Author Topic: Avast webhp redirection issue?  (Read 7965 times)


jeroenp

  • Guest
Avast webhp redirection issue?
« on: February 15, 2012, 11:03:57 PM »
Since a couple of days - I'm not completely sure which day - my Google chrome web search redirects to webhp.

My Google Chrome settings are these

{google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q=%s

I've run ComboFix (see the dump below).
Because of ComboFix, I had to disable the scanners (Avast! Antivirus and Windows Defender).

Now comes the odd thing: if I *disable* Avast! Antivirus, then everything works fine.

Avast is version 6.0.1367 with Engine version 120215-1.

I have posted the same info on the MalwareBytes forum (http://forums.malwarebytes.org/index.php?showtopic=106188)

Since posting there, I found out that the issue seems limited to Google Chrome;
- Firefox Google search is fine (i.e. no webhp redirect).
- Don't have the Google Search app in IE, but if I search through the Google.com page, search is fine as well (i.e. no webhp redirect).

A few questions:
- Is Avast hacked?
- Do I have a rootkit?
- What steps should I perform from now?

Other machines that were in the same network don't seem to suffer from this behaviour (yet?), but to be sure, I have moved this particular machine to a quarantined portion of the network.

I will post the same info on the Avast forum.

--jeroen


ComboFix 12-02-15.01 - jeroenp 2012-02-15 19:03:37.2.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16316.13211 [GMT 1:00]
Running from: c:\users\jeroenp\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
(rest of the file removed, see the MalwareBytes forum link)
- - End Of File - - 261A61B51CDD4BD280D1843B5333DC15

This is the aswMBR log:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-15 23:26:56
-----------------------------
23:26:56.223    OS Version: Windows x64 6.1.7601 Service Pack 1
23:26:56.223    Number of processors: 8 586 0x1E05
23:26:56.224    ComputerName: W701UJPL  UserName: jeroenp
23:26:57.565    Initialize success
23:27:00.495    AVAST engine defs: 12021501
23:27:31.670    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:27:31.673    Disk 0 Vendor: INTEL_SS 4PC1 Size: 572325MB BusType: 3
23:27:31.676    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
23:27:31.679    Disk 1 Vendor: SAMSUNG_ 2AM1 Size: 953869MB BusType: 3
23:27:31.684    Disk 2  \Device\Harddisk2\DR2 -> \Device\Ide\IAAStorageDevice-2
23:27:31.688    Disk 2 Vendor: INTEL_SS 4PC1 Size: 572325MB BusType: 3
23:27:31.695    Disk 3  \Device\Harddisk3\SR0 -> \Device\SdBus-0
23:27:31.699    Disk 3 Vendor: (  Size: 1964MB BusType: 12
23:27:31.705    Disk 4  \Device\Harddisk4\DR3 -> \Device\Scsi\JMCF1Port1Path0Target0Lun0
23:27:31.710    Disk 4 Vendor: JMCR____  Size: 30559MB BusType: 1
23:27:31.717    Disk 0 MBR read successfully
23:27:31.723    Disk 0 MBR scan
23:27:31.729    Disk 0 Windows 7 default MBR code
23:27:31.737    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
23:27:31.744    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       572222 MB offset 206848
23:27:31.751    Service scanning
23:27:32.208    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
23:27:32.797    Modules scanning
23:27:32.804    Disk 0 trace - called modules:
23:27:32.813    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys spjf.sys hal.dll
23:27:32.819    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800ded9790]
23:27:32.827    3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> [0xfffffa800dc59480]
23:27:32.834    5 ACPI.sys[fffff8800118a7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa800dc58050]
23:27:34.056    AVAST engine scan C:\Windows
23:27:35.290    AVAST engine scan C:\Windows\system32
23:28:23.890    AVAST engine scan C:\Windows\system32\drivers
23:28:29.969    AVAST engine scan C:\Users\jeroenp
23:29:08.381    AVAST engine scan C:\ProgramData
23:29:14.179    Scan finished successfully
23:31:53.384    Disk 0 MBR has been saved successfully to "C:\Users\jeroenp\AppData\Local\Temp\MBR.dat"
23:31:53.393    The log file has been saved successfully to "C:\Users\jeroenp\AppData\Local\Temp\aswMBR.txt"
« Last Edit: February 15, 2012, 11:33:34 PM by jeroenp »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast webhp redirection issue?
« Reply #1 on: February 15, 2012, 11:27:07 PM »
Have you reset the chrome default search ?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Avast webhp redirection issue?
« Reply #2 on: February 15, 2012, 11:56:56 PM »
Did you also update Windows Defender? There was a false positive for google.com being infected with Blackhole Exploit Kit for which MS brought out an update,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

jeroenp

  • Guest
Re: Avast webhp redirection issue?
« Reply #3 on: February 16, 2012, 05:03:22 AM »
I updated Windows Defender; no change.
The Google Search settings are still the same.
I installed MBAM: it didn't find anything.

Result:
- Windows Defender off; Avast off: Google Chrome searching works (example: http://www.google.nl/search?aq=f&sourceid=chrome&ie=UTF-8&q=nu)
- Windows Defender on; Avast off: Google Chrome searching works (example http://www.google.nl/search?aq=f&sourceid=chrome&ie=UTF-8&q=nu)
- Windows Defender on; Avast on: Google Chrome searching redirects (example: https://www.google.com/webhp?sourceid=chrome-instant&ix=seb&ie=UTF-8&ion=1#sclient=psy&hl=en&site=webhp&source=hp&q=nu&pbx=1&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&fp=f7fcb1e1d09b214&ix=seb&ion=1&ix=seb&ion=1&bav=on.2,or.r_gc.r_pw.r_cp.,cf.osb&fp=f7fcb1e1d09b214&biw=1331&bih=774&ix=seb&ion=1)
- Windows Defender off; Avast on: Google Chrome searching redirects (example: https://www.google.com/webhp?sourceid=chrome-instant&ix=seb&ie=UTF-8&ion=1#sclient=psy&hl=en&site=webhp&source=hp&q=nu&pbx=1&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&fp=f7fcb1e1d09b214&ix=seb&ion=1&ix=seb&ion=1&bav=on.2,or.r_gc.r_pw.r_cp.,cf.osb&fp=f7fcb1e1d09b214&biw=1331&bih=774&ix=seb&ion=1)

Something is wrong with Avast on my system in relation to Google Chrome on this particular system (the other systems are fine).
What to do next?

I am willing to reinstall the complete system from scratch (it'll take about two days) if that is the most secure way.

--jeroen
« Last Edit: February 16, 2012, 05:12:23 AM by jeroenp »
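The on/off matrix above boils down to one question a defender wants answered quickly: is the page Chrome lands on a legitimate Google search page (the /webhp Instant landing page is one of those; the query term just moves into the URL fragment), or is the browser really being sent somewhere else? The script below is an added example, not code from the thread or from Avast or Google; it classifies captured search URLs with Python's standard urllib. The host allowlist, the category names, the shortened form of the Instant URL and the off-host sample URL are all constructed assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist for this example: the Google search hosts seen in the thread.
# A real deployment would extend it with the ccTLD hosts it actually expects to see.
GOOGLE_SEARCH_HOSTS = {"www.google.com", "www.google.nl"}


def _first(params, key):
    """Return the first value of a query/fragment parameter, or None."""
    values = params.get(key)
    return values[0] if values else None


def classify_search_url(url):
    """Classify a URL that Chrome landed on after a search.

    Returns (category, query_term, sourceid):
      "off-google"     host is not a known Google search host: a real redirect
                       worth investigating (hosts file, proxy, browser add-on)
      "chrome-instant" the /webhp landing page that Chrome's Instant/omnibox
                       feature uses; the query term lives in the URL fragment
      "normal-search"  the classic /search results page
      "unknown"        a Google host, but a path this example does not model
    """
    parts = urlsplit(url)
    host = parts.netloc.lower()
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    sourceid = _first(query, "sourceid")
    # Instant puts the search term after '#', so look in both places.
    term = _first(query, "q") or _first(fragment, "q")

    if host not in GOOGLE_SEARCH_HOSTS:
        return "off-google", term, sourceid
    if parts.path == "/webhp" and sourceid == "chrome-instant":
        return "chrome-instant", term, sourceid
    if parts.path == "/search" and term is not None:
        return "normal-search", term, sourceid
    return "unknown", term, sourceid


def audit(urls):
    """Group captured URLs by category so the suspicious bucket stands out."""
    buckets = {}
    for url in urls:
        category, _, _ = classify_search_url(url)
        buckets.setdefault(category, []).append(url)
    return buckets


# Sample input: the two URL shapes from the thread (the Instant one shortened)
# plus one constructed off-host URL to show what a real redirect looks like.
SAMPLE_URLS = [
    "http://www.google.nl/search?aq=f&sourceid=chrome&ie=UTF-8&q=nu",
    "https://www.google.com/webhp?sourceid=chrome-instant&ix=seb&ie=UTF-8&ion=1"
    "#sclient=psy&hl=en&site=webhp&source=hp&q=nu&fp=f7fcb1e1d09b214&ion=1",
    "http://search.example.invalid/results?q=nu",  # constructed, not from the thread
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify_search_url(url)[0], url)
    print(audit(SAMPLE_URLS))
```

Only the "off-google" bucket is evidence of tampering; both Google-hosted shapes are what Chrome itself produces, which is the distinction the rest of the thread ends up making.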

jeroenp

  • Guest
Re: Avast webhp redirection issue?
« Reply #4 on: February 16, 2012, 06:25:28 AM »
Still strange: closed all open Chrome pages, restarted Chrome, now it works fine with Avast installed or not.

So: some page in Google Chrome made it redirect to webhp.
Not sure which yet, but will reply here if/when I find out.

Thanks for all the help!

--jeroen

jeroenp

  • Guest
Re: Avast webhp redirection issue?
« Reply #5 on: February 16, 2012, 06:53:12 AM »
Note: this was not the right cause!

[Found the cause: the link below forces a webhp redirect in Google Chrome.

url]

--jeroen
« Last Edit: February 16, 2012, 01:44:11 PM by jeroenp »

jeroenp

  • Guest
Re: Avast webhp redirection issue?
« Reply #6 on: February 16, 2012, 08:36:52 AM »
I tried reproducing this on other systems, but so far it does not reproduce.
If anyone is interested in looking over my shoulder for deeper investigation: I'm open for that.
--jeroen

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • Posts: 11239
  • No support PM's thanks
Re: Avast webhp redirection issue?
« Reply #7 on: February 16, 2012, 09:01:20 AM »
Please don't make links clickable, we don't want unsuspecting users clicking on things that may infect their systems - (change the http to hxxp)

Thank you

jeroenp

  • Guest
Re: Avast webhp redirection issue?
« Reply #8 on: February 16, 2012, 03:05:14 PM »
The issue is still intermittent, and not reproducible at will.
I think it is best to do a complete install from scratch on this machine.
What do you guys think?
--jeroen

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Avast webhp redirection issue?
« Reply #9 on: February 16, 2012, 05:29:45 PM »
Hi jeroenp,

First read more on this issue via this link: https://groups.google.com/a/googleproductforums.com/forum/#!category-topic/websearch/unexpected-search-results/cq4xbzFDYkU from the Google Search forum posting started by Gliss Tech.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

jeroenp

  • Guest
Re: Avast webhp redirection issue?
« Reply #10 on: February 16, 2012, 05:33:55 PM »
I read that, but I'm not using any of the specialized searches.
Thanks for mentioning it though, as it might help someone else with a similar issue.

jeroenp

  • Guest
Re: Avast webhp redirection issue?
« Reply #11 on: February 16, 2012, 10:18:58 PM »
I can now reproduce this: on a similar Windows 7 x64 machine that has been offline for weeks, I followed these steps:

- ran all Microsoft patches
- updated Windows Defender
- updated Avast!
- updated Chrome from 16.x to 17.0.963.56 m

Now most of the searches redirect to webhp kinds of URLs.
I think it has to do with the omnibox suggestion, but at least I think I can pin this down to a Chrome version.

Next step is to downgrade Chrome to 16.x (will do that after writing this message) and see what happens.

jeroenp

  • Guest
Re: Avast webhp redirection issue?
« Reply #12 on: February 16, 2012, 11:00:05 PM »
Yup, it is a change in Google Chrome.

Reverse chronological order (and it is really bad that Google does not keep on-line older versions of stable builds; how to do regression testing?)

rem 17.*.*.* full installer stable
wget -m -np http://dl.google.com/chrome/install/963.56/chrome_installer.exe
:: redirect to webhp most of the time
wget -m -np http://dl.google.com/chrome/install/963.46/chrome_installer.exe
:: no redirect

rem 16.*.*.* full installer stable
wget -m -np http://dl.google.com/chrome/install/912.77/chrome_installer.exe
:: no redirect
wget -m -np http://dl.google.com/chrome/install/912.75/chrome_installer.exe
:: no redirect

So: 17.0.963.56 redirects, and 17.0.963.48 and below don't redirect.

At http://googlechromereleases.blogspot.com/search/label/Stable%20updates?max-results=10000 you see that 17.0.963.56 got released on 20120215, 16.0.912.75 on 20120105 and the first non-available version 16.0.912.66 on 20111216. Which means that they keep less than 2 months of builds active for regression.

Hope this post helps others; I expect a lot more webhp reports because of the potential relation to rootkits.

At least it saves me a couple of days of reinstalling :)

--jeroen