
Infect with ? google redirect??


  • This topic is locked
28 replies to this topic

#1 stalker878

stalker878

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 15 May 2010 - 09:18 AM

Recently infected with an unknown virus/malware which was supposedly removed by kaspersky, eset, malwarebytes, spyware search N destroy, ad-aware.
Ran Gooredfix twice, problem still existed.
Checked the hosts file, no other entries present.

The problem now is that whenever I use Google/Firefox/IE, I am frequently directed to this web address with funny symbols and stuff: hxxp://www.py+9’—žhŒd.com/#@%C2%B16_%C3%A1Du%0F%C2%AD%C3%95%C2%AFdf%C3%BC%C3%A1K%C3%BD=%C3%9C%C3%93%C3%85E%C2%A2%E2%80%B9%C2%BCfr%C3%A5%C2%BC%E2%80%93;%C3%9D%C5%BE%02%06%1A%E2%80%9A%C3%AB7%13u%C3%8B%E2%80%B9t%C2%9D%C3%BD%C2%BCE2#%1E%C3%BBJ%C3%88%C5%92^


Whenever the redirect appears, my ESET will also pop up a window, but with varying IP and address:




Pop-ups appear to stop with disabled javascript in FF options - hence the suspicion of google redirect.

Please help..

thank you!

Al

Attached Files


Edited by Orange Blossom, 15 May 2010 - 02:02 PM.
Deactivate link. ~ OB




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:10 PM

Posted 15 May 2010 - 06:20 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 stalker878

stalker878
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 15 May 2010 - 09:45 PM

Hi mOle, I am here.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:10 PM

Posted 16 May 2010 - 10:03 AM

Yes, there's redirecting going on. Just to check, which country are you in?


Second we have a rootkit showing in Gmer so please run Combofix and we'll try and remove it.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 stalker878

stalker878
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 16 May 2010 - 04:03 PM

I am in Australia...
Will get on to the combofix. How about recovery console?

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:10 PM

Posted 16 May 2010 - 06:06 PM

Australia? Oh, lovely. Come on the England 20/20 team!

I was just checking as the redirects are being channelled to an IP in the Netherlands. We'll get to that.

QUOTE
How about recovery console?


What do you mean?
m0le is a proud member of UNITE

#7 stalker878

stalker878
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 16 May 2010 - 06:52 PM

Do I have to install it? I thought the Recovery Console was present on the WinXP bootable CD?

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:10 PM

Posted 16 May 2010 - 06:58 PM

No, if you have it already go ahead and click No at the query.
m0le is a proud member of UNITE

#9 stalker878

stalker878
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 16 May 2010 - 07:54 PM

Hi Mole!

What I mean is that the Recovery Console can be initiated from the WinXP bootable CD without installation?
That's what I remembered: if you press F8 during XP boot? - is it the console where you can copy files over from the WinXP CD to your hard disk if files are corrupted?

Thanks.

Al

UPDATE - it's the same thing.. hahaa.. I am confusing myself.. I can boot into the Recovery Console from the CD..

Edited by stalker878, 16 May 2010 - 07:59 PM.


#10 stalker878

stalker878
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 16 May 2010 - 08:02 PM

Can you tell me what trojan that is? How come Kaspersky and ESET failed to detect it? I ran a couple of rootkit scanners as well, in addition to the battery of spyware and malware scanners...

Is data being sent to the servers (ie, is information being compromised) or that ESET is blocking outward access?

#11 stalker878

stalker878
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 16 May 2010 - 11:56 PM

Hi Mole,

Combofix log is attached.

I also attached a screenshot of a dialog box displayed by ComboFix about files trying to attach to ComboFix.

Thanks!

Attached Files



#12 stalker878

stalker878
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 17 May 2010 - 04:29 AM

Hi Mole,

can you also tell me which lines show rootkit activity & redirection?

Thanks!

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:10 PM

Posted 17 May 2010 - 07:22 PM

QUOTE
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe


Search Settings. Looks legitimate but it's a browser redirect, the .exe file runs the program.


The Combofix log looks good - not sure the rootkit scan is right so we will continue the clean up for now. Sometimes the malware makes alterations that stick in the system after the threats are removed. Are you still getting redirects?


Please run ESET's online scanner next

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Edited by m0le, 17 May 2010 - 07:25 PM.

m0le is a proud member of UNITE

#14 stalker878

stalker878
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 17 May 2010 - 07:59 PM

Hi Mole,

I am still having redirections. Apparently, according to some tip I found on the net, disabling JavaScript helps to reduce the redirections.
Did the Combofix show any rootkit activity?

I am worried that the trojan/virus/malware has left changes/backdoors for more infections to occur.. Moreover, this bug seems to be undetectable by most anti-spyware and anti-malware scans I did..


Does the online scan differ from the ESET 4.2 that I have on the PC? Or has the ESET been infected as well (ie. no self-protection?)?


If possible, could you put some running commentary or explanations? I am interested to learn about this as well!

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:10 PM

Posted 17 May 2010 - 08:12 PM

I will do my best to commentate but bear in mind certain tools and processes must be kept secretive. I will answer any questions you have before we're done.

ESET online is safer than ESET on the PC, which can be infected itself or compromised as to be unreliable.

The Gmer log shows this:

QUOTE
File C:\WINDOWS\system32\drivers\ACPIEC.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification


This means that a legitimate file has been modified in a suspicious way and TDL3, the new form of TDSS rootkit is present. Combofix removes most of these but not this one apparently. The atapi.sys file shows modification but is not our target, just a clue.

To remove the threat we need to replace the infected file with a clean backup copy. We can run SystemLook to find one.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    ACPIEC.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by m0le, 17 May 2010 - 08:14 PM.

m0le is a proud member of UNITE
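The idea behind the SystemLook ":filefind" step above is that Windows keeps spare copies of system drivers (the dllcache and service-pack folders, for instance), so a driver that has been patched in place can be spotted by comparing every copy of the same filename against each other. The script below is an added illustration of that comparison; it is not from the thread, from SystemLook, or from any of the tools named in it. The folder layout, the driver bytes and the "PATCHED!" marker are constructed sample data, and the majority-vote rule is this example's own assumption, not how SystemLook or GMER decide anything.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# The driver name the post's ':filefind' step looks for.
DRIVER_NAME = "ACPIEC.sys"


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large drivers do not load at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(filename: str, roots) -> list:
    """Walk each root and return every file whose name matches (case-insensitively, as NTFS does)."""
    target = filename.lower()
    matches = []
    for root in roots:
        for dirpath, _subdirs, files in os.walk(root):
            for name in files:
                if name.lower() == target:
                    matches.append(Path(dirpath) / name)
    return sorted(matches)


def compare_copies(filename: str, roots) -> dict:
    """Hash every copy found and report which ones disagree with the majority.

    Size alone is not a signal: an in-place patch can keep the length identical,
    so the decision is made on the digest. With only two copies that disagree
    there is no majority and 'consensus' is None: that case needs a known-good
    hash from the vendor, not a vote.
    """
    copies = find_copies(filename, roots)
    info = {str(p): {"size": p.stat().st_size, "sha256": sha256_of(p)} for p in copies}
    if not info:
        return {"copies": info, "consensus": None, "outliers": []}
    counts = Counter(v["sha256"] for v in info.values())
    top_hash, top_count = counts.most_common(1)[0]
    consensus = top_hash if top_count * 2 > len(info) else None   # strict majority only
    outliers = [p for p, v in info.items() if consensus and v["sha256"] != consensus]
    return {"copies": info, "consensus": consensus, "outliers": outliers}


# Constructed sample content: a 'clean' image and a same-length patched variant.
CLEAN_BYTES = b"MZ constructed clean driver image\x00" * 64
PATCHED_BYTES = CLEAN_BYTES[:-8] + b"PATCHED!"


def build_sample_tree(base: Path, with_servicepack: bool = True) -> Path:
    """Lay out a hypothetical WINDOWS tree: live driver patched, backup copies clean."""
    layout = {
        "WINDOWS/system32/drivers": PATCHED_BYTES,
        "WINDOWS/system32/dllcache": CLEAN_BYTES,
    }
    if with_servicepack:
        layout["WINDOWS/ServicePackFiles/i386"] = CLEAN_BYTES
    for rel, data in layout.items():
        folder = base / rel
        folder.mkdir(parents=True, exist_ok=True)
        (folder / DRIVER_NAME).write_bytes(data)
    return base / "WINDOWS"


def demo(with_servicepack: bool = True) -> dict:
    """Build the sample tree in a temp dir and run the comparison over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp), with_servicepack)
        return compare_copies(DRIVER_NAME, [root])


if __name__ == "__main__":
    report = demo()
    for path, v in report["copies"].items():
        flag = "OUTLIER" if path in report["outliers"] else "ok"
        print(f"{v['size']:>8} {v['sha256'][:16]}  {flag}  {path}")
    print("consensus:", report["consensus"])
```

On a real machine the roots would be the Windows folder (or the mounted drive of an offline image), and a copy that differs from the others is a lead, not a verdict: a backup folder can itself hold the bad copy, and a legitimate update can leave copies out of step. The reliable check is the digest or the Authenticode signature of the vendor's file, which is what a helper uses to decide which copy to restore from.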



