Find-Quick-Results Redirect Part II

by BiggAndyy on June 27th, 2011, in Trojan/Malware/Virus

It’s baaaack.

There are a lot of sites that suggest what I have done.  Most others are variations on the same theme: download, run, reboot and automagically the problem is gone.

It wasn’t gone, and if you are a propeller-head wannabe like me, you want to know WHAT the thing is, WHERE it hides, and HOW to manually remove it.  Since many viruses are polymorphic these days, the file names change but the M.O. usually does not.  I want to be able to recognize the pattern so I can get rid of the redirects when I see it.

To this end I began to question the methodology of how this thing works, what method of infection and propagation it uses, and even where it may actually be hiding.  Since Firefox, Internet Explorer, and Opera are all affected on my machine, I naturally went to [HKCR]\applications\firefox.exe\shell\open\command\ to see if there is a redirect in the Default key.  There was not, nor were there redirects in the IE and Opera registry keys.

I checked several more of the popular places in the registry but saw nothing suspicious at a glance, so I moved on to Java.  I disabled JavaScript execution in Firefox, no help.  I removed Java from the machine, no help, reinstalled with the newest version, no help.

Same with Flash: disable, uninstall, reinstall, no help.  I broke out Sysinternals and watched the process log when visiting Google, Bing and Yahoo, nothing interesting there.

I am still in the beginning phases of the forensics, but I am wondering if the redirects are being made to the results pages at the machine.  Perhaps a compromised DNS server or switch is perpetrating this redirect?  Since no one appears to be able to stay clean for very long, I am wondering.

Next step will be to point my TCP/IP DNS settings to OpenDNS and see if there is a difference.  I’ll keep you posted.


Find-Quick-Results Redirect Removal Tips

by BiggAndyy on June 15th, 2011, in Trojan/Malware/Virus

Ok folks, this took some time but I was able to remove this stupid thing from my computer.  Here is the simple two-step process (thanks to bleepingcomputer.com for the assist).

Here were the offending files on my system; once they were removed the problem went away.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO)

c:\documents and settings\%username%\application data\Sun\Java\deployment\cache\6.0\19\3233acd3-2c60c271 (Trojan.FakeAlert)

Once this file was removed and the registry key deleted, the browsers were back to normal.  I used:

  • RKill (rkill.com) – from BleepingComputer.  This program will kill the processes of most known rootkits.
  • Malwarebytes – from Malwarebytes.org.  This will scan your entire computer and find malware very effectively.

Here is the process:

  1. Download the programs and update Malwarebytes by logging in and letting it update automatically.
  2. Start your computer in Safe Mode.
  3. Run RKill.
  4. Run Malwarebytes.
  5. Enjoy a newly malware-free computer and no more of the find-quick-results redirect trojan.

You can also try manually removing the entries above.  I usually like to manually fix a system, because the more I know about how trojans and viruses work, the better I can get the problem taken care of quickly for the user.
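As an added example (not the author’s own steps), here is a PowerShell audit that checks the locations named in both posts: the browser open-command default values from the first post, and the HKCR\.fsharproj key and Java deployment cache from the second.  The browser executable names, the 7-day window, and the "command should launch the browser itself" heuristic are assumptions.

```powershell
# Added example, not from the original posts: audit the indicators the
# posts describe. Exe names, the 7-day window and the heuristic are assumptions.
$findings = @()

# 1. Per-browser open command (first post checked firefox.exe by hand).
#    A clean value launches the browser; anything else deserves a look.
foreach ($exe in 'firefox.exe', 'iexplore.exe', 'opera.exe') {
    $key = "Registry::HKEY_CLASSES_ROOT\Applications\$exe\shell\open\command"
    if (Test-Path $key) {
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        if ($cmd -notmatch [regex]::Escape($exe)) {
            $findings += "Unexpected open command for $exe : $cmd"
        }
    }
}

# 2. The HKCR key flagged as Trojan.BHO in the second post.
#    .fsharproj is also the Visual Studio F# project extension, so confirm
#    what created it before deleting on a developer machine.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\.fsharproj') {
    $findings += 'HKCR\.fsharproj is present (flagged as Trojan.BHO in the post)'
}

# 3. Java deployment cache (%APPDATA%\Sun\Java\deployment\cache\6.0):
#    list recently written entries so a dropped payload stands out.
$cache = Join-Path $env:APPDATA 'Sun\Java\deployment\cache\6.0'
if (Test-Path $cache) {
    Get-ChildItem -Path $cache -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object { $findings += "Recent Java cache entry: $($_.FullName) ($($_.LastWriteTime))" }
}

if ($findings.Count -eq 0) { 'No indicators from the posts were found.' } else { $findings }
```

Run it from an elevated prompt on the affected machine; it only reports, so anything it lists still has to be verified before removal.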
