Google resolving to 87.125.87.99 or 64.125.87.101

srlincoln
Got a virus on an XP SP3 computer the other day.
Have run Malwarebytes to remove bad registry and file entries. Have deleted a hidden Hosts file from the etc directory.
Whenever I ping www.google.com on the PC, it's trying to go to either 87.125.87.99 or 64.125.87.101.
NSLookup cannot resolve www.google.com. It tries to look at my local DNS server, then does a 2-second timeout ... seemingly never trying to go to the outside world to check the non-authoritative DNS servers.
I have NO idea where it's getting these IPs from, file, registry or what. Doesn't matter what user I'm logged in as either, so if it's registry, it must be in the Local Machine area.

Anyone else ever deal with this and resolve it? I don't want to re-image the machine yet as I'm extremely curious as to how the el' a setting like this could be set on searching-type websites only.
I say that because I can go to yahoo.com, but if I do an actual search, it fails out as if it was being redirected to a bad site that is obviously down now.

Sam
I wonder if this is the same as what was posted recently; try looking at this thread.

http://www.experts-exchange.com/Security/Vulnerabilities/Q_27209876.html

Author of the Year 2011
Top Expert 2006
Commented:
Malwarebytes is only one weapon in the armory for fighting malware and you should run a rogue process stopper before doing the MBAM scan.

Rogue-Killer-What-a-great-name

A couple of other tools to use are TDSSKILLER (or FixTDSS.exe from Symantec) found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete",  you can also just hit "Enter" without typing in and the scan will continue...
Please post the log to be analyzed.

Let us know the results and we can take the next steps.
***************

It is also possible that an infected router is causing this. Details here:
http://www.experts-exchange.com/A_5327.html - Infected Router - Google Search Redirects Even on a Clean System
Sudeep Sharma, Technical Designer

Commented:
@younghv,

You missed the link for FixTDSS from Symantec.

@srlincoln,

Here is the link
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that would help

Sudeep

Author

Commented:
One thing I don't want as an answer is to download a bunch of tools to find the problem. I want to know the root cause: where in the registry, or what file, is causing the redirection. It doesn't seem that any of the posts in that other thread ever get to where the problem actually stemmed from.

Seems to me that if you booted the PC in safe mode w/networking, the problem would not exist if there was a hidden service or an extraordinary service loading. This PC has a full, working version of McAfee Enterprise running on it.

It seems to be deeper than just a running service or program the way it's being choosy with nslookup and all.

This is the only system having the problem so Infected router...nope.

S
Technical Designer
Commented:
@srlincoln

younghv has suggested TDSSKiller, which scans for the rootkits which are undetectable by most of the Anti-Viruses. I would suggest you follow his advice first and scan the system with TDSSKiller, or FixTDSS if TDSSKiller doesn't find anything.

Infected router is for additional information in case you have other computers behaving in the same manner.
Author of the Year 2011
Top Expert 2006

Commented:
The Experts trying to help you really don't have a lot of information to go on. It appears as though you have some kind of re-direct malware still on your system.

Denigrating the advice we offer is not really the best way to encourage volunteers to keep helping you.

You are the one who used improper procedures to clean your system and I was giving you the proper methods.

If you want to work through this problem, I will be glad to give you the best advice I have. If you don't want to follow the advice, I will go help someone else.

Your choice.

As far as "Seems to me that if you booted the PC in safe mode w/networking..." no legitimate Expert volunteer will tell you to do that - unless your system will not boot to Normal Mode (or as a last resort).
Author of the Year 2011
Top Expert 2006

Commented:
You might also want to check your "HOSTS" file (open it with Notepad) located at:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC (in XP).

It should look something like this (unless YOU have modified it):

#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

******************
Any other entries MAY have been made by the malware.
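The HOSTS check above can be turned into a small audit, and it also answers the question the asker keeps raising: if a name still resolves to the bad address after HOSTS is clean, the rewrite is happening below HOSTS (in the resolver path or a driver), not in the file. This is an added example, not code from the thread; the HOSTS contents and the ping results are constructed for it, using the addresses reported in the question.

```python
import ipaddress

# Constructed sample HOSTS file (not from the thread's machine): the stock XP
# contents quoted above plus entries of the kind the post warns about, using
# the addresses reported in the thread.
SAMPLE_HOSTS = """\
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
87.125.87.99    www.google.com
87.125.87.99    www.bing.com search.yahoo.com
"""

# Name -> address pairs as reported by ping on the affected PC (constructed).
OBSERVED = {"www.google.com": "87.125.87.99", "www.yahoo.com": "64.125.87.101"}

def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) HOSTS entry."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower()] = ip
    return entries

def suspicious_hosts_entries(entries):
    """Flag entries mapping a name to anything but a loopback address; a stock
    XP HOSTS file has only '127.0.0.1 localhost' active."""
    flagged = {}
    for name, ip in entries.items():
        try:
            if not ipaddress.ip_address(ip).is_loopback:
                flagged[name] = ip
        except ValueError:
            flagged[name] = ip                 # malformed address: flag it too
    return flagged

def classify_redirects(observed, entries):
    """Per observed name, say whether HOSTS explains the bad address ('hosts')
    or the rewrite happens below HOSTS ('resolver'), which is the situation in
    this thread: the redirect survived deleting HOSTS."""
    return {name: ("hosts" if entries.get(name.lower()) == ip else "resolver")
            for name, ip in observed.items()}
```

On a real XP box, read `C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts` into `parse_hosts` and feed `classify_redirects` the addresses ping reports.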

Author

Commented:
I'm not meaning to be dejecting of the advice and I will attempt to do additional scans with other tools. What I'm saying is that I'm trying to find someone who has already dealt with this problem and actually found the root cause of why a computer would choose to ping to these particular IPs only for Google, Bing, Yahoo (search engines). It's obvious malware and obviously some file or setting has been changed. I have yet to find where anyone has found a solution to this problem and can legitimately say something to the effect that "it was a setting in the registry @ HKLM...." Know what I'm saying?

And WTF are you talking about with "improper procedures"?   How do you know what procedures I have even attempted?     Safe mode is a good way to test if there is a bad service running BTW...
I have found that Malwarebytes actually catches and removes more things when run in this mode than in Normal.

You are welcome to go "help" someone else.
Author of the Year 2011
Top Expert 2006

Commented:
"And WTF are you talking about with "improper procedures"?"

Since you ask, I will be more specific - and then unsubscribe.

Using Malwarebytes (or any other scanner) without first running a rogue process stopper is an "improper procedure". You are the one who described your procedure in the original question - and it is 'improper'.

Although there are frequently solid symptoms that point to a specific tool/scanner, I can't recall dealing with this specific situation - and I do malware repair all day/every day. It is my business to know these things (literally).

When we (Experts) cannot offer targeted advice based on the information available, we have to start eliminating the 'possibles' - then deal with what is left.

I'll let others work with you now - but don't forget to check your HOSTS file.

/unsubscribe.

Author

Commented:
If you had actually read my original question, you would have seen that I said I deleted the HOSTS file... even the hidden one.... just saying.

BTW - I've been in IT since '90, I do this every day too. I'm not some goofball 14-year-old kid. When you talk about eliminating possibilities, if you boot a computer in safe mode with networking, and it STILL does it... you've eliminated a bunch of possibilities in my book.

Anyway, on to actually trying to find the ROOT cause of this problem.  

Author

Commented:
Okay, so I downloaded and ran TDSSKiller and it found ACPI.sys to be infected. Looks like I'm going to have to call McAfee and ask them why their Enterprise software can't seem to detect an infected file... yes? Such BS.

So I'm left wondering why acpi.sys would affect DNS for google.com and the like, but I'm resolved to say that since it was a virus, being associated with acpi.sys really has no correlation. acpi.sys does not have anything to do with DNS, search engine preferences and the like... yes? Correct me if I'm wrong. How it was affecting the outcomes of nslookup and all that... I'd still like to know.

I'm guessing that the infected process was recognizing any traffic going to google.com and other internet searches and attempting to re-direct.

I will admit, Younghv had good suggestions, but seemed to take things a bit personal when I was explaining how I didn't want just a bunch of suggestions of scanning tools and all.
I will also admit that I'm a little on edge right now with the passing of my father-in-law and my wife being gone for over 2 weeks attending to the after business of all that. Please excuse me for being ohhhh snap-py.

Sam

Author of the Year 2011
Top Expert 2006

Commented:
Sorry to hear about what you're going through. We've all been through rough patches and sometimes cordiality suffers (I'm guilty of that).

As you know, the methods of infection are many and varied - and you probably won't be able to actually trace the source.

The variants of malware and the methods of infection are almost limitless and neither McAfee nor any other single vendor is going to give you 100% protection.

We have had some really great discussions here on EE about building "Defense in Depth" for systems/networks with a variety of software and hardware recommendations.

This question is kind of toasted - not only with the comments, but the fact that it has been closed.

Most Experts won't look at it again to see further discussion.

If you would like to open a new question, describe your system/network architecture and ask for recommendations for improving security.

We do have a lot of SysAdmins/Network Security types who will weigh in and give you their thoughts.
Author of the Year 2011
Top Expert 2006

Commented:
Forgot to mention...
"acpi.sys" is just a likely target file 'name' for malware. As I recall, it sits down in the c:\windows\System32\DRIVERS\ folder and is going to be replaced readily when you do driver/system updates.

Often the malware writers will target legitimate files (file names) for writing their little crap applications - because when we look at it we tend to think "Oh yeah, good old acpi.sys - that's a safe file."

There is no way for me to know what that file was actually telling your system to do (it can do about anything the black-hearted malware moron wants it to), but in this case it was affecting your browser.

Some of the really sharp malware fighters know exactly which file goes in which folder, so they can spot problems if it is out of place - plus the writers will often modify the file name slightly (apci.sys) and your eye will tend to skip over it.

We have a couple of Experts here who can get right down in the weeds with this stuff and if you post a new question, I'll ping them to take a look.

Author

Commented:
SSharma...you just blew my mind.... LOL   That's some deeeeep matrix stuff there hee hee!  Cool info for sure.  I don't think most people think about viruses/malware being that deeply embedded on a PC.

Thanks for both of your help.
This infection that prevents using the three most common search sites (google, bing, yahoo) is still out there and prevalent. I had the SAME symptoms as above where www.google.com kept resolving to 87.125.87.99 instead of a correct IP address. The malware (possibly several different species of it) was installed when my son browsed to a hijacked website, and presumably clicked somewhere he shouldn't have. Using tools such as Malwarebytes, online forums, and basic sleuthing, I was able to remove bad registry entries with values such as "findgala", and files in the Application Data directories with values such as "Smart Engine" and "APdff_8047.exe". The HOSTS file didn't appear to be affected, but I replaced it anyway with a clean version. It wasn't until I used Kaspersky's TDSSKiller that the final infected file was found:

[InfectedObject]
Type: Service
Name: ACPI
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: system32\DRIVERS\ACPI.sys
Suspicious states: Forged file

I too would like to know how the driver file was capable of targeting selected websites.

The symptoms were very interesting. I could not successfully browse to www.google.com or search.google.com, but I could visit news.google.com. Also, any web page I visited that included client-side google analytics would be unable to load that command. Some embedded facebook modules on web pages would also not load.
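The TDSSKiller record quoted in that post is the one artifact in this thread that actually names the cause, so here is an added triage helper (not from the thread or from Kaspersky) that parses records of that shape and flags a forged, boot-start kernel driver. The second record and the `[Object]` header are constructed for contrast; the report format beyond the quoted lines is an assumption.

```python
# A TDSSKiller record of the shape quoted in the post above, plus a second,
# constructed benign record for contrast (the report format beyond the quoted
# lines is assumed, not taken from TDSSKiller documentation).
SAMPLE_REPORT = r"""
[InfectedObject]
Type: Service
Name: ACPI
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: system32\DRIVERS\ACPI.sys
Suspicious states: Forged file

[Object]
Type: Service
Name: HarmlessSvc
Type: Kernel driver (0x1)
Start: Demand (0x3)
ImagePath: system32\DRIVERS\harmless.sys
"""

def parse_report(text):
    """Split the report into records: one dict per [Header] block. Keys that
    repeat (Type appears twice per record) are kept as lists."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_kind": line[1:-1]}
            records.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current.setdefault(key, []).append(value)
    return records

def triage(records):
    """Return (name, reason) for records needing attention. A forged file is
    always flagged; a boot-start kernel driver is noted because it loads before
    any user-mode scanner runs, which is why the redirect here outlived the
    usual cleanup and explains the "deeper than a service" symptom."""
    findings = []
    for rec in records:
        states = " ".join(rec.get("Suspicious states", []))
        kernel = any(t.startswith("Kernel driver") for t in rec.get("Type", []))
        boot = any(s.startswith("Boot") for s in rec.get("Start", []))
        if "Forged file" in states:
            reason = "forged file"
            if kernel and boot:
                reason += ", boot-start kernel driver"
            findings.append((rec["Name"][0], reason))
    return findings
```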
Dave Messman, IT Consultant

Commented:
I had a user who had his google searches redirected to 87.125.87.99 the other day. I had taught him to use Malwarebytes in safe mode, so he was able to clear the main fakealert virus, but still his google searches and google apps were being redirected. This was the only sign of infection. In the end, I ran combofix which found rootkit malware that it said could be leading to networking issues. After letting combofix do its clean, the redirection was gone. So as of 5/11/12, Combofix was able to solve this issue for me.
