Avast WEBforum

Other => Viruses and worms => Topic started by: cromag on December 13, 2008, 04:33:20 AM

Title: Devastating virus/worm attack
Post by: cromag on December 13, 2008, 04:33:20 AM
Hello.  I'm an Avast! Home user, the free edition.

Thursday, December 4, I suffered a pretty devastating virus/worm attack.  I will probably end up re-installing everything from scratch, but I wanted to run this past you guys, as well as some odd behavior that preceded the attack -- it may or may not be related.

On Thursday, November 27, when I started my computer, Windows XP SP3 popped up an alert that my antivirus program was out of date.  I opened Avast!, but it reported that it was fully up to date.  I eventually discovered that my computer's clock was showing the wrong month -- it showed the correct time of day and date, but it was showing December instead of November.  I assumed it was a flaw in Windows and reset my clock.

Exactly one week later, on December 4, when I turned on my computer and ran Ad-Aware, it showed one of my programs to be a Trojan.  I've had the program for a year, but had not used it in 6 to 8 months.  Since I was confused by the report I (unfortunately) did not delete or quarantine it.  Instead I ran Malwarebytes Anti-Malware.  I immediately began getting alarms from Avast! about new Trojans being found, and too many identical outgoing emails.  MBAM eventually stopped the active attack.

I ran MBAM again, Spybot S&D, and SUPERAntiSpyware -- as well as Avast!  All scans are coming up as "no infected files found" ... but something is definitely going on.



My continuing obvious symptom is that Google searches are often, but not always, redirected.  The redirection often passes through sites that are reportedly involved in cyber-crime.

Other than that, SUPERAntiSpyware acts ... strangely ... when scanning my Registry.  It increments a file counter as it scans each file but, when it gets to a certain count in my Registry the filenames begin to fly by very quickly, but the file counter does not increment.  What I can catch of these uncounted filenames includes some of the sites I've been redirected to, as well as sexually explicit names, and words like "porno" and "poker."  After 5 to 10 minutes of this the file names slow down and the file counter begins incrementing again.

Then, on Tuesday, December 9, I got 6 automatic updates from Microsoft.  They seemed legitimate.  When I booted up after the updates were downloaded my desktop was replaced with a white screen warning me that Windows had encountered an unexpected error and was turning off my active desktop as a precaution.

So, something is still wrong.



I am waiting for someone else to check my HijackThis logs, but I'm assuming I will need to do a format and full system reinstall.

Mostly, I wanted to report this.
Title: Re: Devastating virus/worm attack
Post by: Jtaylor83 on December 13, 2008, 05:48:29 AM
Download HiJackThis (http://www.filehippo.com/download_hijackthis/) and post a log here.
Title: Re: Devastating virus/worm attack
Post by: newbie7 on December 13, 2008, 12:33:34 PM
Make sure you follow these procedures before performing a scan.

*Tick show hidden files and folders
*Un-tick hide extensions for known file types (maybe not necessary, but just un-tick to scan thoroughly)
*Un-tick Protected operating system files (maybe not necessary, but just un-tick to scan thoroughly)
*Turn off system restore
*Restart computer in safe mode [F8] key

Then run any scan in safe mode; best is one scan at a time.


Title: Re: Devastating virus/worm attack
Post by: DavidR on December 13, 2008, 03:00:23 PM
What browser are you using (for the google redirects there is something like this in firefox called google.goored) ?

Try an avast boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php (http://www.digitalred.com/avast-boot-time.php).

I don't know if you ran SAS and MBAM from safe mode (as newbie7 mentioned) as they are more effective from there. http://www.pchell.com/support/safemode.shtml (http://www.pchell.com/support/safemode.shtml)
Title: Re: Devastating virus/worm attack
Post by: cromag on December 14, 2008, 12:19:04 AM
Thanks, newbie7 -- that is how I ran them.

DavidR, yes, I was reluctant to mention the devil's name (I didn't want to lead anyone there), but that is one of the places I pass through when redirected.  I am using Firefox 3.0.4.  I hadn't thought to schedule a boot-time scan.

I am waiting for someone to check my HijackThis log, and promised I would not make any changes to the system until they got back to me.  I'll keep you folks posted, and I am interested in anyone's advice or opinion.

Thanks again.
Title: Re: Devastating virus/worm attack
Post by: cromag on December 14, 2008, 05:41:25 AM
One additional symptom, perhaps?

Twice since the viruses first hit me last week I've discovered my computer "on" when I know I turned it "off."  The most recent episode was this evening: about an hour and a half after turning it off (and waiting to confirm it really was OFF) I looked over and saw the power light on.  I turned on the monitor and my desktop was there, as if normal.

I have no indication what, if anything, was going on.



To paraphrase the immortal Doctor Johnny Fever, "When someone is out to get you, paranoia is just good thinking."
Title: Re: Devastating virus/worm attack
Post by: YoKenny on December 14, 2008, 08:45:01 AM
cromag, check the Power settings for the LAN card or other adapters for resuming power settings.
Title: Re: Devastating virus/worm attack
Post by: cromag on December 17, 2008, 04:53:07 AM
Thanks, YoKenny.  Actually, my connection is right at my desk, so I've started unplugging from the internet when I shut down.  It's only been a couple of days, but so far no more unattended "power ups."
Title: Re: Devastating virus/worm attack
Post by: cromag on December 17, 2008, 04:55:41 AM
What browser are you using (for the google redirects there is something like this in firefox called google.goored) ?
...

DavidR, is there some known (but unknown to me) significance to the goored redirection?


And I'm also getting some through a site called goougly ... and some others.
Title: Re: Devastating virus/worm attack
Post by: DavidR on December 17, 2008, 03:45:09 PM
The significance is that this seems to be a redirection of google on firefox (as the quoted text states). I have no idea what form that redirection takes or where it ends up. There is a tool which is for use in the case of firefox to try and resolve the goored issue.

So it would have been nice if you had also said what browser you used when answering a question with a question ;D
Title: Re: Devastating virus/worm attack
Post by: cromag on December 17, 2008, 06:05:33 PM
The significance is that this seems to be a redirection of google on firefox (as the quoted text states). I have no idea what form that redirection takes or where it ends up. There is a tool which is for use in the case of firefox to try and resolve the goored issue.

So it would have been nice if you had also said what browser you used when answering a question with a question ;D

Sorry.  I guess I should feel lucky that I'm new at this kind of problem.

I am running Firefox 3.0.4.


The redirects are most obvious when searching for a consumer product and I get sent to a different shopping service.  For instance in a recent test I searched for "Cassette tape."  The first site on the list that Google returned was for Wikipedia, and I got there with no problem.  The second site was for "designboom.com," and when I tried to go there I was redirected -- this time via "goougly," but otherwise the same symptoms.

From Firefox's history:

Code:
http://www.google.com/search?q=cassette+tape&sourceid=navclient-ff&ie=UTF-8&rlz=1B3GGGL_en___US228
http://en.wikipedia.org/wiki/Compact_audio_cassette
http://goougly.com/c.php?url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCompact_audio_cassette&p=0

And from there I was sent to "couponmountain" instead of "designboom."


Title: Re: Devastating virus/worm attack
Post by: DavidR on December 17, 2008, 07:16:19 PM
Well, first, Firefox 3.0.5 is now available and I would suggest that you update as there have been a number of security issues updated; I don't know if this is one.

I would guess that the goougly.com tried to pass itself off as Google?

Before trying the tool below I would suggest you first do as suggested in the first reply, download hijackthis and post the contents of the log file.



####
Another tool just released to find the goored FF malware and remove it

FIND

Please download GooredFix (http://jpshortstuff.247fixes.com/GooredFix.exe) and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

FIX

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Title: Re: Devastating virus/worm attack
Post by: MO770 on December 18, 2008, 12:52:27 AM
I had the same problem with my Firefox redirecting on Google Searches.  It usually happened every other click.  I was starting to get upset because I could not clear it out.

I had run Spybot S&D as well as Malwarebytes and ended up with nothing. Avast showed nothing either.

I did a search for www.goougly.com and got linked here.  I then had to search just goougly and got this thread.

I ran GooredFix and got the log list.  Most of the offending locations were of the {CAJ78394237&-GENERAL GARBAGE HERE} variety.  So I shutdown Firefox and nuked them manually.

Thus far I've deleted {} Bracketed directories with impunity on a few hundred machines during spy sweeps and never had an issue yet.  I didn't comb the registry for the Firefox Plugins, but the directory had nothing out of order, QuickTime, Adobe, Etc. 

I ran the fix anyway, and what I had deleted would have been what GooredFix would have fixed. Or at least that's how it appeared to me.

Thus far under minor tests, I've not had a redirect.

Now I as a professional have questions for the other professionals, 1) is there anything that detects Goored? 2) Is this symptomatic of a larger and harder to detect infection of some sort?

Title: Re: Devastating virus/worm attack
Post by: DavidR on December 18, 2008, 01:26:11 AM
Not a professional, I don't do this as a job ;D

However, as far as I'm aware:
a) not yet.

I would have thought that it would be the likes of MBAM or SAS or other specific anti-spy/malware tools that scan the registry which would start to detect this as there doesn't seem to be a specific file to hunt down and identify.

I guess because this has been slow to happen some kind soul put together the gooredfix tool.

b) in this case it is harder to detect as it doesn't have an active file or it may be hidden by rootkit, so it is always going to be a game of catch up. Malware writers are always going to try to get more creative and that may lead to harder to detect malware until the catchup happens.
Title: Re: Devastating virus/worm attack
Post by: cromag on December 18, 2008, 03:27:33 AM
...
I would guess that the goougly.com tried to pass itself of as Google ?
...

Not really.  The stops at "goougly", "goored", etc., are pretty much invisible.

Searches for "digital camera" are reliably redirected, so I ran one again.

This is what it looked like to me:


This time I wound up at the Pentax site, but I usually wind up at the digital camera showroom of alibaba.com.


This is what I got from Firefox's history:
Code:
http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=en&q=digital+camera&btnG=Google+Search&aq=t
http://66.230.188.67/click.php?c=
http://66.230.188.121/click.php?re=1&cc=eNodk8muskoAhB%2BI5Eg3Q8PiLEARGUVGYXMDdCNHQJEZwsP%2F5qaSqlQtavf97QwncF%2FbLV9abOn3d6d%2FaJFhvgG4HdK0ACBAEADmWxO1fqV3t8yO8jOOQJ03yu9OGC7NIc%2FTXJ6JEBeYhwIhOBcI5tICs%2F%2BJgKcRjUnGAQGk3x%2BCM6bAIKULgERAdnEHO7HfOBia63uTbge9S5blZbG5bLxBIMmLdjySWBPkeCznoyprWceLBAXVgIMagxr7omoVlCjie%2BT6nL7W7xB7dMMWTqeOBzAyJmoeAI%2FCQc4htSxWg8R%2B6ThH1HKGrBiEL%2FXSr4uQN%2BIxM3EuM50e5qlVMin9krGrOu2R5bMKqcPNObTHIrQJmiQjEB2oi4epzEhNymQ2krmkBKP1LVsnb5f0E%2BCwPgYOfc18pv%2BQ99RQmd0qCRXe%2BOpJmpY%2BCeFDruOUTaxPtXWRrVZZL2cJfOZlzNg3edlaSdziRXKjK2XH03CZYi7pqvANKgV9UIwVe4pSUiV3Em68vXl%2BjGfHPSVueh4i1i7CU%2Fd89U9H%2Bpg9cI5639JTtXl1fvLa4jYQTK6C0KDLtYzEHvbP8c4hlRuY%2FkyGT4h0zXt1F3vGMB%2BF90lRcrm0AjyboD4V1YP6qPE7tEMHSRxBKkg69v5Sa9OL7DasWd4HJzQHw8tI8jY5u09ZWrd%2BEvSVsq%2BV4WrjfB586fCiYQXuL1ezKXAk%2FYNzeMN7XGsNUp2xGtOfhG9Cbi4nXyxn5mGFK508Ht27X%2B2HsAzGnLSG5kULiIqenK%2BeRbUtQVuU61AxVEGJShX%2FWRPJ7ofmc17%2FPsZ4mmHsNXMwUQSP3btd%2FcxUkvZmeCVxuFdIhZPksomEDMXrjEJlWD1RcIMh60tgYelWeJjO6Ma3B0xl61pqYn5yDzg%2FjElgNjNlfmLRXb0USj2cM6SGA7UcYVKU0Ifr4J31q7LmbT5b05PjzKDbeFM%2F2yiMlPHUa7zi3IoDOKDPZkzz5XILL9U1eFHHmecohf3dEfwRhJ8vnz8MvdM7EOkfhv1yy%2FwAJHyHHe6YwYzZJG3WuBu%2BhE3yxz0zSH8x%2F187s%2BcwLM3Ifsd3nU7u2hhDcdgByr6A8QLLAIZOi%2B8JnTICS4OUR6jgxH9zSV8B&cu=3dec7bf66749ed5d4e498e9992f8c042&co=2656b67c9be392d2c9e40f3e38822bef&cr=0[/li]
http://feed.genieknows.com/yz/Monitor?enc=tJRgrWIdkZAFbcrZaQ9NstpfuRYH6SwKQN1SxziYlCEDQkv91kGdsgYlp0aEsB%2FdJBQSOqUEZppJ2TpsrKDSiENiRcE6%2BNe%2FA9nORDqqoc5dh1mdvAKcj4HrOzCvnw9FfDE8zl7N6Rti1BnVRf%2BZkdCznGGYSUMCPXgteWBsRYD1EamZH1n3IRWpxnohMfyZdKkE8H6Q7sxDGDk%2FXKbay2bYHZUAosgDGEbKKnC0ybTV0lF7GVP4xluV6lvXD2LEbyG65OVQMwpCLwH6pd3oymmXMoQ22RHAMp96SCPg7Zf6LRM067wdQ9h1gN91g%2Bs1am%2BET1XunR%2BJikhRHwSYKycTSULnmnglKCKdfNj1kTUqD%2FxvV%2BGt1%2F%2FMR%2BfI7355XCW1CtbFLJJyGqnsbzCOgp60Nu49Z1vInmiP%2By9S1ElhRY7Ej6l0ShEexzg6ZEocUc%2BYR5syc54RgYKocmrs9ENtDybPak6wv3vVl3M33jZH%2FWTiTBSU9BB3RVjlVHG25TLzAB48dgcxM%2Fi15KRYwrdP9df1Rt%2B9I699wPl2xZ8N8qocfbG4z0fRF6wDSXggE8Gn%2FtgDUNCTyQLQOvEHhK0kIXm0Zk91L8MGttpMMFVmfVrQJ%2B4gb0C4v5cQUSdXjxZeqpcZ8HCqeVRoF3E%3D&geniecid=1006442058
http://www.findstuff.com/search.php?query=digital+camera&source=gk&adgroupid=local3gk&partner=1006442058&subid=33363a38
http://www.findstuff.com/search.php?uvx=d8ZD2BFHuoLLxx378lUVWNgPk7LkBez5rnAAOatzVVxRqrj4XA63fOFfeZJQFNkG8I9xOJa8yrwa4LPNza_qxQTXImUd5EQ3u9YraCfZaJ78T9jf03MBFuehIgx4hDkeXvt_hu_T-2tPX1FM_Ne_ow%2A%2A
http://goougly.com/c.php?url=http%3A%2F%2Fwww.dpreview.com%2F&p=0
http://rc12.overture.com/d/sr/?xargs=15KPjg15lSnJamwr%2Dsc73MROaLxloaxca58cJvDpl7GtRd5iMxXOJ5b6THmsB8Te1xv1PdzPSU%2Dq8RKvf%2DkP2KFgyJRFOIEefpjdLJyo44PqmnX9EbsYRzy%2DLqn49NPnkOyl%2DBQpKznOvPIMCofnNJ%5Fo4D227Bvvxvws%2Dwx%2DQfE7LRtGBIzA3Zc8RQpLZ408HBL5gLSbFUdquckFKXBeo%5F6o94kL2UDg0TKV6m4xt5rCnzICYgrKnPYowJp7HvmI%2DYf7KpkYoPNhHRpeQ3sUnPjS%5FB39s2O4OzmSdqpEhVDqauJXMNvBxLmJ742v%5FbP400s2b2F5iaUzShNy04LioyB%5FKrbw2xIndtphOPZcQefM24q3nyNI%5FFACIjZ1QH%2DYL2NccD9VzFzxteOw%2E%2E
http://pixel1780.everesttech.net/1780/rq/1/4d74416a468c6985c97f5725cadca55f_7558666013_83193268013/url=http%3A//www.pentaximaging.com/
http://www.pentaximaging.com/?ef_id=1780:1:4d74416a468c6985c97f5725cadca55f_7558666013_83193268013:vvCMTEo-JyIAABfjvDgAAAAB:20081218021400


It looks like someone is trying to collect a commission as a referrer, but it seems like a lot of work for not much money.  That's why I wonder what else is going on.


BTW, I'm not trying to be obtuse about the logs, but I'm currently being helped through this by someone else, and I'm trying to keep it simple.  Besides, so far he's recommended the same scans and steps as you.
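A defender-side way to triage a history list like the one above, as an added example that is not part of the thread: it decodes the goougly c.php?url= wrapper to recover the page the user was meant to reach, compares it with where the chain actually ended, and notes the hops addressed by bare IP. The sample hops are constructed from the post, with the long tracking parameters replaced by PLACEHOLDER.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the hop sequence from the "digital camera" history above,
# with the long tracking parameters replaced by PLACEHOLDER so it stays readable.
SAMPLE_HISTORY = [
    "http://www.google.com/search?client=firefox-a&hl=en&q=digital+camera&btnG=Google+Search",
    "http://66.230.188.67/click.php?c=PLACEHOLDER",
    "http://66.230.188.121/click.php?re=1&cc=PLACEHOLDER",
    "http://feed.genieknows.com/yz/Monitor?enc=PLACEHOLDER&geniecid=1006442058",
    "http://www.findstuff.com/search.php?query=digital+camera&source=gk",
    "http://goougly.com/c.php?url=http%3A%2F%2Fwww.dpreview.com%2F&p=0",
    "http://rc12.overture.com/d/sr/?xargs=PLACEHOLDER",
    "http://www.pentaximaging.com/?ef_id=PLACEHOLDER",
]

def is_ip(host):
    """True when a hop is addressed by a bare IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def wrapped_target(url):
    """Return the destination carried inside a wrapper hop such as
    goougly.com/c.php?url=<encoded target> (parse_qs percent-decodes it);
    None when the hop carries no such parameter."""
    qs = parse_qs(urlsplit(url).query)
    return qs["url"][0] if "url" in qs else None

def analyse_chain(history, search_host="www.google.com"):
    """Summarise a click chain recorded in browser history: the search query,
    the page the user was meant to reach, the page actually reached, and the
    hosts visited in between."""
    first, last = history[0], history[-1]
    if urlsplit(first).hostname != search_host:
        raise ValueError("history must start at the search result page")
    query = parse_qs(urlsplit(first).query).get("q", [""])[0]
    landed_host = urlsplit(last).hostname or ""
    intended, intermediaries, ip_hosts = None, [], []
    for url in history[1:-1]:
        host = urlsplit(url).hostname or ""
        if intended is None:
            intended = wrapped_target(url)
        if host not in intermediaries:
            intermediaries.append(host)
        if is_ip(host) and host not in ip_hosts:
            ip_hosts.append(host)
    intended_host = urlsplit(intended).hostname if intended else None
    return {
        "query": query,
        "intended": intended,
        "landed_host": landed_host,
        # a wrapped target that differs from where we ended up is the redirect signature
        "hijacked": intended_host is not None and intended_host != landed_host,
        "intermediaries": intermediaries,
        "ip_hosts": ip_hosts,
    }

if __name__ == "__main__":
    for key, value in analyse_chain(SAMPLE_HISTORY).items():
        print("%-14s %s" % (key, value))
```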
Title: Re: Devastating virus/worm attack
Post by: cromag on December 18, 2008, 03:39:01 AM
Not a professional, I don't do this as a job ;D

However, as far as I'm aware:
a) not yet.

I would have thought that it would be the likes of MBAM or SAS or other specific anti-spy/malware tools that scan the registry which would start to detect this as there doesn't seem to be a specific file to hunt down and identify.

I guess because this has been slow to happen some kind soul put together the gooredfix tool.

b) in this case it is harder to detect as it doesn't have an active file or it may be hidden by rootkit, so it is always going to be a game of catch up. Malware writers are always going to try to get more creative and that may lead to harder to detect malware until the catchup happens.



I don't know how it's defending itself, but as I noted in my opening post, scanning the Registry comes up clean, but SUPERAntiSpyware acts very strangely in the Registry:

Quote
Other than that, SUPERAntiSpyware acts ... strangely ... when scanning my Registry.  It increments a file counter as it scans each file but, when it gets to a certain count in my Registry the filenames begin to fly by very quickly, but the file counter does not increment.  What I can catch of these uncounted filenames includes some of the sites I've been redirected to, as well as sexually explicit names, and words like "porno" and "poker."  After 5 to 10 minutes of this the file names slow down and the file counter begins incrementing again.


While the suspicious entries are flying by the "Pause" button in SUPERAntiSpyware doesn't work.  When you click on "Pause" the button changes to "Resume" but the filenames still fly by.  After they start incrementing again the "Pause" button works properly.

Title: Re: Devastating virus/worm attack
Post by: DavidR on December 18, 2008, 03:13:50 PM
My reply that you have quoted was in relation to the post above it by MO770 about the comments/questions 1, 2, in Reply #13.

Not directly to you.

I tend not to even watch the SAS scan I go and have a cup of tea, etc. and come back when it is finished, so I haven't noticed that issue as I never tried pausing if I happened to be there during a scan. I would only be concerned if there were any errors displayed to the screen.

I would curtail the test google searches you are doing because one of the redirects could potentially be to a malicious site, which could be much more serious, rather than one just trying to make a fast buck.

So I would try the goored fix tool.
Title: Re: Devastating virus/worm attack
Post by: jpshortstuff on December 19, 2008, 12:22:58 PM
Hi there,

I don't know how it's defending itself, but as I noted in my opening post, scanning the Registry comes up clean, but SUPERAntiSpyware acts very strangely in the Registry:
Goored isn't defending itself, it has no capability to do so (yet). The issue you are having will be the consequence of something else.

As for why it isn't detected by MBAM yet, well, the developers have a sample and they have all the information they need about the infection. I would think that they just haven't got round to it yet.

GooredFix was written purely to automate the process of identifying the infected folder and registry value, making the life of helpers on Malware forums easier. You are right, it came about because it turned out the AVs, MBAM, SAS and other general ASs weren't getting it. There is nothing special about this infection really, it doesn't try and hide itself other than making the plugin hidden from Firefox's Add-Ons list. The installer might be bundled with other Malware, but as of yet this is undetermined (still looking for the source of this one).

Cheers,

-jpshortstuff
Title: Re: Devastating virus/worm attack
Post by: DavidR on December 19, 2008, 03:55:38 PM
Hi jpshortstuff,
Thanks for the input and welcome to the forums.
Title: Re: Devastating virus/worm attack
Post by: jpshortstuff on December 19, 2008, 05:10:10 PM
Thanks David :)

Incidentally, Goored works with JavaScript, so disabling JavaScript in your browser should stop the redirects while you are waiting for the solution that you choose.

GooredFix Option#1 is completely non-invasive and will only perform a very quick (practically instantaneous) scan to detect any presence of the infection. I made some big changes (version 1.5 now) yesterday to improve the method it uses for detection and removal of the infection. Give it a spin :)

-jpshortstuff
Title: Re: Devastating virus/worm attack
Post by: essexboy on December 19, 2008, 05:36:21 PM
Hi and welcome jpshortstuff - goored worked for me last time I used it on G2G so I guess I will have to look at the latest version on my machine Ta  ;D
Title: Re: Devastating virus/worm attack
Post by: jpshortstuff on December 19, 2008, 05:47:40 PM
goored worked for me last time I used it on G2G so I guess I will have to look at the latest version on my machine Ta  ;D
You can check the topic at GeeksToGo for detailed descriptions of all the changes and why they were made. We were still getting 100% detection and 0 FPs with the old versions, but the latest will be secure and versatile, and easier to update if new variants are released.

Title: Re: Devastating virus/worm attack
Post by: DavidR on December 19, 2008, 06:30:13 PM
I have just downloaded the latest version and did a trial run and I noticed the actual log is much lighter (I wouldn't expect to see much in the log as my system is clean).

I also see there is now no
=====List of possible loading points===== section.

Is that by design or just because there are none, that might be considered a possible goored loading point ?
Title: Re: Devastating virus/worm attack
Post by: jpshortstuff on December 19, 2008, 06:35:32 PM
It is by design. There is no longer a need for that section as the registry value and infected folder is enough. The tool will also no longer remove the loading point - Firefox refreshes them and will remove it once the registry value is removed.
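An added example (not GooredFix and not code from the thread) of the check jpshortstuff describes in the last two replies: audit the Firefox extension registrations for a registered folder whose install.rdf is missing, asks to be hidden from the Add-ons list, or names a different id than the registry value. The registry key paths and the Firefox 3 em:hidden manifest flag are assumptions of this example; the sample registry values and manifests are constructed.

```python
import os
import re
import sys

# Registry locations Firefox 3 on Windows reads for extensions installed outside a
# profile; assumed for this example, the thread only says "the registry value".
REG_KEYS = [
    ("HKLM", r"SOFTWARE\Mozilla\Firefox\Extensions"),
    ("HKCU", r"SOFTWARE\Mozilla\Firefox\Extensions"),
]
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HIDDEN_RE = re.compile(r"<em:hidden>\s*true\s*</em:hidden>", re.I)  # Firefox 3 'hide from Add-ons' flag
ID_RE = re.compile(r"<em:id>\s*([^<\s]+)\s*</em:id>", re.I)

def rdf_path(install_dir):
    return install_dir.rstrip("\\") + "\\install.rdf"

def audit_registrations(registrations, read_file):
    """registrations: (value name, install folder) pairs as stored under REG_KEYS.
    read_file(path) returns the file text, or None if the file does not exist.
    A registration is flagged when its folder has no install.rdf, the manifest asks
    to be hidden from the Add-ons list, or the manifest id differs from the value name."""
    findings = []
    for ext_id, install_dir in registrations:
        reasons = []
        rdf = read_file(rdf_path(install_dir))
        if rdf is None:
            reasons.append("no install.rdf in registered folder")
        else:
            if HIDDEN_RE.search(rdf):
                reasons.append("hidden from Add-ons list")
            m = ID_RE.search(rdf)
            if m and m.group(1) != ext_id:
                reasons.append("manifest id %s differs from registry value name" % m.group(1))
        findings.append({"id": ext_id, "path": install_dir, "reasons": reasons,
                         "guid_style": bool(GUID_RE.match(ext_id)),  # context only; legitimate add-ons use GUIDs too
                         "suspicious": bool(reasons)})
    return findings

def registrations_from_registry():
    """Collect the live registrations (Windows only; standard winreg module)."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for root, subkey in REG_KEYS:
        try:
            key = winreg.OpenKey(roots[root], subkey)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)  # raises OSError past the last value
            except OSError:
                break
            found.append((name, str(data)))
            index += 1
    return found

# Constructed sample (not data from the thread): one ordinary registration and one
# that hides itself, sitting in a temp folder named after its own GUID.
SAMPLE_REGISTRY = [
    ("toolbar@vendor.example", r"C:\Program Files\Vendor\FirefoxExt"),
    ("{1e6a3f52-9b0c-4d8e-a1f3-5c2b7e9d0a41}",
     r"C:\Documents and Settings\user\Local Settings\Temp\{1e6a3f52-9b0c-4d8e-a1f3-5c2b7e9d0a41}"),
]
SAMPLE_FILES = {
    rdf_path(SAMPLE_REGISTRY[0][1]): "<RDF><Description><em:id>toolbar@vendor.example</em:id></Description></RDF>",
    rdf_path(SAMPLE_REGISTRY[1][1]): "<RDF><Description><em:id>{1e6a3f52-9b0c-4d8e-a1f3-5c2b7e9d0a41}</em:id>"
                                     "<em:hidden>true</em:hidden></Description></RDF>",
}

if __name__ == "__main__":
    live = sys.platform == "win32"
    regs = registrations_from_registry() if live else SAMPLE_REGISTRY
    read = (lambda p: open(p, errors="replace").read() if os.path.exists(p) else None) if live else SAMPLE_FILES.get
    for f in audit_registrations(regs, read):
        print(("SUSPECT " if f["suspicious"] else "ok      ") + f["id"], f["path"], "; ".join(f["reasons"]))
```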
Title: Re: Devastating virus/worm attack
Post by: DavidR on December 19, 2008, 06:58:18 PM
Thanks for the update.
Title: Re: Devastating virus/worm attack
Post by: cromag on December 22, 2008, 01:45:20 AM
Thanks, all, for the info and help.

And thanks, jpshortstuff , for your removal tool!  I ran it under supervision and Google, at least, seems to be working properly now -- no more side-trips.  Screwed up my Christmas shopping, though.  >:(



Anyway, SUPERAntiSpyware is still acting strangely in the Registry, so I'm still trying to figure out what's going on there!
Title: Re: Devastating virus/worm attack
Post by: DavidR on December 22, 2008, 02:18:28 AM
I would suggest uninstalling SAS, reboot, download the latest version and install again.
Title: Re: Devastating virus/worm attack
Post by: klynch_gdd on December 23, 2008, 03:03:30 PM
First off - THANK YOU for the gooredfix. This was driving me crazy, I knew it was an issue with google and firefox. And when I ran firefox in safe mode and the issue disappeared I knew it was an issue with an addon or plugin. But I still couldn't find the offender. Gooredfix found it in two seconds, and removed it without issue. Now my google searches are fine.

I use Avast and support your efforts. I most likely won't come back to this forum unless I see or have issues on something else I can't figure out. So, to all involved a hearty THANK YOU!!!

Kevin Lynch
Professional Computer Geek
California
Title: Re: Devastating virus/worm attack
Post by: jpshortstuff on December 24, 2008, 10:08:10 AM
Hi Kevin, glad to hear GooredFix helped you out.

I have put a guide up for removal of this infection using GooredFix:
http://www.247fixes.com/forums/index.php?showtopic=2710

I think you may have to register at the forums to see the guide, but it's free as usual and very quick. I believe another forum in the Malware Removal community will also have a guide up shortly.

Hopefully people will start getting these guides and removal information topics (like this one) when they search for their symptoms through a search engine (from another browser though, otherwise they won't get anywhere ;))

Cheers,

-jp