to suspend and then delete the executable. www.systeminternals.com Look for Process Explorer. Before you run it, rename it to something else. After that I highly recommend running Rogue Killer, Combofix, RKill, and then Malwarebytes in that order.

Once you are sure your system is clear, run your own antivirus/antimalware product and let it do a full system scan.

Notes:

1) You may have to disable your System Restore. The reason is the malware may have been copied to the system backup if it has changed any executables or .dll files. These files are saved by the system in case of damage and are restored if they are deleted.

2) With Process Explorer, you can suspend the malware, don't kill it because it will come back, view the properties and go to where it is installed and delete the file. Usually they have long weird filenames made up of random characters.

3) Other useful tools are AutoRuns, and Procmon. These will show what is running and at startup. They can both be a bit daunting but they have filtering capabilities so you can narrow down your search.

4) You may need to run in Safe Mode. The recommended mode is Safe Mode with Command prompt. This is because you'll have access to the system tools but not load other things in which some malware can and do load even in Safe Mode now.

Good luck and post back your results.

John
 
Thank you everyone for the helpful advice. I will definitely make the switch back to Microsoft Security Essentials.

pdkoester: I am not sure if this hijacker will affect OS files and software but since that hijacker or virus is present in my computer, would it be safe to back up Trainz and my songs to a big flash drive? I do not want to run the risk of having infected files backed up to the computer if I have to reinstall Windows 7. I have several flash drives with a decent amount of storage space remaining.

Davesnow: I will soon give the Microsoft Security Scanner a go.

Johnwhelan: I have a 1TB hard drive. If it comes down to me having to reinstall Windows 7, do you know how I can go about doing that? How would I format or wipe the drive so nothing will be on it? Would it be like a fresh new start?

Thank you everyone for giving me this helpful advice. I will try it out one day next week if I have free time and hopefully I can continue to use the computer normally again soon.
 
The process I'd use would be install Microsoft Security Essentials and do a full scan. If you're lucky it might even clear the problem. I'd say you've a 50% chance it will clear the problem. I assume you're running Windows Update, if not then run it.

If it didn't clear the problem then try the Microsoft scanner http://www.microsoft.com/security/scanner/en-us/default.aspx

Reinstalling the operating system is the way to make sure it's gone but you need to reinstall all the software afterwards which can be a pain.

.mp3 files cannot infect your system. .cdp files cannot infect your system.

So try the first two first. In IE you can disable add-ons by the way so that might be a way to control it. If you aren't on IE 10 download it.

Cheerio John
 
I will try that route out. I have Internet Explorer 10 and in the Manage Add-ons section, I saw the UEEP homepage on the list under my default homepage URL which is Google. I deleted the Ueep from IE 10 add-ons but when I booted up my computer the next time, that UEEP add-on appeared on the list again. I will definitely make the move to Microsoft Security Essentials once I get on the infected computer next week.
 
Try just disabling it.

Cheerio John
 
It has been awhile but, as I recall, doing scans with the free Housecall from Trend Micro and the free MalwareBytes followed by a cleaning of the registry worked for me.
 
Try just disabling it.

Cheerio John

Ideally yes this is the thing to do, but the way it works stinks. The malware puts a Trojan Horse somewhere in the system, usually in the system's default user profile or in Windows/System32. It then uses registry hacks to auto start so that the malware is forever there no matter how much the home page is changed, or the temporary files are deleted.

By disabling the Trojan, which usually has a weird, random letter number, really long name, this effectively kills their scheme. Once disabled it is fairly easy to remove the bug.

Here's a link to Sysinternals' Mark Russinovich's own blog on malware removal. Also check out his "Case of the Unexplained" series from MS Tech-Ed. He goes into some extensive detail on this stuff in the videos (sometimes to the snoozy point) on how to go about using his tools to remove the bugs. I actually found his methods very helpful in removing the garbage we now see in machines. At this point, I have a 98% success rate in malware removal using his method as well as the one I outlined above.

Mark's blog post on scare-ware - Your machine is infected (not!) with malware and the new ransom-ware. The techniques outlined here work the same for hijacks such as Ueep.

http://blogs.technet.com/b/markrussinovich/archive/2013/01/07/3543763.aspx

Mark's Webcasts. Great learning, but a bit dry. He tries to make the stuff interesting and yes, he really does have a great sense of humor. :)

http://technet.microsoft.com/en-us/sysinternals/bb963887

John
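Notes 2 and 3 in the earlier post and the paragraph above both come down to the same triage question: of everything an auto-start list (Autoruns, the Run keys) shows, which items have the "long weird filename made up of random characters" and run from a user profile or temp folder with no publisher signature? The script below is an added example of that triage, not code from the thread or from Sysinternals. The `AutorunEntry` fields, the entropy and vowel-ratio thresholds in `looks_random`, and every name, path and signer in `SAMPLE_ENTRIES` are my own constructed values; feed it entries copied off a real autorun listing and it reports which ones deserve the suspend-then-delete treatment.

```python
import math
import ntpath
import re
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    """One auto-start item, as read off Autoruns or a Run key (field names are my own)."""
    location: str    # registry key or startup folder that launches the item
    name: str        # value name / shortcut name shown in the autorun list
    image_path: str  # executable or DLL that actually gets loaded
    signer: str      # publisher from the digital signature, "" if unsigned


# Folders a legitimate service rarely starts from but droppers commonly use
# (the "default user profile" remark above; assumed list, extend as needed).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\users\\default\\", "\\temp\\", "\\programdata\\")


def shannon_entropy(text: str) -> float:
    """Bits per character: 'aaaa' scores 0, sixteen distinct characters score 4."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for a generated name: high entropy plus few vowels or a letter/digit mix.

    Product names are pronounceable and rarely mix digits into a word, so they fail at
    least one of the two tests even when their entropy is high.
    """
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name).lower()   # drop .exe/.dll
    if len(stem) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in stem) / len(stem)
    mixed = any(ch.isdigit() for ch in stem) and any(ch.isalpha() for ch in stem)
    return shannon_entropy(stem) > 3.3 and (vowel_ratio < 0.2 or mixed)


def triage(entries):
    """Return {entry name: [reasons]}; an empty list means nothing stood out."""
    report = {}
    for e in entries:
        reasons = []
        file_name = ntpath.basename(e.image_path)
        if looks_random(e.name):
            reasons.append("random-looking entry name")
        if looks_random(file_name):
            reasons.append(f"random-looking file name {file_name}")
        lowered = e.image_path.lower()
        if not e.signer and any(d in lowered for d in SUSPICIOUS_DIRS):
            reasons.append("unsigned and runs from a user-profile/temp directory")
        report[e.name] = reasons
    return report


def flagged(entries):
    """Names of the entries worth suspending in Process Explorer and locating on disk."""
    return [name for name, reasons in triage(entries).items() if reasons]


# Constructed sample list: names, paths and signers are made up for the demonstration.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    AutorunEntry(RUN_KEY, "SecurityHealth",
                 r"C:\Program Files\Windows Defender\MSASCuiL.exe", "Microsoft Windows"),
    AutorunEntry(RUN_KEY, "GoogleUpdate",
                 r"C:\Users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe", "Google Inc"),
    AutorunEntry(RUN_KEY, "x7q9mzk3vw2",
                 r"C:\Users\Default\AppData\Roaming\x7q9mzk3vw2.exe", ""),
    AutorunEntry("IE Browser Helper Object", "Search the web",
                 r"C:\Windows\System32\jk4h2lq9pzty.dll", ""),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{name:16} {'; '.join(reasons) or 'nothing unusual'}")
```

A signed updater living under AppData is deliberately not flagged on its own: plenty of legitimate per-user software installs there, and the signature is what separates it from a dropper. The heuristic is a prioritisation aid, not proof; the disabled entry still has to be confirmed against what the machine actually does after a reboot, as the post above describes.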
 
It has been awhile but, as I recall, doing scans with the free Housecall from Trend Micro and the free MalwareBytes followed by a cleaning of the registry worked for me.

This sometimes works, but many times these new bugs fake out the installed antimalware products into thinking everything is okay. Usually after the bug has been killed though, the installed antimalware program will find the pieces and clean up the mess.

John
 
It's very important, when installing any software or programme, to pay close attention to any ticked boxes you see, as if you go ahead at breakneck speed you may have agreed to install this garbage. Similarly, when software offers you "Express" or "Custom" installation you should always choose Custom as the malware is hidden inside Express.
 
Very true, especially with the new tack-on-ware that companies appear to be adding on lately. A good example of this is IObit with the Ask Toolbar add-on for IE. Who wants something like that to slow down the browser when all I want to do is defrag my drive with Smart Defrag? I've also run into this with Oracle. They want to add on the Bing toolbar when installing Java.

John
 
It's interesting that I read about Microsoft Security Essentials here. In a recent antivirus test by Dennis Publishing, which owns quite a few UK tech magazines including Computeractive, Microsoft Security Essentials came last at 50-something percent. In addition to this, according to a Computeractive article, Microsoft has also stated that they are no longer improving their Security Essentials product, concentrating instead on collecting data for other antivirus providers to improve their products.

Shane
 
OK, I have performed several operations on the PC, starting at 5am and just finishing at 5:15pm. First I downloaded all the tools from my laptop, copied them to the flash drive and transferred them over to the infected PC. After that I ran a quick scan with Microsoft Security Essentials and that did not detect anything. Following that I ran a full scan with Microsoft Security Essentials and that did not detect anything either. So I tried out the Microsoft Safety Scanner to see if it would detect any form of virus, spyware or unwanted software on my infected PC. The Microsoft Safety Scanner quick scan did not detect any infected files. I then ran a full scan with the Microsoft Safety Scanner to see if it would detect anything but it did not. Now onto the next phase of this cleanup: I booted the PC and then followed the instructions from bleepingcomputer.com


1. First, I ran the ADW Cleaner and then I got the log file. Just out of curiosity, it seems there is something called appdata/roaming/mozilla/firefox/profiles/extensions/prefs.js for Mozilla Firefox and appdata/local/google/chrome/userdata/default/preferences for Google Chrome. What do those lines mean? I pressed the clean button and ADW Cleaner wanted me to reboot the PC. I then rebooted to Safe Mode with Networking and scanned with the ADW Cleaner again and those two lines for Mozilla Firefox and Google Chrome showed back up again. Is that a bad sign? I searched for the line relating to Mozilla Firefox in the search documents portion of the computer and it found that file, so I deleted it. I did not follow the same procedure for the line relating to what ADW Cleaner found for Google Chrome though. I just went into my Program Files folder and removed the Google folder.

2. Next, I performed a deep scan on the infected PC with Emsisoft Emergency Kit. It did not find any suspicious files.

3. After that, I ran the RKill tool and based on the log it gave me, there was a specific line that caught my attention. It said:
Checking Registry for Malware related settings: Explorer Policy Removed: NoActiveDesktopChanges [HKLM]
What does that line specifically mean?

4. Now, I ran the Rogue Killer and it did not find anything during its scan either. Below is a log for what was found during the Rogue Killer scan

Program started at: 11/07/2013 03:27:42 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]
Backup Registry file created at:
C:\Users\Desktop\rkill\rkill-11-07-2013-03-27-42.reg



5. I followed the steps on Bleeping Computer about the Internet Explorer reset and I was able to bring Internet Explorer 10 back to its normal manner. I checked the Manage Add-ons section under Tools in Internet Explorer and I did not see the Ueep search engine, so I think following everyone's steps in this order may have worked. But I still don't feel that my PC is safe from the browser hijacker even though I used these tools. I will closely monitor my PC for the next 30 days or so and if I don't notice any suspicious behavior or activity then I will probably consider checking email, social media, and the Trainz forums on my PC again. For now, I am only checking all of that on my laptop. Throughout the process, Google Chrome was removed but I said to myself, I perfectly enjoy using Internet Explorer 10 on my Windows 7 PC so there is no need for another browser. I may download Safari as an emergency browser but I will always use Internet Explorer because it came with Windows 7 and I find nothing wrong with it. Can't wait to run Internet Explorer 11. My next step was to reboot the computer back into Safe Mode with Networking and run the free version of Malwarebytes. The Malwarebytes quick scan did not detect anything so I then ran a full scan of my hard drive (C drive) and DVD drive (D drive) and it did not detect any malicious items. My last step was to perform a rootkit scan using the rootkit option in Malwarebytes and it reported that no malware has been found. I believe the PC is no longer infected but I will be keeping a close eye on it for the next 30 days. Thank you again everyone for helping me with my computer problem. I really appreciate it and am glad that everyone has tried to help me with this. :) I believe the browser hijacker is gone but I will closely monitor the behavior of my PC. In several days or maybe soon, I gotta purchase a big flash drive or external hard drive to back up all my Trainz content and songs to. This process took nearly 12 hours but I think the problem is solved.
 
This is good news.

The big path and file name was most likely the culprit. What the malware did was infect your preferences with a fake preference setup using their JavaScript that was set up to go out to their website and redownload any components that were deleted. When you deleted that script, you killed the ability of the malware to put itself back in when you restarted your browser.

Your machine appears to be clean, however, I suggest one more scan using another package such as Vipre Rescue from Sunbelt Software, now called Vipreantivirus.

http://www.vipreantivirus.com/live/

Download and follow their on-screen instructions and those on their website. The one that I remember used to run in a command prompt and showed the files it scans. If anything came up in red then you knew it found malware.

John
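The ADWCleaner hits in step 1 and the explanation above both point at the same artefact: Chrome's per-profile `Preferences` file, a JSON document, is where a hijacker parks its homepage, startup URLs and search provider so they survive any change made through the settings screen. The script below is an added example of auditing that file against an allowlist of hosts; it is not code from the thread, from ADWCleaner or from Google. The key names (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data`, `extensions.settings[id].from_webstore`) are the ones I recall Chrome using for these settings and are assumed here; the sample document itself is constructed, with `search.ueep.com` taken from the removal link posted earlier in the thread.

```python
import json
from urllib.parse import urlparse

# Hosts the owner actually wants as home page / search provider (assumed allowlist).
ALLOWED_HOSTS = {"www.google.com", "google.com"}

# Constructed stand-in for <profile>\Default\Preferences with only the keys this check reads.
# The extension ids, the hijacker path and the search URL are made up for the demonstration.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://search.ueep.com/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://search.ueep.com/?src=start"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Search the web",
        "keyword": "ueep",
        "url": "http://search.ueep.com/?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": False,
            "path": "C:\\Users\\Default\\AppData\\Roaming\\jk4h2lq9pzty\\ext"},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": True,
            "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\\1.0_0"}}},
})

# A profile that should pass the audit with no findings (constructed).
CLEAN_PREFERENCES = json.dumps({
    "homepage": "http://www.google.com/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 1},
})


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, "" if it has none (handles {searchTerms} templates)."""
    return (urlparse(url).hostname or "").lower()


def audit_preferences(text: str, allowed_hosts=ALLOWED_HOSTS):
    """Return [(category, detail), ...] for every setting that points off the allowlist.

    Categories: homepage, startup_url, search_provider, sideloaded_extension.
    """
    prefs = json.loads(text)
    findings = []

    home = prefs.get("homepage")
    if home and not prefs.get("homepage_is_newtabpage") and host_of(home) not in allowed_hosts:
        findings.append(("homepage", home))

    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in allowed_hosts:
            findings.append(("startup_url", url))

    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tmpl.get("url") and host_of(tmpl["url"]) not in allowed_hosts:
        findings.append(("search_provider", f"{tmpl.get('short_name', '')} -> {tmpl['url']}"))

    # An extension installed from an absolute path rather than the Web Store is how a
    # dropper keeps a script in the browser that can re-fetch deleted components.
    for ext_id, meta in prefs.get("extensions", {}).get("settings", {}).items():
        path = meta.get("path", "")
        sideloaded = ":\\" in path or path.startswith("/")
        if not meta.get("from_webstore", False) and sideloaded:
            findings.append(("sideloaded_extension", f"{ext_id} @ {path}"))

    return findings


if __name__ == "__main__":
    for category, detail in audit_preferences(SAMPLE_PREFERENCES):
        print(f"{category:22} {detail}")
```

Run it against a copy of the real file taken while the browser is closed (Chrome rewrites `Preferences` on exit, so a finding that reappears after a clean-and-restart is the re-seeding behaviour described above, and the thing re-seeding it is what has to go first).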
 
It's interesting that I read about Microsoft Security Essentials here. In a recent antivirus test by Dennis Publishing, which owns quite a few UK tech magazines including Computeractive, Microsoft Security Essentials came last at 50-something percent. In addition to this, according to a Computeractive article, Microsoft has also stated that they are no longer improving their Security Essentials product, concentrating instead on collecting data for other antivirus providers to improve their products.

Shane

About 99% of malware these days comes from looking at the latest Microsoft update to see what the vulnerability was, then coding a bit of malware to take advantage of it.

Security is more than just antivirus software; it's procedures as well. So it's running under a user account rather than an admin account, it's making sure Microsoft Update is running. Vista was the first Microsoft operating system where they took security seriously, so they actually check bounds and other basic things.

If you run Java and Flash do it in Chrome since both are sandboxed in Chrome; other browsers often allow Java scripts full access to any permissions they have. Security Essentials is part of the solution, the other part is web sites that keep everything patched. Typically Windows based web sites that run Windows Update aren't bad but normally you can expect 30% of web sites to be vulnerable, especially the UNIX based ones.

Remember that Dennis Publishing is in business to sell advertising, so saying something like upgrade to Win 7, use Windows Update and Microsoft Security Essentials is not in their commercial interests.

Cheerio John
 