clicking search page links,
results in randomly redirected URL pages
svchost.exe and rundll32.exe used to load malware/spyware DLL
Today, for the second time in a month, I was asked to help remove a spyware/malware from a computer running Windows XP SP3. In both cases, the symptoms were identical. The user immediately noticed something was wrong because their web browser started to behave oddly. Here is what happened:
- Open the web browser of choice (IE or Firefox or Opera) and load a search portal (Google, MSN or Yahoo) site
- type in something to search (“winter coat”)
- on the results page, if you right-click on a link and “open in new tab/window”, the page opens and immediately gets redirected to some other random page (usually some other portal site)
- HOWEVER, if you right-click on a link and select “copy shortcut”, then MANUALLY open a tab and paste the link, the page opens just fine
The first time this happened (Feb. 3, 2010), it was on a friend’s computer and he is a veteran IT person (network system administrator for 10+ years). He keeps his computer very secure, usually.
We checked the usual system settings (network settings, proxy settings, “odd” programs running, etc.). We ran the usual anti-spyware and anti-virus scans, call came back clean as usual.
Avast AntiVirus – clean
ClamAV – clean
HiJackThis – normal
MalwareBytes – clean
Spybot SD – clean
However, running the SysInternals utility, PROCEXP.EXE, I happened to notice this line:
C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\efsadub.dll”,DWLGXPLFFX
which was running as a sub-process under svchost.exe (C:\WINDOWS\system32\svchost.exe -k netsvcs).
The file “C:\WINDOWS\system32\efsadub.dll” (notice the “b” in the filename) had its special bits set as “read-only”, “hidden” and “system”. When we try to change the attributes, we get “Access Denied” (even from an Administrator account). Hell, we even tried to access this in Safe-Mode Command Prompt Only, we get the same error. We could not rename the file either, obviously.
I was finally able to change the attributes and rename the file after running “
For the VirusTotal analysis report on the file “efsadub.dll“, goto:
http://www.virustotal.com/analisis/b1ff584a9b490418a159ab4afe85ae1802e4c4634c942756640a4411467ef25d-1264975725
Today (March 5, 2010), a client called and his computer had the same symptoms. Again, I checked the usual suspects (running programs, etc.) and performed the usual scans (anti-virus, anti-malware, etc.). They all came back “clean”. However, I did notice that the signatures were slightly dated (about a month old). When I tried to update them, error messages resulted. MalwareBytes gave an error and hung in a loop. Symantec Anti-Virus LiveUpdates just failed.
ClamAV – clean
MalwareBytes – clean
Symantec Anti-Virus – clean
I then ran the PROCEXP.EXE utility from SysInternals. There were no odd DLLs loaded like the last time. Hmm… so this is not exactly the same as last time.
Since this had to be a malware that loaded at startup, I decided to check the System Services. I then noticed an “odd” service running named “Server WebCheckChannelAgent Performance Folder Provisioning Icon Driver CPL”, with a short-name of “srvoko6”. I tried to disable it and it kept resetting to “Automatic”.
Looking at the properties of this service, revealed that it was loading via “%SYSTEM%\svchost.exe –k netsvc6”. I searched the web on the terms “srvoko6” and “netsvc6”, I came across this site:
http://www.threatexpert.com/report.aspx?md5=c801bd4576fc95cb03e918950edd21a1
which mentions the “ok6o.dll” and “ok6o.sys” files. So I searched for those files, and found them (they were not hidden). Trying to rename them worked, but they were immediately recreated by the malware.
NOTE: the above ThreatExpert site reports that this service was also named “Office Workstation Remote”. This tells me that the service display name can vary.
Instead, I used “CACLS.EXE” to change access permissions to these files so that nobody (or system service) was allowed to access them. Rebooted the computer and verified that the malware was no longer actively running. This time, I was able to successfully disable the service and renamed the “ok6o.dll” and “ok6o.sys” files.
I was then able to restore permissions to those files and delete them. Updated signatures for MalwareBytes and Symantec Anti-Virus, followed by a complete system scan. This time those programs found the installer stub files “C:\WINDOWS\bill103.exe” and “C:\WINDOWS\rdr_1267369102.exe” (which most likely are random filenames the initial download script created).
For the VirusTotal analysis on the file “o6ko.dll“, goto:
http://www.virustotal.com/analisis/7d6d2edc4eac763bc687e578008474dc85245b1e55d5ca5ae958d220f4802fbf-1267641995
For the VirusTotal analysis on the file “o6ko.sys“, goto:
http://www.virustotal.com/analisis/d599b5fb31b6387ff7e540fabb655bbde0990ce9db1e6f1918bec6ac21d43278-1267374431
As you can see from the VirusTotal analysis reports, not all anti-virus scanners detect or flag these files. So, for most of these malware/spyware, it still requires manual detection and removal.
STRONG WARNING: be very careful of websites that tells you do download an executable to remove the malware/spyware. If you are not familiar with the website, DO NOT download and run the program, it can possibly install another piece of malwayre/spyware onto your computer. It is best to call a professional (or at least someone who knows with 100% certainty what they are doing) to clean your computer.
NOTICE: when renaming files and changing attributes or permissions, it is strongly advised that you do those via command-line commands in the “Command Prompt” window. If the malware/spyware is attached to the Windows Explorer process and/or its handles, it can intercept your mouse-click commands, making it seem like you did what you wanted to, but in reality the malware/spyware actually created another copy of itself with a different name and reinstalled itself using those new copies. The “Command Prompt” method is the most secure way of doing this work; however it is a lot of typing.
Feel free to post comments below if you need help or have recommendations.
©2010 Johnny Chin. All Rights Reserved.
clicking search page links,
results in randomly redirected URL pages
svchost.exe and rundll32.exe used to load malware/spyware DLL
Today, for the second time in a month, I was asked to help remove a spyware/malware from a computer running Windows XP SP3. In both cases, the symptoms were identical. The user immediately noticed something was wrong because their web browser started to behave oddly. Here is what happened:
- Open the web browser of choice (IE or Firefox or Opera) and load a search portal (Google, MSN or Yahoo) site
- type in something to search (“winter coat”)
- on the results page, if you right-click on a link and “open in new tab/window”, the page opens and immediately gets redirected to some other random page (usually some other portal site)
- HOWEVER, if you right-click on a link and select “copy shortcut”, then MANUALLY open a tab and paste the link, the page opens just fine
The first time this happened (Feb. 3, 2010), it was on a friend’s computer and he is a veteran IT person (network system administrator for 10+ years). He keeps his computer very secure, usually.
We checked the usual system settings (network settings, proxy settings, “odd” programs running, etc.). We ran the usual anti-spyware and anti-virus scans, call came back clean as usual.
Avast AntiVirus – clean
ClamAV – clean
HiJackThis – normal
MalwareBytes – clean
Spybot SD – clean
However, running the SysInternals utility, PROCEXP.EXE, I happened to notice this line:
C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\efsadub.dll”,DWLGXPLFFX
which was running as a sub-process under svchost.exe (C:\WINDOWS\system32\svchost.exe -k netsvcs).
The file “C:\WINDOWS\system32\efsadub.dll” (notice the “b” in the filename) had its special bits set as “read-only”, “hidden” and “system”. When we try to change the attributes, we get “Access Denied” (even from an Administrator account). Hell, we even tried to access this in Safe-Mode Command Prompt Only, we get the same error. We could not rename the file either, obviously.
I was finally able to change the attributes and rename the file after running “
For the VirusTotal analysis report on the file “efsadub.dll“, goto:
http://www.virustotal.com/analisis/b1ff584a9b490418a159ab4afe85ae1802e4c4634c942756640a4411467ef25d-1264975725
Today (March 5, 2010), a client called and his computer had the same symptoms. Again, I checked the usual suspects (running programs, etc.) and performed the usual scans (anti-virus, anti-malware, etc.). They all came back “clean”. However, I did notice that the signatures were slightly dated (about a month old). When I tried to update them, error messages resulted. MalwareBytes gave an error and hung in a loop. Symantec Anti-Virus LiveUpdates just failed.
ClamAV – clean
MalwareBytes – clean
Symantec Anti-Virus – clean
I then ran the PROCEXP.EXE utility from SysInternals. There were no odd DLLs loaded like the last time. Hmm… so this is not exactly the same as last time.
Since this had to be a malware that loaded at startup, I decided to check the System Services. I then noticed an “odd” service running named “Server WebCheckChannelAgent Performance Folder Provisioning Icon Driver CPL”, with a short-name of “srvoko6”. I tried to disable it and it kept resetting to “Automatic”.
Looking at the properties of this service, revealed that it was loading via “%SYSTEM%\svchost.exe –k netsvc6”. I searched the web on the terms “srvoko6” and “netsvc6”, I came across this site:
http://www.threatexpert.com/report.aspx?md5=c801bd4576fc95cb03e918950edd21a1
which mentions the “ok6o.dll” and “ok6o.sys” files. So I searched for those files, and found them (they were not hidden). Trying to rename them worked, but they were immediately recreated by the malware.
NOTE: the above ThreatExpert site reports that this service was also named “Office Workstation Remote”. This tells me that the service display name can vary.
Instead, I used “CACLS.EXE” to change access permissions to these files so that nobody (or system service) was allowed to access them. Rebooted the computer and verified that the malware was no longer actively running. This time, I was able to successfully disable the service and renamed the “ok6o.dll” and “ok6o.sys” files.
I was then able to restore permissions to those files and delete them. Updated signatures for MalwareBytes and Symantec Anti-Virus, followed by a complete system scan. This time those programs found the installer stub files “C:\WINDOWS\bill103.exe” and “C:\WINDOWS\rdr_1267369102.exe” (which most likely are random filenames the initial download script created).
For the VirusTotal analysis on the file “o6ko.dll“, goto:
http://www.virustotal.com/analisis/7d6d2edc4eac763bc687e578008474dc85245b1e55d5ca5ae958d220f4802fbf-1267641995
For the VirusTotal analysis on the file “o6ko.sys“, goto:
http://www.virustotal.com/analisis/d599b5fb31b6387ff7e540fabb655bbde0990ce9db1e6f1918bec6ac21d43278-1267374431
As you can see from the VirusTotal analysis reports, not all anti-virus scanners detect or flag these files. So, for most of these malware/spyware, it still requires manual detection and removal.
STRONG WARNING: be very careful of websites that tells you do download an executable to remove the malware/spyware. If you are not familiar with the website, DO NOT download and run the program, it can possibly install another piece of malwayre/spyware onto your computer. It is best to call a professional (or at least someone who knows with 100% certainty what they are doing) to clean your computer.
NOTICE: when renaming files and changing attributes or permissions, it is strongly advised that you do those via command-line commands in the “Command Prompt” window. If the malware/spyware is attached to the Windows Explorer process and/or its handles, it can intercept your mouse-click commands, making it seem like you did what you wanted to, but in reality the malware/spyware actually created another copy of itself with a different name and reinstalled itself using those new copies. The “Command Prompt” method is the most secure way of doing this work; however it is a lot of typing.
Feel free to post comments below if you need help or have recommendations.
Avast tonight released their updated VPS 091203-0 signature file which has been causing a lot of grief to everyone around the world with false-positives for the trojan/worm Win32:Delf-MZG[Trj].
The only fix for now is to disable updates and go back to a previous signature file that is not “bad”.
Luckily I have another machine which has not yet taken down this update, so I saved the 400.vps file from C:\Program Files\Alwil Software\Avast4\DATA into my USB key. I then copied this older version of the 400.vps file onto the computer with bad 091203-0 VPS signature file. I placed it into C:\ for easy access later (because we will be using the Command Prompt, so everything would be typed).
Now on the computer with the bad VPS signature file,
disable the Avast updates by setting it to “Manual”.
Reboot the computer (assuming Windows XP) into
and type the following:
cd “C:\Program Files\Alwil Software\Avast4\DATA”
ren 400.vps 400.vps.091203-0.bad
copy C:\400.vps
(this is why I recommended putting it in C:\ above, less typing)
Then reboot the computer back to Normal mode.
Your Avast VPS signatures should now be reverted to the older version.
Good luck!
Update: December 3, 2009 8:25AM EST
Avast released an updated signature file (VPS 091203-1) that is suppose to resolve the bug. Goto http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=377
.
©2010 Johnny Chin. All Rights Reserved.
Avast tonight released their updated VPS 091203-0 signature file which has been causing a lot of grief to everyone around the world with false-positives for the trojan/worm Win32:Delf-MZG[Trj].
The only fix for now is to disable updates and go back to a previous signature file that is not “bad”.
Luckily I have another machine which has not yet taken down this update, so I saved the 400.vps file from C:\Program Files\Alwil Software\Avast4\DATA into my USB key. I then copied this older version of the 400.vps file onto the computer with bad 091203-0 VPS signature file. I placed it into C:\ for easy access later (because we will be using the Command Prompt, so everything would be typed).
Now on the computer with the bad VPS signature file,
disable the Avast updates by setting it to “Manual”.
Reboot the computer (assuming Windows XP) into
and type the following:
cd “C:\Program Files\Alwil Software\Avast4\DATA”
ren 400.vps 400.vps.091203-0.bad
copy C:\400.vps
(this is why I recommended putting it in C:\ above, less typing)
Then reboot the computer back to Normal mode.
Your Avast VPS signatures should now be reverted to the older version.
Good luck!
Update: December 3, 2009 8:25AM EST
Avast released an updated signature file (VPS 091203-1) that is suppose to resolve the bug. Goto http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=377
.
Using TCPview, I noticed that I had a lot of TCP connections opened to cpe-24-29-138-176.nyc.res.rr.com. That struck me as very odd. I thought I had spyware loaded on my computer or something, and that bug was phoning-home.
Upon further investigation, I find that whenever I reloaded a NewEgg page, especially if it was a page with lots of images, several of these TCP sessions would open up again. So I decided to look at the source code of the NewEgg page.
Doing a NSLOOKUP on the hostname c1.neweggimages.com gave me a very interesting result.
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 24.29.138.176, 24.29.138.186
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
The IP addresses 24.29.138.176 and 24.19.138.186, both are residential RoadRunner cable modem dynamic IPs according to NYC RoadRunner; reverse resolving to cpe-24-29-138-176.nyc.res.rr.com and cpe-24-29-138-186.nyc.res.rr.com, respectively. 
It struck me very odd that Akamai would use such home-grade dynamic broadband connections to provide their expensive edge-of-network services.
A few minutes later, I did another NSLOOKUP and the IPs changed, as it should with the Akamai service to spread the traffic around their servers.
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 209.107.209.91, 209.107.209.122
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 77.67.91.72, 77.67.91.122
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
And as I am writing this blog entry, c1.neweggimages.com now resolves to:
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 24.29.138.172, 24.29.138.162
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
Once again traffic routed back onto RoadRunner residential service in NYC (reverse resolving to cpe-24-29-138-172.nyc.res.rr.com and cpe-24-29-138-162.nyc.res.rr.com). Looks like Akamai is using a lot of residential IPs within the NYC RoadRunner network.
As a result, some of these residential IPs do not work all the time, causing the NewEgg (and now BUY.COM) pages not to load and just hang.
Would you pay Akamai to basically host your images at someone’s home using a cable modem?
I know I would not pay premium dollars to get stuff hosted at a home. I like the redundancy of a data center.
©2010 Johnny Chin. All Rights Reserved.
Using TCPview, I noticed that I had a lot of TCP connections opened to cpe-24-29-138-176.nyc.res.rr.com. That struck me as very odd. I thought I had spyware loaded on my computer or something, and that bug was phoning-home.
Upon further investigation, I find that whenever I reloaded a NewEgg page, especially if it was a page with lots of images, several of these TCP sessions would open up again. So I decided to look at the source code of the NewEgg page.
Doing a NSLOOKUP on the hostname c1.neweggimages.com gave me a very interesting result.
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 24.29.138.176, 24.29.138.186
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
The IP addresses 24.29.138.176 and 24.19.138.186, both are residential RoadRunner cable modem dynamic IPs according to NYC RoadRunner; reverse resolving to cpe-24-29-138-176.nyc.res.rr.com and cpe-24-29-138-186.nyc.res.rr.com, respectively. It struck me very odd that Akamai would use such home-grade dynamic broadband connections to provide their expensive edge-of-network services.
A few minutes later, I did another NSLOOKUP and the IPs changed, as it should with the Akamai service to spread the traffic around their servers.
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 209.107.209.91, 209.107.209.122
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 77.67.91.72, 77.67.91.122
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
And as I am writing this blog entry, c1.neweggimages.com now resolves to:
Non-authoritative answer:
Name: a200.g.akamai.net
Addresses: 24.29.138.172, 24.29.138.162
Aliases: c1.neweggimages.com, images10.newegg.com.edgesuite.net
Once again traffic routed back onto RoadRunner residential service in NYC (reverse resolving to cpe-24-29-138-172.nyc.res.rr.com and cpe-24-29-138-162.nyc.res.rr.com). Looks like Akamai is using a lot of residential IPs within the NYC RoadRunner network.
As a result, some of these residential IPs do not work all the time, causing the NewEgg (and now BUY.COM) pages not to load and just hang.
Would you pay Akamai to basically host your images at someone’s home using a cable modem?
I know I would not pay premium dollars to get stuff hosted at a home. I like the redundancy of a data center.