Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


rle822x.cn - online-scaner-software - repeated trojan infection

  • Please log in to reply
4 replies to this topic

#1 fuzzyduck


  • Members
  • 2 posts
  • Local time:08:13 AM

Posted 13 December 2009 - 12:32 PM


Noticed sometime ago that my computer was running slow and then started to get re-directed from clicking links from "within" browser search result pages (IE8 and Google Chrome) - Green Eye Globe on IE tab (with yellow bug?) displays and get re-directed via rle822x.cn to random ad pages and then after a couple of re-directs to online-scaner-software, which gives a security centre display, your machine in vulnerable etc - and tries to install trojandownloader - Microsoft Security Essentials catches it and removes it, but IE/Chrome is locked and the only way to get out of it is to kill off the browser process. I've scanned with McAfee (didn't find anything - even though I'd updated!!) I then scanned with Microsoft Security Essentials, which found a couple of things I then scanned with SpyBot, which found a couple of other things and finally MalwareBytes (which found a couple of other things) - all with the latest updates in safe mode.

I'm running MalwareBytes again today (new definitions from yesterday) - full scan. I would have run ComboFix, but I'm wary that the links referred to from this site are broken, so I'm not sure where to download it from?

I don't really want to re-pave the machine if I can help it, but my wife uses the machine and uses it for all sorts of things.

Help much appreciated....

BC AdBot (Login to Remove)


#2 cookmiester


  • Members
  • 65 posts
  • Gender:Male
  • Location:Stoke-on-Trent
  • Local time:08:13 AM

Posted 13 December 2009 - 12:36 PM

Hmm, i can only think of either a system restore, or if push comes to shove, a re installation of windows. Try a system restore then run a virus scanner with hueristics on high sensitivity. Then run MBAM and other apps you use.

#3 fuzzyduck

  • Topic Starter

  • Members
  • 2 posts
  • Local time:08:13 AM

Posted 13 December 2009 - 02:29 PM

I've done a search around (using a different machine ;-) ) and have found a couple of other folks having the same issue/reference to rle822... - it's not registered in DNS, so my assumption is that it's resolving via an IP address. The online-scaner-software domain is a registered domain name and tagged as a malware site

I guess I need to know if anything can find it - if it can then at least we all then know which tools can find it etc. The question then becomes can it be fixed - if not then re-install...

#4 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:04:13 AM

Posted 14 December 2009 - 10:28 PM

Mbam is best run in normal mode if possible
Update mbam and run a FULL scan
Please post the results

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 dianedp


  • Members
  • 1 posts
  • Local time:02:13 AM

Posted 08 January 2010 - 02:54 PM

:thumbsup: I fixed the Google links redirecting to rle822x.cn.

After fixing a trojan/malware infection, I wound up with Google redirecting my search results to various websites, followed immediately by rle822x.cn. The only way to avoid it was right clicking the link and choosing to open in background or duplicated tabs.

Hijack This! showed no redirects, BHOs, or other suspicious items. Avira, Spyware Blaster, Malware Bytes...all of them showed a clean machine.

I changed my "hosts" file, and I added rle822x.cn to it. This stopped the page from loading, but still left me with a "cannot load site" message and required me to go back and take the long way through. The only information on the web said I had to reformat my system. (Something I avoid like the plague.)

I performed a simple edit in my Configuration file, and can now go directly to any page from both my Google search results and my Google home page links.

Fixing it requires editing values (in mine, only three) in the Firefox configuration. You will keep a copy of the original value. Disclaimer: Don't do this unless you're comfortable changing the values, I'm not responsible for errors, etc, etc...

Type about:config in the address bar.
Type :patterns" in the search bar.
I have the extensions adblock plus and the filter for it installed as extensions, and "patterns" gave me 4 results, 3 with string values (really, really long strings!).
My results were adblock.patterns, extensions.adblockplus.synch.Filterset.G.patterns, and fgupdater.patterns.

Right click the first entry, choose copy. Paste it to a word processing document. (This is your backup.) Go back to the entry, right click, and choose edit. Go to the end (right arrow key), type one space, then type rle822x.cn.

Repeat this action for the other two. (You may have more or less.) Save the document with your original entries as backup.

You should now be able to use Google normally, without being redirected or hijacked by the rle822x whatever-it-is.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users