I started noticing Google search links were being hijacked. I ran my Live HTTP Headers extension for Firefox and it showed that HTTP 301 redirects were being inserted. At first I thought Wikipedia was hacked (as it only affected links to WP to begin with). Then it started happening to other links and in other browsers; I ruled out anything at my ISP and realised something was amiss locally.
Process Explorer revealed that the Task Scheduler was launching rundll.exe with a program argument to a DLL called "dswaved.dll" under SysWow64. I quickly terminated it and extracted the file. The question remains how Task Scheduler was manipulated.
Why waste time attempting to remove it? The Windows installation is suspect; it is beyond repair.
Buy a 2.5" HDD caddy, copy off all of the files you need, format it (including destroying the MBR, if it has one), then use a USB key to reinstall Windows and copy your files back across.
Even if you were able to remove the rootkit, you likely won't get all of the components or be able to determine if it added a reinfection vector (e.g. added malware CA, HOSTS corruption, new trusted sites, et al).
The more I learn the less willing I am to ever attempt to remove infections. "Reinstall Windows" is the call of both the guru and low-hanging technical fruit alike.
You missed the part where I said the HDD was inaccessible.
Nonetheless, Sony was meant to collect my laptop for repairs last week (hint: they didn't) so there's not much on it anyway.
*snip* Doesn't work anymore because the rootkit writers would keep finding ways to circumvent it.
What I'd like to know, W3bbo, is how you got it. You are probably up-to-date with your patches on Microsoft Update and don't run executable stuff from e-mail attachments, nor do you download malware from websites and click yes on the UAC dialog. Was it Flash or Java that allowed your PC to get infected? Are they up-to-date?
The Date Created field on the DLL file I recovered was at 2011-11-05 01:22.
I checked my browser history. I was browsing two websites at the time: stackoverflow.com, and a thread on iphonedevsdk.com. I'm going to assume Jeff Atwood's website is secure, but iphonedevsdk.com runs vBadvanced 3.1.0, which is an old version. A cursory Google search suggests that version of vBadvanced has a number of security vulnerabilities that may have been broken.
Assuming that's the case, the vector was that broken website, and something in my browser, possibly Flash or Acrobat (though I am running the latest version of both). But the odd thing is that I run Flashblock in Firefox, so I'm stuck for ideas.
@W3bbo: A simple google toolbar infection combined with some entries in the Hosts file could exhibit the behavior as well. It may not be a rootkit. Then again, if it is a rootkit you need to blow that partition away and recreate it. If you don't take the approach to just reinstall Windows, then you will spend more time analyzing and trying to clean and then more time still wondering and watching if it was actually clean.
Even if the infection is not a rootkit, what is to say that the infection has not put in enough hooks to always have a backdoor in place no matter how many different virus cleaners you run on it. Whack-a-mole style.
Save your data files and blow that partition away.
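The thread names two places where a hijack like this can live: the scheduled task that launched rundll with a DLL under SysWow64 (first post) and HOSTS file entries (the reply above). Both can be triaged offline from exported artefacts. The following Python is an added example, not code from anyone in the thread: it parses a task export in the Task Scheduler XML format (the schema `schtasks /query /xml` emits) and a HOSTS file, listing Exec actions that run rundll32 together with the DLL they load, and every HOSTS entry other than the loopback localhost mapping. The task and HOSTS samples are constructed; the export name `PLACEHOLDER_EXPORT` stands in for an entry point the thread never gives, and 203.0.113.5 is from a documentation address range.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# rundll32.exe is the actual binary; the thread's "rundll.exe" spelling is kept as an alias.
RUNDLL_NAMES = {"rundll32.exe", "rundll.exe"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample modelled on the finding in the first post: a task whose action
# loads a DLL from SysWOW64 via rundll32. PLACEHOLDER_EXPORT stands in for the entry
# point, which the thread does not name.
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\SysWOW64\rundll32.exe</Command>
      <Arguments>C:\Windows\SysWOW64\dswaved.dll,PLACEHOLDER_EXPORT</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: no rundll32 involved.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\notepad.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed HOSTS sample; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.google.com   # search engine pointed somewhere else
203.0.113.5     en.wikipedia.org
"""


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased (os.path won't split '\\' on Linux)."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def rundll_actions(task_xml):
    """Return (command, dll_path) for every Exec action that runs rundll32/rundll.

    A rundll32 action is not malicious by itself; what the analyst has to inspect is the
    DLL it loads, and an unrecognised DLL name under SysWOW64, as in the first post,
    is the file to pull for analysis.
    """
    root = ET.fromstring(task_xml)
    hits = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if _basename(cmd) in RUNDLL_NAMES:
            # rundll32 syntax is "<dll>,<entry point>"; keep only the DLL path.
            dll = args.split(",", 1)[0].strip()
            hits.append((cmd, dll))
    return hits


def hosts_overrides(hosts_text):
    """Return (ip, hostname) for every entry other than the loopback localhost mappings.

    A stock Windows HOSTS file resolves nothing but localhost, so any other live entry
    is a manual or malicious DNS override worth explaining.
    """
    overrides = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.lower() == "localhost":
                continue
            overrides.append((ip, name))
    return overrides


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, "rundll actions:", rundll_actions(xml))
    print("HOSTS overrides:", hosts_overrides(SAMPLE_HOSTS))
```

Run against real exports, `rundll_actions` is meant to be applied to every task in the Tasks folder, not just one: the one the OP found was only visible because Process Explorer caught it executing. A HOSTS override for a search engine or Wikipedia would also explain the 301 behaviour in the first post without any rootkit, which is the point the reply above makes.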
I presume you have other machines with which you can download the Win7 ISO and use the Windows 7 USB/DVD Download Tool (http://wudt.codeplex.com/) to reinstall.
There is also the option to do an in place upgrade of Windows 7 to see if that might work. Although I don't know how it would distinguish a viral hook from any other legitimate hook.
The #1 way of getting infected is not being exploited, but running an exe written directly by the malware author. These tend to be either:
a) Quick download my smileys!
b) Run this program to get rid of malware!
c) Run me because I am *popular game* / crack for a *popular game*!
d) Click me to install codecs to watch *popular movie* / porn
e) Install this toolbar to use *popular application*
f) Install this toolbar to use *seemingly popular website*
g) Friend sends "Run this program it's amazing" which then installs malware and sends "Run this program it's amazing" to all of your friends.
Only after all of these do drive-by infections kick in as methods of infecting computers - and again, malware authors are lazy and tend to use easy-to-exploit bugs or bugs whose PoC is easy to turn around, which in practice means you need to be quite out of date for drive-by downloads to work.
I can assure you, I haven't been running any programs like that. This appears to be an example of the worst kind of drive-by download you can get: unauthorised remote code execution.
Format the Windows partition and delete all executables on all other partitions on internal and external storage devices that had write access.
Last time a roommate of mine reported his computer behaving oddly, after checking and finding malware I recommended reinstalling Windows. I forgot to mention he shouldn't reinstall his applications from backed-up installer executables, and so he promptly reinfected his fresh Windows again. Bah. He gave up and ran his computer infected; obviously I avoided any software that he tried to give me on USB keys like the plague.
Don't advertise that you got infected and did not do a proper sanitation of your (build?) environment. You aren't making me confident your software on your web properties is safe; there are enough scary stories on the internet about compromised upstreams. This paragraph will self-destruct in a few hours.
Good point, why would any potential customer or client of mine want to trust someone who lets his own laptop get infected?
Fortunately "W3bbo" isn't associated with my "real-life" business identity.
See above: after I noticed search results being hijacked.
Oddly enough, searching for "webplains.net" in Google, gave me an immediate 301 redirect to http://support.microsoft.com/kb/827315 - the evidence suggests that that redirect was caused by the malware - perhaps the author was under duress when he wrote it? (In any event, that Microsoft support article didn't help).