GoingOnEarth Virus/Malware

Ray Davies

I've reached the end of the line, you guys are my last hope.

Anybody know how to get rid of this damn virus? It redirects search
pages to google and other sites, like goingonearth.com

Already tried Avira, MalwareBytes, the MS scanner (msert), Spybot,
Combofix (the virus mucks it up by changing folder names and permissions
and it won't run) and also the hosts file (nothing there). Autoruns doesn't
show anything suspicious either.

It even makes it impossible to search for removal solutions on the web,
it redirects all results with "goingonearth" to an unrelated site which
offers no solutions whatsoever.

I know chances are I will need to reformat and reinstall Windows but
thought I should give one last try here.

Thanks in advance.
 
David H. Lipman

Ray Davies said:
I've reached the end of the line, you guys are my last hope.

Anybody know how to get rid of this damn virus? It redirects search
pages to google and other sites, like goingonearth.com

Already tried Avira, MalwareBytes, the MS scanner (msert), Spybot,
Combofix (the virus mucks it up by changing folder names and permissions
and it won't run) and also the hosts file (nothing there). Autoruns doesn't
show anything suspicious either.

It even makes it impossible to search for removal solutions on the web,
it redirects all results with "goingonearth" to an unrelated site which
offers no solutions whatsoever.

I know chances are I will need to reformat and reinstall Windows but
thought I should give one last try here.

Thanks in advance.

Please create an account here and try to get resolution...
http://forums.malwarebytes.org
 
Nobody > (Revisited)

Ray Davies said:
I've reached the end of the line, you guys are my last hope.

Anybody know how to get rid of this damn virus? It redirects search
pages to google and other sites, like goingonearth.com

Already tried Avira, MalwareBytes, the MS scanner (msert), Spybot,
Combofix (the virus mucks it up by changing folder names and permissions
and it won't run) and also the hosts file (nothing there). Autoruns doesn't
show anything suspicious either.

It even makes it impossible to search for removal solutions on the web,
it redirects all results with "goingonearth" to an unrelated site which
offers no solutions whatsoever.

I know chances are I will need to reformat and reinstall Windows but
thought I should give one last try here.

Thanks in advance.

For the record, it's not a virus, it's a browser hijack trojan.

Nitpicky, I know. Just call them both malware and let the purists sort
it out.


MBAM (MalwareBytes AntiMalware) should do it, but there are some steps
that aren't obvious unless you've been around this stuff.

Do a fresh download of MBAM's install file on a clean computer (to make
sure you have the latest version and defs) and rename it to something
like "skunk.exe" (just the filename, not the .exe part)

Transfer it to the infected pooter, preferably onto the hard drive.

Start said victim pooter in SAFE mode, on the "Administrator" titled
account, and install MBAM. DO NOT GO ONLINE.

Reboot, again in SAFE as "Administrator" and run it, DO NOT GO ONLINE.

Reboot again as normal and see if the browser is "yours" again, not
GoingOnEarth's.

Let MBAM update itself, then run it again in normal mode just to be safe.

Why the extra steps? Doing all this in SAFE mode bypasses the "hooks"
that the trojan uses to avoid stopping/blocking any cleaning attempts.
I added a couple "just because".
The renaming is done in case the malware is looking for (and blocking)
filenames specific to known malware-stomping applications.
Putting the install file on the hard drive is just a butt-cover in case
you can't access a thumbdrive or optical drive in SAFE mode.

As for the permissions issue, there's no way of knowing if MBAM fixed
it or not until you try to access those files/folders.

Taking ownership with "bare Windows" is a pain, whether the bad
ownership is caused by malware or just another random Windows "feature".

A simple registry tweak can add "Take Ownership" as a right-click menu
item in Windows Explorer, and I do it on all Winboxes I deal with unless
it's a corporate machine. That way you can fix that problem as soon as
you find it, no matter what the cause.

Search for "Take ownership right click", it's no big secret and it's all
over the web. Don't worry if they are talking about Win 7, Vista or XP,
it's the same for all.


--
"Shit this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me motherfucker?"
Jim “Dandy” Mangrum
 
Ray Davies

Nobody said:
For the record, it's not a virus, it's a browser hijack trojan.

Nitpicky, I know. Just call them both malware and let the purists sort
it out.


MBAM (MalwareBytes AntiMalware) should do it, but there are some steps
that aren't obvious unless you've been around this stuff.

Do a fresh download of MBAM's install file on a clean computer (to
make sure you have the latest version and defs) and rename it to
something like "skunk.exe" (just the filename, not the .exe part)

Transfer it to the infected pooter, preferably onto the hard drive.

Start said victim pooter in SAFE mode, on the "Administrator" titled
account, and install MBAM. DO NOT GO ONLINE.

Reboot, again in SAFE as "Administrator" and run it, DO NOT GO ONLINE.

Reboot again as normal and see if the browser is "yours" again, not
GoingOnEarth's.

Let MBAM update itself, then run it again in normal mode just to be
safe.

Why the extra steps? Doing all this in SAFE mode bypasses the "hooks"
that the trojan uses to avoid stopping/blocking any cleaning attempts.
I added a couple "just because".
The renaming is done in case the malware is looking for (and blocking)
filenames specific to known malware-stomping applications.
Putting the install file on the hard drive is just a butt-cover in
case you can't access a thumbdrive or optical drive in SAFE mode.

As for the permissions issue, there's no way of knowing if MBAM fixed
it or not until you try to access those files/folders.

Taking ownership with "bare Windows" is a pain, whether the bad
ownership is caused by malware or just another random Windows
"feature".

A simple registry tweak can add "Take Ownership" as a right-click menu
item in Windows Explorer, and I do it on all Winboxes I deal with
unless it's a corporate machine. That way you can fix that problem as
soon as you find it, no matter what the cause.

Search for "Take ownership right click", it's no big secret and it's
all over the web. Don't worry if they are talking about Win 7, Vista
or XP, it's the same for all.

Thank you very much for your detailed reply, I will do everything exactly
as you said this afternoon and let you know what happens.
 
Ray Davies

David said:
Please create an account here and try to get resolution...
http://forums.malwarebytes.org

Thank you, I will do that later on this afternoon when I have access to a
clean machine.

I see there have been several posts already about this g-o-i-n-g-o-n-e-a-r-
t-h redirector (I have to disguise the word or else the computer goes
crazy) but apparently no solution has been found yet? But I'm probably not
getting the full search results as the virus interferes with everything
containing that word.

Here's something that I forgot to mention in the OP that I've tried but was
unable to get anywhere:

C:\>ipconfig /displaydns

Windows IP Configuration
Could not display the DNS Resolver Cache.

C:\>ipconfig /flushdns

Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.

I'm running as admin, any ideas?

Thanks again.
 
David H. Lipman

Ray Davies said:
UPDATE: Shortly after posting the above I realized the DNS service wasn't
running, so I had it started manually and then set it to automatic.

This time I did not get an error flushing the DNS but it seems to be
still poisoned somehow - see below:

As you can see all of those domains are also entries in my hosts file
created by Spybot S&D so no harm (I guess?) but I'd like to know how to
clear them out of my dns cache.

Thanks again you all.

There is no sense in clearing them out of the DNS cache if the entries are in an
etc/hosts file.

I want you to try something different. Download my Multi-AV Scanning Tool and run the
Trend Micro and then Sophos modules in "detect only" mode and see if anything is
detected.

If EITHER comes up with a detection which contains "patched" then don't let it perform a
removal. Report back the findings. If it is a legitimate file that is patched and it is
removed then you could end up in a BSoD condition which we want to avoid.

If NONE of the malware is detected with the name "patched", the files can be removed.
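An added example (not from the thread) of the point made above: entries preloaded from the hosts file stay in the resolver cache after `ipconfig /flushdns`, so a cache dump should be read against the hosts file before a stubborn entry is taken for cache poisoning. The hosts file and `ipconfig /displaydns` samples below are constructed, and the parsers assume the standard layout of that command's output.

```python
import re

# Constructed sample hosts file (not from the thread), Spybot-style block included.
HOSTS_SAMPLE = """# constructed sample
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1\tgoingonearth.com
"""

# Constructed excerpt laid out like `ipconfig /displaydns` output.
DISPLAYDNS_SAMPLE = """Windows IP Configuration
    goingonearth.com
    ----------------------------------------
    Record Name . . . . . : goingonearth.com
    A (Host) Record . . . : 127.0.0.1

    www.google.com
    ----------------------------------------
    Record Name . . . . . : www.google.com
    A (Host) Record . . . : 203.0.113.9
"""

def parse_hosts(text):
    """Map hostname -> IP from hosts-file text, skipping comments and blanks."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def parse_displaydns(text):
    """Map record name -> A record address from `ipconfig /displaydns` text."""
    records, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Record Name[ .]*: (\S+)", line)
        if m:
            name = m.group(1).lower()
            continue
        m = re.match(r"\s*A \(Host\) Record[ .]*: (\S+)", line)
        if m and name:
            records[name] = m.group(1)
    return records

def explain_cache(cache, hosts):
    """'hosts': preloaded from the hosts file, so it survives /flushdns;
    'mismatch': cache and hosts disagree; 'dynamic': ordinary resolver answer."""
    return {n: ("dynamic" if n not in hosts else
                "hosts" if hosts[n] == ip else "mismatch")
            for n, ip in cache.items()}
```

A "mismatch" verdict (cache pointing somewhere other than what the hosts file says) is the case worth investigating; a "hosts" verdict is expected and is exactly why flushing does not remove it.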
 
Ray Davies

David said:
There is no sense in clearing them out of the DNS cache if the entries
are in an etc/hosts file.

Yea, I have hundreds of entries there but the question is why those
particular ones cannot be flushed out? How does this despicable piece of
code manage to do this?

I have also tried resetting TCP/IP with "netsh int ip reset c:\resetlog.txt"
to no avail.

Then I found a post somewhere suggesting certain files be deleted and
miraculously that seems to have worked, at least thus far. I'll post an
image of these 4 files and paths that are still sitting in my recycle bin
because it's easier than copying it by hand:

http://i.imgur.com/4s05O.png

What do you know - no more redirects, and I was even able to flush the
dns without any issues. If any of you bug hunters out there would like
to examine them let me know and I'll gladly email it to you or post it at
a file hosting site somewhere, like despositfiles.com.

I've tried opening qmgr0.dat with notepad out of curiosity but not much
could be seen there, not sure what would be the best app to peek into it.

I did try Multi-AV like you suggested too but it was taking too darn long
(over 3 hours) and by then the problem seemed to have been resolved so I
cancelled it. Will keep it in mind should the problem rear its ugly head
again in the future.

Thanks again.
 
David H. Lipman

Ray Davies said:
Yea, I have hundreds of entries there but the question is why those
particular ones cannot be flushed out? How does this despicable piece of
code manage to do this?

I have also tried resetting TCP/IP with "netsh int ip reset c:\resetlog.txt"
to no avail.

Then I found a post somewhere suggesting certain files be deleted and
miraculously that seems to have worked, at least thus far. I'll post an
image of these 4 files and paths that are still sitting in my recycle bin
because it's easier than copying it by hand:

http://i.imgur.com/4s05O.png

What do you know - no more redirects, and I was even able to flush the
dns without any issues. If any of you bug hunters out there would like
to examine them let me know and I'll gladly email it to you or post it at
a file hosting site somewhere, like despositfiles.com.

I've tried opening qmgr0.dat with notepad out of curiosity but not much
could be seen there, not sure what would be the best app to peek into it.

I did try Multi-AV like you suggested too but it was taking too darn long
(over 3 hours) and by then the problem seemed to have been resolved so I
cancelled it. Will keep it in mind should the problem rear its ugly head
again in the future.

Thanks again.


If you can get those files to: http://www.uploadmalware.com/

I'd appreciate it.
 
Nobody > (Revisited)

If you can get those files to: http://www.uploadmalware.com/

I'd appreciate it.


Same here. Post the results URL.

 
Virus Guy

Ray said:
How does this despicable piece of code manage to do this?

Because you're running an NT-based version of windoze.

You run it because of peer pressure.

I run win-98se, and I just laugh and shake my head at all the people
that run XP/Vista/Seven.

You run it because you're told that it's made with the finest, silkiest,
most expensive code. Just like the emperor with no clothes. He also
had the invisible wool pulled over his eyes.
 
Ray Davies

Nobody said:
Same here. Post the results URL.

I'm really sorry but when I tried uploading the files I realized my recycle
bin was inexplicably empty :( They're not in the original directory
either.

Not sure what happened there, all I did since then was to uninstall
combofix, run ccleaner (and I made damn sure the "empty recycle bin" wasn't
ticked) and rebooted the machine once or twice. I know it wasn't multi-av
because they were there long after I had the scan stopped.

But I'm very confident that I can still find the .exe file that installed
the virus/malware in the first place, would that do? I'll upload that by
the end of today if you guys still want it.
 
David H. Lipman

Ray Davies said:
I'm really sorry but when I tried uploading the files I realized my recycle
bin was inexplicably empty :( They're not in the original directory
either.

Not sure what happened there, all I did since then was to uninstall
combofix, run ccleaner (and I made damn sure the "empty recycle bin" wasn't
ticked) and rebooted the machine once or twice. I know it wasn't multi-av
because they were there long after I had the scan stopped.

But I'm very confident that I can still find the .exe file that installed
the virus/malware in the first place, would that do? I'll upload that by
the end of today if you guys still want it.

We will be happy to take the malware associated with this or the malware dropper associated
with this (subject matter thread) or any malware submissions at:
http://www.uploadmalware.com/

If you enter my name with the submission, along with a contact email address, I could provide
further information. (At your discretion).
 
