Saturday, April 6, 2013

Argh! - Malware Removal

Over the past week, I've ended up wasting quite a bit of time trying to resolve a bunch of annoying issues on my main development machine to the point that I'm now at my wits end trying to resolve these.

Early on Tuesday morning (or perhaps it might've all been that night - I can't remember now) this week, links across both browsers (but initially noticed in Firefox, which I was mainly using) started to randomly get redirected to various linkbucks pausing screens, and soon to a linkbucks "not found" page (always with a fixed subdomain). My initial thoughts were that perhaps it was a dodgy addon - perhaps one of the ones I had been trialling over the past month with no problems so far was doing evil stuff all of a sudden. All suspects in this category were promptly deleted. For a while, most symptoms abated.
Then later on Tuesday night, I had troubles after resuming from standby (something I often do with no problems): after logging in, I was left staring at a black screen with just the cursor showing. Nothing else. I was able to move the cursor, and it would change shape in some places as if there were hidden windows there. But no amount of clicking or hotkeys would get anything else to show. Stuck, I was forced to hard reboot. After reboot, I tried to check the logs for clues. The only hints were that a certain ebdm or something database for the search indexing was corrupted. Oh crap. Slightly spooked by all this, I decided that perhaps a system restore was in order. Luckily, there was a restore point from Monday available. Great! Nice and recent...

At this point, I decided to call it a day, and try going through these things again in the morning with a clearer head. At this point I was basically shaking in shock - something is obviously wrong here, but I had no idea how far this goes...

On Wednesday, I started by keeping the machine offline until I got a chance to check for anything running which obviously shouldn't be (for the record, there were no random startup executables, services, or things running). I also went through clearing all temp files and caches. Then, on a separate machine, I started searching for potential causes and fixes to these types of problems. It turns out that linkbucks redirection malware problems are quite commonly discussed. However, none of the manual removal checks (for files and registry changes) turned up anything. On one site though, I did see a hint about ensuring that the settings to use a proxy weren't set (for Firefox, this turned out to be set to use system defaults, which I promptly changed to no proxy; Chrome proved more difficult, and reported waiting on a proxy for a few attempts). Finally, I also checked the DNS settings (all auto as they should be AFAIK), and the hosts file among others (perfectly fine, unless localhost being repeated again is actually bad). For good measure, I booted Firefox in safe mode and nuked a few more addons.

After all this, things were starting to look up - and then I found that the evil stuff was somehow rewriting a few links in Blogger (view blog) to redirect through linkbucks (by prefixing the URL with 'linkbucks/url/'), which would then go to the not found page. It didn't actually do this on page load, but rather some 1-2 secs later, or immediately when a click occurred. Eventually, I managed to fix this case by clearing the Firefox cache and deleting cookies for these sites + linkbucks and a 'logoptimsely'. Things seemed to finally be on the right track with no further redirects for the rest of the day, though Google sites took ages to respond!

On Thursday, things seemed to be going well, but Chrome was still crawling like a dog, and was now complaining of a corrupted profile on load (which resolved itself by halfway through the day). Then, it got one or two random redirects again on a few sites. Cue more rechecks and searching for solutions. After that, things looked stable at last.

Most of Friday was fine too, though Firefox was now frequently reporting redirect attempts on Yahoo items (I'd turned on that option). That is until 10pm, when Google searches started failing, and then random redirects (and pages changing to reflect these corrupted links) started occurring again. At this stage, I finally started going through a few of the anti-malware tools recommended everywhere. Getting there was tough though, as this thing seemed determined to delay every click towards these tools on linkbucks. MBAM turned up nothing, as did the MS tool. Combofix started to unpack, and then it aborted saying it was incompatible, leaving I don't know what junk/corruption around (though I know it reset the task manager I'd set, and also seemed to kill Flash plugins/exes running).

And here I am, typing this out on my tablet (excuse typos) as I can't sleep while mulling over the potential damage and unbootability after this, while also pondering my next step to try to oust this thing. Any suggestions gladly welcomed!


  1. Here's a few things you could try:

    1. Open a command prompt as an administrator and run: sfc /scannow
    This will scan your system files for any modifications which may have been caused by the malware. If it finds integrity violations and cannot fix them, you may have to consider reinstalling Windows.

    2. Backup your bookmarks and delete your %AppData%\Mozilla folder. It is possible that the malware may have done some shady things to your Firefox profile which may be causing issues. I'd also recommend uninstalling Firefox, deleting the folder from Program Files, and checking all your plugins (not addons) for anything suspicious.

    3. Inspect the locations and files of all your start-up programs. I've seen malware add start-up entries with seemingly safe names like "NOD32.exe", which don't look so safe when you look where they are located.

    4. Open msinfo32, go to Software Environment -> Loaded Modules. This will give you a list of all libraries in use. Sort by path and look for anything out of place.

    I'm not sure what else to suggest since I'm not too familiar with your system or the malware. Let me know if you'd be interested in a TeamViewer session to try and get things sorted!
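The checks the post describes (proxy settings, hosts file, DNS, auto-start entries) and the commenter's suggestions (start-up program locations, msinfo32 loaded modules) can be gathered in one read-only pass. The script below is an added example, not code from the post or its commenters; it collects those indicators on a Windows machine into a report for inspection. The output path, the list of "expected" module directories, and the choice of `Get-WmiObject` (available on Windows 7 era PowerShell) are assumptions made for this example; it changes nothing on the host.

```powershell
# Added example (not from the post or its commenters): read-only triage of the
# indicators discussed above. Run from an elevated PowerShell prompt.
# Assumptions: report path and the "expected" module roots below.

$report = Join-Path $env:USERPROFILE 'triage-report.txt'   # assumed output location
$expectedRoots = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Write-Section($title) { "`n=== $title ===" }

$out = @()

# 1. System (WinINet) proxy settings. Chrome and IE honour these, and Firefox
#    uses them when set to "system defaults". ProxyEnable=1 or an
#    AutoConfigURL on a machine that should have no proxy needs explaining.
$out += Write-Section 'Proxy settings (HKCU Internet Settings)'
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$out += "ProxyEnable   : $($inet.ProxyEnable)"
$out += "ProxyServer   : $($inet.ProxyServer)"
$out += "AutoConfigURL : $($inet.AutoConfigURL)"

# 2. Hosts file: report only mappings that point somewhere other than a
#    loopback address. Repeated "127.0.0.1 localhost" lines are harmless.
$out += Write-Section 'Non-loopback hosts entries'
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content $hostsPath)) {
    $line = ($raw -split '#')[0].Trim()          # strip comments
    if ($line -eq '') { continue }
    $parts = $line -split '\s+'
    if ($parts[0] -notmatch '^(127\.|::1$)') { $out += $line }
}

# 3. DNS servers per enabled adapter. A static server on a machine that is
#    supposed to be "all auto" is a classic redirect mechanism.
$out += Write-Section 'DNS servers'
foreach ($nic in (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
    $out += "$($nic.Description): $($nic.DNSServerSearchOrder -join ', ')"
}

# 4. Auto-start entries with the command they actually run. A familiar name
#    in an unfamiliar directory is the thing to look at.
$out += Write-Section 'Startup commands'
foreach ($s in (Get-WmiObject Win32_StartupCommand)) {
    $out += "$($s.Name) [$($s.Location)] -> $($s.Command)"
}

# 5. Loaded modules outside Windows / Program Files, the same data msinfo32
#    shows under Loaded Modules, pre-filtered and sorted by path.
$out += Write-Section 'Loaded modules outside expected directories'
$odd = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # access denied on some processes
    foreach ($m in $mods) {
        $f = $m.FileName
        if (-not $f) { continue }
        $fl = $f.ToLower()
        $inExpected = $false
        foreach ($root in $expectedRoots) {
            if ($fl.StartsWith($root)) { $inExpected = $true; break }
        }
        if (-not $inExpected) { "$f  (pid $($p.Id) $($p.ProcessName))" }
    }
}
$out += $odd | Sort-Object -Unique

$out | Tee-Object -FilePath $report
```

The report is only a starting point: an entry under "Loaded modules outside expected directories" is often a legitimate third-party tool, so compare each path against what you know is installed rather than treating every hit as malicious, and keep the commenters' point in mind that a clean-looking report does not prove a compromised machine is clean.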

  2. Easiest solution that comes to mind is:

    - Boot on a Live CD
    - Backup your data somewhere else
    - Reinstall the operating system entirely, preferably Linux so these things never happen again
    - Copy data back

  3. Do NOT trust a machine that has been compromised. You don't know if there is a lower level root kit present or if your every keystroke is being recorded. I recommend you do as the commenter above stated, and reinstall your OS. It's a lot of work but the peace of mind is worth it.

  4. Are you on Windows, OS X, or Linux?