Solved Groogle.tr35.com virus

Status
Not open for further replies.

robgee

I have a virus: it's redirecting me to the above address, forcing a browser shutdown when navigating to malware sites. I am running avast, Ad-Aware and Malwarebytes.

Should I go ahead and run the 8 steps and post the results?

Thanks
 
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, paste the logs for review in your next reply. You can use multiple posts if needed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

EDIT: Please verify your subject: you state "Groogle tr35.com virus".
Is Groogle a misspelling?

Groogle is a web based peer code review tool providing a range of features aimed at easing the code review process. Also a legitimate site.

tr35.com is for this site, which is legitimate: http://www.technologyreview.com/tr35/

I can't identify Groogle35.com virus.
 
Groogle

Hi Thanks for the reply

No, groogle isn't a misspelling. The browser gets redirected to groogle when opening.

I will follow the steps you suggested and post the results.

Thanks
 
files attached

Received a message saying the pasted text was too long. I have attached the files requested.

Thanks
 

Attachments

  • mbam-log-2010-09-30 (19-06-55).txt (1,014 bytes)
  • Attach.txt (20.7 KB)
  • DDS.txt (15.4 KB)
  • gmer.log (21.2 KB)
Going to have to add a line that it's okay to use multiple posts to paste the logs!

Your homepage URL is now http://www.technologyreview.com/tr35/
This is what is bringing up the analytics. And it looks like it may also be in the default search.

Go to a page you would like to have for a home page; you can change it later if wanted. As you can see below, groogle.t35.com has made itself your home page:
uStart Page = hxxp://groogle.t35.com/
uDefault_Page_URL = hxxp://groogle.t35.com/
uURLSearchHooks: H - No File

You also need to reset the Search page.

In IE, change both using Internet Options in Tools or the Control Panel.

In Firefox, use Tools> Options > Main.

After you have done this, run TFC again to get rid of the old URLs, check your Cookies and remove any from this site. Let me know how that goes. You may also want to delete the History.

TFC (Temp File Cleaner)
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
==============================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Okay to paste both logs- use as many posts as you need.
Open Internet Options in Tools (IE) or the Control Panel
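The home-page hijack above is visible in the DDS lines uStart Page, uDefault_Page_URL and uURLSearchHooks, which map to per-user Internet Explorer registry values. Resetting through the Internet Options dialog works, but a check that reads those values directly shows at once whether the page has been forced back. The script below is an added example, not code from the thread or from DDS; the suspect-host list and the about:blank reset target are this example's own assumptions, and the "H - No File" check simply tests whether the CLSID registered as a search hook still points at an existing file.

```powershell
# Added example (not from the original thread): audit the per-user Internet Explorer
# settings that DDS reports as uStart Page / uDefault_Page_URL / uURLSearchHooks, and
# optionally reset the page values. Key layout is that of Windows 7 / IE 8.
param(
    [string[]]$SuspectHosts = @('groogle.t35.com'),   # assumption: hosts to flag
    [string]$ResetTo = 'about:blank',                   # assumption: safe page to reset to
    [switch]$Reset
)

$main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$hooks = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'

# DDS label -> registry value name under ...\Internet Explorer\Main
$pageValues = @{
    'uStart Page'       = 'Start Page'
    'uDefault_Page_URL' = 'Default_Page_URL'
    'uSearch Page'      = 'Search Page'
}

function Test-SuspectUrl([string]$Url) {
    # True when the URL's host is one of the suspect hosts or a subdomain of one.
    if ([string]::IsNullOrEmpty($Url)) { return $false }
    try { $uri = [System.Uri]$Url } catch { return $false }
    foreach ($h in $SuspectHosts) {
        if ($uri.Host -ieq $h -or
            $uri.Host.EndsWith(".$h", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()
$props = Get-ItemProperty -Path $main -ErrorAction SilentlyContinue
foreach ($label in $pageValues.Keys) {
    $name = $pageValues[$label]
    $val  = $props.$name
    $bad  = Test-SuspectUrl $val
    $findings += New-Object PSObject -Property @{ Setting = $label; Value = $val; Suspect = $bad }
    if ($bad -and $Reset) {
        Set-ItemProperty -Path $main -Name $name -Value $ResetTo
    }
}

# URLSearchHooks: each value name is a CLSID. DDS prints "No File" when the CLSID's
# InprocServer32 entry points at a file that is not on disk; reproduce that check.
if (Test-Path $hooks) {
    $hookProps = Get-ItemProperty -Path $hooks
    $clsids = $hookProps.PSObject.Properties |
        Where-Object { $_.Name -like '{*}' } |
        Select-Object -ExpandProperty Name
    foreach ($clsid in $clsids) {
        $srv  = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $file = if ($srv) { $srv.'(default)' } else { $null }
        $exists = $file -and (Test-Path ([Environment]::ExpandEnvironmentVariables($file)))
        $findings += New-Object PSObject -Property @{ Setting = "uURLSearchHooks $clsid"; Value = $file; Suspect = (-not $exists) }
    }
}

$findings | Format-Table Setting, Value, Suspect -AutoSize
```

Run it once without -Reset to see what is set, change the page through the GUI or rerun with -Reset, then run it again after the next reboot: if the groogle.t35.com values reappear, something else is rewriting HKCU and the GUI reset alone will not hold, which matches what the poster reports later in the thread.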
 
Eset NOD32 log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=51fd371fa90b7c43a2b4ba6ddfc807e2
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-10-01 06:35:32
# local_time=2010-10-01 07:35:32 (+0000, GMT Daylight Time)
# country="Ireland"
# lang=9
# osver=6.1.7600 NT
# compatibility_mode=768 16777215 100 0 20014067 20014067 0 0
# compatibility_mode=5893 16776573 100 94 210789 38380460 0 0
# compatibility_mode=8192 67108863 100 0 132 132 0 0
# scanned=24054
# found=0
# cleaned=0
# scan_time=863
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=51fd371fa90b7c43a2b4ba6ddfc807e2
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-10-01 07:57:37
# local_time=2010-10-01 08:57:37 (+0000, GMT Daylight Time)
# country="Ireland"
# lang=9
# osver=6.1.7600 NT
# compatibility_mode=768 16777215 100 0 20015593 20015593 0 0
# compatibility_mode=5893 16776573 100 94 212315 38381986 0 0
# compatibility_mode=8192 67108863 100 0 1658 1658 0 0
# scanned=144673
# found=0
# cleaned=0
# scan_time=4430
 
still being redirected

Yep, virus is still alive and well... what next?

Thanks so far...
 
Did you follow my directions for resetting the home page?
Your homepage URL is now http://www.technologyreview.com/tr35/
This is what is bringing up the analytics. And it looks like it may also be in the default search.

Go to a page you would like to have for a home page; you can change it later if wanted. As you can see below, groogle.t35.com has made itself your home page:
uStart Page = hxxp://groogle.t35.com/
uDefault_Page_URL = hxxp://groogle.t35.com/
uURLSearchHooks: H - No File
You also need to reset the Search page.

In IE, change both using Internet Options in Tools or the Control Panel.

In Firefox, use Tools> Options > Main.

I'm not sure this is a virus.
 
Home page

Hi - I have changed my homepage a number of times and it keeps getting forced back to the groogle URL after a few restarts. I have run Malware again and it finds an item changed in the registry every time. This is the 3rd time it's found a registry key changed.
 
I should be able to spot it in this:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
 
With Notepad open, click on Format and uncheck Word Wrap.
Paste logs in reply. Use multiple posts if needed.

Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys
c:\windows\Microsoft.NET\Framework\v4.0.30128\WPF\WPFFontCache_v0400.exe

DDS::
uStart Page = hxxp://groogle.t35.com/
uDefault_Page_URL = hxxp://groogle.t35.com/
uURLSearchHooks: H - No File
mRun: [<NO NAME>]

Folder::
c:\program files\Enigma Software Group
c:\program files\Common Files\Wise Installation Wizard
c:\users\Greg\AppData\Local\Sunbelt Software
Registry::

Driver::
SafeBoot
SbAlg
SbFsLock
aswSP
Lavasoft Kernexplorer
WPFFontCache_v0400
aswFsBlk
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
==================================
Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

====================

Update Java> remove old
 
Boot sector affected?

After running ComboFix, my laptop could not boot. Now the only way I can boot up is through F8 and the last known good boot sequence. How can I fix this?
 
Virus still active?

Also, I think the virus is still active: after every reboot I have to manually switch the Windows firewall on.
 
I don't think you had/have a virus. There is no sign of Groogle. Please run the Error Checking: instructions and screen shot HERE.
=============================================
After Error Check, please run this Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\users\Greg\java_JRE_6.7.5.5.exe
Folder::
FileLook::
c:\users\Secret_File.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"AntiVirusDisableNotify"=-

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]

Driver::
aswFsBlk
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Please update to Java v6u21:
Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
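The Registry:: section of the CFScript above deletes AntiVirusOverride and AntiVirusDisableNotify under HKLM\SOFTWARE\Microsoft\Security Center, and the poster's symptom was a firewall that had to be switched back on after every reboot. The script below is an added example, not part of the thread: it reports those override values and the state of the Windows Firewall service so the result of the fix can be confirmed after a reboot. The two Firewall* value names and the per-profile EnableFirewall check are this example's own assumptions about what else to look at on Windows 7.

```powershell
# Added example (not from the original thread): report the Security Center override values
# deleted by the CFScript and the Windows Firewall (MpsSvc) service/profile state.
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
# First two names are from the CFScript; the Firewall* pair is an assumption of this example.
$overrideNames = @('AntiVirusOverride', 'AntiVirusDisableNotify',
                   'FirewallOverride', 'FirewallDisableNotify')

$report = @()
$sc = Get-ItemProperty -Path $scKey -ErrorAction SilentlyContinue
foreach ($n in $overrideNames) {
    $v = if ($sc -and $sc.PSObject.Properties[$n]) { $sc.$n } else { $null }
    # A present, non-zero value suppresses Security Center's missing-AV / firewall warnings.
    $report += New-Object PSObject -Property @{
        Check = "SecurityCenter\$n"; Value = $v; Bad = ($v -ne $null -and $v -ne 0)
    }
}

# Windows Firewall service: expected Running with Auto start.
$svc = Get-WmiObject Win32_Service -Filter "Name='MpsSvc'"
$report += New-Object PSObject -Property @{ Check = 'MpsSvc state'; Value = $svc.State;     Bad = ($svc.State -ne 'Running') }
$report += New-Object PSObject -Property @{ Check = 'MpsSvc start'; Value = $svc.StartMode; Bad = ($svc.StartMode -ne 'Auto') }

# Per-profile EnableFirewall flag under the service's FirewallPolicy key (assumed layout).
$fwPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $p = Get-ItemProperty -Path "$fwPolicy\$profile" -ErrorAction SilentlyContinue
    $enabled = if ($p) { $p.EnableFirewall } else { $null }
    $report += New-Object PSObject -Property @{
        Check = "$profile EnableFirewall"; Value = $enabled; Bad = ($enabled -ne 1)
    }
}

$report | Format-Table Check, Value, Bad -AutoSize
```

Any row with Bad = True after a clean reboot means the setting is being re-applied at startup rather than just having been left over, which is the distinction the helper is drawing when deciding whether this is still an active infection.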
 
Looks fixed now...

Hi Bobbye

The booting is good again and the firewall isn't being set off anymore. Thanks a bunch for all the time and effort you put in on my problem. You saved me hours of frustration and a possible reformat.

Greg
 
You're welcome. I fixed the firewall problem in the script. Here's something you might want to take into consideration if you start slowing down:
I took a 'look' at c:\users\Secret_File.exe and note that the Original Filename was: DWM.exe

Courtesy of computerhope:
Question: What is dwm.exe and why is it using so much memory?

Answer: The dwm.exe file is the Microsoft Windows Desktop Windows Manager and is a valid Windows file that should be running on your computer. This process helps manage the visual effects found in Windows Vista and Windows 7 such as the transparent or glass look, the Flip3D alt tab windows switcher, and handles the rendering of each of the windows being displayed on your computer.

As more program windows are opened the memory of this process will increase sometimes using several megabytes. This is normal behavior.

If you're trying to maximize the performance of your computer, or concerned about how much memory this process is using, we first suggest disabling Windows Aero to see if this has any effect. Additional information about disabling Aero can be found on document CH0001181. If after doing this you still wish to disable dwm.exe it can be done by following the below steps.
1. Click Start
2. In the Start Search box type services and click the Services link.
3. In the Services Window locate and double-click Desktop Windows Manager.
4. In the Desktop Windows Manager window click Stop to disable the service. If you wish for this process to never startup change the Startup type from Automatic to Disabled.
=======================================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys
c:\windows\Microsoft.NET\Framework\v4.0.30128\WPF\WPFFontCache_v0400.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"AntiVirusOverride"=-
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]

Driver::
Lavasoft Kernexplorer
WPFFontCache_v0400
SafeBoot
SbAlg
SbFsLock
aswSP
RsvLock
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
If all is okay, there will be one more scan, then cleaning up the tools we used.
 
ComboFix.txt

ComboFix.txt attached. Booting problem is back; had to F8 it again.
 

Attachments

  • ComboFix.txt (20.3 KB)
Booting issue

I set the boot checking schedule as described in an earlier post, but now the machine will not boot at all. I have tried last good boot, as well as most of the options offered by F8. Nothing works. Can you suggest how I can fix the boot issue? This post is from another machine.
 
Strange the boot issue has come up again. Please, if you have to leave any more logs, paste them in.

You can check the Event Viewer to see if there is an error that corresponds to the time you try to boot into Normal Mode. You may have to force the error- we're not interested in events that say 'this process won't start in Safe Mode' because many drivers won't:

Attempt to boot into Normal Mode. When you get the message, note the time on the computer clock. Then boot into Safe Mode and see if there is an error in either System or Apps that corresponds to that time:
Start> Run> type in eventvwr

Do this on each of the System and the Applications logs:
  1. Click to open the log.
  2. Look for the Error.
  3. Right click on the Error > Properties.
  4. Click on the Copy button, top right, below the down arrow.
  5. Paste here (Ctrl V).
  6. NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

Errors are time coded.

Edit: Refresh me on this please:
I set the boot checking schedule as described in earlier post
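The manual Event Viewer walk-through above (open System and Application, find the Error entries whose time matches the failed Normal-Mode boot, one copy per recurring ID) is something PowerShell 2.0 on Windows 7 can do in one pass from Safe Mode with Networking or the command prompt. The script below is an added example and not from the thread; the boot-attempt timestamp is a constructed value that the user would replace with the time read from the clock.

```powershell
# Added example (not from the original thread): list Error-level (Level 2) events from the
# System and Application logs in a window around the failed boot attempt, collapsed to one
# line per Source + EventID, which is the form the helper asks for.
param(
    [datetime]$BootAttempt = (Get-Date '2010-10-05 09:15'),  # assumption: time noted from the clock
    [int]$MinutesBefore = 5,
    [int]$MinutesAfter  = 15
)
$start = $BootAttempt.AddMinutes(-$MinutesBefore)
$end   = $BootAttempt.AddMinutes($MinutesAfter)

# Get-WinEvent reports "No events were found" as an error when the window is empty;
# SilentlyContinue keeps the loop going for the other log.
$events = foreach ($log in 'System', 'Application') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = $start; EndTime = $end } `
        -ErrorAction SilentlyContinue
}

# Recurring errors with the same Source and ID only need one copy; keep the earliest,
# count the repeats, and show just the first line of the description.
$events |
    Sort-Object TimeCreated |
    Group-Object ProviderName, Id |
    ForEach-Object {
        $e = $_.Group[0]
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            Source  = $e.ProviderName
            EventID = $e.Id
            Count   = $_.Count
            Message = ($e.Message -split "`n")[0]
        }
    } |
    Format-Table Time, Log, Source, EventID, Count, Message -AutoSize -Wrap
```

Widen MinutesBefore/MinutesAfter if the clock time was only approximate; Warnings and Information events are excluded by the Level = 2 filter, matching the helper's note that only Errors are wanted.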
 
Booting

After Combofix ran the reboot, I got a message asking if i wanted to boot normally or in recovery mode.

I selected normal and the machine booted normally. I followed the instructions from a previous post where the system runs a checkdisk on the next boot.

When I did the next boot, the system offered me the same 2 options. Boot Normal or Boot with recovery.

I chose Boot with recovery and then the system attempts to run a fix. If a fix cannot be applied, the system normally offers a restore point option. In my case , the fix could be applied and all I was offered was a option to mail the problem to MS or to attempt another reboot.

I chose another reboot which just brought me back to the same options mentioned above.

I then tried to reboot to Safe mode - didn't work. I tried Last Known Good Configuration - that didn't work either. I was able to boot to the command line, so any fixes I attempt will have to be run from there.

To sum up , I cant follow your instruction because I cant boot to Normal or Safe mode.

I am guessing that ComboFix has done something to the boot sector, although I might be completely off the mark.
 