
The problem came to me when a user complained they couldn't send or receive emails. Outlook 2010 reads "Disconnected" in the bottom right. I have tried everything to reconnect, but no luck.

Tried:

  • Repairing Network Connection
  • Cached mode Off/On
  • Running Spybot
  • Malware Bytes
  • CCleaner
  • VIPRE Rescue
  • Trend Micro
  • Hijack This
  • Safe Mode cleaning

Further into the problem, I tried connecting to our Outlook Web Access, and Chrome gave me a warning page that the SSL certificate wasn't trusted. That's news to me. Turns out it isn't my certificate after all. I try to open other secure login pages, and they all redirect to the same red screen with the same warning, same certificate.

So I checked the hosts file and it's clean.

I tried turning off almost every Startup Item, and one jumped out at me: dedcedeefbeedct.exe. I deleted it, but that still didn't do the trick.

Then my network AV tells me the computer I'm working on has been trying to access http://methylen.com/Y2x8MS42fDMxNWZlOTA1MWQ4NDAyZDAyNTk3ZDNmYzk2ZDNiZmU3fDMwOQ== unsuccessfully (hyperlink changed so no one accidentally clicks on it), every three seconds for most of the time I've been working on it.

To me, it looks like all traffic on the SSL port (443) is being redirected/hijacked. This would explain why Outlook can't log in, because it uses SSL to verify.

So while I think I have an idea of what is going on, I'm not sure where to go from here. Anybody have any ideas?

Mathias R. Jessen
Jeff M

2 Answers


It looks like malware. Give Combofix or SuperAntiSpyware a try. They are head and shoulders above the rest of those that you named in my experience.

pk.
  • Are you sure Combofix is a good idea on an Exchange server? It is designed for the client OS. At the very least you should back up your Exchange data to tapes or something before you do that. – Falcon Momot Apr 27 '12 at 21:31
  • I didn't get the impression that it was his Exchange server that was infected. I understood it as though he was trying to troubleshoot why a singular Outlook client couldn't connect and he ascertained that this individual's computer was infected. If it is indeed his Exchange server that is infected, yes, he needs to be very cautious about proceeding. – pk. Apr 27 '12 at 21:34
  • Thanks, I think I tried everything else suggested on this page, saving Combofix for last. That was finally enough to get me clean again. Said I had a nasty "rootkit zero access in the tcp/ip stack". Several runs and restarts later, things are working again. Thanks everybody! – Jeff M May 01 '12 at 18:29
  • Update: I may have spoken a little too soon. The issue with Outlook not connecting/HTTPS sites redirecting is fixed; however, my AV is still warning me the computer is trying to contact methylen.com every three seconds... If there are no other ideas, I will post my logs on a forum that handles that type of thing. – Jeff M May 01 '12 at 21:11
  1. Cut the machine off from the network
  2. Give the Microsoft Malware Removal Tool a full run
  3. Check the version info and file hash of common http(s) libraries like Winhttp.dll and SChannel.dll
  4. Run Process Monitor and try to connect to an SSL resource, see what happens

Update:
Apparently methylen.com has been associated with the Ololoshaface.com bot; you might want to check out this analysis from Sophos.

Here's another tip or two from removemalwarespyware.com; legit information (I wouldn't click on their ads though).

Mathias R. Jessen
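For step 3 of this answer, here is an added PowerShell example (not the answer author's own code) that reads the version info and SHA-256 of winhttp.dll and schannel.dll and compares them against the copies in the Windows component store, falling back to SFC for anything that does not match. It assumes Windows Vista or later (System32 files are hard links into WinSxS), Windows PowerShell 4.0 or later for Get-FileHash, and an elevated prompt.

```powershell
# Added example, not from the original answer. Assumptions: Windows Vista+ (System32
# binaries are hard links into WinSxS), Windows PowerShell 4.0+, elevated prompt.
$names = 'winhttp.dll', 'schannel.dll'   # the libraries named in step 3
$dirs  = @("$env:SystemRoot\System32")
if (Test-Path "$env:SystemRoot\SysWOW64") { $dirs += "$env:SystemRoot\SysWOW64" }

# Hash every copy of these DLLs held in the component store. A clean live DLL is a
# hard link to one of them, so its hash must appear in this list.
$storeHashes = Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Recurse -File `
                 -Include $names -ErrorAction SilentlyContinue |
               ForEach-Object { (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash }

foreach ($dir in $dirs) {
  foreach ($name in $names) {
    $path = Join-Path $dir $name
    if (-not (Test-Path $path)) { continue }

    $item    = Get-Item $path
    $hash    = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $inStore = $storeHashes -contains $hash

    [pscustomobject]@{
      Path          = $path
      FileVersion   = $item.VersionInfo.FileVersion
      Company       = $item.VersionInfo.CompanyName
      LastWrite     = $item.LastWriteTime
      SHA256        = $hash
      MatchesWinSxS = $inStore
    } | Format-List

    # A live DLL whose hash matches no component-store copy, or whose version
    # resource is not Microsoft's, has been replaced or patched on disk.
    if (-not $inStore -or $item.VersionInfo.CompanyName -ne 'Microsoft Corporation') {
      Write-Warning "$path does not match the component store; verifying with SFC"
      # SFC checks the file against its signed catalog and repairs it from the store.
      & "$env:SystemRoot\System32\sfc.exe" /verifyfile=$path
    }
  }
}
```

Recursing WinSxS takes a minute or two; a file that the store check flags but SFC reports as intact should still be compared against the same DLL on a known-clean machine of the same patch level.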