
Google Search Redirected to fake site


This topic is locked
20 replies to this topic

#1 piyushj

  • Members
  • 9 posts

Posted 25 February 2015 - 10:15 AM

When I search something on Google (the original one), the search results are displayed on another page which looks just like Google but is not.

Here is the URL
http://www.google.com/search?nord=1&site=&source=hp&q=google&oq=google&gs_l=hp.3..0l10.9917.10500.0.10701.7.3.0.4.4.0.132.363.0j3.3.0.msedr…0…1c.1.62.hp..1.6.269.0.wlKtwfEazKU#gsc.tab=0&gsc.q=google&gsc.page=1

Similar problem with yahoo and bing.

This issue occurs regardless of which browser you use. I have tried Chrome, Firefox and Opera.

I have tried many solutions:
MalwareBytes, TDSSKiller, ADWCleaner, EEK, HitmanPro, RogueKiller, a full scan by my antivirus, resetting the hosts file, reinstalling all browsers, and flushing DNS, but to no avail.

Please help!!!

Please find the requested logs attached.


#2 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 01 March 2015 - 02:09 PM

Hi,

Your post is a few days old. If you still need help, simply reply back and we can try to see what is going on.


How Can I Reduce My Risk to Malware?


#3 piyushj

  • Topic Starter

Posted 01 March 2015 - 02:20 PM

Hi Shelf life,

Thanks for the reply. Yes, I do still need help. I have sort of found a workaround by adding a new custom search engine to Firefox which uses the IP address instead of google.com. But any time you search directly by going to google.com, it will give you fake results.



#4 shelf life

Posted 01 March 2015 - 04:10 PM

Why do you think it's a fake site?:

http://scanurl.net/?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnord%3D1%26site%3D%26source%3Dhp%26q%3Dgoogle%26oq%3Dgoogle%26gs_l%3Dhp.3..0l10.9917.10500.0.10701.7.3.0.4.4.0.132.363.0j3.3.0.msedr%E2%80%A60%E2%80%A61c.1.62.hp..1.6.269.0.wlKtwfEazKU%23gsc.tab%3D0%26gsc.q%3Dgoogle%26gsc.page%3D1&uesb=Check+This+URL#results

Do you use a proxy for certain web addresses? I see this in the log:

AutoConfigURL: [S-1-5-21-1313778808-2513441447-2750907728-1002] => http://wpad.com.gr/proxy.pac




#5 piyushj

Posted 01 March 2015 - 04:19 PM

Well, first, the site is visibly (slightly) different, you are no longer logged in, and I have seen the source code (it uses the Google Custom Search API).

Firebug says that the IP for the request is 93.190.137.240, which does not look to be in Google's IP ranges.

I don't use any proxy. Not really sure what the log means or what to do about it. If you could just explain it to me a little bit, that would help.

Thanks for the help.




#6 shelf life

Posted 01 March 2015 - 04:36 PM

So you checked in your browsers that none of them are set to use a proxy to access the internet?




#7 shelf life

Posted 01 March 2015 - 04:48 PM

"what the log means"

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/




#8 piyushj

Posted 01 March 2015 - 04:48 PM

Yes, definitely. I even installed a new one (Opera) to check whether it comes up with something different. But no, it's the same fake site, regardless of which browser you use. I do not use any proxy solutions at all.



#9 shelf life

Posted 01 March 2015 - 05:02 PM

OK. Well, let's look closer at this: AutoConfigURL, because I think this can be set in the registry and not show up in any browser setting. I looked at the rest of the FRST log and it looks OK, so that seems like a good starting point anyway.

I am in Linux now. I will boot into Windows and poke around the registry.




#10 shelf life

Posted 01 March 2015 - 05:33 PM

Still looking in the registry, but here's the PAC file:

function FindProxyForURL(url, host) {
  if (shExpMatch(host, "www.bing.com")) return "PROXY 93.190.137.240:8080";
  if (shExpMatch(host, "*.search.yahoo.com")) return "PROXY 93.190.137.240:8080";
  ga = /^https?:\/\/www\.google\.[a-zA-Z.]+\/?$/;
  if (ga.test(url)) { return "PROXY 93.190.137.240:8080" }
  gb = /^https?:\/\/www\.google\.[a-zA-Z.]+\/\?(.*)$/;
  if (gb.test(url)) { return "PROXY 93.190.137.240:8080" }
  gc = /^https?:\/\/www\.google\.[a-zA-Z.]+\/search\?(.*)$/;
  if (gc.test(url)) { return "PROXY 93.190.137.240:8080" }
  gd = /^https?:\/\/www\.google\.[a-zA-Z.]+\/cse\?(.*)$/;
  if (gd.test(url)) { return "PROXY 93.190.137.240:8080" }
  ge = /^https?:\/\/www\.google\.[a-zA-Z.]+\/s\?(.*)$/;
  if (ge.test(url)) { return "PROXY 93.190.137.240:8080" }
  return "DIRECT";
}




#11 shelf life

Posted 01 March 2015 - 05:47 PM

Traceroute to the IP (removed my hops):

Tracing route to proxy.reverse.dns [93.190.137.240]
over a maximum of 30 hops:

  7    20 ms    18 ms    19 ms  xe-5-0-1.edge5.Dallas3.Level3.net [4.59.32.73]
  8   131 ms   131 ms   131 ms  ae-239-3615.edge6.Amsterdam1.Level3.net [4.69.162.250]
  9   134 ms   134 ms   134 ms  WORLDSTREAM.edge6.Amsterdam1.Level3.net [213.19.195.22]
 10   140 ms   143 ms   134 ms  proxy.reverse.dns [93.190.137.240]

Trace complete.

We can use FRST to remove that line and see how that goes.




#12 piyushj

Posted 01 March 2015 - 05:47 PM

I lack a little in the knowledge of this stuff. Can you tell me where you got the PAC file from? Because that is exactly the problem. Google search is getting redirected to 93.190.137.240. Do I need to delete some registry key?



#13 shelf life

Posted 01 March 2015 - 05:58 PM

OK, so open Notepad and copy/paste what's below in the code box into Notepad:


AutoConfigURL: [S-1-5-21-1313778808-2513441447-2750907728-1002] => http://wpad.com.gr/proxy.pac
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

Save what you copied/pasted into Notepad as: fixlist.txt

Save it in the same location that you have FRST. Start FRST like before, except this time click on the Fix button and wait.
The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.



#14 piyushj

Posted 01 March 2015 - 05:58 PM

OK, was able to fix it using FRST. Thanks a lot for your help!!



#15 shelf life

Posted 01 March 2015 - 06:02 PM

It's in the log here:

AutoConfigURL: [S-1-5-21-1313778808-2513441447-2750907728-1002]

