Malware.Win32.Gen.cld (aka "hi.ru redirect") and Avast does not detect

I’m wondering why this trojan, that’s been around for a couple of years now, is not detected by Avast. Ran a full scan, Avast says everything is A-Ok. I run a competitor’s product–one I don’t pay for–and I have 60+ infected system files.

I’ve just spent the past 12 hours researching, getting rid of this thing and reinstalling two systems.

Needless to say, this person is muy mucho not happy-oso. >:(

Avast, what say you?

Oh, and where’s my refund?

Do you have PUP detection enabled?
If not, that can be the reason why you are not getting an alert.

Refund for what?
Did you submit a ticket?
If so, what is the number?

Thanks for the Reply. I haven’t had a chance to submit a ticket because I haven’t had a system until just now. As far as I’m aware all of the features were turned on, but I did a bit of research after your reply and let me see if I get what you’re saying.

Avast Security Suite is a product that does everything from screening your email, securing your DNS transactions, providing Secure VPN, Anti-Theft protection, System Optimization, software and driver updates and a host of other services in addition to Anti-Virus and Malware protection. So the one thing it’s expected to excel at is providing malware protection.

Yet here I’m finding that a well known trojan that commonly plagues people’s systems is considered a “potentially unwanted program” and I have to dig into the settings to opt-in to be protected from it? Yet I can download a lightweight competitor that does it out of the box, for free.

Like I said, where’s my refund?

Like I said, where's my refund?
Have you submitted a ticket?

hi.ru is a browser hijacker, try AdwCleaner http://www.bleepingcomputer.com/download/adwcleaner/

I will submit a ticket, but it does far more than hijack a browser. It hijacks your machine.

Here’s a link to what others have been through.

http://www.bleepingcomputer.com/forums/t/563450/hiru-chrome-redirect-all-attemps-to-remove-failed/


Here’s what I’ve just been through on one machine.

http://i1129.photobucket.com/albums/m514/tmckain/160117_avast001.jpg

(the “some files” were personal encrypted files and others were dll’s that were the trojan)

http://i1129.photobucket.com/albums/m514/tmckain/160117_avast002_1.jpg

http://i1129.photobucket.com/albums/m514/tmckain/160117_win7001.jpg


tmckain ::

1/17/2016 6:59:38 PM
9lab-log-2016-01-17 (18-59-38).txt

Scan type: Full
Objects scanned: 46471
Time Elapsed: 14 m 5 s

Registry Values detected: 1
Risk.EnableLUA [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA]

Files detected: 61
[21A5B82CB55BDBC58591D0F6971A14F3] Malware.Win32.Gen.cld [C:\Program Files (x86)\Audacity\Plug-Ins\multivoice_chorus_1201.dll]
[BC560A26AACB3ACDB9E7386283DD5846] Malware.Win32.Gen.cld [C:\Program Files (x86)\IObit\IObit Uninstaller\IU_KillAllFile.exe]
[C6AA10109D7BE3395E3A312C5453DA2C] Malware.Win32.Gen.cld [C:\Program Files (x86)\K-Lite Codec Pack\Filters\DCBass\bass_aac.dll]
[038ED3C6A5343ECAAB5505AD1AAD7C06] Malware.Win32.Gen.cld [C:\Program Files (x86)\VideoLAN\VLC\plugins\access\libcdda_plugin.dll]
[A8B51E3A72F050AC676211A50D7C6236] Malware.Win32.Gen.cld [C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll]
[EBE90B205F881E1AB69A0D987D63DC0A] Malware.Win32.Gen.cld [C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll]
[70D4262960422D9303222B0A581DB7BE] Malware.Win32.Gen.cs0 [C:\Program Files (x86)\TweakNow PowerPack\App\local\stubexe\0xC3F056786AE7331F\PowerPack.exe]
[6D5DBA957D94E902F5A2C649A361D4CE] Malware.Win32.Gen.cs0 [C:\Users\travin\AppData\Local\atom\app-1.2.1\resources\app\apm\bin\node.exe]
[F92C7457C2FA19DE1E4F1DBAD885FAAA] Malware.Win32.Gen.cld [C:\Windows\Installer$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe]
[3C809EFE1AA6C9355FA3D2CEA29821C0] Malware.Win32.Gen.cs0 [C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll]
[A87261EF1546325B559374F5689CF5BC] Malware.Win64.Gen.cs0 [C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdkmd64.sys]
[D45BE8BAED0B82F6BBC9D9421FA8FA1C] Malware.Win64.Gen.cs0 [C:\Windows\System32\Ribbons.scr]
[29C1D5B330B802EFA1A8357373BC97FE] Malware.Win64.Gen.cs0 [C:\Windows\System32\spinstall.exe]
[28F53390A15648FFD403CC4C65A90B27] Malware.Win32.Gen.cld [C:\Windows\SysWOW64\auditpolmsg.dll]
[BDFABEDACD6F18B5EFB14B7529F3ED3E] Malware.Win32.Gen.cs2 [C:\Windows\SysWOW64\AdapterTroubleshooter.exe]
[02AF9857838C25EC98BBE492271F3E27] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\aecache.dll]
[DBB45A0839719312F248351E3FB9A0AE] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\cmdl32.exe]
[B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\fsutil.exe]
[536020876C0980D49094E7EBB94A00AA] Malware.Win32.Gen.cs2 [C:\Windows\SysWOW64\hdwwiz.exe]
[F67A64C46DE10425045AF682802F5BA6] Malware.Win32.Gen.cs2 [C:\Windows\SysWOW64\msdt.exe]
[0842FB9AC27460E2B0107F6B3A872FD5] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\raserver.exe]
[7CA00998C1AAF913AC089E29DB746037] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\unregmp2.exe]
[3C809EFE1AA6C9355FA3D2CEA29821C0] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7600.16385_none_019357585ef99a63\amdpcom32.dll]
[3C809EFE1AA6C9355FA3D2CEA29821C0] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7601.17514_none_03c46b205be81dfd\amdpcom32.dll]
[A87261EF1546325B559374F5689CF5BC] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_igdlh.inf_31bf3856ad364e35_6.1.7600.16385_none_f3e7064ea3c09a9a\igdkmd64.sys]
[F6FD7F8147A591317E57D9008C8C7541] Malware.Win32.Gen.cld [C:\Windows\SysWOW64\wimserv.exe]
[90499F3163A9F815CF196A205EA3CD5D] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_microsoft-windows-a…ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\apphelp.dll]
[784FA3DF338E2E8F5F0389D6FAC428AF] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_microsoft-windows-cryptbase_31bf3856ad364e35_6.1.7600.16385_none_c15ac71fc7aafddc\cryptbase.dll]
[D45BE8BAED0B82F6BBC9D9421FA8FA1C] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_microsoft-windows-ribbons_31bf3856ad364e35_6.1.7601.17514_none_e6dae9713e9b7588\Ribbons.scr]
[29C1D5B330B802EFA1A8357373BC97FE] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_microsoft-windows-servicepackcoordinator_31bf3856ad364e35_6.1.7601.17514_none_92e727843e307e1b\spinstall.exe]
[28F53390A15648FFD403CC4C65A90B27] Malware.Win32.Gen.cld [C:\Windows\winsxs\wow64_microsoft-windows-a…olicy-snapin-native_31bf3856ad364e35_6.1.7600.16385_none_a5b522837df19ae3\auditpolmsg.dll]
[98C66B8010CD7B6865F308ABD87C8E86] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7601.17514_none_86c0afe17064a99d\cdosys.dll]
[59DF156711A76BCB993253EC6C9BBF41] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4a5d2c9ecd59afa7\dnsapi.dll]
[76161B9D78A275F8F28DD67436013110] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.18409_none_fc484db2a13f5426\kernel32.dll]
[F67A64C46DE10425045AF682802F5BA6] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\wow64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0bcbfdec6b984220\msdt.exe]
[0842FB9AC27460E2B0107F6B3A872FD5] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-r…sistance-dcomserver_31bf3856ad364e35_6.1.7600.16385_none_963d3becc3a475f1\raserver.exe]
[DBB45A0839719312F248351E3FB9A0AE] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7600.16385_none_c569db6aae975591\cmdl32.exe]
[DBB45A0839719312F248351E3FB9A0AE] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_c79aef32ab85d92b\cmdl32.exe]
[A3D9528E228DDD9A404E5EF4295AE35F] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\wow64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_6.1.7600.16385_none_122602d047c011da\msinfo32.exe]
[4C61EA0D3BE4623EC040C4BE3E05AB26] Malware.Win32.Gen.cld [C:\Windows\winsxs\wow64_microsoft-windows-w…for-management-core_31bf3856ad364e35_6.1.7600.16385_none_30af1158fb1994f7\WSManHTTPConfig.exe]
[4C61EA0D3BE4623EC040C4BE3E05AB26] Malware.Win32.Gen.cld [C:\Windows\winsxs\wow64_microsoft-windows-w…for-management-core_31bf3856ad364e35_6.1.7601.17514_none_32e02520f8081891\WSManHTTPConfig.exe]
[68B4A549D0B56A4DD9A488751037CF09] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\wow64_microsoft-windows-t…minalservicesclient_31bf3856ad364e35_6.1.7601.17514_none_b656fd566c17dc3a\mstsc.exe]
[BDFABEDACD6F18B5EFB14B7529F3ED3E] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-adaptertroubleshooter_31bf3856ad364e35_6.1.7600.16385_none_d1d79dd7e49a786f\AdapterTroubleshooter.exe]
[622D95520182F6D3D05310D5810CA8B3] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7600.16385_none_d9a3beb1698738d8\SearchIndexer.exe]
[622D95520182F6D3D05310D5810CA8B3] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\SearchIndexer.exe]
[B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7601.17577_none_ce2d9fba4e5ca8e7\fsutil.exe]
[536020876C0980D49094E7EBB94A00AA] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf\hdwwiz.exe]
[76B39554938CABCC219C7471ADAF3135] Malware.Win32.Gen.cld [C:\Windows\winsxs\x86_microsoft-windows-ie-impexp-extexport_31bf3856ad364e35_8.0.7601.17514_none_4abf71c398c9a7d6\ExtExport.exe]
[7CA00998C1AAF913AC089E29DB746037] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.1.7600.16385_none_adca1fa537de6f5e\unregmp2.exe]
[7CA00998C1AAF913AC089E29DB746037] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.1.7601.17514_none_affb336d34ccf2f8\unregmp2.exe]
[A3D9528E228DDD9A404E5EF4295AE35F] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7600.16385_none_861b553e4c3473c1\msinfo32.exe]
[670205944B0F9D4FE47B86D7F6CC0A16] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d\auditpol.exe]
[670205944B0F9D4FE47B86D7F6CC0A16] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7601.18637_none_c937305dd6bd2876\auditpol.exe]
[02AF9857838C25EC98BBE492271F3E27] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-sysprep-aecache_31bf3856ad364e35_6.1.7600.16385_none_f4906b14fa5f4e62\aecache.dll]
[F6FD7F8147A591317E57D9008C8C7541] Malware.Win32.Gen.cld [C:\Windows\winsxs\x86_microsoft-windows-wimgapi_31bf3856ad364e35_6.1.7601.17514_none_8b030c557320a2c1\wimserv.exe]
[0729A9A1026BEBD625E9F1FAF5113C34] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-sethc_31bf3856ad364e35_6.1.7600.16385_none_6296951cd66ee3c2\sethc.exe]
[E777BD47354F76CACF62FA193E510812] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-systemcpl_31bf3856ad364e35_6.1.7600.16385_none_e0abcaa7bf6258b5\systemcpl.dll]
[6DE80F60D7DE9CE6B8C2DDFDF79EF175] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe]
[2540B048D09C391B18E1EDB68EF9460C] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7600.16385_none_beb69dae2443e398\RegSvcs.exe]

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
We need Malwarebytes and Farbar Recovery Scan Tool logs; attach the logs, 3 logs total.

See below the box you write in … Attachments and other options.

A malware expert will then assist you.

Sorry, m8, not bloody likely. System is wiped. Have to work with what we’ve got, I posted it for your benefit.

I did run Malwarebytes Anti-Rootkit though, nothin’. 9-lab was what nabbed it, that’s why I posted it. I followed the process in the bleepingcomputer link I posted above. It just left me with a crippled system, is all, so I wiped it.

Thanks for your help, though.

I followed the process in the bleepingcomputer link I posted above. It just left me with a crippled system
Never use a fix found online, as it is not made for your specific system and may damage your system when run.

Always post diagnostic logs (FRST) from your system so a fix made for you can be created by a malware expert.

Unless you are hit with a file infector, it seems the log you posted above contains lots of false positives … search the MD5 on VT.

Like this one

[2540B048D09C391B18E1EDB68EF9460C] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7600.16385_none_beb69dae2443e398\RegSvcs.exe]

https://www.virustotal.com/en/file/ec110cfda19394e1a9d065011f3feb275d646a7c6c1ea3e987ac6132ff7a6b9b/analysis/

Copyright© Microsoft Corporation. All rights reserved.
Publisher Microsoft Windows
Product Microsoft® .NET Framework
Original name RegSvcs.exe
Internal name RegSvcs.exe
File version 2.0.50727.4927 (NetFXspW7.050727-4900)
Description Microsoft .NET Services Installation Utility
Comments Flavor=Retail
Signature verification Signed file, verified signature
Signing date 4:17 AM 7/14/2009
Signers
[+] Microsoft Windows
[+] Microsoft Windows Verification PCA
[+] Microsoft Root Certificate Authority
Counter signers
[+] Microsoft Time-Stamp Service
[+] Microsoft Time-Stamp PCA
[+] Microsoft Root Certificate Authority

If you had allowed the programme to remove those files, then you would have needed to reinstall Windows.

Undoubtedly there are some false positives mixed in. A messy business, this.

As for using fixes found online, thanks for the advice, but I’ve been doing this awhile.

Really now?

C:\Windows\winsxs\x86 is the backup area for Windows system files, e.g. userinit.exe.

So if for some reason the original system files were corrupted, then you have no backup for SFC to use.

See also https://technet.microsoft.com/en-us/library/cc753059.aspx for [B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\fsutil.exe]
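The two replies above make one point between them: hits on the same MD5 under SysWOW64 and winsxs are copies of one file, and a generic ".Gen." detection on a Microsoft OS component deserves a signature and VirusTotal check before anything is deleted. The script below is an added example, not part of the thread or of any product: it parses the 9-lab log format quoted above (lines copied from the posted log, with the `verify_first` rule and directory list being this example's own assumptions).

```python
import re
from collections import defaultdict

# Constructed sample in the 9-lab log format quoted in the thread:
# [MD5] DetectionName [path]. These four lines are copied from the posted log.
SCAN_LOG = r"""
[B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\fsutil.exe]
[B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7601.17577_none_ce2d9fba4e5ca8e7\fsutil.exe]
[2540B048D09C391B18E1EDB68EF9460C] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7600.16385_none_beb69dae2443e398\RegSvcs.exe]
[21A5B82CB55BDBC58591D0F6971A14F3] Malware.Win32.Gen.cld [C:\Program Files (x86)\Audacity\Plug-Ins\multivoice_chorus_1201.dll]
"""

LINE_RE = re.compile(r"^\[([0-9A-Fa-f]{32})\]\s+(\S+)\s+\[(.+)\]$")

# Directories where Windows keeps its (signed) OS components; winsxs holds the
# copies SFC restores from, so deleting a hit there also removes the backup.
# This list is an assumption of the example, not something the thread states.
OS_COMPONENT_DIRS = ("c:\\windows\\winsxs\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_scan_log(text):
    """Return one dict per detection line: md5 (upper-cased), detection, path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"md5": m.group(1).upper(), "detection": m.group(2), "path": m.group(3)})
    return entries


def is_os_component(path):
    return path.lower().startswith(OS_COMPONENT_DIRS)


def triage(entries):
    """Group hits by MD5 so identical files (SysWOW64 + winsxs copies) are judged once.

    A hash flagged only by a generic heuristic name (".Gen.") that lives in an OS
    component directory gets verify_first=True: check the Authenticode signature
    and look the hash up on VirusTotal before deleting anything.
    """
    by_md5 = defaultdict(lambda: {"detection": None, "paths": []})
    for e in entries:
        by_md5[e["md5"]]["detection"] = e["detection"]
        by_md5[e["md5"]]["paths"].append(e["path"])
    report = []
    for md5, info in by_md5.items():
        generic = ".Gen." in info["detection"]
        os_file = any(is_os_component(p) for p in info["paths"])
        report.append({"md5": md5, "detection": info["detection"],
                       "paths": info["paths"], "verify_first": generic and os_file})
    return report
```

`verify_first=False` does not mean a hit is genuine; it only means the file is not an OS component whose signature can be checked against Microsoft's.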

Though I appreciate both of your efforts, they are, unfortunately, sadly misplaced. As I’ve already mentioned, I’ve already wiped these two systems so there’s no use trying to further diagnose them.

Cheers.

I've already wiped these two systems so there's no use trying to further diagnose them.
So what was the reason for coming here???