View Full Version : I might have a redirect virus



dragonash
08-30-2009, 01:05 AM
I honestly have no clue.

On my desktop box, I have Avira, SAS, win defender and the firewall all working together.

Lately I have been getting hit with server not found errors and tonight I seem to be getting slammed. I thought it might have been my modem since it seems to be taking longer than normal to power-cycle sometimes when I unplug it, but right now I am on my laptop and getting to myu while it says "server not found" on my other comp.

I did HijackThis and it found nothing when I loaded it to hijackthis.de

I have done scans with SAS and avira and nothing has been found. I am not getting redirected to a bunch of popup sites. WTF could be going on?

edit:
gaming and BT are not affected


New hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:57 AM, on 8/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Anthony\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClient Control) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE2EFC39-5F58-4CC9-BDC3-789E0C948FD8}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6922 bytes

Dr. Death
08-30-2009, 01:52 AM
What's with all the unknown owner crap? Is that something peculiar to Vista?

I don't see anything glaringly obvious there, but I'm no expert.

I've seen DNS servers get screwed up, either by attack or by misconfiguration, that makes certain sites "disappear" for a while.

dragonash
08-30-2009, 02:31 AM
Well, I WAS thinking it was a Time Warner issue. But it's not happening on my laptop or my fiance's laptop. My hosts file is clean too.

I have Avira scanning now and will follow it up with SAS. In a way, I want there to be a virus, just so I have a definitive answer. But I hope I don't lol

Bald_Yew
08-30-2009, 06:08 AM
Could try to verify it is/isn't DNS on the PC.

ipconfig /flushdns

Point it at OpenDNS
208.67.222.222
208.67.220.220

???
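
A way to run Bald_Yew's test from a script rather than by eye, as an added example that is not part of the thread: it sends the same raw DNS query to the router (the 192.168.1.1 from the O17 line) and to the two OpenDNS servers and compares the answers. A fixed transaction id and a 2-second timeout are assumptions made to keep the example short.

```python
import socket
import struct
# Resolvers named in the thread (router from the O17 line, OpenDNS); TXID is fixed only for brevity.
ROUTER_DNS = "192.168.1.1"
OPENDNS = ["208.67.222.222", "208.67.220.220"]
TXID = 0x1234

def build_query(name):
    """Build a minimal DNS A query (one question, recursion desired)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Return (rcode, sorted A IPs); rcode 3 is NXDOMAIN ('server not found')."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != TXID:
        raise ValueError("transaction id mismatch: not a reply to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAME and others are skipped
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, sorted(ips)

def query(server, name, timeout=2.0):
    """One UDP query to `server`; None means no reply before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_a_records(s.recvfrom(512)[0])
        except socket.timeout:
            return None

def compare_resolvers(name, servers=(ROUTER_DNS, *OPENDNS)):
    """Ask each resolver the same name; a router that times out or disagrees with OpenDNS points at DNS."""
    return {srv: query(srv, name) for srv in servers}
```

Only compare_resolvers() touches the network; a router entry of None (timeout) or rcode 3 while OpenDNS returns addresses is the DNS-side explanation for the intermittent "server not found".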

dragonash
08-30-2009, 09:24 AM
Both SAS and Avira came back clean.

Bald - true, that is a good test. Right now I have it set to my router since it has all that info. But it's weird. Now I am not having problems. It's like it happens at night or something. I will try it when it acts up again.

shifty
08-30-2009, 08:39 PM
netstat -a

Do you see port 25 connections happening massively?

Install Malwarebytes. Update. Reboot in SAFE MODE, run full scan.
Download Combofix. Run in full.
Still happening?
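
The port-25 check shifty suggests, turned into something repeatable, as an added example that is not part of the thread: it parses `netstat -an` output and counts distinct remote hosts per port, so a spam-zombie fan-out to many mail servers stands out from a mail client talking to one. The sample output and the threshold of three peers are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout `netstat -an` prints on Windows; addresses are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49160     198.51.100.7:25        SYN_SENT
  TCP    192.168.1.10:49161     198.51.100.8:25        SYN_SENT
  TCP    192.168.1.10:49162     203.0.113.21:25        ESTABLISHED
  TCP    192.168.1.10:49163     203.0.113.21:25        ESTABLISHED
  TCP    192.168.1.10:49170     203.0.113.40:443       ESTABLISHED
  TCP    192.168.1.10:49171     208.67.222.222:53      TIME_WAIT
  UDP    0.0.0.0:5353           *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def parse_netstat(text):
    """Turn netstat -an output into dicts; banner and header lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                         "raddr": raddr, "rport": rport, "state": state})
    return rows

def peers_by_remote_port(rows):
    """Count distinct remote hosts per remote TCP port (listeners and wildcards skipped)."""
    peers = Counter()
    seen = set()
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING" or r["rport"] == "*":
            continue
        if (r["rport"], r["raddr"]) not in seen:
            seen.add((r["rport"], r["raddr"]))
            peers[int(r["rport"])] += 1
    return peers

def smtp_fanout(rows, threshold=3):
    """Return (distinct port-25 peers, alert). Many outbound SMTP peers from a
    desktop is the spam-zombie pattern; a mail client talks to one or two."""
    n = peers_by_remote_port(rows)[25]
    return n, n >= threshold
```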

dragonash
08-30-2009, 09:29 PM
Nope, no port 25 spam.

I had my DNS set to my router's IP, 192.168.1.1, so I took Bald's advice and set the DNS to my ISP's instead of the router (even though the router SHOULD do the work correctly). Right now, everything seems fine. That might be the fix, but it's a wait and see thing.

shifty
08-30-2009, 09:33 PM
I would still scan. Got hit with a nasty rootkit a couple weeks ago that was doing something similar. Only difference was it also had a port 25 spam zombie component.

Here's the thing - if you're getting a 404 on a website, then not, then 404 again, you've got something else going on. Your computer and/or router will cache lookups, so you should never see such behavior.

dragonash
08-30-2009, 09:49 PM
Will do then.

I will give an update when it's complete.

shifty
08-30-2009, 11:38 PM
What's with all the unknown owner crap? Is that something peculiar to Vista?

moreover, what's up with the services section?

I don't see anything bad either, but the rootkit I got, I was running Antivir in aggressive mode, I clicked on a link to a site (torrentreactor), and got infected via PDF exploit almost immediately. Didn't even have time to close the browser (less than 1 second to infected state).

the worst part about the rootkit was, it had several components and the files and the registry entries were HIDDEN from the Windows API, so the only way to see them was to kill the Windows shell and specifically run commands outside the shell.

VERY screwed up!!

Ninjahedge
08-31-2009, 09:21 AM
got infected via PDF exploit almost immediately.

So all this is Apple's fault?

;)

shifty
08-31-2009, 12:10 PM
Adobe, you mean?

Ninjahedge
08-31-2009, 01:42 PM
I thought they were pretty much joined at the hip, at least when it came to desktop publishing/etc......

(PS)

dragonash
08-31-2009, 04:37 PM
Shifty - Malwarebytes came back with nothing.
I was reading into ComboFix. Is it needed if Malwarebytes didn't find anything? It seems like a very last resort thing.

edit:
Also, I had HijackThis clean up the "missing" items in the services, so it should look neater.

shifty
08-31-2009, 04:57 PM
It is a good last-minute thing. I would skip combofix.

I would look at your Antivir logfile, though - the logfile it prompts you to look at after your scan is complete - and check the section labelled "hidden objects search" to see if anything is being hidden from the Windows API.

dragonash
08-31-2009, 10:48 PM
The only thing about hidden I found said:

Starting search for hidden objects.
The driver could not be initialized.

shifty
08-31-2009, 11:20 PM
That doesn't sound good at all. It should say something like this:

Starting search for hidden objects.
'39510' objects were checked, '0' hidden objects were found.


Sounds like there is a problem with your system, at least. I wonder if Administrator rights are required to run it in Vista? I never had this problem with Win7.

dragonash
09-01-2009, 06:36 AM
I have noticed a few people having similar problems in Windows Vista in regards to running Avira.

Maybe that's one of them. I remember that same exact thing when I initially loaded Vista and ran Avira for the first time. That was directly after a fresh install, so who knows. I will look into it at work.

behold:
http://forum.avira.com/wbb/index.php?page=Thread&postID=783810

But I don't think I ever downloaded the stand-alone rootkit cleaner. I guess I will have to just uninstall and reinstall.

Then I read this link:
http://forum.avira.com/wbb/index.php?page=Thread&postID=775342&highlight=Starting+search+for+hidden+objects.+The+driver+could+not+be+initialized#post775342

Considering how nasty rootkits are...that sounds like a load of sh!t just spouted by that moderator

http://forum.avira.com/wbb/index.php?page=Thread&postID=680891&highlight=Starting+search+for+hidden+objects.+The+driver+could+not+be+initialized#post680891

At least this answer seemed to finally have a specific solution. So I just disabled Defender and am running the scan now. Should take about an hour or so.

update:
Drivers still failed to load. Seems to be a common problem with Avira.

update 2:
http://en.wikipedia.org/wiki/Kernel_Patch_Protection

I guess it's true. As of now, getting a rootkit on a 64-bit OS isn't really a threat.

shifty
09-01-2009, 11:37 AM
Nice.

Dr. Death
09-01-2009, 01:45 PM
So Microsoft has locked out the A/V makers but not the hackers:


Also, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.

and


It should be noted that Kernel Patch Protection only defends against device drivers modifying the kernel. It does not offer any protection against one device driver patching another.

from your wikipedia link.

Dr. Death
09-01-2009, 02:55 PM
When I do Avira's rootkit scan I get this:


HKEY_USERS\S-1-5-21-484763869-1715567821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43FF0B8C-85A3-6CE4-738E-6BE55C361994}\iabpahdhinlhhibadp
[INFO] The registry entry is invisible.

There are 10 of them, all differing by just the very last alpha string.

Is this something to worry about, or is it from MS, such as the WPA protection stuff?

Avira's forum talks about hidden entries but there are no clear cut solutions other than "it's probably OK...leave them alone."

shifty
09-01-2009, 05:08 PM
That is something to worry about. You've got a rootkit (or the remnants of one), very similar to the one I got, and the indicator is the random string with the location/purpose of the registry key it's hiding from the Windows API. I'm telling you, the goddamn thing took me 8 hours to isolate. Between GMER, ComboFix, MWB and Antivir (in that order), I managed to kill it (in that order).

Avira has an "interactive mode" apparently that lets you do more with that.

sorry to be the bearer of bad news.
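
A triage script for the Avira "hidden objects" section discussed here and earlier in the thread, as an added example that is not part of the thread: it refuses to treat the scan as clean when the driver failed to initialise (dragonash's case), pulls out every entry reported invisible, and flags leaf names under Shell Extensions\Approved that are not GUIDs, which is the random-string indicator shifty describes. The sample report is constructed: the first key path is the one Dr. Death posted, the other two leaf names and the counts are invented.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Avira rootkit-scan report quoted in the
# thread; first key path is Dr. Death's, the other leaf names and counts are invented.
SAMPLE_REPORT = r"""
Starting search for hidden objects.
HKEY_USERS\S-1-5-21-484763869-1715567821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43FF0B8C-85A3-6CE4-738E-6BE55C361994}\iabpahdhinlhhibadp
  [INFO]      The registry entry is invisible.
HKEY_USERS\S-1-5-21-484763869-1715567821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43FF0B8C-85A3-6CE4-738E-6BE55C361994}\kfobdpcmalnhpeebo
  [INFO]      The registry entry is invisible.
HKEY_USERS\S-1-5-21-484763869-1715567821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43FF0B8C-85A3-6CE4-738E-6BE55C361994}\pmlhbacdgfonhilpa
  [INFO]      The registry entry is invisible.
'39510' objects were checked, '3' hidden objects were found.
"""

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
SUMMARY_RE = re.compile(r"'(\d+)' objects were checked, '(\d+)' hidden objects were found")

def scan_status(report):
    """(checked, hidden) from the summary line, or None when the rootkit driver
    failed to initialise: in that case 'nothing found' must not be trusted."""
    if "driver could not be initialized" in report:
        return None
    m = SUMMARY_RE.search(report)
    return (int(m.group(1)), int(m.group(2))) if m else None

def invisible_entries(report):
    """Registry paths the report marks invisible (hidden from the Windows API)."""
    lines = report.splitlines()
    return [lines[i].strip() for i in range(len(lines) - 1)
            if lines[i].startswith("HKEY_") and "registry entry is invisible" in lines[i + 1]]

def triage(paths):
    """Group hidden entries under Shell Extensions\\Approved by parent key and
    flag leaf names that are not GUIDs (True = suspicious random string)."""
    groups = defaultdict(list)
    for p in paths:
        parent, _, leaf = p.rpartition("\\")
        if "\\shell extensions\\approved\\" not in parent.lower() + "\\":
            continue
        groups[parent].append((leaf, not GUID_RE.match(leaf)))
    return dict(groups)
```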

dragonash
09-01-2009, 08:21 PM
Seems like I'm clean though. Maybe it was/is a problem with my router because ever since I made the DNS in network settings my ISP's and not my router's, everything has worked!

Dr. Death
09-02-2009, 02:32 PM
ComboFix found some stuff:



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\14B.tmp
f:\recycler\NPROTECT
f:\windows\Downloaded Program Files\x64
f:\windows\Downloaded Program Files\x64\racodec.ax
f:\windows\Downloaded Program Files\x86
f:\windows\Downloaded Program Files\x86\racodec.ax
f:\windows\patch.exe
f:\windows\system32\_000008_.tmp.dll
f:\windows\system32\_000009_.tmp.dll
f:\windows\system32\_000010_.tmp.dll
f:\windows\system32\Cache
f:\windows\system32\drivers\hwdrv.sys
f:\windows\TEMP\logishrd\LVPrcInj01.dll
f:\windows\winhelp.ini


The highlighted one is a baddie I know.

After scanning with GMER and ComboFix (didn't use MWB) I did a complete scan once again with AntiVir and it came up clean (none of those hidden registry entries.) I'm doing another scan now with just the rootkit detection profile where I got the list before, just to be sure. I'm also doing SAS and will do GMER and ComboFix again.

shifty
09-02-2009, 02:48 PM
The following would cause me concern:

F:\14B.tmp
f:\windows\patch.exe
f:\windows\system32\_000008_.tmp.dll
f:\windows\system32\_000009_.tmp.dll
f:\windows\system32\_000010_.tmp.dll
f:\windows\system32\drivers\hwdrv.sys

Of course, that last one (you put in bold) is nasteeee and part of a rootkit.

I'm sure you've probably had it for a while and didn't know it. And who knows what kind of spying that person is doing on you right now .... Scary thought, eh?

Dr. Death
09-02-2009, 03:04 PM
Yeah I would have liked to see the creation date on that file before it was deleted.

shifty
09-02-2009, 04:04 PM
In the CF logfile, it will tell you all files that were created within the last XX days. I would flip through it to see what it says.

Dr. Death
09-02-2009, 04:45 PM
It's 30 days and none of those files are in there.

shifty
09-02-2009, 06:14 PM
Yeah, tough to say. Although, I can tell you that one of those nasties was identified in the wild in April of this year, so you may've been running around with it for as long as 5-6 months.

shifty
09-02-2009, 06:15 PM
Oh, and you can find out the date.

Look in C:\qoobox or c:\temp\qoobox (I forget). All of the deletions by CF (I think) are placed in a quarantine folder at that place.

dragonash
09-05-2009, 05:59 PM
This is making me wanna do ComboFix anyway, just in case lol