Tripredacus Posted July 23, 2010

I got a netbook in (Asus EEE PC) that had a virus on it and needs to be cleaned. It has Windows XP Home installed on it and OS reload is not an option at this point. Here are the current symptoms:

IE works but cannot go to windowsupdate.microsoft.com. If you try to go to other websites, it spawns extra IEs!
Firefox works but if you go to any site, a new window opens and it tries to go to 2 bad URLs and 2 other tabs show you the Firefox folder on the hard drive.

I'm running a Rootkit Revealer scan right now, and will get a HJT log and post it in a bit. Here's what I've done so far:

1. Uninstalled AVG. It was being a pain. I installed MSSE but it can't update. Ran a scan and it found nothing.
2. Ran Gmer, found 2 rootkits. I deleted the files offline and then had Gmer delete the services.
3. Spyware Blaster protecting IE and Firefox
4. Dial-A-Fix ran but had no effect.
5. Malwarebytes runs now and finds no issues.
6. Super Antispyware found some, cleaned and now finds no issues.
7. Spybot S&D finds nothing
8. Downadup/Conficker not found

If this sounds familiar and you know what it is, let me know. As I said, I'll post the HJT log in a little bit. Also if you know any other programs to run, post those too.

I forgot I also used Procmon and Procexp and was not able to trace the browser behaviours. I have Combofix waiting in the wings, but that is usually a last resort for me. Also, whatever is on the system is NOT one of those where you need to rename your apps to run them. And the HOSTS file is clean.

Here are the 4 tabs that Firefox opens:
http://www.xn--ck%1fi-2ka30arb8cze04f.com/
file:///C:/Program%20Files/Mozilla%20Firefox/
file:///C:/Program%20Files/Mozilla%20Firefox/
http://www.ö›~ìõ¢é`ƒÔ%1ft.com/&%7D%C2%BC%C3%BF%C3%86%27:U%27V%1C%C3%9Be%C6%92%C3%80V%C2%BB%1C%C2%B5d5@%C2%9D%C3%95mc%06%1DY%C2%ACiO%CB%86%C3%B7%0E%C3%B8%1Ff

I ran HJT and removed some entries.
Here is what is left:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:46 AM, on 7/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: MRI_DISABLED
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279765707640
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7290 bytes

Behaviour still exists for both browsers.
CoffeeFiend Posted July 23, 2010

First thing I normally do is reboot in safe mode and run autoruns (along with process explorer). I hardly ever have to do anything beyond that (never had to use Gmer/Spyware Blaster/Dial-A-Fix/Malwarebytes/Super Antispyware/Spybot S&D or any of that stuff). But when you have rootkits on there, it's pretty much game over. Time to format. It's the only way you can be 100% sure it's malware free now.
Tripredacus (Author) Posted July 23, 2010

> First thing I normally do is reboot in safe mode and run autoruns (along with process explorer). But when you have rootkits on there, it's pretty much game over. Time to format. It's the only way you can be 100% sure it's malware free now.

Oops sorry I modified my post
jaclaz Posted July 23, 2010

> IE works but cannot go to windowsupdate.microsoft.com. If you try to go to other websites, it spawns extra IEs!
> Firefox works but if you go to any site, a new window opens and it tries to go to 2 bad URLs and 2 other tabs show you the Firefox folder on the hard drive.

Stupid question, but what happens with 65.55.21.250 instead of windowsupdate.microsoft.com ?

This is NOT "kosher":
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643

jaclaz
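The ProxyServer line jaclaz points at is the most telling entry in the whole log: a proxy on 127.0.0.1 means some process on the netbook itself is sitting between the browser and the network, which fits the extra windows and the blocked Windows Update. The script below is an added example written for this thread, not something posted by any participant or shipped with HijackThis. It parses HJT R0/R1 lines and flags a ProxyServer that points at loopback, reports any other proxy as lower severity, and flags Start/Search page URLs whose host is not one of the Microsoft defaults seen in the log above. The allowlist of hosts, the hostnames hijacked.example and proxy.corp.example, and the finding categories are assumptions constructed for the example; the first five sample lines are copied from the log posted above.

```python
"""Triage HijackThis R0/R1 entries for browser-proxy and home-page hijacks.

Added example for this thread (not part of the original post or of HJT).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# HJT R-lines look like:
#   R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:5643
# i.e. <type> - <registry key>,<value name> = <value>
LINE_RE = re.compile(r"^(?P<type>R[013]) - (?P<key>[^,]+),(?P<name>[^=]+) = (?P<value>.*)$")

# Hosts the stock XP SP3 / IE8 defaults point at (taken from the posted log).
# Assumption: anything else as a Start/Search page deserves a look.
KNOWN_GOOD_HOSTS = {"go.microsoft.com", "www.microsoft.com", "update.microsoft.com"}


def parse_r_line(line):
    """Return a dict for an R0/R1/R3 line, or None for any other HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def proxy_endpoints(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    IE stores either 'host:port' (one proxy for everything) or a
    ';'-separated list of 'scheme=host:port' pairs, e.g. 'http=127.0.0.1:5643'.
    """
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no explicit port given
            host, port = hostport, ""
        endpoints.append((scheme or "*", host, port))
    return endpoints


def is_loopback(host):
    """True for localhost or any 127.0.0.0/8 or ::1 address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # not an IP literal
        return False


def triage(lines):
    """Return (severity, category, location, detail) findings for the given log lines."""
    findings = []
    for line in lines:
        entry = parse_r_line(line)
        if entry is None:
            continue
        location = f"{entry['key']},{entry['name']}"
        if entry["name"] == "ProxyServer":
            for scheme, host, port in proxy_endpoints(entry["value"]):
                detail = f"{scheme}={host}:{port}"
                if is_loopback(host):
                    # A local process is proxying the browser: classic hijack pattern.
                    findings.append(("high", "loopback-proxy", location, detail))
                else:
                    # Could be legitimate (corporate proxy); still worth confirming.
                    findings.append(("low", "proxy-set", location, detail))
        elif entry["value"].lower().startswith(("http://", "https://")):
            host = (urlsplit(entry["value"]).hostname or "").lower()
            if host not in KNOWN_GOOD_HOSTS:
                findings.append(("medium", "unexpected-host", location, host))
    return findings


# Lines 1-5 are copied from the HJT log posted in this thread; the remaining
# R-lines are constructed to exercise the other branches. The O2 line shows
# that non-R entries are ignored.
SAMPLE_LINES = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacked.example/",          # constructed
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.example:8080",  # constructed
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
]

if __name__ == "__main__":
    for severity, category, location, detail in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {category:16} {location} -> {detail}")
```

Run against the posted log, the only high-severity finding is the loopback proxy; the four Microsoft fwlink entries are silent because their host is on the allowlist. On a live XP box the same check can be made by reading ProxyEnable and ProxyServer under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which is the key HJT is reporting.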
Tripredacus (Author) Posted July 23, 2010

Hey I'll try that IP. Oh also I forgot I took out that loopback line with HJT.

Anyways, I found the solution for the Firefox issue, which only seems to be ComboFix. The issue for me with this is that I really don't know what ComboFix does. I usually like to find ways to manually remove viruses if possible or else it's no fun. Also I'm going to recommend ComboFix but the caveat is that it could hose up Windows, which I've seen it do before.
Tripredacus (Author) Posted July 23, 2010

Yes I can get to that webpage. I could get to MS no problem, just not the updates. It also decided to start opening additional windows again, but it will stop if I unplug the network cable. But it is interesting that IE didn't have this extra IE problem until after I removed the rootkits that Gmer found.
TheReasonIFail Posted July 23, 2010

Is the PC fully patched? Running latest version of IE? XP Service Pack 3?
cluberti Posted July 23, 2010

If you've got access to DaRT, you could always create an ERD and scan it from there after downloading the latest defs during the creation of the ERD.
Tripredacus (Author) Posted July 23, 2010

I had gotten permission to run ComboFix and it found the infected atapi.sys file and restored the original. So it was caused by that. So it's working fine now.

Oh actually I had to re-download ComboFix because the one I had on the USB key came up and said "The current date is ~." and the product was expired... Weird, the ComboFix log file also had a line in it that said "kitty had a snack"...
Tarun Posted July 23, 2010

Did you scan in safe mode and normal mode?
VideoRipper Posted July 24, 2010

> Weird, the ComboFix log file also had a line in it that said "kitty had a snack"...

Hehehehe, noticed that too a long time ago.
It has something to do with ComboFix installing the Recovery Console and the source (on the internet) of this is a bit hush-hush

Greetz,
Peter.
dencorso Posted July 24, 2010

Kitty had a snack
Tripredacus (Author) Posted July 24, 2010

> Did you scan in safe mode and normal mode?

I did everything in normal mode except for when I deleted the files the original rootkit used. Then I had booted into WinPE to delete them.
jaclaz Posted July 24, 2010

> Kitty had a snack

A possibly related thread:
http://www.boot-land.net/forums/index.php?showtopic=8092

jaclaz
Tarun Posted July 25, 2010

> Kitty had a snack

That is seriously so very stupid. If it deletes a critical system file that's all you get to see? Screw that. Sigh, stupid programmers.