NEW Malware (confirmed) found in \windows\system32\efsadub.dll

A friend of mine called me this morning saying that his browser was acting very odd. Here is what happens:

  1. Open IE or Firefox and go to a search portal (Google or Yahoo)
  2. Type in something to search (“winter coat”)
  3. On the results page, if you right-click on a link and “open in new tab/window”, the page opens and immediately gets redirected to some other page (usually some other portal site)
  4. HOWEVER, if you right-click on a link and select “copy shortcut”, then MANUALLY open a tab and paste the link, the page opens just fine

NOTE: my friend is also an IT person

We checked for proxy settings, extra processes running, etc. We ran the usual anti-spyware/anti-virus and all came back clean as usual.
Avast - clean
HiJackThis - normal
MalwareBytes - clean
Spybot SD - clean (just usual cookies)

However, running PROCEXP, I happened to notice this line:
C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\efsadub.dll”,DWLGXPLFFX
which was running as a sub-process under svchost.exe (C:\WINDOWS\system32\svchost.exe -k netsvcs).
See attached screen capture.

The file “C:\WINDOWS\system32\efsadub.dll” (notice the “b” in the filename) had its bits set as “read-only”, “hidden” and “system”. When we go to change the attributes, we get “Access Denied” (from the Administrator account). Hell, we even tried to access this in Safe Mode with Command Prompt only, and we get the same error.

We could not rename the file either, obviously.

I was finally able to change the attributes and rename the file after running “CACLS.EXE efsadub.dll /G EVERYONE:F” on the file.

Once the file was renamed and the computer rebooted, the problem went away.

Can I submit this file to Avast so that it can be included in the next signature release?
FYI, VirusTotal already shows:
“Symantec 20091.2.0.41 2010.01.31 Suspicious.Insight”
for this file.

Now, the only thing left for my friend’s computer is … how do I remove that entry:
C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\efsadub.dll”,DWLGXPLFFX
from his system? It still shows up after reboot, but the file “efsadub.dll” is now gone.

NOTICE: there is a Microsoft Windows file named “efsadu.dll” (the spyware is efsadub.dll, there is “b” in the filename)
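As an added triage example (this is not code from the original post, and the function names are mine), the following PowerShell automates what the post did by eye in Process Explorer: list rundll32.exe instances with their parent process, pull out the DLL and export each one was started with, flag a DLL whose name is a legitimate System32 DLL name plus one trailing character (efsadu.dll vs. efsadub.dll), and report the attributes and ACL of the suspect file. It assumes `$KnownGood` is a list of DLL file names collected from a known-clean System32 of the same Windows build; the sample command lines at the bottom are constructed so the detection part runs offline. One caveat a practitioner should keep in mind: everything here goes through the normal Windows API, so a rootkit that filters file or process listings can hide from it, in which case the file has to be inspected from a clean boot.

```powershell
# Added example; not from the original post. Function names are hypothetical.

function Get-LookalikeDllName {
    param([string]$Name, [string[]]$KnownGood)
    # Returns the legitimate name that $Name mimics (legit name + one trailing
    # character before the extension), or $null if it mimics none of them.
    $nBase = [IO.Path]::GetFileNameWithoutExtension($Name)
    foreach ($g in $KnownGood) {
        $gBase = [IO.Path]::GetFileNameWithoutExtension($g)
        if (($nBase.Length -eq ($gBase.Length + 1)) -and
            $nBase.StartsWith($gBase, [StringComparison]::OrdinalIgnoreCase)) {
            return $g
        }
    }
    return $null
}

function Find-SuspiciousRundll32 {
    param([string[]]$CommandLines, [string[]]$KnownGood)
    # rundll32 syntax is "rundll32.exe <dll>,<export>"; the DLL path may be quoted.
    $rx = [regex]'(?i)rundll32(?:\.exe)?\s+"?(?<dll>[^",]+\.dll)"?\s*,\s*(?<export>\S+)'
    foreach ($cl in $CommandLines) {
        $m = $rx.Match($cl)
        if (-not $m.Success) { continue }
        $dll   = $m.Groups['dll'].Value
        $mimic = Get-LookalikeDllName -Name ([IO.Path]::GetFileName($dll)) -KnownGood $KnownGood
        if ($mimic) {
            [pscustomobject]@{
                Dll         = $dll
                Export      = $m.Groups['export'].Value
                Mimics      = $mimic
                CommandLine = $cl
            }
        }
    }
}

function Get-RunningRundll32 {
    # Live enumeration (Get-CimInstance needs PowerShell 3+; on 2.0 use Get-WmiObject).
    # A rundll32 whose parent is "svchost.exe -k netsvcs" is the pattern from the post.
    Get-CimInstance Win32_Process -Filter "Name='rundll32.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Parent      = $parent.Name
            ParentCmd   = $parent.CommandLine
            CommandLine = $_.CommandLine
        }
    }
}

function Get-DllLockdownInfo {
    param([string]$Path)
    # Attributes and ACL of the suspect file. Get-Acl throws on the "Access Denied"
    # the post ran into; that failure is itself a finding, so it is reported, not hidden.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    try {
        $acl    = Get-Acl -LiteralPath $Path
        $owner  = $acl.Owner
        $access = ($acl.Access | ForEach-Object {
            "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)" }) -join '; '
    } catch {
        $owner  = 'unreadable'
        $access = "Get-Acl failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Path = $Path; Attributes = $item.Attributes.ToString(); Owner = $owner; Access = $access }
}

# --- Demo on constructed input (runs offline) ---
$knownGood = @('efsadu.dll', 'shell32.dll', 'ntdll.dll')   # constructed subset of a clean baseline
$sample = @(
    'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\efsadub.dll",DWLGXPLFFX',  # line from the post
    'C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL'                       # constructed benign line
)
Find-SuspiciousRundll32 -CommandLines $sample -KnownGood $knownGood | Format-Table -AutoSize
# Expected: only the efsadub.dll line is reported, with Mimics = efsadu.dll.

# Live run on the affected host (elevated), baseline taken from a clean machine:
# $live = Get-RunningRundll32
# Find-SuspiciousRundll32 -CommandLines $live.CommandLine -KnownGood $knownGood |
#     ForEach-Object { Get-DllLockdownInfo -Path $_.Dll }
```

The one-letter-suffix check is a heuristic for exactly the trick this thread describes; it does not catch a DLL dropped under an unrelated name, and a hit still needs confirmation (hash, VirusTotal, Authenticode status of both the suspect and the legitimate file) before anything is removed.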


Yes, you should submit this file to Avast so that it can be included in the next signature release.


It’s a .dll filename; maybe it doesn’t harm your PC. I think it’s just a suspicious file.

My system does the exact same thing, but I am unable to locate a system32 file with the “b” on the end. What do you suggest?

Given that it has zero hits on a Google search other than this topic, for a file in the system32 folder I get extremely suspicious. So it looks like it is trying to look like the legit efsadu.dll file.

I take it that you can’t remove this entry in HJT then?

It should most certainly be submitted to avast.

Please start your own new topic, as I doubt your issue is the same, based only on there being a “b” at the end of the file name.

Your situation might be like the one I found today.
It has the same symptoms (clicking on search-page results leads to random redirects to random bogus pages).

Check your system’s services and see if there is anything that looks odd. Most likely you have a DLL that is getting loaded as a sub-process by the standard Windows svchost.exe process.

Oh how I wish Microsoft would fix this huge security hole.

Hi Onesimus,

It is hard to comment on your problem, because there could be a whole range of causes for this, which can only be established with various additional local info.

Run StartDreck and attach the log file (txt). Download the tool from here:
http://www.niksoft.at/download/startdreck.htm

Look here for info: http://www.bleepingcomputer.com/tutorials/tutorial83.html

More general contemplations on the various causes for this issue here:
http://www.pcreview.co.uk/forums/thread-1891886.php

Also watch the various processes with process explorer and hook explorer for additional info.
This could also be caused by the automatic update of Windows; disabling that could fix the issue.

polonus

That is a redirect that has been off the scanners for a while. I do have some information and cleaning instructions for it; I just have to find them.

It is not a problem of Microsoft Windows Updates.
The recent spyware seems to be hiding itself as a DLL loaded by Microsoft’s svchost.exe.
Microsoft should put a “check” of some sort before loading these sub-processes.

OK, found it. It is generally, but not always, associated with the TDSS rootkit.

It adds a letter after a genuine MS file name and locks the DLL down.
It has an associated job which will generate a new DLL if needed.

Kenco.exe: download and run this programme; it will generate a log. Post that here.

Hi essexboy,

If I read you correctly, it found efsadu.dll and turned that into efsadub.dll.
efsadu.dll is only installed if you’ve enabled the Encrypting File System.
Running a tool like Dependency Walker could give information
on whether other DLLs, like for instance dwmapi.dll, are also removed.
Is the OS Vista?

@Onesimus, follow essexboy’s instructions to the dot; he will let you eliminate this rootkit quite thoroughly, because he is this forum’s specialist in these respects, and a very apt one :wink:

polonus

It doesn’t remove the DLL; it just copies the name and adds a letter on the end, so at a cursory glance it looks legit.

Hi essexboy,

Understood,

pol

People … you are all misreading this.

The spyware/malware created the file efsadub.dll, probably from downloading it from a website etc.
It is not a copy of efsadu.dll.

On the system where I found this, I have removed it already.
I used cacls.exe to deny access to it, rebooted the machine, and deleted the file.

I only posted here to let others know about it.
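As an added example (not code from the thread, and the function names and quarantine folder are mine), this PowerShell covers the two things the OP's question leaves open: where a rundll32 entry naming the suspect DLL is registered, so it does not return after reboot, and how to unlock and quarantine the file itself. The persistence search walks the usual autostart spots: service ImagePath values and the Parameters\ServiceDll that svchost -k <group> loads, the Run/RunOnce keys, and scheduled tasks via schtasks (essexboy's "associated job" above). The unlock step uses takeown and icacls (Vista and later; on XP use cacls as the post did) and grants Administrators rather than Everyone. It assumes you run it elevated, and it shares the caveat of any API-based check: a rootkit that hides the file or key from the API will hide it from this script too.

```powershell
# Added example; not from the thread. Function names are hypothetical. Run elevated.

function Find-AutostartReferences {
    param([string]$DllName)
    # Returns every autostart location whose value mentions $DllName.
    $pat  = [regex]::Escape($DllName)
    $hits = @()
    # Services, including the ServiceDll that an svchost-hosted service loads
    foreach ($svc in (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        if ($p -and ("$($p.ImagePath)" -match $pat)) {
            $hits += [pscustomobject]@{ Location = "Service\$($svc.PSChildName)\ImagePath"; Value = $p.ImagePath }
        }
        $q = Get-ItemProperty -LiteralPath "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if ($q -and ("$($q.ServiceDll)" -match $pat)) {
            $hits += [pscustomobject]@{ Location = "Service\$($svc.PSChildName)\Parameters\ServiceDll"; Value = $q.ServiceDll }
        }
    }
    # Run / RunOnce keys
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if ("$($prop.Value)" -match $pat) {
                $hits += [pscustomobject]@{ Location = "$key\$($prop.Name)"; Value = $prop.Value }
            }
        }
    }
    # Scheduled tasks: schtasks /v prints the command line for both XP .job and Vista+ XML tasks
    $tasks = & schtasks.exe /query /fo CSV /v 2>$null
    foreach ($line in ($tasks | Where-Object { $_ -match $pat })) {
        $hits += [pscustomobject]@{ Location = 'ScheduledTask'; Value = $line }
    }
    return $hits
}

function Unlock-AndQuarantine {
    param([string]$Path, [string]$QuarantineDir)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Not found: $Path (if a rootkit is hiding it, inspect the disk from a clean boot)"
    }
    # Same idea as the post's "CACLS /G EVERYONE:F", but granting only Administrators.
    # The group name is the English one; substitute the localized name where needed.
    & takeown.exe /F $Path                          | Out-Null
    & icacls.exe  $Path /grant 'Administrators:F'   | Out-Null
    & attrib.exe  -r -h -s $Path
    New-Item -ItemType Directory -Force -Path $QuarantineDir | Out-Null
    $dest = Join-Path $QuarantineDir ((Split-Path -Leaf $Path) + '.quarantined')
    # Renaming/moving on the same volume works even while the DLL is mapped into a
    # process; deleting it would fail until that process is gone, hence the reboot in the post.
    Move-Item -LiteralPath $Path -Destination $dest -Force
    return $dest
}

# --- Usage (the suspect name and path are the ones from the post) ---
$dllName = 'efsadub.dll'
Find-AutostartReferences -DllName $dllName | Format-Table -AutoSize
# For each hit: sc.exe delete <service>, Remove-ItemProperty on the Run value, or
# schtasks /delete /tn <task>; then quarantine the file and reboot:
# Unlock-AndQuarantine -Path "$env:windir\System32\$dllName" -QuarantineDir 'C:\Quarantine'
# Confirm the genuine file was left alone (it should carry a valid Microsoft signature):
# Get-AuthenticodeSignature "$env:windir\System32\efsadu.dll" | Select-Object Status, SignerCertificate
```

Keep the quarantined copy rather than deleting it: it is what gets submitted to the AV vendor, as the OP intended, and its hash is what you search for on the other machines on the network.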

Correct, it copies the file name and adds one letter to it. It does not touch the legitimate file at all.

Hi ONESIMUS,

Then we thank you for reporting. Anyway, they used the name efsadub for a malicious DLL to be similar to the existing efsadu, so you would not read anything into it; but you know exactly what should be there and what should not, were not fooled by this, and eliminated the malcoded DLL.
Again thanks and to others reading this thread “forewarned is forearmed”,

polonus