Intermittant Google Search Redirects

I had a bit of Mal-Ware that was cleaned up in an earlier post, but still have a lingering issue. When I search via Google, the results will return, and the majority of the time, I click the result and am directed to the correct site. A few times a day I get redirected to a different site than what is listed.
A good example was went I went to post here. Did a Google search for Avast Forum, and the results returned. I clicked in the first result, and was redirected here:
hxtp://www.stopsign.com/se/se600d.php?n=s_7s_anti_softn&kw=7s_anti_softn_t20110324_se_avast&uid=7351b0831c5004e613a5d35c92e42162&bit_mask=0&bit_sample=3919897404&ver=online&b=%26qq_mycatalogshop.com_xu_52bf537d5ccccdca8d8756ef1317e958_xd_20110516&pg=%26mss_se_spin&SV=mss_se_spin
I did a back in the browser, reclicked the same link, and was brought to the Avast Forums. The redirect links are random, as I usually don’t get the same ones everytime.
A have run DDS and have attached the logs. What do I need to do to finish cleaning it up?

This sounds like a different infection - does it occur on a specific webpage ? Stopsign was a rogue AV a few years ago but they are believed to have cleaned their act up

The redirect is always on the Google Search results page, and it is random as to which results get redirected.
I was able to determine over the weekend the redirected page url will always be redirected to the same site the first time, and is consistent depending on what you are searching for.
Example:
Everytime I search for MSDN Subscription Download, the #1 returned results is the correct page.

It will always redirect me the first time to this page:
hxtp://bm-network.com/qwp/download/?m=5&r=22719

It should be this url:
http://msdn.microsoft.com/en-us/subscriptions/downloads/default.aspx

I found this to be consistent:

After I go back in the browser, it will not happen again until I close the browser, restart it and search again, or I change what I am searching for, then it will redirect as it a new search.

OK lets have a look see (I am not a great fan of DDS as it forces you to use combofix for removal )

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Attached is the OTS log. Had to zip it as it was just over the max. attachment size, and renamed it to Log to get past the filters. ;D

Nothing apparent there - do the other computers using your router have the same problem ?

I did the same MSDN and Avast tests on 6 other systems in the house. 1 of them has the same OS, fixes, and drivers, and they do not get the redirects.
I did do another test on the PC in question. IE 9 does not get the redirects when searching, just FireFox.

Could you do another OTS scan please and paste this script in

[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Attached is the OTS log. Had to zip it as it was just over the max. attachment size, and renamed it to Log to get past the filters.

I am going to download the FireFox DNS Cache Flusher, not that it will fix it, but at least I know FireFox’s DNS Cache is cleared.

I installed the FireFox add-in DNS Cache 1.7 and flushed Firefox’s DNS cache. I tried the MSDN Search, and the Avast Search and there were no redirects. I am hoping this fixed it. I will post back tomorrow either way and let you know if it is. or is not fixed. I would have thought if this was the problem, FireFox’s would have checked it’s DNS Cache every time, and the redirect would have been there everytime.

I fear that is the problem with trying to resolve redirects in firefox alone, it places files in many different locations that they are hard to find. My normal solution to this is to do a full uninstall of Firefox (everything) and then a re-install

Issue is still there. I uninstalled FF, deleted all the profiles and install directories, reinstalled FF and it is still there. I was able to locate where the redirect is going.

Here is the url:
http://64.111.211.161/c.php?s=eNo1kkuvokAQhX-Qibe76efCBYqiKAoqAm4m0NAIF98iaPrHD7OYVCp1FpXzLc6pNEIMCg21649GGgyhAcj_gwCEgEAOGSCI6Tg6nqThj7SEktEcK0OklCkqhOQiVZjnLDE4EfIPIhCmkCqWpplKeiGZkpAkGSc4S7DSwuiJ-fo6a7P6U1SmabqTH7pbl2HxLTdjMDW7-I5ss3ybQVncZtaqgD0OlvbsVj3DggT05uyCd_4xKD78PsLDogGPcUZCtY5aP5l5HVMo8dxuNgbfqHh4jR-29x_Im42oVLre-yqc7m_cm8el31lm9D0k2-sJbczxpDt_RLlD9M22Azs-V_S1XFvgsphbi9zy2ot_8ZEbqMYJ7NNZdMfUX98d24uTXfY9fqC3MzfnkmMSKzB7fooNXW7Zxofl1T3fFLkisV8tvcxwXJPtzmN6Xy0G5ba3eMziF6jD1n9uB0Ek3et0zqfLKlr-EJcArwkTAh00R531bOxiM7D8il_IrxXQIM_Edxu3DpYvHwZi9w7MfV477hSTGkoqrEnn2eha31VSl1S11iMizbPtE2d0iDAbItgvYFoL0ms4hAAMGdJAa6QzIzNW9dgK0KHKIueWzet9Ytd1avtNjMSr__o32tBpVFdxtD2ltrhIdHrLCalSBEaaYoZARvPEyHKZcMxI2veGJwgbuSGR0AlXHOIUGwBLDnMuc85yI08VwYpxnP0FmdnVBQ

The url is the same, so I am assuming there is still malware on my system somewhere. So far MWB, Spy Bot, and Hit man can’t find it. I also found that if I use IE long enough, I get the same redirects. I have a feeling I will end up formatting and reloading everything from scratch, which I am trying to avoid. I did add the IP to the avast block list. A screenshot of the browser history is attached.

OK aswMBR is down at the moment so lets look at the MBR

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

The scan came up clean. I have attached the log file.

I can not see where it is originating from

Although on checking out the dns I got this

We could not find any information about the requested domain. This error happens when a domain does not exist

The only other alternative would be a Dr Web scan - but that will take several hours

I found the little bugger finally, or at least it looks like it, no redirects to the ip, or attempts since I removed 2 suspect files from a directory.

I was doing some js work, and threw a few lines in to use FF to do a Google search for MSDN Subscrptions, and redirect to the MSDN Subscription site. I had a script reference show up, I did not put in the code, but it threw that suspicious url in my code as I was testing it.

Here is where the files are that look like they are causing the problem:
C:\Users\Dale\AppData\Local{21AF0C3C-2C80-4082-9E63-2B1692207969}\chrome\content

The 2 files are:
_cfg.js
overlay.xul

I looked in these files and don’t see anything suspicious, but since I moved them I have not had a redirect. I am thinking I may not even need the directory with the GUID, but there are 2 files that also look a bit suspicious, and checking on 2 other Windows 7 PC’s, as well as Windows Servers (2008, 2008R2, 2003, 2003R2), there is a directory named with a GIUD (None of them are the same GUID), that have no contents.

Located in the GUID Directory (C:\Users\Dale\AppData\Local{21AF0C3C-2C80-4082-9E63-2B1692207969})are these 2 files:
chrome.manifest
install.rdf

I am thinking maybe I should move everything below C:\Users\Dale\AppData\Local{21AF0C3C-2C80-4082-9E63-2B1692207969} since the others systems I looked at are empty.

I found 2 Registry keys referencing the directory GUID that also don’t exist on the other systems:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions
HKEY_USERS\S-1-S-21-XXXXXXXXXXXXXXXXXXXXXXXXXX\Software\Mozilla\Firefox\Extensions

I am hoping this finally takes care of it. I will update it tomorrow with the result, good or bad.

This was the culprit, no more redirects. I zipped the files up and ran them through VirusTotal, and it is fact MalWare. I posted in the TotalVirus thread, and if Avast wants the files I can forward them via email. I was able to inject this via a java script on a test box and infect the PC as a regular user.

VirusTotal link:
http://www.virustotal.com/file-scan/report.html?id=137e9afb4c49ceab45fff506f5a92b5cddedcac1694adcd5eb6b962d28dce5c1-1305819545

Send the sample/s to avast as a Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Sneaky - I guess I will have to ask OT to add that to the standard scan parameters

Hey guys, im having the same issue.

I dont have the smae registry entries as him
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions
HKEY_USERS\S-1-S-21-XXXXXXXXXXXXXXXXXXXXXXXXXX\Software\Mozilla\Firefox\Extensions

Regardless of the fact I AM using firefox I dont have those entries.

The same goes for the file location
C:\Users\Dale\AppData\Local{21AF0C3C-2C80-4082-9E63-2B1692207969}\chrome\content

All I can get to is C:\Users\Dale\AppData\Local\ the following folders are not there.

This issue is getting increasingly annoying. Does anyone have any recommendations or fixes for this issue?