"Funmoods" hijack of browser

benmacri · ‎02-05-2012

Greetings!

Somehow I noticed that my Google Chrome main browser bar looked a little different and then saw that there was a small name in it, "funmoods." When I clicked on this it took me to a website in Israel, a pretty obvious hijack. It attempted to make itself the default browser so I deleted it in the tools menu in Google Chrome. Norton didn't notice any of this activity or upon scanning for viruses.

I downloaded power eraser and it found a single file: RIKVM_1628BCEA.sys, in my system 32 file and noted that it was "Bad." I selected that it be removed and rechecked again. It still shows up even though Norton says its been fixed?!

I copied some of the log file from the power eraser scan and here it is:

-<BROWSERS_INSTALLED Default="IEXPLORE.EXE">-<Browser ID="01"><Name>Google Chrome</Name><Path>"C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe"</Path></Browser>-<Browser ID="02"><Name>Internet Explorer</Name><Path>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Path></Browser></BROWSERS_INSTALLED></Inspect>-<Analyze DateAndTime="Monday, 06 February 2012 Time: 17:52">-<Infections_Detected><DRIVERS Count="0"/><SERVICES Count="0"/><PROCESSES Count="0"/><LAYERED_SERVICE_PROVIDERS Count="0"/><DESKTOP_SHORTCUTS Count="0"/><AUTORUN_FILES Count="0"/><STARTUP_ITEMS Count="0"/><BROWSER_HELPER_OBJECTS Count="0"/><BROWSER_TOOLBARS Count="0"/><BROWSER_PLUGINS Count="0"/><SHELL_EXTENSIONS Count="0"/><EXPLORER_PLUGINS Count="0"/><DIRECTORIES Count="0"/>-<FILES Count="1">-<File ID="1">-<File_Information><Path>C:\Windows\system32\Drivers\rikvm_1628BCEA.sys</Path><FileVersion><></FileVersion><ProductVersion><></ProductVersion><ProductName><></ProductName><Company><></Company><Copyrights><></Copyrights><MD5><></MD5><SHA256><></SHA256><FileSize><></FileSize></File_Information>-<SideEffects Count="1"><File>C:\Windows\system32\Drivers\rikvm_1628BCEA.sys</File></SideEffects></File></FILES><SYSTEM_SETTINGS Count="0"/></Infections_Detected></Analyze></Session0></Norton_Power_Eraser_Information>

Any help removing this spyware would be VERY much appreciated as Norton doesn't see it and or is not able to remove it.

The web address for funmoods is: [Removed]

[edit: removed link to malicious website per the Participation Guidelines and Terms of Service. Please do not post links to anything potentially dangerous]

Krusty13 · ‎05-31-2011

Hi benmacri,

You might find your answer in this thread - http://community.norton.com/t5/Tech-Outpost/funmoods-toolbar/td-p/651281.

I hope this helps.

Dave.

Windows 7 x64 SP1 N360v20.3.1.22 NU16 SSR 2013 Secunia PSI SpywareBlaster NoScript MBAM free SAS free

benmacri · ‎02-05-2012

Hi Dave!

Well after 3 runs with Power Eraser, going into Chrome "options," then "manage search engines," I discovered that funmoods had established itself as default. I deleted it and also changed my proxy settings which had been hijacked as well, then I ran power eraser one more time. This seems to have fixed the problem as this spyware hasn't shown its face and power eraser says it has been removed...let's hope that this stays away.

Thanks for your advice!