Quick Fix: have a program named procmon.exe running (copy of notepad.exe) to disable malware temporarily. This should let you run searches & download fixes. This is only temporary while you clean the system. Read this post for more details and please let me know in comments if this does or does not work for you.
The system did indeed have a corrupted atapi.sys file as noted in the comments, though I did not end up using ComboFix to clean it – I was able to replace the file with the identically-sized but binary-different one from the most recent service pack (C:\Windows\ServicePackFiles\i386\atapi.sys) and have not seen the same problem recurring.
In addition, if you need to prevent it from redirecting while you download fixes, you may be able to simply copy notepad.exe (or another common executable) to the name procmon.exe and run that. Last night while I still had the infection active it did not seem to redirect while procmon was running under that name, possibly as a measure to avoid detection.
At this point (several days after initial infection, more than a week after initial reports in the wild) I suspect that many of the tools linked below are updated with definitions that cover this malware so you can probably get by with simply running updated versions of those.
I’m tracking an issue where a theoretically-clean PC is still being redirected from search results. I’ll be updating this post as I find more information.
I’m working on a PC that was infested with a variety of malware – I suspect a PDF exploit since it had an old version of Acrobat Reader and I cleaned at least one such exploit off, but there were a variety of things on there.
At this point the PC in question appears to be clear, however it still redirects search results from Google (and possibly others) to a failing domain r3953724.cn. It appears that this may be a redirection through other sites – it looks like there’s a jump from Google to another site (e.g. ecila.ceic.com, buffaloaviation.com, fashionvalleycoupons.com) to r3953724.cn. As I was writing this and testing it started directing not to the failing site but to other advertisments.
An interesting note is that if Procmon.exe (from Sysinternals/Microsoft Technet) is running (or another program named to that) the redirection does not happen. Presumably this is an attempt to avoid detection. Similarly, if procmon.exe is renamed, redirection does happen.
This is not caused by an add-on in Internet Explorer – running with add-ons disabled still has the problem, and I’ve seen other reports that I believe indicated that Firefox was also affected, so this is presumably at the DNS or TCP/IP level.
No great luck in cleaning this out – it’s inconsistent in its behavior, but it does affect both IE and Firefox. I can see the DNS queries in Wireshark, but it’s not clear what’s triggering them. My suspicion is that something at the TCP/IP level is filtering the search engine results and replacing the expected redirection response with its own redirection response.
Unfortunately, I’ve more than run out of time to investigate it tonight, and taking the PC with me is not an option so I’ll have to return tomorrow.
[contact-form 2 “Was This Useful”]