Google Redirects - Only Firefox affected


15 replies to this topic

#1 Geordi


  • Members
  • 22 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 20 October 2010 - 08:34 PM

Hello! I'm getting a bit concerned with a Google redirect virus that occurs only on Firefox (IE8 and Chrome are unaffected), which redirects to various search engines like scour and others. I've seen this topic come up a number of times on these forums from my searching that I've done, and there were quite a range of fixes for it, it seems.

Firstly, I have scanned with SuperAntiSpyware and Malwarebytes, and neither showed any results.
I did have a virus a few weeks ago [edit: actually a couple months ago] and got rid of most everything using those 2 applications.

I checked my Host file, and it appears to be normal. From what I can tell, there's no odd process running, either.

This is really the only apparent symptom, except in IE8, where the browser occasionally says "Connection reset" or something; I do not recall the error and it only happens every so often. Another error I'm not sure of is that occasionally I lose Internet connectivity and sometimes the pages simply do not load. For instance, last night I did a tracert and there was an actual connectivity problem, but there have been some occasions since the attack where the sites simply wouldn't load in any browser. Very odd.

As of now, these are the only apparent symptoms and I'd really like to avoid doing anything major to get rid of them. I've been playing high-intensity games with these issues with no problem and generally, I really haven't been having any problems with performance or anything.

Thanks in advance,

Geordi.

[Edit for additional information] I use the free version of Avira, and I have MBAM and SAS. My desktop is routed through a router, it is not directly plugged into the modem. Running on a 64-bit Windows 7 Machine, have had it for about a year now.

Edited by Geordi, 20 October 2010 - 08:36 PM.



#2 Geordi

Geordi
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 22 October 2010 - 08:58 PM

BUMP - I know they're generally discouraged but it fell back to page 5, still haven't done anything and the computer does seem to be in great shape besides this issue with Firefox.

#3 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:37 AM

Posted 23 October 2010 - 08:48 AM

Please read and follow all these instructions.

Please download GooredFix and save it to your Desktop.

http://jpshortstuff.247fixes.com/GooredFix.exe

Double-click GooredFix.exe to run it.

A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Chewy

No. Try not. Do... or do not. There is no try.

#4 Geordi


Posted 25 October 2010 - 03:17 AM

> Please read and follow all these instructions.
>
> Please download GooredFix and save it to your Desktop.
>
> http://jpshortstuff.247fixes.com/GooredFix.exe
>
> Double-click GooredFix.exe to run it.
>
> A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


Here's the log, I can't really tell if it's found anything or not. I will continue to use Chrome and for the most part I've migrated to Chrome as my primary browser anyways. If you need me to do any additional investigation as far as seeing whether or not redirects still occur, let me know. Thanks.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 04:14 on 25/10/2010 (Geordi)
Firefox version 3.5.13 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [09:48 07/12/2009]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [06:43 26/09/2010]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [01:22 09/12/2009]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [03:13 17/08/2010]

C:\Users\Geordi\Application Data\Mozilla\Firefox\Profiles\8pqchi3q.default\extensions\
eafo3fflauncher@ea.com [20:00 28/06/2010]
personas@christopher.beard [06:06 11/07/2010]
service@touchpdf.com [01:42 30/04/2010]
{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [22:06 16/05/2010]
{73a6fe31-595d-460b-a920-fcc0f8843232} [19:07 11/10/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [08:53 18/08/2010]
{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [10:00 13/06/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-
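
The GooredLog section above walks the program-wide extensions folder, each profile's extensions folder and the HKLM Extensions key. The following PowerShell script is an added example (not GooredFix's code and not from anyone in this thread) that lists the same locations, reads the name each add-on declares in its install.rdf so an unfamiliar id can be compared against what it claims to be, and also checks the Wow6432Node and HKCU registry variants. It assumes the Firefox 3.x-era layout of unpacked add-on folders that each hold an install.rdf.

```powershell
# Added example, not GooredFix's code. Assumes Firefox 3.x-era unpacked add-on
# folders, each holding an install.rdf (the RDF/XML manifest with the add-on name).
function Get-FirefoxExtensionDirs {
    # Program-wide folder under each Program Files root, then every profile's folder
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $dirs = @(foreach ($r in $roots) { Join-Path $r 'Mozilla Firefox\extensions' })
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $profiles) {
        foreach ($p in Get-ChildItem $profiles | Where-Object { $_.PSIsContainer }) {
            $dirs += Join-Path $p.FullName 'extensions'
        }
    }
    $dirs | Where-Object { Test-Path $_ }
}

function Get-FirefoxExtensions {
    foreach ($dir in Get-FirefoxExtensionDirs) {
        foreach ($item in Get-ChildItem $dir) {
            $name = $null
            $rdf = Join-Path $item.FullName 'install.rdf'
            if (Test-Path $rdf) {
                try {   # the add-on's display name is the em:name element of install.rdf
                    [xml]$manifest = Get-Content $rdf
                    $name = @($manifest.GetElementsByTagName('em:name'))[0].InnerText
                } catch { $name = '(unreadable install.rdf)' }
            }
            New-Object PSObject -Property @{
                Location = $dir; Id = $item.Name   # GUID or user@domain id, as in the log
                Name = $name;    Modified = $item.LastWriteTime
            }
        }
    }
}

function Get-FirefoxRegistryExtensions {
    # The HKLM Extensions key GooredFix checks; a 32-bit Firefox on 64-bit Windows
    # registers under Wow6432Node, and per-user installs under HKCU
    $keys = 'HKLM:\Software\Mozilla\Firefox\Extensions',
            'HKLM:\Software\Wow6432Node\Mozilla\Firefox\Extensions',
            'HKCU:\Software\Mozilla\Firefox\Extensions'
    foreach ($k in $keys | Where-Object { Test-Path $_ }) {
        $key = Get-Item $k
        foreach ($id in $key.GetValueNames()) {
            # Each value maps an add-on id to the folder Firefox loads it from
            New-Object PSObject -Property @{ Key = $k; Id = $id; Path = $key.GetValue($id) }
        }
    }
}
Get-FirefoxExtensions | Sort-Object Modified -Descending | Format-Table Id, Name, Modified, Location -AutoSize
Get-FirefoxRegistryExtensions | Format-Table Id, Path, Key -AutoSize
```

An add-on whose folder name, declared name and modification time do not line up with anything the user remembers installing is the one to look up before reinstalling the browser.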


#5 DaChew


Posted 25 October 2010 - 08:00 AM

Let's uninstall Firefox and remove your user settings and data.

http://support.mozilla.com/en-US/kb/uninstalling+Firefox

#6 Geordi


Posted 25 October 2010 - 12:47 PM

> Let's uninstall Firefox and remove your user settings and data.
>
> http://support.mozilla.com/en-US/kb/uninstalling+Firefox


Done! Next step please!

#7 DaChew


Posted 25 October 2010 - 01:06 PM

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#8 Geordi


Posted 30 October 2010 - 02:26 PM

Running scan now, sorry for the delay. Please don't block this, I believe the issue has expanded to Chrome as well.

Got a tab opened to cdn.optmd. :| (EDIT: Found out pop-up issues were due to new update to tvtropes or something, other users reporting getting popups on it too now.)

I had waited a while due to the fact this scan seems to take pretty long, in retrospect that was really stupid.


Edit2: Nearly done, it's found 3 threats thus far, some Java related trojans.

Edited by Geordi, 30 October 2010 - 07:29 PM.


#9 Geordi


Posted 30 October 2010 - 05:32 PM

Ho boy, here we go. Shortly after the scan found stuff, my Avira found AnVi and removed it. Getting scared atm. Web Scan is ALMOST over.

Edited by Geordi, 30 October 2010 - 07:28 PM.


#10 Geordi


Posted 30 October 2010 - 07:27 PM

C:\Users\Geordi\AppData\Local\Temp\jar_cache5126614691884518870.tmp multiple threats deleted - quarantined
C:\Users\Geordi\AppData\Local\Temp\jar_cache7317491179926535214.tmp Java/TrojanDownloader.Agent.NBU trojan deleted - quarantined
C:\Users\Geordi\AppData\Local\Temp\plugtmp-14\plugin-Notes1.pdf probably a variant of Win32/Agent.NMSCWXZ trojan cleaned by deleting - quarantined
C:\Users\Geordi\Documents\MP4ConverterSoftMP4toMP3Converter.zip a variant of Win32/Keygen.AJ application deleted - quarantined

This is all it found. Last one looks like it may be a false positive (edit: Actually not sure, pretty sure I never unzipped that. No loss there). Looks legit though, glad I toughed out that 4 hour scan. Pretty concerned about AnVi randomly popping up again - that's what I got hit with 2 months ago. Thankfully Avira didn't let it do anything and quarantined it RIGHT away. So that's good. Hopefully deletion of that TrojanDownloader has paused any major threats for now.

EDIT: Checked, and the ANVI folder is actually there though. Running MBAM in a hurry to get rid of it.

Edited by Geordi, 30 October 2010 - 07:32 PM.


#11 DaChew


Posted 30 October 2010 - 07:36 PM

MP4ConverterSoftMP4toMP3Converter.zip looks to be a torrent/p2p/warez file, so I would assume it's a true detection; better safe than sorry.

The others look like remnants of java and pdf exploit?

Just to be safe I would uninstall any old versions and reinstall the latest.

Any leftover issues?

Let's try one last faster clean and scan.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

After the reboot update MBAM and do a quick scan.

Note what the TFC removes.

Edited by DaChew, 30 October 2010 - 07:39 PM.


#12 Geordi


Posted 30 October 2010 - 07:37 PM

> MP4ConverterSoftMP4toMP3Converter.zip looks to be a torrent/p2p/warez file, so I would assume it's a true detection; better safe than sorry.
>
> The others look like remnants of java and pdf exploit?
>
> Just to be safe I would uninstall any old versions and reinstall the latest.
>
> Any leftover issues?


No immediate issues left that I can see. The AnVi folder is still there though, assumed MBAM scan would delete it but it did not, should I just manually delete it?

#13 DaChew


Posted 30 October 2010 - 07:47 PM

I edited my reply; please read it and post both MBAM logs.

#14 Geordi


Posted 30 October 2010 - 08:02 PM

> I edited my reply; please read it and post both MBAM logs.


Whew! The TFC Scan scared the daylights out of me, Windows said "Experienced critical error...Save your work you're about to be logged off", or something to that effect, and then just shut down. But yeah, it did seem to remove quite a bit and some temps out of the system32 folder. TFC doesn't provide a log though, right?

I'll update this post in a second after the MBAM scan. I expect it to be the same since I updated just before the last scan too.

Oh, and TFC sets system-critical files to view. Weird, read about it from another source before I ran the program (was ensuring it was compatible with w7 x64). But got that sorted out.

Do you propose I should re-install Firefox after this scan and see if the Google redirects still occur?

Oh yeah, and the AnVi folder is still in Appdata/Roaming. Waiting for you to give me the go-ahead on manual deletion.

Edit: Confirmed, clean scan!
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5003

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/30/2010 9:09:11 PM
mbam-log-2010-10-30 (21-09-11).txt

Scan type: Quick scan
Objects scanned: 147788
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Geordi, 30 October 2010 - 08:26 PM.


#15 DaChew


Posted 30 October 2010 - 08:35 PM

:thumbsup:

> Running on a 64-bit Windows 7 Machine


I forgot that, sorry about asking for a TFC.

My 10 day memory is gone at my age?

Reinstall FF and manually delete the problem folder, then test.



