Goog1e installer virus

KonFusion

Hey folks,

Following on from a thread I posted in the Windows forum, I found I had the goog1e virus.

I installed MBAM, updated, ran a scan and used it to remove the virus.

Though the virus was found by MBAM, I experienced none of the maladies from the virus (no redirects etc. no perceivable one's anyway) that I noticed, apart from the window unfocusing randomly every 20-30 seconds (which I presume was due to the virus).

Just wondering if there are any post removal tips to ensure it's gone, and possibly reverse any damage it may have done?

KonFusion

Redacted

mp22

Did you run malwarebytes in safe mode?

KonFusion

mp22 wrote: »

Did you run malwarebytes in safe mode?

Negative. Shall do when I get home.

mp22

KonFusion wrote: »

Negative. Shall do when I get home.

Yes always best to run malware bytes in safe mode.

ASJ112

Do you have the log from when mbam found and removed the infection ?

KonFusion

mp22 wrote: »

Yes always best to run malware bytes in safe mode.

Ran it in safe mode. Nothing found.

Latest log below.

Any suggested next steps?

KonFusion

ASJ112 wrote: »

Do you have the log from when mbam found and removed the infection ?

Indeed I do.

Here ya go:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.16.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Shane :: SHANE-PC1 [administrator]

Protection: Enabled

17/12/2012 00:41:47
mbam-log-2012-12-17 (00-41-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241564
Time elapsed: 11 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Shane\Downloads\goog1e__installer.com (Trojan.Pirminay) -> Quarantined and deleted successfully.

(end)

ASJ112

If you want a further look to see if it got elsewhere then do this


Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Quick Scan button. Do not change any settings. The scan wont take long.
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files here

KonFusion

Redacted.

ASJ112

looks ok. Open OTL copy and paste this in the custom scan/fixes box

:OTL
O32 - AutoRun File - [2009/02/07 08:10:22 | 000,000,047 | R--- | M] () - \autorun.inf -- [ CDFS ]
O33 - MountPoints2\{0708d0e9-72c4-11e1-96f3-bcaec5159d13}\Shell - "" = AutoRun
O33 - MountPoints2\{0708d0e9-72c4-11e1-96f3-bcaec5159d13}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{3a317f67-66db-11e0-886b-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{3a317f67-66db-11e0-886b-806e6f6e6963}\Shell\AutoRun\command - "" = E:\lge.exe
O33 - MountPoints2\{75f73018-737f-11e1-b7e9-bcaec5159d13}\Shell - "" = AutoRun
O33 - MountPoints2\{75f73018-737f-11e1-b7e9-bcaec5159d13}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{75f73028-737f-11e1-b7e9-bcaec5159d13}\Shell - "" = AutoRun
O33 - MountPoints2\{75f73028-737f-11e1-b7e9-bcaec5159d13}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{7e873a79-d3b8-11e0-bae8-bcaec5159d13}\Shell - "" = AutoRun
O33 - MountPoints2\{7e873a79-d3b8-11e0-bae8-bcaec5159d13}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{7e873b89-d3b8-11e0-bae8-bcaec5159d13}\Shell - "" = AutoRun
O33 - MountPoints2\{7e873b89-d3b8-11e0-bae8-bcaec5159d13}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{a8609b6e-8fda-11e0-8414-bcaec5159d13}\Shell - "" = AutoRun
O33 - MountPoints2\{a8609b6e-8fda-11e0-8414-bcaec5159d13}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{a8609b7c-8fda-11e0-8414-bcaec5159d13}\Shell - "" = AutoRun
O33 - MountPoints2\{a8609b7c-8fda-11e0-8414-bcaec5159d13}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{cba998cf-45d7-11e1-bfa9-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{cba998cf-45d7-11e1-bfa9-806e6f6e6963}\Shell\AutoRun\command - "" = \Autorun.exe -- [2010/03/13 01:48:04 | 000,385,024 | R--- | M] (TP-LINK TECHNOLOGIES CO., LTD.)
O33 - MountPoints2\{d605e7b0-74e1-11e1-a71a-bcaec5159d13}\Shell - "" = AutoRun
O33 - MountPoints2\{d605e7b0-74e1-11e1-a71a-bcaec5159d13}\Shell\AutoRun\command - "" = E:\AutoRun.exe
[2012/12/18 18:24:27 | 000,000,505 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.ics

:Commands
[PURITY]
[EMPTYTEMP]
[EMPTYFLASH]
[RESETHOSTS]
[EMPTYJAVA]
[CREATERESTOREPOINT]
[Reboot]
:Files
ipconfig /flushdns /c
C:\goog1e__installer.com /s


click run fix post the log it gives you. No need to put it in a codebox


Also do you recognise this folder ?

C:\Users\Shane\AppData\Roaming\0ad

KonFusion

ASJ112 wrote: »

Also do you recognise this folder ?

C:\Users\Shane\AppData\Roaming\0ad

Yup. It's the folder for a Mount & Blade custom mod game

Logs on the way. OTL is currenting hanging on "Moving C:\goog1e__installer.com..."

ASJ112

the fix should only take a few minutes. if it appears frozen you can remove this line from the fix and re-do it

C:\goog1e__installer.com /s

KonFusion

ASJ112 wrote: »

the fix should only take a few minutes. if it appears frozen you can remove this line from the fix and re-do it

C:\goog1e__installer.com /s

Here's the log:

All processes killed
========== OTL ==========
File move failed. \autorun.inf scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0708d0e9-72c4-11e1-96f3-bcaec5159d13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0708d0e9-72c4-11e1-96f3-bcaec5159d13}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0708d0e9-72c4-11e1-96f3-bcaec5159d13}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0708d0e9-72c4-11e1-96f3-bcaec5159d13}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a317f67-66db-11e0-886b-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3a317f67-66db-11e0-886b-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a317f67-66db-11e0-886b-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3a317f67-66db-11e0-886b-806e6f6e6963}\ not found.
File E:\lge.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{75f73018-737f-11e1-b7e9-bcaec5159d13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75f73018-737f-11e1-b7e9-bcaec5159d13}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{75f73018-737f-11e1-b7e9-bcaec5159d13}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75f73018-737f-11e1-b7e9-bcaec5159d13}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{75f73028-737f-11e1-b7e9-bcaec5159d13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75f73028-737f-11e1-b7e9-bcaec5159d13}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{75f73028-737f-11e1-b7e9-bcaec5159d13}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75f73028-737f-11e1-b7e9-bcaec5159d13}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7e873a79-d3b8-11e0-bae8-bcaec5159d13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e873a79-d3b8-11e0-bae8-bcaec5159d13}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7e873a79-d3b8-11e0-bae8-bcaec5159d13}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e873a79-d3b8-11e0-bae8-bcaec5159d13}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7e873b89-d3b8-11e0-bae8-bcaec5159d13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e873b89-d3b8-11e0-bae8-bcaec5159d13}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7e873b89-d3b8-11e0-bae8-bcaec5159d13}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e873b89-d3b8-11e0-bae8-bcaec5159d13}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8609b6e-8fda-11e0-8414-bcaec5159d13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8609b6e-8fda-11e0-8414-bcaec5159d13}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8609b6e-8fda-11e0-8414-bcaec5159d13}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8609b6e-8fda-11e0-8414-bcaec5159d13}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8609b7c-8fda-11e0-8414-bcaec5159d13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8609b7c-8fda-11e0-8414-bcaec5159d13}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8609b7c-8fda-11e0-8414-bcaec5159d13}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8609b7c-8fda-11e0-8414-bcaec5159d13}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cba998cf-45d7-11e1-bfa9-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cba998cf-45d7-11e1-bfa9-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cba998cf-45d7-11e1-bfa9-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cba998cf-45d7-11e1-bfa9-806e6f6e6963}\ not found.
File move failed. \Autorun.exe scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d605e7b0-74e1-11e1-a71a-bcaec5159d13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d605e7b0-74e1-11e1-a71a-bcaec5159d13}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d605e7b0-74e1-11e1-a71a-bcaec5159d13}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d605e7b0-74e1-11e1-a71a-bcaec5159d13}\ not found.
File E:\AutoRun.exe not found.
C:\Windows\SysNative\drivers\etc\hosts.ics moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 6275710 bytes
->Temporary Internet Files folder emptied: 6884965 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 163740602 bytes
->Google Chrome cache emptied: 345079500 bytes
->Flash cache emptied: 1837 bytes

User: Public

User: Shane
->Temp folder emptied: 16114391066 bytes
->Temporary Internet Files folder emptied: 320031693 bytes
->Java cache emptied: 1578514 bytes
->FireFox cache emptied: 91480320 bytes
->Google Chrome cache emptied: 369755146 bytes
->Apple Safari cache emptied: 3845120 bytes
->Flash cache emptied: 58418 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 839714758 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36045600 bytes
RecycleBin emptied: 944291575 bytes

Total Files Cleaned = 18,352.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Guest
->Flash cache emptied: 0 bytes

User: Public

User: Shane
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Guest
->Java cache emptied: 0 bytes

User: Public

User: Shane
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Shane\Downloads\cmd.bat deleted successfully.
C:\Users\Shane\Downloads\cmd.txt deleted successfully.
File\Folder C:\goog1e__installer.com not found.

OTL by OldTimer - Version 3.2.69.0 log created on 12192012_000228

Files\Folders moved on Reboot...
File move failed. \autorun.inf scheduled to be moved on reboot.
File move failed. \Autorun.exe scheduled to be moved on reboot.
C:\Users\Shane\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

KonFusion

Wow....must clear temp folders more often.

ASJ112

looks good, no malware on that machine. having any problems ?

KonFusion

ASJ112 wrote: »

looks good, no malware on that machine. having any problems ?

Not that I can perceive.

Thanks a great deal for the help