TechSpot

Groogle.tr35.com virus

By robgee
Sep 28, 2010
  1. I have a virus - it's redirecting me to the above address, forcing a browser shutdown when navigating to malware sites - I am running Avast, Ad-Aware and Malwarebytes -

    Should I go ahead and run the 8 steps and post the results?

    Thanks
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, paste the logs for review in your next reply. You can use multiple posts if needed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    EDIT: Please verify your subject: you state Groogle tr35.com virus
    Is Groogle a misspelling?

    Groogle is a web-based peer code review tool providing a range of features aimed at easing the code review process. Also a legitimate site.

    tr35.com is for this site- legitimate> http://www.technologyreview.com/tr35/

    I can't identify Groogle35.com virus.
     
  3. robgee

    robgee TS Rookie Topic Starter Posts: 20

    Groogle

    Hi Thanks for the reply

    No, groogle isn't a misspelling - the browser gets redirected to groogle when opening.

    I will follow the steps you suggested and post the results.

    Thanks
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay. Please PASTE the logs in next reply.
     
  5. robgee

    robgee TS Rookie Topic Starter Posts: 20

    files attached

    Received a message saying pasted text was too long. I have attached the files requested -

    Thanks
     


  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Going to have to add a line that it's okay to use multiple posts to paste the logs!

    Your homepage URL is now http://www.technologyreview.com/tr35/
    This is what is bringing up the analytics. And it looks like it may also be in the default search.

    Go to a page you would like to have for a home page> you can change it later if wanted. As you can see below, 'groogle.t35.com' has made itself your home page:
    uStart Page = hxxp://groogle.t35.com/
    uDefault_Page_URL = hxxp://groogle.t35.com/
    uURLSearchHooks: H - No File

    You also need to reset the Search page.

    In IE, change both using Internet Options in Tools or the Control Panel.

    In Firefox, use Tools> Options > Main.

    After you have done this, run TFC again to get rid of the old URLs, check your Cookies and remove any from this site. Let me know how that goes. You may also want to delete the History.

    TFC (Temp File Cleaner)
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run; make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
    ==============================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Okay to paste both logs- use as many posts as you need.
    Open Internet Options in Tools (IE) or the Control Panel.
     
  7. robgee

    robgee TS Rookie Topic Starter Posts: 20

    Eset NOD32 log

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=51fd371fa90b7c43a2b4ba6ddfc807e2
    # end=stopped
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2010-10-01 06:35:32
    # local_time=2010-10-01 07:35:32 (+0000, GMT Daylight Time)
    # country="Ireland"
    # lang=9
    # osver=6.1.7600 NT
    # compatibility_mode=768 16777215 100 0 20014067 20014067 0 0
    # compatibility_mode=5893 16776573 100 94 210789 38380460 0 0
    # compatibility_mode=8192 67108863 100 0 132 132 0 0
    # scanned=24054
    # found=0
    # cleaned=0
    # scan_time=863
    # version=7
    # iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=51fd371fa90b7c43a2b4ba6ddfc807e2
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2010-10-01 07:57:37
    # local_time=2010-10-01 08:57:37 (+0000, GMT Daylight Time)
    # country="Ireland"
    # lang=9
    # osver=6.1.7600 NT
    # compatibility_mode=768 16777215 100 0 20015593 20015593 0 0
    # compatibility_mode=5893 16776573 100 94 212315 38381986 0 0
    # compatibility_mode=8192 67108863 100 0 1658 1658 0 0
    # scanned=144673
    # found=0
    # cleaned=0
    # scan_time=4430
     
  8. robgee

    robgee TS Rookie Topic Starter Posts: 20

    still being redirected

    Yep, virus is still alive and well....... what next?

    Thanks so far.....
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you follow my directions for resetting the home page?
    I'm not sure this is a virus.
     
  10. robgee

    robgee TS Rookie Topic Starter Posts: 20

    Home page

    Hi - I have changed my homepage a number of times and it keeps getting forced back to the groogle URL after a few restarts. I have run Malwarebytes again and it finds an item changed in the registry every time. This is the 3rd time it's found a registry key changed.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I should be able to spot it in this:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
     
  12. robgee

    robgee TS Rookie Topic Starter Posts: 20

    ComboFix.txt file

    ComboFix.txt attached
     


  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    With Notepad open> click on Format> Uncheck Word Wrap
    Paste logs in reply. Use multiple posts if needed.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys
    c:\windows\Microsoft.NET\Framework\v4.0.30128\WPF\WPFFontCache_v0400.exe
    
    DDS::
    uStart Page = hxxp://groogle.t35.com/
    uDefault_Page_URL = hxxp://groogle.t35.com/
    uURLSearchHooks: H - No File
    mRun: [<NO NAME>]
    
    Folder::
    c:\program files\Enigma Software Group
    c:\program files\Common Files\Wise Installation Wizard
    c:\users\Greg\AppData\Local\Sunbelt Software
    Registry::
    
    Driver::
    SafeBoot
    SbAlg
    SbFsLock
    aswSP
    Lavasoft Kernexplorer
    WPFFontCache_v0400
    aswFsBlk
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: screenshot of the drag-and-drop step described below]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ==================================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    ====================

    Update Java> remove old
     
  14. robgee

    robgee TS Rookie Topic Starter Posts: 20

    ComboFix.txt

    ComboFix.txt
     


  15. robgee

    robgee TS Rookie Topic Starter Posts: 20

    hijackthis.txt

    hijackthis.txt
     


  16. robgee

    robgee TS Rookie Topic Starter Posts: 20

    Boot sector affected?

    After running ComboFix, my laptop could not boot - now, the only way I can boot up is through F8 Last Known Good Configuration...... How can I fix this?
     
  17. robgee

    robgee TS Rookie Topic Starter Posts: 20

    Virus still active?

    Also, I think the virus is still active - after every reboot I have to manually switch the windows firewall on -
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't think you had/have a virus. There is no sign of Groogle. Please run the Error Checking: Instructions and screen shot HERE>
    =============================================
    After Error Check, please run this Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\users\Greg\java_JRE_6.7.5.5.exe
    Folder::
    FileLook::
    c:\users\Secret_File.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "AntiVirusDisableNotify"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
    
    Driver::
    aswFsBlk
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: screenshot of the drag-and-drop step described below]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Please update to Java v6u21:
    Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
     
  19. robgee

    robgee TS Rookie Topic Starter Posts: 20

    ComboFix.txt

    ComboFix.txt attached
     


  20. robgee

    robgee TS Rookie Topic Starter Posts: 20

    Looks fixed now...

    Hi Bobbye

    The booting is good again and the firewall isn't being set off anymore. Thanks a bunch for all the time and effort you put in on my problem. You saved me hours of frustration and a possible reformat.

    Greg
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. I fixed the firewall problem in the script. Here's something you might want to take into consideration if you start slowing down:
    I took a 'look' at c:\users\Secret_File.exe and note that the Original Filename was: DMW.exe

    Courtesy computerhope:
    =======================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys
    c:\windows\Microsoft.NET\Framework\v4.0.30128\WPF\WPFFontCache_v0400.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    "AntiVirusOverride"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    
    Driver::
    Lavasoft Kernexplorer
    WPFFontCache_v0400
    SafeBoot
    SbAlg
    SbFsLock
    aswSP
    RsvLock
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: screenshot of the drag-and-drop step described below]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    If all is okay, there will be one more scan, then cleaning up the tools we used.
     
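The two things Bobbye's posts keep coming back to are the IE start-page values that DDS showed pointed at groogle.t35.com (post 6) and the Security Center "AntiVirusOverride"/"AntiVirusDisableNotify" values that the CFScripts delete with `=-` (posts 18 and 21). The PowerShell audit below is an added example, not part of the thread or of ComboFix; the hijack host is taken from the DDS lines, while the `-Reset` switch and the `about:blank` replacement home page are assumptions, and resetting the HKLM values needs an elevated prompt.

```powershell
# Added example (not from the thread): audit, and optionally reset, the
# registry values the thread's DDS lines and CFScripts refer to.
# Assumptions: $BadHost comes from the DDS lines quoted in the thread;
# $ReplacementHome and the -Reset switch are placeholders chosen here.
param(
    [string]$BadHost = 'groogle.t35.com',
    [string]$ReplacementHome = 'about:blank',
    [switch]$Reset
)

$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$secCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'

# 1. Home page and default page: both were rewritten to the hijack URL.
foreach ($name in 'Start Page', 'Default_Page_URL') {
    $value = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and $value -match [regex]::Escape($BadHost)) {
        Write-Warning "$name points at the hijack host: $value"
        if ($Reset) {
            Set-ItemProperty -Path $ieMain -Name $name -Value $ReplacementHome
            Write-Host "Reset $name to $ReplacementHome"
        }
    } else {
        Write-Host "$name looks normal: $value"
    }
}

# 2. Security Center overrides: a non-zero value tells Security Center to
#    stop monitoring/notifying for the antivirus component. The CFScripts in
#    the thread remove exactly these two values ("...=-").
foreach ($name in 'AntiVirusOverride', 'AntiVirusDisableNotify') {
    $value = (Get-ItemProperty -Path $secCenter -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        Write-Host "$name not present (expected on a clean system)"
    } elseif ($value -ne 0) {
        Write-Warning "$name = $value (Security Center notifications suppressed)"
        if ($Reset) {
            Remove-ItemProperty -Path $secCenter -Name $name
            Write-Host "Removed $name"
        }
    } else {
        Write-Host "$name present but set to 0"
    }
}
```

Run it once without `-Reset` to see what is set; if the start page values come back after a reboot even after resetting them, something is still rewriting them and the scan logs are the place to look, which is what the thread goes on to do.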
  22. robgee

    robgee TS Rookie Topic Starter Posts: 20

    ComboFix.txt

    ComboFix.txt - Booting problem is back - Had to F8 it again -
     


  23. robgee

    robgee TS Rookie Topic Starter Posts: 20

    Booting issue

    I set the boot checking schedule as described in an earlier post but now the machine will not boot at all. I have tried Last Known Good Configuration, as well as most of the options offered by F8 - nothing works - Can you suggest how I can fix the boot issue? - This post is from another machine.
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Strange the boot issue has come up again. Please, if you have to leave any more logs, paste them in.

    You can check the Event Viewer to see if there is an error that corresponds to the time you try to boot into Normal Mode. You may have to force the error- we're not interested in events that say 'this process won't start in Safe Mode' because many drivers won't:

    Attempt to boot into Normal Mode. When you get the message, note the time on the computer clock. Then boot into Safe Mode and see if there is an error in either System or Apps that corresponds to that time:
    Start> Run> type in eventvwr

    Do this on each of the System and the Applications logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3]. Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow>
    [5]. Paste here (Ctrl V)
    [6]. NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.

    Errors are time coded.

    Edit: Refresh me on this please:
     
  25. robgee

    robgee TS Rookie Topic Starter Posts: 20

    Booting

    After Combofix ran the reboot, I got a message asking if I wanted to boot normally or in recovery mode.

    I selected normal and the machine booted normally. I followed the instructions from a previous post where the system runs a checkdisk on the next boot.

    When I did the next boot, the system offered me the same 2 options. Boot Normal or Boot with recovery.

    I chose Boot with recovery and then the system attempts to run a fix. If a fix cannot be applied, the system normally offers a restore point option. In my case, the fix could be applied and all I was offered was an option to mail the problem to MS or to attempt another reboot.

    I chose another reboot which just brought me back to the same options mentioned above.

    I then tried to reboot to Safe mode - didn't work. I tried Last Known Good Configuration - that didn't work either. I was able to boot to the command line so any fixes I attempt will have to be run from there.

    To sum up, I can't follow your instructions because I can't boot to Normal or Safe mode.

    I am guessing that ComboFix has done something to the boot sector, although I might be completely off the mark.
     