Wednesday, January 28, 2009

A run-in with Defender-Review browser hijack malware

WARNING: this is long and technical.

It was about 6:30 last night when my son said "That's wierd, mom's computer just rebooted". I asked him if he did it and he said no, he was in the middle of playing one of his online games. I thought uh-oh, not now -- I'm just way too busy.

(update: I was running AVG free version 8 on this machine at the time and it did not see this.)

When it rebooted, all looked normal except for a supposed Windows Firewall Message that it had blocked an attempt by Win32.Zafi.B to talk out through the firwall. The Keep Blocking and Unblock buttons were grayed out and a third button was there -- it said something about fix it -- so I clicked it and like magic, IE7 opened up viewing Defender-Review [.] com where it tried to tell me that I had viruses and I had to buy their AV software to fix it.

So I immediately unplugged the network cable. Next I went to another computer on another network and did research on the supposed virus and the web site that popped up. The virus was an old email virus from 2004. Little chance of that happening because we use Pegasus on that machine and I don't allow attachments to be opened. And email was scanned on the way in.

So I focused on the web site - I wondered "is their marketing budget so low that they have to resort to hijacking to get people to come to their site?". I quickly learned enough through Google to see that it was a browser hijack. Oh, by the way, this was the first hour wasted.

Next I tried the basics. I opened Firefox and it wouldn't open on the desktop. It appeared in Task Manager, but did not open the first time. I killed it and tried until it eventually appeared with a strange message about blocking and to click on some links -- view source showed that it was an embedded window in the original. And NetScanTools Pro's URL Grabber pulled in the text portion of URLs without a problem -- it is completely safe. OK, definitely browser hijacking.

So I next launched msconfig. As soon as I went to the Startup tab it started blinking rapidly and the computer went through the fastest shutdown I've ever seen. Now I was mad.

I restarted it and went into Safe Mode. I started msconfig and carefully examined the Startup section (I knew they had to use this) and found what I was looking for--an out of place entry with an apparently random exe name (I've seen this method before):
(checked box) xpsdg6420222 -- "C:\Documents and Settings\%username%\Application Data\Google\xpsdg6420222.exe" 2 -- Software\Microsoft\Windows\CurrentVersion\Run

I immediately UNCHECKED it, pressed OK and went to that FAKE Google directory and removed the EXE and a DLL that was with it -- sorry I can't remember the exact name of the DLL -- I think it was mjkdpl.dll. They both had no versioning or authoring resources and Google toolbar is not installed.

Then I searched for that filename with regedit and found one instance of it. I didn't write down where -- sorry!

Next I rebooted and I now had control of the browsers. But wait! that's not all: the next morning I did more research and found that there may be more "droppings" -- kind of like the elk poop in our yard -- on the computer.

So I searched the hard drive for all files created yesterday and sorted by time so I could see the ones created when the problem was first noticed. I found several. I noticed that 3 minutes before a group of strange files (all had no versioning resources) there was one 2MB file called acr442b.tmp. While viewing it in notepad, I saw "pdf" at the beginning. Maybe a coincidence, maybe not. That computer had Acrobat Reader 7.1 on it. So I uninstalled it and installed reader 9. The old version might have been the infection vector, but it also could have been a clicked on popup -- I can't get an 11 year old to remember.

Back to the file list. I found and removed these:

C:\Documents and Settings\%username%\Local Settings\Temp\acr442b.tmp
C:\Documents and Settings\%username%\Application Data\Adobe\usanaz.exe (21kb)
C:\Documents and Settings\%username%\Application Data\AdobeUM\manol.exe (13kb)
C:\Documents and Settings\%username%\Application Data\AppleComputer\xerks.exe (1kb)
C:\Documents and Settings\%username%\Application Data\Corel\rasim.exe (16kb)
C:\Documents and Settings\%username%\Application Data\Cyberlink\gdi32.dll (12kb)
C:\Documents and Settings\%username%\Application Data\Help\kernell32.dll (10kb -- note the extra 'l' in kernel -- a dead giveaway)

Note: I did not find sinashi.exe, msclock.exe, netsk.exe as some sites have reported -- probably a versioning issue. I even searched again for them in Safe Mode.

I also found but could not remove this one because it was 'in use':
C:\Windows\System32\drivers\svchost.exe (48k)

Now I'm PO'd again because svchost.exe DOES run as part of the operating system, but that's not where its supposed to be located. It should be in System32, not down in drivers and it should be 14K. Be sure to leave the svchost.exe that is in C:\Windows\System32 alone. It's part of the operating system. The one down in "drivers" has to go.

OK, back to Safe Mode. Now I opened regedit to search for all instances of "drivers/svchost.exe". I found these places:
(this runs it at startup)
HKCU/Software/Microsoft/Windows/CurrentVersion/Run/svchost.exe c:\windows\system32\drivers\svchost.exe
HKCU/Software/Microsoft/Windows/Shell/Noroam/MUICache/%SystemRoot%\system32\drivers\svchost.exe
(these poke a hole in Windows Firewall for their malicious svchost to send data)
HKLM/System/ControlSet001/Services/SharedAccess/Parameters/FirewallPolicy/DomainProfile/AuthorizedApplications/List %windir%/system32/drivers/svchost.exe:*:Enabled:svchost
HKLM/System/ControlSet002/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List %windir%/system32/drivers/svchost.exe:*:Enabled:svchost

It was not in CurrentControlSet which was wierd.

Then I deleted C:\Windows\System32\drivers\svchost.exe.

Then I rebooted normally and temporarily installed Symantec Endpoint Protection 11 and scanned the whole machine. Nothing. I also installed Malware Bytes Anti-Malware -- 6 minor cookie things which were apparently unrelated.

I think I got it all. I hope this helps someone else remove this trash that illegally took control of our PC. I am a programmer and an MS user since DOS 3.1, so I'm well aware of some of these tricks and knew where to look. If I were an average non-technical user, I would have been hosed because no scans caught it. As it was I wasted 3 hours on this.

I'm going to try and Knoppix up and running off a boot CD so my son can play his online games without worries. Try your stupid hijacking tricks against that. And try selling your software the way we sell ours: by being innovative (legally) and providing good value for your customers.

13 comments:

Anonymous said...

This same exact thing happened to me. I'm on a mac but I'm running Windows so it was harder to get into safe mode, but I went through everything you did, step by step before finding this page, including the msconfig BS. Even found the same file first. Searched for it in google, and this post was the only thing that showed up. Thanks for everything to look for

Anonymous said...

I also got this problem just now. Coincidence? Probably, probably not. Either way, i was able to get rid of them with AVG; managed to pick up the files and all of the drops as well. I hope no one else gets this; it was quite scary at first.

JohnG said...

I had the same problem this morning, and Trend Micro did not catch it. But I was able to delete almost all of the exe and dll files. In my case, sinashi.exe also showed up. All the bad apps and dll's were located in C:\Documents and Settings\%username%\Application Data, and were in various software folders, two of which (\Yahoo and \Google)were newly created. I have a duplicate copy of svchost.exe in C:\WINDOWS\system32\drivers, but there is still a copy in \system32 as well. I also have the same registry keys that you listed in HKCU, with duplicates in HK_Users, as well as the keys you listed in HKLM, with duplicates in HKLM/System/CurrentControlSet and HKLM/System/ControlSet003. One question though: did you delete C:\WINDOWS\System32\drivers\svchost.exe and all the registry instances of it?

Kirk Thomas said...

svchost.exe (14kb) is only supposed to be in windows/system32. There are references to it all throughout the registry. Do not delete those. Only delete svchost.exe (note the larger filesize) from windows/system32/drivers and ONLY delete references to it from the registry. ie. Delete references to c:windows\system32\drivers\svchost.exe from the registry. There are a few.

Anonymous said...

Thank you for this post. The virus arrived at 7.18am (Local Melbourne Time) yesterday morning 29th of Jan. I spent most of the evening last night tracking down the problem.

It completely disabled my firefox to the point that I had to uninstall it, and i had to resort to IE *ugh* for a while. Until it began to not let me download any files. Then the power went out (due to the heat here in Melbourne)

Loaded up Opera this morning and found your post and managed to disable it all. AVG found and disabled the trojan (the dll file - kpldlpl.dll) but didn't do anything to the exe file. I had to follow the MSConfig instructions in safe mode to get rid of it.

Once again thank you for your post. It saved my ass.

Hot and Bothered in Melbourne (three days of 43 degrees celsius straight and counting)

Anonymous said...

Kirk - This is a GREAT review of how simple things can cause us such pain.
Great review - Thanks...Oldcommguy

Anonymous said...

I love you. Yes, I do. I love you. This just happened to me about an hour. Did a quick Google search and came across your post with very, very helpful detailed directions. I'm still cleaning it up.

Anonymous said...

In the registry, I also found these:

HKLM/System/ControlSet004/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List %windir%/system32/drivers/svchost.exe:*:Enabled:svchost

and in this folder: HKCU/Software/Microsoft/Windows/Shell/Noroam/MUICache

I found this entry:

"C:\Documents and Settings\%username%\Application Data\Google\xpsdg6420222.exe

You didn't mention it in your post but based on all the advice before I assume these should be deleted too!

Here goes.

Anonymous said...

Thank you. I also wasted 3 hours disabling their piece of work... Very clever group of criminals... I kept a copy of the popup (a picture)... After spending an hour looking for the Win32.Zafi.B virus and cursing at my antivirus I followed the popup to its process and saw the 'xpsdg640222.exe' name... that's when Flags went up and I quickly realized zafi was a diversion...

Thank you very much for posting detailed instructions.

Anonymous said...

Thanks for taking the time and trouble to post this helpful warning and method. We picked up this hijack last night and by following your guidance I have got it off our PC.
Thanks again.

Anonymous said...

Thanks for your post. The symptoms you described (sudden reboot, the popup, SVChost) were the same as what I ran into. Ultimately I used Malwarebytes in Safe Mode to get rid of this.

Your hunch about PDF file is interesting. The computer I was working on has Adobe version 8, and did not have the latest security patches for it installed. It may have been the way this laptop picked it up also.

Anonymous said...

Thanks for the post. Got this earlier this evening from my first (and last) visit to Piratebay.org (a BitTorrent tracker) this evening. Thanks for the detail. I'm running an AdAware scan and will run HijackThis afterwards to make sure nothing else is lurking... I have some choice words for those who write these things, but I've already yelled them out loud several times. :-\

Again, thanks for your post.

John said...

Kirk, thank you! Thank you! Thank you! I've been working since Sunday on trying to get rid of this annoyance.
(shouldn't this be illegal? Can't ICANN or 3W or someone shut these bandits down? "Hey, dat's a nice computer you got...be a shame if anyt'ing happened to it...so buy my software.")

Your step-by-step was great.
My exe file was vgwsn871850.
I never found a 2Mb tmp file on my "infected" days.
and xerks.exe and rasim.exe were in different folders (same file size, however).

My initial "find/search on vgwsn871850" in regedit gave three instances (so folks should use Find Next ... or whatever continues the search of your registry).

PS - searching "drivers\svchost.exe" was great advice. I deleted all of them (that listed driver before the svchost.exe)

Thank you again.
And thank you (plural) for the comments left here.

(I'm glad I finally searched AVG+defender-review ... wish I'd done it days ago)