Author Topic: Blocked 78.110.175.21 and bogus google links  (Read 24787 times)


ozwally

  • Guest
Blocked 78.110.175.21 and bogus google links
« on: January 01, 2009, 07:02:20 AM »
I started having a problem today, similar to some other posts I've seen here and on other sites.
Symptom 1:
Every few minutes I get a Network Shield warning that it blocked access to malicious site 78.110.175.21...
(only while firefox is running)

Symptom 2:
Searching for anything with google (via firefox) shows the usual titles and text for the search results but the links are to completely unrelated sites.

E.g. searching for "oblivion" in firefox / google gives a result:
==
The Elder Scrolls IV: Oblivion - Wikipedia, the free encyclopedia
The Elder Scrolls IV: Oblivion is a single-player role-playing video game developed by Bethesda Game Studios and published by Bethesda Softworks and the ...
www. antivirus 2009-freescan .com - 268k - Cached - Similar pages
==
(^^^NOTE THE URL, edit now space-ified for safety)

This problem in firefox happens with all of these 3 methods:
- GoogleLite add-on
- firefox's built in Search box
- Searching on the www.google.com page itself

Symptom 3:
I see a "Waiting for 7.7.7.0 " in the status bar of firefox (bottom left) when I start the search, before it starts displaying the results page.

I updated my avast virus defs today and did a full scan but nothing found.
Can anyone advise how I can find and fix this?

Thanks,
Wally

Firefox 3.0.5
(with Googlebar Lite 4.6.8)
Avast home 4.8 (virus defs version 081231-1)
Win XP Pro SP3
« Last Edit: January 01, 2009, 08:23:55 AM by ozwally »

bahog

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #1 on: January 01, 2009, 07:29:16 AM »
Wally,

Exactly the same problem. I am infected by something and I cannot find it. I have used the usual suspects, HJT and SuperAntiSpyware, but Avast is still warning me that it is blocking an attempted connection to 78.110.175.21, a known infected site. Any help would be appreciated to get rid of this, currently, annoying pop-up.

Thanks

Bahog

Offline spydier

  • Newbie
  • Posts: 2
Re: Blocked 78.110.175.21 and bogus google links
« Reply #2 on: January 01, 2009, 07:48:12 AM »
I have the same issue on the laptop, popup says "blocked" etc

Browser search re-directs

I have found some old info similar on Techguy but it is still not exactly the same...

http://forums.techguy.org/web-email/594428-ie7-hijacked.html

Anyone have further info? Run all scans etc.?

Jtaylor83

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #3 on: January 01, 2009, 08:14:00 AM »
It may be an infection from the Zlob trojan, or maybe you clicked on the "I'm Feeling Lucky" button.

Ozwally, please edit the link by putting spaces between the letters.

feral2U

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #4 on: January 01, 2009, 08:18:42 AM »
I'm also experiencing this issue and in the 15 yrs of IT and networking I have never been so hard pushed to try and clean something out.
HJT logs are clear, ran half a dozen other recommended proggies to kill this and still it keeps coming back.
Process Explorer does not show a rogue process opening with firefox or IE.
3 rootkit detectors and still nothing.
Multiple packet captures did not help diagnose what is going on.
Reset all the TCP/IP stack and now over 15 hrs later I am at the point where I am considering reinstalling windows.
I have to consider that this machine is compromised.

I removed the google search from firefox and things settled down for a few hours but as soon as I yahooed then I got whacked again.
I have blocked all Iframes, java script, removed java and still this thing is there.
I am brain dead on this one after the hours of scanning and registry scouring.
The time put into this would have been better spent reinstalling.

Avast has disappointed me with this one, the log files are not even loading up in log viewer and avast does not write the events to event log in windows.
I have to manually dig into the Avast home folder to read the logs.
I just don't know which way to go but whatever this bug is it is dug in like a tick.

I do not believe this is the Zlob trojan; the symptoms are not quite the same and the registry values that Zlob changes are not present.
In fact my run once and run values are clean as a whistle and only contain legit values.
Unless there is a new variant and it is still in the wild.
Mind you avast should have picked it up I have scanning cranked to maximum on all levels.
Cheers

ozwally

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #5 on: January 01, 2009, 08:22:26 AM »
I read somewhere (can't remember where now) that this issue is Javascript related.
So I turned off Javascript in firefox, and now my searches generally look correct.
E.g. The oblivion search now gives the correct URL, and it goes back to the bad one if I turn javascript back on before searching.
(Symptom 2)

With Javascript off, I also don't see the "Waiting for 7.7.7.0" (Symptom 3)

But I still see avast's alert "blocked access to malicious site 78.110.175.21", when firefox starts and periodically after that.
(Homepage http://www. google .com/ig?hl=en)

Maybe there's multiple problems here.
I also ran malwarebytes AM (quick scan only so far) and this found and removed a bunch of "Trojan.DNSChanger" infected files and registry keys.
(But afterwards, turning Javascript back on in firefox brings back the bogus google search links)

feral2U

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #6 on: January 01, 2009, 08:29:03 AM »
I read somewhere (can't remember where now) that this issue is Javascript related.
So I turned off Javascript in firefox, and now my searches generally look correct.
E.g. The oblivion search now gives the correct URL, and it goes back to the bad one if I turn javascript back on before searching.
(Symptom 2)

With Javascript off, I also don't see the "Waiting for 7.7.7.0" (Symptom 3)

But I still see avast's alert "blocked access to malicious site 78.110.175.21", when firefox starts and periodically after that.
(Homepage http://www. google .com/ig?hl=en)

Maybe there's multiple problems here.
I also ran malwarebytes AM (quick scan only so far) and this found and removed a bunch of "Trojan.DNSChanger" infected files and registry keys.
(But afterwards, turning Javascript back on in firefox brings back the bogus google search links)

This is interesting; however, I have a script blocker add-on in firefox as well so I can allow and deny sites based on my risk assessment. If this is a Java vulnerability then it is a major problem for all concerned.
The IP in question is owned by the Russian Business Network and they are not a very nice bunch, spammers and what not.
I have just marked google as being untrusted with noscript and that cleaned up the search links nicely.
I am going to update my Java installation with the latest version and see if that has any impact, but I am not going to hold my breath.
I still expect to see the block showing up.
Cheers
« Last Edit: January 01, 2009, 08:33:21 AM by feral2U »

CharleyO

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #7 on: January 01, 2009, 08:37:26 AM »
***

Welcome to the forums, ozwally.   :)

Check to see if your java is up to date. Use javaRa (Download Windows Binary .zip file) to both delete the old versions and then search for the newest update.

http://raproducts.org/javara.html


***
« Last Edit: January 01, 2009, 08:42:01 AM by CharleyO »

feral2U

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #8 on: January 01, 2009, 09:30:54 AM »
***

Welcome to the forums, ozwally.   :)

Check to see if your java is up to date. Use javaRa (Download Windows Binary .zip file) to both delete the old versions and then search for the newest update.

http://raproducts.org/javara.html


***

Gday Charley

Unfortunately updating the java runtimes does not resolve this issue.
I was skeptical that this would be the end of it anyway, this issue runs a lot deeper than just the Java, this malicious little bugger is going to get worse before it gets better for a lot of people I think.

I suspect that there are a lot of infected machines out there but they just don't know it yet.
Fortunately Avast's network scanner picks it up, but after that the ball is dropped as Avast only identifies the browser exe files as the culprits trying to make the connection and does nothing more.

I am devoting one more hour of research to this, then it is backup and reformat; I am not inclined to sit here working on a compromised machine.
I usually would go down that path straight away but decided to see if these new programs could do what they claimed but at the end of the day, 7 programs and many hours of scanning from safe mode and registry editing have to this point been disappointing, good learning exercise though.

:Cheers:

feral2U

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #9 on: January 01, 2009, 10:34:25 AM »
I have been doing a little digging and no surprise here, this is the results for who owns the offending IP address that this bug is trying to talk to.

---------------------------------------------------------------------
(Asked whois.ripe.net:43 about 78.110.175.21)

inetnum:        78.110.175.0 - 78.110.175.255
netname:        LIMIT-SUREHOST-IP-1
descr:          LIMIT SUREHOST IP RANGE 1
country:        RU
admin-c:        AAS188-RIPE
tech-c:         AAS188-RIPE
status:         ASSIGNED PA
mnt-by:         UKSERVERS-MNT
source:         RIPE  Filtered
person:         Alexander A Solovyov
address:        LIMT Group Ltd.
address:        Karpinskogo 97a
address:        Moscow
address:        111423
address:        Russian Federation
phone:          7 342 2763167
e-mail:         abuse@limt.ru
e-mail:         info@surehost.ru
e-mail:         svr.band@gmail.com
nic-hdl:        AAS188-RIPE
source:         RIPE  Filtered
route:          78.110.160.0/20
descr:          UK Dedicated Servers Limited
origin:         AS42831
mnt-by:         UKSERVERS-MNT
source:         RIPE  Filtered

------------------------------------------------------------------------------------

Of course the cold war is over and the russians are our friends now BWAHAHAHAHAHA!
Now to determine which authority is the best to pass this info onto.
I suspect that the server that firefox and IE are trying to contact is some sort of command and control server and once that contact has been made then further malware and bots would be sent back to the host for nefarious purposes.
I think Auscert might be a good place to start.

Cheers
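Added example, not part of the thread: a small Python helper that does the lookup feral2U describes (plain whois on port 43 against whois.ripe.net) and pulls out the fields a responder needs for an abuse report. The functions `query_whois`, `parse_whois` and `abuse_summary` are mine; `SAMPLE_RECORD` is a trimmed copy of the record quoted above so the parser can be exercised offline.

```python
import socket

# Trimmed copy of the RIPE record quoted in the thread (sample input for
# offline use; a live query returns the full record with '%' comment lines).
SAMPLE_RECORD = """\
inetnum:        78.110.175.0 - 78.110.175.255
netname:        LIMIT-SUREHOST-IP-1
country:        RU
source:         RIPE  Filtered

person:         Alexander A Solovyov
e-mail:         abuse@limt.ru
e-mail:         info@surehost.ru
nic-hdl:        AAS188-RIPE

route:          78.110.160.0/20
origin:         AS42831
source:         RIPE  Filtered
"""

def query_whois(ip, server="whois.ripe.net", port=43):
    """Plain whois (RFC 3912): send the query line, read until the server closes."""
    with socket.create_connection((server, port), timeout=10) as s:
        s.sendall(f"{ip}\r\n".encode())
        return b"".join(iter(lambda: s.recv(4096), b"")).decode("utf-8", "replace")

def parse_whois(text):
    """RIPE-style output: blank-line separated objects of key -> [values]."""
    objects, cur = [], {}
    for line in text.splitlines():
        if line.startswith("%"):          # server comments, not record data
            continue
        if not line.strip():
            if cur:
                objects.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur.setdefault(key.strip(), []).append(value.strip())
    return objects + ([cur] if cur else [])

def abuse_summary(objects):
    """Fields needed to report the IP: the block, its country, the
    announcing AS and every contact e-mail in the returned objects."""
    out = {"inetnum": None, "netname": None, "country": None, "origin": None, "emails": []}
    for obj in objects:
        for k in ("inetnum", "netname", "country", "origin"):
            if out[k] is None and k in obj:
                out[k] = obj[k][0]
        out["emails"] += obj.get("e-mail", [])
    return out
```

For a live lookup call `abuse_summary(parse_whois(query_whois("78.110.175.21")))`; the route object's `origin` tells you which AS to include in the report alongside the abuse address.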

Nobody71

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #10 on: January 01, 2009, 10:40:27 AM »
I found a potential solution on another website (can't remember which as I have been looking everywhere)...

delete/rename/move the file
c:\windows\system32\wdmaud.sys
NOT
c:\windows\system32\drivers\wdmaud.sys

I didn't even have to restart the PC - but the AVAST messages stopped...  I just hope that is really the only culprit...

feral2U

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #11 on: January 01, 2009, 11:43:42 AM »
I found a potential solution on another website (can't remember which as I have been looking everywhere)...

delete/rename/move the file
c:\windows\system32\wdmaud.sys
NOT
c:\windows\system32\drivers\wdmaud.sys

I didn't even have to restart the PC - but the AVAST messages stopped...  I just hope that is really the only culprit...

Dude!!! You're a legend, at this point hahahahaha!
I just renamed that file and then moved it to a quarantine folder.
Rebooted and have not had one attempted connection to the russian mafia homepage.
Google is behaving as well.

If I don't get any more errors in the next 24 hrs, if I ever meet you I will buy you a beverage.
The file in question according to MS is meant to be 80kb and lives in the drivers folder under system32; the one I found was 23kb. I ran a scan against it and found nothing.
I am about to dissect that little bugger and have a good look at it in a dll editor and see if there is anything interesting inside.

Will post what I find if anything, I just hope it has no brothers and sisters floating around waiting for some event to trigger.
We shall see.

Cheers
« Last Edit: January 01, 2009, 11:45:28 AM by feral2U »
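As an added example (not from the thread and not an Avast tool), a Python triage script for the file check feral2U describes: it lists any copy of wdmaud.sys sitting directly in system32 alongside the legitimate one in system32\drivers, flags the out-of-place or undersized copy, hashes it for comparison or submission, and moves it to a quarantine folder instead of deleting it. The 60 KB threshold is my assumption derived from the 80 KB / 23 KB figures above; run it as Administrator.

```python
import hashlib
import os
import shutil

# Figures from the thread: the genuine driver lives in system32\drivers and
# is about 80 KB, while the rogue copy sat directly in system32 at 23 KB.
# MIN_LEGIT_SIZE is my assumption derived from those two numbers.
LEGIT_SUBDIR = "drivers"
MIN_LEGIT_SIZE = 60 * 1024

def sha256_of(path):
    """Hash for AV submission or comparison against a known-good copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_driver(system32, name="wdmaud.sys"):
    """List every copy of `name` in system32 and system32\\drivers, flagging
    a copy outside the drivers folder or one far smaller than the real one."""
    findings = []
    for sub in ("", LEGIT_SUBDIR):
        path = os.path.join(system32, sub, name)
        if not os.path.isfile(path):
            continue
        size, reasons = os.path.getsize(path), []
        if sub != LEGIT_SUBDIR:
            reasons.append("outside the drivers folder")
        if size < MIN_LEGIT_SIZE:
            reasons.append(f"only {size} bytes")
        findings.append({"path": path, "size": size, "sha256": sha256_of(path),
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings

def quarantine(path, quarantine_dir):
    """Rename-and-move instead of delete: the sample is kept for analysis,
    and a later re-run of triage_driver shows whether something re-creates it."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    return dest

if __name__ == "__main__":
    root = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    for finding in triage_driver(root):
        print(finding)
```

Re-run the triage a few minutes after quarantining: a copy that comes straight back, as stillness reports below, means a running component is re-dropping it and the machine still needs a full clean or rebuild.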

stillness

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #12 on: January 01, 2009, 03:20:27 PM »
Deleting wdmaud.sys from the drivers folder didn't fix my problem (exact symptoms as everybody else with 7.7.7.0 and 78.110.175.21). BTW as soon as I delete the file, another one pops back up in that folder.

spg SCOTT

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #13 on: January 01, 2009, 03:26:18 PM »
Deleting wdmaud.sys from the drivers folder didn't fix my problem (exact symptoms as everybody else with 7.7.7.0 and 78.110.175.21). BTW as soon as I delete the file, another one pops back up in that folder.

I think you may have deleted the wrong one, Nobody71 said the one in the system32 folder, not the drivers:

I found a potential solution on another website (can't remember which as I have been looking everywhere)...

delete/rename/move the file
c:\windows\system32\wdmaud.sys
NOT
c:\windows\system32\drivers\wdmaud.sys


I didn't even have to restart the PC - but the AVAST messages stopped...  I just hope that is really the only culprit...

Hope this helps...

stillness

  • Guest
Re: Blocked 78.110.175.21 and bogus google links
« Reply #14 on: January 01, 2009, 03:48:04 PM »
Yes!  I had the wrong folder!  Deleting c:\windows\system32\drivers\wdmaud.sys worked perfectly!  Thanks Nobody71!