Saturday, April 6, 2013

Argh! - Malware Removal

Over the past week, I've ended up wasting quite a bit of time trying to resolve a bunch of annoying issues on my main development machine, to the point that I'm now at my wits' end trying to resolve these.

Early on Tuesday morning (or perhaps it might've all been that night - I can't remember now) this week, links across both browsers (but initially noticed in Firefox, which I was mainly using) started to randomly get redirected to various linkbucks pausing screens, and soon to a linkbucks "not found" page (always with a fixed subdomain). My initial thought was that perhaps it was a dodgy addon - perhaps one of the ones I had been trialling over the past month with no problems so far was suddenly doing evil stuff. All suspects in this category were promptly deleted. For a while, most symptoms abated.
Then later on Tuesday night, I had trouble after resuming from standby (something I often do with no problems): after logging in, I was left staring at a black screen with just the cursor showing. Nothing else. I could move the cursor, and it would change shape in some places as if there were hidden windows there, but no amount of clicking or hotkeys would get anything else to show. Stuck, I was forced to hard reboot. After the reboot, I tried to check the logs for clues. The only hint was that a certain ebdm or something database for the search indexing was corrupted. Oh crap. Slightly spooked by all this, I decided that perhaps a system restore was in order. Luckily, there was a restore point from Monday available. Great! Nice and recent...

At this point, I decided to call it a day and try going through these things again in the morning with a clearer head. I was basically shaking in shock - something was obviously wrong here, but I had no idea how far it went...

On Wednesday, I started by keeping the machine offline until I got a chance to check for anything running which obviously shouldn't be (for the record, there were no random startup executables, services, or things running). I also went through clearing all temp files and caches. Then, on a separate machine, I started searching for potential causes and fixes for these types of problems. It turns out that linkbucks redirection malware problems are quite commonly discussed. However, none of the manual removal checks (for files and registry changes) turned up anything. On one site, though, I did see a hint about ensuring that the settings to use a proxy weren't set (for Firefox, this turned out to be set to use system defaults, which I promptly changed to no proxy; Chrome proved more difficult, and reported waiting on a proxy for a few attempts). Finally, I also checked the DNS settings (all auto as they should be, AFAIK) and the hosts file, among others (perfectly fine, unless localhost being repeated is actually bad). For good measure, I booted Firefox in safe mode and nuked a few more addons.
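
As an added illustration of the hosts-file check mentioned above (example code written for this page, not from the post or any tool named in it): a small Node.js audit that flags entries steering a hostname away from loopback or sinkhole addresses, which is the kind of entry a redirector would plant, and that counts exact repeated lines (such as a second "127.0.0.1 localhost") separately, since those are merely untidy and not harmful. The sample file content is constructed.

```javascript
// Addresses that cannot send traffic anywhere: loopback, IPv6 loopback, or the
// 0.0.0.0 sinkhole that ad-blocking hosts files use.
const LOCAL_OR_SINKHOLE = /^(127\.|::1$|0\.0\.0\.0$)/;

// Parse hosts-file text into {ip, name, line} records; comments and blank lines are skipped.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, n) => {
    const line = raw.replace(/#.*/, '').trim();
    if (!line) return;
    const [ip, ...names] = line.split(/\s+/);
    for (const name of names) entries.push({ ip, name: name.toLowerCase(), line: n + 1 });
  });
  return entries;
}

// Report entries that override DNS with a routable address (worth investigating)
// and count exact duplicate lines (harmless, just clutter).
function auditHosts(text) {
  const suspicious = [];
  const seen = new Set();
  let harmlessDuplicates = 0;
  for (const e of parseHosts(text)) {
    const key = e.ip + ' ' + e.name;
    if (seen.has(key)) { harmlessDuplicates++; continue; }
    seen.add(key);
    if (!LOCAL_OR_SINKHOLE.test(e.ip)) {
      suspicious.push({ ...e, reason: 'overrides DNS for ' + e.name });
    }
  }
  return { suspicious, harmlessDuplicates };
}

// Constructed sample: the repeated localhost line is harmless; the 203.0.113.5
// line pins two public names to an address of someone else's choosing.
const SAMPLE_HOSTS = `# constructed sample hosts file
127.0.0.1 localhost
::1       localhost
127.0.0.1 localhost
0.0.0.0   ads.example
203.0.113.5 www.example.com search.example.net
`;

function auditSample() { return auditHosts(SAMPLE_HOSTS); }

// Against the live file on Windows (path assumed; adjust for other systems):
// const fs = require('fs');
// console.log(auditHosts(fs.readFileSync('C:\\Windows\\System32\\drivers\\etc\\hosts', 'utf8')));
```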

After all this, things were starting to look up - and then I found that the evil stuff was somehow rewriting a few links in Blogger (view blog) to redirect through linkbucks (by prefixing the URL with 'linkbucks/url/'), which would then go to the not found page. It didn't actually do this on page load, but rather some 1-2 seconds later, or immediately when a click occurred. Eventually, I managed to fix this case by clearing the Firefox cache and deleting cookies for these sites + linkbucks and a 'logoptimsely'. Things seemed to finally be on the right track with no further redirects for the rest of the day, though Google sites took ages to respond!

On Thursday, things seemed to be going well, but Chrome was still crawling like a dog, and was now complaining of a corrupted profile on load (which resolved itself by halfway through the day). Then it got one or two random redirects again on a few sites. Cue more rechecks and searching for solutions. After that, things looked stable at last.

Most of Friday was fine too, though Firefox was now frequently reporting redirect attempts on Yahoo items (I'd turned on that option). That is, until 10pm, when Google searches started failing, and then random redirects (and pages changing to reflect these corrupted links) started occurring again. At this stage, I finally started going through a few of the anti-malware tools recommended everywhere. Getting there was tough though, as this thing seemed desperate to turn every click towards these into a linkbucks delay page. MBAM turned up nothing, as did the MS tool. ComboFix started to unpack, and then aborted saying it was incompatible, leaving I don't know what junk/corruption around (though I know it reset the task manager I'd set, and also seemed to kill Flash plugins/exes running).

And here I am, typing this out on my tablet (excuse typos) as I can't sleep while mulling over the potential damage and unbootability after this, while also pondering my next step to try to oust this thing. Any suggestions gladly welcomed!

3 comments:

  1. Easiest solution that comes to mind is:

    - Boot on a Live CD
    - Backup your data somewhere else
    - Reinstall the operating system entirely, preferably Linux so these things never happen again
    - Copy data back

  2. Do NOT trust a machine that has been compromised. You don't know if there is a lower level rootkit present or if your every keystroke is being recorded. I recommend you do as the commenter above stated, and reinstall your OS. It's a lot of work but the peace of mind is worth it.

  3. Are you on Windows, OS X, or Linux?
