
Unknown Malware or DNS redirection ?



#1 paradoox

  • Members
  • 3 posts
  • Gender:Male

Posted 05 May 2015 - 11:47 AM

I'm having an odd problem which seems to be some sort of malware or DNS redirection with an XP SP3 machine at a volunteer-run non-profit I help out at. (No one is paid.) I've been working on this for about 2 days off and on.

 

Within the last month or so, people started noticing weird results with Google Chrome. Certain things would fail, like trying to open www.gmail.com (the error was "host not found"). In IE8, it got a certificate error. If the certificate error was ignored, you wound up at https://www.gmail.com/intl/en/mail/help/about.html. Things seemed to work in Firefox, except you also wound up at that URL.

 

I noticed that Malwarebytes was not running (probably because the trial period had expired). I entered a license, but it was unable to update ("unable to communicate with server", which also suggests DNS issues).

 

I was unable to download Spyhunter (it would never start to download IIRC).

 

Similar machines plugged in to the same network worked fine.

 

ipconfig /all showed nothing weird.

 

I took the disk home (where I am now), installed it in the same model of hardware (Dell Optiplex 755) and noticed similar problems. So this isn't hardware-, time- or even ISP-related.

 

I ran a full scan using the current version of Norton 360 and found nothing important (I think this found a softonic downloader .exe, which I think has been there for a while; even if this was the infection vector, there should be some other signature of the actual infection).

 

I copied Spyhunter.something.com using the alternative installation instructions from another machine, and as soon as I started it, the machine would freeze and need a hard restart (this *might* be a red herring).

 

I noticed the hosts file (\windows\system32\drivers\etc) had a 0.0.0.0 entry for www.bdsmlibrary.com, and apparently has since 12/07/2012, so I think that is another red herring. Just to be sure, I replaced the hosts file with a clean copy from one of my home machines running XP. The problems persisted (www.gmail.com, and unable to install Spyhunter or update Malwarebytes).

 

I tried turning DNS caching off as per one of the recommendations on the Spyhunter forums (net stop dnscache). The problems persisted (with www.gmail.com, and unable to install Spyhunter or update Malwarebytes).

 

At this point I booted to safe mode with networking (where I am now).

 

(in safe mode) I was able to install Spyhunter using the alternative installation instructions. I was also able to update Malwarebytes.

 

(in safe mode) I ran Spyhunter. It found nothing relevant (85 tracking cookies; they were cleaned and didn't come back on a subsequent run).

 

(in safe mode) I ran Malwarebytes. It found nothing relevant (the Softonic installer .exe described above, and the fact that Logoff was missing from the Start menu).

 

The problems (most notably opening www.gmail.com getting weird results or failing, depending on the browser) persist.

 

Now, I could have just re-imaged this machine for less trouble than I've gone through already, but I'm really curious to know what is going on, especially if it stops it from happening in the future. Besides running Norton 360, I do plan to make sure Malwarebytes is running in the future.

 

Thanks.
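As an added illustration (not code from the thread or from any tool mentioned in it): the hosts-file check the first post does by hand, written as a small triage script. It classifies each entry as a normal loopback mapping, a 0.0.0.0 sinkhole, a redirect to a real address (the pattern that would explain a certificate error on a mail site), or a sinkhole of a watched domain such as an AV update host (the pattern that would explain a failing Malwarebytes update). The sample hosts content, the watch-list of domains and the update hostname are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple

# Constructed sample, modelled on the entry quoted in the thread plus two
# invented lines; on a real XP box read C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.bdsmlibrary.com
198.51.100.23   www.gmail.com mail.google.com   # constructed: external redirect
0.0.0.0         update.malwarebytes.com         # constructed: vendor block
"""

# Assumed watch-list: domains whose blocking is a classic infection symptom.
WATCHED_SUFFIXES = ("gmail.com", "google.com", "malwarebytes.com", "norton.com")


class Finding(NamedTuple):
    address: str
    hostname: str
    verdict: str  # "loopback" | "sinkhole" | "redirect" | "watched-block"


def is_watched(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(address: str, hostname: str) -> str:
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"        # e.g. 'localhost'; normal
    if ip.is_unspecified:        # 0.0.0.0 or :: means "block this name"
        return "watched-block" if is_watched(hostname) else "sinkhole"
    return "redirect"            # any routable address sends traffic elsewhere


def triage_hosts(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blanks
        fields = line.split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address/hostname line
        for host in fields[1:]:
            host = host.lower()
            findings.append(Finding(fields[0], host, classify(fields[0], host)))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.verdict in ("redirect", "watched-block")]


if __name__ == "__main__":
    for f in suspicious(triage_hosts(SAMPLE_HOSTS)):
        print(f"{f.verdict:14} {f.address:16} {f.hostname}")
```

A clean result from this script does not clear the machine, as the thread itself shows: the actual culprit was elsewhere, so treat the hosts file as one layer of the check, not the whole of it.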

#2 nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 May 2015 - 07:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
CloseProcesses:

HKLM\...\Run: [] => [X]
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
FF Plugin: @viewpoint.com/VMP -> C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll [2002-06-07] ()
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
U1 WS2IFSL; No ImagePath
C:\Documents and Settings\admin\Local Settings\Temp\patchw32.dll
C:\Documents and Settings\admin\Local Settings\Temp\patch.exe

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?

#3 paradoox

  • Topic Starter

  • Members
  • 3 posts
  • Gender:Male

Posted 10 May 2015 - 04:18 PM

Thanks. Things seem much better now. Gmail works as expected in all browsers, and Malwarebytes is able to update. Enclosed is the log. Any thoughts on why none of our AV stuff caught this? And is there any point in my reporting it to Norton?

#4 nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 May 2015 - 10:24 AM

This was possibly the culprit.
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] <==== ATTENTION!
Where it comes from is unknown to me.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 May 2015 - 08:26 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
