brawsing-check.com : Search Engine Redirect

TechguyUK

OK, I'm struggling with this one.

Customer called reporting Thinkpoint malware. I went over and did the usual to remove it... end the hotfix process with Task Manager and reset the explorer shell in the registry. Loaded MWB, updated it and did a full scan which found and removed a couple more issues - one of note was 'cleansweep.exe', which I've had problems with before. I then ran SAS - no issues found. Ran a full scan with MSE, which also picked up a couple more issues and removed them. TDSSKiller finds nothing. So all is well, I thought.

I'm about to hand the machine back to the customer when I notice Google searches are getting redirected to advertising via something called brawsing-check.com. It happens about 1 in 10 times I click on a link. I've reset IE8, checked for proxies (both in Internet Settings AND in the registry), rogue DNS entries, modified HOSTS file, etc. etc., and I simply can't find the issue.

As of this morning, I've done a system restore to a week prior to when the customer started to experience the issue. The machine is running XP SP3 with the latest MS updates. There is nothing obvious in Autoruns or Process Explorer, and I've just run full scans with TDSSKiller, GMER, MWB, MSE and a Kaspersky Rescue Disk 10, all with their latest updates, and all report no issues found. I thought it could be a router hijack, but the machine has been moved to my workshop and the redirect is still happening.

Anyone got any more ideas?
 
Hey Techguy,

I can probably kill whatever it is for you pretty quickly... if you've got a moment:

Download this, run it, and perform a Quick Scan.

Attach the resulting OTL.txt log file to your reply and I'll quickly scan through it and generate a fix. :)
 
I would do a port scan to see if there is anything obvious. Have you checked all the services which svchost is running?

Does Firefox or Chrome redirect?
 
Hey TechguyUK,

Nothing seems terribly amiss in that log, but I would start by downloading a fresh copy of TDSSKiller and running that, followed by:

Run OTL; paste the following into the Custom Scans/Fixes textbox:

Code:
:OTL
O4 - HKLM..\Run: []  File not found

:Reg

:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]

And see if it persists. If it does, it could very well be a router issue, which would require a reset to factory settings (the easiest way to resolve the issue).

Finally, if all else fails, you may wish to employ ComboFix on this machine... however I would first be sure to have a drive image on hand just as a safety measure.

I hope this helps!
 
BINGO!..... TDL4 rootkit detected on \HardDisk0

I didn't realise that there was a new version of TDSSKiller; my version was only a few months old as well!

Still, another day, another lesson learned: continually check the s/w toolset is fully up to date.

Many thanks for your input guys.
 
I'd definitely check the router's DNS settings before resetting it. There have been more and more reports of viruses logging into never-changed admin profiles on routers and putting in their own DNS server settings.

Edit (should refresh before posting more often):
Glad you found it. I'd recommend getting to know Ketarin to keep your toolkit updated. Set it to check for new versions of all your favourite scanners (TDSS, SAS, Combofix, etc) and even things like OTL / DDS and such referenced here. It's invaluable.
 
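The manual checks in the opening post (rogue DNS entries, a modified HOSTS file) and the router DNS advice in the post above both boil down to the same two questions: is a well-known domain being pinned to some foreign address locally, and is the machine (or its router) handing queries to a resolver nobody on the LAN configured? The script below is an added example written for this thread, not a tool any poster used; it runs offline over constructed sample data, and the watched-domain list, the trusted resolver ranges and the sample addresses are all assumptions you would replace with your own.

```python
"""
Triage helper for search-redirect symptoms: flag HOSTS-file lines that pin a
watched domain to a non-loopback address, and flag configured DNS resolvers
that fall outside the networks you trust. Sample inputs below are constructed
for illustration (RFC 5737 TEST-NET addresses), not captured from a real box.
"""
import ipaddress

# Domains a redirect-style hijack commonly targets (assumption; extend to taste).
WATCHED_DOMAINS = {
    "google.com", "www.google.com", "bing.com", "www.bing.com",
    "update.microsoft.com", "windowsupdate.com",
}

# Addresses that are harmless in a HOSTS file (block-lists use these).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text, ignoring comments/blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Entries that map a watched domain (or a subdomain of one) off loopback."""
    flagged = []
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK:
            continue
        if any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
            flagged.append((ip, name))
    return flagged


def rogue_resolvers(resolvers, trusted_networks):
    """Resolver addresses that are not inside any trusted network (LAN router, ISP ranges)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [r for r in resolvers
            if not any(ipaddress.ip_address(r) in n for n in nets)]


# --- constructed sample data (not from the thread) ---------------------------
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example          # block-list style entry, harmless
192.0.2.55      www.google.com       # suspicious: search engine pinned elsewhere
192.0.2.55      search.example
"""

# What ipconfig /all (or the router's WAN page) reported, constructed here.
SAMPLE_RESOLVERS = ["192.168.1.1", "198.51.100.7"]

# Networks whose resolvers you expect on this LAN (assumption for the example).
TRUSTED_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8"]


def triage(hosts_text=SAMPLE_HOSTS, resolvers=SAMPLE_RESOLVERS,
           trusted=TRUSTED_NETWORKS):
    """Run both checks and return the findings as a dict."""
    return {
        "hosts": suspicious_hosts_entries(hosts_text),
        "resolvers": rogue_resolvers(resolvers, trusted),
    }


if __name__ == "__main__":
    for kind, items in triage().items():
        print(f"{kind}: {items if items else 'nothing flagged'}")
```

On a real machine you would feed `parse_hosts` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `rogue_resolvers` the DNS servers from `ipconfig /all` plus the router's own upstream settings. Note what this does not catch: the thread's actual culprit was a TDL4 rootkit filtering traffic below the point where HOSTS and resolver settings live, which is exactly why clean results from this kind of check should push you toward an up-to-date rootkit scanner rather than a clean bill of health.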
Yup, sure sounded like TDSS to me. You'd be surprised to know how many techs miss these TDL rootkits behind the fake AVs (most recently, Thinkpoint) and just cannot seem to figure out why the customers keep getting infected. I'm very often given PCs that others missed the rootkits on. :D

Anyway, glad to hear it's sorted out. Have a great weekend!
 