Google redirects and firefox crashes


This topic is locked. 15 replies to this topic.

#1 magsrevs

Posted 03 March 2009 - 08:40 AM

Hi,

I've only noticed this behaviour over the last week or so, and I've tried quite a few things to fix it but nothing has worked so far, I'm hoping someone can help.

Symptoms:
Google redirects on just about all searches (except Wikipedia pages)
cmd from start->run won't execute
regedit didn't work either, I fixed that but now it doesn't work again (I use a copy of regedit now)
msconfig does work
firefox crashes fairly regularly

AVG finds nothing wrong, Malwarebytes finds nothing wrong, Kaspersky finds nothing wrong.

Any ideas? Any help would be greatly appreciated.
Below is the log from the latest full Malwarebytes scan I did this morning.
(Note: I tried recently installing service pack 3 but it hung on me, I haven't tried again since)

Thanks,
Rich

Malwarebytes' Anti-Malware 1.34
Database version: 1807
Windows 5.1.2600 Service Pack 2

3/03/2009 1:14:11 PM
mbam-log-2009-03-03 (13-14-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 174324
Time elapsed: 38 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2 rigel

BC Advisor

Posted 03 March 2009 - 09:44 AM

Welcome to BC!

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 magsrevs

Topic Starter

Posted 03 March 2009 - 10:45 AM

Thanks for the welcome! Seems like a great site, just a shame spyware has brought me here.

Okay, I have tried GooredFix previously, but here's the log from the most recent Find Goored:

GooredFix v1.91 by jpshortstuff
Log created at 15:43 on 03/03/2009 running Option #1 (Mags)
Firefox version 3.0.6 (en-GB)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

#4 rigel

BC Advisor

Posted 03 March 2009 - 10:49 AM

Nothing found... hmmm

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


#5 magsrevs

Topic Starter

Posted 03 March 2009 - 12:11 PM

I downloaded and installed SDFix, but when I boot into safe mode it won't run. I thought maybe AVG 8 might be interfering (although I had disabled it) so I uninstalled AVG but still no joy.

I noticed that regedit and cmd also don't run within Safe Mode. Those two and SDFix exhibit the same behaviour when I try to run them: the task bar and everything on the desktop disappears briefly and an alert box informs me that Windows is running in Safe Mode; click Yes to continue in Safe Mode, No to use System Restore to restore to a previous state (i.e. it's as if the system 'resets' and I've just booted into Safe Mode).

I'm guessing that SDFix needs cmd to run, and that the spyware/virus whatever has disabled cmd.exe

I tried the handful of fixes from the How To Use SDFix thread to try and get cmd working, but none of them seem to have fixed the problem. Is there a registry entry created by the malware that I need to delete?

#6 rigel

BC Advisor

Posted 03 March 2009 - 03:53 PM

Let's try an online scanner and then we can return to SDFix

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users: be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


#7 magsrevs

Topic Starter

Posted 03 March 2009 - 05:16 PM

That reckoned it didn't find anything either . . .

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3905 (20090303)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d4d78b7d9edba14c8e0d8ccad79b4f9b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-03 10:01:34
# local_time=2009-03-03 10:01:34 (+0000, GMT Standard Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 2
# scanned=548000
# found=0
# scan_time=3601

#8 rigel

BC Advisor

Posted 03 March 2009 - 06:08 PM

No, it didn't, but we aren't finished with it either.

Please download ATF Cleaner by Atribune & save it to your desktop.
(alternate download link) DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#9 magsrevs

Topic Starter

Posted 04 March 2009 - 07:38 AM

Excellent, something found at last:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/04/2009 at 12:13 PM

Application Version : 4.25.1014

Core Rules Database Version : 3784
Trace Rules Database Version: 1741

Scan type : Complete Scan
Total Scan Time : 02:47:56

Memory items scanned : 223
Memory threats detected : 0
Registry items scanned : 5707
Registry threats detected : 28
File items scanned : 103796
File threats detected : 1

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_oreans32
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\ControlSet003\Enum\Root\LEGACY_oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

#10 rigel

BC Advisor

Posted 04 March 2009 - 07:43 AM

That is good news. The thing it has found is a rootkit. I would change all on-line passwords.

Please rerun SUPERAntiSpyware, and update and rerun Malwarebytes. Post their new logs.


#11 magsrevs

Topic Starter

Posted 04 March 2009 - 08:27 AM

Oh, very nasty. Just did some research on Wiki, and found this under the Removal section of the Rootkit topic:

"I suppose traditional rootkits could be made to be as hard to remove as possible even when found, but I doubt there is much incentive for that, because the typical reaction of an experienced sysadmin on finding a rooted system is to save the data files, then reformat [and reinstall]. This is so even if the rootkit is very well known and can be removed 100%."

It also mentions that booting into safe mode is not guaranteed to remove the rootkit process (although of course there's no way to know how accurate that information is). Is there any way of knowing what rootkit I had and whether it has actually been 100% removed from my system?

I suppose buying a new hard drive and reinstalling everything again is an option (I'm on a MacBook with a 60gb hard drive so have been contemplating updating to a larger hard drive anyway), but it's going to be a real pain! Or are there tools out there (hopefully SUPERAntiSpyware being one of them) that can guarantee my system is clean?

Thanks for all your help so far, it is much appreciated!

#12 magsrevs

Topic Starter

Posted 04 March 2009 - 11:56 AM

The second run of SAS and the run of Malwarebytes (with updated db) didn't find anything, but google still redirects . . .


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/04/2009 at 03:47 PM

Application Version : 4.25.1014

Core Rules Database Version : 3784
Trace Rules Database Version: 1741

Scan type : Complete Scan
Total Scan Time : 02:48:04

Memory items scanned : 237
Memory threats detected : 0
Registry items scanned : 5704
Registry threats detected : 0
File items scanned : 103919
File threats detected : 0




Malwarebytes' Anti-Malware 1.34
Database version: 1817
Windows 5.1.2600 Service Pack 2

4/03/2009 4:51:02 PM
mbam-log-2009-03-04 (16-51-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 172799
Time elapsed: 41 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 rigel

BC Advisor

Posted 04 March 2009 - 07:11 PM

oreans32 has been associated with Trojan-Agent infections.

Since you are still having redirects, I think we should move to the HJT forum. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

Edited by rigel, 04 March 2009 - 07:12 PM.


#14 magsrevs

Topic Starter

Posted 05 March 2009 - 04:08 AM

I've downloaded dds.scr, but when I try to run it the DOS prompt appears briefly and then disappears. Same happens in safe mode.

cmd.exe still won't work from start->run, so I'm guessing whatever I have is preventing cmd from running and also any .scr or .bat files.
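The three symptoms in this thread all leave traces in the registry: the GooredFix log in post #3 dumps machine-wide Firefox extension registrations, posts #5 and #14 describe cmd.exe, regedit.exe and .bat/.scr files refusing to start, and the SUPERAntiSpyware log in post #9 lists a kernel driver service (Services\oreans32 with its Enum\Root\LEGACY_ entries). The script below is an added example in Python, not code from the thread or from any of the tools it names. It parses a constructed .reg export (the goored extension path, blocker.exe, and the Type/Start values are made up for illustration; only the key names mirror the thread's logs) and applies one check per symptom. The Image File Execution Options "Debugger" value and the DisableCMD/DisableRegistryTools policies are common mechanisms for blocking programs; treating them as the cause here is an assumption, since the thread never identifies one.

```python
import re

# Constructed sample of a regedit /e export. Real exports are UTF-16LE text;
# read them with open(path, encoding="utf-16"). Values marked below are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\\Program Files\\AVG\\AVG8\\Firefox"
"{aaaaaaaa-0000-0000-0000-000000000001}"="C:\\WINDOWS\\system32\\goored"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="C:\\WINDOWS\\system32\\blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\oreans32.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Security]
"Security"=hex:01,00,14,80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')      # "name"=data
SERVICE_RE = re.compile(r"\\services\\([^\\]+)$", re.I)  # ...\Services\<name>, not subkeys
IFEO = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
TRUSTED_EXT_DIRS = ("c:\\program files\\mozilla firefox\\", "c:\\program files\\avg\\")
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def decode_value(raw):
    """REG_SZ ("..." with \\ and \" escapes) and REG_DWORD; other types stay raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            tree[key][m.group(1)] = decode_value(m.group(2))
    return tree


def suspicious_firefox_extensions(tree):
    """Machine-wide extension registrations installed outside known vendor directories."""
    hits = []
    for key, values in tree.items():
        if key.lower().endswith("\\mozilla\\firefox\\extensions"):
            for guid, path in values.items():
                if isinstance(path, str) and not path.lower().startswith(TRUSTED_EXT_DIRS):
                    hits.append((guid, path))
    return hits


def blocked_executables(tree):
    """Programs that will not start: IFEO Debugger redirections and cmd/regedit policies."""
    hits = []
    for key, values in tree.items():
        if IFEO in key.lower() and "Debugger" in values:
            hits.append((key.rsplit("\\", 1)[1], "IFEO Debugger -> %s" % values["Debugger"]))
        if values.get("DisableCMD"):
            hits.append(("cmd.exe", "DisableCMD policy = %d" % values["DisableCMD"]))
        if values.get("DisableRegistryTools"):
            hits.append(("regedit.exe", "DisableRegistryTools policy = %d" % values["DisableRegistryTools"]))
    return hits


def kernel_driver_services(tree, baseline=frozenset({"beep"})):
    """Kernel-mode driver services (Type=1, loaded into ring 0) not in the caller's baseline."""
    hits = []
    for key, values in tree.items():
        m = SERVICE_RE.search(key)
        if m and values.get("Type") == 1 and m.group(1).lower() not in baseline:
            hits.append((m.group(1), START_NAMES.get(values.get("Start"), "?"), values.get("ImagePath", "")))
    return hits


def triage(text):
    tree = parse_reg(text)
    return {
        "firefox_extensions": suspicious_firefox_extensions(tree),
        "blocked_executables": blocked_executables(tree),
        "kernel_drivers": kernel_driver_services(tree),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG).items():
        print(section)
        for hit in hits:
            print("   ", " | ".join(str(h) for h in hit))
```

On a machine where regedit still runs (or from a hive loaded on a clean system), `regedit /e export.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` produces the input this expects; the baseline set of driver names is deliberately the caller's, because which kernel drivers belong on a given box is not something a script can know on its own.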

#15 rigel

BC Advisor

Posted 05 March 2009 - 08:47 AM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.




