Google Browser Hijacker cloaked malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by drp3636, Mar 20, 2010.

  1. drp3636

    drp3636 Private E-2

    Seem to have a cloaked malware program that redirects most google searches to another website, but disguises redirect as google custom search. Thus far, it has evaded all antivirus and antispyware programs.

    This may be a variant of the ffsearcher trojan, but couldn't find any of the files normally associated with it. What I get is a lot of ads at top and on side.

    I'm using the latest Vista with all updates, patches, etc. installed. I followed all instructions in Read & Run First Malware Removal Guide, but was unable to run the last one, MGTools. I installed it in my root directory, and it did create the folder MGTools, but when I right clicked on the GetLogs.bat file and ran as administrator, the window would very briefly pop up, then immediately disappear.

    Please find attached 4 log files from the programs I could run. I would like to complete Guide with MGTools, but need help to get it to run on my system.

    Thanks in advance for your help.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!



    Your logs show too many protection programs running. I see all of the below in the logs you attached:
    1. Avast
    2. McAfee
    3. Ad-Aware Ad-watch
    4. IO Bit 360
    5. Windows Defender
    6. PrevxCSI
    7. Comodo Internet Security
    8. I also saw signs of Kaspersky and TrendMicro but I'm guessing this was online scanners??
    What to do:
    • If Prevx is just the free trial, uninstall it immediately.
    • You must make sure you only have one antivirus program, so either Avast or McAfee must be uninstalled.
    • Also if Comodo is not just the firewall, then it would be a 3rd antivirus and you still must be sure to have only one.
    • Also choose between ONLY one of the following
      • Ad-Aware Ad-Watch
      • IO Bit 360
      • Windows Defender
    After addressing all of the above, continue with the below.




    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
    Now make sure that you have disabled Vista's UAC as instructed in the Using MGtools instructions and make sure that you have rebooted after it was disabled.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\MGlogs.zip
     
  3. drp3636

    drp3636 Private E-2

    Ok. Will start on this immediately. Thanks for your help.
     
  4. drp3636

    drp3636 Private E-2

    Alright. Followed all your instructions. Decided to buy SAS as real time scanner. Deleted everything else you asked me to.

    But, I still have Registry Patrol, Identity Patrol and Advanced System Care. Is it OK to keep these? I don't think they use real-time scanning for spyware. Please let me know.

    Am going to try alternative methods listed in the link at end of read me first post unless you tell me not to.

    Forgot to tell you that I did manage to get MGtools to work before you replied to my first post, so find 2 logs attached, # 2 being the newest one (run after TDSSKiller.exe).

    Attached are all requested logs.

    Thanks again for your help. It is greatly appreciated.

    Don
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    > Decided to buy SAS as real time scanner.

    I only see the free version in your logs.

    > Deleted everything else you asked me to.

    I still see Windows Defender. If you really purchased SAS, I would disable Windows Defender using the below:

    Disabling & Enabling Windows Defender in Vista

    Why do you think you need Advanced System Care? It is always running. Personally I would not waste the system resources on it, but if you don't mind, that is your decision to make.

    > Am going to try alternative methods listed in the link at end of read me first post unless you tell me not to.

    For what exact problem? I'm not seeing any real malware. I just have one thing for you to do, which I will post below. Are you still being hijacked? If so, to where and with which browser? Does it happen with both IE and FireFox? Does it happen in safe boot mode?


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)

    After clicking Fix, exit HJT.
     
  6. drp3636

    drp3636 Private E-2

    Hello,

    Still being hijacked. Don't have Firefox, so unsure about it. But Google is still hijacked. Even Major Geeks shows "Ads by Google" now, which it didn't before, even when using Bing to get to your site. I took a screen shot of this so you can see what I mean. Don't know enough about Bing to know if redirected. Even in Google, it is hard to tell you are being redirected. They disguise it very well. At first, I thought Google just changed their look. I'll bet many people are infected and don't even know it.

    I thought I had disabled Windows Defender; I didn't realize you couldn't do it by turning it off in Windows. I have disabled it per your instructions.

    I purchased SuperAntiSpyware Pro after I ran the other scans and posted logs.

    I downloaded and ran Counterspy. It found 56 traces of ezula common elements and 1 instance of memwarp.ocx. Unfortunately, trojan managed to disable it by changing license period to show expired, so was unable to clean it off or get a log.

    Also, whenever I install a program, Comodo warns me that Services.exe is trying to modify a registry key. If I block the request, the installation will not complete. Is this the virus trying to infiltrate antispyware programs while installing?

    Also, I read another post by RBob, Post #109 in Favorite Antispyware Apps. He said he believed he got infected downloading Free Sound Recorder off the Download.com site. I noticed that I started getting redirected shortly after I had also downloaded this program from the same site. Coincidence? Maybe.

    Also downloaded and ran A-squared. It reported several problems, but I didn't fix any of them, because of so many false positives. I'll attach the log. Please let me know if any of these things need fixing.

    The virus doesn't seem to run in Safe Mode, but before running ComboFix, the virus had disabled my internet connection even with Networking enabled. After ComboFix it would connect in Safe Mode. The internet connection worked fine in normal mode both before and after ComboFix.

    I will also attach a screen shot of Google Redirect page that includes redirected web address above.

    I followed your instructions and ran MGTools\Analyse.exe.

    BTW, my laptop comes equipped with a System Recovery option where everything can be restored to factory default settings from a D:\ drive partition. I can do this at system startup by pressing the F11 key. I have never used this partition for anything. The laptop was set up with the recovery partition when I bought it. Is there any danger in using that to get rid of viruses? Supposedly, it reformats the disk and reinstalls everything to its pristine, factory default setting. Of course, I would back up all files needed before doing this.

    Please let me know if this may be the best way to solve problem. Thanks again for your help.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry but those are normal. You are not being hijacked. The Ads by google is normal on Major Geeks main site and you just have your search engine setup to go to search.google-custom.com

    I suggest that you ignore and uninstall A-squared as it is a major source of false detections.
     
  8. drp3636

    drp3636 Private E-2

    Hello,

    I never changed my search engine to do a google custom search ever. Online research revealed several people reported this problem. If I set it up this way, why does it not ALWAYS do a Google Custom search, but only after several searches?

    What about Counterspy reporting 56 traces of ezula common elements and memwarp.ocx.

    Bottom-line, I still think I'm infected.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check your IE to see what search providers you have added (knowingly or unknowingly). Also check that your DNS server addresses have not been changed to something they should not be.


    Click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Type or copy and paste the following line in the command window:
      ipconfig /all > c:\ipinfo.txt
    • Exit the command window
    • Now attach the C:\ipinfo.txt log.

    Without seeing a log I cannot comment. Are you referring to an old scan, or did you just run CounterSpy? Ezula is normally just adware that you may get when installing various software. Even the below, which you have installed, could be suspect:
    EveryWAN Remote Support Personal Edition
    Free Registry Defrag
    Free Sound Recorder 2010 v8.2.1
     
  10. drp3636

    drp3636 Private E-2

    Hello again. Thanks for your help so far.

    Attached is the log you requested.

    Some program(s) added 3 search providers, one I didn't recognize. I also deleted 3 registry keys under HKEY_CURRENT_USER --> Software --> Microsoft --> Internet Explorer --> SearchScopes. These may have corresponded to the search providers.

    I did this because of info other folks gave about solving their custom-google search problems. Here is the link: http://www.google.com/support/forum/p/Web+Search/thread?tid=6ae96d3d9038187c&hl=en

    Don't know how to check and see if my DNS server addresses have been changed to something they should not be.

    I did the Counterspy scan yesterday. Shouldn't SAS or Malwarebytes pick up eZula? What can I use to clean it off my system?

    Also, before running MGTools the host file was locked and had an entry about localhost. After running MGT, file unlocked and entry deleted.

    Thanks again for your help.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    As I suggested in my previous message, you could just use IE's Manage Search Providers option to remove unwanted search providers or to add new/correct ones if any were deleted that you needed.

    That was part of the reason I wanted the log but you did not run the proper command for the log I wanted. You repeated the first command for ipconfig instead of 2nd command which was different.

    All scanners have things they detect that others may not. Without a log from CounterSpy I cannot comment on whether anything valid was detected. It could just be things in quarantines or in System Restore. Either way not really a problem since you are not infected.

    The host file should contain a line for localhost. It should be 127.0.0.1 localhost

    Are you still having a problem?
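The three checks chaslang asks for in posts 9 and 11 (unexpected IE search providers, changed DNS server addresses, and a hosts file that no longer just maps localhost to 127.0.0.1) can be run over saved output rather than by eye. The block below is an added example, not code from the thread, from MGtools or from HijackThis. It is Python that parses text already captured with `ipconfig /all > c:\ipinfo.txt` (the command from post 9), with `reg query "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /s`, and from the hosts file, so it runs offline. The allowlists, the sample captures and the all-zero GUID are constructed assumptions, not values from the poster's logs.

```python
"""Triage helpers for a suspected search hijack on Windows. Added example, not
code from the MajorGeeks thread or its tools: it parses saved text from
`ipconfig /all`, from `reg query ... /s` on the HKCU SearchScopes key, and from
the hosts file, so it runs offline. The allowlists below are assumptions."""
import ipaddress
from urllib.parse import urlparse

# Assumptions: resolvers and search engines this owner recognises; anything
# else is flagged for review, not declared malicious.
TRUSTED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}
TRUSTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}
LOOPBACK = {"127.0.0.1", "::1"}


def _as_ip(text):
    try:                                   # drop an IPv6 scope id such as '%1'
        return ipaddress.ip_address(text.split("%", 1)[0])
    except ValueError:
        return None


def dns_servers(ipconfig_text):
    """All resolvers: the first sits on the 'DNS Servers' line, the rest on
    indented continuation lines that hold only an address."""
    servers, collecting = [], False
    for raw in ipconfig_text.splitlines():
        line = raw.strip()
        if line.startswith("DNS Servers"):
            first = line.split(":", 1)[1].strip()   # text after the dotted label
            if _as_ip(first):
                servers.append(first)
            collecting = True
        elif collecting and _as_ip(line):
            servers.append(line)
        else:
            collecting = False
    return servers


def untrusted_dns(ipconfig_text):
    return [s for s in dns_servers(ipconfig_text) if s not in TRUSTED_DNS]


def search_scopes(reg_text):
    """Map each key in `reg query /s` output to its values (name -> data)."""
    scopes, key = {}, None
    for raw in reg_text.splitlines():
        if raw.startswith("HKEY_"):
            key = raw.strip()
            scopes.setdefault(key, {})
        elif key and raw.strip():
            parts = raw.split(None, 2)          # name, REG_type, data
            if len(parts) == 3:
                scopes[key][parts[0]] = parts[2]
    return scopes


def untrusted_search_scopes(reg_text):
    """(subkey, DisplayName, host) for providers whose host is not recognised."""
    flagged = []
    for key, values in search_scopes(reg_text).items():
        url = values.get("URL")
        if not url:
            continue
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_SEARCH_HOSTS:
            flagged.append((key.rsplit("\\", 1)[-1], values.get("DisplayName", "?"), host))
    return flagged


def suspicious_hosts_entries(hosts_text):
    """localhost pointed away from loopback, or any other name pinned to a real
    address; 127.0.0.1 / 0.0.0.0 block entries are left alone."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() == "localhost" and ip not in LOOPBACK:
                flagged.append((ip, name, "localhost not loopback"))
            elif name.lower() != "localhost" and ip not in LOOPBACK | {"0.0.0.0"}:
                flagged.append((ip, name, "name pinned to an address"))
    return flagged


# Constructed sample captures (not the thread's logs); 203.0.113.0/24 and
# .test names are documentation-only placeholders for the unexpected values.
SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    DisplayName    REG_SZ    Bing
    URL    REG_SZ    http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-0000-0000-0000-000000000001}
    DisplayName    REG_SZ    Google Custom Search
    URL    REG_SZ    http://search.example-custom.test/?q={searchTerms}
"""
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ads.example.test   # a block entry, harmless
203.0.113.7     www.example-search.test
"""
```

A hit from any of the three functions is something to look at, not a verdict: your ISP's resolvers and any search provider you added yourself will show up until you put them in the allowlists, and the `DNS Servers` label is matched as printed by an English-language `ipconfig`. On the thread's own question, a SearchScopes subkey whose URL host is not one you recognise is exactly the entry IE's Manage Search Providers dialog would let you delete.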
     
