(Fix) r3953724.cn Malware/Adware Redirections

Quick Fix: run a program named procmon.exe (a renamed copy of notepad.exe works) to disable the malware's redirection temporarily. This should let you run searches and download fixes. It is only a stopgap while you clean the system. Read the rest of this post for details, and please let me know in the comments whether it works for you.

Update/Fix:

The system did indeed have a corrupted atapi.sys file as noted in the comments, though I did not end up using ComboFix to clean it – I was able to replace the file with the identically-sized but binary-different one from the most recent service pack (C:\Windows\ServicePackFiles\i386\atapi.sys) and have not seen the same problem recurring.
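As an added check (not from the original post), the PowerShell below compares the live atapi.sys against the Service Pack copy by size and SHA-256 hash and queries its Authenticode signature, so the "same size, different bytes" pattern described above shows up without having to replace anything first. It assumes the two paths used in the post and a PowerShell with Get-FileHash (4.0 or later), which is an assumption about the machine, not something the post states.

```powershell
# Added example, not code from the original post.
# Compares the in-use atapi.sys with the Service Pack reference copy and
# reports size, hash and Authenticode status. Run from an elevated prompt.
$live   = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
$backup = Join-Path $env:SystemRoot 'ServicePackFiles\i386\atapi.sys'   # path from the post

function Compare-DriverFile {
    param([string]$LivePath, [string]$ReferencePath)
    foreach ($p in @($LivePath, $ReferencePath)) {
        if (-not (Test-Path $p)) { throw "Missing file: $p" }
    }
    $l  = Get-Item $LivePath
    $r  = Get-Item $ReferencePath
    $lh = (Get-FileHash -Algorithm SHA256 $LivePath).Hash
    $rh = (Get-FileHash -Algorithm SHA256 $ReferencePath).Hash
    # Catalog-signed drivers on older PowerShell/OS versions can report
    # NotSigned here, so treat the hash comparison as the primary signal.
    $sig = Get-AuthenticodeSignature $LivePath
    [pscustomobject]@{
        LiveSize        = $l.Length
        ReferenceSize   = $r.Length
        SameSize        = ($l.Length -eq $r.Length)
        SameHash        = ($lh -eq $rh)
        LiveSHA256      = $lh
        ReferenceSHA256 = $rh
        SignatureStatus = $sig.Status          # 'Valid' for an untouched Microsoft driver
        Signer          = $sig.SignerCertificate.Subject
    }
}

$result = Compare-DriverFile -LivePath $live -ReferencePath $backup
$result | Format-List

if ($result.SameSize -and -not $result.SameHash) {
    Write-Warning 'atapi.sys matches the reference copy in size but not in content: the pattern described in this post.'
}
if ($result.SignatureStatus -ne 'Valid') {
    Write-Warning "atapi.sys signature status is $($result.SignatureStatus); a patched driver will normally fail verification."
}
```

Run the same comparison after replacing the file to confirm the live driver now hashes identically to the reference copy.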

In addition, if you need to prevent it from redirecting while you download fixes, you may be able to simply copy notepad.exe (or another common executable) to the name procmon.exe and run that. Last night while I still had the infection active it did not seem to redirect while procmon was running under that name, possibly as a measure to avoid detection.

At this point (several days after initial infection, more than a week after initial reports in the wild) I suspect that many of the tools linked below are updated with definitions that cover this malware so you can probably get by with simply running updated versions of those.

Original:

I’m tracking an issue where a theoretically-clean PC is still being redirected from search results. I’ll be updating this post as I find more information.

I’m working on a PC that was infested with a variety of malware – I suspect a PDF exploit since it had an old version of Acrobat Reader and I cleaned at least one such exploit off, but there were a variety of things on there.

At this point the PC in question appears to be clean, but it still redirects search results from Google (and possibly other engines) to a failing domain, r3953724.cn. The redirection appears to pass through other sites: there is a jump from Google to an intermediate site (e.g. ecila.ceic.com, buffaloaviation.com, fashionvalleycoupons.com) and from there to r3953724.cn. While I was writing this and testing, it started redirecting not to the failing site but to other advertisements.

The cleaning tools I’ve used on it so far are AVG 9.0, Avira’s Rescue CD, MalwareBytes Anti-Malware, SuperAntiSpyware, GMER, and the Sysinternals tools.

An interesting note is that if Procmon.exe (from Sysinternals/Microsoft Technet) is running, or any other program renamed to procmon.exe, the redirection does not happen. Presumably this is an attempt to avoid detection. Conversely, if the real procmon.exe is renamed to something else and run, the redirection does happen.

This is not caused by an add-on in Internet Explorer – running with add-ons disabled still has the problem, and I’ve seen other reports that I believe indicated that Firefox was also affected, so this is presumably at the DNS or TCP/IP level.

Update:

No great luck in cleaning this out – it’s inconsistent in its behavior, but it does affect both IE and Firefox. I can see the DNS queries in Wireshark, but it’s not clear what’s triggering them. My suspicion is that something at the TCP/IP level is filtering the search engine results and replacing the expected redirection response with its own redirection response.

Unfortunately, I’ve more than run out of time to investigate it tonight, and taking the PC with me is not an option so I’ll have to return tomorrow.


6 comments to (Fix) r3953724.cn Malware/Adware Redirections

  • Rod I

    I have the same issue. For now, I have the local loopback in host file pointed to r3953724.cn to avoid the google redirect.
    Malware, CA AV, CA PP not detecting anything. IE Addons disabled as well.

    • I’ve left it with Kaspersky’s boot CD scanning to see if it’ll pick anything up. It doesn’t seem to be actively going out, but when you use the browser it does redirect.
      I’ve left a note for the users in the office to not use it, because not all of the redirects are failing – some are going to a variety of hacked sites, which then redirect to advertising or malware (one of those redirects to a malware site was caught by AVG).

  • Propeller Head

    It’s a rootkit in atapi.sys. I successfully cleaned my infection last night. Use the newest version of ComboFix – it detects and cleans it. Make sure you allow it to install the recovery console if it’s not already resident. Good luck!

  • Grateful_Reader

    Thanks a million, Propeller Head — that did the trick! How the heck did you figure this out?

    Mad props, my friend. =)

  • Agreed, kudos to Propeller Head – I had seen atapi.sys show up on something in a scan – HijackThis perhaps – but hadn’t paid any attention to it because it was in the right place, with the right name, and I was working with CD-based files since I couldn’t download directly.

  • Propeller Head

    You’re very welcome guys – glad I could help! 8^)