I had one of my users come and grab me saying that their Internet wasn't working. Anyone who has worked long enough with computers knows this can mean anything, but since I had just been using the Internet to pull up some information, I knew it wasn't building-wide.
I followed her to her desk and she launched Internet Explorer 8. It opened and then instantly closed itself. Odd. I opened it myself and it did the same thing, but stayed open a little longer. I popped open Task Manager to make sure nothing funny was happening; I didn't see anything. I jumped into Internet Options and changed the home page to http://www.google.com/, since it is really basic and I thought maybe a page was causing the problem.
Opened IE again, and this time it stayed open, but the one tab kept crashing and recovering over and over. I went through the same process as above, changed the home page to a blank page, then reopened IE. Same behavior.
I thought it might be malware but wasn't really sure. Fired up Process Explorer and Process Monitor from Sysinternals. Process Monitor didn't seem to show anything odd. I then went to Process Explorer, thinking that a DLL loaded into IE was probably causing the problem. Went to Properties, then Threads, for iexplore.exe. I noticed one of the DLLs that was pretty active was yt.dll. I looked at the top of IE and noticed a toolbar; after searching to confirm my suspicion, the DLL belonged to the Yahoo toolbar. I uninstalled the toolbar and reopened IE. It was working fine.
I'm not sure what changed to cause the sudden problem; no updates happened in that time frame. But if you start having the same problem, I hope this helps.
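Process Explorer's DLL and Threads views are how the crashing thread was traced to yt.dll by eye. As an added example that is not code from the original post, the PowerShell script below does the same triage from the command line: it lists every DLL loaded into each running iexplore.exe, flags the ones that are not validly signed with a Microsoft subject, and enumerates the toolbars registered for IE so each CLSID can be resolved to the DLL that implements it. The process name, the "*Microsoft*" subject match and the registry paths are assumptions for illustration.

```powershell
# Added example, not code from the original post.
# Triage for "IE crashes on launch": which third-party DLLs are inside iexplore.exe,
# and which toolbars are registered to load into it?

function Get-SuspectModules {
    param([string]$ProcessName = 'iexplore')   # assumed; use 32-bit PowerShell for a 32-bit IE
    Get-Process -Name $ProcessName -ErrorAction Stop | ForEach-Object {
        $proc = $_
        foreach ($m in $proc.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Status    = $sig.Status
                Signer    = $subject
                # Crude but useful: anything not validly signed with a Microsoft subject gets a look.
                Suspect   = -not ($sig.Status -eq 'Valid' -and $subject -like '*Microsoft*')
            }
        }
    }
}

function Get-IEToolbars {
    # Each registered toolbar is a value whose name is the CLSID of the toolbar's COM object.
    # On 64-bit Windows, 32-bit toolbars are registered under ...\Wow6432Node\... instead.
    $key = Get-Item 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' -ErrorAction Stop
    foreach ($clsid in $key.GetValueNames()) {
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $name = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        $srv  = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $srv.'(default)' }
    }
}

Get-SuspectModules | Where-Object Suspect | Sort-Object Path -Unique |
    Format-Table Module, Signer, Status, Path -AutoSize
Get-IEToolbars | Format-Table -AutoSize
```

Two caveats when reading the output. Get-Process can only list modules of a process with the same bitness as PowerShell, so a 32-bit IE on 64-bit Windows needs the PowerShell under SysWOW64. On XP and Windows 7 many OS DLLs are catalog-signed rather than Authenticode-signed, so they show as NotSigned and the Suspect column will carry noise there; the toolbar list is the cleaner signal, and anything it names that you do not recognise is removed from Programs and Features before you go digging further.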
UPDATE - I am seeing a lot of traffic on this post, and from the comments we can tell it's happening to multiple people and it started today. I only had one user with the problem. I saw a Yahoo question about this; apparently with Vista it will tell you that the Yahoo toolbar is the problem, which would have made the problem easier. My user had XP and it told me nothing other than crashing. I will be contacting Yahoo, if they don't already know. Curious if it's a certain toolbar version.
UPDATE 2 - I did see that the following update got installed yesterday on the computer: KB2079403. You can read Microsoft's article at http://support.microsoft.com/kb/2079403; it seems to apply to all versions of Windows. Dark stated his had a similar issue but that he had no such update, and the last update was 11/19. So further proof it's most likely not a Microsoft update.
Update 3 - It looks like the problem probably had to do with an older version of the toolbar. Most people don't update theirs. What caused it to break today is still a mystery.
FOR THOSE WANTING JUST THE FIX AND NOT THE STORY
-Just uninstall the Yahoo toolbar.
-Install the latest version of the toolbar if you still want it. (The latest version seems to be working.)
Wednesday, December 15, 2010
Friday, December 10, 2010
Using Sysinternals Desktops to assist in removing a virus
(Screenshot: Sysinternals Desktops)
I was asked by a friend to look at a computer that was acting funny; they thought it had a virus. After working on the computer for a little while I didn't notice anything that really popped out. But I went to install Microsoft Security Essentials and it would never complete. It wouldn't lock up the computer, and the progress bar kept rotating. I also noticed that shutting down and starting up were taking longer than they should.
After realizing something was up, I opened Task Manager and didn't notice anything odd. Winlogon was more active than it should be, though; something I only noticed because I was trying to see what might be conflicting with the MSE install.
So I decided to start diagnosing and pulled over the Sysinternals suite to look around. Weirdly, though, any time I tried to open Process Monitor, Process Explorer or RootkitRevealer, they would open for about a second and then close again.
I was confident at this point that there was a virus on the computer. For testing I named a text document "Process Explorer" and opened it. It was also force-closed shortly after. I knew this was a pretty sure sign that I had something to wrestle with. I also noticed a weird rar.exe file sitting hidden on the jump drive I had used to move files over. I would delete it and it would return while the drive was plugged into the computer, so I had a pretty good guess that the program propagated itself using jump drives. After a reboot I was able to get MSE to install, but I left it alone so I could figure out the virus.
So I set out to find a way to start Process Monitor or Process Explorer, since I knew that if the virus didn't want me opening these tools, I would be able to use them to find my solution. In trying to figure out how to trick the program, I tried renaming the executables, which still didn't work. After a little bit I saw the Sysinternals Desktops application in the suite and wondered how it went about creating multiple desktops in the background. I thought (or had a small hope) that maybe the virus wasn't smart enough to notice apps running inside a different desktop. After running Desktops and opening a second desktop, I was able to open Process Monitor and Process Explorer in that second desktop.
I restarted the computer, wanting to make sure it was Desktops and not something I had done earlier that allowed this. After Windows loaded I had the same problem of not being able to run Process Monitor and Process Explorer. I fired up Desktops again, and in the second desktop I was again able to get them running fine. Desktops will forever be in my antivirus removal kit because of this.
I didn't notice anything funny in Process Explorer, and everything listed as Microsoft-signed. The machine was actually very clean for a home user. So I ran Process Monitor for a minute, stopped it, and looked for any peculiar behavior. Looking through it, I noticed what I had noticed earlier: winlogon was showing up way more than normal. After filtering to include only winlogon, I noticed that a little under every second it would check a key here:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acdcacaeaacbafbeaa
(Screenshot: Process Monitor of Winlogon Activity - Part 1)
(Screenshot: Process Monitor of Winlogon Activity - Part 2)
I also noticed it would look at PendingFileRenameOperations and also at a value called Blud under the Winlogon key. With all this info I then went back to installing MSE, and after it installed I manually installed the latest definitions, which I had downloaded earlier. I right-clicked the DLL acdcacaeaacbafbeaa.dll in the System32 folder and told MSE to scan it. It said that it had found Worm:Win32/Swimnag.gen!A. I did a search and came up with this link from Google: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3aWin32%2fSwimnag.gen%21A
I checked that the DLL was gone; good job MSE on keeping it gone. I was then able to go into the registry and delete the Blud value located under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
I also noticed the associated key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acdcacaeaacbafbeaa" was no longer there. After reviewing the scan history on the computer, I pulled up the log and saw that MSE had removed it too.
After watching taskmgr.exe and running a Process Monitor session, I could see that winlogon was back to normal. I restarted the computer one more time to see if it would boot normally. It did. The computer also stopped placing the hidden Autorun.inf and rar.exe on the jump drive, and was overall a lot more responsive. At this point I did a full scan with MSE and found no further problems.
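The three registry locations named above (the Winlogon\Notify package key, PendingFileRenameOperations, and an extra value under Winlogon) are classic persistence and self-repair points, and they are worth checking as a set rather than one at a time. As an added example that is not part of the original post, this PowerShell script audits all three: it resolves each Notify package DLL and reports its signature and hidden attribute, decodes the pending rename list, shows the Shell and Userinit values, and lists any value under Winlogon whose name is not in a baseline. The baseline of expected value names is an assumption for illustration; compare against a known-clean machine of the same Windows build rather than trusting it.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonNotifyPackages {
    # Pre-Vista Winlogon loads every DLL registered here at logon; the worm registered
    # acdcacaeaacbafbeaa.dll this way. Vista and later ignore the key, but malware may still write it.
    $notify = Join-Path $Winlogon 'Notify'
    if (-not (Test-Path $notify)) { return }
    foreach ($pkg in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty $pkg.PSPath).DllName
        # A bare file name is found via LoadLibrary search order; System32 is assumed, the usual case.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $file   = if ($exists) { Get-Item -LiteralPath $dll -Force } else { $null }
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        [pscustomobject]@{
            Package = $pkg.PSChildName
            Dll     = $dll
            Exists  = $exists
            Hidden  = [bool]($file -and (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0))
            Status  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    }
}

function Get-PendingFileRenames {
    # MultiString of source/destination pairs applied by the session manager at boot;
    # an empty destination means "delete". Malware uses it to re-plant or remove files at reboot.
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = @((Get-ItemProperty $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations)
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        [pscustomobject]@{
            Source      = $ops[$i]
            Destination = if ($ops[$i + 1]) { $ops[$i + 1] } else { '(delete)' }
        }
    }
}

function Get-UnexpectedWinlogonValues {
    # Baseline is an assumption for illustration (common XP/Win7 value names);
    # diff against a known-clean machine of the same build instead of trusting it.
    $baseline = 'Shell','Userinit','System','VmApplet','UIHost','DefaultUserName','DefaultDomainName',
        'AutoAdminLogon','AutoRestartShell','CachedLogonsCount','ReportBootOk','PowerdownAfterShutdown',
        'ShutdownWithoutLogon','LegalNoticeCaption','LegalNoticeText','DebugServerCommand','ForceUnlockLogon',
        'scremoveoption','passwordexpirywarning','AllocateCDRoms','AllocateDASD','AllocateFloppies',
        'SFCDisable','SfcQuota','ShowLogonOptions','LogonType','Background','WinStationsDisabled',
        'AllowMultipleTSSessions','PreCreateKnownFolders','DisableCAD','LastUsedUsername'
    $key = Get-Item $Winlogon
    foreach ($name in $key.GetValueNames()) {
        if ($baseline -notcontains $name) {
            [pscustomobject]@{ Name = $name; Kind = $key.GetValueKind($name); Data = $key.GetValue($name) }
        }
    }
}

'== Winlogon\Notify packages ==';            Get-WinlogonNotifyPackages   | Format-Table -AutoSize
'== PendingFileRenameOperations ==';         Get-PendingFileRenames       | Format-Table -AutoSize
'== Shell / Userinit ==';                    Get-ItemProperty $Winlogon | Select-Object Shell, Userinit | Format-List
'== Winlogon values not in baseline ==';     Get-UnexpectedWinlogonValues | Format-Table -AutoSize
```

On the machine in the story the first section would have shown the acdcacaeaacbafbeaa package pointing at an unsigned, hidden DLL, and the last section would have surfaced the Blud value. Deleting a Notify package while its DLL is still on disk is not enough: the DLL was being re-registered from a running process, which is why the post removes the file (via MSE) first and only then cleans the registry.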
CONCLUSION - I have tried to see if anyone else has used Desktops to prevent a virus from closing applications and posted the story online, but haven't seen it. I don't think this was an intended use of Desktops, but it is very interesting nonetheless. I would love to hear if this works for other viruses.
NOTE - Microsoft's stance is normally that after your system has been compromised you should reinstall. I didn't do it here because I was feeling challenged at the time and didn't have the disks for this person's computer. I normally do reinstall.
UPDATE - I shared this with Mark Russinovich, and based on what I described, the program was checking window titles using window enumeration, which only works for the current desktop. That is why I was able to use Sysinternals Desktops to create another desktop and open Process Monitor and Process Explorer there.
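The explanation above is the whole trick: EnumWindows and FindWindow only return windows on the desktop the calling thread belongs to, so a killer loop on the default desktop never sees a tool whose windows live on another desktop. As an added example that is not code from the original post or from Sysinternals, this PowerShell script reproduces what Desktops did for the author without the Desktops tool: it creates a new desktop with CreateDesktop, starts the tool with STARTUPINFO.lpDesktop pointing at it, switches to that desktop, and switches back when the tool exits. The tool path and desktop name are assumptions; the script needs an interactive Windows session.

```powershell
# Added example, not code from the original post or from Sysinternals.
# Starts a tool on a freshly created desktop. EnumWindows/FindWindow in a process on the
# default desktop only see windows on that desktop, so a window-title killer there
# never sees the tool. Assumptions: interactive Windows session; the two values below.
$ToolPath    = 'C:\Tools\procexp.exe'   # assumed location of Process Explorer
$DesktopName = 'IsolatedTools'          # assumed name for the new desktop

Add-Type -Namespace Win32 -Name Desk -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb;
    public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode, int flags, uint access, IntPtr sa);
[DllImport("user32.dll", SetLastError = true)] public static extern bool SwitchDesktop(IntPtr hDesktop);
[DllImport("user32.dll", SetLastError = true)] public static extern bool CloseDesktop(IntPtr hDesktop);
[DllImport("user32.dll", SetLastError = true)] public static extern IntPtr GetThreadDesktop(uint threadId);
[DllImport("kernel32.dll")] public static extern uint GetCurrentThreadId();
[DllImport("kernel32.dll", SetLastError = true)] public static extern uint WaitForSingleObject(IntPtr h, uint ms);
[DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CreateProcess(string app, string cmdLine, IntPtr pAttr, IntPtr tAttr, bool inherit,
    uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
'@

$GENERIC_ALL = [uint32]0x10000000
$hOriginal = [Win32.Desk]::GetThreadDesktop([Win32.Desk]::GetCurrentThreadId())
$hNew = [Win32.Desk]::CreateDesktop($DesktopName, [IntPtr]::Zero, [IntPtr]::Zero, 0, $GENERIC_ALL, [IntPtr]::Zero)
if ($hNew -eq [IntPtr]::Zero) { throw "CreateDesktop failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# lpDesktop makes every window the new process creates live on the new desktop.
$si = New-Object 'Win32.Desk+STARTUPINFO'
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$si.lpDesktop = $DesktopName
$pi = New-Object 'Win32.Desk+PROCESS_INFORMATION'
$ok = [Win32.Desk]::CreateProcess($null, "`"$ToolPath`"", [IntPtr]::Zero, [IntPtr]::Zero, $false, 0,
                                  [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
if (-not $ok) { throw "CreateProcess failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# Show the new desktop, block until the tool exits, then return to the original one.
[void][Win32.Desk]::SwitchDesktop($hNew)
[void][Win32.Desk]::WaitForSingleObject($pi.hProcess, [uint32]::MaxValue)   # INFINITE
[void][Win32.Desk]::SwitchDesktop($hOriginal)
[void][Win32.Desk]::CloseHandle($pi.hProcess); [void][Win32.Desk]::CloseHandle($pi.hThread)
[void][Win32.Desk]::CloseDesktop($hNew)
```

The new desktop has no shell, so you get the tool on a blank background; closing the tool brings you back, so leave the script running while you work. Two limits are worth stating. This only hides the tool from a killer that enumerates windows on its own desktop; one that walks the process list with CreateToolhelp32Snapshot or EnumProcesses sees the tool regardless of desktop, so renaming the executable and launching it elsewhere are complementary, not equivalent. And a process created this way still runs as you, on the same machine, so it is a way to get your tools open, not a sandbox for the malware.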
Labels: Desktops, sysinternals, Virus, Virus Removal, Windows