Solved

Virus / Spyware remaining after Clean Vista Reinstall

Posted on 2008-11-10
Last Modified: 2013-11-15
Hi all. I have a machine (Dell XPS 730) infected with some kind of virus or spyware that has taken over all web browsing and URL directing (constant redirects to bogus spyware removal sites with pornographic ads etc...). My McAfee, which was up to date, can no longer access McAfee's virus definition updater site to update itself, and similar benevolent sites like http://v4.windowsupdate.microsoft.com are completely inaccessible. A full system scan with McAfee did not return any detected malware or infected files. This being the case, I decided to do a clean install of Vista using Dell's reinstallation CD that came with the machine. During the process I kept my network cable disconnected, no USB drives attached, and created a new single partition which I formatted. I was surprised at how fast the format took place (less than a minute) as well as the OS install (maybe 20 minutes).

After the install completed, the first thing I did was plug the network cable back in and hop into Internet Explorer, and I was horrified to see the same malicious activity still taking place!! I had not copied anything back onto the machine nor had I reattached any other devices. The virus / spyware was simply still there. I am thinking that possibly (especially since the install seemed so fast) the install wasn't really completely clean - that is, no low-level format really ever took place?? Is this possible? Has anyone seen anything like this before and if so, how do I fully, totally and completely wipe this drive clean?
Question by:mcascino
16 Comments
 
LVL 1

Expert Comment

by:sscout
ID: 22922844
Low-level formatting may be supported by utilities provided by the manufacturer of your hard drive. Check your HDD manufacturer's site.

Be careful: improper use of low-level format can damage your drive.
 
LVL 32

Expert Comment

by:willcomp
ID: 22923177
First, post a Hijack This log as an attached file. The malware should be removable with the proper tools.
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

You may need to rename HiJack This to bypass malware. HJT.exe usually works.
 
LVL 32

Expert Comment

by:willcomp
ID: 22923203
You may have two Vista installs on different partitions depending on how you installed Vista.

Vista installs as an image and does not format the partition.
 

Author Comment

by:mcascino
ID: 22926975
Hi - I ran Hijackthis and below is the log file it produced:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:57 PM, on 11/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:

--
End of file - 2133 bytes
 

Author Comment

by:mcascino
ID: 22929630
Just another quick add... After running HiJackThis I installed a copy of Malwarebytes' Anti-Malware and ran a full scan which kicked up the following corrupted registry values:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{30514d88-3d87-4354-8c07-2dfa339020c0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{30514d88-3d87-4354-8c07-2dfa339020c0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{30514d88-3d87-4354-8c07-2dfa339020c0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.

No other infected items were found. I had the program remove the infected values, then restarted Windows, but the redirecting and 100% blockage of access to Windows updates continues. Another scan using the Malwarebytes' utility (after the Windows restart) revealed the same six registry values were once again corrupt.

This thing just seems virtually undetectable. I am still wondering right now which route I should go: try to find and wipe this thing out manually -or- use some low-level disk format utility to REALLY wipe the hard drive and risk potentially damaging the drive.

sscout - I have a Seagate Barracuda 7200 SATA drive, model ST3750630AS. I went to Seagate's site and see they have a utility called DiskWizard, but I don't see whether or not this utility is for doing any kind of low-level format. Do you, or does anyone, know anything about this tool?

willcomp - I only have one instance of Vista installed. Originally there were two partitions on my drive: a 676 GB partition (which the OS resided on) and a 10 GB recovery partition. When I reinstalled Windows, I first deleted BOTH partitions, then created a new 686 GB partition. I then formatted this partition (although, as mentioned in my initial post, it did this in a few seconds) and installed Vista on this single partition.

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22929774
Your HijackThis log is incomplete. Some entries are missing there.
It is a Wareout infection that is showing in the MBAM log.
In Vista a Wareout infection can be removed by merely fixing the O17 entries, as there are no hidden stealth Wareout files in Vista.
There can sometimes be a Wareout service (O23 entry in HijackThis) present which needs to be disabled and deleted.

Can you show us a complete HijackThis log?
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22929823
"Windows Tribute Service" <-- check if this service is present; this has been present with Wareout recently. The service points to a kd###.exe in the system32 folder (### = random letters).
If some entries still won't show up, you can use ComboFix to remove Wareout.

Please download ComboFix by sUBs (run in Safe mode):
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 
SmitfraudFix removes the Wareout "kd###.exe" variant, if you prefer to run SmitfraudFix instead.
Please download SmitfraudFix, and select Option 2. Clean (Safe mode recommended)
http://siri.geekstogo.com/SmitfraudFix.php

 
LVL 20

Accepted Solution

by:IndiGenus (earned 1200 total points)
ID: 22929918
Hi,
I have a feeling this may be what we're seeing more of lately. Do you use a router? This new Wareout infection is "infecting" the router by changing the router settings.

The best way to deal with this is to clean all infected machines on your network, and MBAM will do that if you tell it to.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{30514d88-3d87-4354-8c07-2dfa339020c0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.

Let it fix what it finds.

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up. You also need to reconfigure any security settings you had in place prior to the reset. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.
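The six DhcpNameServer values MBAM reported are what Vista's DHCP client wrote from the lease the router handed out, which is why they were back after the reboot. As an added example that is not part of this thread, the Python below parses lines in the format MBAM printed above and flags DHCP-supplied DNS servers that are not on an allowlist; the allowlist address 192.168.1.1 and the clean third log line are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample modelled on the MBAM lines quoted in the thread: two of
# the reported DhcpNameServer values, plus one clean value (192.168.1.1, the
# router's own LAN address, constructed) as it would look after the reset.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{30514d88-3d87-4354-8c07-2dfa339020c0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.195 85.255.112.231 1.2.3.4 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer -> Data: 192.168.1.1 -> No action taken.
"""

# DNS servers this network is expected to receive via DHCP (constructed: the
# router hands out its own address). Fill in from your ISP/router settings.
ALLOWED_DNS = {"192.168.1.1"}

# One DhcpNameServer line: control set, optional per-interface GUID, and the
# space-separated server list the DHCP client copied from the lease.
_LINE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>\w+)\\Services\\Tcpip\\Parameters"
    r"(?:\\Interfaces\\(?P<iface>\{[0-9A-Fa-f-]+\}))?\\DhcpNameServer\b"
    r".*?-> Data: (?P<data>[0-9. ]+?) ->",
    re.MULTILINE,
)


class Finding(NamedTuple):
    control_set: str
    interface: str   # "" for the adapter-independent Parameters value
    servers: tuple   # every DNS server in the value, in lease order
    rogue: tuple     # those not on the allowlist


def find_rogue_dns(log_text, allowed=ALLOWED_DNS):
    """Parse every DhcpNameServer line and mark servers outside the allowlist.

    The value is rewritten from the DHCP lease on every renewal, so a rogue
    entry points at the DHCP source (the router), not at a file on the host;
    deleting it without fixing the router just means it comes back.
    """
    findings = []
    for m in _LINE.finditer(log_text):
        servers = tuple(m.group("data").split())
        rogue = tuple(s for s in servers if s not in allowed)
        findings.append(Finding(m.group("cs"), m.group("iface") or "", servers, rogue))
    return findings


def rogue_servers(findings):
    """Distinct rogue DNS servers across all control sets, for lookup/blocking."""
    return {s for f in findings for s in f.rogue}


if __name__ == "__main__":
    for f in find_rogue_dns(SAMPLE_LOG):
        state = "ROGUE " + " ".join(f.rogue) if f.rogue else "ok"
        print(f"{f.control_set:<18} {f.interface or '(global)':<40} {state}")
```

Run the same check after the router reset and a lease renewal: if the rogue set is empty, the DHCP source is clean; if it refills, another machine on the LAN is still rewriting the router's DNS settings.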
 
LVL 32

Expert Comment

by:willcomp
ID: 22930175
It's about time you two showed up :-)

@mcascino --- as mentioned earlier, Vista installs as an image (think Ghost) and does not format the drive prior to installing like XP and its predecessors. So, yes, the install is much faster than an XP install.
 

Author Comment

by:mcascino
ID: 22930192
Ok. I just re-ran HiJackThis and the complete log is listed below. I should note that I previously had HiJackThis fix the O13 Gopher prefix entry after I had run it earlier.

RPGGamergirl - I don't see any O17 entries? What are you referring to? Did you mean the O13 entry - if so, fixing that did not solve the problem. Also, I just checked services (yes, the full extended tab) and I do NOT see Windows Tribute Service present. Should I still bother with ComboFix??

IndiGenus - I do use a router and have not yet tried to reset it. That's a good point though and I do know how to do that. I am going to try that later today as I am about to head off to work. I will update here tonight.

Here is the HiJackThis Log File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:45 AM, on 11/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 3371 bytes
 
LVL 47

Assisted Solution

by:rpggamergirl (earned 800 total points)
ID: 22930344
>>> I don't see any O17 entries? What are you referring to?<<<
The registry entries showing in the MBAM log also refer to the O17 entries in HijackThis, but they're not showing, and no service is showing either.

Reset the router, as that could be the answer here and quicker than running scanners; if the problem persists, then run those tools I mentioned.

Hi there willcomp, :)
 
LVL 1

Expert Comment

by:sscout
ID: 22933381
mcascino, it's Zero-Fill option in Seagate DiskWizard.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22933798
mcascino,
Don't forget that IF there are other Zlob-infected machines using the same router, they will need to run MalwareBytes also before resetting the router, otherwise malware will simply go back and change the router's DNS settings.

 

Author Comment

by:mcascino
ID: 22935825
IndiGenus & rpggamergirl: You guys nailed it. The virus did in fact alter the settings on my router. After resetting the router my system so far appears to be back to normal. Thank you for your help!!
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22936052
Glad that got it. This is becoming more and more prevalent now. Thank you for the grade and points.

Regards,
Dave
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22937148
Glad to know it's solved!
Thank you.
Question has a verified solution.