Thread: Files Sent: Nasty goingonearth browser hijacker.

    #1 lllbob (Junior Member, joined Jan 2007, 12 posts)

    Just got rid of a new variant of the goingonearth dot com browser hijacker from a family member's PC.

    Symptom: When you search on Google and click a link, it redirects you.

    Runs a hidden scheduled task! (Gjtquun.job)
    Uses the rundll executable to execute cero6.dll, which is the hijacker.
    Adds two registry entries to execute the task (Gjtquun).
    Disables the Windows Security Center.
    Adds a boatload of trojans and what have ya, which get removed by most, but leaves the cero6 DLL hijacker.

    * Quick fix... Run SB or Malwarebytes to remove the 100s of trojans... then...
    Move or delete the file cero6.dll to another folder with the free software called "Unlocker". That seemed to also remove the hidden task.
    Registry entries require manual removal (Gjtquun).
    Flush DNS required. Command prompt: ipconfig /flushdns
    All temp files must also be removed. Run CCleaner several times.
    Use Spybot to re-enable the Security Center REG key, then enable the security services in System Services and start the service.
    Goingonearth is now going going GONE.

    Files attached include: 2 reg entries.txt, 1 cero6.dll. Sys infected: Windows 7 x64. Firefox. Anti-virus: Avast ("currently failed").

    Dang... I didn't think to use the anti-virus that I use on my PC. Avira, lol!

    Result: 2/43 (4.7%) from VirusTotal.
    Additional information:
    MD5 : 22e9a59bd0604f09f458cfe7d3387f04
    SHA1 : 0da041a85ef145c7f398a81f26f6935bbafd4f60
    SHA256: 0c9e82890d803889d174628169ae9f5b99ccc4b56ef49179cb28c40950ea78cd
    Pass for the file sent is: infected
    Last edited by lllbob; 2011-08-10 at 02:03. Reason: oops: Forgot to tell ya the pass: infected
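Added triage check, not part of the original post: a read-only PowerShell snippet for a Windows 7 host that looks for the three traces described above (a .job file in the legacy Tasks folder, Run-key entries that launch a DLL through rundll32, and the state of the Security Center service). The task and DLL names come from the post; the service name wscsvc and the Run-key paths are standard Windows locations, and the "review" flag on anything else is an assumption that a human looks at it.

```powershell
# Added triage check (not from the original post): inspect a Windows 7 host for
# the traces the post describes. Read-only; it changes nothing on the machine.
$suspectDll = 'cero6.dll'      # hijacker DLL named in the post
$suspectJob = 'Gjtquun.job'    # hidden scheduled task named in the post

# 1. Legacy scheduled tasks are .job files under %windir%\Tasks.
#    -Force also lists hidden files, which is how this task stayed out of sight.
$tasksDir = Join-Path $env:windir 'Tasks'
$jobs = Get-ChildItem -Path $tasksDir -Filter '*.job' -Force -ErrorAction SilentlyContinue
foreach ($job in $jobs) {
    $hidden = [bool]($job.Attributes -band [IO.FileAttributes]::Hidden)
    $flag = if ($job.Name -ieq $suspectJob) { 'MATCH' } else { 'review' }
    "[$flag] task file: $($job.FullName) (hidden: $hidden)"
}

# 2. Run/RunOnce values that call rundll32 with a DLL are the persistence the post mentions.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own PSPath etc.
        $v = [string]$p.Value
        if ($v -match 'rundll32' -and $v -match '\.dll') {
            $flag = if ($v -match [regex]::Escape($suspectDll)) { 'MATCH' } else { 'review' }
            "[$flag] $key\$($p.Name) = $v"
        }
    }
}

# 3. The post says the Security Center was disabled; on a healthy box wscsvc
#    is set to start automatically and is running.
$wsc = Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'"
if ($wsc) {
    "Security Center service: state=$($wsc.State), start mode=$($wsc.StartMode)"
} else {
    "Security Center service (wscsvc) not found"
}
```

Run it from an elevated prompt so the HKLM keys and the hidden Tasks folder are readable; a "MATCH" line means the exact artefact from the post is present, "review" lines are other rundll32 DLL autostarts worth a look.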
