Infection: background iexplore.exe processes, Firefox Google search redirects



#1 Number100


Posted 03 July 2012 - 10:07 AM

Since these issues have apparently been solved, maybe this isn't the right place to put this. But I still have a couple of questions (at the bottom of this post) about where to go from here, and I'd be grateful if the advisers here could help me.


OK, I wrote out an extremely long post describing my system, the problem, and all the numerous things I'd tried in my attempts to solve it. But then... I ran ESET Online Scanner, which against my expectations was the one thing that APPARENTLY solved the issue! It turned out to involve this XUL Runner-related Firefox extension, and ESET was the first thing I'd tried that detected it and described it as a Trojan. Via one of the answers on that Mozilla support page, I found this thorough analysis of how the redirect infection works. Since removing the file my "googleads.g.doubleclick.net" redirects SEEM to have stopped. During my searches for a solution, I had noticed that page discussing XULRunner (as well as a couple of threads here on Bleeping Computer), and had noticed it listed as a greyed-out extension in my Add-ons list - but for some reason I hadn't taken that seriously as the cause of the problem.

However, I'm still going to post what I did, for two reasons: first, hopefully it will help others who have the same problem. Second, maybe the people here can recommend other things I should try to be sure my PC's completely clean. Third, I spent a lot of time writing this post and I didn't want to see it go to waste. ;)

Also, I admit that at one point, I used Combofix unsupervised, despite the warnings on this website not to do so, and I take full responsibility for that. It didn't brick my computer, and I still have the logs of the things it did, in case the quarantined files need to be restored and startup screen changes need to be undone before I uninstall it. Before I go ahead and use the "/uninstall" startup parameter to remove it, I have a couple of questions about it at the bottom of this post.



In summary:

1) I think the infection got onto my PC when I clicked the wrong Google Image search result in Opera, which opened up a tab with a clearly fake MS Security Essentials warning. It was obviously fake because it used the Aero window style instead of my XP theme. I closed it as quickly as possible, but it was apparently enough to get me infected. In future I will be sure to only browse with Firefox running NoScript in order to prevent "drive-bys" like this!

2) The hidden iexplore.exe processes were solved by removing some registry entries, which were causing Rundll32.exe to execute functions in two randomly-named dlls on every startup.

3) TDSSKiller found a hidden TDSS filesystem on my HDD. The process of removing it caused Microsoft Security Essentials to detect Trojan.Win32/Alureon.EC in the TDSSKiller quarantine directory.

4) The Firefox Google search redirects via "googleads.g.doubleclick.net" apparently involved an extension which calls itself XULRunner, unrelated to the official Mozilla runtime environment. ESET was the only thing that described it as a Trojan, and removing this file has SO FAR solved those redirects. The weird thing is that IIRC the Last Modified date of this file was the 24 June, a couple of days BEFORE the iexplore.exe and Google redirect symptoms manifested themselves...





Hopefully there's nothing else lurking on my PC, like a keylogger... during the course of these investigations I came across scary stuff like this article and this comment on how the TDSS rootkit works. Things like that got me worried about those nasty things that modify the MBR and create hidden partitions and filesystems in unused areas of the disk, and therefore are able to persist even after a format and OS reinstall...






My system:

OS with the problem: Windows XP SP3.

Also on my system: the Win7 Release Candidate from 2009 (which I only really keep for one old game that doesn't run properly in XP), and Ubuntu (installed via Wubi within the Win7 partition). When my PC boots, it first goes to the Win7 bootloader, with options for Earlier Version of Windows/Win7RC/Ubuntu; selecting Earlier Version takes me to the XP bootloader.


Background: A previous infection

Back at the start of May I had my first ever non-trivial malware infection. The symptoms of that were extremely obvious: Microsoft Security Essentials would detect W32/Ramnit.gen!a and apparently quarantine it on every reboot, recommend "Restart your PC to clean", and then it would be detected again on the next restart. While it was around, I couldn't launch Chrome, Opera, Malwarebytes and Spybot S&D (only Firefox), and I couldn't visit Microsoft Security Centre and sites like Mcafee and Symantec.

Obviously I changed all my passwords (from within Ubuntu rather than WinXP).

I eventually found that the Chameleon options included in Malwarebytes seemed to kill whatever process was stopping Malwarebytes, Chrome etc from running. Also, I asked elsewhere about what software I could use to scan from outside the infected Windows installation, and I was recommended the Linux-based Dr Web Live CD. I ran that, and I was impressed - it seemed to be one of the most thorough virus scanners I'd ever come across.

After numerous full scans with MSE, Dr Web, AVG, Avast, TDSSKiller and ESET Online Scanner, some of which detected and cured certain files, I seemed to be in the clear, so in the end I DIDN'T reinstall Windows XP.



During my attempts to solve that previous infection, I encountered a problem which is still present: For some reason I can't successfully boot XP into Safe Mode. It gets to the point of initialising giveio.sys, prompts me to press Enter, then BSODs. Hmmmm.







First symptom of this new infection: hidden iexplore.exe processes:

After getting that Opera popup, the first symptom I noticed was that in Task Manager, two iexplore.exe processes were running - but there was no IE browser window, and I had not used IE at all recently. According to Process Explorer the two processes were launched by svchost. Every time I killed those processes they reappeared within a few seconds.

I searched for people who had similar issues. Some people report two hidden iexplore.exe processes, others more. Some people said these processes had high CPU memory usage - mine just seemed to stick around 15MB (though I didn't keep them running long enough to see if they eventually increased). Other people reported browser search result redirects, and audio ads playing when no browser was open.


Second symptom: Firefox Google redirects:

You know the mini status bar at the bottom-left of the browser that displays the destination URLs of links? Well, normally, if I click and hold the left mouse button on a Google search result, until I release it the mini status bar displays "google.co.uk/url?[some code]=[intended url]". Well, when I got infected, I noticed that in Firefox on Windows XP, usually it displays that google.co.uk url, but sometimes it will display "googleads.g.googledoubleclick.net[some code]" instead. That only happens in Firefox on Windows XP, regardless of whether or not I'm logged into Google; it doesn't happen in Chrome or Opera on XP, or Firefox under Ubuntu. I didn't test any search engines other than Google.

Now, if the status bar url displays "google.co.uk/url?[some code]" there are no problems. However, if the status bar url displays "googleads.g.googledoubleclick.net", there is approximately a 1 in 10 chance it will be redirected. The sites it redirects to include glam.co.uk, and an advert page for Enigma Software's "Spyhunter 4" (which, incidentally, plays an audio ad - maybe that was what the audio those other users were referring to).

After getting this infection, I installed Firefox's NoScript addon. One of its effects is to ensure that in Google searches the status bar always displays the true destination URL - neither the "google.co.uk/url?[some code]" nor "googleads.g.googledoubleclick.net[some code]" prefixes appear. I didn't get any redirects when it was enabled. In addition, NoScript told me that on Google searches it was blocking both "disable-instant-search.com" and "payppcadvertising.com" - here's a page listing that as a threat. I tried temporarily removing NoScript from Firefox and then doing another Google search - sure enough, on one of the searches where the link displayed the "googleads.g" URL, it redirected me to an Ask.com search page instead.





What I tried to solve the first symptom:

1) Renaming iexplore.exe

I found that if I killed those iexplore.exe processes and quickly renamed the program's filename in Program Files\Internet Explorer to a gibberish non-exe filename, another iexplore.exe would quickly appear in the same folder, and those two processes would appear again. (I did consider the possibility that this restoration of the IE executable might not be caused by the malware, but could be something that Windows itself does automatically - here's a post I found about that.)

If I booted into Ubuntu and renamed iexplore.exe from there, and then restarted Windows, the IE directory would NOT create a new copy of the program, and the two suspicious processes would NOT start. (But Windows Update prompted me to install IE8.)

That temporarily solved the symptom, but obviously there was more to it than that.


2) A Malwarebytes Quick Scan

It found this:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rsqui (Trojan.Agent) -> Data: rundll32.exe "C:\Documents and Settings\Nick\Application Data\rsqui.dll",StrTokEx -> Quarantined and deleted successfully.



3) Dr Web Live

As I said above, during that infection in May I was recommended the Dr Web disc, which uses a Linux live CD environment to carry out malware scans. Since it seemed a very thorough virus scanner, and since I didn't want to spend much time running Windows while this problem was around, I thought it should be the first full scan I should try.

It found:

"C:\Documents and Settings/Nick/Application Data/huilap.dll - suspicious Trojan.Packed"
and
"System Volume Information/_restore{278E57B3-A87C-4BF5-AB47-12F919D410B5}/RP34/A0005923.dll - infected Trojan.Damaged.1"


I Googled the "huilap" filename, and since I couldn't find any search results for it, I trusted the scanner's conclusion, assumed it was some randomised filename made up by the malware, and quarantined then deleted it.

After that, I rebooted XP, and the iexplore.exe processes stopped appearing, even when iexplore.exe was present in Program Files\Internet Explorer. But then every time I started XP an error message appeared: "RUNDLL - Error loading C:\Documents and Settings/Nick/Application Data/huilap.dll, the specified module could not be found". Beyond that, I could use the OS fine.

I noticed that even though that huilap.dll file was stored in my Application Data directory (user:Nick), I got the same Rundll error message upon logging into the second user account that is set up on my PC.


4) System Restore and registry editing

I've never had much confidence in System Restore, but I thought I'd try a System Restore back to the 24th, before this problem came up. That made TWO Rundll error messages come up on boot: one for rsqui.dll (Malwarebytes had deleted the dll AND the registry key launching it), the other for huilap.dll as before (Dr Web had deleted the dll, but not the registry key).

So I ran regedit, and found that Windows/Currentversion/Run contained two entries

name - huilap
Type - REG_SZ
Data - "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Nick\Application Data\huilap.dll",GetImageInfoFromFileInMemory

name - rsqui
Type - REG_SZ
Data - rundll32.exe "C:\Documents and Settings\Nick\Application Data\rsqui.dll",StrTokEx


I deleted them both, which prevented those startup Rundll error messages. The hidden iexplore.exe processes had stopped too.

That was worrying: the 24th June was BEFORE this infection came up, so why did System Restore bring back a version of the registry that activated those dlls on startup? Had System Restore's version of the registry been infected, or had this malware already been present before the 24th? Or even: is it possible these two dlls are entirely legitimate?



Fortunately this little process taught me where the registry keeps stuff it wants to run on startup! :)




So the above procedures prevented the appearance of those background iexplore.exe processes, and the rundll errors.




Now: here's everything I tried in order to solve the Google search redirects:


1) Check Firefox proxy settings, DNS settings, and hosts file

Couldn't see any problems with these. The hosts file was just full of the normal "127.0.0.1 www.badsite.com" entries that Spybot S&D had added to it.


2) Malwarebytes full scan

I did this from within normal Windows XP, because as I said, I can't use Safe Mode. It didn't find anything.


3) MSE full scan

Didn't find anything.


4) Ran ComboFix

Yes, I know: it's overkill to use it this early in the removal process. I'm well aware of the strong warnings not to use it without supervision from the pros here. But I ignored them: the program might not be a "one-size-fits all" solution, but the lack of very specific startup options and command line parameters sure makes it seem like one.

I take full responsibility for it.

Anyway, I've used it now, and these are the things I know it did:

a) Combofix quarantined a number of files. I can post the log if you need to see it.
b) Combofix restored the desktop shortcut to IE, which I'd manually removed long ago (via Display Properties > Desktop > Customise Desktop).
c) Combofix blanked out my hosts file (over the last few years, Spybot S&D had been adding a long list of blacklisted sites to the file).
d) As mentioned at the start, my system passes through two bootloaders: first, the Win7 bootloader, then the XP bootloader. To the XP screen, Combofix added "Microsoft Windows Recovery Console /cmdcons" as the default boot option, and "[do not select this] /debug" as another option.


I have the main Combofix log and the Quarantined Files log, if you need them.




5) Ran TDSSKiller

It found several files listed as Unsigned.Multi.Generic, and one Lockedfile.Multi.Generic: "spdt".

More worryingly, it found a TDSS filesystem on \Device\Harddisk0\DR0!

I chose to copy that to Quarantine (the files were: config.ini, tdl, rsrc.dat, tdlcmd.dll, data.db, data.js). As soon as I did so, Microsoft Security Essentials detected Trojan.Win32/Alureon.EC in C:\TDSSKiller_Quarantine\28.06.2012_03.21.13\tdlfs0000\tsk0003.dta

(I scanned that Quarantine directory with Malwarebytes - it didn't spot it as a threat!)

(Maybe MSE detected it because the process of something moving from a TDLFS filesystem onto an NTFS partition resembles the behaviour of the rootkit itself?)

So I ran TDSS Killer again, and this time, deleted it.




6) Next, I read about hidden partitions and MBR/boot sector viruses, and began panicking!

The presence of that TDSS filesystem got me worried about the possibility of more. I became concerned about the possibility that this might be one of those nasty things that modifies the MBR and creates hidden partitions and filesystems in unused areas of the disk, and therefore might come back even after a format and reinstall of the WinXP and Win7RC partitions.

Since Linux is better than Windows at detecting non-FAT/NTFS filesystems, I booted into Ubuntu and had a look at the partitions on the drive.

I didn't notice any hidden partitions on either drive:

- 320GB SATA drive "sda" NTFS WinXP (primary), NTFS Win7RC (primary), NTFS Data (extended) [home to My Documents]

- 80GB IDE/PATA drive "sdb": This drive's layout is a bit of a mess. These days I only use it for backups, but it's still partitioned the way it was when it was the primary HDD in my old PC: an NTFS partition for WinXP (still flagged as bootable, even though there's no longer an OS on there), two FAT32 partitions for documents, and three ext2 partitions left over from a Mandrake Linux installation way back in 2003: /boot, /, and /home.

Presumably that means there are four locations a boot sector virus could hide: the SATA drive's MBR, the boot sector of the SATA drive's WinXP partition, the boot sector of the SATA drive's Win7RC partition, and the IDE drive's ancient WinXP partition (which no longer has Windows on it but is still flagged as bootable).

I read about fixing the MBR, and wondered if it would be complicated by the presence of multiple OSs on the disk. I asked elsewhere, and was told that since I've got both WinXP and Win7RC installed, and the Win7 bootloader takes priority because it was installed after XP, I shouldn't simply use WinXP's fixmbr command.


I haven't yet run aswMBR...



7) Uninstall and reinstall Firefox

Initially, I uninstalled FF and chose to KEEP my personal data, then reinstalled. The problem was still there. (Since it turned out that the issue was extension-related, in retrospect that's not surprising. Perhaps uninstalling FF and choosing to remove personal data would have got rid of it?)


8) Should I reinstall XP?

At this point I was strongly considering reinstalling Windows XP entirely, perhaps with a bit of repartitioning: partly to give Windows XP more space (when I first formatted the disk, I gave Win7RC too much space compared to XP), and partly to make sure that the boot sectors of each partition are cleaned, as well as the MBR. Hopefully a reinstall would restore my ability to use Safe Mode!

But then I tried one more thing...


9) Ran ESET Online Scanner

Within ten minutes it had found this:

C:\Documents and Settings\Nick\Local Settings\Application Data\{D50A3D67-BD9F-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul

JS/Redirector.NIQ trojan


"XUL?" I thought. "XULRunner was that Firefox addon thing I'd read about before, but hadn't really investigated!"

Removed it and voila! SO FAR, there have been no more appearances of "googleads.g.doubleclick.net" in the Firefox status bar, and SO FAR (touch wood) no more redirects!

I found this thorough analysis of how the redirect infection works. My files are slightly different to those described there: I have the directory C:\Documents and Settings\Nick\Local Settings\Application Data\{D50A3D67-BD9F-11E1-8270-B8AC6F996F26}\ containing the files chrome.manifest and install.rdf, and chrome\content subfolders containing that browser.xul file. I also have another folder, C:\Documents and Settings\Nick\Local Settings\Application Data\{D50A6EA7-BD9F-11E1-8270-B8AC6F996F26} (a slightly different string of characters) containing files: background.html, icon.png (0 bytes), manager.js and manifest.json. I can't read javascript, but they don't look friendly, though I haven't deleted them yet. Firefox isn't supposed to store anything official there, is it?

Those files are dated 24 June 2012 - so apparently I've been infected a couple of days longer than I thought! No wonder my System Restore back to the 24th didn't get rid of it!




NOW WHAT?

OK, so now this infection is APPARENTLY completely cleaned up. But I want to be as sure as possible there's nothing else hanging around. I realise I can never be completely sure it's gone, but I'd like to be as sure as is reasonably possible without reaching tinfoil-hat levels of paranoia!




Something strange I noticed: before all this happened, when using Firefox, typing in google.com or using the search bar would normally redirect me to my local site, google.co.uk. During the course of my investigations, I used http://www.google.com/ncr to prevent me from being redirected to .co.uk, to see if the redirects were happening from both versions of the site (and also because NoScript had .com on its whitelist but not .co.uk). Now, I don't get redirected to the localised .co.uk site at all any more, whether I'm logged into Google or not! Weird.




I still have Combofix saved to my desktop. I'd like to get rid of it. What's the correct way to go about this?

As I mentioned, running it made a few changes:

a) Quarantined a number of files (and added the .vir extension to them).
b) To the XP bootloader screen, it added "Microsoft Windows Recovery Console /cmdcons" as the default boot option, and "[do not select this] /debug" as another option.
c) Restored a desktop shortcut to IE (it's not one of those normal shortcuts, but the IE-specific one where right-clicking it takes you to IE's Internet Properties). The way I'd intentionally removed it long ago is via Display Properties > Desktop > Customise Desktop. But now, I open that menu and IE isn't listed at all! Weird.

Before uninstalling Combofix, should I restore those files that it quarantined - do you need to see a log? And will uninstalling Combofix restore my old bootloader options, or will I need to change it manually?


I'm going to uninstall Opera (because that was seemingly the thing that got me infected in the first place), and make sure I only use Firefox with NoScript enabled. But other than the standard full scans with Malwarebytes, ESET Online, MSE, Dr Web, AVG and Avast... anything else you think I should try to be as sure as possible that there's nothing else lurking?

If I go and run aswMBR, how should I interpret its results?





Again, sorry about the length of this post - but I kept a thorough log of everything I did as I went along, and didn't want to see it go to waste! Hopefully this post might also be of help to anyone else who has similar issues.

Edited by Number100, 03 July 2012 - 10:21 AM.
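A defender-side triage check for the persistence pattern the post describes (a Run-key value that has rundll32.exe call an export in a DLL sitting in the user's Application Data folder). This is an added example, not code from the post or from any of the tools mentioned: it takes Run values that have already been exported from the registry, parses the rundll32 form, and flags DLLs loaded from user-writable profile paths. The sample entries are constructed to mirror the two values the poster found, and the function names are my own.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Matches Run-key values that launch rundll32 against a DLL export, e.g.
#   "C:\WINDOWS\system32\rundll32.exe" "C:\...\huilap.dll",GetImageInfoFromFileInMemory
#   rundll32.exe "C:\...\rsqui.dll",StrTokEx
#   rundll32.exe shell32.dll,Control_RunDLL
_RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Path fragments that mean "writable by an ordinary user account".  System
# components live under %SystemRoot% or Program Files; a DLL in a profile
# directory that is auto-run at every logon is exactly the pattern in the post.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",  # XP profile root (the poster's case)
    "\\application data\\",
    "\\local settings\\",
    "\\users\\",                   # Vista and later profile root
    "\\temp\\",
)


class Finding(NamedTuple):
    value_name: str
    dll_path: str
    export: str
    suspicious: bool
    reason: str


def parse_rundll32(command: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 launch string, else None."""
    m = _RUNDLL_RE.match(command)
    if not m:
        return None
    return (m.group("qdll") or m.group("dll"), m.group("export"))


def assess_run_entries(entries: dict) -> list:
    """Classify each rundll32-style Run value; other launch strings are skipped."""
    findings = []
    for name, command in entries.items():
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        dll, export = parsed
        low = dll.lower()
        hit = next((mk for mk in USER_WRITABLE_MARKERS if mk in low), None)
        if hit is not None:
            label = hit.strip("\\")
            findings.append(Finding(name, dll, export, True,
                                    f"DLL auto-run from user-writable path ({label})"))
        else:
            findings.append(Finding(name, dll, export, False,
                                    "DLL outside user profile; verify signature manually"))
    return findings


def flagged_names(entries: dict) -> list:
    return [f.value_name for f in assess_run_entries(entries) if f.suspicious]


# Constructed sample: the two values from the post plus two benign-looking ones.
SAMPLE_RUN_ENTRIES = {
    "huilap": r'"C:\WINDOWS\system32\rundll32.exe" '
              r'"C:\Documents and Settings\Nick\Application Data\huilap.dll",GetImageInfoFromFileInMemory',
    "rsqui": r'rundll32.exe "C:\Documents and Settings\Nick\Application Data\rsqui.dll",StrTokEx',
    "ControlPanel": r'rundll32.exe shell32.dll,Control_RunDLL',
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" /background',
}

if __name__ == "__main__":
    for f in assess_run_entries(SAMPLE_RUN_ENTRIES):
        tag = "SUSPICIOUS" if f.suspicious else "ok        "
        print(f"{tag} {f.value_name}: {f.dll_path} -> {f.export}  [{f.reason}]")
```

The heuristic only says where to look; a hit still needs the DLL itself checked (hash, signature, a search for the name, as the poster did) before anything is deleted.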



#2 narenxp


Posted 03 July 2012 - 10:13 AM

7) Uninstall and reinstall Firefox

Initially, I uninstalled FF and chose to KEEP my personal data, then reinstalled. The problem was still there. (Since it turned out that the issue was extension-related, in retrospect that's not surprising. Perhaps uninstalling FF and choosing to remove personal data would have got rid of it?)


Probably yes



