Invisible Infection - No Win Update, Pop-ups, Redirects

7 replies to this topic

#1 shade_v2

shade_v2

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 08 June 2010 - 01:41 PM

I'm a computer repair tech and we've stumbled onto something in the shop that we can't beat. We've seen it twice in the past week, fought it for three days, and in both instances were forced to back up, wipe out, and reinstall the client's machine. It has proven invisible to all our scans, as well as all manual attempts to locate it.

PAY ATTENTION: I cannot provide log files. I cannot try "this" or "that," or run such-and-such tool and see what happens. These were client machines. They have been serviced and returned to the client. What I am looking for by sharing this case is aid in discovering where and how this infection is starting up. If you have had experience with this virus in the past month - as I am sure it is something brand new - I'd like to hear what you've tried, regardless of whether it has worked or not. All infections have to get initialized somewhere. Wherever this one's hooking in, it doesn't leave a trace -- or at least, we can't find it.

So far, we've only seen it in Windows XP.

SYMPTOMS:

1.) update.microsoft.com and windowsupdate.microsoft.com are inaccessible via Internet Explorer. (404)
2.) Sites like sendspace.com and transferbigfiles.com throw the same quick 404 that windows update does when you try to upload them a file.
3.) Occasional, infrequent pop-ups.
4.) Occasional, infrequent search result redirects.
5.) Symptoms appear in safe mode as well.
6.) In both instances, other more common infections were initially present; detected and removed.

Incidentally, I can access Microsoft Update by the backdoor through links on Microsoft's download center, but the site throws an error pretty immediately after installing Microsoft's update add-on. Also, the redirections and pop-ups are very infrequent; much more so than usual with this kind of proxy-style infection. The designer clearly wanted it to linger in the background of the machine forever.

ATTEMPTED FIXES:

1.) HijackThis log is clean. (Normal and Safe Mode)
2.) Sophos Anti-Rootkit finds nothing worth mention.
3.) Malwarebytes log is clean. (Normal and Safe Mode)
4.) AVG scan is clean. (Normal and Safe Mode)
5.) No "/start" hijacks in registry.
6.) Nothing glaringly suspicious in 'Application Data' under any user.
7.) No proxy server declared in Internet Options.
8.) Hosts file is clean.
9.) Reset IE does not fix.
10.) Roll-back IE8 to IE7 does not fix.
11.) OS 'Repair' from installation media does not fix.
12.) AUReset tool does not cure Windows Update -- fails to install 'Windows Installer 3.1' and the update immediately following it; completes the rest of its cycle successfully.

We surely made a hundred other attempts as well. These are just the most notable. The absence of a detectable start-up hook suggests that the infection has directly infected a critical operating system file that starts with the OS even in safe mode. But the fact that an OS Repair didn't resolve the issue contradicts that assumption, as it should have replaced all such files with clean versions from the disc...

This is my first post in any repair forum and my first call for aid in six years. What say you BleepingComputer?

Edited by Orange Blossom, 08 June 2010 - 04:59 PM.
Move to AV forum. ~ OB

#2 shade_v2

shade_v2
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 08 June 2010 - 10:09 PM

I really don't think this post belongs where Orange Blossom has relocated it.

Edited by shade_v2, 08 June 2010 - 10:12 PM.


#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:50 AM

Posted 08 June 2010 - 10:17 PM

It is probably the TDSS, TDL3, or Alureon rootkit. There is a lot of it around at the moment.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 shade_v2

shade_v2
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 09 June 2010 - 01:45 PM

Yet another system came in with this infection today, atop a few others, of course. I looked up TDSS - I'll have to do more reading on it later - and ran Kaspersky's TDSSKiller Tool, as recommended. It found an infected driver on the machine and after reboot I am able to use Windows Update. I will monitor the system for further popups or redirects.

I've glanced quickly at the literature on TDSS and its variants and I am both impressed and disappointed to find that traditional rootkit scanners will not detect the infection. I am loath to add such specific tools to my bag as TDSSKiller, which only detects the one fundamental type of infection. Should any freeware tool be or become capable of detecting TDSS as well as traditional rootkits, I would very much appreciate the heads-up.

All thanks be to Budapest! I'd never heard of such a thing before you mentioned it.

(...and I renew my challenge to Orange Blossom's redirection of this thread. ;D )

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:50 AM

Posted 09 June 2010 - 04:14 PM

Generally GMER will show signs of the infection.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:50 PM

Posted 09 June 2010 - 05:05 PM

PAY ATTENTION: I cannot provide log files. I cannot try "this" or "that," or run such-and-such tool and see what happens. These were client machines. They have been serviced and returned to the client.


This is why your topic has been moved to this forum.

~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 shade_v2

shade_v2
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 10 June 2010 - 08:29 PM

Thanks for GMER. I'll give it a try.

#8 RedDawn

RedDawn

  • Members
  • 454 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:50 PM

Posted 11 June 2010 - 06:04 PM

shade_v2

13 Antivirus Rescue Disks for your toolkit.

Also, have a look at UBCD4Win and SARDU.