TechSpot

Yet another Google redirect virus

By amrush71
Sep 22, 2010
  1. I've been trying to squash this bug for three days straight. As a freelancer, I'm losing money the longer my computer is out of commission. I can usually get rid of these viruses, but this one just keeps coming back, no matter what I do. I've run about 10 different antivirus programs, a rootkit remover, and a registry cleaner. Nothing works. I have two browsers I use -- Firefox and Maxthon. My Google searches in Firefox get occasionally redirected to ad/spam sites (maybe one in every three or four clicks). In Maxthon (which is IE-based, in case you haven't heard of it), I get "operation aborted" notices when trying to go to sites like Bleepingcomputer, or this one. (So far, Firefox seems unaffected in that regard.)

    Can't run GMER, as I'm on 64-bit Win7. MBAM and DDS logs follow. "Attach" exceeds 20K characters, so it's included here as an attachment.

    ----------------------------------------

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4661

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    22-Sep-10 8:40:13
    mbam-log-2010-09-22 (08-40-13).txt

    Scan type: Quick scan
    Objects scanned: 137652
    Time elapsed: 5 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    -----------------------------------------------------------------------------------------------


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 13-Sep-10 16:47:32
    System Uptime: 22-Sep-10 8:30:07 (0 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Celeron(R) CPU 900 @ 2.20GHz | CPU | 2194/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 222 GiB total, 181.71 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP31: 20-Sep-10 11:51:47 - Installed FreeUndelete
    RP32: 20-Sep-10 12:01:02 - Installed ParetoLogic Data Recovery.
    RP33: 20-Sep-10 13:33:30 - printer fixed
    RP34: 20-Sep-10 19:15:51 - after norton scan
    RP35: 21-Sep-10 6:42:28 - avast! Free Antivirus Setup
    RP36: 21-Sep-10 7:50:34 - Removed ParetoLogic Data Recovery.
    RP37: 21-Sep-10 7:52:22 - Removed FreeUndelete
    RP38: 21-Sep-10 11:13:38 - avast! Free Antivirus Setup
    RP39: 21-Sep-10 11:39:31 - apparently safe
    RP40: 21-Sep-10 22:52:03 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
    RP41: 22-Sep-10 5:45:58 - StopZILLA! Restore Point.
    RP43: 22-Sep-10 8:32:08 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.

    ==== Installed Programs ======================

    Adobe AIR
    Adobe Community Help
    Adobe Dreamweaver CS5
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe InDesign CS5
    Adobe Media Player
    Adobe Reader 9.3
    AIM 7
    Apple Application Support
    Apple Software Update
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    Atheros Driver Installation Program
    Audacity 1.3.12 (Unicode)
    Auslogics Registry Cleaner
    Avira AntiVir Personal - Free Antivirus
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    DHTML Editing Component
    DJ_AIO_05_F4400_Software_Min
    Download Updater (AOL LLC)
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Gtk# for .Net 2.12.9
    HijackThis 2.0.2
    Hitman Pro 3.5
    HP Photo Creations
    HP Update
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 21
    Junk Mail filter update
    Label@Once 1.0
    LAME v3.98.2 for Audacity
    Malwarebytes' Anti-Malware
    Maxthon2
    Microsoft Choice Guard
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Home and Student 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Mozilla Firefox (3.6.10)
    MSVCRT
    MSXML 4.0 SP3 Parser (KB973685)
    Norton AntiVirus
    OpenOffice.org 3.2
    OpenVPN 2.1.3
    PandoraRecovery (Remove Only)
    PDF Settings CS5
    PhotoImpact X3
    PolarClock3 Screen Saver
    QuickTime
    Realtek USB 2.0 Card Reader
    Scan
    Sophos Anti-Rootkit 1.5.4
    Spybot - Search & Destroy
    Toolbox
    TOSHIBA Application Installer
    TOSHIBA Assist
    TOSHIBA Hardware Setup
    TOSHIBA HDD/SSD Alert
    TOSHIBA Media Controller
    TOSHIBA Media Controller Plug-in
    TOSHIBA Quality Application
    TOSHIBA ReelTime
    TOSHIBA Service Station
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    ToshibaRegistration
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer

    ==== Event Viewer Messages From Past Week ========

    22-Sep-10 8:30:49, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: is3srv SAVRKBootTasks
    22-Sep-10 8:28:45, Error: Service Control Manager [7034] - The STOPzilla Service service terminated unexpectedly. It has done this 1 time(s).
    22-Sep-10 5:50:54, Error: bowser [8003] - The master browser has received a server announcement from the computer ORLANDO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{13084601-1182-4B83-A822-E79BD39E97D1}. The master browser is stopping or an election is being forced.
    22-Sep-10 5:45:06, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
    22-Sep-10 5:44:51, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SAVRKBootTasks
    21-Sep-10 6:34:29, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
    21-Sep-10 3:12:27, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx64 DfsC discache eeCtrl IDSVia64 NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr SRTSP SRTSPX SymIRON SymNetS tdx vwififlt Wanarpv6 WfpLwf
    21-Sep-10 3:12:27, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    21-Sep-10 22:40:29, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
    21-Sep-10 22:40:29, Error: Application Popup [1060] - \??\C:\windows\system32\EB0A.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    21-Sep-10 22:38:03, Error: Application Popup [1060] - \??\C:\windows\system32\9D86.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    21-Sep-10 22:29:50, Error: Application Popup [1060] - \??\C:\windows\system32\4D12.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    21-Sep-10 21:52:30, Error: Application Popup [1060] - \??\C:\windows\system32\1002.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    21-Sep-10 2:28:47, Error: Service Control Manager [7030] - The Lavasoft Ad-Aware Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    20-Sep-10 22:23:41, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{13084601-1182-4B83-A822-E79BD39E97D1} because another computer on the network has the same name. The server could not start.
    20-Sep-10 11:48:37, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    20-Sep-10 11:48:07, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
    20-Sep-10 11:47:37, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
    18-Sep-10 12:28:06, Error: bowser [8003] - The master browser has received a server announcement from the computer TONY that believes that it is the master browser for the domain on transport NetBT_Tcpip_{390E530B-D42C-4C75-931E-255B69283D1B}. The master browser is stopping or an election is being forced.
    17-Sep-10 12:30:14, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    16-Sep-10 16:15:33, Error: Service Control Manager [7031] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

    ==== End Of File ===========================
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You got mixed up pasting the logs in> you both pasted and attached the DDS log named Attached.txt. But you did not include the DDS.txt log. I need that one.
Specifically, what 'virus' are you referring to? This term "operation aborted" would not normally be associated with malware so we need to sort this out:
    1. Firefox gets redirected to sites with ads every few searches.
    2. Maxthon, a China-based browser, formerly called MyIE2 does not redirect a search but gives you "operation aborted" when you try to load some sites
    Does this size it up?

About Sophos AntiRootkit: Currently SAR doesn't support 64bit which is why the errors appeared. So I suggest you uninstall SAR to remove at least one conflict from the system.
    There are numerous Errors in the Event Viewer for this:
    21-Sep-10 22:40:29, Error: Application Popup [1060] - \??\C:\windows\system32\EB0A.tmp has been blocked from loading due to incompatibility with this system.
    The entry in red has various names: EB0A.tmp, 9D86.tmp, 1002.tmp> they are all tmp files in System 32 folder, all are incompatible with your OS

    21-Sep-10 22:40:29, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
    The memsweep2 file is from Sophos which can't verify the temp file.

    Give this a run please- let's see what it uncovers:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Also please run this: Security Check
    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe to run.
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.

    Leave the Eset log, the DDS.txt log and the Security Check in your next reply.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
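The analysis in the reply above (random four-hex-character .tmp files under system32 that Windows refused to load as drivers, and a service whose driver was blocked at the same moment) can be turned into a small triage script. The following is an added example, not code from the thread or from any of the tools mentioned; it parses the "Event Viewer Messages" section of a DDS log. The sample lines are copied from the DDS log posted earlier in this thread, and the timestamp correlation between events 7000 and 1060 is a heuristic of this example, not a rule from any tool.

```python
"""Triage the Event Viewer section of a DDS log for blocked-driver patterns.

Flags: (a) event 1060 lines where the blocked driver is a 4-hex-char .tmp file
in system32, (b) event 7000 lines where a service failed because its driver was
blocked, (c) event 7026 lists of boot/system-start drivers that failed to load,
and (d) 7000/1060 pairs sharing a timestamp, which tie a service name to the
.tmp driver it tried to load. A hit still has to be checked against the tools
actually installed: in this thread the MEMSWEEP2 driver belongs to Sophos
Anti-Rootkit, which is simply not 64-bit compatible.
"""
import re

# Sample lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
22-Sep-10 8:30:49, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: is3srv SAVRKBootTasks
21-Sep-10 22:40:29, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
21-Sep-10 22:40:29, Error: Application Popup [1060] - \??\C:\windows\system32\EB0A.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
21-Sep-10 22:38:03, Error: Application Popup [1060] - \??\C:\windows\system32\9D86.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
21-Sep-10 3:12:27, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
"""

# "<date> <time>, <level>: <source> [<event id>] - <message>" as DDS prints it
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}-[A-Za-z]{3}-\d{2} \d{1,2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
# Event 1060 quotes the NT path of the blocked image, e.g. \??\C:\windows\system32\EB0A.tmp
TMP_DRIVER_RE = re.compile(
    r"\\\?\?\\(?P<path>[A-Za-z]:\\windows\\system32\\[0-9A-Fa-f]{4}\.tmp)\b.*blocked from loading",
    re.IGNORECASE,
)
BLOCKED_SVC_RE = re.compile(
    r"^The (?P<svc>\S+) service failed to start .*blocked from loading", re.IGNORECASE
)
FAILED_BOOT_RE = re.compile(r"failed to load: (?P<drivers>.+)$")


def parse_events(text):
    """Return one dict per recognised event line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def triage(text):
    """Extract the blocked-driver indicators and correlate them by timestamp."""
    tmp_drivers = []       # (timestamp, path) from event 1060
    blocked_services = []  # (timestamp, service) from event 7000
    failed_boot = []       # driver names from event 7026
    for ev in parse_events(text):
        if ev["event_id"] == 1060:
            m = TMP_DRIVER_RE.search(ev["msg"])
            if m:
                tmp_drivers.append((ev["ts"], m.group("path")))
        elif ev["event_id"] == 7000:
            m = BLOCKED_SVC_RE.match(ev["msg"])
            if m:
                blocked_services.append((ev["ts"], m.group("svc")))
        elif ev["event_id"] == 7026:
            m = FAILED_BOOT_RE.search(ev["msg"])
            if m:
                failed_boot.extend(m.group("drivers").split())
    # Heuristic: a 7000 logged at the same second as a 1060 names the service
    # whose driver image was the blocked .tmp file.
    correlated = [
        (svc, path)
        for (t_svc, svc) in blocked_services
        for (t_tmp, path) in tmp_drivers
        if t_svc == t_tmp
    ]
    return {
        "blocked_tmp_drivers": [p for _, p in tmp_drivers],
        "blocked_services": [s for _, s in blocked_services],
        "failed_boot_drivers": failed_boot,
        "correlated": correlated,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full DDS log the script lists every .tmp driver Windows blocked and which service (if any) tried to load it; the service-to-vendor lookup is still manual, which is exactly the step the reply above performs for MEMSWEEP2.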
     
  3. amrush71

    amrush71 TS Rookie Topic Starter

    Yes, that's it exactly.

    Sorry about the initial mix-up. Too much copying and pasting to try to get things to fit. Both DDS logs are attached.

    Downloading ESET right now. Back with more ASAP.
     

    Attached Files:

  4. amrush71

    amrush71 TS Rookie Topic Starter

    And here are the ESET and Security Check logs. Not sure why the DNS vulnerability check timed out.
     

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's get the security set to a safer level.
    You are running multiple antivirus programs. This actually makes a system more vulnerable. They are:

    • [1]. c:\program files\Alwil Software>> Avast
      [2]. c:\program files (x86)\Avira
      [3]. c:\program files (x86)\Norton AntiVirus
      c:\program files (x86)\Norton Internet Security
      c:\program files\Symantec

    The system shows three, separate downloads and installs for Symantec/Norton. If you choose to keep this as your antivirus + program, look into getting a suite which will include everything you want such as AV, FW and antimalware together instead of having 3 separate programs.
    Security Uninstalls
    Remove these using these tools:
    • Avast Removal
    • To uninstall Avira:
      [o] Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
      [o] Wait for the list of installed programs to load, then click the name of the Avira program.
      [o] Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
      [o] Press Yes, to confirm the removal and then OK.
  [o] Click Next until Finish. The software is removed.
    • Please uninstall Hitman Pro. It is nothing but a bundle of programs that are free on the internet. Why?
      There is a 30 day trial. When this expires, although Hitman Pro still scans for malware; it just won't remove any found threats until you pay the $20 for the program. The 64 bit version is Hitman Pro 3 (64-bit) 3.5.6.115. Hitman Pro 3 combines a variety of anti malware programs without installing software on your PC using cloud technology for malware detection.
  They may have varied slightly, but this is a list of programs in v3:
      NOD32 Antivirus, Avira AntiVir, Prevx, G DATA Anti-Virus, a-squared Anti-Malware

      So why should you have to pay to remove entries when these programs are free? And using this program is misleading: None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.


    Additional Uninstalls:
    1. Remove Sophos Anti-Rootkit 1.5.4. As mentioned, it is not compatible with your OS.
    2. I recommend that you uninstall the Auslogics Registry Cleaner. Most of us do not recommend using a Registry cleaner.
    3. Uninstall HijackThis v2.0.2. It is an outdated version and HJT won't scan well on a 64 bit system.
4. ParetoLogic>> You are getting programdata but I can't tell for which program. Recommend you uninstall any of these> Antivirus?, Registry cleaner?, XoftSpy?, Driver Cure? All bad> Remove all
    =============================================================
    After these uninstalls are handled, please reboot the computer and run TFC again. Advise me of system status.

    Question:
    1. Do you have any Group Policies set? If so, which ones?
    2. There is one entry that I'm wondering if it could be a part of the redirecting. It is:
    URLRedirectionBHO, Office Document Cache Handler
    URLREDIR.DLL Part of Microsoft Office 2010 - responsible for "caching Office documents on client computer, with differential synchronization between Office client and SharePoint server"
     
  6. amrush71

    amrush71 TS Rookie Topic Starter

    I don't know why Norton shows three installations. I only installed it for the first time a few days ago, when this all started.

    The Avast uninstaller caused Firefox to crash the first time. I think I got it off now.

    Re: group policies. I don't have any set. The only thing I can guess about URLREDIR is that Office (which I also just installed last week) is using it to grab articles from a Sharepoint file that I access via VPN, which I use to communicate with a freelance client's system.

    Yeah, I've tried out just about every free antivirus program out there -- at least the ones that CNET said were kosher. Each one seems to pick up something different. (Stopzilla was a lot of fun ... said it found about 20 problems, but when I clicked to fix them, it told me I had to pay. I don't think so.) But when I delete the malware every scan finds, I reboot and run another scan, and the stuff is still there. Even more frustrating and perplexing is that my last two scans didn't show anything, yet the Google redirect persisted.

    I can't run Combofix on 64-bit Win7, can I?

    When TFC began running, I got a message saying Windows has encountered a problem and needs to close. TFC appeared to finish its scan before the reboot, though.

    Anyway, I just tried about 10 random Google searches, and no redirects yet. I'll report in a little later, after some more surfing. Further, Maxthon appears to be able to get to Web pages without an "operation aborted" notice.

    Thanks for your help and patience so far.
     
  7. amrush71

    amrush71 TS Rookie Topic Starter

    Bah ... just got another redirect in Firefox.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It's unusual to just get an occasional, random redirect. Describe the redirect please.
     
  9. amrush71

    amrush71 TS Rookie Topic Starter

    I was searching in Google for how to locate an OS upgrade disc for our old eMac. Found some information on the Apple forums, but instead of going to discussions.apple.com, my Google link went to an Infomash page with a bunch of links for Apple-related products for sale. I clicked back to Google, tried the link again, and it went where it was supposed to.

    Edited to add: I also tried Maxthon again. I plugged "jusched" into Google, to check on the legitimacy of the Java Update Scheduler that's running on my system. When I clicked on the link I wanted, the page stopped loading, and I got the usual notice saying the page couldn't be uploaded and the operation has been aborted; check to make sure you're connected to the Internet. But then I hit reload, and the page came up fine.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    See where this takes you: http://discussions.apple.com/index.jspa

    There is always a chance in a forum of a bad link.

    The edit you left sounds more like a server problem. You didn't get redirected, there was a delay, but I think the problems are setting based rather than malware. Mbam and Eset were clean.

    Have you done the uninstalls I requested? Let's run this and see if it picks up anything:

    Part 1 - The Scan
    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
     
  11. amrush71

    amrush71 TS Rookie Topic Starter

    But these aren't bad links, at least in Firefox. They're redirects to spam sites. Going to CompUSA via Google, for example, sent me to an Infomash page showing a list of links where I could buy cheap computer hardware and software. I clicked back to Google, hit the link again, and it went to CompUSA like it was supposed to. I can only assume that the person who wrote this virus is hijacking my DNS and sending me to random spam websites, and he probably gets a monetary reward every time someone clicks to the page. In Maxthon, if it's the same virus causing the issue, it only seems to affect clicks to websites that deal with virus detection and removal. A few days ago, it was preventing me completely from getting to such sites. Now, at least the last time I tried, it seems to be behaving like the Firefox redirect: First attempt won't send me where I'm going, but the second attempt lets me in. There doesn't seem to be any rhyme or reason to any of this.

    I think everything you asked me to undelete is now gone.

    Meanwhile, here's how the Goored report came out. No redirects since I ran GooredFix, but I haven't been on this machine much over the past couple of days. Fingers crossed ...

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 06:55 on 23/09/2010 (Adrian)
    Firefox version 3.6.10 (en-US)

    ========== GooredScan ==========

    (none)
    Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2006E816-2E7C-4DD2-AB9D-B0090A40B12C} -> Success!
    Deleting C:\Users\Adrian\AppData\Local\{2006E816-2E7C-4DD2-AB9D-B0090A40B12C} -> Success!

    ========== GooredLog ==========

    C:\Program Files (x86)\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [00:00 14/09/2010]
    {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [19:52 19/09/2010]

    C:\Users\Adrian\Application Data\Mozilla\Firefox\Profiles\o3fqrzud.default\extensions\
    (none)

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{BBDA0591-3099-440a-AA10-41764D9DB4DB}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn\" [22:40 20/09/2010]

    -=E.O.F=-
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Part 2 - Goored The Fix

You should print these instructions because all Firefox browsers MUST be closed before running the fix.
    • Please double-click Goored.exe on your Desktop to run it.

      • [o] Select 2. Fix Goored by typing 2 and pressing Enter.
        [o] Make sure all instances of Firefox are closed at this point.
        [o] Type y at the prompt and press Enter again.
        [o] A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
• Now rerun Firefox and please paste the new Goored.txt log into your next reply

    Reboot the computer when finished. Empty the Recycle Bin
    Give it a couple of days and let me know if the problems have been resolved.
     