clicking search page links,
results in randomly redirected URL pages
svchost.exe and rundll32.exe used to load malware/spyware DLL
Today, for the second time in a month, I was asked to help remove a spyware/malware from a computer running Windows XP SP3. In both cases, the symptoms were identical. The user immediately noticed something was wrong because their web browser started to behave oddly. Here is what happened:
- Open the web browser of choice (IE or Firefox or Opera) and load a search portal (Google, MSN or Yahoo) site
- type in something to search (“winter coat”)
- on the results page, if you right-click on a link and “open in new tab/window”, the page opens and immediately gets redirected to some other random page (usually some other portal site)
- HOWEVER, if you right-click on a link and select “copy shortcut”, then MANUALLY open a tab and paste the link, the page opens just fine
The first time this happened (Feb. 3, 2010), it was on a friend’s computer and he is a veteran IT person (network system administrator for 10+ years). He keeps his computer very secure, usually.
We checked the usual system settings (network settings, proxy settings, “odd” programs running, etc.). We ran the usual anti-spyware and anti-virus scans, call came back clean as usual.
Avast AntiVirus – clean
ClamAV – clean
HiJackThis – normal
MalwareBytes – clean
Spybot SD – clean
However, running the SysInternals utility, PROCEXP.EXE, I happened to notice this line:
C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\efsadub.dll”,DWLGXPLFFX
which was running as a sub-process under svchost.exe (C:\WINDOWS\system32\svchost.exe -k netsvcs).
The file “C:\WINDOWS\system32\efsadub.dll” (notice the “b” in the filename) had its special bits set as “read-only”, “hidden” and “system”. When we try to change the attributes, we get “Access Denied” (even from an Administrator account). Hell, we even tried to access this in Safe-Mode Command Prompt Only, we get the same error. We could not rename the file either, obviously.
I was finally able to change the attributes and rename the file after running “
For the VirusTotal analysis report on the file “efsadub.dll“, goto:
http://www.virustotal.com/analisis/b1ff584a9b490418a159ab4afe85ae1802e4c4634c942756640a4411467ef25d-1264975725
Today (March 5, 2010), a client called and his computer had the same symptoms. Again, I checked the usual suspects (running programs, etc.) and performed the usual scans (anti-virus, anti-malware, etc.). They all came back “clean”. However, I did notice that the signatures were slightly dated (about a month old). When I tried to update them, error messages resulted. MalwareBytes gave an error and hung in a loop. Symantec Anti-Virus LiveUpdates just failed.
ClamAV – clean
MalwareBytes – clean
Symantec Anti-Virus – clean
I then ran the PROCEXP.EXE utility from SysInternals. There were no odd DLLs loaded like the last time. Hmm… so this is not exactly the same as last time.
Since this had to be a malware that loaded at startup, I decided to check the System Services. I then noticed an “odd” service running named “Server WebCheckChannelAgent Performance Folder Provisioning Icon Driver CPL”, with a short-name of “srvoko6”. I tried to disable it and it kept resetting to “Automatic”.
Looking at the properties of this service, revealed that it was loading via “%SYSTEM%\svchost.exe –k netsvc6”. I searched the web on the terms “srvoko6” and “netsvc6”, I came across this site:
http://www.threatexpert.com/report.aspx?md5=c801bd4576fc95cb03e918950edd21a1
which mentions the “ok6o.dll” and “ok6o.sys” files. So I searched for those files, and found them (they were not hidden). Trying to rename them worked, but they were immediately recreated by the malware.
NOTE: the above ThreatExpert site reports that this service was also named “Office Workstation Remote”. This tells me that the service display name can vary.
Instead, I used “CACLS.EXE” to change access permissions to these files so that nobody (or system service) was allowed to access them. Rebooted the computer and verified that the malware was no longer actively running. This time, I was able to successfully disable the service and renamed the “ok6o.dll” and “ok6o.sys” files.
I was then able to restore permissions to those files and delete them. Updated signatures for MalwareBytes and Symantec Anti-Virus, followed by a complete system scan. This time those programs found the installer stub files “C:\WINDOWS\bill103.exe” and “C:\WINDOWS\rdr_1267369102.exe” (which most likely are random filenames the initial download script created).
For the VirusTotal analysis on the file “o6ko.dll“, goto:
http://www.virustotal.com/analisis/7d6d2edc4eac763bc687e578008474dc85245b1e55d5ca5ae958d220f4802fbf-1267641995
For the VirusTotal analysis on the file “o6ko.sys“, goto:
http://www.virustotal.com/analisis/d599b5fb31b6387ff7e540fabb655bbde0990ce9db1e6f1918bec6ac21d43278-1267374431
As you can see from the VirusTotal analysis reports, not all anti-virus scanners detect or flag these files. So, for most of these malware/spyware, it still requires manual detection and removal.
STRONG WARNING: be very careful of websites that tells you do download an executable to remove the malware/spyware. If you are not familiar with the website, DO NOT download and run the program, it can possibly install another piece of malwayre/spyware onto your computer. It is best to call a professional (or at least someone who knows with 100% certainty what they are doing) to clean your computer.
NOTICE: when renaming files and changing attributes or permissions, it is strongly advised that you do those via command-line commands in the “Command Prompt” window. If the malware/spyware is attached to the Windows Explorer process and/or its handles, it can intercept your mouse-click commands, making it seem like you did what you wanted to, but in reality the malware/spyware actually created another copy of itself with a different name and reinstalled itself using those new copies. The “Command Prompt” method is the most secure way of doing this work; however it is a lot of typing.
Feel free to post comments below if you need help or have recommendations.
©2010 Johnny Chin. All Rights Reserved.
clicking search page links,
results in randomly redirected URL pages
svchost.exe and rundll32.exe used to load malware/spyware DLL
Today, for the second time in a month, I was asked to help remove a spyware/malware from a computer running Windows XP SP3. In both cases, the symptoms were identical. The user immediately noticed something was wrong because their web browser started to behave oddly. Here is what happened:
- Open the web browser of choice (IE or Firefox or Opera) and load a search portal (Google, MSN or Yahoo) site
- type in something to search (“winter coat”)
- on the results page, if you right-click on a link and “open in new tab/window”, the page opens and immediately gets redirected to some other random page (usually some other portal site)
- HOWEVER, if you right-click on a link and select “copy shortcut”, then MANUALLY open a tab and paste the link, the page opens just fine
The first time this happened (Feb. 3, 2010), it was on a friend’s computer and he is a veteran IT person (network system administrator for 10+ years). He keeps his computer very secure, usually.
We checked the usual system settings (network settings, proxy settings, “odd” programs running, etc.). We ran the usual anti-spyware and anti-virus scans, call came back clean as usual.
Avast AntiVirus – clean
ClamAV – clean
HiJackThis – normal
MalwareBytes – clean
Spybot SD – clean
However, running the SysInternals utility, PROCEXP.EXE, I happened to notice this line:
C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\efsadub.dll”,DWLGXPLFFX
which was running as a sub-process under svchost.exe (C:\WINDOWS\system32\svchost.exe -k netsvcs).
The file “C:\WINDOWS\system32\efsadub.dll” (notice the “b” in the filename) had its special bits set as “read-only”, “hidden” and “system”. When we try to change the attributes, we get “Access Denied” (even from an Administrator account). Hell, we even tried to access this in Safe-Mode Command Prompt Only, we get the same error. We could not rename the file either, obviously.
I was finally able to change the attributes and rename the file after running “
For the VirusTotal analysis report on the file “efsadub.dll“, goto:
http://www.virustotal.com/analisis/b1ff584a9b490418a159ab4afe85ae1802e4c4634c942756640a4411467ef25d-1264975725
Today (March 5, 2010), a client called and his computer had the same symptoms. Again, I checked the usual suspects (running programs, etc.) and performed the usual scans (anti-virus, anti-malware, etc.). They all came back “clean”. However, I did notice that the signatures were slightly dated (about a month old). When I tried to update them, error messages resulted. MalwareBytes gave an error and hung in a loop. Symantec Anti-Virus LiveUpdates just failed.
ClamAV – clean
MalwareBytes – clean
Symantec Anti-Virus – clean
I then ran the PROCEXP.EXE utility from SysInternals. There were no odd DLLs loaded like the last time. Hmm… so this is not exactly the same as last time.
Since this had to be a malware that loaded at startup, I decided to check the System Services. I then noticed an “odd” service running named “Server WebCheckChannelAgent Performance Folder Provisioning Icon Driver CPL”, with a short-name of “srvoko6”. I tried to disable it and it kept resetting to “Automatic”.
Looking at the properties of this service, revealed that it was loading via “%SYSTEM%\svchost.exe –k netsvc6”. I searched the web on the terms “srvoko6” and “netsvc6”, I came across this site:
http://www.threatexpert.com/report.aspx?md5=c801bd4576fc95cb03e918950edd21a1
which mentions the “ok6o.dll” and “ok6o.sys” files. So I searched for those files, and found them (they were not hidden). Trying to rename them worked, but they were immediately recreated by the malware.
NOTE: the above ThreatExpert site reports that this service was also named “Office Workstation Remote”. This tells me that the service display name can vary.
Instead, I used “CACLS.EXE” to change access permissions to these files so that nobody (or system service) was allowed to access them. Rebooted the computer and verified that the malware was no longer actively running. This time, I was able to successfully disable the service and renamed the “ok6o.dll” and “ok6o.sys” files.
I was then able to restore permissions to those files and delete them. Updated signatures for MalwareBytes and Symantec Anti-Virus, followed by a complete system scan. This time those programs found the installer stub files “C:\WINDOWS\bill103.exe” and “C:\WINDOWS\rdr_1267369102.exe” (which most likely are random filenames the initial download script created).
For the VirusTotal analysis on the file “o6ko.dll“, goto:
http://www.virustotal.com/analisis/7d6d2edc4eac763bc687e578008474dc85245b1e55d5ca5ae958d220f4802fbf-1267641995
For the VirusTotal analysis on the file “o6ko.sys“, goto:
http://www.virustotal.com/analisis/d599b5fb31b6387ff7e540fabb655bbde0990ce9db1e6f1918bec6ac21d43278-1267374431
As you can see from the VirusTotal analysis reports, not all anti-virus scanners detect or flag these files. So, for most of these malware/spyware, it still requires manual detection and removal.
STRONG WARNING: be very careful of websites that tells you do download an executable to remove the malware/spyware. If you are not familiar with the website, DO NOT download and run the program, it can possibly install another piece of malwayre/spyware onto your computer. It is best to call a professional (or at least someone who knows with 100% certainty what they are doing) to clean your computer.
NOTICE: when renaming files and changing attributes or permissions, it is strongly advised that you do those via command-line commands in the “Command Prompt” window. If the malware/spyware is attached to the Windows Explorer process and/or its handles, it can intercept your mouse-click commands, making it seem like you did what you wanted to, but in reality the malware/spyware actually created another copy of itself with a different name and reinstalled itself using those new copies. The “Command Prompt” method is the most secure way of doing this work; however it is a lot of typing.
Feel free to post comments below if you need help or have recommendations.
While on New York Fox 5 News website, I came across this article:TSA Scanners May Violate Rights, Risk Health
What caught my eye, is this section:
Not only has the use of full-body image scanners raised the ire of passengers and serious questions about their constitutionality, but they may also present a serious health risk.
The devices operate on a combination of X-ray technology and millimeter wave technology . Relatively new on the scene, millimeter wave technology has been proven capable of interfering with human DNA. The ultimate results of this exposure remain unknown. Though technically medical devices, the scanners have never been tested or approved by the FDA.
This new “millimeter wave” X-ray technology seems to raise some serious concerns. I, for one, am concerned for my family when it comes to these full body scanners. Some of the questions were raised on the Stranded Passengers blog site are of serious concern. Things like, would it cause birth defects? Cause infertility? Cause birth defects in future babies? Can it cause brain damage? The “millimeter wave” is believed to damage DNA, which cannot be “fixed” or “repaired”. It can permanently affect you and your offspring, as DNA is passed to your future children and grandchildren.
The other technology used in full body scanners is called “backscatter X-ray“.
Other references:
http://strandedpassengers.blogspot.com/2010/01/full-body-scanners-used-on-air.html (they have links to BusinessWeek and New York Times articles)
http://www.reddit.com/r/science/comments/aopsk/the_energy_emitted_by_millimeter_wave_scanners/
©2010 Johnny Chin. All Rights Reserved.
While on New York Fox 5 News website, I came across this article:TSA Scanners May Violate Rights, Risk Health
What caught my eye, is this section:
Not only has the use of full-body image scanners raised the ire of passengers and serious questions about their constitutionality, but they may also present a serious health risk.
The devices operate on a combination of X-ray technology and millimeter wave technology . Relatively new on the scene, millimeter wave technology has been proven capable of interfering with human DNA. The ultimate results of this exposure remain unknown. Though technically medical devices, the scanners have never been tested or approved by the FDA.
This new “millimeter wave” X-ray technology seems to raise some serious concerns. I, for one, am concerned for my family when it comes to these full body scanners. Some of the questions were raised on the Stranded Passengers blog site are of serious concern. Things like, would it cause birth defects? Cause infertility? Cause birth defects in future babies? Can it cause brain damage? The “millimeter wave” is believed to damage DNA, which cannot be “fixed” or “repaired”. It can permanently affect you and your offspring, as DNA is passed to your future children and grandchildren.
The other technology used in full body scanners is called “backscatter X-ray“.
Other references:
http://strandedpassengers.blogspot.com/2010/01/full-body-scanners-used-on-air.html (they have links to BusinessWeek and New York Times articles)
http://www.reddit.com/r/science/comments/aopsk/the_energy_emitted_by_millimeter_wave_scanners/
References:
http://cbs2.com/national/predator.drones.hacked.2.1375262.html
http://online.wsj.com/video/news-hub-was-us-intelligence-compromised/A0CDCC4B-0DB5-4C0E-A41C-FC2C16CA3BE7.html
I cannot believe the video feeds are NOT encrypted! In this day and age, what is the Department of Defense thinking?
©2010 Johnny Chin. All Rights Reserved.
References:
http://cbs2.com/national/predator.drones.hacked.2.1375262.html
http://online.wsj.com/video/news-hub-was-us-intelligence-compromised/A0CDCC4B-0DB5-4C0E-A41C-FC2C16CA3BE7.html
I cannot believe the video feeds are NOT encrypted! In this day and age, what is the Department of Defense thinking?
Jessica Biel most ‘dangerous’ celeb in cyberspace. Followed by Beyoncé, Jennifer Aniston, Tom Brady, and Jessica Simpson to round out the top 5.
Source: http://news.cnet.com/8301-1009_3-10317029-83.html?part=rss&subj=news&tag=2547-1_3-0-20
Suggestion: use a safer browser like Mozilla Firefox 3.5.
©2010 Johnny Chin. All Rights Reserved.
Jessica Biel most ‘dangerous’ celeb in cyberspace. Followed by Beyoncé, Jennifer Aniston, Tom Brady, and Jessica Simpson to round out the top 5.
Source: http://news.cnet.com/8301-1009_3-10317029-83.html?part=rss&subj=news&tag=2547-1_3-0-20
Suggestion: use a safer browser like Mozilla Firefox 3.5.
Using TCPview, I noticed that I had a lot of TCP connections opened to cpe-24-29-138-176.nyc.res.rr.com. That struck me as very odd. I thought I had spyware loaded on my computer or something, and that bug was phoning-home.
Upon further investigation, I find that whenever I reloaded a NewEgg page, especially if it was a page with lots of images, several of these TCP sessions would open up again. So I decided to look at the source code of the NewEgg page.
Doing a NSLOOKUP on the hostname c1.neweggimages.com gave me a very interesting result.
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 24.29.138.176, 24.29.138.186
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
The IP addresses 24.29.138.176 and 24.19.138.186, both are residential RoadRunner cable modem dynamic IPs according to NYC RoadRunner; reverse resolving to cpe-24-29-138-176.nyc.res.rr.com and cpe-24-29-138-186.nyc.res.rr.com, respectively. 
It struck me very odd that Akamai would use such home-grade dynamic broadband connections to provide their expensive edge-of-network services.
A few minutes later, I did another NSLOOKUP and the IPs changed, as it should with the Akamai service to spread the traffic around their servers.
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 209.107.209.91, 209.107.209.122
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 77.67.91.72, 77.67.91.122
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
And as I am writing this blog entry, c1.neweggimages.com now resolves to:
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 24.29.138.172, 24.29.138.162
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
Once again traffic routed back onto RoadRunner residential service in NYC (reverse resolving to cpe-24-29-138-172.nyc.res.rr.com and cpe-24-29-138-162.nyc.res.rr.com). Looks like Akamai is using a lot of residential IPs within the NYC RoadRunner network.
As a result, some of these residential IPs do not work all the time, causing the NewEgg (and now BUY.COM) pages not to load and just hang.
Would you pay Akamai to basically host your images at someone’s home using a cable modem?
I know I would not pay premium dollars to get stuff hosted at a home. I like the redundancy of a data center.
©2010 Johnny Chin. All Rights Reserved.
Using TCPview, I noticed that I had a lot of TCP connections opened to cpe-24-29-138-176.nyc.res.rr.com. That struck me as very odd. I thought I had spyware loaded on my computer or something, and that bug was phoning-home.
Upon further investigation, I find that whenever I reloaded a NewEgg page, especially if it was a page with lots of images, several of these TCP sessions would open up again. So I decided to look at the source code of the NewEgg page.
Doing a NSLOOKUP on the hostname c1.neweggimages.com gave me a very interesting result.
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 24.29.138.176, 24.29.138.186
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
The IP addresses 24.29.138.176 and 24.19.138.186, both are residential RoadRunner cable modem dynamic IPs according to NYC RoadRunner; reverse resolving to cpe-24-29-138-176.nyc.res.rr.com and cpe-24-29-138-186.nyc.res.rr.com, respectively. It struck me very odd that Akamai would use such home-grade dynamic broadband connections to provide their expensive edge-of-network services.
A few minutes later, I did another NSLOOKUP and the IPs changed, as it should with the Akamai service to spread the traffic around their servers.
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 209.107.209.91, 209.107.209.122
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 77.67.91.72, 77.67.91.122
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
And as I am writing this blog entry, c1.neweggimages.com now resolves to:
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 24.29.138.172, 24.29.138.162
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
Once again traffic routed back onto RoadRunner residential service in NYC (reverse resolving to cpe-24-29-138-172.nyc.res.rr.com and cpe-24-29-138-162.nyc.res.rr.com). Looks like Akamai is using a lot of residential IPs within the NYC RoadRunner network.
As a result, some of these residential IPs do not work all the time, causing the NewEgg (and now BUY.COM) pages not to load and just hang.
Would you pay Akamai to basically host your images at someone’s home using a cable modem?
I know I would not pay premium dollars to get stuff hosted at a home. I like the redundancy of a data center.
Reference Source: TechCrunch – Censorship 2.0: China Blocks Google Search, Apps, Gmail, And More
Google for some reason started to blocking access to everything Google today. It is really preventing my clients with China offices from doing their work. Especially since they use Google Apps for their e-mail. When will China join the rest of the world and realize that the network is now global for many companies.
China must have done something with their Great Firewall to even block proxy traffic. My client has a proxy server in the US which they use in Firefox. Even that was blocked today. It results in a message saying that the “network was interrupted”.
Anyone know of a way to prevent that (blocking of the proxy, that is)?
©2010 Johnny Chin. All Rights Reserved.
Reference Source: TechCrunch – Censorship 2.0: China Blocks Google Search, Apps, Gmail, And More
Google for some reason started to blocking access to everything Google today. It is really preventing my clients with China offices from doing their work. Especially since they use Google Apps for their e-mail. When will China join the rest of the world and realize that the network is now global for many companies.
China must have done something with their Great Firewall to even block proxy traffic. My client has a proxy server in the US which they use in Firefox. Even that was blocked today. It results in a message saying that the “network was interrupted”.
Anyone know of a way to prevent that (blocking of the proxy, that is)?
©2010 Johnny Chin. All Rights Reserved.
Well, my friend Jimmy found it and posted on his blog.
So here is an article on FoxNews.
Cyberspies Penetrate U.S. Electrical Grid,
Leave Software That Could Disrupt System
Leave Software That Could Disrupt System
©2010 Johnny Chin. All Rights Reserved.
Well, my friend Jimmy found it and posted on his blog.
So here is an article on FoxNews.
Cyberspies Penetrate U.S. Electrical Grid,
Leave Software That Could Disrupt System
Leave Software That Could Disrupt System
©2010 Johnny Chin. All Rights Reserved.