Google redirection virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by vparunak, Feb 27, 2009.

  1. vparunak

    vparunak Private E-2

    During the last week, I began to experience redirection from some (not all) links produced by Google searches. On a previous occasion, I was able to solve a (different) virus problem by diligently following the instructions in http://forums.majorgeeks.com/showthread.php?t=35407 (without submitting any logs). So I set down that path again, including getting updated copies of all the scanning programs. Everything went along fine until I got to running ComboFix. Even though I unloaded my AV (Trend Micro OfficeScan), something kept killing ComboFix. So I pressed ahead, ran MGTools, and attach its zip log along with those from SAS and MBAM. I'd be very grateful for any help you can give. Thanks!
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your MGLog is empty.....did you let it run to completion? Did you make the agreement for HJT?

    What browser is affected with the redirects? IE or FF or others?

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  3. vparunak

    vparunak Private E-2

    Tim,

    Thanks so much for responding.

    I'm seeing the problem in Firefox.

    I don't think MTTools did run to completion. The DOS window it produced didn't go as far as the example shown on http://forums.majorgeeks.com/showthread.php?t=137630 . It only got as far as saying:

    Running scan with GetUnkeys.bat - 08/11/2006 by Chaslang and ShadowPuterDude

    32 bit Windows OS found
    adding: GetUnKey.txt (188 bytes security) (deflated 88%)

    But I think this is a symptom of something deeper. Now GetLogs.bat, or any batch file, won't run at all, and in fact crashes the file explorer from which I invoke it. Poking around, I've found that the problem appears to be cmd.exe. When I try to run it from the file explorer, it crashes the explorer. Then the desktop gets funny (icons on the desktop disappear, taskbar goes away), then returns. Running cmd.exe or regedit from the run command line in Start has the same effect.

    It's not the code in cmd.exe that's faulty. If I rename the file cmd1.exe and run it, I get a command window just fine. And from within this cmd window, I can still run MGTools (but get only as far as above, then the only thing that Process Explorer shows as running is the system idle process).

    I can run analyse.exe, which I understand is HJT, and I've attached the log it produces.

    Something else interesting. When I rename cmd.exe (in C:\WINDOWS\system32) to cmd1.exe and run it, then close the DOS window it produces, a brand new cmd.exe appears in the directory.

    I didn't notice the alignment of the redirect problem, inability to run ComboFix, and the cmd.exe problem at the time I made my initial post. But since then it appears to be surfacing lots of places: see the threads at http://www.bleepingcomputer.com/forums/topic206736.html and http://www.help2go.com/forum/spyware-help/101315-cant-open-cmd-exe.html .

    I'll be very grateful for any help that you can give.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use windows explorer to find and delete:
    C:\WINDOWS\TEMP\PJECE6.EXE

    Then run CCleaner for any leftovers.

    Now see this thread:
    Using GooRedFix
     
  5. vparunak

    vparunak Private E-2

    OK, here's the log from goored.

    BTW, C:\WINDOWS\TEMP\PJECE6.EXE didn't want to go away. I applied unlocker to it, and unlocker said that it could only delete it if I restarted. So I restarted and checked the directory. PJECE6.EXE was gone, but HHDDCA.exe had appeared, and wouldn't delete either. I found its process running in Process Explorer, killed the process there, and when I came back to the explorer, the file was gone.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you now run the scans? What problems are you still having?

    Please try to get me logs from SAS, MBAM, Combo and MGLogs if you can.
     
  7. vparunak

    vparunak Private E-2

    Tim,

    Per the instructions on GooRed, I only ran part 1, to generate the log that I sent you. It said not to run part 2 until told to do so by a helper. May I run that now?

    As of this moment, I'm still having the following problems:
    * clicking on a link in an index produced by a Google search often takes me to a secondary index page apparently triggered by keywords in the site I was trying to reach; page-back sometimes takes me to my desired target page, but sometimes not
    * cmd.exe and regedit blank the desktop, which restores after a few seconds, but they don't bring up their intended results
    * ComboFix asks permission to run, then brings up a little green bar showing that it's loading, then dies
    * MBTools.exe manages to open a cmd.exe window (!) but prints nothing in it (not even what it printed before), but an attempt yesterday generated the attached;
    * GetLogs.bat crashes the file explorer and does not run.

    BTW, weird-named files keep appearing in c:\WINDOWS\temp, like the file you asked me to delete. Currently HOC91C.exe is there. ProcExp says that its parent is the Trend Micro Office Scan program.

    I ran mbam today, but it found nothing. But runs Friday and Sat did turn up a few things. I've zipped the three logs together and attached. I also attach my latest SAS log, which was clean. In all cases, I update the signatures immediately before running.

    Thank you so much for your help!
    Van
     


    Last edited: Mar 2, 2009
  8. vparunak

    vparunak Private E-2

    Tim,

    A little progress. Yesterday I learned about the noscript plug-in for Firefox (http://noscript.net/), and installed it. This appears to have "fixed" the redirection problem (or rather, blocked it--I imagine that the exploit was using Javascript; this is rather like using a sledgehammer to fix a watch). However, I still can't run cmd.exe, ComboFix.exe (even if I rename it or go into safe mode), or batch files. I did find that I can run regedit by copying regedit.exe to regedit.com, though regedit.exe temporarily creams the desktop just as cmd.exe does. So I'm not at all out of the woods.

    I know you're a volunteer, and really appreciate your help. I'm waiting eagerly for the next time you can devote a few moments to my problem.

    Best,
    Van
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  10. vparunak

    vparunak Private E-2

    Here it is. It found something--in the Trend antivirus folder!

    The instructions on "using bitdefender" said to save the file as tab delimited text, but Bitdefender didn't give me that option. It only allowed to save as html. Since you don't allow uploading html, I have changed the suffix to .txt.

    After the scan completed, Windows notified me that "Generic Host Process for Win32 Services has encountered a problem and needs to close." The scan was the only thing going on at the time (it ran overnight), so may be related to the disinfection.

    At this point, I could continue to edit this window, but couldn't select other programs from the task bar, or select different tabs in Firefox. I used ctrl-alt-delete to get a restart prompt, but couldn't select that either, and had to power down physically. Upon restart, cmd.exe still kills the file explorer, and ComboFix still doesn't run.
     


  11. vparunak

    vparunak Private E-2

    I think maybe we got it. I succeeded in running ComboFix from a USB drive instead of from the desktop. Now I can run batch files, ComboFix from the desktop, and cmd.exe. MGTools now runs to completion. In addition, I don't appear to get google redirection even with noscript turned off (though I'm going to keep it on as a matter of prudence). I've attached the MGTools and ComboFix logs--how do they look? Any other final cleanup I should do before I burn myself an image? (I'm already doing ccleaner.)
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to uninstall:
    J2SE Runtime Environment 5.0 Update 15
    Viewpoint Media Player

    Use windows explorer to find and delete:
    C:\32788R22FWJFW.1.tmp
    C:\32788R22FWJFW.0.tmp

    And tell me what this is:
    C:\Documents and Settings\vparunak\Desktop\310405.exe
     
  13. vparunak

    vparunak Private E-2

    OK, Viewpoint is gone. Unfortunately, I have to keep a JRE 5 on the system, since some of our in-house SW doesn't run on later versions. This is the latest update I could find of that version.

    Done

    I was asking myself that question earlier this week; when I couldn't remember, I deleted it.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK.....If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
