Drive-By-Download Virus

Started by November 29, 2009 12:34 AM
14 comments, last by LessBread 14 years, 11 months ago
Fellow software engineers, I somehow managed to get a drive-by-download virus installed. It was this fake virus scanner that installed an executable into C:\Windows\System32\winupdate86.exe. I was able to kill all this without much problem. Now, when I do any Google, Yahoo or Bing search (either in FF or IE), the page occasionally goes to some scummy spam website (DO NOT VISIT ANY OF THEM):

Quote: bu520.com pricingcentral . com frontrunningdomainname . com collegejitters . net fns . usda . com myther . com justgving . com netaxle . com wkrz-news4 . com justluxe . com

Whenever the browser visits any of these sites, you're either presented with some kind of fake news article about how a work-at-home mom made $5000 using Google, or some other spam crap. Occasionally, you're redirected to yet another drive-by-download site which installs MORE crap onto your system.

So, I thought this was some kind of Javascript injection technique which I've seen before in the go.google virus. However, after turning off Java and Javascript, I still get redirected, but the page isn't quite able to do what it wants to. When I looked at the source code of the site, it was just some HTML boilerplate with a script entry. The script redirected you (document.location =) to this site: r9237242.cn (the link in the original post is safe to click because it resolves to a Google search for the domain, http://www.google.com/search?source=ig&hl=en&rlz=1G1GGLQ_ENUS307&=&q=r9237242.cn&aq=f&oq=&aqi= ; DO NOT VISIT THE ACTUAL DOMAIN). Based on Google, there doesn't seem to be a lot known about this domain. However, the results all say the same thing: root-kit infection.

I've already run all the scanners that exist. I've dug through Process Explorer and HijackThis logs. I've run the GMER root-kit detector application, the Runalyzer utility from S&D, and the ComboFix utility from Bleeping Computer. I've even performed a manual search of all the typical places:
- C:\WINDOWS, System32, System32\Drivers, System32, TEMP
- Registry Run, RunOnce, RunOnceService, AppInit
- Handles and libraries attached to processes (through Process Explorer)
- Scheduled Tasks
- Winsock LSPs
- Windows Services

Nothing. I can't find this damn thing and I'm starting to go out of my mind. Before you say "format," I'd rather find this thing. Go to its house. Piss on its mother. Anybody know elsewhere I can look?
I'm amazed you got a virus by just visiting a page using Firefox. I'd report that to the Firefox development team.
Quote: Original post by Sirisian
I'm amazed you got a virus by just visiting a page using Firefox. I'd report that to the Firefox development team.

You'd be surprised.
I found that most of the drive-by viruses take the form of iframes embedded into advertisements, and I have never gotten a virus warning since I installed Adblock Plus.
So it appears that the function calls SendCompleteHandler, PacketIndicateHandler and SendHandler have been hooked in NDIS.sys.

I'm still poking around, but it seems this is where the virus is redirecting the requests from...
I had the ntos.exe virus a while ago. It downloaded and ran itself automatically; its first move was to shut down the firewall, so some other guys came with it too. I pushed reset and got the net cable out of the machine.
After reboot, one core was at 100%.
I ran a virus scan.
It didn't recognize the virus, but luckily it marked it as "non accessible/whatever."
I tried to google it, and fortunately I could find a reg-cleaner (and had to trust it) that had to be run in Safe Mode.
It helped.

SDFix:
http://forums.techguy.org/malware-removal-hijackthis-logs/585177-solved-how-remove-ntos-exe.html
Try "Rootkit Unhooker"
Have you looked at the \windows\system32\drivers\etc\hosts file to see if the search engines are remapped to those other sites?
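As an added example following up on the hosts-file suggestion above (this is not code from anyone in the thread), the script below parses a Windows hosts file and flags any entry that maps a search-engine domain to an address other than loopback. The sample hosts content is constructed for the demo; the 203.0.113.x addresses are documentation-range placeholders, not real redirect targets. Loopback mappings are deliberately ignored, because ad-blocking hosts lists legitimately point unwanted domains at 127.0.0.1; the pattern worth flagging is a search engine pointed at a routable address. Parsing the whole file matters because malware commonly pads its entries down past a run of blank lines so they scroll out of view in Notepad.

```python
import ipaddress

# Search-engine domains the original poster saw being redirected.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com")

# Default location of the hosts file on Windows (assumed standard install path).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample; NOT the hosts file from the thread's infected machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost



# injected entries padded down by blank lines so they scroll out of view
203.0.113.7     www.google.com google.com
203.0.113.7     www.bing.com
203.0.113.9\tsearch.yahoo.com   # tab-separated, trailing comment
127.0.0.1       ad.doubleclick.net
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Handles full-line and trailing '#' comments, blank lines, tab separators,
    and lines that map several hostnames to a single address.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; the resolver ignores such lines too
        for name in parts[1:]:
            yield addr, name.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_redirects(text):
    """Return [(ip, hostname)] for watched domains mapped to a non-loopback address."""
    return [
        (str(addr), name)
        for addr, name in parse_hosts(text)
        if is_watched(name) and not addr.is_loopback
    ]


def check_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read a real hosts file and return its suspicious entries."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return find_redirects(f.read())


if __name__ == "__main__":
    for ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

Run it on the live machine with check_hosts_file(); an empty result only rules out this one redirection mechanism, which is consistent with the original poster's later finding that the hooks were lower in the stack.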
I think I killed it. After doing some digging with RKU (Rootkit Unhooker) and GMER, it appears that ATAPI.SYS was infected with a rootkit. I booted up with BartPE and copied a few files (just in case) from an uninfected PC:

System Files:
ntkrnlpa.exe
advapi32.dll
ntdll.dll

Drivers:
ntfs.sys
atapi.sys
classpnp.sys
ndis.sys
ntfs.sys
acpi.sys

When I did an analysis of the files, the uninfected atapi.sys differed from the one on the infected system. The rest of the files had the same signatures.
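The comparison described in the post above, as an added example that is not the original poster's code: hash a list of system files and drivers on the suspect volume and compare them against copies taken from a known-clean machine. Two caveats a practitioner would want: the comparison has to be run from boot media such as BartPE, exactly as the poster did, because a rootkit that has hooked the disk or file-system stack can hand the original bytes to anything reading the file on the live system; and the reference copies must come from the same Windows version, service pack and hotfix level, or legitimate updates will show up as differences. The directory layout and file contents below are a constructed fixture standing in for the clean and infected volumes; the "patched" atapi.sys is just a few bytes overwritten, not malware.

```python
import hashlib
import os
import tempfile

# Files the original poster copied from an uninfected PC for comparison.
SYSTEM_FILES = ["ntkrnlpa.exe", "advapi32.dll", "ntdll.dll"]
DRIVER_FILES = ["ntfs.sys", "atapi.sys", "classpnp.sys", "ndis.sys", "acpi.sys"]

# Relative paths under a Windows directory (assumed standard layout).
RELATIVE_PATHS = [os.path.join("system32", f) for f in SYSTEM_FILES] + [
    os.path.join("system32", "drivers", f) for f in DRIVER_FILES
]


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_trees(clean_root, suspect_root, relpaths=RELATIVE_PATHS):
    """Return {relpath: 'match' | 'differs' | 'missing'} for each listed file.

    clean_root is the Windows directory of a known-good machine (or its copy);
    suspect_root is the Windows directory of the volume being examined,
    mounted offline from boot media.
    """
    results = {}
    for rel in relpaths:
        clean_path = os.path.join(clean_root, rel)
        suspect_path = os.path.join(suspect_root, rel)
        if not os.path.isfile(suspect_path):
            results[rel] = "missing"
        elif sha256_of(clean_path) == sha256_of(suspect_path):
            results[rel] = "match"
        else:
            results[rel] = "differs"
    return results


def changed_files(results):
    """Base names of every file that did not match the clean copy."""
    return sorted(os.path.basename(k) for k, v in results.items() if v != "match")


def build_demo_trees():
    """Constructed fixture: identical dummy files, then atapi.sys patched on the suspect side."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "clean")
    suspect = os.path.join(root, "suspect")
    for rel in RELATIVE_PATHS:
        for base in (clean, suspect):
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"MZ" + rel.encode() * 64)  # dummy content, not a real PE
    # Same size, a handful of bytes changed: the kind of in-place patch that
    # only a byte-for-byte or hash comparison catches.
    patched = os.path.join(suspect, "system32", "drivers", "atapi.sys")
    with open(patched, "r+b") as f:
        f.seek(64)
        f.write(b"\x90\x90\x90\x90")
    return clean, suspect


def demo():
    """Build the fixture and return the comparison results."""
    clean, suspect = build_demo_trees()
    return compare_trees(clean, suspect)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:8} {rel}")
```

On a real case, point compare_trees at the clean machine's Windows directory and the offline-mounted suspect volume; a "differs" on a driver whose version, size and timestamp look unchanged is the signal the poster was after.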
When this happens to me (rarely, fortunately), my immediate reaction is to do a system restore. Normally, Windows will automatically create restore points each time you install software, or every few days. So far it has always been enough to get rid of the virus.

Y.
