Author Topic: Google redirects - Secure Connection Failed google.com:443  (Read 14352 times)


surfy

  • Guest
Google redirects - Secure Connection Failed google.com:443
« on: April 21, 2010, 12:49:41 PM »
Hello,

I am trying to help my son fix his laptop. Every time he opens Mozilla Firefox he gets a pop-up message that Secure Connection Failed www.google.com:443 uses an invalid security certificate. The pop-up message appears every 5 minutes or so.
I uninstalled Mozilla and tried to download again. I googled Mozilla and tried to get on the site to download but it wouldn't download. I went back to google's results and tried a different site. On some links there was a redirect and Avast blocked the site due to it having malicious code. I was able to download Mozilla by logging on to the computer as a regular user as opposed to an admin.
If I google Mozilla on Mozilla Firefox or IE and hover the cursor over the results I can see that many will be redirected.


I have attached a Malwarebytes log

I tried to run OTL but it starts scanning and then it says Invalid File: Not a cabinet File.
C:\System rollback data\Restore Archive\00000023\00000001\0\Attrib\Windows\Driver Cache


Any help is greatly appreciated.

Jtaylor83

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #1 on: April 21, 2010, 04:28:30 PM »
That means you may either have the Alureon/TDSS Rootkit or Goored.

Please Download GMER.

Extract the contents of the zipped file to desktop.

Double click GMER.exe.


    * If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
    * In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
          o IAT/EAT
          o Drives/Partition other than Systemdrive (typically C:\)
          o Show All (don't miss this one)


    * Then click the Scan button & wait for it to finish.
    * Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    * Save the log where you can easily find it, such as your desktop.

**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.

surfy

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #2 on: April 22, 2010, 12:01:29 AM »
Hello,

Thank you for replying to my topic.

I tried running this tool but the computer took a couple of hours and when it was time to save it became unresponsive. It froze and wouldn't let me do anything. I had to manually shut the computer. I turned it on and tried again but same thing happened. I have Antivirus off, I am not doing any work on it so it can run freely. I even tried renaming the file.

Last week when I started to suspect that something may be wrong I ran a scan. I have attached the log. I wanted to post a more recent one but I can't get past this problem.


Jtaylor83

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #3 on: April 22, 2010, 01:23:17 AM »
Please follow essexboy's instructions.


Edit: You don't seem to have a rootkit which is good news.
« Last Edit: April 22, 2010, 04:19:13 AM by Jtaylor83 »

surfy

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #4 on: April 22, 2010, 10:57:52 AM »
Hello,

Thank you for your reply. I managed to get a GMER log today and was able to save.

I followed essexboy's instructions but I can't get the OTL scan to complete.
I have tried several times but keep getting
Invalid File: Not a cabinet File.
C:\System rollback data\Restore Archive\00000023\00000001\0\Attrib\Windows\Driver Cache

Is there a way around this?

Thank you for your help.

Hermite15

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #5 on: April 22, 2010, 11:13:00 AM »
Some proxies are also the cause of such pop-ups from Google or Mozilla secured sites (https).

surfy

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #6 on: April 22, 2010, 11:22:26 AM »
Is there something I can check for that?
However, the redirects are a definite sign that something is wrong. I tried to google Alureon/TDSS Rootkit and I noticed that there was a redirect. I just hovered over the link and I see it will take me somewhere else. I googled the same search with another computer and hovered over the results and there is no redirect there.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #7 on: April 23, 2010, 12:02:19 AM »
Hi, reference the sticking on the cab file. OT has now fixed that error so you will need the latest version. Are the redirects in FF only?

 Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

surfy

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #8 on: April 23, 2010, 12:20:32 AM »
Hello,
I downloaded the new version (that was very quick adding a new version). Thank you so much.  :)
It is currently scanning so I am using another computer to post.
The redirects also occur with IE8. 

surfy

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #9 on: April 23, 2010, 07:24:19 AM »
Please see the logs attached.
 :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #10 on: April 23, 2010, 08:18:14 PM »
Hi surfy & essexboy,

Some background reading from a report by MBAM's miekiemoes:
http://miekiemoes.blogspot.com/2009/06/searchengine-redirects-it-could-be.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

Re: Google redirects - Secure Connection Failed google.com:443
« Reply #11 on: April 23, 2010, 08:37:44 PM »
OK, looks like it played havoc with your host file so I will fix that first - were you able to GMER?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
[2010/04/21 18:57:35 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Alex\?p?f??e?a e??as?a?\abc.exe
[2010/02/15 12:50:41 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\4fc239b
[2010/02/14 20:04:04 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\SATJYTV

:Files
c:\program files\premieropinion

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
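
A read-only check for the hosts-file tampering mentioned in the reply above, as an added example that is not part of the original thread or of OTL: it flags hosts entries that pin a watched domain to a non-loopback address. The watched domains, the sample file content and the function names are assumptions made for this example.

```python
import ipaddress

# Domains to watch: an assumption for this example, chosen from the symptom in the thread.
WATCHED = ("google.com", "mozilla.com", "mozilla.org")

# Constructed sample hosts content (not taken from the thread's logs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.example.net        # blocklist-style entry, harmless
203.0.113.10    www.google.com google.com
203.0.113.10    www.mozilla.com   # trailing comment
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each well-formed hosts entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skipped here
        if len(fields) > 1:
            yield no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def suspicious_entries(text, watched=WATCHED):
    """Return (line_no, ip, hostname) for watched domains pinned to a real address."""
    hits = []
    for no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries only block, they do not redirect
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watched):
                hits.append((no, str(ip), name))
    return hits

if __name__ == "__main__":
    for no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip}")
```

To audit a real machine, pass the text of `%SystemRoot%\System32\drivers\etc\hosts` to `suspicious_entries`.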

surfy

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #12 on: April 23, 2010, 09:00:20 PM »
Hello,
Thank you for your reply.
I have posted a recent GMER. Please see attachment in Reply #4. I named the file logc.
I will start the scans now and post when they have completed.
Thanks again..

Offline essexboy

Re: Google redirects - Secure Connection Failed google.com:443
« Reply #13 on: April 23, 2010, 09:03:31 PM »
Oops, I see it now and it looks OK

surfy

  • Guest
Re: Google redirects - Secure Connection Failed google.com:443
« Reply #14 on: April 23, 2010, 10:49:31 PM »
Hello,

I just completed the requested scans. I opened Mozilla and there was no Secure Connection Failed pop up.. :D
Just a note. The abc.exe file on the desktop is actually the GMER.exe. I renamed it when I had trouble running the tool.

Please see attached logs.

Thanks again for your help.