• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1209
  • Last Modified:

PC infected with Multiple viruses and possible rootkits

A friend has a pc which I believe has had a serious virus issue for some time. Having failed to cure it, and with the most recent symtpoms being no icons, start menus etc on the desktop they have given it to me. The first thing I did was run up-to-date versions of AVG and superantivirus which identified numerous forms of virus, malware et al. Of main concern was two possible rootkits (Rootkit.Agent.gen and Rootkit TDSServ), Virus Rostock G and Vundo MSWorker fake) plus Trojans such as Csrssc, smitfraud (which I believe is responsible for the missing icons), sheur amongst others. I have cleared out all of temp files, cookies etc and tried to remove as much as I can using AVG & Superantivirus but as you would expect I have not been able to remove the serious infections and restore the icons. I have checked the registry settings for explorere.exe and it seems Ok. I can get task manager to run and can see explorer.exe in C:\windows. However I cannot run it as a new task. In addition it is not showing as running in the processes tab. I have also downloaded and  run smitrem but the icons have not been restored. Before I go any further and download root detecting utilities and wonder if someone could take a look at a HiJackThis log. This is as at the current state of play. I have one taken before I ran smitrem if it is of any use. Any advice and guiidance as to my next course of action would be appreciated.  With thanks.
hijackthis-100209.log
0
CluelessNI
Asked:
CluelessNI
  • 13
  • 6
  • 5
  • +4
3 Solutions
 
Rodney BarnhardtServer AdministratorCommented:
Why not just reload the computer? If it is that infected, my opinion is that is the best solution.
0
 
CluelessNIAuthor Commented:
This remains a possibility although I'll have to check that they have all the relevant disks. However I'll hang on a bit to see if anything comes of the HJT log. Thanks anyway.
0
 
lamaslanyCommented:
I agree with rbarnhardt: back up the data, nuke it and install a clean OS.  Once fully patched install and update antivirus then scan the data prior to moving it back.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
Mike_CarrollCommented:
Download MBAM here http://www.malwarebytes.org/mbam.php
Install, update and run it.

Then think about the HiJackThis log.

Also, I would not rule out a reload
0
 
TK-77Commented:
I agree with Mike Carroll, Run Malwarebytes and then post another Hijackthislog.

Here is what I found so far. Safe to remove:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [dmxxk.exe] C:\WINDOWS\system32\dmxxk.exe
O4 - HKLM\..\Run: [dmvkk.exe] C:\WINDOWS\system32\dmvkk.exe
O4 - HKLM\..\Run: [mozilla-text] newbreed.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\lssas.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\Mark\Application Data\My-disgo\MyKey disgo.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Mark\LOCALS~1\Temp\~tmpa.exe
O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee.com\Shredder\SHRED32.EXE" /q C:\DOCUME~1\Mark\LOCALS~1\History\History.SH! C:\WINDOWS\SYSTEM32\stdole3.SH! C:\WINDOWS\SYSTEM32\atmclk.SH! C:\WINDOWS\SYSTEM32\regperf.SH! C:\WINDOWS\SYSTEM32\hp100.SH! C:\WINDOWS\SYSTEM32\ld104.SH! C:\WINDOWS\SYSTEM32\dcomcfg.SH!
O4 - HKUS\S-1-5-18\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O20 - Winlogon Notify: cbXnkHXq - cbXnkHXq.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)

TK
0
 
rpggamergirlCommented:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\ndetect.exe,

The above is also a bad entry (SDBot/IRCBot entry).
The system is heavily infected wareout and all, you may need other tools in case MalwareBytes won't get it all.
Either SDFix or Combofix you can also run if problem persists.


If problem persists,
Please download ComboFix by sUBs: If the tool you use won't run, redownload and rename them first before saving to your desktop)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
0
 
CluelessNIAuthor Commented:
OK - I have removed the entries that TK-77 said was safe. I have downloaded malwarebytes product and am running it as we speak. Once that is complete I will post a HJT log as requested. This is 150GB HDD so previous scans have taken some time. I will  come back to you as soon as it is done. The only issue is that this PC cannot connect to internet so the malwarebytes program was installed but not updated prior to running the scan. However I am sure its better than nothing! Just a quick thought - how much of this (HTJ or malwarebytes) should be done in safe mode - or does it not make much difference?  With thanks...
0
 
Mike_CarrollCommented:
MBAM is updated pretty regularly. Not the end of the world if it's not updated.
0
 
rpggamergirlCommented:
>>>OK - I have removed the entries that TK-77 said was safe
Did you also removed the F2 entry below that TK-77 missed in his list?
Believe it or not that is a bad entry. MBAM might removed it itself too anyway.

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\ndetect.exe,

>>>how much of this (HTJ or malwarebytes) should be done in safe mode
Hijackthis should NOT be run in safe mode(if pc boots in normal mode), while MBAM can be run in safe mode if you wish though It shouldn't make any difference, some tools works well in both mode.
0
 
CluelessNIAuthor Commented:
Hi All - just a quick update. I removed the F2 entry as identified by rpggamergirl and I ran the malwarebytes program and it has improved things considerably as it removed 300+ items(at the second time of asking). I now have desktop icons etc plus I also have connectivity back. I have attached a current HJT log plus the malwarebytes log. What I intend to do now that I have connectivity is run an updated malwarebytes plus combofix as per rpggamergirls' recommendation. I'll come back to you this evening once these programs have run. With thanks, C
mbam-log-2009-02-11--15-15-58-.txt
0
 
CluelessNIAuthor Commented:
Sorry - finger trouble. Heres the HJT log.
CluelessNI-3--110209.txt
0
 
rpggamergirlCommented:
The MBAM log attached is before it removed those items(which I assume, as you said has now been removed)

The Hijackthis log(besides some unnecessary entries) looks clean!
Bear in mind also that a clean Hijackthis log is not a guarantee that the system is clean because some nasties can still hide from the hijackthis scan.
But if the pc is behaving well and hijackthis log is clean then it sounds great.
0
 
Rodney BarnhardtServer AdministratorCommented:
Personally, if it was that infected, I would backup the data, nuke it, and reload it. I never trust a badly infected system.
0
 
CluelessNIAuthor Commented:
Hi All, Sorry about the delay in replying which was due to both being away on a work trip and also due to sever problems with my own PC. I thought I had infected it with the same viruses as the PC I am trying to fix as the symptoms were similar (slow boot and no internet connection/icons on desktop although ctr+alt+del gave me the task manager). However this turned out to be due to a windows patch (KB960715) which clashed with my firewall (Zone Labs) which it would not allow to initialise. It took me a while to figure this out hence the delay. I have uninstalled the patch and zone labs (which was corrupted) and all is well. However I have taken the liberty of attached a HJT log and malwarebytes log for my personal PC which I hope someone would be kind enough to take a look at. I would also be interested to know if this is a known issue with this patch as this would not be the first time this has happened.
With regard to teh original infected PC I think it is a case of one step forward and two back. Having restoreed the icons and intenet connectivity through malwarebytes I then ran combofix as suggested by rpggamergirl. After this I lost my interet connection although desktop icons etc were still there. It booted OK but with the occsional BSOD.I ran malwarebytes again and it identified vundo so also ran vundofix. I still had no internet connection and windos diagnositcs showed a problem with winsock.dll. Therefore I ran winsock fix but it did not work. I then let windows diagnostics fix the problem. Big mistake!. Now the pc boots OK but as soon as it tries to load a profile it gives a BSOD. I can boot into safe mode and the icons etc are still there (but no connectivity). I checked the lsass.exe files as I thought combofix may have removed them. There was a copy in System32 folder but not System32\dllcache so I copied form one to the other. However It still gives me a BSOD at the user login stage. I have attached a current HJT log adn malwarebytes log but I beleive the system is now clean. However if someone could take a look and confirm this I would be grateful. Likewise if anyone has any thoughts on teh BSOD issue then these would also be welcome. I realise that this probably a different issue and that I may need to log a seperate question. With thanks....
InfectedPChijackthis.log
InfectedPCmbam-log-2009-02-16--1.txt
PersonalPC-mbam-log-2009-02-14--.txt
PersonalPC.txt
0
 
CluelessNIAuthor Commented:
Apologise for previous typos !! - just wanted to get a comment on quickly!!
0
 
rpggamergirlCommented:
Original pc, just fix this entry below:
O4 - HKUS\S-1-5-18\..\Run: [hdleqqqz.exe] C:\WINDOWS\hdleqqqz.exe (User 'SYSTEM')
C:\WINDOWS\hdleqqqz.exe <-- and delete this file if still present.
 

Personal pc: the 023 entry can go and delete its file. I assume you let MBAM took care of the threats found?
C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe


Or just try running combofix on both pcs and see if it finds anything else, show us the combofix log after.
0
 
CluelessNIAuthor Commented:
Hi rpggamergirl: I have removed the entries as per your last post. I have also run combofix on the original PC (in safe mode as I still cannot load a profile in normal mode). I have attahced a log accordingly.
With regard to my personal PC I cannot run combofix as it keeps detecting my antivirus (AVG). This is despite the fact that I have uninstalled AVG and used the avg removal tool. I cannot see any trace of it on my system but combofix  still seems to think it is running. I will keep working at it.  With thanks...
ComboFix.txt
0
 
DooflegnaCommented:
It's probably detecting registry traces left over.  You'll need to run regedit and get rid of these keys manually.

http://www.mydigitallife.info/2008/07/11/fix-remove-avg-incompatible-software-error-when-installing-kaspersky-kis-and-kav/
0
 
CluelessNIAuthor Commented:
Hi Dooflegna - thanks for this. I had a look for traces of avg and could not find any. In particular I cold not see the entries as detailed in your link or using he find command. The path that is showing as problematic is HKLM\Software\Microsoft\WindowsNT\currentversion\windows\create registry key. However when I navigate to as far as the windows folder I get the error " cannot open windows: error opening key".
I hope this helps
0
 
DooflegnaCommented:
Does AVG Install/Uninstall from Safe Mode?  If it does, I would boot to Safe mode w/ Command Prompt (F8), reinstall AVG, reboot, Safe Mode w/ Command Prompt and then uninstall AVG.
0
 
rpggamergirlCommented:

[COLOR=RED] c:\windows\system32\userinit.exe . . . is infected!![/COLOR]
[COLOR=RED] c:\windows\system32\svchost.exe . . . is infected!![/COLOR]
[COLOR=RED] c:\windows\system32\spoolsv.exe . . . is infected!![/COLOR]
[COLOR=RED] c:\windows\explorer.exe . . . is infected!![/COLOR]


Looks like Virut or sality file patcher and looks like CF couldn't find a clean replacement of those files.
If it's virut it can't be cleaned and a reformat is needed.
0
 
rpggamergirlCommented:
>>>I had a look for traces of avg and could not find any<<<
AVG is still installed in the personal pc(entries are showing there.

How to disable AVG's Resident Shield.
Right click the AVG icon and click Open.
In the Overview panel click on Resident Sheild > Uncheck the Resident Sheild Active box > Save Changes
0
 
CluelessNIAuthor Commented:
Thanks for all the advice above - gives me a few things to do. I will 1. See what disks the infected PC owners have and go for a restore. I have their data and have swept it with malwarebytes and it appears clean. With regard to my own PC and AVG I will try Dooflegna's command line suggestion tonight when I have more time adn come back to you soonest. With thanks....
0
 
DooflegnaCommented:
There's a new nasty variant strain of virut that has just hit.  A lot of commercially available scanners opt to just delete the infected files if they are unable to successfully clean them.  However, since this particular infection targets .exes, it can render your OS entirely unusable.  AVG offers a free Virut remover (here: http://www.softpedia.com/get/Antivirus/Win32-Virut-Remover.shtml ), but it's outdated, so it's chances of cleaning in your situation are probably very small.  I agree with rpggamergirl's that a reload may be necessary in this case.  No fun.
0
 
CluelessNIAuthor Commented:
Hi All.
Firstly I downloaded the avg virut remover by as predicted it did not have much affect. It did not detect anythign on teh infected PC but it did on my pen drive that I have been using to transfer logs. Don't worry - this is about to undergo a full format. However I ran combofix again and it detected the entries as shown in rpggamergirls last post. Did not seem much point in posting the log as I don't think anything has changed from the last one. I am in the process of getting the original disks and will reformat it.

Secondly I tried Dooflegna's suggestion of trying an AVG install/uninstall in safe mode from the command prompt. Again it stalled with the same error message. Is it possible that AVG is not so much the problem but more so a corrupt registry folder (the windows folder as stated in the path). I take it the entry that rpggamergirl is referring to in the HJT log is this one:

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing).

Can I use HJT to try and fix this entry?
Thanks....
0
 
DooflegnaCommented:
It could be a permissions issue, which spyruses have been known to bork.  For fun before you restore the OS, you could always try a permissions reset.

Here are some better commands than what's listed in the link.

subinacl /subkeyreg hkey_local_machine /grant=administrators=f /grant=system=f
subinacl /subkeyreg hkey_users /grant=administrators=f /grant=system=f
subinacl /subdirectories %systemdrive%\ /setowner=administrators /grant=administrators=f /grant=system=f

http://www.winhelponline.com/blog/reset-the-registry-and-the-file-permissions-in-windows-xp/
0
 
CluelessNIAuthor Commented:
Hi All. Cuurent situation is:

Original infected PC: No change. Still waiitng for disks to do a complete restore.

Personal PC: I tried dooflegna's subinacl solution. Whilst it ran OK the first line produced 3 failures. I only noted 2 of them: Hkey_local_machine\Security\Policy\Secrets\sai and
HKey_Local_Machine\Software\Microsoft\windowsNT\currentversion\perflib\009

Notwithstanding this I tried agian to open the widows folder in regedit but got the same message. However I right-clicked it and ws told I could not view permissions but could change them. I then added in Administrators and gave full permissions in the ACL but it would not let me apply them. HOWEVER: I was able to take ownership OK. I then re-installed AVG successfully, disabled it (using reggamersgirls instructions) and finally ran combofix on my own PC. I have attached the log and if someone could take a look I would be grateful.
We are probably approaching the close of this (depending on the log). One worry I have is rootkits. Should I download a program that looks for this or is there no point?
Is there anything else I should run and attach a log? Do you need another malwarebytes or HJT log? If so please let me know.

With thanks...........
ComboFix.txt
0
 
DooflegnaCommented:
For what it's worth, the subinacl reset will almost always generate errors.  It'd be very strange if it didn't.  Your combofix log looks pretty good.  We shouldn't need Hijack This, but it can always be reviewed if it'll make you feel more comfortable.

If you're worried about rootkits, check out Trend Micro's Rootkit Buster: http://www.trendmicro.com/download/rbuster.asp

Can we access internet at this point?  If so, I suggest running a couple free online scanners.  They won't remove anything, but they'll tell us if anything's there.

http://www.kaspersky.com/virusscanner
0
 
CluelessNIAuthor Commented:
As per my last post - many thanks for your time and help. It was very clear, concise and accurate. With best wishes.......
0
 
CluelessNIAuthor Commented:
I have downloaded and run rottkitbuster on my personal PC adn it found nothing. i was more concerned about the original infected PC but this is now irrelavant as it has now been formatted, reinstalled and is back with its rightful owners. I have run AVG adn Superantispyware and they have found nothing so, whilst I may do Kaspersky for completeness I am confident all is well.
I guess it is time to close the call. Many thanks to you all, but especailly rpggamergirl, Dooflegna and TK-77 for all your time and help. With best wishes, CluelessNI
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 13
  • 6
  • 5
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now