
Firefox Redirect Infection: "Happili," "findsearchengineresults," "gimmeanswers"


5 replies to this topic

#1 Demetrious

  • Members
  • 3 posts

Posted 06 March 2012 - 09:36 AM

My Firefox installation recently began redirecting Google results at random to the domains listed in the topic. Following bleepingcomputer's guide on this infection, I downloaded and ran Kaspersky's TDSSkiller program, which found "C:\WINDOWS\System32\Drivers\sptd.sys" and quarantined and deleted it, along with three related controls/process files. Unfortunately, the redirects still continue, despite repeated scans with TDSSkiller and several malware scanning programs revealing nothing new. Additionally, the machine takes an excessive amount of time to boot Windows.

System Info: Microsoft Windows XP Service Pack 2 (yes, I know), Media Center Edition, 32 bit. Dell factory install. Firefox ver. 8.0.1 (with NoScript installed) is affected. I have the Windows Recovery Console installed on the drive.

Software Used: I have performed full scans with MalwareBytes (Free Edition), SuperAntiSpyware (Free Version), HitManPro (30-day trial), McAfee Stinger, GMER, ESET Online Scanner and Kaspersky TDSSkiller. All programs used the latest version and latest database updates. With the exception of TDSSkiller, as noted above, and ESET, which detected only the TDSSkiller quarantined copy of sptd.sys, none of these programs detected any infections or problems.

Actions Taken: Guessing that the rootkit was slain, but its damage remained, I tried to ensure Firefox wasn't being redirected by simpler means. I verified that no proxies are set for use, double-checked that my set DNS server had not been changed (I had specified specific DNS servers for use; these values were unchanged but I set it back to "automatic" to be sure), flushed the DNS cache, cleared all cookies from the redirect destination pages from Firefox manually, and ran a Hijackthis scan to look for any registry-enabled redirects, but to my untrained eye, nothing jumped out. No uninvited add-ons or extensions have been added to Firefox, that I can tell. I do utilize Daemon Tools Lite CD emulation; I removed all virtual drives and ran the Defogger.exe application prior to all scans.

Symptoms: Most of the redirects end up at this page (screenshot), where, most of the time, they end; the scripts presumably blocked by NoScript. This (screenshot) is the source of that page, which seems to be nothing more than a JavaScript call which performs the redirect. After setting "automatic" DNS selection and clearing the resolver cache, however, I saw my browser being redirected to other pages which would (after two or three automated refreshes) successfully redirect despite NoScript. Setting Google as "untrusted" prevents the redirects from occurring at all after clicking Google links. These (screenshot) are the cookies left by these redirect pages.

This is either the result of altered settings beyond my grasp, or a very persistent rootkit/bootkit requiring more aggressive tools. Unfortunately said tools are equivalent to hunting through the MBR with a bazooka, so I turn to those who know what they're doing.

With the exception of the TDSSkiller automated scan and Firefox cookies, I have made no alterations or deletions to my file system.

Edited by Demetrious, 06 March 2012 - 09:48 AM.


#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,707 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 06 March 2012 - 12:25 PM

Welcome aboard

Does the redirection happen in IE as well?

Please download GooredFix from one of the locations below and save it to your Desktop
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click the donate button.


#3 Demetrious
  • Topic Starter

  • Members
  • 3 posts

Posted 06 March 2012 - 01:43 PM

Thank you for the prompt reply. Apparently this infection functions via creating a hidden extension?

Internet Explorer AND Google Chrome are not affected by redirects.

GooredFix log follows:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 13:40 on 06/03/2012 (Admin)
Firefox version 8.0.1 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{FDE03944-16D0-4635-A471-B2A8CA3B0011} -> Success!
Deleting C:\Documents and Settings\Admin\Local Settings\Application Data\{FDE03944-16D0-4635-A471-B2A8CA3B0011} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:45 18/11/2006]
{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} [17:23 09/11/2011]

C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\xy35zdow.default\extensions\
foxyproxy@eric.h.jung [20:26 12/02/2012]
{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [18:14 22/12/2011]
{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [22:14 25/03/2011]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [20:27 28/12/2011]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d}(2) [02:25 15/12/2007]
{e0204bd5-9d31-402b-a99d-a6aa8ffebdca} [05:45 24/05/2010]
{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [11:25 03/03/2012]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [19:02 29/10/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [23:20 03/09/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [15:32 18/02/2010]

-=E.O.F=-

(I should note that the Foxy-Proxy add-on is not being used.)

Edited by Demetrious, 06 March 2012 - 01:52 PM.
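As an added defender-side illustration (not part of the thread, and not GooredFix's own code), the script below parses a log in the layout GooredFix printed above and flags machine-wide extension registrations whose install directory sits inside a user profile, the pattern the GooredScan section removed. The sample log is constructed; its timestamps and the AVG/Java paths are placeholders.

```python
import re

# Constructed sample in the GooredFix log layout shown in the thread above; not
# the poster's log. Timestamps and the AVG/Java paths are placeholders.
SAMPLE_LOG = r"""GooredFix by jpshortstuff (03.07.10.1)
Firefox version 8.0.1 (en-US)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [19:02 29/10/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [15:32 18/02/2010]
"{FDE03944-16D0-4635-A471-B2A8CA3B0011}"="C:\Documents and Settings\Admin\Local Settings\Application Data\{FDE03944-16D0-4635-A471-B2A8CA3B0011}" [09:12 04/03/2012]

-=E.O.F=-
"""

# One machine-wide registration per line: "<extension id>"="<install dir>" [time]
REG_LINE = re.compile(r'^"(?P<id>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<ts>[^\]]*)\]', re.M)
# Roots an HKLM extension registration legitimately points into (XP layout).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Per-user profile markers: a machine-wide registration should never land here.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


def classify_registration(ext_id, path):
    """Return the reasons a registration looks suspicious (empty list if none)."""
    p = path.lower()
    reasons = []
    if any(m in p for m in USER_PROFILE_MARKERS):
        reasons.append("machine-wide registration points into a user profile")
    elif not p.startswith(TRUSTED_ROOTS):
        reasons.append("install directory outside Program Files / Windows")
    # The entry GooredFix removed in the thread reused the extension GUID as
    # its folder name; report that pattern on its own as well.
    if p.rstrip("\\").rsplit("\\", 1)[-1] == ext_id.lower():
        reasons.append("directory named after the extension id itself")
    return reasons


def find_suspicious_registrations(log_text):
    """Parse a GooredFix-style log; return registry entries worth a closer look."""
    findings = []
    for m in REG_LINE.finditer(log_text):
        reasons = classify_registration(m.group("id"), m.group("path"))
        if reasons:
            findings.append({"id": m.group("id"), "path": m.group("path"),
                             "seen": m.group("ts"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_registrations(SAMPLE_LOG):
        print(f["id"], "->", f["path"], "|", "; ".join(f["reasons"]))
```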


#4 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,707 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 06 March 2012 - 02:29 PM

How is redirection now?


#5 Demetrious
  • Topic Starter

  • Members
  • 3 posts

Posted 06 March 2012 - 06:13 PM

After extensive testing, the redirects are no longer in evidence! Thank you very much for your time and your help; you've saved me a ton of trouble.

#6 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,707 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 06 March 2012 - 06:42 PM

Good news :)
