Friday, January 29, 2016

Zerohorizon.net Browser Redirect Trojan

As I sit here I am frequently being annoyed by a nasty little redirect Trojan that "someone" who used my computer picked up.  I am extremely careful, and very cautious about who uses my PC.  Each of my kids has their own PC, as does my wife.  No one outside of my immediate family uses my PC.  So that leaves either myself or my wife.

It doesn't really matter and I'm not blaming anyone.  In fact my everyday operating system is CentOS Linux so this is little more than an occasional annoyance for me.  It doesn't help that I'm so irritated with Microsoft these days that I only use Windows when and IF I have to.  That boils down to about three programs.  Everything else is on Linux.

The Linux side works fine, it's just this Swiss-cheese OS named Windows that's the issue.  Anyway, I could go on for hours about the various issues I have with Microsoft, but I digress.

So I am documenting what I have found so that if anyone else with this issue can benefit from it, so much the better.

This Trojan is sneaky.  You can search Google all day long and mostly what you find are very randomly named web sites that appear to all be slight variations on the same destination.  Where you wind up is some site that wants to sell you "their" virus removal tool, something called "SpyHunter".
I have no idea if this product is legitimate or not but I recommend that anyone reading this stay away from it.  The fact that 40 or 50 oddly named web sites, each with a slightly varied content, all suggest you use this product makes me very suspicious.

Almost all of these supposed "removal" sites run you through removing installed "bad" programs, "bad" browser extensions, and editing the system registry.  Trouble is these steps don't help and don't accomplish anything.  The final step is "oh, none of this worked, try buying our tool...".  Yeah, right...

Also, why have none of the major anti-virus program authors jumped on this?  The fact that they are saying nothing again makes me very suspicious.  This seems to be a pretty common infection; there are loads of Google hits when you look up zerohorizon.net.

I've scanned my system with Comodo, Avast, Kaspersky, and also scanned the Windows OS drive while Linux was running (the only REAL way to scan Windows for viruses), and nothing has been found.  Very odd.

This seems to primarily affect the Google Chrome browser (note that as far as I can tell Google has said nothing about this either), but Firefox, and IE have both been reported to be affected.

OK, enough soap box, time for details.

This Trojan is a browser redirect.  At random times it pops up new tabs or windows that load one of a small list of sites.  These sites are all adware sites or sites with fake pages that try to fool you into clicking on links which will likely install other nasty things.  It may also be doing any number of other things, there is really no way to tell without reverse engineering it.  Before that can be done it needs to be located.  The list of sites it uses (so far) is below.  They all seem to eventually bounce through www.buy-targeted-traffic.com and if that doesn't sound like a shady site I don't know what does:

  • buy-targeted-traffic.com
  • orion.zerohorizon.net
  • oziris.zerohorizon.net
  • zerohorizon.net
  • onclicktop.com
  • fugdownload164.com
  • fugdownload173.com
  • ptp24.com
  • cdn.shorte.st
  • shorte.st
  • bundleworldbits.com
  • putono5.com
  • cdn.putono5.com
  • d.putono5.com
  • a.putono5.com
(Damn! Within 15 minutes of posting this I found 2 more sites to add...)
  • adspserving.com
  • xl415.com

  • truequotes.org       (added 1-31-16)

I will add to that list as I find more entries.  These sites were found either via a direct pop-up, or by reviewing the source code of the pop-up pages.  By the way, to view the HTML code and find these sites, just right-click the blank web page in the browser and select "view source".  Most entries will be bad but some are ok, such as "http://www.w3.org", which is the group that sets web code standards.  Look for entries such as "http://<whateversite.com>"; these are the "bad" sites it's trying to direct you to.

I have so far not been able to determine the method this thing uses to load.  It appears to be pretty stealthy.  I have some experience with PC forensics and to date I have yet to locate the root cause.  Many other posts seem to indicate a bogus browser plugin is the culprit.  I do occasionally use some but nothing I would be wary of.

In any case the best thing so far is placing entries for each site in the local PC hosts file.  This file is the first location the computer uses when it tries to identify the TCP/IP address of a site.  For those unfamiliar with this, the computer connects to the site IP address, not the site name, so it must translate between the two first.  Normally this is done automatically via DNS, but if a hosts file exists those entries take precedence.  In fact many viruses and Trojans use this file to redirect you to bad sites.

The hosts file is located here:  C:\Windows\System32\Drivers\Etc\hosts and no, there is no extension such as ".txt" on it.  In fact you may not be able to see the file without making a few adjustments in the Windows file explorer (look for info at Google on viewing hidden files).

By adding these entries the browser pop-up still occurs, but it cannot find the sites it wants and so does nothing but load a blank page.  This "should" have the effect of neutering the Trojan.  This won't stop it, or remove it, but it seems to slow it down.  Below is what the file will look like after editing.  This is a copy-&-paste of my own file:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1  buy-targeted-traffic.com
127.0.0.1  orion.zerohorizon.net
127.0.0.1  oziris.zerohorizon.net
127.0.0.1  zerohorizon.net
127.0.0.1  onclicktop.com
127.0.0.1  fugdownload164.com
127.0.0.1  fugdownload173.com
127.0.0.1  ptp24.com
127.0.0.1  cdn.shorte.st
127.0.0.1  shorte.st
127.0.0.1  bundleworldbits.com
127.0.0.1  putono5.com
127.0.0.1  cdn.putono5.com
127.0.0.1  d.putono5.com
127.0.0.1  a.putono5.com
127.0.0.1 adspserving.com
127.0.0.1 xl415.com
127.0.0.1 truequotes.org

The entries prefixed with "127.0.0.1" cause a lookup of any of those sites to be redirected to "loopback", which is a local test address that goes nowhere.

Again, this is a "band-aid" and will not stop the Trojan.
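The hosts-file workaround above as an added example; this is not the post's own file or script. It appends the blocklist without duplicating lines, keeps a backup, and checks that the resolver now answers with the sinkhole address. It assumes an elevated PowerShell on Windows 8 or later and, as an assumption noted in the code, maps the names to 0.0.0.0 rather than the author's 127.0.0.1 so that nothing listening on loopback can answer the request.

```powershell
# Added example, not the blog author's file or script. Appends the post's
# blocklist to the Windows hosts file idempotently and verifies the result.
# Run from an elevated PowerShell (the file is writable only by administrators).
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

# Assumption: 0.0.0.0 instead of the author's 127.0.0.1, so the browser fails
# immediately instead of connecting to any web server listening on loopback.
$sinkhole  = '0.0.0.0'
$blocklist = @(
    'buy-targeted-traffic.com', 'orion.zerohorizon.net', 'oziris.zerohorizon.net',
    'zerohorizon.net', 'onclicktop.com', 'fugdownload164.com', 'fugdownload173.com',
    'ptp24.com', 'cdn.shorte.st', 'shorte.st', 'bundleworldbits.com', 'putono5.com',
    'cdn.putono5.com', 'd.putono5.com', 'a.putono5.com', 'adspserving.com',
    'xl415.com', 'truequotes.org'
)

function Get-HostsNames([string]$Path) {
    # Host names already mapped in the file, ignoring comments and blank lines.
    Get-Content $Path | ForEach-Object { ($_ -split '#')[0].Trim() } |
        Where-Object { $_ } |
        ForEach-Object { (-split $_) | Select-Object -Skip 1 }
}

function Add-HostsBlocklist([string]$Path, [string[]]$Names, [string]$Address) {
    Copy-Item $Path "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    $existing = @(Get-HostsNames $Path)
    $new = @($Names | Where-Object { $_ -notin $existing } |
        ForEach-Object { "$Address  $_   # redirect adware sinkhole" })
    if ($new.Count -gt 0) {
        Add-Content -Path $Path -Value (@('') + $new) -Encoding ASCII
        Clear-DnsClientCache   # drop cached answers so the new mappings apply now
    }
    return $new.Count
}

function Test-Sinkholed([string[]]$Names, [string]$Address) {
    # The system resolver honours the hosts file, so each name should now
    # resolve to $Address and nothing else.
    foreach ($name in $Names) {
        $ips = @(try { [System.Net.Dns]::GetHostAddresses($name) |
                       ForEach-Object { $_.IPAddressToString } } catch { })
        $other = @($ips | Where-Object { $_ -ne $Address })
        [pscustomobject]@{
            Name      = $name
            Resolved  = ($ips -join ',')
            Sinkholed = ($ips.Count -gt 0 -and $other.Count -eq 0)
        }
    }
}

"Added $(Add-HostsBlocklist $hostsPath $blocklist $sinkhole) new hosts entries"
# Anything printed here still resolves to a real address and needs a second look.
Test-Sinkholed $blocklist $sinkhole | Where-Object { -not $_.Sinkholed } | Format-Table
```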

My suspicion is that when this thing was installed it added a hook into the operating system at some non-common area.  It would appear to be a scheduled task of some sort but so far none of the tasks seem out of order.  Windows 7, 8, and 10 include a plethora of scheduled tasks that do a myriad of things.  So many that it's hard to figure out what belongs.  There also may be settings added to the browser or system registry but so far I've identified nothing.  More than likely this is running as a scheduled task somewhere due to the regular occurrence of it.

As I find new info I'll list it here.  If anyone reading this has comments or additions please leave a comment.  I would very much like to kill this thing without reinstalling Windows.  It's annoying more than anything, and since I usually work in Linux it's even more annoying that I have to deal with it the few times I run Windows.

More later....


Dang.... Sorry I can't seem to post replies to comments.  Not sure why.   The comment about auditing is a good one.  I set it up on the "...\Local\Temp" folder and found Chrome.exe to be the culprit.  Trouble is that doesn't tell me what caused Chrome to execute a new instance.  I think I'll audit the exe itself and see what I get...


Update 02-21-16
Since I've mostly switched to Linux this issue hasn't been on the top of my priority list.  Either way I did make some headway.  What I did was adjust the Windows startup to see what could be turned off to stop this.  I'm down to three items still shut off.  First is the Windows sidebar at "c:\program files\windows sidebar\sidebar.exe".  Next is the Windows error reporting server wer.exe at "c:\programdata\microsoft\windows\wer\wer.exe".  Lastly the Comodo "GeekBuddy" service, which I just read is a huge security risk anyway.  I use Comodo for Antivirus.  So far there have been NO new occurrences.  I would be curious to see if anyone else sees the same effect.

Update 03-11-16
Still can't reply to comments for some reason.  In response to the third comment...  Very interesting.  What files were involved and what did you do to identify and fix it?  The more detail we can post the more it might help someone else.  I'm planning to reinstall Windows (something I've done way too many times in my life) since it will only be left on my system for the things I absolutely can't run under Linux.  After that I expect the issue will be a moot point.

Update 05-28-16
In response to the May 19th post...  I would love to be able to test this but I have been exclusively running Linux for some time now. I never noticed any bogus accounts on my system and being a professional sysadmin I tend to have a pretty intimate knowledge of my systems.  Still this could be a valuable check should it find something.  Best of luck.

Update 07-27-16
I haven't suffered from this beastie's sting for a number of months now.  Since switching over exclusively to Linux I've seen nothing.  I'm pretty sure I now know why.  I'm surprised I hadn't hit on this before due to the obvious symptoms.  I feel like an audience member watching a magic act and never noticing the assistant in the audience feeding the magician clues.

Like I said before... scheduled tasks...  the trick here is "trigger start tasks" which are a new feature with Windows 7 and later versions of the OS.  Basically Microsoft has once again given the bad guys a wonderful tool to pick our pockets.  True, it's a great feature, if you use your powers for good.  Trouble is when powerful things are placed in the hands of idiots it doesn't take long for them to become corrupted.  Heck I've used them at work for things myself.

Trigger start tasks are those that only fire off when a specific action is detected on the PC.  This could be logon, logoff, system idle, or... a mouse click in a certain place, like say a browser window....  See where I'm going here.  This is a well-known tactic of adware and malware authors.  See this article for details: https://blog.malwarebytes.com/cybercrime/2015/03/scheduled-tasks/

The hard part is that Microsoft pretty much runs Windows on these tasks and they include a LOT of them out of the box.  Did you think the OS detected you inserting a DVD or memory key by magic?  Nope, trigger start tasks.

So, why, you may ask, am I still blabbering about these PUPs (Potentially Unwanted Programs) again?  Well I initially got nailed by some damn Chrome extension, god only knows which.  I, like many of you, sync my settings between browsers, and now my work browser running on Windows has dutifully synced whatever extension came with this crap and so once again I'm trying to rid my life of it.

I'm working on a few things to clean this up like PowerShell scripts to list and purge the trigger tasks.  The new task scheduler stores task definitions as XML files with a ".JOB" extension so you can search for them and scan their contents.  Once I get something concrete I'll post it here.
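An added example of the trigger-task audit described above; it is not the author's script. It lists every scheduled task with an event, idle, session-change or registration trigger, expands each task's action path, and flags actions that run from outside the Windows and Program Files directories or whose executable lacks a valid Authenticode signature (the pattern behind the wermgr.exe-under-ProgramData finding in the comments). It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module and an elevated shell so that all task folders are readable; note that the Task Scheduler 2.0 definitions it reads live as extensionless XML under %SystemRoot%\System32\Tasks, which is where the same XML can be inspected by hand.

```powershell
# Added example, not the blog author's script: audit "trigger start" scheduled
# tasks and flag those whose action runs from a user-writable location or is
# unsigned. Requires the ScheduledTasks module (Windows 8+) and an elevated shell.
$triggerTypes = @('MSFT_TaskEventTrigger', 'MSFT_TaskIdleTrigger',
                  'MSFT_TaskSessionStateChangeTrigger', 'MSFT_TaskRegistrationTrigger')
# Locations a standard user cannot write to; anything else (ProgramData, AppData,
# Temp, the user profile) is where adware like this tends to drop its binary.
$trustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                  $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-TriggerTaskAudit {
    Get-ScheduledTask | Where-Object {
        @($_.Triggers | Where-Object { $_.CimClass.CimClassName -in $triggerTypes }).Count -gt 0
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions carry a ClassId instead of an Execute path; skip them.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $inTrusted = @($trustedRoots | Where-Object {
                $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
            # A bare name such as "wermgr.exe" resolves through PATH at run time;
            # report it as unresolved rather than guessing which copy would load.
            $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                       (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
                   } else { 'Unresolved' }
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                Triggers   = ($task.Triggers |
                    ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task' }) -join ','
                Executable = $exe
                Arguments  = $action.Arguments
                Signature  = $sig
                Suspicious = (-not $inTrusted) -or ($sig -ne 'Valid')
            }
        }
    }
}

# Review the flagged tasks first; a vendor component can legitimately live
# under ProgramData, so confirm the file before unregistering anything.
Get-TriggerTaskAudit | Where-Object Suspicious |
    Format-Table Task, Triggers, Executable, Signature -AutoSize

# To inspect a flagged task's full definition (same XML as under System32\Tasks):
#   Export-ScheduledTask -TaskName '<name>' -TaskPath '<path>' | Out-File task.xml
# To remove it once confirmed:
#   Unregister-ScheduledTask -TaskName '<name>' -TaskPath '<path>' -Confirm:$false
```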



10 comments:

  1. I have the same problem. Whatever it is, it's creating files in C:\Users\[User]\AppData\Local\Temp (mute7vpxmz.ini and mute9vpxmz.ini). So far, no luck trying to detect a Task or anything suspicious other than that. I'm trying to see if an audit will help in detecting what's creating or reading those files.

  2. This is so far the most interesting post regarding this issue. I've battled with it for 6 months now, after a family member installed the Torch browser... The trojan makes locked tmp files on the temp directory as well. If you remove the mute files, they will reappear at the first popup. It has to load somewhere, as this doesn't happen in Safe mode with network.

  3. Turned out to be hidden as nVidia. Problem fixed.

  4. Hey there
    I came across this after extensive searching for the cause and many scans etc etc

    I felt a little silly after I found the issue.
    Check for a hidden user account.
    Go to Control Panel> User Accounts> Manage another account > Set Up Parental Controls (or just 'parental controls')

    This should list users including hidden ones that will not show up when you click "Manage Another Account".

    If you find a user there like I did, click start, type "regedit"
    Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    Find the user that is not yours and delete.
    WARNING: do not delete keys containing 'SYSTEMPROFILE' 'LOCALSERVICE' or 'NETWORKSERVICE' or the one containing your own user account. Only if there is one added that you DO NOT recognise.

    Please let me know how you go!

  5. I was facing the same problem as you, and I guess I figured out how to solve this. So the only thing that I did was install Malwarebytes (corporate version) on my computer, and after the installation I made a quick scan and found some entries on the computer and now they're in the Malwarebytes quarantine. I'm gonna list 'em below:


    HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|wermgr (Trojan.ProjectOrion) -> Data: C:\ProgramData\Microsoft\Windows\WER\wermgr.exe -> Enviado para a Quarentena e deletado com sucesso. [7d70f033a8f2b581f7c6574f8b798080]

    Pastas Detectadas: 2
    C:\ProgramData\11026639394093586170 (PUP.Optional.MultiPlug.Gen) -> Enviado para a Quarentena e deletado com sucesso. [905d56cd5545e0562901c1d347bcc937]
    C:\ProgramData\{a4bc9495-9bcb-6d81-a4bc-c94959bc5256} (PUP.Optional.MultiPlug) -> Enviado para a Quarentena e deletado com sucesso. [cf1edc471882171f98728c58ed1630d0]
    C:\ProgramData\11026639394093586170\ad944670c92406e7524edb337cad686e.ini (PUP.Optional.MultiPlug.Gen) -> Enviado para a Quarentena e deletado com sucesso. [905d56cd5545e0562901c1d347bcc937]
    C:\ProgramData\11026639394093586170\d662dc959576c454524edb337cad686e.ini (PUP.Optional.MultiPlug.Gen) -> Enviado para a Quarentena e deletado com sucesso. [905d56cd5545e0562901c1d347bcc937]
    C:\ProgramData\{a4bc9495-9bcb-6d81-a4bc-c94959bc5256}\SuperOneClickv2.3.3.dat (PUP.Optional.MultiPlug) -> Enviado para a Quarentena e deletado com sucesso. [cf1edc471882171f98728c58ed1630d0]

    btw, I'm Brazilian and so the log is in Portuguese. Hope this can help you in some way. If you want, you can e-mail me: scrod_@hotmail.com, or say here if it worked, :)

  6. One more thing about http://orion.zerohorizon.net/: whenever I try to find out, all my efforts send me to SpyHunter. So many, many, many pages say that specific program, SpyHunter 4, can clean it up, but in truth?? It can't, I have tried it. Why so many ads about that program? Any idea????

    Replies
    1. I also find that to be really odd. I can only speculate that the company that makes that tool is trying to boost sales by using the adware and then padding the Google searches with its own results. No way to really prove that so it's just me guessing.

  7. Look for wermgr.exe in the task manager / processes. This is the "virus". The Windows file wermgr.exe should be in the system32 folder, but this one is under ProgramData\Microsoft\Windows\WER. You need to have access to the folder, and to see hidden files. Under WER there should be only two directories. Stop the process in task manager and delete all files (except the two Report directories). Clean up your cookies and reset all browsers. I didn't find any traces in the registry, and the computer has been clean for 6 months now. Regards, Morten.

  8. Programming like Trojan stallions conceal themselves as blameless records and go into your PC with the rationale of inferring all your own data. Not just this, right now there are as of now a great many projects that put on a show to be infection cleaners yet in actuality when you download them they introduce malevolent contaminations on your framework. crytowall removal guide at how-to-remove.org

    Replies
    1. This is very true and it is extremely difficult to discern which are valid and which are fakes. It would be nice if Windows was simply more secure so that these things were not so prevalent. Things are only going to get worse so vigilance is the best offense.
