In Google Chrome, the browser somehow became infected and now shows a blank page with the letters QFxZ-CAA and it redirects to wewewesearch.com.
The whois on that domain shows ipower is the host and it does show an administrative contact. Perhaps he has more information.
It appears to be a new virus as no solutions pull up through an internet search or by searching directly on anti-virus software websites. I’m running the free AVG now, but it’s not finding anything.
If you know how to solve this, please post!

After not finding a virus and later restarting, here are 3 of the annoying pop up ads the virus now displays:



You’re not alone. Went straight by Sophos Antivirus. No idea how to remove yet.
Seems to be Trojan.Vundo. Malwarebytes’ Anti-Malware (http://www.malwarebytes.org/mbam.php) seems to kill it. (Do a quick scan, remove all after the scan has finished, and click ‘ok’ to restart to do the final file removal.) Also it might be good to not have your browser open, because Firefox seemed to have been the vector for me, and the moment the registry entries were removed by MBAM, my Sophos started complaining of registry modifications by Firefox, which it also did when I was first infected.
Last night the same thing happened to me… every time I ran a search on Google it gave me a blank page with the letters QFxZ-CAA. I was getting pretty annoyed because Google Chrome’s default search engine is Google… so I used this anti-virus and spyware and malware security suite called ZoneAlarm and scanned the entire computer and it found one trojan virus marked as high… the ZoneAlarm program quarantined it and now Google works every time. =) I don’t know if that was why… but now it works fine.
Well, AVG simply didn’t find it. I hesitantly tried the free Malwarebyte software and it said it found the mundo virus, but said it had to restart to remove the rest. Upon restarting there was no confirmation or anything that the remaining files were removed, so I opened the app again and did another scan. It didn’t find anything this time. Below is the report.
Google search now works fine. The only problem now is it seems unusually slow, as if part of the virus is still there. I’m hesitant to try additional software, because sometimes I think the anti-virus companies in some cases actually create viruses to drive their business. What a coincidence that they happen to be the ONLY company with a removal tool? For example, as a part of this mundo virus, it advertises anti-virus software called ‘the shield deluxe 2009’. It seems suspicious this company is being advertised as part of the virus itself.
This is the report of the virus scan:
Database version: 2297
Windows 5.1.2600 Service Pack 2
7/12/2009 11:22:28 AM
mbam-log-2009-07-12 (11-22-17).txt
Scan type: Quick Scan
Objects scanned: 114439
Time elapsed: 13 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 8
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\wimesabi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\sesotoja.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\SYSTEM32\dizigiro.dll (Trojan.Vundo.H) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb2cfdbe-e005-4aae-9e8d-e580eadda889} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bb2cfdbe-e005-4aae-9e8d-e580eadda889} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bb2cfdbe-e005-4aae-9e8d-e580eadda889} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{12da1bc4-5384-42fd-a119-3c99d2d146a2} (Trojan.Adware) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{dbe49762-874f-41ac-9409-ecdd4b3db4a2} (Trojan.Adware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{12da1bc4-5384-42fd-a119-3c99d2d146a2} (Trojan.Adware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2ffc610b (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wohojupife (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sesotoja.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\sesotoja.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\dizigiro.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\SYSTEM32\dizigiro.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\japidahu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\wimesabi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\sesotoja.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\SYSTEM32\mozifihi.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\SYSTEM32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> No action taken.
Update: the above software removed the core issue on the system, but Google Chrome seems to be permanently damaged. Search doesn’t work at all in Chrome even though it was a fresh install. I’m using Firefox now.
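The scan report above lists the same DLL under several autostart locations, which is why removing one entry is not enough. The following is an added example, not part of any post in this thread: it parses detection lines in the format shown in the report and groups them by load mechanism. The sample lines are copied from the report; the mechanism labels and function names are this example's own.

```python
import re
from collections import defaultdict

# Five entries copied from the scan report on this page.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\sesotoja.dll (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb2cfdbe-e005-4aae-9e8d-e580eadda889} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wohojupife (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sesotoja.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\sesotoja.dll -> No action taken.
"""

# Lowercased registry path fragment -> autostart mechanism (labels are this example's own).
MECHANISMS = [
    ("\\browser helper objects\\", "Browser Helper Object"),
    ("\\currentversion\\run\\", "Run key"),
    ("\\appinit_dlls", "AppInit_DLLs"),
    ("\\lsa\\notification packages", "LSA Notification Packages"),
    ("\\sharedtaskscheduler\\", "SharedTaskScheduler"),
    ("\\shellserviceobjectdelayload\\", "ShellServiceObjectDelayLoad"),
]
# Line shape: "<object> (<detection>) -> [<detail> -> ]<action>."
ENTRY = re.compile(r"^(?P<path>.+?) \((?P<det>[^()]+)\) -> (?:(?P<detail>.+) -> )?(?P<action>[^>]+?)\.?$")

def parse(log):
    """Return one dict per detection line; header and count lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        low = m["path"].lower()
        kind = "file"
        if low.startswith("hkey_"):
            kind = next((name for frag, name in MECHANISMS if frag in low), "other registry")
        detail = m["detail"] or ""
        dll = detail[5:].strip().lower() if detail.startswith("Data:") else None
        entries.append({"path": m["path"], "kind": kind, "dll": dll,
                        "pending": m["action"].lower() == "no action taken"})
    return entries

def summarize(entries):
    """Return (DLL -> mechanisms that load it, mechanism -> objects still 'No action taken')."""
    points, todo = defaultdict(set), defaultdict(list)
    for e in entries:
        if e["dll"]:
            points[e["dll"]].add(e["kind"])
        if e["pending"]:
            todo[e["kind"]].append(e["path"])
    return dict(points), dict(todo)
```

Running `summarize(parse(SAMPLE_LOG))` on a log saved after the reboot gives a checklist of locations to confirm are clean; an empty second result means nothing is left pending.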
Please keep me updated. I am also infected by this problem. Chrome acts weird, like a hit or miss type, and I keep bumping into the same QFxZ-CAA.
Are you suggesting just going to quit awesomest Chrome?
Yeah, bummer, searches don’t work from the address bar anymore, so until I have more time to look into it, I’m using Firefox. I do prefer Chrome.
JUST RECENTLY I DOWNLOADED A PROGRAM AND I’VE COME TO FIND IT HAD A VIRUS. NOW GOOGLE ALWAYS POPS UP WITH QFxZ-CAA .. I DIDN’T KNOW WHAT TO DO, BUT I AM RUNNING – AVG VIRUS PROTECTION, IT FOUND SOME OF THE VIRUS BUT STILL HASN’T GOT RID OF IT… BUT I’VE FIGURED OUT, WELL THIS IS NOT A SOLUTION BUT IT HELPS UNTIL YOU TRY SEARCHING FOR SOMETHING ELSE…. JUST THOUGHT I’D LET YOU KNOW ..******** WHAT YOU WANT TO DO IS RIGHT CLICK THE MOUSE AND SCROLL TO WHERE IT SAYS ENCODING. THEN WHAT YOU WANT TO DO IS CLICK ON UNICODE (UTF-8) AND THAT WILL DISPLAY YOUR GOOGLE AND WHATEVER IT IS THAT YOU’RE LOOKING FOR.. ********** THAT’S WHAT I’VE FOUND SO FAR…
SO IF ANYONE GOES ANY FURTHER PLEASE HELP OUT THANKS!
YOU MAY ALSO CLICK ON VIEW AND THEN SCROLL DOWN TO ENCODING AND CLICK ON THE SAME THING
System restore has cured mine!
Try downloading Symantec Trojan.Vundo Removal Tool 1.5.1
Tried system restore with mine – did not work – I still have no Google. I got the Malware – cost me $49 and I agree it is a coincidence that they are the ONLY company who knows the answer to this problem – they probably sent it in the first place, IMHO. Wish me luck – nothing seems to help – anyone have a solution, please advise!! Thanks!
Hey, I recently got a virus, I have noticed that I run into that QFxZ-CAA only when I search anything related to getting rid of the virus: such as: Hijack this log analyzer, anything with the word “virus” in it, etc… I am afraid I may have picked up a keylogger as well… The virus not only did that to my Chrome, but also disabled my active desktop picture, safe mode, and the task manager.