Google Search worm: phoney results, what action?

Discussion in 'ESET NOD32 Antivirus' started by wk4nod4m, Jan 21, 2009.

Thread Status:
Not open for further replies.
  1. wk4nod4m

    wk4nod4m Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    8
    I seem to have been infected with something that spoofs the first page of a Google search (and apparently is interfering with some other redirection/links, in odd situations). First page looks right, but the actual links/URLs are different than they should be, and it happens in all browsers.

    I've seen a few notes about this, but haven't seen the solution, and a full NOD32 scan comes up clean.

    Next steps?

    Thanks,
    will
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Download ESET SysInspector and create a log, then email it off to support("at")eset[dot]com with this threads URL in the subject.
     
  3. wk4nod4m

    wk4nod4m Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    8
    Thanks, Funkydude, I've sent it off, appreciate the tip.

    will
     
  4. wk4nod4m

    wk4nod4m Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    8
    no joy so far, support didn't see anything funny in the log, and really haven't had any suggestions except to install the latest Nod, which I've done, but I was already pretty up to date.

    So, SOMEONE else must have dealt with this redirection of their browsers to a spoofed search results page, I'm really having a hard time figuring out next moves, probably a restore . . .
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    There might be something wrong with your hosts file (C:\Windows\System32\drivers\etc\HOSTS)

    Paste its contents here, or if it's too large, use pastebin.com
     
  6. wk4nod4m

    wk4nod4m Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    8
    Yeah, I thought of that, but there's only one line in my Hosts file:

    127.0.0.1 localhost

    I really do appreciate your thinking about this, thanks.
     
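    The hosts-file check suggested above, as an added example that is not part of the thread: this script parses the text of a hosts file and reports three things a hijacker leaves behind, namely any name mapped to an address other than loopback (a redirect), a security or update domain pinned to loopback (a block), and a long run of blank lines, which some infections use to push their entries below what Notepad shows without scrolling. On Windows it also reads the DataBasePath registry value, since the file Notepad opens is not necessarily the one Windows resolves from if that value has been changed. The watch list of domains, the 50-line blank-run threshold and the sample hosts content are all constructed for the example.

```python
"""Audit a hosts file for the tricks used to redirect or block web traffic.

Added example, not code from the thread. Pure parsing so it runs anywhere;
only hosts_path() touches the Windows registry.
"""
import ipaddress
import os
import sys
from typing import Dict, List

# Constructed watch list: domains a hijacker would want to block or redirect.
WATCHED_SUFFIXES = ("google.com", "eset.com", "bleepingcomputer.com",
                    "microsoft.com", "windowsupdate.com", "opendns.com")
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
UNSPECIFIED = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}
BLANK_RUN_LIMIT = 50   # assumed threshold; a hand-edited hosts file never gets near it


def is_watched(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str) -> List[Dict]:
    """One record per non-comment line: line number, parsed address (or None), names."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
            names = [n.lower() for n in fields[1:]]
        except ValueError:
            addr, names = None, fields          # malformed line: keep it for the report
        records.append({"line": lineno, "addr": addr, "names": names})
    return records


def longest_blank_run(text: str) -> int:
    run = best = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        best = max(best, run)
    return best


def audit_hosts(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    run = longest_blank_run(text)
    if run >= BLANK_RUN_LIMIT:
        findings.append(f"{run} consecutive blank lines: entries may be hidden below the visible window")
    for rec in parse_hosts(text):
        if rec["addr"] is None:
            findings.append(f"line {rec['line']}: unparsable entry {rec['names']}")
            continue
        for name in rec["names"]:
            if rec["addr"] in LOOPBACK or rec["addr"] in UNSPECIFIED:
                if is_watched(name):
                    findings.append(f"line {rec['line']}: {name} pinned to {rec['addr']} (blocked)")
            else:
                findings.append(f"line {rec['line']}: {name} -> {rec['addr']} (redirect)")
    return findings


def hosts_path() -> str:
    """The file Windows actually resolves from (DataBasePath), else /etc/hosts."""
    if sys.platform != "win32":
        return "/etc/hosts"
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters") as key:
        base, _ = winreg.QueryValueEx(key, "DataBasePath")
    return os.path.join(os.path.expandvars(base), "hosts")


# Constructed sample: the one legitimate line, 200 blank lines, then a redirect
# of Google (TEST-NET address) and a block of ESET's update server.
SAMPLE_HOSTS = ("127.0.0.1 localhost\n" + "\n" * 200 +
                "203.0.113.5 www.google.com google.com\n"
                "127.0.0.1 update.eset.com\n")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for finding in audit_hosts(fh.read()) or ["no findings"]:
            print(finding)
```

Run it with no argument to audit the live file, or pass a path to audit a copy. A corporate hosts file may legitimately map internal names to non-loopback addresses, so treat a redirect finding as something to explain rather than proof of infection; a clean home machine, like the one-line file shown above, should produce no findings at all.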
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Who is your ISP? If you have a router, could you change the DNS fetch IPs to #1 208.67.222.222 #2 208.67.220.220 (OpenDNS IPs)? Reboot your router, then your computer, and see if you still have the problem.
     
  8. Arceon

    Arceon Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    15
    Location:
    Manchester
    We've had something similar on several machines here, and have never been able to totally get rid of it. The best we could do was run SDFix and SpyBot S&D whilst in safe mode, then replace the hosts file with a protected one.

    This made the popups blank, and stopped the redirects, but we're still unable to get rid of it.
     
  9. wk4nod4m

    wk4nod4m Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    8
    Funkydude: Thanks. Comcast provides the internet access, but I do have a router. I'll have to look at this DNS change a little, though, before I fiddle with that, this is new to me. And it is a workaround, but I don't think it solves the underlying problem, something must be loaded on my computer.

    Arceon: Hmm, that's discouraging. My Hosts file seems fine, however, and I don't get any popups, were you getting messages?
     
  10. Arceon

    Arceon Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    15
    Location:
    Manchester
    Ours was a variant of Antivirus2009 so it will be slightly different to yours (the popups etc) but the redirect appears to be the same thing.

    The one thing that sticks out in my mind that I changed was disabling a couple of BHOs in IE. They were called things like b23ygy.dll and clearly shouldn't have been there.

    So I'd give that and SDFix a go, see how it goes from there.
     
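    The BHO check described above, as an added example that is not code from the thread: Browser Helper Objects are registered as CLSIDs under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and each CLSID resolves to a DLL through HKCR\CLSID\{clsid}\InprocServer32. The script enumerates those registrations on Windows and scores each one with a few heuristics: no friendly name registered, a machine-generated-looking DLL name such as the b23ygy.dll mentioned above, a DLL living in a user-writable profile or temp directory, and a DLL path that no longer exists on disk. The registry reads need Windows; the scoring is a pure function, and the sample entries (placeholder CLSIDs, constructed paths) exist only so it can be exercised elsewhere.

```python
"""Enumerate Internet Explorer Browser Helper Objects and flag suspicious ones.

Added example, not from the thread. enumerate_bhos() needs Windows (winreg);
classify_bho() is pure so it can run against constructed data anywhere.
"""
import os
import re
import sys
from typing import Dict, List, Optional

BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# Heuristic: 5-10 lowercase letters/digits with at least one digit, e.g. b23ygy.
RANDOM_NAME = re.compile(r"^[a-z0-9]{5,10}$")
# Assumed markers of user-writable locations; a legitimate BHO ships under Program Files.
USER_DIR_MARKERS = ("\\users\\", "\\documents and settings\\", "\\temp\\",
                    "\\appdata\\", "\\application data\\")


def dll_name(path: str) -> str:
    """Basename that also works for Windows paths when run on a non-Windows host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def name_looks_generated(path: str) -> bool:
    stem = os.path.splitext(dll_name(path))[0].lower()
    return bool(RANDOM_NAME.match(stem)) and any(c.isdigit() for c in stem)


def classify_bho(bho: Dict[str, Optional[str]]) -> List[str]:
    """Reasons a BHO deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    path = bho.get("path") or ""
    if not bho.get("name"):
        reasons.append("no friendly name registered under HKCR\\CLSID")
    if not path:
        reasons.append("no InprocServer32 path (CLSID registered but no DLL)")
        return reasons
    if name_looks_generated(path):
        reasons.append(f"DLL name looks machine-generated: {dll_name(path)}")
    if any(marker in path.lower() for marker in USER_DIR_MARKERS):
        reasons.append("DLL lives in a user-writable profile/temp directory")
    if sys.platform == "win32" and not os.path.exists(os.path.expandvars(path)):
        reasons.append("DLL path does not exist on disk")
    return reasons


def _default_value(subkey: str, view: int) -> Optional[str]:
    """Default (unnamed) value of an HKCR subkey, or None if absent."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, subkey, 0, winreg.KEY_READ | view) as k:
            value, _ = winreg.QueryValueEx(k, "")
            return value or None
    except OSError:
        return None


def enumerate_bhos() -> List[Dict[str, Optional[str]]]:
    """Read BHO registrations from both the 64-bit and 32-bit registry views (Windows only)."""
    import winreg
    found = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    clsid = winreg.EnumKey(key, index)
                except OSError:      # no more subkeys
                    break
                index += 1
                found.append({"clsid": clsid,
                              "name": _default_value(rf"CLSID\{clsid}", view),
                              "path": _default_value(rf"CLSID\{clsid}\InprocServer32", view)})
    return found


# Constructed sample with placeholder CLSIDs: one benign vendor BHO, one
# nameless DLL with a generated name, one dropped into the user profile.
SAMPLE_BHOS = [
    {"clsid": "{00000000-0000-0000-0000-000000000001}", "name": "Example PDF Link Helper",
     "path": r"C:\Program Files\Example Vendor\ExampleIEHelper.dll"},
    {"clsid": "{00000000-0000-0000-0000-000000000002}", "name": None,
     "path": r"C:\WINDOWS\system32\b23ygy.dll"},
    {"clsid": "{00000000-0000-0000-0000-000000000003}", "name": "Search Assistant",
     "path": r"C:\Documents and Settings\will\Application Data\srch.dll"},
]

if __name__ == "__main__":
    for bho in enumerate_bhos() if sys.platform == "win32" else SAMPLE_BHOS:
        reasons = classify_bho(bho)
        print(("SUSPECT" if reasons else "ok     "), bho["clsid"],
              bho.get("name") or "<no name>", "->", bho.get("path") or "<no path>")
        for reason in reasons:
            print("        -", reason)
```

Two caveats for anyone running this. A flagged entry is a lead, not a verdict: disable it, reboot, and see whether the redirect stops. And BHOs are loaded by Internet Explorer (and the Explorer shell), not by Firefox or Opera, so a redirect that shows up in every browser points to something lower in the stack (hosts file, DNS settings, a Winsock LSP or a driver) even if a rogue BHO is also present.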
  11. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    There are a number of (variants of) infections around at the moment which cause this behaviour, a number of which I have encountered on client machines of late. I also find that NOD32 (and quite a few other A/Vs, to be fair) detect nothing. The best tool I have found to deal with this kind of infection is ComboFix, available here:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please don't download from sources other than those listed on the Bleeping Computer page - there are a number of rogue copies of ComboFix about.
     
  12. wk4nod4m

    wk4nod4m Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    8
    I very rarely use IE, but the behavior appears in Opera, IE 6, and Firefox. Would fiddling with the BHOs affect all browsers?
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Nope. It's an IE thing.
     
  14. wk4nod4m

    wk4nod4m Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    8
    Thanks, I'll give that a look. You're right about NOD32, I have everything updated to the minute, and it doesn't see anything.

    Thanks
     
  15. wk4nod4m

    wk4nod4m Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    8
    I restored my system drive from a backup that I knew predated the symptoms, and things seem to be back to normal.

    I appreciate all the help and comments people contributed, and learned some things that I can apply to get ready for the next problem that's bound to come along.

    THANKS.

    Will
     