Sneaky bastards...

Fumoh

Junior Member
Sep 8, 2006
9
0
0
So of course, it's Thanksgiving, I'm home for the day with family, and they tell me that their PC is acting "weird".

I'm looking for a little insight, because apparently I'm missing something. Here is what's happening:

No popups, nothing terribly annoying like rogue spyware or anything, however whenever you search for anything, you'll click the link that you're interested in and it will open a new browser window to some crapware.

Let's say I'm fed up and search for some security sites to get some nice anti-spyware or virus scan software. If I try and go to trendmicro.com or whatever, I get a 404 error. I can nslookup the addresses fine, however if I type in "ping trendmicro.com" or "ping safer-networking.org" it's just hitting my loopback address. I've checked my hosts file, and it's empty, so that's ruled out.

Is there anywhere else where name resolution occurs that I'm not aware of? Whatever it is it has to be local, because I can nslookup the domains fine.

I've also noticed that there's a process run by SYSTEM that's called iexplore.exe. I've searched the system for it but the only thing that comes up is the (supposedly) real IExplore.exe located under program files. Unfortunately, even when I kill this process, the same issue occurs.

I've checked the registry and msconfig startup stuff, and I see nothing suspicious. I've deactivated everything in there as well, but to no avail.

Spybot hasn't picked anything up, and when I ran hijack this I didn't see anything suspicious. I may post the log later when I can.

Regardless, I'll be taking the PC home for the weekend to work on it more. I'll post again when I have more info.

Any comments are appreciated. Thanks!
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Name resolution is done by winsock, you probably have a rogue provider in there. Additionally, from the symptoms, that machine is infected and it might be easier to format/reinstall. You can try resetting the winsock stack, but I suspect you might have a persistent infection...

 

law9933

Senior member
Sep 11, 2006
394
0
0
MalwareBytes & SuperAntispyware are often thought to be the best manual scanners, and they're free.
 

Fumoh

Junior Member
Sep 8, 2006
9
0
0
Awesome, thanks for the responses. I'm back home now, and I brought the PC with me. I'm going to fire it up and work on it some. I'll probably do what you suggested Bsobel, and just back up a few word docs and such then wipe the drive, but I'd like to check it out to satisfy my curiosity.

I'll check back in tomorrow with an update.

Thanks again.
 

Fumoh

Junior Member
Sep 8, 2006
9
0
0
I ran the utility that wipes winsock and resets it, however that didn't change much. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:39 AM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 4960 bytes


Nothing really weird from what I can see.

Here's what happens when I search: If I go to google, and search for anandtech, the first result URL comes up as the following:
http://go.google.com/?u=0089dc...&said=v2test6&mppc=234

Which launches a new window that redirects to an ad.

I'm going to work on it for a little bit longer... I'm going to ultimately wipe the drive but I still want to try and figure out where all this shit is hiding.
 

CuriousMike

Diamond Member
Feb 22, 2001
3,044
543
136
This is out of my league, but I spent some time over on the MalwareBytes forums, and some of the tools I saw recommended:
->hpHosts(-Setup-Win32.exe)
->SiteHound

If you can install both (either) of those, I wonder if the behaviour you're seeing would change.
i.e., perhaps one of the above will block the sites your rogue agent is trying to push you to.

I guess their router didn't follow you home (did it?) -- if so, RESET the router.
(And if it didn't, and you never find out what the machine has, be wary of your router.)
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Your TCP/IP settings (DNS) may be hijacked. What is your output for "ipconfig /all"?
 

Fardringle

Diamond Member
Oct 23, 2000
9,197
763
126
I'm looking at a computer right now that is infected with what appears to be the same virus reported in the original post. I'll add some more details if anyone is interested in helping to track down this ugly new virus.

Every search engine (Google, Yahoo, and even engines built into other sites like MSN and CNN) produces the invalid search results that Fumoh mentioned. Attempts to go directly to any legitimate malware or security help site (spybot.com, lavasoft.com, malwarebytes.com, etc.) by typing the address in the browser address bar are rerouted to LOCALHOST in every browser I have tried including IE 6, IE 7, Google Chrome, Opera, and Firefox. Non-security sites seem to work normally. DNS and IP information reported by IPCONFIG /ALL is correct (i.e. no invalid DNS server address). It seems as if this infection is redirecting name resolution attempts before they get to a browser. However, the hosts file is empty and resetting Winsock and the TCP/IP stack have no effect.

No currently installed security program except AntiVir will load. SuperAntiSpyware gets a Windows application error when I try to open it. MalwareBytes doesn't even try to open. Attempts to reinstall either of those, or to try to install any new malware removal tool, fail - they either get application errors or don't respond at all. This behavior is the same in normal and Safe mode.

AntiVir appears to run and update itself normally and it reports a single infection of a file C:\Windows\System32\Drivers\tdssmxoe.sys.

As an interesting side note, a web search for the file name on the infected machine produces several results leading to sites insisting that I install a variety of known fake security applications. Sneaky.

A web search on a non-infected machine seems to indicate that this file is associated with a rootkit called TDSServ. However, there are no other traces of the rootkit that I can find, and yet the infection persists even when the file tdssmxoe.sys is removed from the machine and the file re-appears after the system is rebooted. There is nothing unusual in the startup list in MSCONFIG or in the \RUN keys of the Registry.

I really should just wipe the computer clean and go with a new Windows installation, but I'm intrigued since this seems to be a particularly "intelligent" virus that is able to identify and block almost all attempts to clean it (by blocking malware software and web sites). I'm going to play around with it for a while and I'll post back if I find anything useful.


edit: After some more searching, I found two fake Windows services named HVZ and LAMZ pointing to executable files of the same name in the Local Settings\Temp folder of the user's profile. I deleted the services from the registry but I couldn't delete either of those two files from the disk even in the console/command prompt version of Safe Mode.

I was able to boot using an Ultimate Boot CD recovery disk and delete those offending files. I also ran complete system scans using every malware removal tool on the CD and none of them reported any infections of any kind. However, the system is still compromised so it looks like formatting time. Now I have to decide if I want to be nice to the user and risk infecting my network with the virus by hooking it up to back up their files to my storage server (I don't have a USB drive big enough right now), or if I want to just tell them that there's no way to save their 30+ GB of pictures and home movies that shouldn't be on a work computer in the first place...


edit again: It appears that the virus is somehow forcing Windows to ignore the TCP/IP settings of the computer and is redirecting all browser/DNS requests to the web site cdn1.eyewonder.com which is then returning valid results for sites it doesn't care about, and invalid results for security related sites and Google/Yahoo searches. I put that address in the restricted sites zone in Internet Explorer and all web browsing stopped (error 404 on every page).
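The diagnostic that both Fumoh's first post and Fardringle's post above rely on is the gap between two resolver paths: nslookup talks to the DNS server directly, while ping goes through the Winsock resolver (hosts file, then the name-space providers bsobel mentions). When the two disagree, the hosts file is clean, and ping lands on loopback, the hijack is local to the resolver chain. The script below is an added example, not code from the thread: it parses constructed Windows XP-style `nslookup` and `ping` output and a hosts file (all constructed here, with RFC 5737 documentation addresses) and reports which hosts show that signature. The function names and the sample text are assumptions of this example.

```python
"""Resolver-path triage for the symptom in this thread: nslookup answers
correctly, ping (which resolves via the Winsock provider chain) lands on
127.0.0.1, and the hosts file does not explain it.

Added example; all command output below is constructed to look like
Windows XP `nslookup` / `ping` output. Addresses are RFC 5737 values."""
import ipaddress
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: a clean hosts file, as reported in the thread.
HOSTS_TEXT = """# constructed sample hosts file
127.0.0.1       localhost
"""

# Constructed nslookup output: the first Address line is the DNS server,
# the one after "Name:" is the actual answer.
NSLOOKUP_OUT = {
    "trendmicro.com": """Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    trendmicro.com
Address:  203.0.113.10
""",
    "anandtech.com": """Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    anandtech.com
Address:  198.51.100.7
""",
}

# Constructed ping output: the bracketed address is what the Winsock
# resolver handed to ping, which is where the hijack shows up.
PING_OUT = {
    "trendmicro.com": "Pinging trendmicro.com [127.0.0.1] with 32 bytes of data:\n"
                      "\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\n",
    "anandtech.com": "Pinging anandtech.com [198.51.100.7] with 32 bytes of data:\n"
                     "\nRequest timed out.\n",
}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            entries[name.lower()] = parts[0]
    return entries


def parse_nslookup(text):
    """Collect answer addresses only: everything after the 'Name:' line."""
    addrs, seen_name = [], False
    for line in text.splitlines():
        if line.startswith("Name:"):
            seen_name = True
            continue
        if seen_name:
            addrs.extend(IPV4.findall(line))
    return addrs


def parse_ping(text):
    """Extract the resolved address from 'Pinging host [a.b.c.d] ...'."""
    m = re.search(r"Pinging \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    return m.group(1) if m else None


def classify(host, ping_addr, ns_addrs, hosts):
    """Explain why ping's address differs (or not) from the DNS answer."""
    host = host.lower()
    if ping_addr is None:
        return "unresolved"
    if hosts.get(host) == ping_addr:
        return "hosts-file-override"      # benign explanation exists
    if ping_addr in ns_addrs:
        return "consistent"               # both paths agree
    ip = ipaddress.ip_address(ping_addr)
    if ip.is_loopback or ip.is_unspecified:
        return "local-hijack-suspected"   # resolver chain, not DNS, answered
    return "mismatch"                     # differs, but not loopback: check DNS/hosts


def triage(hosts_text=HOSTS_TEXT, nslookup=NSLOOKUP_OUT, ping=PING_OUT):
    """Return {host: verdict} for every host that has both outputs."""
    hosts = parse_hosts(hosts_text)
    return {h: classify(h, parse_ping(ping[h]), parse_nslookup(nslookup[h]), hosts)
            for h in nslookup if h in ping}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host:20s} {verdict}")
```

On a real machine you would paste in the actual command output instead of the constructed strings; a "local-hijack-suspected" verdict for security vendors only, with "consistent" for everything else, is the pattern described in this thread, and it points at the Winsock provider chain or a filter driver rather than at the DNS server or the hosts file.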
 

Fumoh

Junior Member
Sep 8, 2006
9
0
0
Thanks for the replies everyone.

Saga: My first suspicion was DNS hijacking/poisoning, so I checked the settings on the adapter and they were what they should be. Just to make sure I did an ipconfig /flushdns, but that didn't fix it.

Fardringle: I ran a scan using Super Antispyware (God that is the worst name for a legit spyware package...) and it detected a similar trojan/rootkit. Super Antispyware deleted the executable, which is interesting because if it was currently running it wouldn't have been able to. I would have had to boot into safe mode or use a live CD to remove the executable. I scoured my registry and removed any references to it, and double-checked all my processes using Process Explorer to make sure there was nothing amiss. Still, the PC was doing the same exact thing.

double yew tee eff.

I had a spare 80 gig hard drive, which was an upgrade from the original, so I used that to replace the infected one. I'm gonna slap the infected drive into a PC of the same model that I have at home so I can play some more in my spare time. I'll post back again if I have any breakthroughs.

Thanks for everyone's help, you're all awesome!
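Fardringle's finding of two fake services (HVZ and LAMZ) whose executables lived in the user's Local Settings\Temp folder, and Fumoh's registry scouring above, suggest a quick audit that MSCONFIG and the \Run keys do not give you: walk the Services key and flag entries whose ImagePath points into a user-writable or temporary directory. The script below is an added example, not code from the thread; it parses the text produced by `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` (the sample here is constructed, including the user name "owner" and the LAMZ path, which the thread only names). The heuristics and function names are assumptions of this example.

```python
"""Audit Windows service ImagePaths from `reg query ... /s` output.

Added example. SAMPLE_REG_QUERY is constructed to resemble the output of
  reg query HKLM\SYSTEM\CurrentControlSet\Services /s
on Windows XP; service names come from the thread, paths are constructed."""
import re

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    "C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe"
    DisplayName    REG_SZ    McAfee McShield

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield\Parameters
    Foo    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HVZ
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\Documents and Settings\owner\Local Settings\Temp\HVZ.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LAMZ
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\Documents and Settings\owner\Local Settings\Temp\LAMZ.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \SystemRoot\system32\drivers\beep.sys
    DisplayName    REG_SZ    Beep
"""

# Only direct children of Services are services; deeper keys are parameters.
SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Directories a legitimate service binary has no business living in.
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\",
                "\\users\\", "\\recycler\\")


def parse_reg_query(text):
    """Return {service_name: {value_name: data}} for top-level service keys."""
    services, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_"):
            m = SERVICE_KEY.match(stripped)
            current = m.group(1) if m else None   # ignore sub-keys like \Parameters
            if current is not None:
                services[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, _reg_type, data = m.groups()
            services[current][name] = data.strip()
    return services


def audit_services(services):
    """Return [(name, image_path, [reasons])] for services worth a closer look."""
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath", "")
        reasons = []
        if any(d in image.lower() for d in SUSPECT_DIRS):
            reasons.append("binary in temp or user-profile directory")
        if "DisplayName" not in values:
            reasons.append("no DisplayName (weak signal on its own)")
        if reasons:
            findings.append((name, image, reasons))
    return findings


def suspicious_service_names(text=SAMPLE_REG_QUERY):
    """Convenience wrapper: names of flagged services, sorted."""
    return sorted(name for name, _, _ in audit_services(parse_reg_query(text)))


if __name__ == "__main__":
    for name, image, reasons in audit_services(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{name:12s} {image}\n{'':12s} -> {', '.join(reasons)}")
```

Path heuristics catch the HVZ/LAMZ style of persistence but not a driver dropped into system32\drivers like tdssmxoe.sys, which by location looks like any other kernel driver; that is why an offline scan from boot media with current signatures (Fardringle's eventual approach) still matters, and why an entry flagged here should be checked against the file on disk rather than deleted on sight.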
 

Fardringle

Diamond Member
Oct 23, 2000
9,197
763
126
This is a warm and fuzzy update, so I decided that it needed a new post instead of just an edit to my previous post...


I decided to keep playing around with this infected system, mostly just to satisfy my own morbid curiosity before wiping it clean. On a hunch, I updated my 9-month-old Ultimate Boot CD with the newest versions of the malware removal tools then booted to the new copy of the CD. The new versions of A-Squared and SuperAntiSpyware found and removed a combined 17 infected files and registry entries (including the source executable of the TDSServ rootkit). No other removal tools reported any infections. After cleaning the detected files, the computer is now happily puttering along in Windows again! All malware removal tools install and run normally and web searches return the results that they should. It's possible that the system is still infected but I'm going to run daily scans with a variety of tools for the next two days just to see what happens. This will also give me time to find out where my USB tools/backup drive wandered away to so I can back up the user's files if I decide to wipe out the system. It also gives me a chance to make the user "sweat" a little in hopes that they won't infect the computer again any time soon.
 