New Search Engine Redirect Virus: GoogleTrayVerifier

By Victor M. Font Jr.
September 5, 2011 (4 Comments)

My laptop got infected with a search engine redirect virus and a fake security protection virus. In fact, I think I might have had two search engine redirect viruses. For the past couple of days, I've been going crazy trying to restore the machine to good operating condition. Malwarebytes is my go-to product when I suspect virus activity, and it did a great job removing the fake security virus; however, the search engine redirects were elusive. I tried Malwarebytes, Microsoft Security Essentials, SUPERAntiSpyware, Spybot Search & Destroy, GMER, TDSSKiller, FixTDSS, and finally Microsoft Fixit 52067, thinking that somehow my hosts file had gotten corrupted. None of these could fix the problem.

The first thing I did was check IE's add-ons, and I saw an enabled add-on for CTHTML by Creative Technologies, Ltd. I know that I did not install this add-on. I manually explored the Windows system directories looking for any newly added files. First I looked in system32, then SysWOW64. Using Windows Explorer, I sorted the listing by newest file date first. Lo and behold, in SysWOW64 I found a file called wscui32.dll that had been installed on Sept. 3, 2011. I knew that I did not install any system-related products that day. When I viewed the file's metadata, the author was Creative Technologies, Ltd.—the same author as the unauthorized IE add-on. While I was fairly certain this was a suspect file, I didn't want to delete it outright because there is a real Windows Control Panel widget called wscui.cpl. I renamed the suspect file to wscui32.dont-use-dll. I then scanned the registry with CCleaner. Sure enough, there was a runtime loader entry pointing to wscui32.dll.

Unfortunately, that still did not resolve the problem with the search engine redirects, which also infected Firefox. It didn't matter which search engine I tried, either. The problem affected Google, Bing and Yahoo. No matter what I typed into the search bar, the first half-dozen or so results were being redirected to adware sites. I kept searching the internet and stumbled across a product called UnHackMe by Greatis.com. UnHackMe works differently from all the other anti-malware products I tried, including Malwarebytes. UnHackMe is a boot-watch utility that monitors the bootloader process as the machine is coming up. So I installed it and rebooted my machine.

The product discovered 8 suspicious bootloader processes and produced 1 warning. It provides a GUI to scroll through the suspicious processes so you can decide whether they are legit or not. Seven of these processes are legitimate software products I installed. The 8th pointed to a process called c:\programdata\GoogleTrayVerifier. I have no idea what this is, and an internet search proved to be fruitless. I only know that I did not install anything by that name. The convincing factor that this is the virus is the fact that UnHackMe reported the author as Creative Technologies, Ltd.

I allowed UnHackMe to delete the file. It fixed the redirect issue. The problem I found is that while UnHackMe displays a bootloader registry entry for this software on the screen, I can't find a reference to it in any log files. Maybe it's there and I just missed it, but I wish I had jotted it down so I could report it. The GoogleTrayVerifier is a search engine redirect virus that is very difficult to root out and destroy. I have no connection to Greatis software, but I highly recommend getting UnHackMe. You can download the 30-day free trial to test it for yourself.
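The manual hunt described above (newest DLLs in the system directories, the publisher in each file's metadata, the runtime loader entries in the registry, and the IE add-on list) can be scripted as a read-only report. The PowerShell below is an added example written for this article; it is not code from the post, from UnHackMe or from Greatis. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the -Days window and -SuspectCompany filter are hypothetical parameters of this script, not of any tool named in the post. It changes nothing on the machine; it only lists what to look at.

```powershell
<#
Added example (not from the original post, UnHackMe or Greatis): read-only triage
mirroring the manual steps in the article. Assumes Windows PowerShell 5.1+ in an
elevated session. -Days and -SuspectCompany are hypothetical parameters of this script.
#>
param(
    [int]$Days = 7,
    [string]$SuspectCompany = ''   # publisher name seen on an add-on you did not install
)

$cutoff = (Get-Date).AddDays(-$Days)

# Step 1: newest DLLs in System32 and SysWOW64. Explorer's "Company" column comes
# from the file's version resource, exposed here as VersionInfo.CompanyName.
$systemDirs = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"
$recentDlls = foreach ($dir in $systemDirs) {
    Get-ChildItem -Path $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Company   = $_.VersionInfo.CompanyName
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Step 2: autostart ("runtime loader") values in the common Run keys, native and
# WOW6432Node, flagging any command that points into ProgramData.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath/... metadata
        [pscustomobject]@{
            Key           = $key
            Name          = $p.Name
            Command       = $p.Value
            InProgramData = [bool]("$($p.Value)" -match '(?i)\\programdata\\')
        }
    }
}

# Step 3: Browser Helper Objects (IE add-ons). Each BHO is a CLSID; its DLL is the
# default value of that CLSID's InprocServer32 key.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$bhos = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid = $sub.PSChildName
        $dll = $null
        foreach ($srv in "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                         "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32") {
            if (Test-Path $srv) { $dll = (Get-ItemProperty -Path $srv).'(default)'; break }
        }
        $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        [pscustomobject]@{
            CLSID   = $clsid
            Dll     = $dll
            Company = if ($expanded -and (Test-Path -LiteralPath $expanded)) {
                          (Get-Item -LiteralPath $expanded).VersionInfo.CompanyName
                      } else { $null }
        }
    }
}

# Report. Unsigned or non-Microsoft DLLs inside the window, Run entries under
# ProgramData, and anything attributed to -SuspectCompany deserve a closer look.
"== DLLs in System32/SysWOW64 newer than $Days day(s) =="
$recentDlls | Sort-Object Created -Descending | Format-Table Created, Company, SigStatus, Path -AutoSize

"== Run/RunOnce autostart entries =="
$autostarts | Format-Table Name, InProgramData, Command, Key -AutoSize

"== IE Browser Helper Objects =="
$bhos | Format-Table CLSID, Company, Dll -AutoSize

if ($SuspectCompany) {
    "== Items attributed to '$SuspectCompany' =="
    @($recentDlls) + @($bhos) | Where-Object { $_.Company -like "*$SuspectCompany*" } | Format-List
}
```

For the situation in the post, running it with -Days 3 (Sept. 3 to Sept. 5) and -SuspectCompany 'Creative Technologies' would have surfaced the SysWOW64 DLL, the add-on and the loader entry in one pass, and the Authenticode column separates Windows Update's own freshly written DLLs (signed by Microsoft) from unsigned third-party drops. A Run entry whose command lives under ProgramData is exactly the kind of autostart a boot-watch tool flags, so it is worth checking that column before rebooting into any cleanup tool.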


About Victor M. Font Jr.

Victor M. Font Jr. is an award-winning author, entrepreneur, and Senior IT Executive. A Founding Board Member of the North Carolina Executive Roundtable, he has served on the Board of Advisors of the North Carolina Technology Association, the International Institute of Business Analysis, Association of Information Technology Professionals, Toastmasters International, and the North Carolina Commission for Mental Health, Developmental Disabilities, and Substance Abuse Services. He is author of several books including The Ultimate Guide to the SDLC and Winning With WordPress Basics, and Cybersecurity.

Comments

  1. Egan says:

    September 6, 2011 at 11:04 pm

    Same problem started today 9-6-11. Thanks Victor, your fix worked. And, thanks to UnHackMe.

    Reply
    • Victor Font

      September 7, 2011 at 10:05 am

      Hi Egan,

      Thanks for your comment. I’m glad you found the article timely and that you were able to resolve the issue quickly. The virus was driving me nuts for a couple of days!

      Reply
  2. David

    September 5, 2011 at 3:57 pm

    Confirmed. If you go to Internet Explorer and check Tools, Manage Add-ons, the file is there. Disabling the add-on failed. I ran Spybot Search and Destroy and the Symantec Corp version on my system with no change. After finding a site that had UnHackMe (I was redirected many times), I downloaded the trial version, ran it, restarted and, after a long restart, was healthy again.

    Reply
    • Victor Font

      September 5, 2011 at 4:17 pm

      Thanks for confirming this David. UnHackMe can be downloaded from the developer at http://www.greatissoftware.com/unhackme.zip

      Reply
