Super Stealthy Spyware



Let me preface this by saying that removing spyware is a lot of what I do day to day; this is the first time in years I've needed help and actually had to ask for it.

That said: I have had two computers arrive in my office, from two very different users, on two different ISPs, with what appears to be the same spyware. I've run MBAM, AVG Antivirus, and CA Antivirus on both, and found nothing significant, and I see nothing out of the ordinary in HijackThis.

But the computers basically grind to a halt over about fifteen minutes of operation. One is a laptop, the other a desktop, and again, they are very different (but both do run XP).

My fallback removal method, which has always worked before, is to boot an Ubuntu disc and look for strange things in \windows\system32 and \windows\system32\drivers (and sometimes other places, depending on the exact behavior). No luck here either, though of course I haven't done a truly exhaustive search (with tens of thousands of files to look at, I don't think I can afford to).

So I installed Wireshark on the desktop to look for strange Internet communications. The only "odd" thing I saw was an occasional ICMP Destination Port Unreachable message; the payload indicated that the failed request was a DNS lookup to a root name server (apparently randomly selected) for a seemingly random name. But the actual DNS requests are missing from the log.

So I set up a known clean computer and an old-fashioned 10Mbps repeater, and hooked the two sick computers and the clean computer to it, and ran Wireshark on the clean computer. Now, I can see the DNS requests.

No.  Time      Source       Destination     Protocol  Info
33   1.254143  10.0.1.216   192.58.128.30   DNS       Standard query A wvkputkfsb.com

Frame 33 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Twinhead_31:11:b3 (00:40:45:31:11:b3), Dst: Intel_e2:bb:9b (00:07:e9:e2:bb:9b)
Internet Protocol, Src: 10.0.1.216 (10.0.1.216), Dst: 192.58.128.30 (192.58.128.30)
User Datagram Protocol, Src Port: 39641 (39641), Dst Port: domain (53)
Domain Name System (query)

The last time I ran the test, I saw that domain name as well as stazupgt.com; whois indicates that neither are valid domain names, but of course they might have been registered and then cancelled (what they call "domain tasting" if I remember rightly).

Finally, I gave up on the desktop, which is a home system used by a little old lady; I set aside the installed system and built a new one, then put back her user account folder (a trick I use a lot on XP). After doing this, I see no sign of infection, which indicates to me that the infection is not in the user profile folder.

I'd like to fix the laptop without such an invasive procedure, since it is a work machine and has sundry and various software installed that I'd have to figure out how to reinstall. So my question is, have you ever heard of anything like this? What should I be looking for here?

A bit more info: I just ran the laptop for several minutes; here's the list of domain names it tries to look up:

inuhybkler.com
kncxqnizsx.com
oxa.com
uncncncr.com
vufolwjy.com

oxa.com is the only one I can pull up on a whois search; the others seem not to exist.

Here's the HijackThis log from the laptop, though I doubt it will help:

Logfile of HijackThis v1.99.1
Scan saved at 10:03:52 AM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\CA\AV2007\CA Anti-Virus\ISafe.exe
c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CA\AV2007\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\CA\AV2007\cctray\cctray.exe
C:\Program Files\CA\AV2007\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
E:\SpywareRemoval\Copy of HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/New%20Century/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/New%20Century/index.html
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RoxWatchTray] "c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "c:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\AV2007\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\AV2007\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229641834578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229641935515
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\AV2007\CA Anti-Virus\ISafe.exe
O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\AV2007\CA Anti-Virus\VetMsg.exe

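The post describes two network-level symptoms worth turning into a repeatable check: the infected host queries random-looking names, and it sends those queries straight to a root name server (192.58.128.30 in the posted frame) rather than to the LAN resolver, which is why a locally installed Wireshark never saw them and a capture from a second machine on a hub did. The script below is an added example for triaging a list of DNS queries pulled from such a capture; it is not code from the original post. The seven names and the source and destination addresses come from the post; the resolver address 10.0.1.1, the three benign lookups used for contrast, and the thresholds in the name heuristic are assumptions chosen for illustration.

```python
"""Triage DNS queries for the two symptoms in the post: random-looking names,
and queries that bypass the configured resolver.  Added example, not code
from the original post."""
import re
from dataclasses import dataclass
from typing import Iterable, List

VOWELS = set("aeiouy")


@dataclass(frozen=True)
class DnsQuery:
    src: str    # querying host
    dst: str    # server the query was sent to
    qname: str  # name queried


# Constructed sample capture.  The names, the source 10.0.1.216 and the
# destination 192.58.128.30 (a root server) are from the post; 10.0.1.1 as
# the LAN resolver and the three benign lookups are assumptions for contrast.
SAMPLE_QUERIES: List[DnsQuery] = [
    DnsQuery("10.0.1.216", "192.58.128.30", "wvkputkfsb.com"),
    DnsQuery("10.0.1.216", "192.58.128.30", "stazupgt.com"),
    DnsQuery("10.0.1.216", "192.58.128.30", "inuhybkler.com"),
    DnsQuery("10.0.1.216", "192.58.128.30", "kncxqnizsx.com"),
    DnsQuery("10.0.1.216", "192.58.128.30", "oxa.com"),
    DnsQuery("10.0.1.216", "192.58.128.30", "uncncncr.com"),
    DnsQuery("10.0.1.216", "192.58.128.30", "vufolwjy.com"),
    DnsQuery("10.0.1.216", "10.0.1.1", "www.update.microsoft.com"),
    DnsQuery("10.0.1.216", "10.0.1.1", "update.microsoft.com"),
    DnsQuery("10.0.1.216", "10.0.1.1", "www.synaptics.com"),
]


def second_level_label(qname: str) -> str:
    """Label left of the TLD, e.g. 'wvkputkfsb' for wvkputkfsb.com.
    Adequate for .com-style names; a real tool would use a public suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def max_consonant_run(label: str) -> int:
    """Longest run of consonants (y treated as a vowel)."""
    runs = re.findall(r"[b-df-hj-np-tv-xz]+", label)
    return max((len(r) for r in runs), default=0)


def vowel_ratio(label: str) -> float:
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def looks_generated(qname: str, min_len: int = 6) -> bool:
    """Cheap generated-name heuristic: a label of min_len or more letters with
    a long consonant cluster or almost no vowels.  Thresholds are assumptions;
    it gives false positives on names like 'schwartz' and misses some of the
    post's names, so baseline it against the host's normal traffic."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    return max_consonant_run(label) >= 4 or vowel_ratio(label) <= 0.25


def bypasses_resolver(q: DnsQuery, resolver: str) -> bool:
    """A workstation should only send DNS to its configured resolver.  A query
    addressed anywhere else (here a root server) is the stronger signal and
    catches names the heuristic above lets through."""
    return q.dst != resolver


def triage(queries: Iterable[DnsQuery], resolver: str) -> List[dict]:
    """Return one finding per suspicious query with the reasons it was flagged."""
    findings = []
    for q in queries:
        reasons = []
        if bypasses_resolver(q, resolver):
            reasons.append("sent to %s, not the resolver" % q.dst)
        if looks_generated(q.qname):
            reasons.append("random-looking name")
        if reasons:
            findings.append({"src": q.src, "qname": q.qname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_QUERIES, resolver="10.0.1.1"):
        print(f["src"], f["qname"], "; ".join(f["reasons"]))
```

Run against the sample, every root-bound query is flagged, but only four of the seven names trip the name heuristic (inuhybkler.com, oxa.com and vufolwjy.com pass it), which is the practical lesson: the destination check is the reliable one, and the capture has to be taken from a machine other than the suspect host, as the post did with the hub, because the suspect host's own capture was missing the queries.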