RESOLVED Strange script tries to run when connection is down

Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar »

computerfreaker wrote:Also, try running CCleaner - use it to clear all your caches (IE, Java, Fx, anything else it can find) and clean up your registry (make sure to back up your changes!).
Then see if this weird script tries to run...
Done, no change.

I am running Comodo firewall.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Montagar wrote:
computerfreaker wrote:Also, try running CCleaner - use it to clear all your caches (IE, Java, Fx, anything else it can find) and clean up your registry (make sure to back up your changes!).
Then see if this weird script tries to run...
Done, no change.

I am running Comodo firewall.
I was hoping maybe a corrupted Java applet... no dice, huh?

Well, maybe try disabling your firewall temporarily if you're feeling adventurous (wouldn't try it myself, but maybe you're different), or look through the Comodo docs to see if they're connected with this innoshot site.

Any luck tracking the script with Wireshark?

:idea:
I know it's a really long shot, but look through your Windows services (run services.msc) and see if you can find anything...
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:Well, maybe try disabling your firewall temporarily if you're feeling adventurous (wouldn't try it myself, but maybe you're different),
Since the issue occurs with the machine *not* connected to the Web, shouldn't be any harm in disabling the fw for that test only. If it doesn't happen with the fw disabled -- bingo.
computerfreaker wrote:I know it's a really long shot, but look through your Windows services (run services.msc) and see if you can find anything...
While we're looking at long shots, might as well also run msconfig, and check both the Startup and Services tabs. Usually, Services tab has similar entries to services.msc, but we're looking for a ghost here... hey, might as well check *all* the tabs.

Also, Task Manager\Processes, although I expect a well-written one would piggyback on explorer.exe or the generic svchost.exe. Worth a quick look.

Registry: HKCU\Software and see if anything unfamiliar shows. Several things will, but then they usually turn out to be weird names for legit sw. E. g., I have an entry, "65" ... huh? ... which when opened, proved to be the very useful Spacemonger tool. But you might find something....

Then, while still in Software, open Microsoft\ (look for any weirdos here)\Windows\CurrentVersion, and check Run (and RunOnce) for any anomalies.

Could do the same thing in HKU for Default folder and each S-x-x-xx folder.

I still don't know why this vanished the day after I reproduced it. Guardian had a good theory about a worm that hits, then slides under the radar for a while, but apparently Montagar is seeing this constantly, under the specified URLs and sequences, for almost two weeks since the OP (and for how long before posting?) -- which would seem to eliminate that.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Tom T. wrote:
computerfreaker wrote:Well, maybe try disabling your firewall temporarily if you're feeling adventurous (wouldn't try it myself, but maybe you're different),
Since the issue occurs with the machine *not* connected to the Web, shouldn't be any harm in disabling the fw for that test only. If it doesn't happen with the fw disabled -- bingo.
Hope it's that easy, but something tells me it won't be...
Tom T. wrote:
computerfreaker wrote:I know it's a really long shot, but look through your Windows services (run services.msc) and see if you can find anything...
While we're looking at long shots, might as well also run msconfig, and check both the Startup and Services tabs. Usually, Services tab has similar entries to services.msc, but we're looking for a ghost here... hey, might as well check *all* the tabs.

Also, Task Manager\Processes, although I expect a well-written one would piggyback on explorer.exe or the generic svchost.exe. Worth a quick look.
Better still - use Process Explorer, free from SysInternals. Mouse over explorer.exe, svchost.exe, and the rest of the processes - any running services piggybacking on the moused-over process will show up in the tooltip. (If something doesn't work, PM me your e-mail address - I'll send you my pre-configured Process Explorer Portable, which will definitely show you those services)
Tom T. wrote:Registry: HKCU\Software and see if anything unfamiliar shows. Several things will, but then they usually turn out to be weird names for legit sw. E. g., I have an entry, "65" ... huh? ... which when opened, proved to be the very useful Spacemonger tool. But you might find something....

Then, while still in Software, open Microsoft\ (look for any weirdos here)\Windows\CurrentVersion, and check Run (and RunOnce) for any anomalies.

Could do the same thing in HKU for Default folder and each S-x-x-xx folder.
Make sure you check out HKLM\Software as well... also HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Better still, use CCleaner's Startup Manager to see what your startup tasks are... and use services.msc to see what services are set to "automatically start".
Tom T. wrote:I still don't know why this vanished the day after I reproduced it. Guardian had a good theory about a worm that hits, then slides under the radar for a while, but apparently Montagar is seeing this constantly, under the specified URLs and sequences, for almost two weeks since the OP (and for how long before posting?) -- which would seem to eliminate that.
Well... how actively did each of you probe for the virus? It's possible this is a remarkably intelligent virus, which detects abnormal system-probing and "hides" upon "seeing" the user searching for it... I know this sounds insane, but, as you said, we're hunting for a ghost - long shots count too.

Montagar, any luck with Wireshark? More and more, it seems that's going to be the key to this puzzle... (Also, in terms of packet-sniffing - use Process Explorer's network usage monitor to see which processes are trying to do network stuff.)

:idea:
Try Process Monitor, also from SysInternals, to try and see what network stuff each process is doing. IIRC, Process Monitor #1 traps network traffic and #2 is filterable; only show network traffic, head to Google, and see what processes surface.

(Side thoughts: looks like we're going to have to track the network traffic back to its source, instead of trying to track the source of the traffic. I hope, I hope, I hope, this isn't malware - it could be ugly for a LOT of people)
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
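
The registry checks suggested in the two posts above (Run and RunOnce under HKCU, HKLM, and each hive under HKU) can be collected in one pass. This is an added example, not code from the thread or from any tool named in it; the function name Get-RunKeyEntry and the signature column are choices made here, and it assumes PowerShell 3.0 or later on the machine being examined.

```powershell
# Added example: list every value under the Run and RunOnce keys that the
# posts above suggest checking by hand. Get-RunKeyEntry is a hypothetical name.
function Get-RunKeyEntry {
    $subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce'

    # Machine-wide hive and the current user's hive.
    $roots = @('Registry::HKEY_LOCAL_MACHINE', 'Registry::HKEY_CURRENT_USER')

    # Every hive loaded under HKEY_USERS (.DEFAULT and each S-x-x-xx SID).
    # The current user's SID appears here too, so its entries are listed twice.
    # The *_Classes hives hold no Run keys and are skipped.
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)" }

    foreach ($root in $roots) {
        foreach ($sub in $subKeys) {
            $path = "$root\$sub"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path

            foreach ($name in $key.GetValueNames()) {
                # Raw command line as stored, with %VARS% left unexpanded.
                $command = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')

                # Pull the image path out of the command line: a quoted path,
                # else text up to a known extension, else the first token.
                $image = $null
                if ($command -match '^\s*"([^"]+)"' -or
                    $command -match '^\s*(.+?\.(?:exe|com|bat|cmd|dll))(?:\s|,|$)' -or
                    $command -match '^\s*(\S+)') {
                    $image = [Environment]::ExpandEnvironmentVariables($Matches[1])
                }

                # Bare names that Windows resolves through PATH are not looked
                # up here and stay 'Unresolved'.
                $signature = 'Unresolved'
                if ($image -and (Test-Path -LiteralPath $image -PathType Leaf)) {
                    $signature = (Get-AuthenticodeSignature -LiteralPath $image).Status
                }

                [pscustomobject]@{
                    Key       = $key.Name
                    Name      = $name
                    Command   = $command
                    Image     = $image
                    Signature = $signature
                }
            }
        }
    }
}

# Group the entries by signature status so unsigned or unresolved ones stand out.
Get-RunKeyEntry | Sort-Object Signature, Key | Format-Table -AutoSize -Wrap
```

A status other than Valid only marks an entry as worth a closer look; plenty of legitimate software ships unsigned, as the "65" entry mentioned above shows for oddly named keys.
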
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:Well... how actively did each of you probe for the virus? It's possible this is a remarkably intelligent virus, which detects abnormal system-probing and "hides" upon "seeing" the user searching for it...
I did *nothing* between the day it appeared, and the next day, when it disappeared. Only after the disappearance did I do another AV scan. ... is using "find" in Regedit "abnormal probing"? Wow, that's one alert virus! :shock: ... and again, IIRC, I didn't start the forensics until after it had disappeared.
computerfreaker wrote:Montagar, any luck with Wireshark? More and more, it seems that's going to be the key to this puzzle...
Which is exactly where Giorgio was a week ago, and we haven't seen his analysis of the results. Will flag it for him.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Tom T. wrote:
computerfreaker wrote:Well... how actively did each of you probe for the virus? It's possible this is a remarkably intelligent virus, which detects abnormal system-probing and "hides" upon "seeing" the user searching for it...
I did *nothing* between the day it appeared, and the next day, when it disappeared. Only after the disappearance did I do another AV scan. ... is using "find" in Regedit "abnormal probing"? Wow, that's one alert virus! :shock: ... and again, IIRC, I didn't start the forensics until after it had disappeared.
Well, we can rule that out, at least...
Tom T. wrote:
computerfreaker wrote:Montagar, any luck with Wireshark? More and more, it seems that's going to be the key to this puzzle...
Which is exactly where Giorgio was a week ago, and we haven't seen his analysis of the results. Will flag it for him.
I like the looks of that external Google JS, the one with the long obfuscation-style string attached... everything else looks benign, but then again I'm no HTTP expert...
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

computerfreaker wrote:I like the looks of that external Google JS, the one with the long obfuscation-style string attached.
Agree. I've already PMd Giorgio, and it's Monday morning in Italy. Hopefully, he'll find some time to look at it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Strange script tries to run when connection is down

Post by Giorgio Maone »

Tom T. wrote:
computerfreaker wrote:I like the looks of that external Google JS, the one with the long obfuscation-style string attached.
Agree. I've already PMd Giorgio, and it's Monday morning in Italy. Hopefully, he'll find some time to look at it.
I didn't comment on the HttpFox logs because there wasn't anything interesting about them.
All the requests were kosher, including the "obfuscation-style" named one.
I was hoping to see a 30x redirect there (since the script we're after is not shown in the source), but there's none :(
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Giorgio Maone wrote:All the requests were kosher, including the "obfuscation-style" named one.
I was hoping to see a 30x redirect there (since the script we're after is not shown in the source), but there's none :(
Darn.

Well, speaking of Sysinternals (unfortunately bought up by MS), I have a freeware from them called Autoruns, which does just what it says. Tabbed, so you can select "Everything", or individual tabs, Services, Drivers, Boot Execute (blank, in my case -- good!)....
http://technet.microsoft.com/en-us/sysi ... 63902.aspx
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

You'll probably be surprised at how many executables are launched automatically!
Maybe *that* will find something? Totally freeware, and just a 581k download. Extract and run -- no "installation" required.

Montagar?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar »

Tom T. wrote:Maybe *that* will find something? Totally freeware, and just a 581k download. Extract and run -- no "installation" required.

Montagar?
I will give that program a try.

I took a look at things using process explorer and didn't find anything unusual.

I have also been doing packet monitoring and haven't come up with anything suspicious yet. I think it's possible that this "thing" whatever it is, may attempt to make some external contact from time to time (possibly to update a URL list).

I wish that there was something like NoScript for a completely different browser like IE or Opera, that way I could determine for sure that it's not something directly attached to FF.

Tom T. - It disappeared when you disabled and then re-enabled all of your addons, is that correct?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Giorgio Maone wrote:I didn't comment on the HttpFox logs because there wasn't anything interesting about them.
All the requests were kosher, including the "obfuscation-style" named one.
I was hoping to see a 30x redirect there (since the script we're after is not shown in the source), but there's none :(
Dang it.

Montagar, was that the entire HttpFox log? (Please, please say "no"...)
Tom T. wrote:Well, speaking of Sysinternals (unfortunately bought up by MS), I have a freeware from them called Autoruns, which does just what it says. Tabbed, so you can select "Everything", or individual tabs, Services, Drivers, Boot Execute (blank, in my case -- good!)....
http://technet.microsoft.com/en-us/sysi ... 63902.aspx
I use Autoruns as well - great program. Unfortunately, it's not quite portable (it's MS, what do you expect? :roll:), but PortableApps.com has a wrapper app that makes it truly portable... http://portableapps.com/node/13087
Montagar wrote:I took a look at things using process explorer and didn't find anything unusual.

I have also been doing packet monitoring and haven't come up with anything suspicious yet. I think it's possible that this "thing" whatever it is, may attempt to make some external contact from time to time (possibly to update a URL list).
Double dang it. This whatever-it-is is certainly doing a dang good job of hiding... and I have a very strong inclination to say some strong things...

One more idea... sorry to get this nosy, but I'm a little desperate as my ideas run out...
#1: is there anything you've installed recently? Anything? (Even a Windows update or Fx update counts)

#2: Sorry to get this nosy, but maybe you and Tom could do an application compare via PM and see what apps you have in common? Maybe, just maybe, something will turn up... some obscure app nobody would ever notice without a microscope directly on it...
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Montagar wrote:Tom T. - It disappeared when you disabled and then re-enabled all of your addons, is that correct?
Correct. Thu Oct 29, 2009 4:15 am (UTC)
Tom T. wrote:TEST: Disabled all addons listed in previous post, except NS. Added all back, one by one. No issue. Can't reproduce it now.
It *could* just be coincidence. How would disabling, then re-enabling a corrupted add-on extinguish the malcode, if you don't change or update the add-on, but merely click "Enable"?

And you also disabled all of yours, including plugins, then re-enabled them, correct? And the issue persists.

@ computerfreaker: Portability shouldn't be an issue here. Even fully extracted, Autoruns is only slightly > 1 MB.
#1: is there anything you've installed recently? Anything? (Even a Windows update or Fx update counts)
Can't argue with you there. But the OP date, 27 Oct, and the date I reproduced it, 28 Oct. in the US, were several weeks after the October MS Patch Tuesday of 13 October. I don't allow Auto-Update to install things, so no MS updates in the interim.

And being weird, I'm still on Fx 2.0.0.20 most of the time, which no longer receives MZ updates.
I tried it on Fx Portable 3.5.3, as noted back then, but that was after it had already disappeared. No issue.
I don't remember any other updates to add-ons or plugins around that time. Flash plugin update was issued 17 July, and apparently installed on 23 July. But Montagar disabled Flash as well, right? ... still had the issue. If Flash update were the vector for infection, then why did mine disappear? :?:
#2: Sorry to get this nosy, but maybe you and Tom could do an application compare via PM and see what apps you have in common? Maybe, just maybe, something will turn up... some obscure app nobody would ever notice without a microscope directly on it...
I can't immediately think of any app that I'd object to posting here (though I could change my mind lol).

WHOA! Montagar, do you have LogMeIn Hamachi VPN? I had a support issue with the version installed, didn't remember the date, but the Program Files folder shows "modified 10/29/2009" for both hamachi-2.exe and hamachi-2-ui.exe. BUT ... that was 12 hours after the above post about *not* seeing the issue. Close, but no cigar.

Still hope Autoruns shows something.

Edit:
Montagar wrote:I wish that there was something like NoScript for a completely different browser like IE or Opera, that way I could determine for sure that it's not something directly attached to FF.
Agree. Giorgio is working on porting NS to Google Chrome, AFAIK, but I don't think it's imminent. But could you do packet monitoring with IE or Opera, and see if there is any difference under the identical circumstances on Fx?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Montagar
Junior Member
Posts: 43
Joined: Tue Oct 27, 2009 11:44 pm

Re: Strange script tries to run when connection is down

Post by Montagar »

computerfreaker wrote:Montagar, was that the entire HttpFox log? (Please, please say "no"...)
Unfortunately yes, that is the complete log.
One more idea... sorry to get this nosy, but I'm a little desperate as my ideas run out...
#1: is there anything you've installed recently? Anything? (Even a Windows update or Fx update counts)

#2: Sorry to get this nosy, but maybe you and Tom could do an application compare via PM and see what apps you have in common? Maybe, just maybe, something will turn up... some obscure app nobody would ever notice without a microscope directly on it...
The problem is that I haven't installed anything recently, but the only way I found this "problem" was because I installed NoScript for the first time back in October. So I have absolutely no idea when this may have started. I wish I had known about NoScript a long time ago.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Strange script tries to run when connection is down

Post by Tom T. »

Oops, my edit cross-posted with your last post. Please see the edit above.

Right, you could have had this for years, and wouldn't know without NoScript's powers. Even with NS, I wouldn't have seen it if you hadn't brought it up, as I don't use Google. I use SSL-secured Scroogle, which strips all the junk off Google before sending you your search results -- and for which you do *not* have to allow scripting, even from Scroogle.

I do use Yahoo mail. They run 60-80 scripts at a time under mail.yahoo.com. Guardian had mentioned earlier that some sites allow third-party code to run under the site's own domain name (a terrible policy, as it somewhat defeats NS). But I keep hitting the same wall -- why did it disappear for me, but still exist two weeks later for you? :?:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Strange script tries to run when connection is down

Post by computerfreaker »

Tom T. wrote:
Montagar wrote:Tom T. - It disappeared when you disabled and then re-enabled all of your addons, is that correct?
Correct. Thu Oct 29, 2009 4:15 am (UTC)
Tom T. wrote:TEST: Disabled all addons listed in previous post, except NS. Added all back, one by one. No issue. Can't reproduce it now.
It *could* just be coincidence. How would disabling, then re-enabling a corrupted add-on extinguish the malcode, if you don't change or update the add-on, but merely click "Enable"?

And you also disabled all of yours, including plugins, then re-enabled them, correct? And the issue persists.
*shakes head*
Tom T. wrote:@ computerfreaker: Portability shouldn't be an issue here. Even fully extracted, Autoruns is only slightly > 1 MB.
I know, but it leaves a few registry entries - I'm a stickler for keeping a computer clean. ;)
Portability might not be a big deal for Montagar, but it is for me... :)
Tom T. wrote:
#1: is there anything you've installed recently? Anything? (Even a Windows update or Fx update counts)
Can't argue with you there. But the OP date, 27 Oct, and the date I reproduced it, 28 Oct. in the US, were several weeks after the October MS Patch Tuesday of 13 October. I don't allow Auto-Update to install things, so no MS updates in the interim.

And being weird, I'm still on Fx 2.0.0.20 most of the time, which no longer receives MZ updates.
I tried it on Fx Portable 3.5.3, as noted back then, but that was after it had already disappeared. No issue.
I don't remember any other updates to add-ons or plugins around that time. Flash plugin update was issued 17 July, and apparently installed on 23 July. But Montagar disabled Flash as well, right? ... still had the issue. If Flash update were the vector for infection, then why did mine disappear? :?:
I don't know... something's not right here. There's not even an apparent infection vector...
What ISP do you use? (Real question, do they make you install any s/w to use their service? I use AOL, and they make me install their s/w to even connect to the 'net - including a bunch of tray apps & background services)
Tom T. wrote:
#2: Sorry to get this nosy, but maybe you and Tom could do an application compare via PM and see what apps you have in common? Maybe, just maybe, something will turn up... some obscure app nobody would ever notice without a microscope directly on it...
I can't immediately think of any app that I'd object to posting here (though I could change my mind lol).

WHOA! Montagar, do you have LogMeIn Hamachi VPN? I had a support issue with the version installed, didn't remember the date, but the Program Files folder shows "modified 10/29/2009" for both hamachi-2.exe and hamachi-2-ui.exe. BUT ... that was 12 hours after the above post about *not* seeing the issue. Close, but no cigar.
Maybe there's something there... Montagar, do you have Hamachi?
Even if the infection vanished before the modified date for Hamachi, that doesn't mean it was gone before Hamachi updated - changing the modified date/time for a file is as simple as an API call. (I know from personal experience with file time-changing VB6 code; EVERY time - accessed, created, & modified - can be changed with an API)
Tom T. wrote:Still hope Autoruns shows something.
Ditto...

Another idea - any unusual audio/video codecs on your computer?
Tom T. wrote:Edit:
Montagar wrote:I wish that there was something like NoScript for a completely different browser like IE or Opera, that way I could determine for sure that it's not something directly attached to FF.
Agree. Giorgio is working on porting NS to Google Chrome, AFAIK, but I don't think it's imminent. But could you do packet monitoring with IE or Opera, and see if there is any difference under the identical circumstances on Fx?
IIRC, Wireshark captures all packets, not just Fx packets... so it would get the IE & Chrome packets as well.
EDIT: nvm, just understood what you're really saying - he should try going to Google with IE or Chrome, and keep an eye on the network packets while he does that.
Tom T. wrote:Even with NS, I wouldn't have seen it if you hadn't brought it up, as I don't use Google. I use SSL-secured Scroogle, which strips all the junk off Google before sending you your search results -- and for which you do *not* have to allow scripting, even from Scroogle.
I use Scroogle too, and I was curious to see if I have this weird thing... so I headed over to Google. NO innoshot.
EDIT: well, I do have referrers blocked - I'll turn off RP and see if anything happens.
EDIT 2: nope, even with RP off nothing unusual happened. Just Google and about:blank scripts running...
Tom T. wrote:Guardian had mentioned earlier that some sites allow third-party code to run under the site's own domain name (a terrible policy, as it somewhat defeats NS). But I keep hitting the same wall -- why did it disappear for me, but still exist two weeks later for you? :?:
Tom, did you do any kind of deletion before the infection vanished? Cache-clearing? Registry editing? Anything????

My idea of an "intelligent" malware has gone down the toilet, since any virus with half a grain of intelligence would shut down Wireshark (ala Conficker) or close when Wireshark opens... but it keeps running. This is weird as can be...
Montagar wrote:Unfortunately yes, that is the complete log.
Dang it.

:idea:
Tom T. wrote:
Tom T. wrote:TEST: Disabled all addons listed in previous post, except NS. Added all back, one by one. No issue. Can't reproduce it now.

It *could* just be coincidence. How would disabling, then re-enabling a corrupted add-on extinguish the malcode, if you don't change or update the add-on, but merely click "Enable"?
If it was an addon, the order in which you disabled/enabled them could be significant... I know, I know, it shouldn't be - but I've heard addon conflicts are sometimes solved by disabling/enabling addons in a certain order. Even the installation order can be important in an addon conflict... is it possible, maybe, that the order you disabled/enabled the addons is important (critical) here?

Running out of ideas,
computerfreaker
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5