Author Topic: Devastating virus/worm attack  (Read 31063 times)


cromag

  • Guest
Devastating virus/worm attack
« on: December 13, 2008, 04:33:20 AM »
Hello.  I'm an Avast! Home user, the free edition.

Thursday, December 4, I suffered a pretty devastating virus/worm attack.  I will probably end up re-installing everything from scratch, but I wanted to run this past you guys, as well as some odd behavior that preceded the attack -- it may or may not be related.

On Thursday, November 27, when I started my computer, Windows XP SP3 popped up an alert that my antivirus program was out of date.  I opened Avast!, but it reported that it was fully up to date.  I eventually discovered that my computer's clock was showing the wrong month -- it showed the correct time of day and date, but it was showing December instead of November.  I assumed it was a flaw in Windows and reset my clock.

Exactly one week later, on December 4, when I turned on my computer and ran Ad-Aware, it showed one of my programs to be a Trojan.  I've had the program for a year, but had not used it in 6 to 8 months.  Since I was confused by the report I (unfortunately) did not delete or quarantine it.  Instead I ran Malwarebytes Anti-Malware.  I immediately began getting alarms from Avast! about new Trojans being found, and too many identical outgoing emails.  MBAM eventually stopped the active attack.

I ran MBAM again, Spybot S&D, and SUPERAntiSpyware -- as well as Avast!  All scans are coming up as "no infected files found" ... but something is definitely going on.



My continuing obvious symptom is that Google searches are often, but not always, redirected.  The redirection often passes through sites that are reportedly involved in cyber-crime.

Other than that, SUPERAntiSpyware acts ... strangely ... when scanning my Registry.  It increments a file counter as it scans each file but, when it gets to a certain count in my Registry the filenames begin to fly by very quickly, but the file counter does not increment.  What I can catch of these uncounted filenames includes some of the sites I've been redirected to, as well as sexually explicit names, and words like "porno" and "poker."  After 5 to 10 minutes of this the file names slow down and the file counter begins incrementing again.

Then, on Tuesday, December 9, I got 6 automatic updates from Microsoft.  They seemed legitimate.  When I booted up after the updates were downloaded my desktop was replaced with a white screen warning me that Windows had encountered an unexpected error and was turning off my active desktop as a precaution.

So, something is still wrong.



I am waiting for someone else to check my HijackThis logs, but I'm assuming I will need to do a format and full system reinstall.

Mostly, I wanted to report this.
« Last Edit: December 13, 2008, 05:43:38 AM by cromag »

Jtaylor83

  • Guest
Re: Devastating virus/worm attack
« Reply #1 on: December 13, 2008, 05:48:29 AM »
Download HiJackThis and post a log here.

newbie7

  • Guest
Re: Devastating virus/worm attack
« Reply #2 on: December 13, 2008, 12:33:34 PM »
Make sure you follow these procedures before performing a scan.

*Tick show hidden files and folders
*Un-tick hide extensions for known file types (maybe not necessary, but just un-tick to scan thoroughly)
*Un-tick hide protected operating system files (maybe not necessary, but just un-tick to scan thoroughly)
*Turn off system restore
*Restart computer in safe mode [F8] key

Then run any scan in safe mode; best is one scan at a time.



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89402
  • No support PMs thanks
Re: Devastating virus/worm attack
« Reply #3 on: December 13, 2008, 03:00:23 PM »
What browser are you using (for the google redirects there is something like this in firefox called google.goored)?

Try an avast boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.

I don't know if you ran SAS and MBAM from safe mode (as newbie7 mentioned) as they are more effective from there. http://www.pchell.com/support/safemode.shtml
« Last Edit: December 13, 2008, 03:03:17 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cromag

  • Guest
Re: Devastating virus/worm attack
« Reply #4 on: December 14, 2008, 12:19:04 AM »
Thanks, newbie7 -- that is how I ran them.

DavidR, yes, I was reluctant to mention the devil's name (I didn't want to lead anyone there), but that is one of the places I pass through when redirected.  I am using Firefox 3.0.4.  I hadn't thought to schedule a boot-time scan.

I am waiting for someone to check my HijackThis log, and promised I would not make any changes to the system until they got back to me.  I'll keep you folks posted, and I am interested in anyone's advice or opinion.

Thanks again.

cromag

  • Guest
Re: Devastating virus/worm attack
« Reply #5 on: December 14, 2008, 05:41:25 AM »
One additional symptom, perhaps?

Twice since the viruses first hit me last week I've discovered my computer "on" when I know I turned it "off."  The most recent episode was this evening: about an hour and a half after turning it off (and waiting to confirm it really was OFF) I looked over and saw the power light on.  I turned on the monitor and my desktop was there, as if normal.

I have no indication what, if anything, was going on.



To paraphrase the immortal Doctor Johnny Fever, "When someone is out to get you, paranoia is just good thinking."

YoKenny

  • Guest
Re: Devastating virus/worm attack
« Reply #6 on: December 14, 2008, 08:45:01 AM »
cromag, check the Power settings for the LAN card or other adapters for resuming power settings.

cromag

  • Guest
Re: Devastating virus/worm attack
« Reply #7 on: December 17, 2008, 04:53:07 AM »
Thanks, YoKenny.  Actually, my connection is right at my desk, so I've started unplugging from the internet when I shut down.  It's only been a couple of days, but so far no more unattended "power ups."

cromag

  • Guest
Re: Devastating virus/worm attack
« Reply #8 on: December 17, 2008, 04:55:41 AM »
What browser are you using (for the google redirects there is something like this in firefox called google.goored) ?
...

DavidR, is there some known (but unknown to me) significance to the goored redirection?


And I'm also getting some through a site called goougly ... and some others.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89402
  • No support PMs thanks
Re: Devastating virus/worm attack
« Reply #9 on: December 17, 2008, 03:45:09 PM »
The significance is that this seems to be a redirection of google on firefox (as the quoted text states). I have no idea what form that redirection takes or where it ends up. There is a tool which is for use in the case of firefox to try and resolve the goored issue.

So it would have been nice if you had also said what browser you used when answering a question with a question ;D

cromag

  • Guest
Re: Devastating virus/worm attack
« Reply #10 on: December 17, 2008, 06:05:33 PM »
The significance is that this seems to be a redirection of google on firefox (as the quoted text states). I have no idea what form that redirection takes or where it ends up. There is a tool which is for use in the case of firefox to try and resolve the goored issue.

So it would have been nice if you had also said what browser you used when answering a question with a question ;D

Sorry.  I guess I should feel lucky that I'm new at this kind of problem.

I am running Firefox 3.0.4.


The redirects are most obvious when searching for a consumer product and I get sent to a different shopping service.  For instance in a recent test I searched for "Cassette tape."  The first site on the list that Google returned was for Wikipedia, and I got there with no problem.  The second site was for "designboom.com," and when I tried to go there I was redirected -- this time via "goougly," but otherwise the same symptoms.

From Firefox's history:

Code:
http://www.google.com/search?q=cassette+tape&sourceid=navclient-ff&ie=UTF-8&rlz=1B3GGGL_en___US228
http://en.wikipedia.org/wiki/Compact_audio_cassette
http://goougly.com/c.php?url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCompact_audio_cassette&p=0

And from there I was sent to "couponmountain" instead of "designboom."



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89402
  • No support PMs thanks
Re: Devastating virus/worm attack
« Reply #11 on: December 17, 2008, 07:16:19 PM »
Well, first, Firefox 3.0.5 is now available and I would suggest that you update, as there have been a number of security issues fixed; I don't know if this is one.

I would guess that goougly.com tried to pass itself off as Google?

Before trying the tool below I would suggest you first do as suggested in the first reply, download hijackthis and post the contents of the log file.



####
Another tool just released to find the goored FF malware and remove it

FIND

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

FIX

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
« Last Edit: December 17, 2008, 07:18:17 PM by DavidR »

MO770

  • Guest
Re: Devastating virus/worm attack
« Reply #12 on: December 18, 2008, 12:52:27 AM »
I had the same problem with my Firefox redirecting on Google Searches.  It usually happened every other click.  I was starting to get upset because I could not clear it out.

I had run Spybot S&D as well as Malwarebytes and ended up with nothing. Avast, showed nothing either.

I did a search for www.goougly.com and got linked here.  I then had to search just goougly and got this thread.

I ran GooredFix and got the log list.  Most of the offending locations were of the {CAJ78394237&-GENERAL GARBAGE HERE} variety.  So I shutdown Firefox and nuked them manually.

Thus far I've deleted {} Bracketed directories with impunity on a few hundred machines during spy sweeps and never had an issue yet.  I didn't comb the registry for the Firefox Plugins, but the directory had nothing out of order, QuickTime, Adobe, Etc. 

I ran the fix anyway, and what I had deleted would have been what GooredFix would have fixed. Or at least that's how it appeared to me.

Thus far under minor tests, I've not had a redirect.

Now, as a professional, I have questions for the other professionals: 1) is there anything that detects Goored? 2) Is this symptomatic of a larger and harder-to-detect infection of some sort?


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89402
  • No support PMs thanks
Re: Devastating virus/worm attack
« Reply #13 on: December 18, 2008, 01:26:11 AM »
Not a professional, I don't do this as a job ;D

However, as far as I'm aware:
a) not yet.

I would have thought that it would be the likes of MBAM or SAS or other specific anti-spy/malware tools that scan the registry which would start to detect this, as there doesn't seem to be a specific file to hunt down and identify.

I guess because this has been slow to happen some kind soul put together the gooredfix tool.

b) in this case it is harder to detect as it doesn't have an active file, or it may be hidden by a rootkit, so it is always going to be a game of catch-up. Malware writers are always going to try to get more creative and that may lead to harder-to-detect malware until the catch-up happens.

cromag

  • Guest
Re: Devastating virus/worm attack
« Reply #14 on: December 18, 2008, 03:27:33 AM »
...
I would guess that the goougly.com tried to pass itself of as Google ?
...

Not really.  The stops at "goougly", "goored", etc., are pretty much invisible.

Searches for "digital camera" are reliably redirected, so I ran one again.

This is what it looked like to me:

  • Search for "digital camera" on Google
  • First item on list is for "dpreview.com"
  • Click on the first item on list
  • Wait through a slightly longer than usual lag
  • The screen opens for a different site

This time I wound up at the Pentax site, but I usually wind up at the digital camera showroom of alibaba.com.


This is what I got from Firefox's history:
Code:
http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=en&q=digital+camera&btnG=Google+Search&aq=t
http://66.230.188.67/click.php?c=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
http://66.230.188.121/click.php?re=1&cc=eNodk8muskoAhB%2BI5Eg3Q8PiLEARGUVGYXMDdCNHQJEZwsP%2F5qaSqlQtavf97QwncF%2FbLV9abOn3d6d%2FaJFhvgG4HdK0ACBAEADmWxO1fqV3t8yO8jOOQJ03yu9OGC7NIc%2FTXJ6JEBeYhwIhOBcI5tICs%2F%2BJgKcRjUnGAQGk3x%2BCM6bAIKULgERAdnEHO7HfOBia63uTbge9S5blZbG5bLxBIMmLdjySWBPkeCznoyprWceLBAXVgIMagxr7omoVlCjie%2BT6nL7W7xB7dMMWTqeOBzAyJmoeAI%2FCQc4htSxWg8R%2B6ThH1HKGrBiEL%2FXSr4uQN%2BIxM3EuM50e5qlVMin9krGrOu2R5bMKqcPNObTHIrQJmiQjEB2oi4epzEhNymQ2krmkBKP1LVsnb5f0E%2BCwPgYOfc18pv%2BQ99RQmd0qCRXe%2BOpJmpY%2BCeFDruOUTaxPtXWRrVZZL2cJfOZlzNg3edlaSdziRXKjK2XH03CZYi7pqvANKgV9UIwVe4pSUiV3Em68vXl%2BjGfHPSVueh4i1i7CU%2Fd89U9H%2Bpg9cI5639JTtXl1fvLa4jYQTK6C0KDLtYzEHvbP8c4hlRuY%2FkyGT4h0zXt1F3vGMB%2BF90lRcrm0AjyboD4V1YP6qPE7tEMHSRxBKkg69v5Sa9OL7DasWd4HJzQHw8tI8jY5u09ZWrd%2BEvSVsq%2BV4WrjfB586fCiYQXuL1ezKXAk%2FYNzeMN7XGsNUp2xGtOfhG9Cbi4nXyxn5mGFK508Ht27X%2B2HsAzGnLSG5kULiIqenK%2BeRbUtQVuU61AxVEGJShX%2FWRPJ7ofmc17%2FPsZ4mmHsNXMwUQSP3btd%2FcxUkvZmeCVxuFdIhZPksomEDMXrjEJlWD1RcIMh60tgYelWeJjO6Ma3B0xl61pqYn5yDzg%2FjElgNjNlfmLRXb0USj2cM6SGA7UcYVKU0Ifr4J31q7LmbT5b05PjzKDbeFM%2F2yiMlPHUa7zi3IoDOKDPZkzz5XILL9U1eFHHmecohf3dEfwRhJ8vnz8MvdM7EOkfhv1yy%2FwAJHyHHe6YwYzZJG3WuBu%2BhE3yxz0zSH8x%2F187s%2BcwLM3Ifsd3nU7u2hhDcdgByr6A8QLLAIZOi%2B8JnTICS4OUR6jgxH9zSV8B&cu=3dec7bf66749ed5d4e498e9992f8c042&co=2656b67c9be392d2c9e40f3e38822bef&cr=0[/li]
http://feed.genieknows.com/yz/Monitor?enc=tJRgrWIdkZAFbcrZaQ9NstpfuRYH6SwKQN1SxziYlCEDQkv91kGdsgYlp0aEsB%2FdJBQSOqUEZppJ2TpsrKDSiENiRcE6%2BNe%2FA9nORDqqoc5dh1mdvAKcj4HrOzCvnw9FfDE8zl7N6Rti1BnVRf%2BZkdCznGGYSUMCPXgteWBsRYD1EamZH1n3IRWpxnohMfyZdKkE8H6Q7sxDGDk%2FXKbay2bYHZUAosgDGEbKKnC0ybTV0lF7GVP4xluV6lvXD2LEbyG65OVQMwpCLwH6pd3oymmXMoQ22RHAMp96SCPg7Zf6LRM067wdQ9h1gN91g%2Bs1am%2BET1XunR%2BJikhRHwSYKycTSULnmnglKCKdfNj1kTUqD%2FxvV%2BGt1%2F%2FMR%2BfI7355XCW1CtbFLJJyGqnsbzCOgp60Nu49Z1vInmiP%2By9S1ElhRY7Ej6l0ShEexzg6ZEocUc%2BYR5syc54RgYKocmrs9ENtDybPak6wv3vVl3M33jZH%2FWTiTBSU9BB3RVjlVHG25TLzAB48dgcxM%2Fi15KRYwrdP9df1Rt%2B9I699wPl2xZ8N8qocfbG4z0fRF6wDSXggE8Gn%2FtgDUNCTyQLQOvEHhK0kIXm0Zk91L8MGttpMMFVmfVrQJ%2B4gb0C4v5cQUSdXjxZeqpcZ8HCqeVRoF3E%3D&geniecid=1006442058
http://www.findstuff.com/search.php?query=digital+camera&source=gk&adgroupid=local3gk&partner=1006442058&subid=33363a38
http://www.findstuff.com/search.php?uvx=d8ZD2BFHuoLLxx378lUVWNgPk7LkBez5rnAAOatzVVxRqrj4XA63fOFfeZJQFNkG8I9xOJa8yrwa4LPNza_qxQTXImUd5EQ3u9YraCfZaJ78T9jf03MBFuehIgx4hDkeXvt_hu_T-2tPX1FM_Ne_ow%2A%2A
http://goougly.com/c.php?url=http%3A%2F%2Fwww.dpreview.com%2F&p=0
http://rc12.overture.com/d/sr/?xargs=15KPjg15lSnJamwr%2Dsc73MROaLxloaxca58cJvDpl7GtRd5iMxXOJ5b6THmsB8Te1xv1PdzPSU%2Dq8RKvf%2DkP2KFgyJRFOIEefpjdLJyo44PqmnX9EbsYRzy%2DLqn49NPnkOyl%2DBQpKznOvPIMCofnNJ%5Fo4D227Bvvxvws%2Dwx%2DQfE7LRtGBIzA3Zc8RQpLZ408HBL5gLSbFUdquckFKXBeo%5F6o94kL2UDg0TKV6m4xt5rCnzICYgrKnPYowJp7HvmI%2DYf7KpkYoPNhHRpeQ3sUnPjS%5FB39s2O4OzmSdqpEhVDqauJXMNvBxLmJ742v%5FbP400s2b2F5iaUzShNy04LioyB%5FKrbw2xIndtphOPZcQefM24q3nyNI%5FFACIjZ1QH%2DYL2NccD9VzFzxteOw%2E%2E
http://pixel1780.everesttech.net/1780/rq/1/4d74416a468c6985c97f5725cadca55f_7558666013_83193268013/url=http%3A//www.pentaximaging.com/
http://www.pentaximaging.com/?ef_id=1780:1:4d74416a468c6985c97f5725cadca55f_7558666013_83193268013:vvCMTEo-JyIAABfjvDgAAAAB:20081218021400


It looks like someone is trying to collect a commission as a referrer, but it seems like a lot of work for not much money.  That's why I wonder what else is going on.


BTW, I'm not trying to be obtuse about the logs, but I'm currently being helped through this by someone else, and I'm trying to keep it simple.  Besides, so far he's recommended the same scans and steps as you.
« Last Edit: December 18, 2008, 03:32:04 AM by cromag »
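The two history listings cromag posted (Reply #10 and Reply #14) can be read mechanically: a click-through wrapper such as goougly.com/c.php?url=... carries the page the user actually asked for, so comparing that embedded host with the next host visited shows where the click was diverted. The script below is an added example, not code from this thread or from GooredFix; its sample input is the history entries quoted above, with the long opaque query blobs replaced by the placeholder "OPAQUE".

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample input: the two Firefox history chains quoted in the thread,
# with the long opaque query blobs replaced by the placeholder "OPAQUE".
CASSETTE_HISTORY = [
    "http://www.google.com/search?q=cassette+tape&sourceid=navclient-ff&ie=UTF-8&rlz=1B3GGGL_en___US228",
    "http://en.wikipedia.org/wiki/Compact_audio_cassette",
    "http://goougly.com/c.php?url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCompact_audio_cassette&p=0",
]
CAMERA_HISTORY = [
    "http://www.google.com/search?client=firefox-a&hl=en&q=digital+camera&btnG=Google+Search",
    "http://66.230.188.67/click.php?c=OPAQUE",
    "http://66.230.188.121/click.php?re=1&cc=OPAQUE",
    "http://feed.genieknows.com/yz/Monitor?enc=OPAQUE&geniecid=1006442058",
    "http://www.findstuff.com/search.php?query=digital+camera&source=gk&partner=1006442058",
    "http://goougly.com/c.php?url=http%3A%2F%2Fwww.dpreview.com%2F&p=0",
    "http://rc12.overture.com/d/sr/?xargs=OPAQUE",
    "http://pixel1780.everesttech.net/1780/rq/1/OPAQUE/url=http%3A//www.pentaximaging.com/",
    "http://www.pentaximaging.com/?ef_id=OPAQUE",
]

def wrapped_target(url):
    """Host of an absolute URL carried inside this URL, or None. Click-through
    wrappers like c.php?url=http%3A%2F%2F... name the page the user asked for."""
    p = urlparse(url)
    candidates = [v for vs in parse_qs(p.query).values() for v in vs]
    if "=" in p.path:  # some trackers put the key=value pair in the path instead
        candidates.append(unquote(p.path.split("=", 1)[1]))
    for v in candidates:
        if v.startswith(("http://", "https://")):
            return urlparse(v).hostname
    return None

def analyze_chain(history):
    """Walk history entries that start at a search-results page and report the
    hops, bare-IP hosts and wrappers between the search and the page finally
    shown. A wrapper whose next hop is not the host it wraps is a hijacked click."""
    hosts = [urlparse(u).hostname for u in history]
    report = {"query": parse_qs(urlparse(history[0]).query).get("q", [""])[0],
              "landed": hosts[-1], "hops": len(history) - 2,
              # hostnames made only of digits and dots are bare IPv4 literals
              "ip_hosts": [h for h in hosts[1:] if h.replace(".", "").isdigit()],
              "hijacked": []}
    for i in range(1, len(history)):
        target = wrapped_target(history[i])
        if target is None:
            continue
        nxt = hosts[i + 1] if i + 1 < len(hosts) else None  # None: no recorded arrival
        if nxt != target:
            report["hijacked"].append({"wrapper": hosts[i], "intended": target, "next": nxt})
    return report

if __name__ == "__main__":
    for chain in (CASSETTE_HISTORY, CAMERA_HISTORY):
        print(analyze_chain(chain))
```

For the camera chain the everesttech.net tracking pixel forwards to the host it wraps and is therefore not flagged, while goougly.com wraps dpreview.com and hands off to overture.com instead; in the cassette chain the wrapper is the last recorded entry, so the diversion shows up as a wrapper with no recorded arrival.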