Kramer8u asked on
Google redirect malware / rootkit help
I am using Windows 7 Home Premium.
When I use Internet Explorer or Firefox and search for something on Google, it redirects me to a travel site, e-shop or obscure search engine related to the search string or term, but not the actual real site, term or product.
This behaviour only seems to happen when you use the actual search textbox on the Google web page and click a search result, and not every time, or perhaps only once.
The redirect URL shows at the bottom of IE as below:
http://77.91.228.48/click.php?c=0c9a... being the most common one. Sometimes it goes through 2 or 3 URLs before a page loads.
Seems to be Russian in origin (no surprises!).
If you just press Back to go back to the search page and click on the link again, the second time I press the link it goes to the correct page.
There is old talk online of it being related to a TSS rootkit, but with no solutions.
Also talk of some sort of script injection into the browser page, probably by a rootkit, but I'm lost without tools I can use on 64-bit.
The initial infection was a scareware app that Malwarebytes did remove, but this symptom still stays no matter what I do.
It also added its own DNS server into the Windows settings, which I have manually got around to allow updates for security software.
I have tried:
ipconfig /flushdns
Malwarebytes Anti-Malware: nothing found
HijackThis: can't see anything suspicious
SUPERAntiSpyware: nothing found
Full virus scan with ESET and AVG: nothing found
TSS rootkit removal tools from Kaspersky: usbaudio.sys MD5 suspect, so I removed it: no result.
Can't run RootRepeal because it's 64-bit Windows
Can't run ComboFix because it's 64-bit Windows
Has anyone dealt with a new mutation of this nasty?
Or good rootkit tools for 64-bit, or a solution, would be brilliant.
Thanks in advance
You might have got a BHO installed. A BHO is like a plugin to your browser. In IE, click Tools -> Manage Add-ons and look in the Enabled list; if you see anything suspicious, disable or delete it. Similarly, you can check Firefox by clicking Tools -> Add-ons.
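The two persistence points this thread touches on, a DNS server silently added to the adapter settings and a Browser Helper Object loaded into IE, can both be inventoried without clicking through dialogs. The script below is an added example for this page, not code from the thread or from any of the tools named in it; it assumes a Windows 7 x64 host with the PowerShell 2.0 that ships with it (so no Get-FileHash), and the "expected" resolver addresses are placeholders you replace with your own. It lists each enabled adapter's DNS servers and flags any not on your list, then walks both the native and the Wow6432Node BHO registrations, resolves each CLSID to its DLL, and reports the file's Authenticode status and MD5 so a stray unsigned DLL stands out.

```powershell
# Added example (not from the original thread): inventory DNS servers and IE
# Browser Helper Objects on a Windows 7 x64 host. Run from an elevated prompt.
# PowerShell 2.0 compatible: MD5 is computed via .NET instead of Get-FileHash.

$ExpectedDns = @('192.0.2.1', '192.0.2.2')   # placeholder resolvers (RFC 5737 range); use your own

function Get-FileMd5 {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($md5.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

# --- 1. DNS servers per enabled adapter -----------------------------------
# The asker reports a rogue DNS server being added to the Windows settings;
# anything not in $ExpectedDns is flagged for review.
Write-Output '== DNS servers per adapter =='
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object {
        foreach ($server in @($_.DNSServerSearchOrder)) {
            $flag = if ($ExpectedDns -contains $server) { '' } else { '   <-- NOT in expected list' }
            '{0}: {1}{2}' -f $_.Description, $server, $flag
        }
    }

# --- 2. Browser Helper Objects (both registry views on x64) ---------------
# A BHO is a COM in-proc server; IE loads every CLSID listed under these keys.
Write-Output ''
Write-Output '== Browser Helper Objects registered for IE =='
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($bho in (Get-ChildItem $key)) {
        $clsid = $bho.PSChildName
        # Resolve the CLSID to its InprocServer32 DLL in either registry view.
        $dll = $null
        foreach ($root in $clsidRoots) {
            $srv = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $srv) {
                $dll = (Get-ItemProperty $srv).'(default)'
                break
            }
        }
        if (-not $dll) {
            '{0}: no InprocServer32 found (dangling registration)' -f $clsid
            continue
        }
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path $dllPath) {
            $sig  = (Get-AuthenticodeSignature $dllPath).Status.ToString()
            $hash = Get-FileMd5 $dllPath
        } else {
            $sig  = 'file missing'
            $hash = 'n/a'
        }
        # Unsigned DLLs with random-looking names are exactly what the asker
        # eventually found (qmpehsoe.dll); anything not 'Valid' gets a marker.
        $flag = if ($sig -ne 'Valid') { '   <-- review' } else { '' }
        '{0}  {1}  sig={2}  md5={3}{4}' -f $clsid, $dllPath, $sig, $hash, $flag
    }
}
```

The script only reports; removal is still done through Manage Add-ons or by deleting the CLSID registration, and on a machine where a rootkit is suspected the hashes should be compared on a clean system, since a kernel-mode hook can lie to user-mode tools about the file it is hiding. The MBR question raised later in the thread is outside what this script can check: inspecting or rewriting boot code is done offline from the Windows recovery environment, not from a running PowerShell session.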
ASKER
Thanks guys, HitmanPro did find a DLL but no rootkit.
The DLL was qmpehsoe.dll, and once removed it seems to have stopped the Google redirects.
One question though: in looking up information on the TDL3 rootkit 64-bit, see below:
http://www.computersecurityarticles.info/antivirus/tdl3-rootkit-x64-goes-in-the-wild/
It says it modifies the MBR with "bootkit" code.
I'd like to be sure I killed this one.
How do I recreate / overwrite with a fresh Windows 7 64-bit MBR to make sure this "bootkit" is toast?
Should I post a separate question???
Hitman x64 fixed the exact same problem for me on Windows 7 x64. This 77.91.228.48 redirect was left behind by (fake) Anti Virus 2010 as far as I can tell. Thanks Bros :)