
Malware removal - PUP.Optional.CrossRider.A


IainB:
Posted as a warning and for information/use of other DC denizens.

Following a link in Lifehacker, "oCam Supercharges Screen Capture in Windows", I went to the oCam developer's website at http://www.ohsoft.net. There I found they had 4 products:

* oCam
* VirtualDVD
* CoffeeZip
* SecretFolder
I downloaded and installed oCam (it was a straightforward silent install), as that was what I was primarily interested in, and took a look at the other 3 items, downloading VirtualDVD as that looked like it could be useful to me.
I gave oCam a quick try out, and it seemed to do what it was designed for rather well.
I then turned my attention to something else and opened up IE11 (this is on a laptop with Win7-64 Home Premium), and saw that the default page was what looked like a search page hijack for unifinder.net.
At the bottom of the page there was a box with small type in it that said:
You can change the search engine using the PageUp, PageDown key and Mouse Wheel.
 * If keyword is the URL address, we will go directly to the site. ;)
 * [100% Freeware] Screen Recorder / DVD-ROM emulator / File Archiver / Hide Folder Download   
Copyright Ohsoft.net All Right Reserved

--- End quote ---
After a bit of experimentation, I recognised that the search page was a trojan hijack - i.e., it persisted between IE sessions and could not be deleted. It kept recreating itself as file unifinder.em[1].js.
Fearing the worst, I set MBAM (Malwarebytes PRO) on a scan, and it took a few minutes to come up with a report that 8 folders and 60 files had been infected with (PUP.Optional.CrossRider.A). The infected items were quarantined and deleted, necessitating what MBAM said was an "urgent" reboot of the laptop (some of the malware had been running in RAM).
After reboot, I re-ran the MBAM scan (better safe than sorry) and then turned my attention to the IE start page, which still had the persistent unifinder.net page. I eventually figured out that if I set another website page as the start page instead, and shredded the file unifinder.em[1].js, then the problem was cleared.

I then did a DuckGo search on (PUP.Optional.CrossRider.A), and discovered that "PUP" stands for "Potentially Unwanted Program". I ran MBAM and MS Security Essentials over the installer files for oCam and VirtualDVD, but they both came up "clean". I shredded both files and added some notes to avoid them, to my OneNote Notebook.

The DuckGo search on (PUP.Optional.CrossRider.A) also came up with an interesting post at fixpcyourself.com about a variant of it - Remove PUP.Optional.Cgminer Virus
Another learning experience.

EDIT 2014-04-30 2332hrs:
By the way, as a precaution I did of course expunge every last trace of oCam, and as a result of this experience I would strongly recommend that you never download the thing. I certainly wouldn't touch it with a bargepole again. There is, after all, such a thing as a failure of trust.
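As an added example (not part of IainB's post, and not code from oCam or ohsoft.net): a PowerShell snippet that performs the two remediation steps described above in a repeatable way, namely resetting the IE start page and deleting the cached copy of unifinder.em[1].js, and then lists any autostart entry that mentions the hijack domain, since the thread does not say what was recreating the file. It assumes Windows 7 / IE11 default paths; the `$NewStartPage` value, the cache folder list and the Run-key check are assumptions, not something reported in the thread.

```powershell
# Added example, not from the original thread or from ohsoft.net.
# Assumes Windows 7 / IE11 default locations. Run as the affected user
# with IE closed.

$NewStartPage = 'about:blank'   # assumption: put the start page you actually want here
$Pattern      = 'unifinder*.js' # matches the cached unifinder.em[1].js named in the thread

$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# 1. Show the start page values before changing anything, so you have a record
$before = Get-ItemProperty -Path $ieMain
'Start Page','Default_Page_URL','Secondary Start Pages' | ForEach-Object {
    $v = $before.$_
    if ($v) { Write-Host ("{0,-22} = {1}" -f $_, ($v -join ', ')) }
}

# 2. Reset the per-user start page and drop any secondary start pages
Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value $NewStartPage
if ($before.PSObject.Properties['Secondary Start Pages']) {
    Remove-ItemProperty -Path $ieMain -Name 'Secondary Start Pages'
}

# 3. Delete cached copies of the script. The "[1]" in unifinder.em[1].js is
#    IE's cache naming for a duplicate file name, so search the cache folders.
#    -LiteralPath is required: with -Path the brackets would be read as a wildcard.
$cacheRoots = @(
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files",  # Win7 / IE11
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache"                  # assumption: newer IE builds
) | Where-Object { Test-Path $_ }

$hits = Get-ChildItem -Path $cacheRoots -Recurse -Force -Filter $Pattern -ErrorAction SilentlyContinue
foreach ($f in $hits) {
    Write-Host "Removing $($f.FullName)"
    Remove-Item -LiteralPath $f.FullName -Force
}

# 4. Generic check (assumption, not a finding from the thread): list any
#    autostart value that references the hijack domain, in case something
#    outside IE is re-creating the file after each clean-up.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Value -match 'unifinder' } |
        ForEach-Object { Write-Host "Autostart reference: $k\$($_.Name) = $($_.Value)" }
}
```

Step 1 is deliberately read-only: keep its output before running steps 2 and 3, so that if the start page comes back you can see whether the registry value was rewritten or only the cached file reappeared.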

tomos:
Thanks for all that info Iain :up:

After reboot, I re-ran the MBAM scan (better safe than sorry) and then turned my attention to the IE start page, which still had the persistent unifinder.net page. I eventually figured out that if I set another website page as the start page instead, and shredded the file unifinder.em[1].js, then the problem was cleared.
-IainB (April 30, 2014, 02:18 AM)
--- End quote ---

I cleared out some stuff for my sister a while back - it was a different start page, but otherwise similar (I can't remember the details exactly), but we had the same problem at the end: the malware appeared to be removed, yet the start page still kept getting hijacked. The quoted tip may be of help (next time I visit her..)

IainB:
^^ Yes, the residual hijacked search page in IE11 bugged me. I managed to defeat it by trial and error, but being able to get at IE's innards and certainly hack it (as can be done with Firefox) would have been of more help.

IainB:
Added an edit to the opening post:
EDIT 2014-04-30 2332hrs:
By the way, as a precaution I did of course expunge every last trace of oCam, and as a result of this experience I would strongly recommend that you never download the thing. I certainly wouldn't touch it with a bargepole again. There is, after all, such a thing as a failure of trust.
