Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Browser Hijacker (Going-on-earth) infection

  • This topic is locked This topic is locked
2 replies to this topic

#1 Thenno


  • Members
  • 2 posts
  • Local time:11:22 PM

Posted 22 March 2011 - 09:38 PM


Hi, sorry for posting here as a new user, but I'm quite lost with this problem and I've seen threads where you succesfully helped people in similar trouble.

I've been infected by a malicious piece of software. Symptons are:
- I've noticed so far is that it randomly redirects my browser to sites which are blocked by my Noscript add-on
- Searches (using Google/Bing/Yahoo) with the word goingonearth are redirected to some unhelpful MS Help page.
- MS Security Centre is disabled, and can't be re-enabled. I'm pretty sure it was enabled before the infection.

My (up to date) Avira virusscanner started to give detections right away, and cleaned up quite a bit (events attached as Avira_events.txt).
Since then, I've done the following:

- Ran a full system scan with Avira Antivir.
- Ran Malwarebytes' Antimalware bytes with outdated definitions, found some infections (log saved, attached).
- Killed processes cqoroa.exe, cpl.exe and cpn.exe, which seemed unusual to me. They kept returning though.
- Noticed a lot of IE8 pop-ups, while I NEVER use IE8, so I removed IE8 from my machine.
- Noticed a lot of infections were coming from .../Appdata/Local/Temp, so I moved the map to trash.
- Update Malwarebytes' Antimalware, ran again. Found 10+ infections (log saved, attached).
- Removed an obvious malicious startup entry in msconfig
- Rebooted. Antimalware automatically ran at startup.
- Ran Antimalwar again, no detections. No more cqoroa.exe/cpl.exe/cpn.exe.
- Performed another full system scan with Avira Antivir, no detections.
- Updated and ran CCleaner.exe, cleaned my trash (including the previously deleted AppData/Local/Temp folder) and other temp. files.
- Checked if Java was up to date. It was.
- Checked hosts file. Only commented lines.
- Checked proxy settings, TCP/IPv4 and IPv6 protocols. Nothing unusual, no dns modifications or proxies.
- Flushed dns (ipconfig /flushdns).
- Ran tdsskiller.exe from Kaspersky's Lab as administrator (got it directly from there). No threats found.
- Updated Firefox to Firefox 4.0, suspecting a compatibility problem with my (automatically) updated Noscript and the old Firefox.
- Did a check with another PC owned by me on the same (sub-)network. No malware, virusses or redirections there.
- Ran OTL, logs here attached below (this is OTL.Txt, extras.txt also available if useful).
- Ran DDS from this forum. DDS.txt posted below, attach.txt attached (zipped). Had to allow bleepingcomputer to run javascript, but I guess that's okay ;).
- Ran GMer as administrator, but couldn't set it up as required in the preparation guide. Ran a scan with default settings, it found no system modifications.
- Noticed the entries from OTL:
[2011-03-22 22:29:44 | 000,000,306 | -HS- | C] () -- C:\Windows\tasks\MMLBQOZ.job
[2011-03-22 22:29:43 | 000,108,544 | RHS- | C] () -- C:\Windows\SysWow64\sysprint4.dll
These are of the exact moment I ran the malicious program which triggered the problems in the first place.
I couldn't find these in my windows folder though, they're not there or somehow hidden.
- Posted topic here.


The problem still persists and I don't know what to do now. I really hope you can help me.


Edited by Thenno, 23 March 2011 - 06:29 PM.

BC AdBot (Login to Remove)


#2 Thenno

  • Topic Starter

  • Members
  • 2 posts
  • Local time:11:22 PM

Posted 23 March 2011 - 06:29 PM

Needed a secure computer for my work, so I reinstalled the whole system after trying ETES Scan and ComboFix and no help.

Attachments and logs removed for privacy reasons.

Thanks for the great service you're providing anyways!

#3 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:08:22 AM

Posted 24 March 2011 - 04:13 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users