Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect


  • This topic is locked This topic is locked
5 replies to this topic

#1 baylor

baylor

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 28 November 2009 - 02:26 AM

Hi everyone, my name is baylor and i'm a computer science instructor, so imagine how embarrassed i am that i can't figure out what's happening to my computer. It's a Windows XP SP3 laptop where i mostly use Firefox 3.5.5 (the latest i think). i Google a lot but today, many of the links Google gives me go to places they shouldn't go. For example, Google kitties, click the first link, roughly 75% chance you'll go to XXXX which will forward you to one of several dozen Web sites (they all look like sites whose names have expired). Not sure what's on those - new search engines maybe, possibly some malware (i think i've seen an ad for PC Defender or somesuch twice).

i've been working on this for the last 7 hours. i've seen a lot of viruses before and normally fixing them isn't too hard. My laptop uses a licensed McAfee that updates every day and at the hint of trouble, i run Malwarebytes. Neither, however, see a problem. So i ran SpyBot S&D, Spyware Doctor, SuperAntiSpyware, Panda Root Kit, Panda AntiVirus, GooredFix, Rootkit Revealer and combofix (which i thought would give me a menu of options; it did not, not even one to stop; i understand i might be denied help on this forum for running this so, um, sorry). None of them found anything. In Firefox i've turned off Accept Cookies (because i read it was a cookie exploit) and erased the XUL (because i read it was an XUL problem). i've verified everything in Autoruns and looked for odd processes in Process Explorer (i found nothing in either). i've cleared all my temp files and browser caches with CCleaner. i looked for odd processes in Device Manager (and realized they all looked odd so didn't touch any of them). i erased a randomly named *.sys driver in System32\Drivers that had a timestamp of today (the properties claimed to be Microsoft User Interface, language Russian). i installed the Firefox addon NoScript which blocks redirects (works pretty well but i still can't get to the real link i clicked on). i verified the links are what i think they are on the Google page (by checking page source and the status bar). i Googled a whole bunch about "Google search hijack" and trojan and other search terms. i've waded through my registry to keys people said might be the problem (i haven't seen them). i've rebooted a half dozen times. i've sacrificed small animals to nameless gods. Oh wait, i haven't done that one. Yet.

Out of curiosity, i tried a few things.
First, it happens if i go to Google directly rather than use the Firefox Google toolbar.
Second, it happens on Google Web search but not Image search.
Third, if i go to the same link over and over, it takes me to a different site each time.
Fourth, occasionally (but not too often), the link i clicked on comes up but a new tab opens, normally to the URL XXXX
Fifth, i tried this on Chrome and that's actually broken too, only worse because i don't have an easy way to disable cookies, javascript and redirects like i do in Firefox.
Sixth, recently (last two hours) i've noticed that IE has been starting up on my machine. No window but i see 2 processes in Process Explorer (which i immediately kill). Might be unrelated. i don't use IE except earlier today to get to Google to look up info on this.
Seventh, Yahoo didn't give me any problems, but i didn't do a lot of searching in it. i didn't try any other engines.
Eighth, the misrouted links don't happen anywhere else - if i make it to a page, i can click any link i want there and it's fine. It's only links off of google.com.

Hmm, real quick, let me check... netstat shows a few links i don't know, one of which is TCP port 2575 static.78-47-248-115.clients.your-server.de:http CLOSE_WAIT. No idea what that is. i'm behind a NetGear firewall and the Microsoft firewall. i also have TCP 1749 ip-212-117-174-177.server.lu:https CLOSE_WAIT. i can't tell if either is sending or receiving data.

What's throwing me is that none of the tools i have even see a problem. The problem shows up plenty over the last 4 years when i Google for it but nothing i've downloaded sees a problem and i obviously can't fix it.

To restate - when i click a link in Google, i often get sent to a random page such as ShoppingKey.com/search.php or oil-n-gasgifts.com/result.php which tries to redirect me to a Chinese site named XXXX to a URL such as fva2gzMe7e6xm0O5d3625a5a60e230dfa04ef970f6c20cde35k and 7Kp2ykkx8e4jAHU55fd2af76ef81bbcef5d0add4fcce6e5d27k. The page source of these pages is always the same:

Ideas?

EDIT: Removed links. You'd be surprised how many people would click on them

Edited by garmanma, 29 November 2009 - 07:59 PM.


BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:09:41 AM

Posted 29 November 2009 - 08:03 PM

If it is the rootkit I'm am thinking of, you would be better served by wiping the drive and reinstalling the OS
Removal is not a quick process

:trumpet:
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

==========================

:flowers:

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


:thumbsup: Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 baylor

baylor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 29 November 2009 - 11:43 PM

If it is the rootkit I'm am thinking of, you would be better served by wiping the drive and reinstalling the OS


Then i hope it's not the one you're thinking of :thumbsup:

Just so you know, after my first post but before yours, i monitored that invisible IE connection that keeps popping up. It happens at a random interval (either 10m, 15m, 30m or 60m) and always opens two connections to sites that i think are in China (212.117.185.16 and 213.174.149.70). In googling, both are well known bad sites. To manage this, i configured my firewall to block outgoing connections to these sites and installed Process Blocker on my laptop, which kills iexplore.exe as soon as it starts (the trojan always uses IE, which is why it stood out; my default browser is Firefox). Doesn't fix the problem but hopefully stops me from infecting anyone else

A second thing worth mentioning is that i can run any EXE - i haven't had to rename anything to make it run. i also keep Process Explorer open at all times so i can monitor what's running

We Need to check for Rootkits with RootRepeal


This program seemed to find quite a bit, mostly about something called PCTCore and the file azdnvz.sys

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/29 21:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 004DBFE0
Image Path: 004DBFE0
Address: 0x9E2F3000 Size: 78720 File Visible: No Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9FDA4000 Size: 815104 File Visible: No Signed: -
Status: -

Name: PROCEXP111.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP111.SYS
Address: 0xF7A33000 Size: 7680 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9F42A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\mcafee_yzpiappvly2mx2i
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_8mu3pudxjfrmuht
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\drivers\azdnvz.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\baylor\local settings\temp\acr5bfa.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
ServiceTable Hooked [0x867568a8]!

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf71c4e22

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf71a5cdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf71a5ece

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf71c5610

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf71c58c4

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf71c3b14

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf71c5d30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf71c50e2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\utils\system\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa46700b0

Hidden Services
-------------------
Service Name: afulioymoacu
Image Path: C:\WINDOWS\system32\drivers\azdnvz.sys

==EOF==


Please download Win32kDiag.exe


This didn't show anything. Here's the full file:

Running from: C:\downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\baylor\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


copy and paste this command into the open box: DIR...


Volume in drive C has no label.
Volume Serial Number is B0AF-F964

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 7,335,751,680 bytes free

#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:09:41 AM

Posted 30 November 2009 - 07:17 PM

Hooked by "PCTCore.sys" at address 0xf71c50e2
Service Name: afulioymoacu
Image Path: C:\WINDOWS\system32\drivers\azdnvz.sys
04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes


Then i hope it's not the one you're thinking of

Go to the head of the class
Sorry, I had to say that

As I said , the fix is rather involved. This infection is very widespread
It will take up to a week to hear back from our HJT Team


Now that you were successful in creating those logs you need to post them in our HJT forum There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 baylor

baylor
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 01 December 2009 - 12:04 AM

OK, i'll follow the instructions on the HijackThis link you provided and submit the results to the next, very busy queue

As a note, i actually removed all the issues related to PCTCore.sys. Turns out, that wasn't a virus. It was something related to PC Tools that SpywareDoctor installed. i uninstalled SpywareDoctor (it hadn't been running but was installed) and re-ran the rootkit checker and it didn't see those entries anymore. But the problems continue, so we'll see what a Hijack log turns up

Thanks for the help!

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,987 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:41 AM

Posted 01 December 2009 - 10:54 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/275373/google-redirect/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users