Author Topic: Devastating virus/worm attack  (Read 31045 times)


cromag

  • Guest
Re: Devastating virus/worm attack
« Reply #15 on: December 18, 2008, 03:39:01 AM »
Not a professional, I don't do this as a job ;D

However, as far as I'm aware:
a) not yet.

I would have thought that it would be the likes of MBAM or SAS or other specific anti-spy/malware tools that scan the registry which would start to detect this as there doesn't seem to be a specific file to hunt down and identify.

I guess because this has been slow to happen some kind soul put together the gooredfix tool.

b) in this case it is harder to detect as it doesn't have an active file or it may be hidden by rootkit, so it is always going to be a game of catch up. Malware writers are always going to try to get more creative and that may lead to harder to detect malware until the catchup happens.



I don't know how it's defending itself, but as I noted in my opening post, scanning the Registry comes up clean, but SUPERAntiSpyware acts very strangely in the Registry:

Quote
Other than that, SUPERAntiSpyware acts ... strangely ... when scanning my Registry.  It increments a file counter as it scans each file but, when it gets to a certain count in my Registry the filenames begin to fly by very quickly, but the file counter does not increment.  What I can catch of these uncounted filenames includes some of the sites I've been redirected to, as well as sexually explicit names, and words like "porno" and "poker."  After 5 to 10 minutes of this the file names slow down and the file counter begins incrementing again.


While the suspicious entries are flying by the "Pause" button in SUPERAntiSpyware doesn't work.  When you click on "Pause" the button changes to "Resume" but the filenames still fly by.  After they start incrementing again the "Pause" button works properly.

« Last Edit: December 18, 2008, 03:41:22 AM by cromag »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89394
  • No support PMs thanks
Re: Devastating virus/worm attack
« Reply #16 on: December 18, 2008, 03:13:50 PM »
My reply that you have quoted was in relation to the post above it by MO770 about the comments/questions 1, 2, in Reply #13.

Not directly to you.

I tend not to even watch the SAS scan I go and have a cup of tea, etc. and come back when it is finished, so I haven't noticed that issue as I never tried pausing if I happened to be there during a scan. I would only be concerned if there were any errors displayed to the screen.

I would curtail the test google searches you are doing because one of the redirects could potentially be to a malicious site, which could be much more serious, rather than one just trying to make a fast buck.

So I would try the goored fix tool.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jpshortstuff

  • Guest
Re: Devastating virus/worm attack
« Reply #17 on: December 19, 2008, 12:22:58 PM »
Hi there,

I don't know how it's defending itself, but as I noted in my opening post, scanning the Registry comes up clean, but SUPERAntiSpyware acts very strangely in the Registry:
Goored isn't defending itself, it has no capability to do so (yet). The issue you are having will be the consequence of something else.

As for why it isn't detected by MBAM yet, well, the developers have a sample and they have all the information they need about the infection. I would think that they just haven't got round to it yet.

GooredFix was written purely to automate the process of identifying the infected folder and registry value, making the life of helpers on Malware forums easier. You are right, it came about because it turned out the AVs, MBAM, SAS and other general ASs weren't getting it. There is nothing special about this infection really, it doesn't try and hide itself other than making the plugin hidden from Firefox's Add-Ons list. The installer might be bundled with other Malware, but as of yet this is undetermined (still looking for the source of this one).

Cheers,

-jpshortstuff

Offline DavidR

Re: Devastating virus/worm attack
« Reply #18 on: December 19, 2008, 03:55:38 PM »
Hi jpshortstuff,
Thanks for the input and welcome to the forums.

jpshortstuff

  • Guest
Re: Devastating virus/worm attack
« Reply #19 on: December 19, 2008, 05:10:10 PM »
Thanks David :)

Incidentally, Goored works with JavaScript, so disabling JavaScript in your browser should stop the redirects while you are waiting for the solution that you choose.

GooredFix Option#1 is completely non-invasive and will only perform a very quick (practically instantaneous) scan to detect any presence of the infection. I made some big changes (version 1.5 now) yesterday to improve the method it uses for detection and removal of the infection. Give it a spin :)

-jpshortstuff

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Devastating virus/worm attack
« Reply #20 on: December 19, 2008, 05:36:21 PM »
Hi and welcome jpshortstuff - goored worked for me last time I used it on G2G so I guess I will have to look at the latest version on my machine Ta  ;D

jpshortstuff

  • Guest
Re: Devastating virus/worm attack
« Reply #21 on: December 19, 2008, 05:47:40 PM »
goored worked for me last time I used it on G2G so I guess I will have to look at the latest version on my machine Ta  ;D
You can check the topic at GeeksToGo for detailed descriptions of all the changes and why they were made. We were still getting 100% detection and 0 FPs with the old versions, but the latest will be secure and versatile, and easier to update if new variants are released.


Offline DavidR

Re: Devastating virus/worm attack
« Reply #22 on: December 19, 2008, 06:30:13 PM »
I have just downloaded the latest version and did a trial run and I noticed the actual log is much lighter (I wouldn't expect to see much in the log as my system is clean).

I also see there is now no
=====List of possible loading points===== section.

Is that by design or just because there are none, that might be considered a possible goored loading point ?

jpshortstuff

  • Guest
Re: Devastating virus/worm attack
« Reply #23 on: December 19, 2008, 06:35:32 PM »
It is by design. There is no longer a need for that section as the registry value and infected folder is enough. The tool will also no longer remove the loading point - Firefox refreshes them and will remove it once the registry value is removed.

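The post above says the infection is reduced to a registry value pointing at a folder, and that Firefox rebuilds its own loading points once that value is gone. As an added example (not part of this thread and not GooredFix's code), the following PowerShell snippet lists every add-on that Firefox is told to load through the Windows registry, so a helper can compare that list against what the Add-ons window shows. It assumes the value in question lives under the standard Firefox extension-registration keys (`HKLM`/`HKCU` `...\Mozilla\Firefox\Extensions`, plus the `Wow6432Node` variant on 64-bit Windows); the thread itself does not name the key, and `install.rdf` is the manifest of the 2008-era add-ons discussed here.

```powershell
# Added example: enumerate add-ons registered with Firefox via the Windows registry.
# Assumption (not stated on the page): the registry value jpshortstuff refers to is
# one of the standard Firefox extension-registration values below. Each value name is
# an add-on ID and its data is the folder Firefox is told to load the add-on from.
$roots = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    $key = Get-Item $root
    foreach ($name in $key.GetValueNames()) {
        $folder = [string]$key.GetValue($name)
        $exists = Test-Path -LiteralPath $folder
        # install.rdf is the add-on manifest for the Firefox versions discussed in this thread.
        $hasManifest = $exists -and (Test-Path -LiteralPath (Join-Path $folder 'install.rdf'))
        [pscustomobject]@{
            Key           = $root
            AddOnId       = $name
            Folder        = $folder
            FolderExists  = $exists
            HasInstallRdf = $hasManifest
        }
    }
}

# Report only; nothing is removed. Entries whose folder exists but whose add-on does
# not show in Firefox's Add-ons list are the ones worth examining by hand.
$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the `HKLM` keys are readable. The script deliberately only reports: whether a registered folder is legitimate (a vendor add-on, an enterprise deployment) or unwanted is a judgement for the helper looking at the log, and removal of the value is what tools such as GooredFix handle once that judgement has been made.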
Offline DavidR

Re: Devastating virus/worm attack
« Reply #24 on: December 19, 2008, 06:58:18 PM »
Thanks for the update.

cromag

  • Guest
Re: Devastating virus/worm attack
« Reply #25 on: December 22, 2008, 01:45:20 AM »
Thanks, all, for the info and help.

And thanks, jpshortstuff , for your removal tool!  I ran it under supervision and Google, at least, seems to be working properly now -- no more side-trips.  Screwed up my Christmas shopping, though.  >:(



Anyway, SUPERAntiSpyware is still acting strangely in the Registry, so I'm still trying to figure out what's going on there!

Offline DavidR

Re: Devastating virus/worm attack
« Reply #26 on: December 22, 2008, 02:18:28 AM »
I would suggest uninstalling SAS, reboot, download the latest version and install again.

klynch_gdd

  • Guest
Re: Devastating virus/worm attack
« Reply #27 on: December 23, 2008, 03:03:30 PM »
First off - THANK YOU for the gooredfix. This was driving me crazy, I knew it was an issue with google and firefox. And when I ran firefox in safe mode and the issue disappeared I knew it was an issue with an addon or plugin. But I still couldn't find the offender. Gooredfix found it in two seconds, and removed it without issue. Now my google searches are fine.

I use Avast and support your efforts. I most likely won't come back to this forum unless I see or have issues on something else I can't figure out. So, to all involved a hearty THANK YOU!!!

Kevin Lynch
Professional Computer Geek
California

jpshortstuff

  • Guest
Re: Devastating virus/worm attack
« Reply #28 on: December 24, 2008, 10:08:10 AM »
Hi Kevin, glad to hear GooredFix helped you out.

I have put a guide up for removal of this infection using GooredFix:
http://www.247fixes.com/forums/index.php?showtopic=2710

I think you may have to register at the forums to see the guide, but it's free as usual and very quick. I believe another forum in the Malware Removal community will also have a guide up shortly.

Hopefully people will start getting these guides and removal information topics (like this one) when they search for their symptoms through a search engine (from another browser though, otherwise they won't get anywhere ;))

Cheers,

-jp