PAY ATTENTION: I cannot provide log files. I cannot try "this" or "that," or run such-and-such tool and see what happens. These were client machines. They have been serviced and returned to the client. What I am looking for by sharing this case is aid in discovering where and how this infection is starting up. If you have had experience with this virus in the past month - as I am sure it is something brand new - I'd like to hear what you've tried, regardless of whether it has worked or not. All infections have to get initialized somewhere. Wherever this one's hooking in, it doesn't leave a trace -- or at least, we can't find it.
So far, we've only seen it in Windows XP.
1.) update.microsoft.com and windowsupdate.microsoft.com are inaccessible via Internet Explorer. (404)
2.) Sites like sendspace.com and transferbigfiles.com throw the same quick 404 that Windows Update does when you try to upload a file to them.
3.) Occasional, infrequent pop-ups.
4.) Occasional, infrequent search result redirects.
5.) Symptoms appear in safe mode as well.
6.) In both instances, other more common infections were initially present; detected and removed.
Incidentally, I can access Microsoft Update by the back door through links on Microsoft's download center, but the site throws an error pretty immediately after installing Microsoft's update add-on. Also, the redirections and pop-ups are very infrequent; much more so than usual with this kind of proxy-style infection. The designer clearly wanted it to linger in the background of the machine forever.
1.) Hijackthis log is clean. (Normal and Safe Mode)
2.) Sophos Anti-Rootkit finds nothing worth mention.
3.) Malwarebytes log is clean. (Normal and Safe Mode)
4.) AVG scan is clean. (Normal and Safe Mode)
5.) No "/start" hijacks in registry.
6.) Nothing glaringly suspicious in 'Application Data' under any user.
7.) No proxy server declared in Internet Options.
8.) Hosts file is clean.
9.) Reset IE does not fix.
10.) Roll-back IE8 to IE7 does not fix.
11.) OS 'Repair' from installation media does not fix.
12.) AUReset tool does not cure Windows Update -- fails to install 'Windows Installer 3.1' and the update immediately following it; completes the rest of its cycle successfully.
We surely made a hundred other attempts as well. These are just the most notable. The absence of a detectable start-up hook suggests that the infection has directly infected a critical operating system file that starts with the OS even in safe mode. But the fact that an OS Repair didn't resolve the issue contradicts that assumption, as it should have replaced all such files with clean versions from the disc...
This is my first post in any repair forum and my first call for aid in six years. What say you BleepingComputer?
Edited by Orange Blossom, 08 June 2010 - 04:59 PM.
Move to AV forum. ~ OB