Epic Virus Battle!


I got a netbook in (Asus EEE PC) that had a virus on it and needs to be cleaned. It has Windows XP Home installed on it and OS reload is not an option at this point. Here are the current symptoms:

IE works but cannot go to windowsupdate.microsoft.com. If you try to go to other websites, it spawns extra IEs!

Firefox works but if you go to any site, a new window opens and it tries to go to 2 bad URLs and 2 other tabs show you the Firefox folder on the hard drive.

I'm running a Rootkit Revealer scan right now, and will get a HJT log and post it in a bit. Here's what I've done so far:

1. Uninstalled AVG. It was being a pain. I installed MSSE but it can't update. Ran a scan and it found nothing.

2. Ran Gmer, found 2 rootkits. I deleted the files offline and then had gmer delete the services.

3. Spyware Blaster protecting IE and Firefox

4. Dial-A-Fix ran but had no effect.

5. Malwarebytes runs now and finds no issues.

6. Super Antispyware found some, cleaned and now finds no issues.

7. Spybot S&D finds nothing.

8. Downadup/Conficker not found

If this sounds familiar and you know what it is, let me know. As I said, I'll post the HJT log in a little bit. Also if you know any other programs to run post those too.

I forgot I also used Procmon and Procexp and was not able to trace the browser behaviours. I have Combofix waiting in the wings, but that is usually a last resort for me.

Also, whatever is on the system is NOT one of those where you need to rename your apps to run them. And the HOSTS file is clean.

Here are the 4 tabs that Firefox opens:

http://www.xn--ck%1fi-2ka30arb8cze04f.com/
file:///C:/Program%20Files/Mozilla%20Firefox/
file:///C:/Program%20Files/Mozilla%20Firefox/
http://www.ö›~ìõ¢é`ƒÔ%1ft.com/&%7D%C2%BC%C3%BF%C3%86%27:U%27V%1C%C3%9Be%C6%92%C3%80V%C2%BB%1C%C2%B5d5@%C2%9D%C3%95mc%06%1DY%C2%ACiO%CB%86%C3%B7%0E%C3%B8%1Ff

I ran HJT and removed some entries. Here is what is left:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:46 AM, on 7/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: MRI_DISABLED
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279765707640
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7290 bytes

Behaviour still exists for both browsers.



First thing I normally do is reboot in safe mode and run autoruns (along with process explorer). I hardly ever have to do anything beyond that (never had to use Gmer/Spyware Blaster/Dial-A-Fix/Malwarebytes/Super Antispyware/Spybot S&D or any of that stuff). But when you have rootkits on there, it's pretty much game over. Time to format. It's the only way you can be 100% sure it's malware free now.


First thing I normally do is reboot in safe mode and run autoruns (along with process explorer). But when you have rootkits on there, it's pretty much game over. Time to format. It's the only way you can be 100% sure it's malware free now.

Oops sorry I modified my post


IE works but cannot go to windowsupdate.microsoft.com. If you try to go to other websites, it spawns extra IEs!

Firefox works but if you go to any site, a new window opens and it tries to go to 2 bad URLs and 2 other tabs show you the Firefox folder on the hard drive.

Stupid question, but what happens with 65.55.21.250 instead of windowsupdate.microsoft.com ?

This is NOT "kosher":

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643

jaclaz

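The R1 line jaclaz points at is the kind of entry a responder wants a machine to flag for them rather than eyeball. The script below is an added example, not from the thread or from HijackThis: it parses HijackThis-style R1 lines, splits the WinINet ProxyServer value (either a single host:port or a ';'-separated list of scheme=host:port entries), and reports any proxy that routes browser traffic back through the local machine. The embedded log lines are a constructed subset of the log posted above; the function and field names are my own.

```python
"""Flag browser proxy settings in HijackThis-style logs that point at the local host.

Added example (not from the thread). A loopback proxy such as
"http=127.0.0.1:5643" means some process on this machine sits between the
browser and the network, which is consistent with the redirect behaviour
described in the thread. Legitimate local filtering proxies exist too, so a
hit is a lead to investigate, not proof of infection.
"""
import re
from ipaddress import ip_address

# Constructed sample: a subset of the HijackThis lines quoted in the thread.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
"""

# Matches the HijackThis R1 line for the Internet Settings ProxyServer value.
HJT_PROXY_RE = re.compile(
    r"^R1 - (?P<hive>HK\w+)\\[^,]*Internet Settings,ProxyServer = (?P<value>.+)$"
)


def parse_proxy_server(value: str):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    WinINet accepts either a bare "host:port" (applies to every protocol,
    reported here with scheme "*") or a ';'-separated list of
    "scheme=host:port" entries. Port is None when absent.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:  # no "scheme=" prefix: one proxy for all protocols
            scheme, hostport = "*", scheme
        host, _, port = hostport.rpartition(":")
        if not host:  # no ':' present, so the whole thing is the host
            host, port = hostport, ""
        entries.append(
            (scheme.lower(), host.strip("[]"), int(port) if port.isdigit() else None)
        )
    return entries


def is_local_host(host: str) -> bool:
    """True for loopback addresses (IPv4 or IPv6) and the name 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a hostname, not an address
        return False


def find_local_proxies(log_text: str):
    """Return one finding per proxy entry that sends traffic through the local host."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_PROXY_RE.match(line)
        if not m:
            continue
        for scheme, host, port in parse_proxy_server(m.group("value")):
            if is_local_host(host):
                findings.append(
                    {"hive": m.group("hive"), "scheme": scheme,
                     "host": host, "port": port, "line": line}
                )
    return findings


if __name__ == "__main__":
    for f in find_local_proxies(SAMPLE_HJT_LOG):
        print(f"[{f['hive']}] {f['scheme']} traffic is proxied via {f['host']}:{f['port']}")
        print(f"    {f['line']}")
```

Run against the sample, it reports the single HKCU entry sending HTTP through 127.0.0.1:5643. A natural next step for a responder is to find which process is listening on that port (netstat -ano on XP shows the owning PID), which is how the proxy line connects back to the process-level hunting the thread describes.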

Hey I'll try that IP. Oh also I forgot I took out that loopback line with HJT.

Anyways, I found the solution for the Firefox issue, which only seems to be ComboFix. The issue for me with this is that I really don't know what ComboFix does. I usually like to find ways to manually remove viruses if possible or else it's no fun. Also I'm going to recommend ComboFix, but the caveat is that it could hose up Windows, which I've seen it do before.


Yes I can get to that webpage. I could get to MS no problem, just not the updates. It also decided to start opening additional windows again, but it will stop if I unplug the network cable.

But it is interesting that IE didn't have this extra IE problem until after I removed the rootkits that Gmer found.


I had gotten permission to run ComboFix and it found the infected atapi.sys file and restored the original. So it was caused by that. So it's working fine now. Oh actually I had to re-download ComboFix because the one I had on the USB key came up and said "The current date is ~." and the product was expired...

Weird, the ComboFix log file also had a line in it that said "kitty had a snack"... :blink:


Weird, the ComboFix log file also had a line in it that said "kitty had a snack"... :blink:

Hehehehe, noticed that too a long time ago.

It has something to do with ComboFix installing the Recovery Console, and the source (on the internet) of this is a bit hush-hush :whistle:

Greetz,

Peter.
