Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: evbrown on October 31, 2008, 05:19:05 PM

Title: go.Google virus cleaned!
Post by: evbrown on October 31, 2008, 05:19:05 PM
This is my first post here. I have learned a great deal by reading messages on this forum and thought I should return the favor by sharing what has worked for me.

I am not sure how, but my PC received what I call the go.Google virus. It manifests when you do a Google search: the list of sites it pops up all redirect to advertising sites via go.Google. This redirects under both IE and Firefox. Curiously, it does not redirect under the SeaMonkey browser.

When you try to run Avast, it does not let you connect to update your database, and when you run the scan it tells you no viruses found. Not!

This nasty virus has another behavior: it removes the safeboot option from the registry. So when you try to do an F8 safeboot to run cleaning programs, that is no longer available. I have read about getting to safeboot via msconfig, but never got around to trying that; I used a different method.

One other interesting behavior: when Windows is shutting down, and the “Saving your settings” screen is displayed, there is a barely perceptible flicker and the words shift slightly on the screen. I assume that the virus is working at that time to ensure that it has squirreled itself back in place prior to shut down.

Here is what I did:

To get around the safeboot problem, I created a BartPE boot disk via the instructions here: http://www.nu2.nu/pebuilder/. Once booted from BartPE, I needed a self-installed virus checker. The ones that need to be installed try to install to the boot CD, which will not work. I used Cure-It, obtained from here: http://www.freedrweb.com/cureit/

The Cure-it program found and deleted the various entries: tdssdata.dll, tdssinit.dll, tdmain.dll, etc.

After the Cure-it program ran, I rebooted and ran Avast. This time it successfully updated. I ran a full scan and Avast found one additional remnant and deleted: C:\Windows\System32\tdssadw.dll

To restore the F8 functionality, I merged the .reg file found here: http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

All appears to be back to normal now. I am sure there are other programs that will do the same thing, I am just sharing what worked for me.

Thanks to all who give of their time here to help others in need. You are true servants!
Title: Re: go.Google virus cleaned!
Post by: CharleyO on October 31, 2008, 07:36:02 PM

Welcome to the forums, evbrown.   :)

While you have done very well, your computer may not be completely clean.

From my research, it appears you had a rootkit, trojan, and/or other malware.

I suggest you also download, update, and run malwarebytes antimalware.

http://www.malwarebytes.org/mbam.php   (you can use it for free)


Title: Re: go.Google virus cleaned!
Post by: essexboy on October 31, 2008, 07:42:18 PM
Yep, the tdserve rootkit is quite nasty.

> I have read about getting to safeboot via msconfig, but never got around to trying that, I used a different method.

If you did that you would be in a permanent boot loop, and the only way to cure that would be to use your XP CD and recovery console to replace the boot.ini/boot.cfg files.  You were very lucky.
Title: Re: go.Google virus cleaned!
Post by: evbrown on November 01, 2008, 07:33:07 PM
Thank you CharleyO,

That was good advice. The Malwarebytes picked up more remnants missed by the other two programs.

Thanks again to all who serve here!
Title: Re: go.Google virus cleaned!
Post by: Lisandro on November 02, 2008, 10:57:42 PM
> The Malwarebytes picked up more remnants missed by the other two programs.

To be sure you're clean, I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) (again) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or at this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Disable System Restore and then re-enable it.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: go.Google virus cleaned!
Post by: evbrown on November 08, 2008, 05:10:50 AM
Hi Tech,

I ran DrWeb CureIT!, SUPERantispyware, MBAM, avast! antirootkit, and the regular Avast program. All was good. Here is what HijackThis showed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:58 PM, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: G start.lnk = G:\A.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

End of file - 4388 bytes


Spot any unresolved problems?


Title: Re: go.Google virus cleaned!
Post by: DavidR on November 08, 2008, 04:38:37 PM
> A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack.
> We didn't detect any active process of a firewall on your system. Reasons may be:
> (1.) You are using the windows firewall or a hardware firewall.
> (2.) You are using a firewall of an unknown vendor.
> (3.) You are using a firewall, but for unknown reasons it is disabled.
> (4.) You don't use any firewall at all.

> O4 - Global Startup: G start.lnk = G:\A.bat

What is the G: drive?
If it is a USB drive, you shouldn't have it permanently left in your system, so there really shouldn't be a global startup for a temporary USB flash drive.
So I can only think that the PStart is on the USB for portable applications?

If you don't know what the a.bat file on G: is, or didn't create it, try to find the a.bat file, open it with Notepad and check the contents; this could be used to start other malware files.
I would suggest it isn't a good idea to leave the portable drive in your system whilst doing this analysis.

Suspect: upload the file/s to VirusTotal; send a sample to avast if there are multiple detections at VT, and fix in HJT (see below).
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here in the topic.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.
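Reading a HijackThis log by hand, as DavidR does above, is tedious on a long log. The Python below is an added example, not code from the thread or from HijackThis: it parses the O4 (autostart) and O23 (service) line formats shown in the log and flags the kind of entry he questioned, an autostart on a non-system drive, a script launched at startup, or a service with an unknown owner. The sample lines are constructed from the thread's log format; the heuristics and the assumption that C: is the only fixed drive are mine.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis log format seen in the thread (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: G start.lnk = G:\A.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

SYSTEM_DRIVES = {"C"}                                  # assumption: C: is the only fixed drive
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".wsf"}   # interpreted scripts rather than binaries

@dataclass
class Entry:
    section: str
    name: str
    path: str
    owner: str = ""
    flags: list = field(default_factory=list)

def _clean_path(raw):
    """Strip surrounding quotes and trailing switches (e.g. ' -osboot') from a path."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:].split('"', 1)[0]
    return re.split(r"\s+[-/]", raw, maxsplit=1)[0]

def parse_hjt(text):
    """Return the O4 (autostart) and O23 (service) entries of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"O4 - Global Startup: (.+?) = (.+)$", line):
            entries.append(Entry("O4", m.group(1), _clean_path(m.group(2))))
        elif m := re.match(r"O4 - HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.+)$", line):
            entries.append(Entry("O4", m.group(1), _clean_path(m.group(2))))
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)   # name - owner - path
            if len(parts) == 3:
                entries.append(Entry("O23", parts[0], _clean_path(parts[2]), owner=parts[1]))
    return entries

def flag(entry):
    """Attach review heuristics to an entry; these are the reviewer's own, not HijackThis logic."""
    drive = re.match(r"([A-Za-z]):\\", entry.path)
    if drive and drive.group(1).upper() not in SYSTEM_DRIVES:
        entry.flags.append("starts from non-system drive " + drive.group(1).upper() + ":")
    if ntpath.splitext(entry.path)[1].lower() in SCRIPT_EXT:
        entry.flags.append("script rather than a binary launched at startup")
    if entry.owner.lower() == "unknown owner":
        entry.flags.append("service with no registered owner")
    return entry.flags

def review(text):
    """Map entry name -> flags for every entry that raised at least one flag."""
    return {e.name: e.flags for e in parse_hjt(text) if flag(e)}
```

On the sample, `review(SAMPLE_LOG)` flags only `G start.lnk` (non-system drive plus script) and `MPService` (unknown owner); the benign entries, like evbrown's MultiPASS service, still need a human to confirm them.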
Title: Re: go.Google virus cleaned!
Post by: evbrown on November 08, 2008, 08:14:27 PM
Those files are fine. PStart is a menuing application for the kicker. A.bat just starts pstart, if the USB is inserted after my startup files have run. I named it a.bat so it is at the top of the list.

Thanks. Looks like I am good for now.
Title: Re: go.Google virus cleaned!
Post by: DavidR on November 08, 2008, 09:18:43 PM
Other than a firewall that provides outbound protection and an update to SP3, that is ;D

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

You might also want to pay a visit to this site http://secunia.com/software_inspector/ (http://secunia.com/software_inspector/); as it says on the tin, it checks your software, so that those applications that may have exploits if out of date are checked to see if you are up to date.
Title: Re: go.Google virus cleaned!
Post by: IDTPJules on December 17, 2008, 12:13:32 PM
We identified this back in October... it required some work to remove this trojan.... also we ran Avast 4.7 boot scan to complete the job on all our computers.... it found other nasties too! Safe surfing folks! :o

If you do have the 'go-google.com' virus here's what you should do to remove it, allow you to search in safety again and allow your security download updates to work: :) - we've removed this from many computers in recent weeks - here we go:  :D

> Go to Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

> Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.

> Then search for “TDSSserv.sys”

> Right click on it, and select “Disable”

Note: If you select Uninstall, it will install itself again when you reboot the system, so DON’T select Uninstall.

> Restart your computer

Now I suggest you download Malwarebytes http://www.id-theftprotect.com/redir_adv.php?adv_id=563 (this is our safe link - cut and paste into your browser and you'll be taken straight to the download pages) and then run the scan and fix the problems it finds.

Best, Julian Evans
Title: Re: go.Google virus cleaned!
Post by: DavidR on December 17, 2008, 03:58:51 PM
Thanks for the input Julian.

Welcome to the forums.