Avast webhp redirection issue?

For a couple of days (I'm not completely sure since which day) my Google Chrome web search has been redirecting to webhp.

My Google Chrome settings are these

{google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q=%s

I’ve run ComboFix (see the dump below).
Because of ComboFix, I had to disable the scanners (Avast! Antivirus and Windows Defender).

Now comes the odd thing: if I disable Avast! Antivirus, then everything works fine.

Avast is version 6.0.1367 with Engine version 120215-1.

I have posted the same info on the MalwareBytes forum (http://forums.malwarebytes.org/index.php?showtopic=106188)

Since posting there, I found out that the issue seems limited to Google Chrome;

  • Firefox Google search is fine (i.e. no webhp redirect).
  • I don't have the Google Search app in IE, but if I search through the Google.com page, search is fine as well (i.e. no webhp redirect).

A few questions:

  • Is Avast hacked?
  • Do I have a rootkit?
  • What steps should I perform from now?

Other machines that were in the same network don't seem to suffer from this behaviour (yet?), but to be sure, I have moved this particular machine to a quarantined portion of the network.

I will post the same info on the Avast forum.

–jeroen

ComboFix 12-02-15.01 - jeroenp 2012-02-15 19:03:37.2.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16316.13211 [GMT 1:00]
Running from: c:\users\jeroenp\Desktop\ComboFix.exe
AV: avast! Antivirus Disabled/Updated {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus Disabled/Updated {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender Disabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

  • Created a new restore point
    .
    (rest of the file removed, see the MalwareBytes forum link)
    • End Of File - - 261A61B51CDD4BD280D1843B5333DC15

This is the aswMBR log:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-15 23:26:56

23:26:56.223 OS Version: Windows x64 6.1.7601 Service Pack 1
23:26:56.223 Number of processors: 8 586 0x1E05
23:26:56.224 ComputerName: W701UJPL UserName: jeroenp
23:26:57.565 Initialize success
23:27:00.495 AVAST engine defs: 12021501
23:27:31.670 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
23:27:31.673 Disk 0 Vendor: INTEL_SS 4PC1 Size: 572325MB BusType: 3
23:27:31.676 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IAAStorageDevice-1
23:27:31.679 Disk 1 Vendor: SAMSUNG_ 2AM1 Size: 953869MB BusType: 3
23:27:31.684 Disk 2 \Device\Harddisk2\DR2 → \Device\Ide\IAAStorageDevice-2
23:27:31.688 Disk 2 Vendor: INTEL_SS 4PC1 Size: 572325MB BusType: 3
23:27:31.695 Disk 3 \Device\Harddisk3\SR0 → \Device\SdBus-0
23:27:31.699 Disk 3 Vendor: ( Size: 1964MB BusType: 12
23:27:31.705 Disk 4 \Device\Harddisk4\DR3 → \Device\Scsi\JMCF1Port1Path0Target0Lun0
23:27:31.710 Disk 4 Vendor: JMCR____ Size: 30559MB BusType: 1
23:27:31.717 Disk 0 MBR read successfully
23:27:31.723 Disk 0 MBR scan
23:27:31.729 Disk 0 Windows 7 default MBR code
23:27:31.737 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
23:27:31.744 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 572222 MB offset 206848
23:27:31.751 Service scanning
23:27:32.208 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
23:27:32.797 Modules scanning
23:27:32.804 Disk 0 trace - called modules:
23:27:32.813 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys spjf.sys hal.dll
23:27:32.819 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa800ded9790]
23:27:32.827 3 CLASSPNP.SYS[fffff88001a5143f] → nt!IofCallDriver → [0xfffffa800dc59480]
23:27:32.834 5 ACPI.sys[fffff8800118a7a1] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0xfffffa800dc58050]
23:27:34.056 AVAST engine scan C:\Windows
23:27:35.290 AVAST engine scan C:\Windows\system32
23:28:23.890 AVAST engine scan C:\Windows\system32\drivers
23:28:29.969 AVAST engine scan C:\Users\jeroenp
23:29:08.381 AVAST engine scan C:\ProgramData
23:29:14.179 Scan finished successfully
23:31:53.384 Disk 0 MBR has been saved successfully to “C:\Users\jeroenp\AppData\Local\Temp\MBR.dat”
23:31:53.393 The log file has been saved successfully to “C:\Users\jeroenp\AppData\Local\Temp\aswMBR.txt”
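The aswMBR log above is the kind of output people paste into threads like this one and then eyeball. As an added example (not part of the original post, and not an Avast tool), here is a small parser that turns such a log into structured data and emits the three triage points a responder looks for first: whether the boot disk's MBR code is still the stock Windows loader, which services the scanner could not open (LOCKED), and which drivers sit in the disk I/O path besides the expected storage stack. The sample log is a trimmed copy of the one posted above, with the arrow written as `->` the way the tool prints it; the allowlist of storage-stack drivers and the wording of the MBR check are my assumptions, not something the tool documents.

```python
import re
from typing import Any, Dict, List

# Constructed sample: a trimmed copy of the aswMBR log posted in this thread.
SAMPLE_LOG = r"""
23:27:31.670 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:27:31.673 Disk 0 Vendor: INTEL_SS 4PC1 Size: 572325MB BusType: 3
23:27:31.676 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
23:27:31.679 Disk 1 Vendor: SAMSUNG_ 2AM1 Size: 953869MB BusType: 3
23:27:31.717 Disk 0 MBR read successfully
23:27:31.723 Disk 0 MBR scan
23:27:31.729 Disk 0 Windows 7 default MBR code
23:27:31.737 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
23:27:31.744 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 572222 MB offset 206848
23:27:31.751 Service scanning
23:27:32.208 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
23:27:32.797 Modules scanning
23:27:32.804 Disk 0 trace - called modules:
23:27:32.813 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys spjf.sys hal.dll
23:29:14.179 Scan finished successfully
"""

# Assumption: drivers one expects to see in a plain Windows 7 disk I/O path.
# Anything else in the trace is not proof of a rootkit, only something to identify
# (on this machine spjf.sys belongs to SPTD, the Daemon Tools/Alcohol filter driver).
EXPECTED_DISK_STACK = {
    "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys", "partmgr.sys", "acpi.sys",
    "iastor.sys", "storport.sys", "atapi.sys", "ataport.sys", "pciide.sys", "pciidex.sys",
}

TS = r"\d\d:\d\d:\d\d\.\d+"
DISK_RE = re.compile(TS + r" Disk (\d+) (?:\(boot\) )?(\\Device\\\S+) (?:->|→) (\S+)$")
VENDOR_RE = re.compile(TS + r" Disk (\d+) Vendor: (.+?) Size: (\d+)MB BusType: (\d+)$")
MBR_RE = re.compile(TS + r" Disk (\d+) (.*MBR code.*)$")
PART_RE = re.compile(TS + r" Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2}) (?:\(A\) )?"
                     r"([0-9A-Fa-f]{2}) (\S+) (\S+) (\d+) MB offset (\d+)$")
# Paths with spaces would need a looser pattern; the tool prints short paths here.
SERVICE_RE = re.compile(TS + r" Service (\S+) (\S+)(?: (LOCKED) (\d+))?$")
TRACE_HDR_RE = re.compile(TS + r" Disk (\d+) trace - called modules:$")


def parse_aswmbr(text: str) -> Dict[str, Any]:
    """Parse an aswMBR log into disks/services/trace and attach triage findings."""
    report: Dict[str, Any] = {"disks": {}, "services": [], "trace": {}, "findings": []}
    findings: List[str] = report["findings"]

    def disk(n: int) -> Dict[str, Any]:
        return report["disks"].setdefault(n, {"partitions": []})

    pending_trace = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_trace is not None:
            # The line right after the trace header lists the drivers in the disk I/O path.
            mods = line.split()[1:]  # drop the timestamp
            report["trace"][pending_trace] = mods
            for mod in mods:
                if mod.lower() not in EXPECTED_DISK_STACK:
                    findings.append(f"disk {pending_trace}: {mod} is in the disk I/O path "
                                    f"and not in the expected storage stack; identify it")
            pending_trace = None
            continue
        if (m := DISK_RE.match(line)):
            disk(int(m.group(1))).update(device=m.group(2), target=m.group(3))
        elif (m := VENDOR_RE.match(line)):
            disk(int(m.group(1))).update(vendor=m.group(2), size_mb=int(m.group(3)),
                                         bus_type=int(m.group(4)))
        elif (m := MBR_RE.match(line)):
            n, mbr = int(m.group(1)), m.group(2)
            disk(n)["mbr"] = mbr
            # Assumption: the tool reports a stock loader as "... default MBR code";
            # any other wording means the boot sector was not recognised and needs a look.
            if "default MBR code" not in mbr:
                findings.append(f"disk {n}: MBR code is not a recognised Windows loader ({mbr})")
        elif (m := PART_RE.match(line)):
            disk(int(m.group(1)))["partitions"].append({
                "index": int(m.group(2)), "active": m.group(3).lower() == "80",
                "type": m.group(4), "fs": m.group(6), "size_mb": int(m.group(7)),
                "offset": int(m.group(8))})
        elif (m := SERVICE_RE.match(line)):
            svc = {"name": m.group(1), "path": m.group(2), "locked": m.group(3) == "LOCKED"}
            report["services"].append(svc)
            if svc["locked"]:
                # LOCKED only means the scanner could not open the file; check who owns it.
                findings.append(f"service {svc['name']}: {svc['path']} could not be opened (LOCKED)")
        elif (m := TRACE_HDR_RE.match(line)):
            pending_trace = int(m.group(1))
    return report


if __name__ == "__main__":
    for finding in parse_aswmbr(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

On the posted log this yields two findings (the LOCKED sptd service and spjf.sys in the disk path) and no MBR finding, which matches the reading in the thread: nothing here points at a bootkit, and the two flagged items have a mundane explanation once the SPTD driver is identified.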

Have you reset the chrome default search ?

Did you also update Windows Defender? There was a false positive for google.com being infected with the Blackhole Exploit Kit, for which MS brought out an update.

polonus

I updated Windows Defender; no change.
The Google Search settings are still the same.
I installed MBAM: it didn’t find anything.

Result:

Something is wrong with Avast on my system in relation to Google Chrome on this particular system (the other systems are fine).
What to do next?

I am willing to reinstall the complete system from scratch (it’ll take about two days) if that is the most secure way.

–jeroen

Still strange: I closed all open Chrome pages and restarted Chrome, and now it works fine with Avast installed or not.

So: some page in Google Chrome made it redirect to webhp.
Not sure which yet, but will reply here if/when I find out.

Thanks for all the help!

–jeroen

Note: this was not the right cause!

[Found the cause: the link below forces the webhp redirect in Google Chrome.

url]

–jeroen

I tried reproducing this on other systems, but so far it does not reproduce.
If anyone is interested in looking over my shoulder for deeper investigation: I’m open for that.
–jeroen

Please don't make links clickable; we don't want unsuspecting users clicking on things that may infect their systems (change the http to hxxp).

Thank you

The issue is still intermittent, and not reproducible at will.
I think it is best to do a complete install from scratch on this machine.
What do you guys think?
–jeroen

Hi jeroenp,

First read more on this issue via this link: https://groups.google.com/a/googleproductforums.com/forum/#!category-topic/websearch/unexpected-search-results/cq4xbzFDYkU from the Google Search forum posting started by Gliss Tech,

polonus

I read that, but I’m not using any of the specialized searches.
Thanks for mentioning it though, as it might help someone else with a similar issue.

I can now reproduce this: on a similar Windows 7 x64 machine that had been off-line for a few weeks, I followed these steps:

  • ran all Microsoft patches
  • updated Windows defender
  • updated Avast!
  • updated Chrome from 16.x to 17.0.963.56 m

Now most of the searches redirect to webhp kinds of URLs.
I think it has to do with the omnibox suggestion, but at least I think I can pin this down to a Chrome version.

Next step is to downgrade Chrome to 16.x (will do that after writing this message) and see what happens.

Yup, it is a change in Google Chrome.

Reverse chronological order (and it is really bad that Google does not keep older stable builds on-line; how do you do regression testing?)

rem 17...* full installer stable
wget -m -np http://dl.google.com/chrome/install/963.56/chrome_installer.exe
:: redirect to webhp most of the time
wget -m -np http://dl.google.com/chrome/install/963.46/chrome_installer.exe
:: no redirect

rem 16...* full installer stable
wget -m -np http://dl.google.com/chrome/install/912.77/chrome_installer.exe
:: no redirect
wget -m -np http://dl.google.com/chrome/install/912.75/chrome_installer.exe
:: no redirect

So: 17.0.963.56 redirects, and 17.0.963.48 and below don’t redirect.

At http://googlechromereleases.blogspot.com/search/label/Stable%20updates?max-results=10000 you see that 17.0.963.56 got released on 20120215, 16.0.912.75 on 20120105 and the first non-available version 16.0.912.66 on 20111216. Which means that they keep less than 2 months of builds active for regression.

Hope this post helps others; I expect a lot more webhp reports because of the potential relation to rootkits.

At least it saves me a couple of days of reinstalling :)

–jeroen
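The procedure in the last two posts (line up the stable builds you can still download, install each, run a search, see whether it lands on webhp) is a manual bisection, with one complication the poster ran into: the redirect happens "most of the time", so a single clean run on a build does not prove that build good. The following is an added example, not code from the thread, that carries out that bisection over the build numbers listed above with a pluggable "does this build show the bug" check that is retried several times per build. The check used here is a constructed stand-in that flakes on purpose; on a real machine it would be replaced by installing the build and observing the search result, which is the part that cannot be automated offline.

```python
from typing import Callable, Optional, Sequence, Tuple

Version = Tuple[int, ...]

# Builds named in the posts above (the 912.66 installer was no longer downloadable).
BUILDS = ["16.0.912.66", "16.0.912.75", "16.0.912.77", "17.0.963.46", "17.0.963.56 m"]


def parse_version(s: str) -> Version:
    """'17.0.963.56 m' -> (17, 0, 963, 56); the trailing ' m' only marks a per-machine install."""
    return tuple(int(part) for part in s.split()[0].split("."))


class FlakyRedirect:
    """Constructed stand-in for 'install build X, run a search, did it land on webhp?'.

    Builds at or after `first_bad` redirect, except that every `miss_every`-th
    observation comes back clean, imitating the intermittent behaviour in the thread.
    """

    def __init__(self, first_bad: str, miss_every: int = 4) -> None:
        self.first_bad = parse_version(first_bad)
        self.miss_every = miss_every
        self.calls = 0

    def __call__(self, build: str) -> bool:
        self.calls += 1
        if parse_version(build) < self.first_bad:
            return False  # good builds never redirect
        return self.calls % self.miss_every != 0  # one observation in `miss_every` looks clean


def first_bad_build(builds: Sequence[str], shows_bug: Callable[[str], bool],
                    trials: int = 5) -> Optional[str]:
    """Return the oldest build that shows the bug, assuming a clean->broken transition.

    Each build is observed up to `trials` times and counted as bad if the bug shows
    even once: with an intermittent symptom a clean run proves nothing, a hit does.
    Returns None if even the newest build never shows the bug.
    """
    ordered = sorted(builds, key=parse_version)

    def is_bad(build: str) -> bool:
        return any(shows_bug(build) for _ in range(trials))

    if is_bad(ordered[0]):
        return ordered[0]  # regression predates the oldest build we can still test
    if not is_bad(ordered[-1]):
        return None
    lo, hi = 0, len(ordered) - 1  # invariant: ordered[lo] good, ordered[hi] bad
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_bad(ordered[mid]):
            hi = mid
        else:
            lo = mid
    return ordered[hi]


if __name__ == "__main__":
    print("first bad build:", first_bad_build(BUILDS, FlakyRedirect("17.0.963.56")))
    # The same check observed only once per build can miss the regression entirely:
    print("single trial:", first_bad_build(BUILDS, FlakyRedirect("17.0.963.56", miss_every=2), trials=1))
```

The second call shows the failure mode: with one observation per build and a symptom that skips every other run, the newest build looks clean and the bisection concludes there is no regression at all. Retrying each build a handful of times, as the poster effectively did by searching repeatedly, removes that false negative.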