Google redirection hijack & other malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BobLewiston, Jun 1, 2011.

  1. BobLewiston

    BobLewiston Private E-2

    My friend Bob's computer had the following symptoms:

    1. A . This would only happen in Firefox, but not in IE.

    2. Add / Remove Programs would simply refuse to run.

    3. In Avast Antivirus, whenever an attempt was made to update either the engine and virus definitions or the program itself, an error message would appear saying that Avast was unable to access the server. I know the problem was not the server, since I didn't have this problem on my computer. This problem didn't disappear even when I reinstalled Avast Antivirus.

    4. Programs got launched simply by positioning the cursor over their desktop icons, rather than actually double clicking on the icons. I'm not sure if that's a malware problem or just a Windows configuration problem, but it sure is obnoxious.

    I took all the steps recommended in the Fixing Google Redirection/Hijacking Problems guide and in the Major Geeks' Malware Removal Guide, and the first two problems disappeared, but not the problem with Avast, or the program launch problem. Also, now that Add / Remove Programs works, I can see an installed program called "aaa", which I suspect is malware, and which I can't uninstall.

    I'm sending the logs from GooredFix, TDSSkiller, SUPERAntiSPyware, Malwarebytes Anti-Malware, Combofix, Root Repeal and MGtools.
     


  2. BobLewiston

    BobLewiston Private E-2

    And here are the rest of the logs. Thanks a lot for any help you can give.
     


  3. BobLewiston

    BobLewiston Private E-2

    Update: I just downloaded the latest version of Avast Free Antivirus (6.0.1125.0) and installed that, but I still can't connect to the server to update the engine and virus definitions.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am reviewing your logs and will get back to you with a response later on.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Bob Heil\Local Settings\Application Data\rwm24r6hc455p7p67o
    C:\Documents and Settings\All Users\Application Data\rwm24r6hc455p7p67o
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    The version of MGTools you are using is outdated too! Note, using outdated software can cause big issues, not with MGTools but with Combofix especially. Never keep old copies lying around, always be current.

    Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

    Run the new C:\MGTools.exe and attach the C:\Mglogs.zip
     
  6. BobLewiston

    BobLewiston Private E-2

    Somehow, I managed to screw up point #1. The point was that Google was being redirected.

    Anyway, here are the logs. The first Combofix log was from before I dragged CFscript.txt over Combofix.exe, and the second one is from afterwards.
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do redirects persist at this point or not?
     
  8. BobLewiston

    BobLewiston Private E-2

    The Google redirection and Add / Remove Programs problems appear to be resolved, except that I can't remove program "aaa", which I believe is Trojan Downloader Agent AAA. Avast Antivirus still can't connect to the server to update itself, and the mouse-over problem persists.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, the only software beginning with "a" shown in your logs is as follows:

    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.6
    AiO_Scan
    AiOSoftware

    Can you show me with a screenshot?

    Are you able to uninstall it using the below program?

    Try Revo Uninstaller.

    Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.

    Does Revo even see the program?
     
  10. BobLewiston

    BobLewiston Private E-2

    Here are the screenshots:

    As you can see, Add or Remove Programs sees "aaa" but can't remove it completely, and the same for Revo Uninstaller.

    Is the cursor-over problem just a Windows configuration issue? Because it's indescribably obnoxious. If it IS just a Windows configuration issue, is it possible that Microsoft simply has sh*t for brains?
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try removing Java(TM) 6 Update 25 with Revo, reboot and now tell me if the aaa entry still appears.
     
  12. BobLewiston

    BobLewiston Private E-2

    OK, I removed Java 6 Build 25, and "aaa" was still visible in Add or Remove Programs, as well as in Revo Uninstaller, but Add or Remove Programs was then able to completely remove "aaa", and now "aaa" isn't visible in either Add or Remove Programs or Revo Uninstaller, so I guess "aaa" was part of Java. So should I reinstall Java 6 Build 25?

    And Avast Antivirus still can't connect to the server.

    And WOW, would I like to get rid of this cursor-over problem. To my mind, my friend's computer is hell to work on with this problem, and he can't stand it either.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    There's a newer version out now. 6.26, and yes, install it. :)

    Uninstall PCTools Firewall > reboot > are you now able to update Avast? I am not seeing any signs of malware which could be blocking this...

    Not sure I will be able to help with this one. Not exactly my territory. Have you tried another mouse?
     
  14. BobLewiston

    BobLewiston Private E-2

    >Uninstall PCTools Firewall > reboot > are you now able to update Avast? I am not seeing any signs of malware which could be blocking this...

    I uninstalled PCTools Firewall Plus and rebooted, but avast still couldn't connect to the server, so I uninstalled and reinstalled avast, but it still couldn't connect to the server, so I rebooted, and when the desktop came up, a whole bunch of program icons were missing, and the computer doesn't work at all now, not even the mouse cursor, and I can't turn the computer off, so I guess I'll have to figure out how to remove the battery (it's a laptop). That's where we're at right now.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Why can't you turn it off? Just hold the power button in. Does that not work? :confused
     
  16. BobLewiston

    BobLewiston Private E-2

    It turns out it does work - it's just that, for some reason, you've got to hold the button in for, like, 20 seconds, rather than 10. Dunno why.

    But then, for exactly 2 attempts, these problems still persisted: not all the icons appeared on the desktop, and the mouse still didn't work. But then, on the third attempt, it worked. Again, dunno why.

    And avast still can't connect to the server.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  18. BobLewiston

    BobLewiston Private E-2

    I got a success message for the regedit.

    I've attached MGlogs.zip.
     


  19. BobLewiston

    BobLewiston Private E-2

    OK, I was too busy before, but now I've once again tried to get Avast to connect to the server, and it still won't do it.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What version of Avast do you have installed?

    I would suggest uninstalling and then rebooting. Then cleanup manually all files and folders related to Avast. Registry keys for Avast may need cleaning too; however, just try running this too: Avast! Uninstall Utility

    Then do a fresh download and install from the below link:

    Avast! Free Edition
     
  21. BobLewiston

    BobLewiston Private E-2

    OK, I did that, but it didn't work. I know there's nothing wrong with Avast's server, because I can connect to it on my own computer.

    So you can't see ANYTHING in the logs that would account for this...?
     
  22. BobLewiston

    BobLewiston Private E-2

    Oh yeah, both before and after following these recent instructions, my friend was running the version of avast! Antivirus that I downloaded from Major Geeks. Major Geeks says that version is 6.0.1125, but the properties of the file actually downloaded says it's version 6.0.1000.0.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It does not appear to be due to malware. You may have an issue on your end with a firewall, a browser or proxy setting, or possibly a router or cable/dsl modem causing an issue with the connection.
    • Have you tried bypassing your router?
    • Also have you tried doing an update in safe mode?
    • Have you tried logging into a different user account to see if it can be updated when using a different user account?
    If this continues to fail, I suggest uninstalling it and running a registry cleaner ( like CCleaner ) and remove all items related to Avast ( only remove items related to Avast as much of what registry cleaners report are incorrectly stated to be errors when they are not ). I would then suggest that you use a different antivirus like Avira or Microsoft Security Essentials.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! The link I gave you states that it is 6.0.1000

    There is also another link to a Beta version: Avast! Free Edition BETA 6.0.1035 ( link is >> Avast! Free Edition BETA )
     
  25. BobLewiston

    BobLewiston Private E-2

    >You may have an issue on your end with a firewall, ...

    No, I don't think so, because I actually uninstalled PC Tools Firewall Plus while trying to troubleshoot this. Unless... could this be a problem with Windows' own firewall? Incidentally, since uninstalling PC Tools didn't allow avast! to update, I should reinstall PC Tools, correct?

    >...a browser (setting)...

    This seems unlikely to me, since:
    1. no browser is involved in updating avast!,
    2. this happens whether Firefox or IE8 is being used (or both or neither), and
    3. my friend (whose computer I'm attempting to disinfect), now tells me that avast! has been unable to update for far longer than this most recent malware problem of his showed itself, and he didn't have any other problems in all that time, including with updating any other program.

    But maybe I'm wrong. If you can suggest any browser setting that I should look at, I'll do so.

    >...or proxy setting, ...

    Could be, I guess. See my response below to your question about trying to update in Safe Mode.

    >...or possibly a router or cable/dsl modem causing an issue with the connection.

    I don't think so, since I have his computer at my house and it's therefore on the same wireless router and cable modem as my computer, and I'm not having any problem updating any programs on my own computer.

    >Have you tried bypassing your router?

    No, for the reason I've given above, but if you think I should try this anyway, I will, but I'll do this only if you tell me to, because then I'll have to do it wired, which would be a bit of a hassle.

    >Also have you tried doing an update in safe mode?

    Yes, I tried booting up in Safe Mode, logging on as Administrator, and updating avast!, but it didn't work. I didn't get any error message, but when attempting to update the engine and virus definitions, it stalls out when attempting to initialize, and when attempting to update the program itself, absolutely nothing happens when I click the button. Maybe that shouldn't be a surprise though, because in Safe Mode I couldn't update my friend's antimalware programs (Malwarebytes' Anti-Malware and SUPERAntiSpyware) either, although I can in Normal Mode.

    >Have you tried logging into a different user account to see if it can be updated when using a different user account?

    I've tried it as:
    1. Bob Heil (my friend's name) - this is an administrator level user account; I tried this in both Safe Mode and in Normal Mode
    2. Administrator - I tried this in Safe Mode; my friend has Windows XP Home Edition, so it's not possible to log on as Administrator in Normal Mode

    Should I create some other user account to log on under?

    Incidentally, to my surprise, my friend just told me that he upgraded his SUPERAntiSpyware from the free version to the paid version, which I believe runs all the time in the background, rather than just on command, so I thought maybe it might have been blocking avast! from updating, so I tried exiting SUPERAntiSpyware and trying again to update avast!, but that didn't work either, either in Safe Mode or in Normal Mode.

    Again incidentally, I can find no way whatsoever to exit avast! when it's running, other than to uninstall it or turn off the computer (or presumably, to log off). Do you know if there is any “normal” way to exit avast! without resorting to such measures?

    >>Major Geeks says that version is 6.0.1125, but the properties of the file actually downloaded says it's version 6.0.1000.0.

    >No! The link I gave you states that it is 6.0.1000

    I must respectfully disagree. Please see the attached screen shot "Major Geeks' Avast 6.0.1125 download".

    And now there is a new development. Upon booting up in Normal Mode, I'm getting an avast! warning of a possible unsafe app (please see attached screen shot "avast unsafe app warning"). This seems odd, since it's talking about Hewlett Packard printer software. And in fact, when I click OK, I get a subsequent message that HP's software needs to be reinstalled (please see attached screen shot "HP software uninstalled"). Nonetheless, four HP apps still show in Add or Remove Programs and Revo Uninstaller, and although I don’t have my friend’s type of printer, attempting to print does output to the printer queue for his printer profile, so I don’t know what to make of these messages.

    Incidentally: as I mentioned in an earlier post in this thread, upon uninstalling Java 6 Build 25, the mystery app "aaa" vanished from the list of installed apps, and now, upon installing Java 6 Build 26, it has NOT returned to the list of installed apps, whether viewed in Add or Remove Programs or in Revo Uninstaller. If memory serves, I believe it was right about at the time I uninstalled Java 6 Build 25 that the Google redirection problem was resolved. I don't know why it occurred to Kestrel13! to recommend uninstalling Java 6 Build 25, but as I recall, "aaa" did have a Java icon in Add or Remove Programs (and I believe also in Revo Uninstaller). At any rate, "aaa" has apparently not returned, and I wouldn't know if it's a legitimate part of Java or not. Perhaps I was correct in my guess that it was Downloader Agent AAA, and had somehow piggy-backed onto Java. But for all I know, maybe that's a stupid guess.

    Sorry for the ridiculously long message, but that’s the story at the moment.
     


  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes programs like this do not uninstall properly. Rerun ComboFix and then after it finishes rerun MGtools and attach new logs.

    Potentially yes.

    No. Not yet.

    Many software programs actually make use of browsers to aid in their downloads.

    They don't have to be running. Update programs, can make use of them without them running. Whether Avast uses the browser in the background or not is unknown.



    Then it is more likely not a malware problem which was why I suggested uninstalling and then manually cleaning ALL signs of Avast from the file system and registry. Are you sure that you did this correctly. If you did, then you have two options:
    1. Post for help on Avast's website.
    2. Use a different antivirus as I previously suggested.
    3. I know I said two ;), but you could reinstall the OS to potentially correct problems within the registry that may be causing this.
    Are you also using Avast on your PC ? Are you using a wired connection or wireless and how is your friend's laptop connected? Is it connected the exact same way? None of this may really matter, I'm leaning more towards a registry or file system issue.

    Actually you can use the Administrator account in normal boot mode but you have to make a tweak to the registry to make it show. Or you have to delete all other admin accounts and then it would show by default.

    It would be worth a try to create a new admin user account and then reboot and login into it. DO NOT use a switch to another user account. Logout completely and reboot. Then use the new account. If this account does not work then it may be a Windows file system issue or a registry entry that is in a common area used by all user accounts.

    It would not block Avast and by the way the version being used is way out of date. Your log showed version 4.35.1000 and the current version is Version: 4.54.0.1000

    I have not used the newer versions of Avast, but I don't remember anyone having problems shutting it down.

    Interesting I was getting the below which is what you were getting on the download.

    AvastDL.jpg

    However I figured out why I was getting this. I had some settings on my PC related to when we were working on changes to the servers used by MGs and this was causing some old pages to be shown because the old server address was being accessed. I fixed that now and see the same version as you. I will download it and see what version shows on the file.

    Likely just a false detection.

    Because the icon showed as a Java icon.

    I think it was just a corrupted entry from Sun Java.
     
    Last edited: Jun 12, 2011
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I downloaded it twice. Once from the link that shows the Author's Site and once from MG link. The author link is downloading the correct version. The one from MGs is downloading the old version. Again this is likely due to the recent changes in our servers. I will get it fixed.
     
  28. BobLewiston

    BobLewiston Private E-2

    I'll digest all this a little later today when I get a chance. For the moment, let me just SINCERELY thank you for being willing to work on such things essentially as a public service.

    >...and by the way the version being used is way out of date. Your log showed version 4.35.1000 and the current version is Version: 4.54.0.1000

    Yes, of course, it's way out of date because it can't update itself.

    >Because the icon showed as a Java icon.

    I had forgotten I sent him a screen shot that would enable him to see the icon. My bad.

    >Okay I downloaded it twice. Once from the link that shows the Author's Site and once from MG link. The author link is downloading the correct version. The one from MGs is downloading the old version. Again this is likely due to the recent changes in our servers. I will get it fixed.

    OK, good to know. I'll redownload it from the author's website. To tell you the truth, the reason I downloaded it from Major Geeks is that I trust you guys even more than the software authors in terms of the software being malware free.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Not sure that is your problem. The two databases used are reasonably up to date. The real problem is in a design deficiency of SUPERAntiSpyware. Unlike most other programs, when you run the internal update program of SUPERAntiSpyware, it only updates the databases!!! It does not update the main program itself. To get the program to update, you have to uninstall the old version and then install the new version. So to get version 4.54.0.1000 you have to uninstall what you have, then download and install the current version. Then you would run the internal update, to get the databases back to the current versions.

    All fixed now.
     
  30. BobLewiston

    BobLewiston Private E-2

    >>Incidentally, to my surprise, my friend just told me that he upgraded his SUPERAntiSpyware from the free version to the paid version

    >It would not block Avast and by the way the version being used is way out of date. Your log showed version 4.35.1000 and the current version is Version: 4.54.0.1000

    >>Yes, of course, it's way out of date because it can't update itself.

    Sorry, for some reason I thought you meant avast! was way out of date (which it is), not SUPERAntiSpyware. I've just updated SUPERAntiSpyware and its databases, both on my friend's computer and on my own.

    Incidentally, when trying to download the newest version of SUPERAntiSpyware, I first tried downloading from the author's website. This opened a new window, but it was just the same webpage I had already been on to select where I wanted to download from (namely, http://www.majorgeeks.com/SUPERAntiSpyware_d5116.html). Then I tried to download from Major Geeks, and that worked fine.
     
  31. BobLewiston

    BobLewiston Private E-2

    >I suggest uninstalling (avast!) and running a registry cleaner ( like CCleaner ) and remove all items related to Avast...

    >>my friend (whose computer I'm attempting to disinfect), now tells me that avast! has been unable to update for far longer than this most recent malware problem of his showed itself

    >Then it is more likely not a malware problem which was why I suggested uninstalling and then manually cleaning ALL signs of Avast from the file system and registry. Are you sure that you did this correctly.

    OK, I just now uninstalled avast! via CCleaner. Sorry, I didn’t realize you were actually telling me to do that, I thought it was just suggested as a possible course of action.

    >Rerun ComboFix and then after it finishes rerun MGtools and attach new logs.

    OK, here they are.

    >Are you also using Avast on your PC ?

    Yes.

    >Are you using a wired connection or wireless and how is your friend's laptop connected? Is it connected the exact same way?

    Both my computer and my friend's computer are both connected via my wireless router.

    >Or you have to delete all other admin accounts and then it would show by default.

    >It would be worth a try to create a new admin user account and then reboot and login into it. DO NOT use a switch to another user account. Logout completely and reboot. Then use the new account. If this account does not work then it may be a Windows file system issue or a registry entry that is in a common area used by all user accounts.

    I see that for some reason (no doubt because Microsoft made it the default option), my friend set up his user account with administrative level privileges, rather than limited privileges, which isn't a good idea for surfing the web, and he's not savvy enough to need to use an account with administrative level privileges anyway, so I just limited his account's privileges. However, Windows XP Home Edition wouldn't allow me to do this without first creating another administrative level user account, so that's what I did, so I never saw the default Administrator user account, but of course that doesn't really matter.

    >>Incidentally, to my surprise, my friend just told me that he upgraded his SUPERAntiSpyware from the free version to the paid version,

    >It would not block Avast and by the way the version being used is way out of date. Your log showed version 4.35.1000 and the current version is Version: 4.54.0.1000

    It just occurred to me: since I updated my friend's SUPERAntiSpyware to version 4.54.0.1000 (from the Major Geeks website), does this version number apply to both the free and lifetime subscription versions? Because the newly installed version says it's version 4.54.0.1000 and that it's the Professional version.

    >>...I can find no way whatsoever to exit avast! when it's running, other than to uninstall it or turn off the computer (or presumably, to log off). Do you know if there is any “normal” way to exit avast! without resorting to such measures?

    > I have not used the newer versions of Avast, but I don't remember anyone having problems shutting it down.

    I don't mean that the means provided to shut down avast! aren't working, I mean that no means to shut down avast! are provided in the program, as bizarre as that may sound, at least that I can find.

    >>And now there is a new development. Upon booting up in Normal Mode, I'm getting an avast! warning of a possible unsafe app (please see attached screen shot "avast unsafe app warning").

    >Likely just a false detection.

    Can I stop these warnings?

    By the way, do you know how I can solve my friend's cursor-over problem? (See my first post in this thread.) As I commented to Kestrel13!, I find this indescribably obnoxious. Incidentally, my friend didn't give me his mouse, so I'm using the laptop's "onboard" mouse-type control below the keyboard. Would this problem go away if I used a mouse?
     


  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No I was not saying uninstall Avast using CCleaner. I said to uninstall Avast and then use CCleaner's registry cleaning option ( the Issues button ) to scan the registry and then find all the items related to Avast and remove them. If that is what you meant you did and it still has a problem, you need to do what I previously said as this is not a malware problem. What I said was
    It does appear that PC Tool Firewall was properly removed.


    The current versions of free and paid are always the same. They just have different features enabled.

    Some scanners have the ability to put things on an ignore list. Obviously needed due to issues with false detections. I don't know what the current feature list is for Avast. Also you should report false detections to help get them fixed. Does not seem to matter much since you have a larger issue that the program will not update.

    I suggest starting a thread for this in the Software Forum as this is more likely a Windows issue.



    Since you do not appear to be having any more malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  33. BobLewiston

    BobLewiston Private E-2

    Thanks again to chaslang & Kestrel13! for all their help!
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome from both of us. Surf safely.
     
