goingonearth redirect virus - how do I remove this from firefox?
July 25, 2011 5:29 AM

goingonearth redirect virus - how do I remove this from Firefox? How can it evade anti-malware?

I'm running malwarebytes and avira antivirus they both say my PC is clean.

Still in FIREFOX when I do a search this virus takes over.

I've been trying everything on the web - seriously how do I remove this? How can it evade software!!!

has someone written a tool to remove this?
posted by flexiverse to Computers & Internet (16 answers total)
The virus isn't in 'firefox', it's in your computer. Browser doesn't matter.

Before suggesting any other software, are you running these programs in Safe Mode?

You'll need to restart your PC in Safe Mode at the very least - press F8 when it is loading up, before it gets to the Windows screen (I usually just keep hitting it)

A black and white screen will come up and you'll want to choose 'Safe mode' initially. You can always restart and do this again and choose another mode, you haven't done anything permanent.

Once you've loaded up an ugly, looks-funny version of Windows in Safe Mode, run your antivirus programs again.

And get into the habit of scanning anything downloaded before launching it in the future.
posted by cobaltnine at 5:40 AM on July 25, 2011


Oooh. This is a fun one. We might have to do a little "live" troubleshooting, because what I'm seeing is that this isn't well taken care of by the normal stuff.

Download aswMBR, give it a run, and post the log back here (or in a MeMail to me).

Also, grab TDSS Killer and give that a run.

Report back from there, I'll try to monitor the thread for your updates.
posted by deezil at 5:47 AM on July 25, 2011


This is a case of DNS redirection. What OS are you using?
posted by alby at 5:51 AM on July 25, 2011


Antivirus is only as good as what it knows to detect (sure there's heuristics too, but even this can be fooled). Either Avira or Microsoft Security Essentials might pick up on what happened once the DATS are updated to detect your particular infection. But keep in mind, over 70 thousand variants of malware are being released monthly nowadays, many of which are written to evade popular antivirus programs. Welcome to the warfront!

First and easiest thing to do, is to take a look at your startup (start/run and type "msconfig") tab in msconfig. Uncheck anything there that looks suspicious and reboot...you don't have to worry about what's unchecked as you can recheck it later if it's needed. Also look at the services tab in msconfig and check the "Hide Microsoft Services" checkbox. Uncheck anything suspicious from there as well.

See if you can get a copy of HijackThis running (you might need to use a different PC and transfer it to a USB thumbdrive or CDR...just make sure the USB thumbdrive hasn't been in your infected PC for a while beforehand...just in case)

Deezil's got a very good start for you to follow to see if you might have a rootkit. I would also give GMER a go along with those which can pick up on non-TDSS or non-MBR/Torpig/etc variant rootkits.

This also might be a case of DNS redirection as alby mentioned. Double check your TCP/IP settings under your Network Adapter's properties (start/run and type "control ncpa.cpl"). When looking at your TCP/IP settings you want to make sure that DNS is being obtained automatically, or is the correct DNS IP (e.g. if you're using Google DNS or OpenDNS). In Firefox and Internet Explorer, go under options and make sure your browser is not set to use a proxy, which would be another cause for redirection.

Also, if you can get a copy of Malwarebytes installed, update it and run a full scan. You might need to use a different PC to get any of the programs suggested however, as DNS redirection might make it a pain to accomplish. (unless IE works and FF does not...in that case I'd highly suspect your proxy settings).
posted by samsara at 6:42 AM on July 25, 2011


You don't need to run more software.

The goingonearth virus has been removed by Malwarebytes and Avira but neither of those will fix the DNS problem, which will redirect all net traffic and probably lead to further infection. You need to fix your DNS problem, including flushing the cache.

Of course the best idea is to nuke it from orbit: DBAN and reinstall the OS.
posted by alby at 6:58 AM on July 25, 2011
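The checks samsara and alby describe above (static DNS servers on each adapter, a browser or system proxy, and flushing the resolver cache) can be run in one pass from an elevated PowerShell prompt. This is an added example, not code from the thread or from any of the tools named in it; it reads the same settings the Windows dialogs show. It also lists non-localhost entries in the hosts file, since that is the other place a local redirect commonly lives. The `$TrustedDns` list is an assumption: put the resolvers you actually expect there (your router, your ISP, or the Google/OpenDNS addresses).

```powershell
# Added example (not from the thread): audit the client-side settings a
# search/DNS redirect usually tampers with, then flush the resolver cache.
# Run as Administrator. $TrustedDns is an assumption: fill in the resolvers
# you actually expect (router, ISP, or Google DNS / OpenDNS as samsara mentions).
$TrustedDns = @('8.8.8.8', '8.8.4.4', '208.67.222.222', '208.67.220.220')
$findings   = @()

# 1. Static DNS overrides. DHCP-supplied resolvers are stored in DhcpNameServer;
#    a non-empty NameServer value means the resolvers were set by hand (or by malware).
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$keys  = @(Get-Item $tcpip) + @(Get-ChildItem "$tcpip\Interfaces")
foreach ($k in $keys) {
    $static = [string](Get-ItemProperty -Path $k.PSPath).NameServer
    if ($static.Trim()) {
        foreach ($s in ($static -split '[ ,]+' | Where-Object { $_ })) {
            $tag = if ($TrustedDns -contains $s) { 'ok' } else { 'CHECK' }
            $findings += "[$tag] static DNS server $s on key $($k.PSChildName)"
        }
    }
}

# 2. System (WinINET / Internet Explorer) proxy: manual proxy or a PAC script URL.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings += "[CHECK] IE/WinINET proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { $findings += "[CHECK] IE/WinINET PAC script: $($inet.AutoConfigURL)" }

# 3. Firefox proxy preferences from each profile's prefs.js.
#    network.proxy.type: 0 = none, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = system.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    foreach ($prefsFile in (Get-ChildItem $profiles -Recurse -Filter prefs.js)) {
        $type = $null
        foreach ($line in (Get-Content $prefsFile.FullName)) {
            if ($line -match '"network\.proxy\.type",\s*(\d+)') { $type = $Matches[1] }
            if ($line -match 'network\.proxy\.(http|ssl|autoconfig_url)"') { $findings += "[info] $($line.Trim())" }
        }
        if ($type -and $type -ne '0' -and $type -ne '5') {
            $findings += "[CHECK] Firefox network.proxy.type=$type in $($prefsFile.FullName)"
        }
    }
}

# 4. Hosts file: anything that is not a comment or a localhost mapping deserves a look.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hosts)) {
    if ($line -match '^\s*[0-9a-fA-F.:]+\s+\S' -and $line -notmatch 'localhost') {
        $findings += "[CHECK] hosts entry: $($line.Trim())"
    }
}

# 5. Report, then flush the resolver cache (the same ipconfig /flushdns step from the thread).
if ($findings.Count -eq 0) { Write-Host 'No static DNS, proxy or hosts overrides found.' }
$findings | ForEach-Object { Write-Host $_ }
ipconfig /flushdns | Out-Null
Write-Host 'Resolver cache flushed (ipconfig /flushdns).'
```

A `[CHECK]` line is not proof of infection: a corporate proxy, a PAC script from your ISP, or a DNS server you set yourself will all show up. The point is that each one is now visible and can be compared against what you expect, which is exactly what the dialogs in ncpa.cpl and the browser options hide behind several clicks.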


has someone written a tool to remove this?

Yes.

This is a tough one, but it can be done. Malwarebytes can't remove it.

You need Combofix. Even Malwarebytes endorses Combofix.

Read about it here:

Malwarebytes Forum
Bleeping Computer Forum
Bleeping Computer: How to use Combofix
CNET Forum

Download it here:
Combofix.org
CNET
posted by Herodios at 6:58 AM on July 25, 2011


This might be just a personal preference, but I really don't recommend using combofix unless I have a good feel for what variety of malware is installed and am ready to assist bringing a PC back to life if combofix bombs out for whatever reason. It's like a heavy shot of antibiotics which is not always a good thing, and can sometimes make a system fairly unstable if used in the wrong scenario or without certain precautions.

If you decide to use combofix, read the warnings on the bleeping computer forum very closely and make sure your antivirus is fully disabled beforehand. It may prove to be a quick fix, but has its risks so use your best judgement from what you read about this program. It's very useful when used properly.
posted by samsara at 7:45 AM on July 25, 2011


I have used combofix successfully, specifically to remove the goingonearth hijack. It worked perfectly (Win XP machine).

That said, I also endorse everything Samsara said above.
posted by Herodios at 8:52 AM on July 25, 2011


Response by poster: Can't see anything useful here, I've tried everything that's been mentioned here!
Windows 7 64-bit.

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-25 16:58:46
-----------------------------
16:58:46.431 OS Version: Windows x64 6.1.7600
16:58:46.433 Number of processors: 4 586 0xF0B
16:58:46.436 ComputerName: HANIFF-PC UserName: Haniff
16:58:50.015 Initialize success
16:59:20.193 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
16:59:20.196 Disk 0 Vendor: WDC_WD5000AAKS-08V0A0 05.01D05 Size: 476940MB BusType: 3
16:59:20.200 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\Si3114r51Port6Path0Target0Lun0
16:59:20.203 Disk 1 Vendor: ST332062 3.AA Size: 305245MB BusType: 8
16:59:20.207 Disk 2 \Device\Harddisk2\DR2 -> \Device\Scsi\Si3114r51Port6Path1Target0Lun0
16:59:20.212 Disk 2 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
16:59:20.243 Disk 0 MBR read successfully
16:59:20.249 Disk 0 MBR scan
16:59:20.254 Disk 0 Windows 7 default MBR code
16:59:20.259 Service scanning
16:59:23.161 Modules scanning
16:59:23.167 Disk 0 trace - called modules:
16:59:23.184 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
16:59:23.190 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80058ea060]
16:59:23.200 3 CLASSPNP.SYS[fffff8800197843f] -> nt!IofCallDriver -> [0xfffffa80053b2e40]
16:59:23.207 5 ACPI.sys[fffff88000fad781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80053d2060]
16:59:23.215 Scan finished successfully
16:59:44.034 Disk 0 MBR has been saved successfully to "C:\Users\Haniff\Desktop\MBR.dat"
16:59:44.047 The log file has been saved successfully to "C:\Users\Haniff\Desktop\aswMBR.txt"
posted by flexiverse at 9:23 AM on July 25, 2011


With Windows 7, make sure you're right-clicking and running these tools as Administrator too just to get past any UAC restrictions.

With that in mind however, you might want to make a bootable USB or CD to get around any rootkit circumvention that is going on (rootkits by their very nature work to hide their payload and defend against detection or removal).

There have been reports of success using the Microsoft Standalone System Sweeper from sevenforums. Kaspersky's Rescue Disk is also top notch. More rescue CDs can be found here.

The reason a bootable rescue CD might work in place of running the virus scanner on the working system (or in safe mode), is that it takes the possibility of a rootkit hiding traces and protecting itself largely out of the equation. Good luck, and keep us posted on your progress! At a certain point you might want to nuke and reload, but if you have the time to try some of these approaches you might save some time having to set up a PC from scratch (plus...it can sometimes be fun figuring out the puzzle).
posted by samsara at 10:31 AM on July 25, 2011


Response by poster: TDSS Killer tried, didn't find anything
combofix - tried, didn't find anything
Malwarebytes - truly useless why do I even run this?
ipconfig /flushdns - really makes no difference
stopzilla - says it's found a redirect virus removed but it's still there !!!
Microsoft Standalone System Sweeper - Useless wouldn't even work

hitman pro - found lots of other things, but not spotted any google redirect virus.

This is truly insane, all these virus companies and they can't remove this?

Have I moved to some weird parallel universe where no virus company can remove a common virus???

HELP!!!
posted by flexiverse at 4:28 AM on July 26, 2011


Antivirus programs and tools are just scripted methods of malware removal. Give the Kaspersky CD a try. Otherwise you might want to take this to a professional for removal.

Did GMER not find anything suspicious? If it did, any details would be helpful on the file or disk location it pointed out (usually in red for rootkits)

Also, if you're not ready to wipe and reload and would like more in depth help, I can walk you through some more involved steps that aren't scripted. First I'll need for you to run a full scan with OTL and make sure to check off the LOP and Purity checks. Minimal Output is fine for this run.

Paste the results in pastebin so you can delete it afterwards (the results also might be large, so more than one pastebin page might be needed. You also might want to clean up any personal information you won't want seen such as real name, etc.). I've removed thousands of rootkits like this manually, it's just a matter of finding the file or spot on the hard drive that's responsible for the redirection. Often they are just files sitting in the user's or all user's appdata, or in the windows\system32 folder as a dll or sys under drivers. Rarely are they MBR based (mebroot/torpig).

You may have a very new variant of goingonearth for which no auto-removal scripts have been developed yet by virus companies. How are you sure it is goingonearth btw, did a previous scan point it out? Just want to make sure that is what has been detected previously...there's a few other redirect malwares that are more nefarious.
posted by samsara at 5:18 AM on July 26, 2011
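samsara's point above is that the redirect component is usually an ordinary file in a handful of predictable places (the user's and all-users AppData, or a DLL or driver under windows\system32) rather than in the MBR. The following added example, which is not code from the thread or from OTL/GMER, walks those locations plus the set of kernel drivers currently running, and shortlists files whose Authenticode signature does not verify, newest first. `$DaysBack` is an assumption about how far back "recently written" should reach. One caveat for a Windows 7 box: PowerShell 2.0's `Get-AuthenticodeSignature` does not consult security catalogs, so many legitimate OS files will show as `NotSigned`; read the output as a list to research, not as a verdict.

```powershell
# Added example (not from the thread): triage the file locations samsara names
# and the running kernel drivers, flagging images whose signature does not verify.
# Run as Administrator. $DaysBack is an assumption.
# Caveat: on PowerShell 2.0 (Windows 7) catalog-signed OS files report NotSigned,
# so this is a shortlist, not a verdict.
$DaysBack = 30

$dirs = @(
    $env:APPDATA,                                   # current user's roaming AppData
    $env:LOCALAPPDATA,                              # current user's local AppData
    $env:ProgramData,                               # "all users" application data
    (Join-Path $env:SystemRoot 'System32'),         # DLLs dropped next to system files
    (Join-Path $env:SystemRoot 'System32\drivers')  # .sys files
)

function Get-SuspectFiles {
    param([string[]]$Paths, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($d in $Paths) {
        if (-not (Test-Path $d)) { continue }
        # System32 is large and flat for our purposes; only recurse under the AppData trees
        $recurse = $d -notlike '*System32*'
        Get-ChildItem -Path (Join-Path $d '*') -Include *.dll,*.sys,*.exe -Recurse:$recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    New-Object PSObject -Property @{
                        Path      = $_.FullName
                        Written   = $_.LastWriteTime
                        Signature = $sig.Status
                        Signer    = $signer
                    }
                }
            }
    }
}

function Get-RunningDriverSignatures {
    # A driver that is loaded but whose image is missing or unverifiable is worth a look,
    # since a rootkit's driver is exactly the thing it tries to keep scanners from seeing.
    Get-WmiObject Win32_SystemDriver -Filter "State = 'Running'" | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # WMI reports NT-style paths; map them to Win32 paths before checking
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^System32', (Join-Path $env:SystemRoot 'System32')
        if (-not (Test-Path $path)) {
            New-Object PSObject -Property @{ Driver = $_.Name; Path = $_.PathName; Signature = 'PATH NOT FOUND' }
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{ Driver = $_.Name; Path = $path; Signature = $sig.Status }
        }
    }
}

Write-Host "== Unverified DLL/SYS/EXE files written in the last $DaysBack days =="
Get-SuspectFiles -Paths $dirs -Days $DaysBack |
    Sort-Object Written -Descending |
    Format-Table Written, Signature, Path -AutoSize

Write-Host '== Running kernel drivers whose image does not verify =='
Get-RunningDriverSignatures | Format-Table Driver, Signature, Path -AutoSize
```

Because the script runs on the live system, a kernel-mode rootkit can still hide its files from it; that is the limitation samsara's earlier rescue-CD advice addresses. Used from the running box it narrows down what to look up (or what to carry over to a clean machine to check), which is the same manual approach the OTL log serves.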


Best answer: It seems better, but I've no idea why it's better.

Everything I've tried is saying there is nothing there so hard to tell.

The last thing I tried was this. No-one suggested this???

UnHackMe - First BootWatch AntiRootkit

http://greatis.com/unhackme/

The software itself looks like some dodgy virus malware!

Get this though - EVEN THIS SAID MY PC WAS CLEAR !!!
posted by flexiverse at 4:28 AM on July 28, 2011


UnHackMe looks good from its Web of Trust rating. Glad it's cleared up! To prevent future infections you can check my profile for a malware prevention guide....as well as deezil's profile for additional information on malware removal. Happy and safe computing!
posted by samsara at 5:50 AM on July 28, 2011


Response by poster: I still have no idea if it's gone, nothing has said it's found anything and removed it.

This is not my idea of fixing a problem!


I'm just a bit surprised that no-one has mentioned unhackme, but me!
posted by flexiverse at 3:06 AM on July 29, 2011


Well...there's a set of commonly used tools and a bajillion obscure and untested ones. You took a risk with unhackme, but so far so good right? Since I haven't seen any OTL logs, I wouldn't recommend banking or doing anything important on this PC until it is wiped and reloaded. Unhackme might have simply broken the dll chain that was causing redirection, but when AV programs and scanners say things are clean, it's not always the case as you've seen. It's very possible you're malware free now...I would occasionally run checks for Zeus, TDSS, Conficker, etc as the detection engines are updated for newer variants. The trojans and rootkits of today are nothing like they were 5 years ago. Ever since these guys figured out there was money to be made in online banking, the level of sophistication has become mind numbing.

Anyway, good luck. While things seem functional, the only way to really feel like the problem is completely fixed is by doing a wipe-reload at some point. Treat your computer now as if it has been compromised. And when you redo it, make an administrator account and reduce your own rights to keep malware from getting to the system level like this one did.
posted by samsara at 5:33 AM on July 29, 2011
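samsara's closing advice, a separate administrator account with the daily-use account dropped to a standard user, is a two-step change that is easy to get wrong in the order that locks you out. The script below is an added example, not code from the thread; it uses net.exe so it works on Windows 7 as well as later versions, and it only demotes the daily account after confirming another administrator exists. `$AdminName` is an assumption; `$DailyUser` defaults to the account you are logged in as. Run it from an elevated PowerShell prompt on the freshly reloaded system.

```powershell
# Added example (not from the thread): create a separate administrator account and
# make the daily-use account a standard user. Run as Administrator on the rebuilt PC.
# $AdminName is an assumption; $DailyUser is the currently logged-on account.
$AdminName = 'LocalAdmin'
$DailyUser = $env:USERNAME

function Get-LocalAdmins {
    # Enumerate the members of the local Administrators group via ADSI (works on Win7+)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# 1. Create the admin account if it does not exist. 'net user NAME *' prompts for
#    the password interactively so it never appears in the command history.
net user $AdminName 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    net user $AdminName * /add
    if ($LASTEXITCODE -ne 0) { throw "Could not create account $AdminName" }
}
net localgroup Administrators $AdminName /add 2>&1 | Out-Null

# 2. Demote the daily account only once the new administrator is confirmed in the
#    group; otherwise you would be left with no account able to elevate.
$admins = @(Get-LocalAdmins)
if ($admins -notcontains $AdminName) {
    Write-Warning "$AdminName is not in Administrators; leaving $DailyUser unchanged."
} elseif ($admins -contains $DailyUser) {
    net localgroup Administrators $DailyUser /delete
    Write-Host "$DailyUser is now a standard user; UAC will ask for $AdminName's credentials when elevation is needed."
} else {
    Write-Host "$DailyUser is already a standard user."
}

Write-Host "Administrators group now contains: $((Get-LocalAdmins) -join ', ')"
```

The group change takes effect at the next logon of the demoted account. From then on a drive-by or a trojanised download running under the daily account cannot install drivers or write to System32 without a UAC prompt for the separate administrator password, which is the "system level" samsara is referring to.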

