A clever little malware...

I'm having difficulty with one of my client's machines. It seems to have been infected with some extremely vicious malware.

The malware itself is quite subtle. I seek to disable enough of the malware's functions so that my cleanup tools will work.

I don't even have a virus name to reference this by at the moment. Here's what it does:

1. It pops up web browser windows in whatever web browser happens to be open. This includes firefox portable, interestingly enough.

2. It hides the BHOs from HiJackThis. For this reason, I don't have a virus name, as I am unable to look up the .dlls responsible. Hell, if I could get a name for this malware, I could probably kill it.

3. It prevents any internet traffic to certain sites, including *.symantec.com. I didn't browse long, but one of the customer complaints is that "some web sites don't work," so there is probably a list of sites this malware is blacklisting.

4. It makes safe mode crash during boot so safe mode is currently unusable.

Tools at my disposal:

1. Symantec Antivirus Corporate and NOD32, installed on separate clean computers. I tried a Symantec scan and it came up with a few files put in there by malware (tdssl.dll specifically), and those were cleaned, but it apparently did not nuke the BHOs' .dll file, as HiJackThis is still crippled.

2. HiJackThis with enough knowledge to use it, provided the BHOs are accessible.

3. As mentioned above, I have access to two clean computers, both of which have autorun turned off and up-to-date scanners.

4. A flash drive with a write-protect switch.

5. Internet access through a heavily corporate firewall. Additional malware is unlikely to be downloaded when the machine is online.

6. Boot CDs including UBCD4Win and Parted Magic and Ubuntu.

Of course, I could always just nuke the thing, and I probably will anyway to be safe, but this is the first time I've come across something quite this interesting. I've never seen malware hide the BHOs from HiJackThis before. This is not your typical AntiVirus2008/2009/VistaAntivirus infestation.


I would also use this tool. It may have blocked your Ctrl-Alt-Del Task Manager, but it probably didn't block this one:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Process Explorer...

Also, I would boot with Ubuntu, mount the drive and check the local locations: the temp folders and the user's Start Menu Startup folder. Manually remove the IE temp cache as well. Also check the user's Desktop to see if it has seeded itself as a Desktop web page. Also try running Stinger.exe (not from Ubuntu): http://vil.nai.com/VIL/stinger/

That would be a good step; however, this particular malware does not look like your usual Vundo variant that SmitFraudFix was designed to tackle. Vundo and its variants all seem to have some sort of fake AV, tune-up or registry cleaner UI that pops up and demands money. I don't see any of that with this particular malware, hence my describing it as "subtle."

Another issue is that when I do run SmitFraudFix, I like to do so from Safe Mode, which is currently inaccessible.

EDIT: I forgot to mention that I already cleared out the usual hiding places: the temp folders. I also looked for suspicious-looking folders or files in the Program Files folder. Nada.

Command line possible: sfc /scannow

Also check the hosts file. It could be as simple as a redirect for all web traffic to their site.

You can use Ubuntu for that one; it opens just like a .txt file.

That hosts file could be the one blocking those websites.

Also try Spybot Search and Destroy.

http://www.safer-networking.org/index2.html

Also, a quick edit of the hosts file (if you know the site it is taking them to) could block that site and give you the chance to minimize damage to (or redownload) the software.

Edited by redvamp128
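The hosts-file check suggested above, written out as an added example (not code from the thread or from any of the tools mentioned in it). It parses a Windows hosts file and reports every mapping that sinkholes a site to loopback/0.0.0.0 or redirects it to some other address, which is exactly how "*.symantec.com doesn't work" is usually implemented. The sample content, the vendor keyword list and the default mount path are constructed assumptions; point it at `<mount>/Windows/System32/drivers/etc/hosts` on the drive mounted from Ubuntu.

```python
"""Check a Windows hosts file for entries that block or redirect web sites.

Added example, not code from the thread. The sample content below is
constructed; on a drive mounted from Ubuntu the real file is at
<mount>/Windows/System32/drivers/etc/hosts (assumption: default install).
"""
import ipaddress
import sys

# Constructed sample: the stock localhost lines plus the kind of entries
# that sinkhole AV vendors and redirect a search engine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         www.eset.com
203.0.113.45    www.google.com
"""

# Names that legitimately point at loopback in a stock hosts file.
STOCK_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Substrings of security vendor / update domains. Illustrative list (assumption).
VENDOR_KEYWORDS = ("symantec", "norton", "eset", "nod32", "kaspersky", "mcafee",
                   "avg", "avast", "malwarebytes", "safer-networking",
                   "windowsupdate", "microsoft")


def parse_hosts(text):
    """Return [(ip_address, hostname, line_no)] for every mapping in the file.

    Comments, blank lines and lines whose first token is not an IP are skipped,
    so a commented-out line does not count as a live mapping.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower(), line_no))
    return entries


def classify(addr, name):
    """Return None for a benign mapping, otherwise a short reason string."""
    sinkholed = addr.is_loopback or addr.is_unspecified
    if sinkholed and name in STOCK_LOOPBACK_NAMES:
        return None
    if sinkholed:
        # The site resolves to nowhere: this is what makes *.symantec.com "not work".
        if any(k in name for k in VENDOR_KEYWORDS):
            return "security vendor sinkholed"
        return "sinkholed"
    # Anything else sends the browser to a host the attacker chose.
    return "redirected to " + str(addr)


def suspicious_entries(text):
    """Return [(line_no, hostname, ip, reason)] for every mapping worth a look."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        reason = classify(addr, name)
        if reason is not None:
            findings.append((line_no, name, str(addr), reason))
    return findings


def main(argv):
    # Usage: python hosts_check.py [/path/to/hosts]; with no path it scans the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = suspicious_entries(text)
    for line_no, name, ip, reason in findings:
        print(f"line {line_no}: {name} -> {ip} ({reason})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Only the first token of each line is tested as an address, so trailing comments and odd whitespace do not hide an entry, and a public IP is always reported: a hosts file has no legitimate reason to point a third-party site at a routable address.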

I've been cleaning out machines for 3 years, and in that time Malwarebytes' Anti-Malware is by far the best software I have used. Disable all startup programs using MSCONFIG, install and run MBAM, and remove threats. Boot to safe mode (if possible), update and run MBAM again (as a full scan, not partial), and remove any threats found. You are officially clean. Run an AVG Free scan to ensure safety. PM me with questions/results! Good luck!

Oh, thanks for replying; I had forgotten I had made this thread. The computer in question has been reformatted and reinstalled already, but that was after I did defeat the virus. It turns out that, according to NOD32, the malware was a Virtumonde (Vundo) variant. However, I did find out that I could browse to the BHOs manually in the registry using regedit and then look up their corresponding CLSIDs via a simple search. This allowed me to track down the actual DLL file that was loading as a BHO and preventing HiJackThis from being able to see the BHOs.

NOD32 also was able to detect all the copies of the malware that squirreled themselves away inside the Windows folder. The system looked clean, however there was some funny page rendering problems left in IE which prompted me to wipe and reload the system.

Thanks for the hints everyone.
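The registry walk described in the post above (BHO subkey, then CLSID, then the DLL) as an added example; this is not code from the thread or from HiJackThis. Every subkey of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects is a CLSID, and the default value of HKCR\CLSID\{clsid}\InprocServer32 names the DLL IE loads. Reading the live hives needs Windows (`winreg`), so the script also carries an in-memory snapshot whose CLSIDs and file names are made up, and the "suspicious" heuristics (no friendly name, DLL sitting in a system or temp folder) are assumptions for illustration, not a signature.

```python
"""Resolve Browser Helper Object registrations to the DLLs they load.

Added example, not code from the thread. LiveRegistry needs Windows; the
SnapshotRegistry data below is constructed (fake CLSIDs and file names).
"""
import ntpath
import sys

BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


class SnapshotRegistry:
    """Registry stand-in backed by dicts, for running the logic offline."""

    def __init__(self, bho_clsids, clsid_table):
        self._bho = list(bho_clsids)
        self._clsid = clsid_table  # clsid -> {"name": ..., "dll": ...}

    def bho_clsids(self):
        return list(self._bho)

    def friendly_name(self, clsid):
        return self._clsid.get(clsid, {}).get("name")

    def inproc_server(self, clsid):
        return self._clsid.get(clsid, {}).get("dll")


class LiveRegistry:
    """Reads HKLM and HKCR through winreg (Windows only)."""

    def __init__(self):
        import winreg  # raises ImportError anywhere but Windows
        self.wr = winreg

    def bho_clsids(self):
        wr, names, i = self.wr, [], 0
        try:
            with wr.OpenKey(wr.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
                while True:
                    try:
                        names.append(wr.EnumKey(key, i))
                    except OSError:
                        break  # EnumKey raises once the subkeys run out
                    i += 1
        except OSError:
            pass  # no BHO key at all: nothing registered
        return names

    def _default_value(self, subkey):
        try:
            with self.wr.OpenKey(self.wr.HKEY_CLASSES_ROOT, subkey) as key:
                return self.wr.QueryValueEx(key, "")[0]  # "" is the (Default) value
        except OSError:
            return None

    def friendly_name(self, clsid):
        return self._default_value(rf"CLSID\{clsid}")

    def inproc_server(self, clsid):
        return self._default_value(rf"CLSID\{clsid}\InprocServer32")


def enumerate_bhos(reg):
    """Return [{"clsid", "name", "dll"}] for every registered BHO."""
    return [{"clsid": c, "name": reg.friendly_name(c), "dll": reg.inproc_server(c)}
            for c in reg.bho_clsids()]


def suspicion_reasons(entry):
    """Heuristics (assumptions, not a signature) marking a BHO worth examining."""
    dll = entry["dll"]
    if dll is None:
        return ["CLSID has no InprocServer32 (dangling registration)"]
    reasons = []
    if not entry["name"]:
        reasons.append("no friendly name")
    folder = ntpath.dirname(ntpath.expandvars(dll)).lower()
    # Vendor BHOs live under their own Program Files folder; a bare DLL dropped
    # straight into the Windows directory or a temp folder is the usual Vundo shape.
    if folder.endswith(("\\windows", "\\windows\\system32", "\\temp", "\\local settings\\temp")):
        reasons.append("DLL lives in a system or temp folder: " + dll)
    return reasons


# Constructed snapshot: one well-behaved BHO and one shaped like the thread's hidden one.
SAMPLE_BHO_CLSIDS = ["{AAAAAAAA-1111-2222-3333-444444444444}",
                     "{BBBBBBBB-5555-6666-7777-888888888888}"]
SAMPLE_CLSID_TABLE = {
    "{AAAAAAAA-1111-2222-3333-444444444444}": {
        "name": "Example Toolbar Helper", "dll": r"C:\Program Files\Example\ExampleHelper.dll"},
    "{BBBBBBBB-5555-6666-7777-888888888888}": {
        "name": None, "dll": r"C:\WINDOWS\system32\qxjrtmpa.dll"},
}


def main():
    reg = LiveRegistry() if sys.platform == "win32" else SnapshotRegistry(SAMPLE_BHO_CLSIDS, SAMPLE_CLSID_TABLE)
    for entry in enumerate_bhos(reg):
        print(f'{entry["clsid"]}  {entry["name"] or "<no name>"}  {entry["dll"]}')
        for reason in suspicion_reasons(entry):
            print("    !", reason)


if __name__ == "__main__":
    main()
```

Run it on the infected box (or from a clean boot with the hive loaded under regedit's Load Hive, then adjust `BHO_KEY` to that mount point, an assumption of this example) and each line gives the CLSID, the display name and the DLL path; that path is what to feed to an AV scan or to look up by hash, and the CLSID is what to search for in regedit to remove the registration once the file is gone.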
