Yet another Google redirect virus

amrush71
I've been trying to squash this bug for three days straight. As a freelancer, I'm losing money the longer my computer is out of commission. I can usually get rid of these viruses, but this one just keeps coming back, no matter what I do. I've run about 10 different antivirus programs, a rootkit remover, and a registry cleaner. Nothing works. I have two browsers I use -- Firefox and Maxthon. My Google searches in Firefox get occasionally redirected to ad/spam sites (maybe one in every three or four clicks). In Maxthon (which is IE-based, in case you haven't heard of it), I get "operation aborted" notices when trying to go to sites like Bleepingcomputer, or this one. (So far, Firefox seems unaffected in that regard.)

Can't run GMER, as I'm on 64-bit Win7. MBAM and DDS logs follow. "Attach" exceeds 20K characters, so it's included here as an attachment.

----------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4661

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

22-Sep-10 8:40:13
mbam-log-2010-09-22 (08-40-13).txt

Scan type: Quick scan
Objects scanned: 137652
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------------------------------------------------------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 13-Sep-10 16:47:32
System Uptime: 22-Sep-10 8:30:07 (0 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Celeron(R) CPU 900 @ 2.20GHz | CPU | 2194/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 222 GiB total, 181.71 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP31: 20-Sep-10 11:51:47 - Installed FreeUndelete
RP32: 20-Sep-10 12:01:02 - Installed ParetoLogic Data Recovery.
RP33: 20-Sep-10 13:33:30 - printer fixed
RP34: 20-Sep-10 19:15:51 - after norton scan
RP35: 21-Sep-10 6:42:28 - avast! Free Antivirus Setup
RP36: 21-Sep-10 7:50:34 - Removed ParetoLogic Data Recovery.
RP37: 21-Sep-10 7:52:22 - Removed FreeUndelete
RP38: 21-Sep-10 11:13:38 - avast! Free Antivirus Setup
RP39: 21-Sep-10 11:39:31 - apparently safe
RP40: 21-Sep-10 22:52:03 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP41: 22-Sep-10 5:45:58 - StopZILLA! Restore Point.
RP43: 22-Sep-10 8:32:08 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.

==== Installed Programs ======================

Adobe AIR
Adobe Community Help
Adobe Dreamweaver CS5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe InDesign CS5
Adobe Media Player
Adobe Reader 9.3
AIM 7
Apple Application Support
Apple Software Update
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Atheros Driver Installation Program
Audacity 1.3.12 (Unicode)
Auslogics Registry Cleaner
Avira AntiVir Personal - Free Antivirus
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
DHTML Editing Component
DJ_AIO_05_F4400_Software_Min
Download Updater (AOL LLC)
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Gtk# for .Net 2.12.9
HijackThis 2.0.2
Hitman Pro 3.5
HP Photo Creations
HP Update
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 21
Junk Mail filter update
Label@Once 1.0
LAME v3.98.2 for Audacity
Malwarebytes' Anti-Malware
Maxthon2
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox (3.6.10)
MSVCRT
MSXML 4.0 SP3 Parser (KB973685)
Norton AntiVirus
OpenOffice.org 3.2
OpenVPN 2.1.3
PandoraRecovery (Remove Only)
PDF Settings CS5
PhotoImpact X3
PolarClock3 Screen Saver
QuickTime
Realtek USB 2.0 Card Reader
Scan
Sophos Anti-Rootkit 1.5.4
Spybot - Search & Destroy
Toolbox
TOSHIBA Application Installer
TOSHIBA Assist
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
TOSHIBA Quality Application
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
ToshibaRegistration
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer

==== Event Viewer Messages From Past Week ========

22-Sep-10 8:30:49, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: is3srv SAVRKBootTasks
22-Sep-10 8:28:45, Error: Service Control Manager [7034] - The STOPzilla Service service terminated unexpectedly. It has done this 1 time(s).
22-Sep-10 5:50:54, Error: bowser [8003] - The master browser has received a server announcement from the computer ORLANDO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{13084601-1182-4B83-A822-E79BD39E97D1}. The master browser is stopping or an election is being forced.
22-Sep-10 5:45:06, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
22-Sep-10 5:44:51, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SAVRKBootTasks
21-Sep-10 6:34:29, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
21-Sep-10 3:12:27, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx64 DfsC discache eeCtrl IDSVia64 NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr SRTSP SRTSPX SymIRON SymNetS tdx vwififlt Wanarpv6 WfpLwf
21-Sep-10 3:12:27, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
21-Sep-10 22:40:29, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
21-Sep-10 22:40:29, Error: Application Popup [1060] - \??\C:\windows\system32\EB0A.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
21-Sep-10 22:38:03, Error: Application Popup [1060] - \??\C:\windows\system32\9D86.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
21-Sep-10 22:29:50, Error: Application Popup [1060] - \??\C:\windows\system32\4D12.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
21-Sep-10 21:52:30, Error: Application Popup [1060] - \??\C:\windows\system32\1002.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
21-Sep-10 2:28:47, Error: Service Control Manager [7030] - The Lavasoft Ad-Aware Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
20-Sep-10 22:23:41, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{13084601-1182-4B83-A822-E79BD39E97D1} because another computer on the network has the same name. The server could not start.
20-Sep-10 11:48:37, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
20-Sep-10 11:48:07, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
20-Sep-10 11:47:37, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
18-Sep-10 12:28:06, Error: bowser [8003] - The master browser has received a server announcement from the computer TONY that believes that it is the master browser for the domain on transport NetBT_Tcpip_{390E530B-D42C-4C75-931E-255B69283D1B}. The master browser is stopping or an election is being forced.
17-Sep-10 12:30:14, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
16-Sep-10 16:15:33, Error: Service Control Manager [7031] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

==== End Of File ===========================
 

Attachments: Attach.txt (9 KB)
You got mixed up pasting the logs in: you both pasted and attached the DDS log named Attach.txt, but you did not include the DDS.txt log. I need that one.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

I can usually get rid of these viruses, but this one just keeps coming back,
Specifically, what 'virus' are you referring to? The term "operation aborted" would not normally be associated with malware, so we need to sort this out:
1. Firefox gets redirected to sites with ads every few searches.
2. Maxthon, a China-based browser formerly called MyIE2, does not redirect a search but gives you "operation aborted" when you try to load some sites.
Does this size it up?

About Sophos Anti-Rootkit: currently SAR doesn't support 64-bit, which is why the errors appeared. So I suggest you uninstall SAR to remove at least one conflict from the system.
There are numerous Errors in the Event Viewer for this:
21-Sep-10 22:40:29, Error: Application Popup [1060] - \??\C:\windows\system32\EB0A.tmp has been blocked from loading due to incompatibility with this system.
The highlighted entry appears under various names (EB0A.tmp, 9D86.tmp, 1002.tmp); they are all .tmp files in the System32 folder, and all are incompatible with your OS.

21-Sep-10 22:40:29, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
The MEMSWEEP2 file is from Sophos, which can't verify the temp file.

Give this a run please- let's see what it uncovers:

Run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Also please run this: Security Check
Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.

Leave the Eset log, the DDS.txt log and the Security Check in your next reply.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
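The Event Viewer entries quoted above (the 1060 "blocked from loading" popups and the 7000/7026 service-start failures) can be pulled straight from the System log rather than read out of a DDS report. The following PowerShell is an added example and is not part of this thread or of any tool mentioned in it. It assumes PowerShell 2.0 or later on Windows 7 x64 and an elevated prompt; the regular expression that picks the image path out of the 1060 message is my assumption based on the message text shown above.

```powershell
# Added example, not from the thread. Pull the last week's SCM and
# Application Popup errors (IDs 1060, 7000, 7026) from the System log,
# extract the blocked driver path where the message names one, and check
# whether the temp-named drivers in System32 are still on disk and signed.
# On 64-bit Windows the kernel refuses unsigned kernel-mode drivers, which is
# what the 1060 "incompatibility" wording reports.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 1060, 7000, 7026
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $m    = $e.Message
    $path = $null
    # 1060 messages carry the NT path, e.g. "\??\C:\windows\system32\EB0A.tmp"
    # (assumed format, taken from the entries quoted in the thread).
    if ($m -match '\\\?\?\\([A-Za-z]:\\[^\s]+)') { $path = $matches[1] }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Source  = $e.ProviderName
        Path    = $path
        Message = ($m -split "`n")[0]
    }
}

$rows | Sort-Object Time -Descending |
    Format-Table Time, Id, Source, Path -AutoSize

# Temp-named drivers in System32 that the kernel blocked deserve a second
# look: is the file still there, and does it carry a valid signature?
$rows |
    Where-Object { $_.Id -eq 1060 -and $_.Path -match '\\system32\\[0-9A-F]{4}\.tmp$' } |
    ForEach-Object {
        if (Test-Path $_.Path) {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path
            '{0}  present  signature={1}' -f $_.Path, $sig.Status
        } else {
            '{0}  no longer on disk' -f $_.Path
        }
    }
```

Run it from an elevated PowerShell prompt; a .tmp driver that is gone from disk is consistent with a scanner such as Sophos Anti-Rootkit dropping a temporary driver that the 64-bit kernel refused and then cleaning it up, while one that is still present and unsigned is worth hashing and looking up before anything else is done to the machine.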
 
1. Firefox gets redirected to sites with ads every few searches.
2. Maxthon, a China-based browser formerly called MyIE2, does not redirect a search but gives you "operation aborted" when you try to load some sites.
Does this size it up?

Yes, that's it exactly.

Sorry about the initial mix-up. Too much copying and pasting to try to get things to fit. Both DDS logs are attached.

Downloading ESET right now. Back with more ASAP.
 

Attachments: DDS.txt (30.2 KB), Attach.txt (9 KB)
And here are the ESET and Security Check logs. Not sure why the DNS vulnerability check timed out.
 

Attachments: checkup.txt (1.1 KB), log.txt (835 bytes)
Let's get the security set to a safer level.
You are running multiple antivirus programs. This actually makes a system more vulnerable. They are:

  • [1] c:\program files\Alwil Software >> Avast
  • [2] c:\program files (x86)\Avira
  • [3] c:\program files (x86)\Norton AntiVirus
        c:\program files (x86)\Norton Internet Security
        c:\program files\Symantec

The system shows three separate downloads and installs for Symantec/Norton. If you choose to keep this as your antivirus program, look into getting a suite which will include everything you want, such as AV, FW and antimalware together, instead of having 3 separate programs.
Security Uninstalls
Remove these using these tools:
  • Avast Removal
  • To uninstall Avira:
    [o] Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    [o] Wait for the list of installed programs to load, then click the name of the Avira program.
    [o] Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    [o] Press Yes, to confirm the removal and then OK.
    [o] Click Next until Finish. The software is removed.
  • Please uninstall Hitman Pro. It is nothing but a bundle of programs that are free on the internet. Why?
    There is a 30 day trial. When this expires, although Hitman Pro still scans for malware; it just won't remove any found threats until you pay the $20 for the program. The 64 bit version is Hitman Pro 3 (64-bit) 3.5.6.115. Hitman Pro 3 combines a variety of anti malware programs without installing software on your PC using cloud technology for malware detection.
    The list may have varied slightly, but this is a list of programs in v3:
    NOD32 Antivirus, Avira AntiVir, Prevx, G DATA Anti-Virus, a-squared Anti-Malware

    So why should you have to pay to remove entries when these programs are free? And using this program is misleading: None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.


Additional Uninstalls:
  1. Remove Sophos Anti-Rootkit 1.5.4. As mentioned, it is not compatible with your OS.
  2. I recommend that you uninstall the Auslogics Registry Cleaner. Most of us do not recommend using a Registry cleaner.
  3. Uninstall HijackThis v2.0.2. It is an outdated version and HJT won't scan well on a 64 bit system.
  4. ParetoLogic: you are getting ProgramData entries, but I can't tell for which program. Recommend you uninstall any of these: Antivirus? Registry cleaner? XoftSpy? Driver Cure? All bad; remove all.
=============================================================
After these uninstalls are handled, please reboot the computer and run TFC again. Advise me of system status.

Question:
1. Do you have any Group Policies set? If so, which ones?
2. There is one entry that I'm wondering if it could be a part of the redirecting. It is:
URLRedirectionBHO, Office Document Cache Handler
URLREDIR.DLL Part of Microsoft Office 2010 - responsible for "caching Office documents on client computer, with differential synchronization between Office client and SharePoint server"
 
I don't know why Norton shows three installations. I only installed it for the first time a few days ago, when this all started.

The Avast uninstaller caused Firefox to crash the first time. I think I got it off now.

Re: group policies. I don't have any set. The only thing I can guess about URLREDIR is that Office (which I also just installed last week) is using it to grab articles from a Sharepoint file that I access via VPN, which I use to communicate with a freelance client's system.

Yeah, I've tried out just about every free antivirus program out there -- at least the ones that CNET said were kosher. Each one seems to pick up something different. (Stopzilla was a lot of fun ... said it found about 20 problems, but when I clicked to fix them, it told me I had to pay. I don't think so.) But when I delete the malware every scan finds, I reboot and run another scan, and the stuff is still there. Even more frustrating and perplexing is that my last two scans didn't show anything, yet the Google redirect persisted.

I can't run Combofix on 64-bit Win7, can I?

When TFC began running, I got a message saying Windows has encountered a problem and needs to close. TFC appeared to finish its scan before the reboot, though.

Anyway, I just tried about 10 random Google searches, and no redirects yet. I'll report in a little later, after some more surfing. Further, Maxthon appears to be able to get to Web pages without an "operation aborted" notice.

Thanks for your help and patience so far.
 
It's unusual to just get an occasional, random redirect. Describe the redirect please.
 
I was searching in Google for how to locate an OS upgrade disc for our old eMac. Found some information on the Apple forums, but instead of going to discussions.apple.com, my Google link went to an Infomash page with a bunch of links for Apple-related products for sale. I clicked back to Google, tried the link again, and it went where it was supposed to.

Edited to add: I also tried Maxthon again. I plugged "jusched" into Google, to check on the legitimacy of the Java Update Scheduler that's running on my system. When I clicked on the link I wanted, the page stopped loading, and I got the usual notice saying the page couldn't be uploaded and the operation has been aborted; check to make sure you're connected to the Internet. But then I hit reload, and the page came up fine.
 
See where this takes you: http://discussions.apple.com/index.jspa

There is always a chance in a forum of a bad link.

The edit you left sounds more like a server problem. You didn't get redirected; there was a delay. But I think the problems are settings-based rather than malware. MBAM and ESET were clean.

Have you done the uninstalls I requested? Let's run this and see if it picks up anything:

Part 1 - The Scan
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
 
But these aren't bad links, at least in Firefox. They're redirects to spam sites. Going to CompUSA via Google, for example, sent me to an Infomash page showing a list of links where I could buy cheap computer hardware and software. I clicked back to Google, hit the link again, and it went to CompUSA like it was supposed to. I can only assume that the person who wrote this virus is hijacking my DNS and sending me to random spam websites, and he probably gets a monetary reward every time someone clicks to the page. In Maxthon, if it's the same virus causing the issue, it only seems to affect clicks to websites that deal with virus detection and removal. A few days ago, it was preventing me completely from getting to such sites. Now, at least the last time I tried, it seems to be behaving like the Firefox redirect: First attempt won't send me where I'm going, but the second attempt lets me in. There doesn't seem to be any rhyme or reason to any of this.

I think everything you asked me to undelete is now gone.

Meanwhile, here's how the Goored report came out. No redirects since I ran GooredFix, but I haven't been on this machine much over the past couple of days. Fingers crossed ...

GooredFix by jpshortstuff (03.07.10.1)
Log created at 06:55 on 23/09/2010 (Adrian)
Firefox version 3.6.10 (en-US)

========== GooredScan ==========

(none)
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2006E816-2E7C-4DD2-AB9D-B0090A40B12C} -> Success!
Deleting C:\Users\Adrian\AppData\Local\{2006E816-2E7C-4DD2-AB9D-B0090A40B12C} -> Success!

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:00 14/09/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [19:52 19/09/2010]

C:\Users\Adrian\Application Data\Mozilla\Firefox\Profiles\o3fqrzud.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{BBDA0591-3099-440a-AA10-41764D9DB4DB}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn\" [22:40 20/09/2010]

-=E.O.F=-
 
Part 2 - Goored The Fix

You should print these instructions because all Firefox browsers MUST be closed before running the fix.
  • Please double-click Goored.exe on your Desktop to run it.

    • [o] Select 2. Fix Goored by typing 2 and pressing Enter.
      [o] Make sure all instances of Firefox are closed at this point.
      [o] Type y at the prompt and press Enter again.
      [o] A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
  • Now rerun Firefox and please paste the new Goored.txt log into your next reply

Reboot the computer when finished. Empty the Recycle Bin
Give it a couple of days and let me know if the problems have been resolved.
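The GooredFix log above shows the mechanism behind this kind of redirect: an extension GUID registered under HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions whose path pointed into the user's AppData\Local folder, which Firefox 3.x loads as though it had been installed through the browser. The PowerShell below is an added example, not part of this thread and not GooredFix's own code; it enumerates every place a Firefox 3.x extension can be registered on Windows and flags registry entries that point into a per-user AppData\Local or Temp path or at a folder that no longer exists. It assumes the default Firefox install and profile layout, PowerShell 2.0 or later, and that it runs in the affected user's session; the flagging rules are my own heuristic, not something the thread or the tool states.

```powershell
# Added example, not from the thread or from GooredFix. Two checks:
#  1. registry-side extension registrations (HKLM 32/64-bit views and HKCU),
#     the hook used by the {2006E816-...} entry the log above deleted;
#  2. folder-side extensions in the Firefox program directory and the
#     user's profile(s).
# Heuristic (assumed, not from the thread): a registry-registered extension
# whose target lives under AppData\Local or a Temp folder, or whose target
# folder is missing, is flagged for review.

function Get-FirefoxExtensionRegistrations {
    $hives = @(
        'HKLM:\Software\Mozilla\Firefox\Extensions',
        'HKLM:\Software\Wow6432Node\Mozilla\Firefox\Extensions',
        'HKCU:\Software\Mozilla\Firefox\Extensions'
    )
    foreach ($key in $hives) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Extension IDs are braced GUIDs or name@domain strings; this also
            # skips the PSPath/PSParentPath metadata that Get-ItemProperty adds.
            if ($p.Name -notmatch '^(\{[0-9A-Fa-f-]{36}\}|[^@\s]+@[^@\s]+)$') { continue }
            $target = [string]$p.Value
            New-Object PSObject -Property @{
                Where   = $key
                Id      = $p.Name
                Target  = $target
                Missing = -not (Test-Path $target)
                UserTmp = ($target -match '\\AppData\\Local\\' -or $target -match '\\Temp\\')
            }
        }
    }
}

function Get-FirefoxExtensionFolders {
    $dirs = @()
    foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($pf) { $dirs += Join-Path $pf 'Mozilla Firefox\extensions' }
    }
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $profiles) {
        $dirs += Get-ChildItem $profiles | ForEach-Object { Join-Path $_.FullName 'extensions' }
    }
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem $d | ForEach-Object {
            New-Object PSObject -Property @{
                Where     = $d
                Id        = $_.Name
                Target    = $_.FullName
                Installed = $_.LastWriteTime
            }
        }
    }
}

Get-FirefoxExtensionRegistrations | Format-Table Where, Id, Target, Missing, UserTmp -AutoSize
Get-FirefoxExtensionFolders        | Format-Table Where, Id, Installed -AutoSize
```

Against the log above, the HKLM entry for {2006E816-2E7C-4DD2-AB9D-B0090A40B12C} pointing at C:\Users\Adrian\AppData\Local\{2006E816-...} would come out with UserTmp set, while the Norton IPSFFPlgn entry under ProgramData and the two folders under Program Files (x86)\Mozilla Firefox\extensions (the Firefox default theme and the Java 6 Update 21 console extension, matching the installed-programs list) would not be flagged. Anything flagged should be looked at by hand before it is removed; the check only surfaces candidates.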
 