Topic: Yes, ANOTHER Google redirect victim! Please help.

Amalia

  • Guest
Yes, ANOTHER Google redirect victim! Please help.
« on: July 13, 2011, 07:35:17 PM »
This one seems to be making the rounds, doesn't it?  Same old story: Suddenly found that Firefox is trying to redirect me from Google results to various addresses; Avast stops it most of the time, with the result that every site on my search results appears compromised, which is bollocks.

Running Firefox 3.6.18 and Windows 7 Ultimate 32-bit.

I read the posts here for a while and am here to beg for help.  Ran OTS; I offer my log for analysis.  Thanks for your time.


Edit:  I believe I ran OTS before Malwarebytes Anti-Malware.  My Malwarebytes scan of a little while ago uncovered a trojan which I promptly had the program fix; I did not make further note of it, but the redirect problem has persisted after a reboot.
« Last Edit: July 13, 2011, 10:15:56 PM by Amalia »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #1 on: July 13, 2011, 10:08:13 PM »
Hi - I have had OTS zip the malware files; could you upload them to Avast once we are done, please?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Processes - Safe List]
YN -> autoinstallejcdsvc.exe ->
YY -> kbdaze32.exe -> C:\Windows\System32\KBDAZE32.exe
YY -> alttab32.exe -> C:\ProgramData\AltTab32.exe
[Win32 Services - Safe List]
YY -> (PeerDistSvc32) BranchCache  [Auto | Running] -> C:\Windows\System32\KBDAZE32.exe
[Registry - Safe List]
< FireFox Extensions [User Folders] > ->
YY -> XUL Cache   -> C:\Users\Iska\AppData\Roaming\mozilla\Firefox\Profiles\iadhecjg.default\extensions\{b446686b-0c86-4abb-b4b3-18a4ebbb8c30}
< FireFox Extensions [Program Folders] > ->
YY -> 走るフォクすけ -> C:\USERS\ISKA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\IADHECJG.DEFAULT\EXTENSIONS\RUNFOXKEH@NORAHMODEL.EXBLOG.JP
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-4101301263-791040741-1378103366-1000\] > -> HKEY_USERS\S-1-5-21-4101301263-791040741-1378103366-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{9D425283-D487-4337-BAB6-AB8354A81457}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  AltTab32.exe -> C:\ProgramData\AltTab32.exe
NY ->  KBDAZE32.exe -> C:\Windows\System32\KBDAZE32.exe
NY ->  AltTab32.dll -> C:\Windows\System32\AltTab32.dll
[Files/Folders - Modified Within 30 Days]
NY ->  1787000635 -> C:\Windows\System32\1787000635
NY ->  AltTab32.dll -> C:\Windows\System32\AltTab32.dll
NY ->  KBDAZE32.exe -> C:\Windows\System32\KBDAZE32.exe
NY ->  AltTab32.exe -> C:\ProgramData\AltTab32.exe
[Files - No Company Name]
NY ->  1787000635 -> C:\Windows\System32\1787000635
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
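As an added example that is not part of the thread and not OTS's own code: a read-only PowerShell check for the artifacts the fix above targets (the four dropped files, the PeerDistSvc32 service that borrows the BranchCache display name while pointing at KBDAZE32.exe, and the two Firefox extensions). It assumes Windows PowerShell run from an elevated prompt; the one generalisation beyond the fix list is that it checks every Firefox profile under the current user and every service claiming the BranchCache display name, not just the one user folder and key named in the log. It reports and deletes nothing.

```powershell
# Added example (not from the thread or OTS): read-only check for the artifacts in the fix list.
# Assumes Windows PowerShell 2.0-5.1 (Get-WmiObject) and an elevated prompt so System32 and
# the services hive are readable. Nothing here removes or changes anything.

function Find-RedirectArtifacts {
    $ErrorActionPreference = 'SilentlyContinue'
    $findings = @()

    # File artifacts exactly as listed in the fix's Files/Folders sections
    $files = @(
        'C:\Windows\System32\KBDAZE32.exe',
        'C:\Windows\System32\AltTab32.dll',
        'C:\Windows\System32\1787000635',
        'C:\ProgramData\AltTab32.exe'
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            # An unsigned binary with no company name sitting in System32 is what the fix keys on
            $sig = Get-AuthenticodeSignature -FilePath $f
            $findings += New-Object PSObject -Property @{
                Type   = 'File'
                Item   = $f
                Detail = "present; Authenticode status: $($sig.Status)"
            }
        }
    }

    # The fix lists a service keyed PeerDistSvc32 with display name BranchCache whose ImagePath
    # is KBDAZE32.exe. Genuine BranchCache is the PeerDistSvc key hosted by svchost.exe.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PeerDistSvc32'
    if (Test-Path -LiteralPath $svcKey) {
        $img = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
        $findings += New-Object PSObject -Property @{
            Type   = 'Service'
            Item   = 'PeerDistSvc32'
            Detail = "registry key present; ImagePath: $img"
        }
    }
    # More generally: any service using the BranchCache display name under a different key
    $lookalikes = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.DisplayName -eq 'BranchCache' -and $_.Name -ne 'PeerDistSvc' }
    foreach ($svc in $lookalikes) {
        $findings += New-Object PSObject -Property @{
            Type   = 'Service'
            Item   = $svc.Name
            Detail = "DisplayName 'BranchCache' on a non-PeerDistSvc key; PathName: $($svc.PathName)"
        }
    }

    # The two Firefox extensions the fix removes, checked across every profile of this user
    $extIds = @('{b446686b-0c86-4abb-b4b3-18a4ebbb8c30}', 'runfoxkeh@norahmodel.exblog.jp')
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profileRoot) {
        $profiles = Get-ChildItem -LiteralPath $profileRoot | Where-Object { $_.PSIsContainer }
        foreach ($profile in $profiles) {
            foreach ($id in $extIds) {
                $extPath = Join-Path $profile.FullName "extensions\$id"
                if (Test-Path -LiteralPath $extPath) {
                    $findings += New-Object PSObject -Property @{
                        Type   = 'FirefoxExtension'
                        Item   = $id
                        Detail = "present in profile $($profile.Name)"
                    }
                }
            }
        }
    }
    return $findings
}

$results = @(Find-RedirectArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No artifacts from the fix list were found on this host.'
} else {
    $results | Format-Table Type, Item, Detail -AutoSize
}
```

Run it before the fix to confirm the indicators are present, and again after the reboot to confirm they are gone; a clean result from this script only covers the items in the fix list, which is why the aswMBR and MBAM scans that follow in the thread are still needed.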

Amalia

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #2 on: July 13, 2011, 10:23:33 PM »
Thank you for seeing to my post so quickly.  Please forgive my profound noobishness; I do not understand what you mean by asking me to upload the zipped malware files, as I do not know where they are located.  I had to go AFK while the fix was running.  When I returned, it had completed and popped the message saying I needed to reboot, but the program had frozen.  Upon reloading my desktop, the OTS log appeared.  I am attaching it now.

Offline essexboy

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #3 on: July 13, 2011, 10:28:59 PM »
OK I will explain how to upload them when we are finished  ;D

A few checks now to see if we got it.

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.


THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Amalia

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #4 on: July 13, 2011, 11:00:00 PM »
Haha, thanks again!  I have these programs, so I'm letting them do their thing.  This will take quite some time, if my earlier MWBAM scan of an hour was any indication.  I'll post the results ASAP.

Offline essexboy

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #5 on: July 13, 2011, 11:12:12 PM »
Whilst we are waiting - do you still have the redirects ?

Amalia

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #6 on: July 13, 2011, 11:21:37 PM »
Do you mean the addresses to which it was trying to redirect me on Google?  All I have is this:

64.111.211.158

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #7 on: July 14, 2011, 12:15:08 AM »
Quote from: Amalia
Do you mean the addresses to which it was trying to redirect me on Google?  All I have is this:

64.111.211.158

Please post the aswMBR log so we can see the generation of the TDL you are infected with.

Btw, are you from Greece? Amalia is a Greek name ;D
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Amalia

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #8 on: July 14, 2011, 12:29:45 AM »
At the time of my last post, aswMBR was still in the early stages of its scan, so I could not upload anything yet.

Amalia seems to originally be an old Germanic name, though it is also used as a Hebrew name (and also Greek, apparently :D).  It is not mine, though; I am an American involved in the Society for Creative Anachronism.  Members of this group are encouraged to create for themselves a named persona representing a person who might have lived in the Middle Ages.  :D  I just decided to try it as my username.

I have attached the aswMBR log, as it's finally finished.  Starting MWBAM!

Offline Left123

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #9 on: July 14, 2011, 01:07:37 AM »
Quote from: Amalia
At the time of my last post, aswMBR was still in the early stages of its scan, so I could not upload anything yet.

Amalia seems to originally be an old Germanic name, though it is also used as a Hebrew name (and also Greek, apparently :D).  It is not mine, though; I am an American involved in the Society for Creative Anachronism.  Members of this group are encouraged to create for themselves a named persona representing a person who might have lived in the Middle Ages.  :D  I just decided to try it as my username.

I have attached the aswMBR log, as it's finally finished.  Starting MWBAM!

It's clean. Any other problems?

Amalia

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #10 on: July 14, 2011, 01:19:53 AM »
Thank you!  Seems fine thus far; I was able to go to the first page of Google search results on "how to make a drinking horn", while before, I couldn't click most of those links without being redirected.  Still running MWBAM.

Offline Left123

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #11 on: July 14, 2011, 01:22:23 AM »
Thanks go to Essexboy, not me ;)!
Post the mbam log when the scan is finished.

Amalia

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #12 on: July 14, 2011, 01:36:26 AM »
Well, I was actually just politely thanking you for asking.  Malwarebytes says nothing is infected, though.

Offline Left123

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #13 on: July 14, 2011, 01:42:18 AM »
Quote from: Amalia
Well, I was actually just politely thanking you for asking.  Malwarebytes says nothing is infected, though.

Hmmm good ;D.
Read more about TDSS variants here:
http://www.securelist.com/en/analysis/204792131
and about TDL-4 here:
http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot
« Last Edit: July 14, 2011, 01:46:10 AM by Left123 »

Amalia

Re: Yes, ANOTHER Google redirect victim! Please help.
« Reply #14 on: July 14, 2011, 01:44:36 AM »
Yep, everything seems to be running smoothly as before the infection.  Thanks ever so much for your time, essex; you do great work.

Quote from: Left123
Read more about TDSS variants here:
http://www.securelist.com/en/analysis/204792131
and about TDL-4 here:
http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

Cool.  Will look at those right now.