XP Antivirus gets vicious

2009-04-09 03:09:05
Jeffrey Martin
2008-10-07 10:09:56
Bradford McKesson
Another client brought us their PC. They had the fully up-to-date McAfee.
We thought we cleaned it out and, as part of TJM's regular services, did some
routine housekeeping before returning the machine.

An attempt to run disk defrag failed.
While searching for the cause of the defragment failure, we
discovered a browser URL redirector/rewriter attack was active.
It affects Firefox and Internet Explorer, but not SeaMonkey!
No recognizable rogue warez found, despite load spikes whenever a link is
clicked.

This particular attack works by prepending some JavaScript to the top of web pages.
The JavaScript attaches onclick handlers that rewrite the URLs of the page's links so that
each click passes through go.google.com to an obfuscated URL, which
forwards it through analitics-check.google.com and then on to some advertising websites.
Both go.google.com and analitics-check.google.com are invalid domains.
The attack can be mostly thwarted by disabling JavaScript in the browser.
The compromised DNS issue remains, though.
It also disables McAfee SiteAdvisor.
/windows/system32/drivers/etc/hosts only has the entry for localhost.
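Two of the checks described above, as an added Python example that is not part of the original post: the two bogus google.com hostnames are used as canaries (a resolver that answers for names that do not exist is handing back forged records, which is what a compromised DNS path looks like), and the hosts file is scanned for anything beyond the localhost entry. The resolver is passed in as a function so the check can be run against the system resolver or a test double; the sample hosts text is constructed.

```python
import socket
from typing import Callable, Dict, List, Optional

# Hostnames the post reports as invalid; any answer for them is a forged record.
CANARY_HOSTS = ["go.google.com", "analitics-check.google.com"]

# Names and addresses that make up a default Windows hosts file.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}

# Constructed sample of an untouched Windows hosts file.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""


def system_resolve(host: str) -> Optional[str]:
    """Resolve through the OS resolver; None means NXDOMAIN or other failure."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def check_canaries(resolve: Callable[[str], Optional[str]],
                   hosts: List[str] = CANARY_HOSTS) -> Dict[str, str]:
    """Return {hostname: address} for every canary that unexpectedly resolves.
    An empty dict means the resolver correctly reports the names as non-existent."""
    hits: Dict[str, str] = {}
    for host in hosts:
        addr = resolve(host)
        if addr is not None:
            hits[host] = addr
    return hits


def non_default_hosts_entries(hosts_text: str) -> List[str]:
    """Return every active hosts-file line other than the localhost mapping.
    Comments and blank lines are ignored; any other entry deserves a look."""
    findings: List[str] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK_ADDRS and set(names) <= LOCALHOST_NAMES:
            continue                           # the expected default entry
        findings.append(line)
    return findings


if __name__ == "__main__":
    print("canaries resolving:", check_canaries(system_resolve))
    print("extra hosts entries:", non_default_hosts_entries(SAMPLE_HOSTS))
```

On a clean machine both lines print empty results; an address for either canary points at the resolver path rather than the hosts file.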

Very little info on the net about this sort of thing. Apparently an uncommon attack,
or one very good at silencing those that experience it. Those that had answers recommended
Malwarebytes Anti-Malware (mbam-setup.exe from www.malwarebytes.com).

Malwarebytes uncovered a rootkit (system32/tds*.dll files) associated
with some Win AV200x variants.
With the rootkit out of the way, cleanup got much easier, and the defragment worked.

TJM Enterprises, Inc.
138 Rockwood Dr
Stokesdale, NC 27357

Phone: 888.548.2281

Fax: 336.548.7378

sales@tjmsoutheast.com
