Google Redirect Virus Or What?


Sheryl


Windows XP on a Lenovo laptop, browser is Firefox, antivirus is Kaspersky Internet Security 2011

I do not have google analytics, or if I do, it somehow got added on without my knowledge.

Every few bleeping seconds, the page tries to redirect to and I get a warning from Kaspersky that www.google-analytics.com/ga.js//ga is trying to download an object that contains a virus.

Problem not limited to certain websites, happens with all.

Ran Hijack this!, shows nothing. Ran the Kaspersky anti-virus, malwarebytes, combofix -- ditto, ditto, ditto

To my understanding the google-analytics site is a valid one, so the virus alarm could be a Kaspersky false positive, but the question still remains why I keep redirecting there??

it's slowing down my connection and generally driving me nuts....


Google analytics is software deployed on websites to help track usage.

There are reports of Google analytics having been compromised with a virus payload but this would most likely just affect a single website, not all (or many) websites.

There are also examples of other AV software (bitdefender) finding false positives with Google analytics before.

The recommendation for this is to update the virus software. After that it's a good idea to clear the browser cache and restart the browser.


One quick question...

How do you know that "Hijack this!" didn't find anything?

Findings to me look like they always do, I don't see anything new. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:31:43 PM, on 4/12/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21256)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\PMHandler.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PMSveH.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thaivisa.com/forum/Health-Body-Medicine-f23.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll

O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm

O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--

End of file - 3989 bytes



I've already updated and run the antivirus as well as cleared the cache, and restarted the browser multiple times; the only thing I haven't resorted to yet is uninstalling and reinstalling the browser.

I know that it might be a false positive in terms of being a virus, but the question remains of why I am redirected there at all. I can only think that some website I went to that had google analytics with a virus somehow installed it into my computer, but I can't find where it lurks.

Will try the programs suggested by Condo_bk


Are you using Google DNS as I've seen problems with it causing re-directs for legit sites but Open DNS or the ISP DNS didn't.

It's an ISP DNS (TOT broadband)... at least I assume the TOT service isn't a google DNS.



Even though I am not an expert at analysing your log, I marked in red what to me looks peculiar. It is best to contact specialized forums, or maybe somebody here can help.

P.S.

Maybe try uninstalling/reinstalling your Google Toolbar.

Edited by Condo_bk

My research shows it's a "malware virus". It's called the "google analytics virus". Oddly it cannot be removed with any anti-virus program. You need to use a "Malware" removal program. It was suggested you try using: http://www.malwarebytes.org/mbam.php

I've never tried it or needed it, but they say it works. Good luck!

As mentioned in the original post, I already ran Malwarebytes with no result.

As for the superantispyware recommended by Condo, I downloaded it but it doesn't run. (Maybe not compatible with XP??)

Any other suggestions? It is seriously driving me nuts. I have already tried emails to Kaspersky and google to no avail.


I don't know superantispyware but one look at their website would make red lights flash for me.

If Malwarebytes doesn't find anything and you already tried clearing your cache for any residual fluff, chances are it's a false positive from Kaspersky.

Perhaps remove Kaspersky and try one of the other good, free AV products - avast or AVG for example.



Try this SUPERAntiSpyware Online Safe Scan.

Have you tried reinstalling Google Toolbar?

Edited by Condo_bk

The MalwareBytes forum has several threads concerning this... the most recent began 2011-03-28 thru today:

''Another Goggle Redirect Virus Thread''

http://forums.malwar...showtopic=79456

I note that title infers other threads... and I see there it has been very involved towards removal, which is still not yet complete.

Perhaps it may be best to join the MalwareBytes forum, create a thread in this subforum

http://forums.malwar...php?showforum=7

and seek help from those experts.

Wish you the best.


I don't know superantispyware but one look at their website would make red lights flash for me.

SUPERAntiSpyware is ranked right up there among the best anti-spyware programs. The interface is a little too cluttered for my liking, but I highly recommend it as an alternative to Malwarebytes.

It's also available as a portable app.

Edited by Supernova

There are reports of Google analytics having been compromized with a virus payload but this would most likely just affect a single website, not all (or many) websites.

Look at the dates in that link - these reports are from 2009. In the world of viruses and malware, that means it's pretty much guaranteed to be irrelevant now. If it's not from the last few months, it's invariably been patched already.

An actual virus coming in a JavaScript script would mean the browser has been compromised, and usually the vendors will update their browsers rather quickly in that case.

Maybe use Google Chrome for browsing, it's currently the most secure browser. Firefox should be pretty good too though.

Most likely this is a false alarm by Kaspersky.



Yes, and that was also my conclusion in the post that you partly quoted me from: The recommendation for this is to update the virus software. I also recommended in post #14 to replace Kaspersky with Avast or AVG.

Yes, I know it was an old link; I was just referring to it to show that there have been other examples of AV software showing false positives for Google.


Yes, I agree it may be a false positive, but the question remains why do I constantly get redirected to google analytics?

Does this happen if the website you are browsing uses it even though you yourself do not? I do not recall being redirected before.

????

Phil, virus software has been updated. As for switching antivirus programs, a rather big step. I can simply disable this particular alert in Kaspersky if I'm sure it's no problem... but I'll still keep getting redirected to google analytics, which slows my browsing way, way down.

BTW I tried removing Firefox and installing IE. Same problem.


Appears not the first time Kaspersky has had problems with this issue.

False positives - google. Some more recent reports show in the spybot forum on false positives.

Could you tell us what the exact error message is for the virus/malware that it says it is blocking? Also, is your Kaspersky database up to date?

Yes, database is up to date.

Message is "(browser name -- and occurs both in IE and Firefox)/ Downloading object//www.google-analytics.com/ga.js//ga, containing virus. detected"

(this is what I am getting now in IE. I think -- not sure -- that in Firefox it ended as "access denied").

In the Kaspersky log, it shows:

HEUR:Trojan.Script.Iframer followed by the url www.google-analtyics.com/ga.js//ga


Yes, most larger/professional websites use Google Analytics (GA) in order to generate usage statistics. When you go to a Thaivisa page, the page itself calls Google Analytics. This normally should be transparent to you. I don't know why it would slow your browsing down; I don't notice it at all.

You say you are "redirected" to GA - what exactly do you mean by that? Do you see a GA website, or is it just that you can see in the status bar that something is loading from GA?

Actually I would find switching browser a much bigger step than switching AV software :)



It's in the status bar, things slow way down, then I get a notice from Kaspersky saying it has detected the site trying to download a file with a virus... a series of warnings actually, first saying detected then (when I clear that) access denied. Slows things way, way down.

As mentioned, I can easily disable this alert. So if it's just a false alarm, no biggie. But is it normal for google analytics to download/attempt to download objects onto my computer?



Yes, anything you see in your browser needs to be downloaded to your PC before you can see it.

I am 100% sure there are no problems with Thaivisa and/or Google Analytics. I don't understand why it should slow down though, but it could perhaps be something to do with Kaspersky and the way it deals with what it perceives as a virus. I would still suggest uninstalling Kaspersky and install Avast or AVG, just to see if it makes a difference. It shouldn't take more than 10 minutes to do.


The issue was in no way limited to ThaiVisa, it was happening with every website I went to. I suspect the object being downloaded may not really have been from google analytics but rather was somehow disguised in that url. From what I could gather through google, there is an Iframe trojan about.

I ran the online Antispyware scan, it found a few infected files (apparently downloaded from the web, I didn't recognize the names of any of them) and a bunch of tracking cookies, deleted them but still had some trouble. Then downloaded and ran F-secure in safe mode, found >20 things which it labelled as "spyware" (seemed to be mostly cookies..?). After deleting them, problem solved.

knock on wood...
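
The thread's alert named the odd path "/ga.js//ga" and Sheryl's log showed a host spelled "google-analtyics"; the script below is an added example (not from this thread or any poster) of how a defender can triage that kind of clue offline: it pulls every script/iframe src out of a saved page and classifies each one as the real GA loader, the right host with an abnormal path, a lookalike host, or something unrelated, and it checks a hosts file for an entry pinning a GA host to some address, which is one local cause for the same alert on every site visited. The page HTML and hosts-file text are constructed samples, not captured from the poster's machine.

```python
import re
from urllib.parse import urlparse

# The only GA loader URLs a page should be pulling in; the thread's alert named
# the path "/ga.js//ga" and the log showed the misspelled host "google-analtyics".
LEGIT_GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
LEGIT_GA_PATHS = {"/ga.js", "/urchin.js"}

SRC_RE = re.compile(r'<(script|iframe)[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def edit_distance(a, b):
    """Levenshtein distance; a lookalike host is a few edits from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'legit', 'odd-path', 'lookalike-host' or 'other' for a src URL."""
    if url.startswith("//"):          # protocol-relative, as GA snippets often are
        url = "http:" + url
    elif "://" not in url:            # site-relative path, no host at all
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in LEGIT_GA_HOSTS:
        # Right host, but "/ga.js//ga" is not a path the real loader uses.
        return "legit" if parsed.path in LEGIT_GA_PATHS else "odd-path"
    if host and min(edit_distance(host, h) for h in LEGIT_GA_HOSTS) <= 2:
        return "lookalike-host"
    return "other"


def scan_html(html):
    """List (tag, url, verdict) for every script/iframe src in the page."""
    return [(tag.lower(), src, classify_url(src)) for tag, src in SRC_RE.findall(html)]


def hosts_overrides(hosts_text):
    """Hosts-file lines pinning a GA host to an address: a local redirect."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            if name.lower() in LEGIT_GA_HOSTS:
                hits.append((name.lower(), fields[0]))
    return hits


# Constructed sample page and hosts file (not captured from the poster's machine).
SAMPLE_HTML = """<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="//www.google-analytics.com/ga.js//ga"></script>
<script src="http://www.google-analtyics.com/ga.js"></script>
<script src="/js/site.js"></script>
</head><body>
<iframe src="http://www.google-analtyics.com/ga.js//ga" width="1" height="1"></iframe>
</body></html>"""

SAMPLE_HOSTS = """127.0.0.1 localhost
203.0.113.7 www.google-analytics.com   # constructed: would hijack every GA call
"""

if __name__ == "__main__":
    for tag, src, verdict in scan_html(SAMPLE_HTML):
        print(f"{verdict:15} <{tag}> {src}")
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS))
```

Run it against a page saved from the browser (View Source) and against the machine's hosts file; anything other than "legit" or "other" is the line to look at.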



Hi Sheryl

I'm getting the exact same thing as you, starting from this morning. Any site I visit which uses Google Analytics is causing my AVG to display an alert for Blackhole Exploit Kit, citing the Google ga.js file as the culprit.

Are you still problem-free having used the fix you described above? I'm just about to try F-Secure Anti-Virus - hope this works.

Cheers

H.

By the way, when I downloaded Antispyware from antispyware.com, I got other AVG alerts saying the downloaded file was infected. Maybe my AVG's going nuts...I didn't run the download though.

Edited by hanuman1
