It works regardless of what browser is used, and it only seems to affect Google.com search results (so Bing has a use after all).

Some searching, especially for "webplains.net" suggests this may be the work of a known malware, TDSS, that can be removed with a one-off Kaspersky tool. I ran the tool, but it reported nothing out of the ordinary. Furthermore I can't find any tools that help with removing malware on 64-bit systems.

I don't really have anything to boot off to have a look at the filesystem. I can't see any malware in my current filesystem (of course, that's how rootkits work) - but I did find a malware file in my SysWow64 directory that has since been deactivated (it setup a Scheduled Task to rundll.exe itself on system startup).

My computer doesn't have an optical drive, so I'll have to boot from a USB stick, but I don't know what system is best for this. I have run the official WinPE in the past and I wasn't too impressed with it, but BartPE leaves a lot to be desired. Unfortunately the HDD in my laptop cannot be removed without breaking the warranty (as it involves the complete removal of the underside cover).

Any suggestions?

So for a windows solution there's a connect beta right now of System Sweeper - http://connect.microsoft.com/systemsweeper

Webplains doesn't seem to be using root kits though, from what I can see. Did you remove the system TDSSserve.sys hidden device first? And checked proxy settings once rebooted and scanned?

BTW, how did you discover you had this malware?

You should probably download something like AVG to do a scan of your system. If that doesn't work, you might want to consider formatting your machine and starting over.

Buy a 2.5" HDD caddy, copy off all of the files you need, format it including destroying the MBR (if it has one) then use a USB Key to reinstall Windows and copy your files back across. 

Even if you were able to remove the rootkit, you likely won't get all of the components or be able to determine if it added a reinfection vector (e.g. added malware CA, HOSTS corruption, new trusted sites, et al).    

The more I learn the less willing I am to ever attempt to remove infections. "Reinstall Windows" is the call of both the guru and low-hanging technical fruit alike. 

37 minutes ago, Kryptos wrote

I would agree with ManipUni's appoach.  You could run this: RootkitRevealer v1.71 

What I like to know W3bbo is how you got it? You are probably up-to-date with your patches on MicrosoftUpdate and don't run executable stuff from e-mail attachments nor do you download malware from websites and click yes on the UAC dialog. Was it Flash or Java that allowed your pc to get infected? Are they up-to-date?

Even if the infection is not a rootkit, what is to say that the infection has not put in enough hooks to always have a backdoor in place no matter how many different virus cleaners you run on it.  Whack-a-mole style.

Save your data files and blow that partition away.

I presume you have other machines with which you can download the Win7 ISO and use the Windows 7 USB/DVD Download Tool ( http://wudt.codeplex.com/ ) to reinstall.

There is also the option to do an in place upgrade of Windows 7 to see if that might work.  Although I don't know how it would distinguish a viral hook from any other legitimate hook.

In conclusion ... Blow it away and reinstall!

1 hour ago, ZippyV wrote

What I like to know W3bbo is how you got it? You are probably up-to-date with your patches on MicrosoftUpdate and don't run executable stuff from e-mail attachments nor do you download malware from websites and click yes on the UAC dialog. Was it Flash or Java that allowed your pc to get infected? Are they up-to-date?

The #1 way of getting infected is not being exploited, but running an exe written directly by the malware author. These tend to be either
a) Quick download my smileys!
b) Run this program to get rid of malware!
c) Run me because I am *popular game* / crack for a *popular game*! 
d) Click me to install codecs to watch *popular movie* / porn
e) Install this toolbar to use *popular application*
f) Install this toolbar to use *seemingly popular website*
g) Friend sends "Run this program it's amazing" which then installs malware and sends "Run this program it's amazing" to all of your friends. 

Only after all of these does drive-by infections kick in as methods of infecting computers - and again malware authors are lazy and tend to use easy-to-exploit bugs or bugs whose PoC are easy to turn around, which in practise means you need to be quite out of date for drive-by-downloads to work.

h) Someone breaks into a trusted software vendor and injects it into your favourite desktop application. 

In theory if they signed their releases it wouldn't be an issue, but very few Open Source Windows application installers do (e.g. Filezilla, GAIM, [The] GIMP, et al).   

Last time a roommate of mine reported his computer behaving odd and after checking and finding malware I recommend reinstalling Windows. I forgot to mention he shouldn't reinstall his applications from backed up installer executables and so he promptly reinfected his fresh windows again. Bah. He gave up and ran his computer infected, obviously I avoided any software that he tried to give me on USB keys like a plague.

Don't advertise that you got infected and did not do a proper sanitation of your (build?) environment. You aren't making me confident your software on your web properties are safe, there are enough scary stories on the internet with compromised upsteam. This paragraph will self destruct in a few hours. 

43 minutes ago, Royal​Schrubber wrote

 

Don't advertise that you got infected and did not do a proper sanitation of your (build?) environment. You aren't making me confident your software on your web properties are safe, there are enough scary stories on the internet with compromised upsteam. This paragraph will self destruct in a few hours. 

A certificate authority has gone offline this week because their servers were used to distribute malware. *boggle*

13 hours ago, blowdart wrote

Didn't you use to say you didn't run antivirus? *grin*

So for a windows solution there's a connect beta right now of System Sweeper - http://connect.microsoft.com/systemsweeper

Webplains doesn't seem to be using root kits though, from what I can see. Did you remove the system TDSSserve.sys hidden device first? And checked proxy settings once rebooted and scanned?

Yes, I am put to shame. To make things even worse I had UAC disabled at the time.

13 hours ago, cbae wrote

This came up on Bing search.

BTW, how did you discover you had this malware?

I started noticing google search links were being hijacked. I ran my Live HTTP Headers extension for Firefox and it showed that HTTP 301 redirects were being inserted. At first I thought Wikipedia was hacked (as it only affected links to WP to begin with). Then it started happening to other links and in other browsers, I ruled out anything at my ISP and realised something was amiss locally.

Process Explorer revealed that the Task Scheduler was launching rundll.exe with a program argument to a DLL called "dswaved.dll" under SysWow64. I quickly terminated it and extracted the file. The question remains how Task Scheduler was manipulated.

5 hours ago, evildictait​or wrote

That's very foolish of you.

You should probably download something like AVG to do a scan of your system. If that doesn't work, you might want to consider formatting your machine and starting over.

I'm running a Trend Micro house call right now, but I'm sceptical - rootkits usually can't be detected by AV software by their very nature.

4 hours ago, ManipUni wrote

Why waste time attempting to remove it? The Windows installation is suspect, it is beyond repair. 

Buy a 2.5" HDD caddy, copy off all of the files you need, format it including destroying the MBR (if it has one) then use a USB Key to reinstall Windows and copy your files back across. 

Even if you were able to remove the rootkit, you likely won't get all of the components or be able to determine if it added a reinfection vector (e.g. added malware CA, HOSTS corruption, new trusted sites, et al).    

The more I learn the less willing I am to ever attempt to remove infections. "Reinstall Windows" is the call of both the guru and low-hanging technical fruit alike.

You missed the part where I said the HDD was inaccessible.

Nonetheless, Sony was meant to collect my laptop for repairs last week (hint: they didn't) so there's not much on it anyway.

4 hours ago, Kryptos wrote

I would agree with ManipUni's appoach.  You could run this: RootkitRevealer v1.71 

RootkitRevealer only works on 32-bit systems.

3 hours ago, ZippyV wrote

*snip*Doesn't work anymore because the rootkit writers would keep finding ways to circumvent it.

 

What I like to know W3bbo is how you got it? You are probably up-to-date with your patches on MicrosoftUpdate and don't run executable stuff from e-mail attachments nor do you download malware from websites and click yes on the UAC dialog. Was it Flash or Java that allowed your pc to get infected? Are they up-to-date?

The Date Created field on the DLL file I recovered was at 2011-11-05 01:22.

I checked my browser history, I was browsing two websites at the time, stackoverflow.com, and a thread on iphonedevsdk.com - I'm going to assume Jeff Atwood's website is secure, but iphonedevsdk.com runs vBadvanced 3.1.0 which is an old version. A cursory Google search suggests that version of vBadvanced has a number of security vulnerabilities that may have been broken.

Assuming that's the case, the vector was that broken website, and something in my browser, possibly Flash or Acrobat (though I am running the latest version of both of these softwares). But the odd thing is that I run Flashblock in Firefox, so I'm stuck for ideas.

2 hours ago, davewill wrote

@W3bbo: A simple google toolbar infection combined with some entries in the Hosts file could exhibit the behavior as well.  It may not be a rootkit.  Then again, if it is a rootkit you need to blow that partition away and recreate it.  If you don't take the approach to just reinstall Windows, then you will spend more time analyzing and trying to clean and then more time still wondering and watching if it was actually clean.

Even if the infection is not a rootkit, what is to say that the infection has not put in enough hooks to always have a backdoor in place no matter how many different virus cleaners you run on it.  Whack-a-mole style.

Save your data files and blow that partition away.

I presume you have other machines with which you can download the Win7 ISO and use the Windows 7 USB/DVD Download Tool ( http://wudt.codeplex.com/ ) to reinstall.

There is also the option to do an in place upgrade of Windows 7 to see if that might work.  Although I don't know how it would distinguish a viral hook from any other legitimate hook.

In conclusion ... Blow it away and reinstall!

Looks like I'll be taking that path.

1 hour ago, evildictait​or wrote

*snip*

The #1 way of getting infected is not being exploited, but running an exe written directly by the malware author. These tend to be either
a) Quick download my smileys!
b) Run this program to get rid of malware!
c) Run me because I am *popular game* / crack for a *popular game*! 
d) Click me to install codecs to watch *popular movie* / porn
e) Install this toolbar to use *popular application*
f) Install this toolbar to use *seemingly popular website*
g) Friend sends "Run this program it's amazing" which then installs malware and sends "Run this program it's amazing" to all of your friends. 

Only after all of these does drive-by infections kick in as methods of infecting computers - and again malware authors are lazy and tend to use easy-to-exploit bugs or bugs whose PoC are easy to turn around, which in practise means you need to be quite out of date for drive-by-downloads to work.

I can assure you, I haven't been running any programs like that. This appears to be an example of the worst kind of drive-by download you can get: unauthorised remote code execution.

1 hour ago, ManipUni wrote

Don't forget secret option

h) Someone breaks into a trusted software vendor and injects it into your favourite desktop application. 

In theory if they signed their releases it wouldn't be an issue, but very few Open Source Windows application installers do (e.g. Filezilla, GAIM, [The] GIMP, et al).   

Now you've got me scared. I recently downloaded and installed the ffmpeg binaries from http://ffmpeg.zeranoe.com/builds/, but that was hours before any problems started appearing.

1 hour ago, Royal​Schrubber wrote

Format windows partition and delete all executables on all other partitions on internal and external storage devices that had writing access.

Last time a roommate of mine reported his computer behaving odd and after checking and finding malware I recommend reinstalling Windows. I forgot to mention he shouldn't reinstall his applications from backed up installer executables and so he promptly reinfected his fresh windows again. Bah. He gave up and ran his computer infected, obviously I avoided any software that he tried to give me on USB keys like a plague.

Don't advertise that you got infected and did not do a proper sanitation of your (build?) environment. You aren't making me confident your software on your web properties are safe, there are enough scary stories on the internet with compromised upsteam. This paragraph will self destruct in a few hours. 

Good point, why would any potential customer or client of mine want to be trust in someone who lets his own laptop get infected?

Fortunately "W3bbo" isn't associated with my "real-life" business identity

1 hour ago, Bass wrote

How did you discover this? From your router?

See above: after I noticed search results being hijacked.

Oddly enough, searching for "webplains.net" in Google, gave me an immediate 301 redirect to http://support.microsoft.com/kb/827315 - the evidence suggests that that redirect was caused by the malware - perhaps the author was under duress when he wrote it? (In any event, that Microsoft support article didn't help).

I just put the captured dodgy file through MSE, Kaspersky, and Trend Micro, and none of them reported it as being malware.

If none of these AV programs can detect malware, what's the point of running it at all?

1 hour ago, W3bbo wrote

I'm running a Trend Micro house call right now, but I'm sceptical - rootkits usually can't be detected by AV software by their very nature.

On the contrary. That's actually one of the rare things that AV companies are good at. AVs go out of their way to make sure any common strain of malware in the wild gets pick up by them. If you're the first to be hit with a new strain they might not pick it up straight away, but if you got it from dodgy executables, drive-by-downloads or publically known exploits on the internet the AV will have seen it and signatured it.

I can assure you, I haven't been running any programs like that. This appears to be an example of the worst kind of drive-by download you can get: unauthorised remote code execution.

If you're running latest OS / browser / flash it won't have been a drive-by download attack. Zero days are traded for hundreds of thousands of dollars on the black market and criminals aren't stupid enough to use them on machines that don't have something really valuable on them.

Now you've got me scared. I recently downloaded and installed the ffmpeg binaries from http://ffmpeg.zeranoe.com/builds/, but that was hours before any problems started appearing.

Lots of malware is bundled with the single task of download and run executables from a known source. The original exploit kit or executable author then "sells" installs to the criminals behind zeus and other malware who are then responsible for monetizing the infected computers - either through credit card theft, information theft, attaching the computer to a bot-net for DDoS and so on.

This behaviour can cause a delay between you running something dodgy and it getting picked up by AV vendors, or between you running something and your computer starting to behave maliciously.

To be honest, I know you think you probably haven't done anything wrong and it's easier to blame ingenious hackers and exploits, but the reality is that exploits are the exception rather than the norm (and almost exclusively against old machines running Windows XP and running software that hasn't been patched for months on end) for client machines getting infected.

Interestingly, it says it's found "2 threats".

It won't tell me what they are until the scan's over, it'll be interesting to see what they are.

39 minutes ago, W3bbo wrote

I'm running the TrendMicro House Call on my laptop still. Been going for over 6 hours now and it's only 60% complete :o

Interestingly, it says it's found "2 threats".

It won't tell me what they are until the scan's over, it'll be interesting to see what they are.

Didn't you say had hardly any data on this HD? Dayam.

6 hours ago, W3bbo wrote

To all those who said I should use AV software:

I just put the captured dodgy file through MSE, Kaspersky, and Trend Micro, and none of them reported it as being malware.

If none of these AV programs can detect malware, what's the point of running it at all?

That is because the "dodgy file" you refer to is really part of DirectX. See the file listed here. There is some other executable that you missed that is the real culprit.

Seriously, running something like MSE takes no noticeable resources, and I run some heavy duty realtime music applications at low buffer latencies without any audio glitches. And I don't see what the big issue is with leaving UAC turned on. Once in a while I have click on "Yes/No". I really can't remember the last time I had an infection, it has been years now.

26 minutes ago, cbae wrote

*snip*

Didn't you say had hardly any data on this HD? Dayam.

I meant to clarify that as "hardly any data worth keeping" - i.e. personal documents, it still feels the need to scan my 80GB collection of legitimately acquired MP3s, the MSDN content installations and of course, the tens of gigabytes that Microsoft Windows likes to amass in the WinSxS directory.

It's now 2011-11-06 00:40 and it's just hit 70%, so far it's found 4 threats, I note that for as long as I've been watching it it's been scanning my Firefox cache - so if the malware installer found its way through there it makes sense.

I'll post a follow-up when I check back in the morning.

56 minutes ago, W3bbo wrote

*snip*

I meant to clarify that as "hardly any data worth keeping" - i.e. personal documents, it still feels the need to scan my 80GB collection of legitimately acquired MP3s, the MSDN content installations and of course, the tens of gigabytes that Microsoft Windows likes to amass in the WinSxS directory.

Well obviously it's going to scan all your MP3s, one of those might contain viral code. As for WinSxS, it's a bunch of hard links to files elsewhere, it doesn't really occupy "tens of gigabytes"

If there's nothing worth keeping though I don't really see the point of trying to disinfect the machine, reformatting and reinstalling is really the only sane option anyway. And this time leave UAC on and actually use a proper on-access virus scanner at all times.

However all of them were inactive (i.e. just passive virulent files that weren't configured by the system to be loaded anywhere). Curiously enough, it flagged a JPEG file as a virus. I inspected it with a binary editor and apparently it was a renamed zip file containing an EXE. It came attached with some email.

22 minutes ago, Bass wrote

That must be a pretty crappy rootkit if you could detect it without even switching operating systems.

1 hour ago, W3bbo wrote

The scan completed a short while ago, 7 threats were found in total.

However all of them were inactive (i.e. just passive virulent files that weren't configured by the system to be loaded anywhere). Curiously enough, it flagged a JPEG file as a virus. I inspected it with a binary editor and apparently it was a renamed zip file containing an EXE. It came attached with some email.

Live and learn, eh?

1 hour ago, Bass wrote

That must be a pretty crappy rootkit if you could detect it without even switching operating systems.

On the contrary. The way rootkit detectors work is they ask for the same information in about 100 different ways. If any of them disagree with the others then something is wrong. E.g. if you enumerate the files in a folder and see nothing, but do an NtQueryObject on the directory and discover that it contains 1 file, then something is amiss. The point is that rootkits can hook stuff, but unless they hook everything (which requires a lot of time, effort and Winternals knowledge) they're going to screw up and will get caught.

Also AVs tend to look for heuristics as well as file signatures, so if an image gets mapped from disk but the file doesn't show up in an ZwOpenFile then something is wrong.

5 hours ago, W3bbo wrote

The scan completed a short while ago, 7 threats were found in total.

However all of them were inactive (i.e. just passive virulent files that weren't configured by the system to be loaded anywhere). Curiously enough, it flagged a JPEG file as a virus. I inspected it with a binary editor and apparently it was a renamed zip file containing an EXE. It came attached with some email.

The thing is, you now know the system was infected but you don't really know it isn't still compromised by something the anti-virus tool didn't spot. So you've lost the best part of a day scanning a system and you can still only be sure it's clean by reinstalling everything. Not unsurprised to see executables hidden inside renamed files though, that's pretty common.

3 hours ago, PaoloM wrote

*snip*Using a better browser (with real security features) and an av would have prevented all that to show up on your system.

++

Eventually everyone I've ever known to make the statement "I don't need an AV, I know what I am doing" has ended up in exactly this position.

And if the rootkit answers correctly all 100 ways? The fact of the matter is though, there is no perfect security. Intrusion detection with no false negatives has been shown to be an undecidable problem.[1]

[1]: http://vxheavens.com/lib/afc01.html

4 minutes ago, spivonious wrote

I've successfully removed some pretty nasty viruses, but if there's no data on there that you care about, just wipe out the partition table and start over. It's much, much faster. Hours versus days.

what I'd like Microsoft (or anyone) to make, is a program that inspects a HDD and ensures the boot path from the boot sector to loading the desktop is free of contamination - which means you can safely boot it up and run a manual scan at your leisure knowing your system isn't compromised in a way that betrays your trust in it.

5 minutes ago, W3bbo wrote

*snip*

what I'd like Microsoft (or anyone) to make, is a program that inspects a HDD and ensures the boot path from the boot sector to loading the desktop is free of contamination - which means you can safely boot it up and run a manual scan at your leisure knowing your system isn't compromised in a way that betrays your trust in it.

And how would you do that? There are so many points that you can plug into legitimately, and of course a myriad of software that does it, which has updates.

Or of course you can take the trusted boot option, but then, well, you get a lot of complaints that Microsoft is trying to control your software so only Microsoft sourced programs will run.

14 hours ago, blowdart wrote

*snip*

And how would you do that? There are so many points that you can plug into legitimately, and of course a myriad of software that does it, which has updates.

Or of course you can take the trusted boot option, but then, well, you get a lot of complaints that Microsoft is trying to control your software so only Microsoft sourced programs will run.

Microsoft could include as part of the install process, a separate, trusted minimal Windows installation (there are a plethora of ways to protect it), that can be used strictly for antivirus and malware scanning. In other words, they can build in to the installation the same thing that technicians cobble together every day with Hirens or UBCD4Win for the exact same purposes. Or just extend the current system recovery image that lets you do system restore and startup file check to include the ability to run virus or malware scans.

15 hours ago, blowdart wrote

*snip*

And how would you do that? There are so many points that you can plug into legitimately, and of course a myriad of software that does it, which has updates.

Or of course you can take the trusted boot option, but then, well, you get a lot of complaints that Microsoft is trying to control your software so only Microsoft sourced programs will run.

On the other hand, it seems perfectly valid request to add boot option that only loads Microsoft signed executables on the boot steps.

Afterall, most drivers on x64 supposed already have supplied driver that have done that. And non-device drivers are usually non-critical for diagnostic boot and can be appropiately skipped in this scenerio.

There could be other categories, but when this plan puts out, those affected will seek to have Microsoft sign their binaries.