Google Search worm: phoney results, what action?

I seem to have been infected with something that spoofs the first page of a Google search (and apparently is interfering with some other redirection/links, in odd situations). First page looks right, but the actual links/URLs are different than they should be, and it happens in all browsers.

I've seen a few notes about this, but haven't seen the solution, and a full NOD32 scan comes up clean.

Next steps?

Thanks,
will

 

Download ESET SysInspector and create a log, then email it off to support("at")eset[dot]com with this threads URL in the subject.

 

Thanks, Elapsed, I've sent it off, appreciate the tip.

will

 

no joy so far, support didn't see anything funny in the log, and really haven't had any suggestions except to install the latest Nod, which I've done, but I was already pretty up to date.

So, SOMEONE else must have dealt with this redirection of their browsers to a spoofed search results page, I'm really having a hard time figuring out next moves, probably a restore . . .

 

There might be something wrong with your hosts file (C:\Windows\System32\drivers\etc\HOSTS)

Paste it's contents here, or if it's too large, use pastebin.com

 

Yeah, I thought of that, but there's only one line in my Hosts file:

127.0.0.1 localhost

I really do appreciate your thinking about this, thanks.

 

Who is your ISP? If you have a router, could you change the DNS fetch IPs to #1 208.67.222.222 #2 208.67.220.220 (OpenDNS IPS) Reboot your router, then your computer, and see if you still have the problem?

 

We've had something similar on several machines here, and have never been able to totally get rid of it. The best we could do was run SDFix and SpyBot S&D whilst in safe mode, then replacing the hosts file with a protected one.

This made the popups blank, and stopped the redirects, but we're still unable to get rid of it.

 

Elapsed: THanks. Comcast provides the internet access, but I do have a router. I'll have to look at this DNS change a little, thought, before I fiddle with that, this is new to me. And it is a workaround, but I don't think it solves the underlying program, something must be loaded on my compuater.

Arceon: Hmm, that's discouraging. My Hosts files seems fine, however, and I don't get any popups, were you getting messages?

 

Ours was a variant of Antivirus2009 so it will be slightly different to yours (the popups etc) but the redirect appears to be the same thing.

The one thing that sticks out in my mind that i changed was disabling a couple of BHO's in IE. They were called things like b23ygy.dll and clearly shouldn't have been there.

So i'd give that and SDFix a go, see how it goes from there.

 

There are a number of (variants of) infections around at the moment which cause this behaviour, a number of which I have encountered on client machines of late. I also find that NOD32 (and quite a few other A/Vs, to be fair) detect nothing. The best tool I have found to deal with this kind of infection is ComboFix, available here:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please don't download from sources other than those listed on the Bleeping Computer page - there are a number of rogue copies of ComboFix about.

 

I very rarelyl use IE, but the behavior appears in Opera, IE 6, and Firefox. Would fiddling with the BHO's affect all browsers?

 

Nope. It's an IE thing.

 

Thanks, I'll give that a look. You're right about NOD32, I have everything updated to the minute, and it doesn't see anything.

Thanks

 

I restored my system drive from a backup that I new predated the symptoms, and things seem to be back to normal.

I appreciate all the help and comments people contributed, and learned some things that I can apply to get ready for the next problem that's bound to come along.

THANKS.

Will