Google toolbar changed, search redirected


16 replies to this topic

#1 Capn Easy

Capn Easy

  • Members
  • 597 posts
  • OFFLINE
  • Location:New Jersey
  • Local time:12:12 PM

Posted 27 November 2009 - 04:51 AM

Hello again -- I was here with a severe problem about a year ago. It took several weeks, and a lot of help, but I got cleaned.

I also learned a few things. I have since installed the NoScript and Cookie Whitelist addons to Firefox, I installed the free version of ZoneAlarm, and I installed a Hosts file managed by Hostsman. I am running Avast! as my antivirus program and I update and run MBAM every day. I'm using Windows XP SP3, and Firefox 3.5.5, and I keep check on my software with Secunia PSI 1.5.0.0.

Tonight I noticed some disturbing things. First, some options on my Google toolbar were turned on that had never been turned on before -- I didn't do it. Second, after checking in with a couple of forums and poking through Archive.org I did a Google search -- and when I clicked on the top item I was redirected. I've since tried it a few times and when I run the identical search and click on the first result I get redirected to the same site. If I click back a page to the search and click on the top result again I go to the proper site.

The Google search term is: "bob and ray" "music factory"

The first result on the Google search results page is:

Bob & Ray: The Lost Episodes: Volume 5
The Online Home of Bob and Ray. ... Story Teller (1:18); Farley Hubler, 42 Year Old
Industrialist Failure in 1968 (2:33); Music Factory Outro (1:11) ...
www.bobandray.com/albums/lost5.html - Cached




The first time I click on that result after running the search I am redirected to :

hXXp://webeasysearch.com/search/search.php?q=%26quot%3Bbob%20and%20ray%26quot%3B%20%26quot%3Bmusic%20factory%26quot%3B&aff=32135&saff=0




If I go back to the search page and click on the first result again I get to the correct page:

http://www.bobandray.com/albums/lost5.html



As soon as I realized what was happening (after scratching my head and trying it again) I closed Firefox, updated MBAM, and ran a Quick Scan. The results are:

Malwarebytes' Anti-Malware 1.41
Database version: 3241
Windows 5.1.2600 Service Pack 3

11/27/2009 4:15:24 AM
mbam-log-2009-11-27 (04-15-24).txt

Scan type: Quick Scan
Objects scanned: 117518
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



My last scan was last night.



I'd appreciate some guidance by a staff member to see if I've somehow picked up some new malware. I'd be crushed -- I've really been trying to stay safe!

Thanks!


#2 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 15 December 2009 - 09:36 PM

Resubmitting -- format problem

This post could be deleted by admin if necessary

Edited by Capn Easy, 15 December 2009 - 09:48 PM.


#3 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 15 December 2009 - 09:52 PM

The above was my original post.

Since then I can add the following:

Right after posting I ran Avast! -- both a conventional full scan and a boot-time scan. Both came up clean.

The Google Toolbar definitely has changed. I checked and it reported that it was version 6.1.20091119W. This would seem to indicate that the Toolbar had been updated on 11/19/2009. I don't know when or how mine was updated -- it operation definitely changed between the last time I used it, early in the morning hours of 11/26 and when I next used it late in the evening of 11/26. As far as I know, I get notified when a Firefox add-on has been updated and asked if I want to install the update -- I can't remember being asked to install an update to the Google Toolbar.

For about 2 weeks I was actively testing Google searches to see if they would be hijacked. The only search term that got hijacked was "bob and ray" "music factory" -- no other searches seem to be affected. Here is the text from my browser's history file showing the hijacks:

See next post for the history. I had trouble making sure the links were broken.

Sorry for any inconvenience.




I have been using Google a lot, and have not had any other search terms get redirected.



I'd love to know that this is harmless, perhaps a stray malware trace leftover from last year, but mostly I need to know.



So ... anyone up for a challenge? :thumbsup:


NOTE: Trouble including the history file -- I'll post it soon.

Edited by Capn Easy, 15 December 2009 - 10:02 PM.


#4 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 15 December 2009 - 09:59 PM

Let's see if the history file works this time --



----------------------------------------------------

11/28/2009

hXXp://www.bobandray.com/albums/lost5.html
hXXp://webeasysearch.com/search/search.php?q=%22bob+and+ray%22+%22music+factory%22&said=ns2
hXXp://webeasysearch.com/?q=97vP68zw3%2B%2Fy7uTr1%2FTl68Czz%2B%2F17%2BTe0Pzn0cv03OvA7OLBv%2F%2Fj1c%2B7oPXn7%2BK75OjL%2F6D29OP32fP06rvKtMD13%2BjQ8uX%2Fv%2FXktci2yNWz6eLBt%2FWg9vTj99nv9rvJ0uHzy9LHs8rsw%2F7I77K2yce7u6D29OP32fLv6%2BO7y9LPt8nS17fJ0uWyyde7u6D29OP32fTj4OP04%2FS7587UtuXC6fDKteK14v%2Bz6OS0v%2BjkwdPz37S%2F8sq1yOrf3szs58K%2F6eTCt%2Brk79z%2B1tXM7%2BS0z%2FTf0bPtzbXM7uPVz%2FTP67e35bTq7M203O7ftdTw5ejt78zoyPDi3szs3NHq7dbRs%2B7i68j159HQ8%2BLFt%2Bvc79z%2F5M7pv8vTz%2FzUtuLO0sC%2F6uTqv%2BDet9DSy%2BzPsszr6urW0NDT1O%2B2sg%3D%3D&c=%86
hXXp://www.google.com/search?hl=en&q=%22bob+and+ray%22+%22music+factory%22&sourceid=navclient-ff&rlz=1B3GGGL_en___US228&ie=UTF-8
hXXp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
file:///C:/Documents%20and%20Settings/Kevin/Application%20Data/Mozilla/Firefox/Profiles/x7vx2cpb.default/GoogleToolbarData/components/suggest_window.html
hXXp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official



11/29/2009

hXXp://www.bobandray.com/albums/lost5.html
hXXp://webeasysearch.com/search/search.php?q=%22bob+and+ray%22+%22music+factory%22&said=ns2
hXXp://www.google.com/search?hl=en&q=%22bob+and+ray%22+%22music+factory%22&sourceid=navclient-ff&rlz=1B3GGGL_en___US228&ie=UTF-8
hXXp://webeasysearch.com/?q=dTlNaU5yXW1wbGZpVXZnaUIxTW13bWZcUn5lU0l2XmlCbmBDPX1hV005IndlbWA5ZmpJfSJ0dmF1W3F2aDlINkJ3XWpScGd9PXdmN0o0Slcxa2BDNXcidHZhdVttdDlLUGNxSVBFMUhuQXxKbTA0S0U5OSJ0dmF1W3BtaWE5SVBNNUtQUX1KfmM3SXM5OSJ0dmF1W3ZhYmF2YXY5ZUxWNGdAa3JIN2A3YH0xamY2PWpmQ1FxXTY9cEg3SmhdXE5uZUA9a2ZANWhmbV58VFdObWY2TXZdUzFvTzdObGFXTXZNaTU1ZzZobk82XmxdN1ZyZ2pvbU5qSnJgXE5uXlNob1RTMWxgaUp3ZVNScWBHNWlebV59ZkxrPUlRTX5WNGBMUEI9aGZoPWJcNVJQSW5NME5paGhUUlJRVm00MA%3D%3D&c=%04
hXXp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
file:///C:/Documents%20and%20Settings/Kevin/Application%20Data/Mozilla/Firefox/Profiles/x7vx2cpb.default/GoogleToolbarData/components/suggest_window.html
hXXp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official


-----------------------------------------------------


That's better.


Anyway, any takers? :thumbsup:
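The redirect URL in post #1 and the history lines in post #4 can be triaged mechanically rather than by eye. What follows is an added example in Python, not code from the thread or from any of the tools it mentions. It walks a list of history URLs, skips the hosts a Google search from Firefox is expected to touch, and for everything else decodes the q= parameter and pulls out affiliate-style parameters. The URLs are the ones posted in the thread with hXXp restored to http; the allowlist EXPECTED_HOSTS and the parameter names in AFFILIATE_KEYS are assumptions made for this example.

```python
"""Triage browser-history URLs for search-redirect hijacks.

Added example, not from the forum thread.  The HISTORY lines are the
ones posted in the thread (hXXp restored to http); EXPECTED_HOSTS and
AFFILIATE_KEYS are assumptions made for the example.
"""
from html import unescape
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts a Google search from Firefox is expected to touch.  Assumption.
EXPECTED_HOSTS = {"www.google.com", "en-us.start.mozilla.com", "www.bobandray.com"}

# Query keys that redirect/traffic brokers commonly use for affiliate IDs.  Assumption.
AFFILIATE_KEYS = ("aff", "saff", "said")

# URLs copied from the thread's posted history and from the post #1 redirect.
HISTORY = """\
http://www.bobandray.com/albums/lost5.html
http://webeasysearch.com/search/search.php?q=%22bob+and+ray%22+%22music+factory%22&said=ns2
http://www.google.com/search?hl=en&q=%22bob+and+ray%22+%22music+factory%22&sourceid=navclient-ff&rlz=1B3GGGL_en___US228&ie=UTF-8
http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
file:///C:/Documents%20and%20Settings/Kevin/Application%20Data/Mozilla/Firefox/Profiles/x7vx2cpb.default/GoogleToolbarData/components/suggest_window.html
http://webeasysearch.com/search/search.php?q=%26quot%3Bbob%20and%20ray%26quot%3B%20%26quot%3Bmusic%20factory%26quot%3B&aff=32135&saff=0
"""


def decode_query(raw):
    """Undo the encodings layered on a redirect's q= value.

    parse_qs already removed one level of %-encoding.  The post #1
    redirect additionally carried HTML entities (&quot;) under a second
    %-encoding, so keep stripping both until the string stops changing.
    """
    text = raw
    while True:
        step = unescape(unquote(text))
        if step == text:
            return step
        text = step


def triage(history_text):
    """Return one finding per URL whose host is not in the allowlist."""
    findings = []
    for line in history_text.splitlines():
        line = line.strip()
        if not line or line.startswith("file:"):
            continue  # local profile files are not network traffic
        parts = urlsplit(line)
        if parts.hostname in EXPECTED_HOSTS:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        findings.append({
            "host": parts.hostname,
            "query": decode_query(params.get("q", [""])[0]),
            "affiliate": {k: params[k][0] for k in AFFILIATE_KEYS if k in params},
        })
    return findings


if __name__ == "__main__":
    for finding in triage(HISTORY):
        print(finding)
```

The post #1 redirect carries the search term HTML-entity-encoded and then percent-encoded a second time, which is why decode_query loops until nothing changes; a single decode would leave the &quot; entities in place. The aff/said values are worth searching the Firefox profile and the registry for, since they identify the broker account the redirect is paid to. The opaque q= blobs on the webeasysearch.com/?q=... history lines are deliberately left alone; they are not percent-encoded search terms, and the example makes no attempt to interpret them.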

#5 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 18 December 2009 - 03:25 AM

Well, things get interestinger and interestinger ... at least, for me.

For the first time since well before my very selective Google redirect, Malwarebytes complained of an infected file. It was picked up on a full scan this evening. In a quick scan earlier with the same database (there hadn't been an update) no problems were found. Also, full scans on 11/27, 11/28, 11/30 and 12/03 had not found any problems. Also, I've been doing at least one quick scan daily (often two quick scans daily) and none of them have complained.

The log:

Malwarebytes' Anti-Malware 1.42
Database version: 3382
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/18/2009 1:36:54 AM
mbam-log-2009-12-18 (01-36-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 261662
Time elapsed: 1 hour(s), 23 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP314\A0049145.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.




I quarantined and deleted the file, and restarted the computer immediately, as directed. I also then set a new restore point and removed all previous restore points.

I checked my logs in Avast! for anything with A0049145 in the name, but Avast! didn't have any mention of it.


In other news, I removed the Google toolbar. I didn't want to do that because I've found it very useful, but I just don't trust it anymore. I checked the Application Data and it appears that uninstalling this addon left its directory of data behind. Should I delete this manually?



So, is this likely something I should be worried about?

Edited by Capn Easy, 18 December 2009 - 03:26 AM.


#6 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 22 December 2009 - 12:21 AM

Well, I seem to be talking to myself here, but what the heck.

Since this all began, about a month ago, I've done multiple scans w/MBAM and a couple scans with Avast! and nothing came up, except the one problem on Dec 18th.

But today when I started the computer ZoneAlarm (Free) went frantic with attempts by agent.exe to access ports, etc. I recognized it as the name of a legit program, Installshield, but that wasn't normal behavior, so I updated and ran a full MBAM scan. Here's the log:



Malwarebytes' Anti-Malware 1.42
Database version: 3406
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/21/2009 8:30:41 PM
mbam-log-2009-12-21 (20-30-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 251345
Time elapsed: 1 hour(s), 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{0fcdc8c0-8297-4d27-85d2-84effa002f13} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{57e7a0d2-05a2-4743-9268-0af49f56d56c} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b7afd990-e814-4cc7-925a-c3938f71b81b} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{13289e82-7a5d-4ed5-bec9-2c3b34a88ed0} (Trojan.Small) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b9e3f918-328c-410a-b2e3-2abf9e209974} (Trojan.Small) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dtopMFC.ocx (Trojan.Small) -> Quarantined and deleted successfully.






After running MBAM, and restarting it as directed, I ran a boot-time scan with Avast! which found nothing. Still, given my experience, I believe that something is in there.

Edited by Capn Easy, 22 December 2009 - 12:23 AM.


#7 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 22 December 2009 - 03:27 PM

I also ran another full MBAM scan, which came up clean, but ZoneAlarm is still showing that agent.exe is attempting to get out one or more times every minute. Most of these appear to be loopback attempts. ZoneAlarm seems to be stopping them.

#8 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 22 December 2009 - 06:22 PM

Well, now it appears that MBAM may have had a false positive issue.

Still, the behavior of "agent.exe" changed radically yesterday. It is still making near constant attempts to get past the firewall. Prior to starting the computer yesterday this simply did not happen.

I'll include a screenshot of part of the firewall log. I'd really, really love to hear from anyone who can offer advice or an opinion.

Thanks.



[Screenshot of part of the ZoneAlarm firewall log; image not preserved.]

#9 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,574 posts
  • OFFLINE
  • Gender:Female
  • Location:LocalHost
  • Local time:12:12 PM

Posted 22 December 2009 - 09:37 PM

Can't read the fuzzy screen shot.
I think it shows destination being local host.
Considering agent.exe is or is a part of some updating service,
http://www.ehow.com/about_5200781_agent_exe_.html
it likely, very likely needs the loopback (127.0.0.1:ports).
Loopback means the computer is talking to itself, it's not going anywhere. Run IE and watch TCP/view. IE can't function without loopback. Many programs do it, Windows update being one.
If it's legit, allow it trusted rights in the Programs list. If it's not, then ZA is doing its job blocking.

Probably you need to figure out what programs are automatically updating, as mentioned in the link.

And post HijackThis log in the HJT section here to make sure you do not have some scumware trojan, but I have a hunch you do not. Though I don't know a thing about google toolbar or any of those other things you mentioned. I do know that google toolbar and all the other toolbars people install do update often, automatically. So if you installed it, for whatever reason, it's updating, I guess.

Edited by tos226, 22 December 2009 - 09:43 PM.
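The loopback point above can be checked without TCPView: on XP, `netstat -ano` prints the same local/foreign/PID columns, and `tasklist` maps each PID to an image name. What follows is an added example in Python, not code from the thread or from ZoneAlarm, that parses that output and reports, per process, which foreign hosts are the machine itself (127/8), which are private LAN addresses, and which are public. The NETSTAT text and the TASKLIST mapping are constructed samples in netstat's format; the PIDs, addresses and the firefox.exe row are invented for the illustration, not captures from the poster's machine.

```python
"""Classify netstat -ano output by destination, per process.

Added example, not from the forum thread.  NETSTAT and TASKLIST are
constructed samples in the format `netstat -ano` and `tasklist` print
on Windows XP; the PIDs, addresses and the firefox.exe row are invented.
"""
import ipaddress
from collections import defaultdict

NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1035         127.0.0.1:1036         ESTABLISHED     1524
  TCP    127.0.0.1:1036         127.0.0.1:1035         ESTABLISHED     1524
  TCP    127.0.0.1:1037         0.0.0.0:0              LISTENING       1524
  TCP    192.168.1.5:1042       64.233.169.104:80      ESTABLISHED     2288
  UDP    0.0.0.0:445            *:*                                    4
"""

# PID -> image name, as `tasklist` would report it.  Constructed.
TASKLIST = {1524: "agent.exe", 2288: "firefox.exe", 4: "System"}


def classify(addr):
    """Bucket a foreign address: loopback, private, public, or none (wildcard)."""
    host = addr.rsplit(":", 1)[0]
    if host in ("*", "0.0.0.0", "[::]"):
        return "none"  # listening socket or unspecified peer
    ip = ipaddress.ip_address(host.strip("[]"))
    if ip.is_loopback:  # test first: is_private is also True for 127/8
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def per_process(netstat_text, tasklist):
    """Map image name -> {bucket -> set of foreign hosts}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrecognised line
        foreign = fields[2]
        pid = int(fields[-1])
        name = tasklist.get(pid, f"pid {pid}")
        summary[name][classify(foreign)].add(foreign.rsplit(":", 1)[0])
    return summary


def remote_peers(summary, name):
    """Foreign hosts a process talks to that are NOT the machine itself."""
    buckets = summary.get(name, {})
    return sorted(buckets.get("private", set()) | buckets.get("public", set()))


if __name__ == "__main__":
    table = per_process(NETSTAT, TASKLIST)
    for proc in table:
        print(proc, "loopback:", sorted(table[proc]["loopback"]),
              "remote:", remote_peers(table, proc))
```

A process whose remote_peers list is empty is only talking to itself, which is the harmless case described above; a process that shows public addresses is the one to read the firewall log against. To use it on a real machine, save `netstat -ano` output to a file and pass its contents to per_process together with a PID-to-name mapping taken from `tasklist`.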


#10 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,574 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:12:12 PM

Posted 23 December 2009 - 04:10 PM

Likely spyware considering the robtex listing server names
Webeasysearch.com
http://safeweb.norton.com/report/show?url=...amp;x=0&y=0
http://www.robtex.com/dns/webeasysearch.com.html

#11 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 24 December 2009 - 01:49 AM

Thanks for the reply, tos226.

At this point I'm just not sure. I only ever had the one search term redirected, and I was running everything I could think of through Google. And I haven't had a single redirect since removing the toolbar.

After I removed the toolbar Firefox had an update. When I updated it warned me that the Google Toolbar was no longer compatible -- if I remember correctly it was because of concerns about whether it could be updated securely.

The agent.exe seems to be the legit component of Installshield. Someone pointed me towards information on turning it off, which I may try. I did try sending an email to the company from their website, but I haven't gotten a reply. They seem to be geared towards corporations more than individuals.


Anyway, it's been a while and I wound up soliciting opinions at several sites. Most folks who've answered say they don't think this is a security problem. Continued full scans with MBAM are coming up clean, as are standard scans, boot-time scans, and a thorough scan with Avast.

I guess I'll mostly keep my eye on it and see where it goes.

Edited by Capn Easy, 24 December 2009 - 01:35 PM.


#12 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 25 December 2009 - 04:03 AM

Well, that didn't work.

I never got a reply back from the company. They say that there should be an item in the Start menu to control/schedule the updates, but I don't have one. They provide an installer to install the control/schedule program in the event there is no Start menu item -- the installer seemed to run okay, but didn't add a Start menu item or any obvious way to control the updates.

Anyway, that's where I am now.



and Happy Holidays!

#13 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:12:12 PM

Posted 25 December 2009 - 04:55 AM

Okay, I may have found it. It looks like I have at least two programs that use InstallShield -- Acronis True Image Home, and RecordNow! Neither seemed to offer a way to control or schedule updates.

I still need Acronis, but RecordNow! was an old CD burner that I have not used in some time. I uninstalled RecordNow! and its updater, and rebooted. Since then agent.exe has not tried to get past ZoneAlarm and has not popped up in Windows Task Manager.

I still have "agent.exe" in the UpdateService folder, but it's quiet.

I'll know better after a little more time, but that may have fixed it.



Thanks for the reply, tos226 -- I really appreciate it.

I'm still bothered that these apparently unrelated symptoms occurred so close to each other -- I've never been a big believer in coincidence. At this point I have no noticeable symptoms, but the Google redirect is still not fully explained. I think I'll enter a period of "watchful waiting" for a while.

Thanks again, and happy holidays!

#14 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,574 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:12:12 PM

Posted 25 December 2009 - 08:28 PM

I have no UpdateService folder. I run XP. So what might it be? Where is it?
I have both Acronis and RecordNow.
They never update. Why would they need to update? to run a backup or burn a CD, now really!
No sign of any agent thing on my comp.
And I have a ton of programs that used InstallShield to install. I see it under ProgramFiles.

Happy holidays and Happy New Year to you as well :thumbsup:

Edited:
You say "I did try sending an email to the company from their website, but I haven't gotten a reply." what company? who issued that agent thing?

Edited by tos226, 25 December 2009 - 08:40 PM.


#15 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,574 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:12:12 PM

Posted 25 December 2009 - 08:59 PM

You might try to download, follow the instructions exactly and run
http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx
Don't worry about the two blank something they'll list. Worry about rootkits.

Another to download and run is gmer. Only scan. Do not change any settings, no monitoring, nothing. Then in the scan log look for red entries of weird items
http://www.gmer.net/

If any weird items are detected you should request here help for malware removal.

This is the last bunch of things I can possibly contribute. The end.

Edited by tos226, 25 December 2009 - 08:59 PM.




