Solved

Virus-related web browser failure

Posted on 2012-03-28
Last Modified: 2013-11-22
I have a client machine with unusable web browsers: you can ping by name or IP address, but there is no connection.

This occurs with or without firewall enabled, and I haven't had much luck trying to identify the bug in question.

This is a Win7 Pro 64-bit machine; the problem occurs on IE, Firefox, and Chrome.

Browsers work in safe mode, but not in normal mode.

Ran RogueKiller, TheKiller, Malwarebytes, ComboFix, Spybot Search & Destroy, and Yorkyt.

6b8683c4-2944-4715-8851-a2f4343bc1b.dll was found by ComboFix; it looks pretty distinctive. Anyone know what this is?
Question by:9660kel
LVL 28

Expert Comment

by:jhyiesla
ID: 37777870
Don't know what that DLL is, but here are some thoughts on the issue.

One, if you had a virus infection of some kind, it could have so screwed up your machine that you may need to reload. But before going to that extreme, check out a couple of things.

First, look and see what DNS servers the PC is attempting to use. I know that you can ping by name and this is most likely not it, but still worth checking.

Second, look in the browsers and see if a proxy is set. If it is and it's not yours or you don't use one, remove the proxy settings and most likely the browser will start to work.

Third, try logging on as a different user to make sure it's not limited to that profile.
LVL 5

Author Comment

by:9660kel
ID: 37777975
It's a client's computer, so it's not quite a matter of just deleting proxy settings or not, and as luck would have it, the system is back with the client for now.

I did look at the DNS server, and it was correct for the lab network. (I have an isolated subnet for possibly infected systems, and I recommend one for anyone who deals in pest removal.)

I didn't get a chance to log in on a clean profile, but I was using a domain admin account, not the user's account, so it's a good bet it's system-wide.

I'm really interested in finding out what bug this is, as the behavior is kinda novel.
LVL 15

Expert Comment

by:Russell_Venable
ID: 37780070
Did this problem appear after removing the threat? If possible, have them replace AFD.sys with a fresh copy.
LVL 5

Author Comment

by:9660kel
ID: 37780125
It's a regenerative threat, and as far as I can tell, I haven't removed anything that hasn't grown back.

Nice to see you on this BTW, do you have any ideas on which bug this might be?
LVL 15

Expert Comment

by:Russell_Venable
ID: 37780152
Thanks. Do you have any other details? BTW, I created a new tool to check SVCHOST for DLLs. I learned from last time. Anyway, if you can get more details I'll be more than merry to help out on this. I also added a contact email in my profile.
LVL 5

Author Comment

by:9660kel
ID: 37780616
Cool deal. I'm falling on my nose, so first thing in the morning you'll see log files.

I've got a fairly full grouping.
LVL 5

Author Comment

by:9660kel
ID: 37784635
Okay, a bit later than I'd hoped, but here we go.
ComboFix--2-.txt
ComboFix.txt
RKreport-1-.txt
RKreport-2-.txt
TheKiller.txt
yorkyt.exe.log
LVL 15

Expert Comment

by:Russell_Venable
ID: 37785019
Try to fix this first hand.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)  <-- 0x00000001 user approval with UAC or 0x00000002 just for admin approval mode
"ConsentPromptBehaviorUser"= 3 (0x3)   <-- 0x00000001 enable user to elevate via UAC 0x00000000 disables elevation prompts and fails

--sha-w- c:\programdata\KGyGaAvL.sys <-- Divx driver? Wrong directory for a system file to be located. Attributes are hiding this as well. Try having them uninstall Divx and see if this disappears from ComboFix's scan.
+ 2012-03-28 10:47 . 2010-03-13 02:28      68184              c:\windows\Temp\kladminkit\72ebec1f-9605-49a1-8e03-10c0dc56fa31.dll <-- Injected dll

It appears there is file hijacking. TheKiller's log shows:
HKCU\...\Explorer\Advanced: SuperHidden -> Resetted to '0'
HKLM\...\IEXPLORE.EXE\shell\open\command: @ -> Resetted to 'iexplore.exe'
HKLM\...\FIREFOX.EXE\shell\open\command: @ -> Resetted to 'firefox.exe'

Once you run TheKiller, try to see if you can move the dll from the location c:\windows\Temp\kladminkit\ (or wherever it is located in the c:\temp directory) and see if it will move to the desktop.

BTW, did you try jhyiesla's suggestion of trying to see if it's limited to just one account?
LVL 5

Author Comment

by:9660kel
ID: 37785090
The UAC behavior is probably configured by the admin (they have voice software that hangs on UAC). If the setting is other than bypass, then we might need to look at it.

The problem is system-wide, as I said earlier, and at this point I've tried with both domain and local accounts: same problems.

I saw the injected dll file, notice how the name mutates? There also seems to be considerable use of GUIDs, or at least more than I've seen in other bugs. You can see in the lower part of the Combofix scans where some of the related entries have different GUIDs from scan to scan.

I'll see if I can get a copy of the dll, and upload it to virustotal, unless you have other plans for it.
LVL 5

Author Comment

by:9660kel
ID: 37785128
Virustotal comes back with nothing on the dll file. Red herring?
LVL 5

Author Comment

by:9660kel
ID: 37785421
BTW, this system does not have Divx.
LVL 15

Expert Comment

by:Russell_Venable
ID: 37785590
If you can get a copy, send it passworded to my email. I can always do a good amount of work on it. :)
The UAC behavior is probably configured by admin. (they have voice software that hangs on UAC) If the setting is other than bypass, then we might need to look at it.
As for UAC, if the administrator is using these settings for a bypass, this would be a good reason the infection spread as far as it did.
BTW, this system does not have Divx.
Well, we definitely know it's not a valid file and it's in the wrong place. Removing it should be the next step.

The trouble with W7 x64 is that in order to get an accurate snapshot of the process tree and all the objects, they need to be read from ring0, and the restrictions that apply to non-signed drivers are a pain as well. Otherwise, I would have my own anti-rootkit working for W7 x64 on this issue.

Have you attempted to take a look at the processes and all modules (*.dll) loaded with them? Sometimes you get lucky and find the location it's injected from as well.

Virustotal comes back with nothing on the dll file. Red herring?
Yes, I would truly say this is false. It's obvious they went through all the trouble to get this file onto the system and changed its signature.
LVL 5

Author Comment

by:9660kel
ID: 37785661
No hits on the sys file either, looks like we get to deal with an unknown, or fresh baked goodness.

I guess it's time to bust out XueTr and go fishing.
LVL 15

Expert Comment

by:Russell_Venable
ID: 37785830
XueTr doesn't work on W7 x64 unless they paid for Microsoft to sign their driver.
LVL 5

Author Comment

by:9660kel
ID: 37787330
Here's an interesting find in the process list: boinc.exe

This machine is not running SETI@home or anything like it. Another tell is that the process is showing zero modules, zero size, and zero usage. Don't know how I missed that on the first sweep.
LVL 15

Expert Comment

by:Russell_Venable
ID: 37787611
That process belongs to a research group and so do a few more. That is kind of odd.
LVL 5

Author Comment

by:9660kel
ID: 37787651
There is a bunch of stuff running under PID 716; many are valid names, but same song: no modules, zero size, zero usage.

Now we need to crack the shell and get at the nougaty center.
LVL 15

Accepted Solution

by:Russell_Venable (earned 500 total points)
ID: 37792583
You know, come to think of it, you have S&D already installed. Why don't you try checking for LSPs redirecting/canceling your traffic and uninstall one very specific file:

c:\program files\Easy-Hide-IP\rdr\EasyRedirect.exe [2012-02-08 3318488]

This software hijacks your Winsock as a third-party middleman filter. I'll bet you this file here is doing just that. I would also warn the client against using such software in the future.
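The checks raised across this thread (the proxy-setting check in jhyiesla's first reply, the browser open-command hijack that TheKiller's log reset, and the Winsock LSP check in the accepted answer) can be run as one read-only triage pass. This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell session on Windows 7, the standard StartMenuInternet registry names (the 'Google Chrome' key name is an assumption), and the usual layout of `netsh winsock show catalog` output. It only reports findings and modifies nothing.

```powershell
# Browser-connectivity triage for a Windows 7 host (added example, not from the thread).
# Assumes an elevated session; all registry paths and netsh output format are assumptions
# based on standard Windows locations. Nothing is changed, findings are only reported.

function Get-ProxyFindings {
    # Per-user WinINET proxy: a proxy or PAC script the site does not use is the
    # first thing to check when every browser fails but ping still works.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1) { "Proxy enabled: $($p.ProxyServer)" }
    if ($p.AutoConfigURL)    { "PAC script configured: $($p.AutoConfigURL)" }
}

function Get-BrowserCommandFindings {
    # Default browser launch commands (the values TheKiller reset in the thread).
    # Flags any command that does not point at the expected executable name.
    $expected = @{ 'IEXPLORE.EXE' = 'iexplore.exe'; 'FIREFOX.EXE' = 'firefox.exe'; 'Google Chrome' = 'chrome.exe' }
    foreach ($name in $expected.Keys) {
        $key = "HKLM:\SOFTWARE\Clients\StartMenuInternet\$name\shell\open\command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -notmatch [regex]::Escape($expected[$name])) {
            "Suspicious open command for ${name}: $cmd"
        }
    }
}

function Get-WinsockFindings {
    # Winsock catalog: a Layered Service Provider, or any provider DLL outside
    # %SystemRoot%\system32, sits in the path of every browser socket and can
    # redirect or drop traffic (the EasyRedirect case in the accepted answer).
    $text = (netsh winsock show catalog) -join "`n"
    foreach ($entry in ($text -split 'Winsock Catalog Provider Entry')) {
        if ($entry -notmatch 'Provider Path:\s+(?<path>\S.*)') { continue }
        $path = $Matches.path.Trim()
        $type = if ($entry -match 'Entry Type:\s+(?<t>.*)') { $Matches.t.Trim() } else { '?' }
        $desc = if ($entry -match 'Description:\s+(?<d>.*)') { $Matches.d.Trim() } else { '?' }
        $inSystem32 = ($path -match '^%SystemRoot%\\system32\\') -or
                      ($path -match '^C:\\Windows\\system32\\')
        if ($type -match 'Layered' -or -not $inSystem32) {
            "Winsock provider to review [$type] $desc -> $path"
        }
    }
}

$findings = @(Get-ProxyFindings) + @(Get-BrowserCommandFindings) + @(Get-WinsockFindings)
if ($findings) { $findings } else { 'No proxy, browser command or Winsock findings.' }
```

A third-party LSP that shows up here is removed by uninstalling the product that registered it, as the accepted answer did; `netsh winsock reset` is the fallback when no uninstaller is left, after which the catalog should contain only Microsoft providers under system32.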
LVL 5

Author Comment

by:9660kel
ID: 37792686
I'll give that a try, and let you know.
LVL 5

Author Closing Comment

by:9660kel
ID: 37792817
Nice call, I removed the program and everything is working as it should.

The client will definitely hear about using too many cleaner apps as well.