Thursday, June 11, 2009

Search Engine Redirects? It could be a patched ws2_32.dll file...



I was helping someone yesterday (online support via forums) who was complaining about search engine redirects. The redirections went mainly to mybig-portal.com, virus-detect-soft.com, edmonds.com, us.peeplo.com, directkitchenremodeling.com...

There are already many different infections responsible for search engine redirections; I see several different ones every day, so after a while it gets easier to know where to look.
The information mainly comes from logs (registry loading points, rootkit scans, etc.).

This one, however, was different: I just couldn't find the culprit. It was the same scenario as with the first Daonol/JsRedirect/Gumblar variant I discussed here last year (October 2008).
People who know me also know that I will search until I find it, and I finally found the culprit: a patched ws2_32.dll file.
ws2_32.dll is a legitimate Microsoft Windows file that implements the Windows Sockets (Winsock 2) API, which most Internet and network applications use to handle network connections. That makes it an attractive target: code patched into it is loaded by every process that touches the network and needs no startup entry of its own, which is why the usual registry loading-point logs showed nothing.
In this case it had been patched by malware, and the copies in the dllcache and ServicePackFiles\i386 folders (the local sources Windows File Protection restores from) were patched as well, so a clean copy has to come from elsewhere, such as the install media. Reference thread here.
At the time no scanner detected it. Sophos Anti-Virus now detects this one as Troj/WShack-B.

So if you encounter the same symptoms and just can't find the culprit of a search engine hijack after trying everything else, it may be a patched ws2_32.dll file. Don't delete the file if it is indeed patched/infected (without it nothing on the machine can use the network); replace it with a clean copy.
If unsure or in doubt, post your issue in the forums.
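As an added example (not part of the original post, and not the tool used in the case above), here is a small Python check for two things a practitioner would want to verify on a suspect ws2_32.dll: whether any code section of the DLL is marked writable (a stock Microsoft DLL keeps .text read-only, so a writable code section is the on-disk counterpart of the "section is writeable" line anti-rootkit scanners print, and matches what one commenter below observed), and whether each of the three copies (system32, dllcache, ServicePackFiles\i386) differs from a known-good reference taken from the install media. The PE images used as sample input are constructed inline and are not real ws2_32.dll files; `check_file` is a hypothetical helper for running the same checks against real paths.

```python
import hashlib
import struct

# IMAGE_SECTION_HEADER.Characteristics flags (from winnt.h)
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def build_sample_pe(sections):
    """Constructed sample input: a headers-only PE32 image with the given
    (name, characteristics) sections. It is NOT a real ws2_32.dll."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> "PE\0\0"
    opt_size = 224                                          # PE32 optional header; contents unused here
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x2102)
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


def section_headers(data):
    """Return [(name, characteristics)] parsed from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                               # 4 (signature) + 20 (COFF header)
    out = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        out.append((fields[0].rstrip(b"\0").decode("ascii", "replace"), fields[-1]))
    return out


def writable_code_sections(data):
    """Names of sections that are code/executable AND writable. In a stock
    Microsoft DLL .text is read-only, so any hit here deserves a closer look."""
    return [name for name, chars in section_headers(data)
            if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
            and chars & IMAGE_SCN_MEM_WRITE]


def differing_copies(reference, copies):
    """SHA-256 each copy (e.g. system32, dllcache, ServicePackFiles\\i386) against a
    known-good reference from install media; return the names that differ. Comparing
    the on-disk copies with each other is not enough: in the case described above
    all three were patched and would have matched each other."""
    ref = hashlib.sha256(reference).hexdigest()
    return sorted(n for n, d in copies.items() if hashlib.sha256(d).hexdigest() != ref)


def check_file(path, reference_path=None):
    """Hypothetical helper for real files: (writable code sections, differs from reference)."""
    with open(path, "rb") as f:
        data = f.read()
    differs = None
    if reference_path:
        with open(reference_path, "rb") as f:
            differs = differing_copies(f.read(), {"file": data}) == ["file"]
    return writable_code_sections(data), differs


# Constructed samples: a clean layout and one whose .text section has been made writable.
CLEAN = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
PATCHED = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print("clean  :", writable_code_sections(CLEAN))     # []
    print("patched:", writable_code_sections(PATCHED))   # ['.text']
    print("differ :", differing_copies(CLEAN, {"system32": PATCHED, "dllcache": PATCHED,
                                                "ServicePackFiles": CLEAN}))  # ['dllcache', 'system32']
```

Against a real machine, run `check_file(path, reference_path)` for C:\WINDOWS\system32\ws2_32.dll and its dllcache and ServicePackFiles\i386 copies, with the reference being the copy expanded from the install CD's i386\WS2_32.DL_ (for example `expand D:\i386\WS2_32.DL_ C:\clean\ws2_32.dll`). A non-empty first result or a `True` second result means that copy needs replacing with the clean one, not deleting.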

Comments (6)

I'm the guy with that issue she just fixed. I am truly amazed with the patience and persistence this incredible woman showed to get to the bottom of this. As we tried one failed solution possibility after another, I kept expecting the next post to say "sorry, I can't help you, the problem must be between the keyboard and the chair", but she kept on and on until she finally ferreted it out. I could not be more impressed!

Good luck with your new job - they're fortunate to have you. I hope I can be that useful to someone someday!

With high regards

Vespid
Minnesota, USA
Hah, good to hear that I was not the only person driven insane by this!
I spent 3 days running HJT logs/ComboFix/FixWareout/SmitFraudFix... and just plain old going line by line through registry entries looking for something odd, and then BitDefender found ws2_32.dll... and then the cached copy and service pack file, as they were patched... was going to go home tonight and do a command line copy/paste from a clean copy on disc.
NoName_341 · 822 weeks ago

C:\WINDOWS\system32\WS2_32.dll section is writeable.... nice, nice
Jerry Schott · 820 weeks ago

Yep.. one solution is to replace ws2_32.dll with an uninfected copy. Google is now back to its fast search speed and hopefully I will not experience random redirects. My question.. where did this booger originate?
Thanks,
Jerry
jschott2@satx.rr.com
Hello, I really appreciate the work you have been doing!

However, I've been having the same problem, and I was just wondering if you had found any more variants and if you could update us with your information. I know you're busy, but if you had the time I'm sure we would all appreciate it.

Thank you!
1 reply · active 801 weeks ago
What do you mean by more variants? The one I explained above is the one that patches the legit ws2_32.dll file. There are still many other variants that cause search engine redirects, which I also explained in older posts on this blog. Most scanners detect and delete those though, so that's why I only post the variants that are a bit more advanced to find in logs. In case you're dealing with a search engine hijacker and you can't find the culprit (if no scanners detect it), then I suggest you post your issue on one of the forums mentioned on the right here :)
