Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Seemingly Random Chinese Browser Hijacks


  • This topic is locked This topic is locked
9 replies to this topic

#1 Secret-HQ

Secret-HQ

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 25 November 2008 - 12:56 PM

SYMPTOMS:

For the past day or so, I've been seeing random calls to my default browser targeted at various Chinese URLs. Full scans and Intelli-Scans (quick scans of commonly problematic areas) with Spyware Doctor with AntiVirus turn up nothing unusual.

The calls are infrequent (every few hours?), but they tend to come back-to-back for a few minutes when they happen. My default browser (Maxthon 2) doesn't have to be open for one of the URLs to load; whatever's behind this can call up the browser and pass the URL to it. It seems to happen most often at startup or shortly thereafter.

Nothing has been added to Favorites, and my home page hasn't been changed.

On two occasions when no browser was open, I've caught these calls opening Maxthon as a child of wmiprvse.exe, under System Processes. (Very unusual — to me, at least.) As far as I can tell, this is a harmless Windows process, but it sounds as if it could be used to covertly launch a browser, so maybe it's just being exploited by some nasty on my hard drive.

URLs I'VE BEEN REDIRECTED TO (so far):

<http://www.5181888.cn/iphao.html>
<http://detail.zol.com.cn/>
<http://www.qq452.cn/8/?cid=1092>
<http://www.hexun.com/?B28>
<http://international.caixun.com/?wt.mc_id=exad003>
<http://www.oyesgo.com/r.aspx>
<http://stock.hexun.com/?b28>

TROUBLESHOOTING to date:

I've run HijackThis 1.99 and removed a few unknown/missing-value entries (mostly from the ActiveX/O16 section, but one or two known annoyances from the BHO section that I don't think are related while I was in there). I've also run Registry Mechanic and checked for any recent installs as best I can.

ENVIRONMENT:

I'm running Spyware Doctor with AntiVirus 6.0.0.386 and have performed a Full Scan (in Normal Mode, not Safe Mode) since the issue surfaced. (Spyware Doc detected no threats.)

If anyone recognizes any patterns or potential threats, I'd certainly appreciate the insight! :thumbsup:

LOG FILES:

RSIT/HijackThis Log

RSIT/HijackThis Info File

(These were originally posted directly to this thread, but they were so long I kept tripping over them. It seems easier to work with them this way, but I'm out of bounds and need to move them back into the thread proper, please just let me know.)


UPDATE 1:

A Spyware Doc with AV scan in Safe Mode turned up two files infected with Found_By_Browser_Defender. This has shown up in previous (Normal Mode) SDwAV scans and seems to have cleaned properly. The infected files were .URL files (shortcuts) that are periodically synched across multiple computers. None of the other files (on other PCs) seem harmful when opened with Notepad, and the URL within them should be safe. (It's more info about my browser, and the URL is used to provide access to information on the browser's home page.)

No recurrence of the hijacks yet, but I'll keep my eyes open.


UPDATE 2:

A couple of hours later, and the browser calls are back — but I've also moved a few archives across the network, and it's possible I picked up a backup of the infected file from one of the other PCs. (I'll check momentarily.)

Note that none of the other PCs have exhibited these symptoms, so if this machine has been reinfected, it seems reasonable to think that an infected .URL file may be working in concert with something still resident on this PC. Perhaps I should flush my System Restore as well? (Too much to do this morning to run another Full Scan in Safe Mode, but I can do that when I wrap up later today and flush System Restore in the morning.)

Edited by Orange Blossom, 27 November 2008 - 07:17 PM.
Deactivate links. ~ OB


BC AdBot (Login to Remove)

 


#2 Secret-HQ

Secret-HQ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 25 November 2008 - 01:13 PM

For anyone reading while I was adding to the original post, I'm all done now. :thumbsup:

#3 Secret-HQ

Secret-HQ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 29 November 2008 - 08:43 AM

UPDATE 3:

Found and deleted all instances of the .URL file that seems to be the source of the infection on my network computers and storage drives. (I moved a couple that may or may not predate the infection to a CD you know, "just in case.")

No redirects or browser calls since then, but I haven't been in front of the computer much.



Ran a TrendMicro Housecall online scan (in Safe Mode) while I was away from the computer for Thanksgiving, and it turned up the following bits of malware:

TROJ_DELF.HDO
TROJ_DLOADE.DWK
TROJ_GAMETHI.DLM
TROJ_AGENT.ASJG
TROJ_MESOUM.AA
TROJ_CLICKER.BPD
JS_PSYME.BBH


Housecall reported successful cleaning on all infections except TROJ_MESOUM.AA, which it detected in a .DLL file:

C:\WINDOWS\system32\mspdfd.dll

So I used The Avenger to delete the file on reboot.

I'll run another TrendMicro scan and a Kaspersky scan overnight (as time permits) during the next couple of days.

META:

@ Orange Blossom: Thanks for hiding those links. I made a couple of quick attempts to do so the other day, but they kept getting linkified if I did anything other than load them up with spaces or bad characters (which, in hindsight, is what I should have done).

I've also been avoiding adding posts to the original topic before someone else replies but as the "edit" button seems to have disappeared from my original posts, I'll continue providing updates in new posts. (If this is bad form, I hope someone will let me know.)

Edited by Secret-HQ, 29 November 2008 - 08:49 AM.


#4 Secret-HQ

Secret-HQ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 30 November 2008 - 03:44 PM

UPDATE 4:

Forgot to mention earlier that I've disabled and flushed System Restore. I haven't re-enabled it just yet, since I'm still finding new nasties.



I ran the Kaspersky Online Scanner scan overnight in Safe Mode and turned up several bits of malware.

Kaspersky Report here.

I've ignored everything detected in my archived Outlook .PST files, as I don't want to delete an entire year's worth of messages to get at one potentially infected attachment. (I may later look for a method of scanning PSTs to detect bad attachments and attempt to clean up those files. As it is, they've been dragged forward for years, and I don't imagine they're a great threat. If anyone knows otherwise, please feel free to disabuse me of that notion. :) )

I did delete the entire Housecall quarantine folder, all the infected .ICO files, and C:\WINDOWS\system32\sovlost.exe using The Avenger.

The result I'm most uncertain about is Kaspersky's detection of Trojan.Win32.Patched.dq in this file:

C:\WINDOWS\system32\spoolsv.exe

... which is a legitimate Windows file. According to everything I've read about it online, it's particularly vulnerable to having spyware placed inside it or being mimicked by bad guys but I can't tell how safe it is to delete, so I've left it alone for now.



On the "good news" front: No new browser calls sending me to Chinese sites in the last couple of days. :)

Next step will be fresh Full Scans with Spyware Doctor with AntiVirus and TrendMicro Housecall.



Since no one has chimed in yet, I'm guessing that the staff are pretty busy and/or the right person hasn't stumbled across the thread yet which is absolutely understandable! but if it's because I'm breaking a Forum rule, please post a quick link and let me know, so I can straighten up and fly right! :thumbsup:

(It's just too darn handy to use this thread to hold additional information and help me keep track of what I've discovered so far.)

#5 Secret-HQ

Secret-HQ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 01 December 2008 - 11:00 AM

UPDATE 5:

Left the browser open overnight in Normal Windows Mode and woke up this morning to nine new tabs, all pointed to <http://stock.hexun.com/?b28>. (The URL has been blocked in Spyware Doc, so none of the pages loaded.)

#6 Secret-HQ

Secret-HQ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 03 December 2008 - 12:57 AM

UPDATE 6:

New browser calls tonight, all to <http://stock.hexun.com/?b28> and a new one, <http://news.hexun.com/?b28>.

:thumbsup:

#7 Secret-HQ

Secret-HQ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 03 December 2008 - 01:25 PM

UPDATE 7:

A new TrendMicro Housecall scan in Safe Mode turned up one result:

TROJ_AGENT.ZZAS

The browser (IE7) crashed during clean-up, so I'm not certain if the cleaning was successful. I'll check again later.

#8 Secret-HQ

Secret-HQ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 03 December 2008 - 06:20 PM

For what it's worth, I've also caught my browser (Maxthon), Microsoft Word, and even Outlook running (at times) as child processes of this Windows process:

C:\WINDOWS\system32\wbem\wmiprvse.exe

... which itself occasionally run as a child of:

C:\WINDOWS\system32\svchost.exe

I doubt it's related, but I also wanted to note a DLL error with msvcrt.dll from the other day, since it seemed to coincide with the first hijacks.

Edited by Secret-HQ, 04 December 2008 - 12:46 PM.


#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,012 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:15 PM

Posted 13 December 2008 - 10:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,012 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:15 PM

Posted 20 December 2008 - 01:04 PM

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please Start a new topic.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users