My laptop got infected with a search engine redirect virus and a fake security protection virus. In fact, I think I might have had two search engine redirect viruses. For the past couple of days, I've been going crazy trying to restore the machine to good operating condition. Malwarebytes is my goto product when I suspect virus activity; and it did a great job removing the fake security virus, however, the search engine redirects were elusive. I tried Malwarebytes, Microsoft Security Essentials, Super Anti-spyware, Spybot Search & Destroy, GMER, TDSSKiller FixTDSS, and finally Microsoft Fixit 52067, thinking that somehow my hosts file got currupted. None of these could fix the problem.
The first thing I did was check IE's add-ons and saw an enabled add-on for CTHTML by Creative Technologies, Ltd. I know that I did not install this add-on. I manually explored the Windows system directories looking for any newly added files. First I looked in system32 then SysWOW64. Using Windows explorer I set the browser to sort by newest file date first. Lo and behold. in SysWOW64 I found a file called wscui32.dll that had been installed on Sept. 3, 2011. I knew that I did not install any system related products that day. When I viewed the file's metadata, the author is Creative Technologies, Ltd.—the same author of the unauthorized IE add-on. While I was fairly certain this was a suspect file, I didn't want to delete it straight out because there is a real Windows control panel widget called wscui.cpl. I renamed the suspect file to wscui32.dont-use-dll. I then scanned the registry with CCleaner. Sure enough, there was a runtime loader entry pointing to wscui32.dll.
Unfortunately, that still did not resolve the problem with the search engine redirects which also infected Firefox. It didn't matter which search engine I tried either. The problem infected Google, Bing and Yahoo. No matter what I typed into the search bar, the first half-dozen or so directory returns were being redirected to adware sites. I kept searching the internet and stumbled across a product called UnHackMe by Greatis.com. UnHackMe works differently from all other anti-malware products I tried, included Malwarebytes. UnHackMe is a boot-watch utility that monitors the bootloader process as the machine is coming up. So I installed it and rebooted my machine.
The product discovered 8 suspicious bootloader processes and produced 1 warning. It provides a gui to scroll through the suspicious processes so you can decide whether they are legit or not. Seven of these processes are legitimate software products I installed. The 8th pointed to a process called c:programdataGoogleTrayVerifier. I have no idea what this is and an internet search proved to be fruitless. I only know that I did not install anything by that name. The convincing factor that this is the virus is the fact that UnHackMe reported the author as Creative Technologies, Ltd.
I allowed UnHackMe to delete the file. It fixed the redirect issue. The problem I found is that while UnHackMe displays a bootloader registry entry for this software on the screen, I can't find a reference to it in any log files. Maybe it's there and I just missed it, but I wish I had jotted it down so I could report it. The GoogleTrayVerifier is a search engine redirect virus that is very difficult to root out and destroy. I have no connection to Greatis software, but I highly recommend getting UnHackMe. You can download the 30-free trial to test it for yourself.