Posted 11 March 2009 - 09:46 AM
Hi, it's my first post here and I just wanted to say that this forum has been invaluable in the past while fighting malware. I've just finished removing a new one that is very strange and on which I cannot find any information. It looks like I'm the only one ever infected by it!
I suspect the malware got in through a Firefox 3.0.6 vulnerability; it happened one day before the release of version 3.0.7. I noticed the symptoms quite fast: general slowdown, the explorer context menu blocking IO and finally the obvious redirection of links from Google, but only for a few of them. Also, trying to open cmd.exe or regedit.exe killed explorer, forcing it to restart; this was easily bypassed by renaming them.
This virus, among other things, took control of kernel32.dll threads and used some processes like: jusched, explorer, lsass, spoolsv, svchost (the main one and another with DCOM and terminal service stuff) and winlogon. Every five seconds it was doing some weird file manipulation. First it created a file called ymihh.sca in the current user's "Local Settings" folder, then closed it. Just after that, it was (re)creating the sqlsodbc.chm file in the system32 folder, then reading it and closing it. While waiting, the hijacked kernel32 threads were in the DelayExecution state, while normal ones usually wait in the WrLpcReceive state. When trying to delete ymihh.sca manually and kill the processes and/or threads creating it, sometimes it was recreated as ymihh.scax or even padded with more 'x' at the end, until it reached the file name size limit.
I've tried running the latest versions of Spybot, Malwarebytes, BitDefender, Kaspersky, Trend Micro and even Norton. They all found nothing, except for Spybot (some tracking cookies from previous users) and Kaspersky (false positives, namely the Spiceworks and TightVNC installers). After that, I tried SmitFraudFix, ComboFix and VundoFix. Only VundoFix found something in a Visual Studio help dll (Microsoft.VisualStudio.OfficeTools.Designer.ni.dll). HijackThis looked normal, as did the GMER output. I did try some other tools, but none revealed anything. The virus was still there with the same symptoms as before. I also looked at network traffic with Wireshark to see if it was trying to do something when replugging the network cable. Nothing unusual there either.
At that point I started to get creative and used Process Explorer to identify and suspend all rogue kernel32 threads. That stopped the file manipulation right away, and after a couple of minutes cmd.exe and regedit.exe were accessible again. That seemed to have stopped it. Yet rebooting made it reappear, so I stopped it again and opened Autoruns to disable all user startup processes. Upon rebooting this time there was no trace of this annoying malware. I've re-enabled every startup process, hoping to find the culprit, but to my astonishment, there was no trace left of the virus.
This machine is running Windows XP SP3 and is quite loaded. It has the full MS dev environment from VS 6.0 through 2005, plus some Express Editions as well. Also, I was running blackbox (bbLean) as a shell instead of explorer.
So, does someone recognize this malware, or is it something new? Is there a way to ensure that my computer is really clean now? If someone needs them, I have kept a copy of ymihh.sca, sqlsodbc.chm and Microsoft.VisualStudio.OfficeTools.Designer.ni.dll. My HijackThis log will follow.
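The two behavioural indicators described in the post (the ymihh.sca dropper being recreated with a growing 'x' suffix under "Local Settings", and sqlsodbc.chm being rewritten every five seconds by several unrelated processes) can be turned into a simple detection over file-activity logs. This is an added example, not code from the poster or any of the tools named above; the Process Monitor-style CSV lines, process names and timestamps are constructed sample data, and the 5-second period and 0.5-second tolerance are assumed values.

```python
import re
from datetime import datetime

# Constructed Process Monitor-style CSV events (time,process,operation,path); sample data, not from the post.
SAMPLE_EVENTS = """\
10:00:00.120,explorer.exe,CreateFile,C:\\Documents and Settings\\user\\Local Settings\\ymihh.sca
10:00:00.131,explorer.exe,CloseFile,C:\\Documents and Settings\\user\\Local Settings\\ymihh.sca
10:00:00.140,explorer.exe,CreateFile,C:\\WINDOWS\\system32\\sqlsodbc.chm
10:00:05.118,lsass.exe,CreateFile,C:\\Documents and Settings\\user\\Local Settings\\ymihh.scax
10:00:05.139,lsass.exe,CreateFile,C:\\WINDOWS\\system32\\sqlsodbc.chm
10:00:10.121,spoolsv.exe,CreateFile,C:\\Documents and Settings\\user\\Local Settings\\ymihh.scaxx
10:00:10.142,spoolsv.exe,CreateFile,C:\\WINDOWS\\system32\\sqlsodbc.chm
10:00:12.000,notepad.exe,CreateFile,C:\\Documents and Settings\\user\\My Documents\\notes.txt
"""

# The dropper name from the post, plus the 'x' padding the poster saw on each recreation.
PADDED_NAME = re.compile(r"^ymihh\.scax*$", re.IGNORECASE)
CHM_NAME = "sqlsodbc.chm"

def parse_events(text):
    """Yield (seconds_since_midnight, process, operation, path) for each CSV line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, op, path = line.split(",", 3)
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        yield t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6, proc, op, path

def analyze(text, period=5.0, tolerance=0.5):
    """Flag padded ymihh.sca* creations under a Local Settings folder and a fixed-cadence
    rewrite of sqlsodbc.chm spread across more than one process (assumed thresholds)."""
    padded, chm_times, chm_procs = [], [], set()
    for secs, proc, op, path in parse_events(text):
        folder, _, name = path.rpartition("\\")
        if op == "CreateFile" and PADDED_NAME.match(name) and folder.lower().endswith("local settings"):
            padded.append((proc, name))
        if op == "CreateFile" and name.lower() == CHM_NAME:
            chm_times.append(secs)
            chm_procs.add(proc)
    gaps = [b - a for a, b in zip(chm_times, chm_times[1:])]
    periodic = len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps)
    return {
        "padded_names": padded,
        "chm_processes": sorted(chm_procs),
        "chm_periodic": periodic,
        "suspicious": bool(padded) and periodic and len(chm_procs) > 1,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

Real Process Monitor exports carry more columns than the four used here, so map the time, process, operation and path fields before feeding them to `analyze`.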