Virus related web browser failure

I have a client machine with unusable web browsers: you can ping by name or IP address, but there is no connection.

This occurs with or without firewall enabled, and I haven't had much luck trying to identify the bug in question.

This is a win7 pro 64 bit machine, the problem occurs on IE, Firefox, and Chrome.

Browsers work in safe mode, but not in normal mode.

Ran roguekiller, Thekiller, Malwarebytes, Combofix, Spybot search and destroy, and Yorkyt.

6b8683c4-2944-4715-8851-a2f4343bc1b.dll was found by combofix, looks pretty distinctive, anyone know what this is?
9660kelAsked:

jhyieslaCommented:
Don't know what that DLL is, but here are some thoughts on the issue.

One, if you had a virus infection of some kind it could have so screwed up your machine that you may need to reload. But before going to that extreme, check out a couple of things.

First, look and see what DNS servers the PC is attempting to use. I know that you can ping by name and this is most likely not it, but still worth checking.

Second, look in the browsers and see if a proxy is set. If it is and it's not yours or you don't use one, remove the proxy settings and most likely the browser will start to work.

Third, try logging on as a different user to make sure it's not limited to that profile.
9660kelAuthor Commented:
It's a client's computer, so it's not quite a matter of just deleting proxy settings or not, and as luck would have it, the system is back with the client for now.

I did look at the DNS server, and it was correct for the lab network. (I have an isolated subnet for possibly infected systems, and I recommend one for anyone who deals in pest removal)

I didn't get a chance to log in on a clean profile, but I was using a domain admin account, not the user's account, so it's a good bet it's system wide.

I'm really interested in finding out what bug this is, as the behavior is kinda novel.
Russell_VenableCommented:
Was this problem received after removing the threat? If possible, have them replace AFD.sys with fresh copy.
9660kelAuthor Commented:
It's a regenerative threat, and as far as I can tell, I haven't removed anything that hasn't grown back.

Nice to see you on this BTW, do you have any ideas on which bug this might be?
Russell_VenableCommented:
Thanks. Do you have any other details? Btw, I created a new tool to check SVCHOST for DLLs. I learned from last time. Anyways, if you can get more details I'll be more than merry to help out on this. I also added a contact email in my profile as well.
9660kelAuthor Commented:
Cool deal, I'm falling on my nose, so first thing in the morning you'll see log files.

I've got a fairly full grouping.
9660kelAuthor Commented:
Okay, a bit later than I'd hoped, but here we go.
ComboFix--2-.txt
ComboFix.txt
RKreport-1-.txt
RKreport-2-.txt
TheKiller.txt
yorkyt.exe.log
Russell_VenableCommented:
Try to fix this first hand.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)  <-- 0x00000001 user approval with UAC or 0x00000002 just for admin approval mode
"ConsentPromptBehaviorUser"= 3 (0x3)   <-- 0x00000001 enable user to elevate via UAC 0x00000000 disables elevation prompts and fails

--sha-w- c:\programdata\KGyGaAvL.sys <-- Divx driver?  Wrong directory for a system file to be located. Attributes are hiding this as well. Try having them uninstall Divx and see if this disappears from ComboFix's scan.
+ 2012-03-28 10:47 . 2010-03-13 02:28      68184              c:\windows\Temp\kladminkit\72ebec1f-9605-49a1-8e03-10c0dc56fa31.dll <-- Injected dll


It appears there is file hijacking. The TheKiller log shows:
HKCU\...\Explorer\Advanced: SuperHidden -> Resetted to '0'
HKLM\...\IEXPLORE.EXE\shell\open\command: @ -> Resetted to 'iexplore.exe'
HKLM\...\FIREFOX.EXE\shell\open\command: @ -> Resetted to 'firefox.exe'

Once you run TheKiller, try to see if you can move the dll from the location c:\windows\Temp\kladminkit\ (or wherever it is located in the c:\temp directory) and see if it will move to the desktop.

Btw, did you try jhyiesla's suggestion of trying to see if it's limited to just one account?
9660kelAuthor Commented:
The UAC behavior is probably configured by admin. (they have voice software that hangs on UAC) If the setting is other than bypass, then we might need to look at it.

The problem is system wide, as I said earlier, but at this point, I've tried with both domain and local accounts, same problems.

I saw the injected dll file, notice how the name mutates? There also seems to be considerable use of GUIDs, or at least more than I've seen in other bugs. You can see in the lower part of the Combofix scans where some of the related entries have different GUIDs from scan to scan.

I'll see if I can get a copy of the dll, and upload it to virustotal, unless you have other plans for it.
9660kelAuthor Commented:
Virustotal comes back with nothing on the dll file. Red herring?
9660kelAuthor Commented:
BTW, this system does not have Divx.
Russell_VenableCommented:
If you can get a copy send it passworded to my email. I can always do a good amount of work on it. :)
The UAC behavior is probably configured by admin. (they have voice software that hangs on UAC) If the setting is other than bypass, then we might need to look at it.
As for UAC, if the administrator is using these settings for a bypass, this would be a good reason the infection spread as far as it did.
BTW, this system does not have Divx.
Well, we definitely know it's not a valid file and it's in the wrong place. Removing it should be the next step.

The trouble with W7 x64 is that in order to get an accurate snapshot of the process tree and all the objects, they need to be read from ring0, and the restrictions that apply to non-signed drivers are a pain as well. Otherwise, I would have my own anti-rootkit working for W7 x64 on this issue.

Have you attempted to take a look at the processes and all modules (*.dll) loaded with them? Sometimes you get lucky and find the location it's injected from as well.

Virustotal comes back with nothing on the dll file. Red herring?
Yes, I would truly say this is false. It's obvious they went through all the trouble to get this file onto the system and changed its signature.
9660kelAuthor Commented:
No hits on the sys file either, looks like we get to deal with an unknown, or fresh baked goodness.

I guess it's time to bust out xuetr and go fishing.
Russell_VenableCommented:
Xuetr doesn't work on W7 x64 unless they paid for Microsoft to sign their driver.
9660kelAuthor Commented:
Here's an interesting find in the process list, boinc.exe

This machine is not running seti@home or anything like it. Another tell is the process is showing zero modules, zero size, and zero usage. Don't know how I missed that the first sweep.
Russell_VenableCommented:
That process belongs to a research group and so do a few more. That is kind of odd.
9660kelAuthor Commented:
There is a bunch of stuff running under PID 716, many are valid names, but same song, no modules, zero size, zero usage.

Now, we need to crack the shell and get at the nougaty center.
Russell_VenableCommented:
You know, come to think of it, you have S&D already installed. Why don't you try checking for LSPs redirecting/canceling your traffic, and uninstall one very specific file.

c:\program files\Easy-Hide-IP\rdr\EasyRedirect.exe [2012-02-08 3318488]

This software hijacks your Winsock as a 3rd party middle man filter. I'll bet you this file here is doing just that. I would also warn the client against using such software in the future.

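To check for the kind of Winsock LSP hijack Russell points at, here is an added example (not code from the thread, from Easy-Hide-IP, or from any of the tools mentioned) that parses the output of `netsh winsock show catalog` and flags layered providers whose DLL loads from outside the Windows directory. The sample catalog text, its GUIDs and the vendor path in it are constructed for offline use; on a Windows host the script runs the real `netsh` command instead.

```python
"""Flag third-party Winsock Layered Service Providers (LSPs).

Added example, not from the original thread. Microsoft's own providers
(mswsock.dll etc.) load from %SystemRoot%\\system32; an LSP loading from
Program Files is a third-party filter sitting in the socket path.
"""
import re
import subprocess
import sys

FIELD = re.compile(r"^(Entry Type|Description|Provider Path|Catalog Entry ID):\s*(.*\S)\s*$")

# Constructed sample of `netsh winsock show catalog` output (GUIDs and vendor path are made up).
SAMPLE = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example redirector over [TCP/IP]
Provider ID:                        {22222222-2222-2222-2222-222222222222}
Provider Path:                      C:\\Program Files\\ExampleVendor\\redirect.dll
Catalog Entry ID:                   1002
Version:                            2
"""


def parse_catalog(text):
    """Split netsh output into one dict per catalog entry, keyed by field name."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2)
        elif (not line.strip() or line.startswith("Winsock Catalog")) and current:
            entries.append(current)  # blank line or next header closes the entry
            current = {}
    if current:
        entries.append(current)
    return entries


def third_party_lsps(entries):
    """Return layered providers (LSP or chain entries) not loading from the Windows directory."""
    return [e for e in entries
            if "Layered" in e.get("Entry Type", "")
            and not re.match(r"^(%SystemRoot%|C:\\Windows)\\", e.get("Provider Path", ""), re.I)]


def main():
    if sys.platform == "win32":
        text = subprocess.run(["netsh", "winsock", "show", "catalog"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE  # offline: use the constructed sample above
    for e in third_party_lsps(parse_catalog(text)):
        print(f"{e['Catalog Entry ID']}: {e['Description']} -> {e['Provider Path']}")


if __name__ == "__main__":
    main()
```

Anything it prints is a candidate for the `netsh winsock reset` / uninstall step Russell describes, after confirming the vendor is not one the client actually wants.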
9660kelAuthor Commented:
I'll give that a try, and let you know.
9660kelAuthor Commented:
Nice call, I removed the program and everything is working as it should.

The client will definitely hear about using too many cleaner apps as well.