Cannot run HiJackThis or Combofix

The broadband has been very slow for a couple of days with download speed of 640kbps (normally around 7600) and upload 448kbps (no difference). A change of DSL filter gave a temporary reprieve, increasing download to 4600kbps. However, a day later it was slow again. It seems fine in the morning, slowing down in the afternoon.

However, this morning I got a message on one of the four peer-to-peer XP Pro PCs that Microsoft Software Removal Tool had found and removed two trojans.

As a precaution, I attempted to install HiJackThis in normal and safe mode but it wouldn't install, tried running Combofix in normal and safe mode, even renaming it and trying again in safe mode, but it wouldn't run. Malwarebytes wouldn't install in either mode.

After these attempts it went back to dead slow when attempting to use the Internet, although other computers seemed ok, not fast, but ok. The "infected" computer could also not load Google even after several attempts and a reboot, coming up with the message "Windows Internet Explorer: Internet Explorer cannot open the Internet site http://www.google.co.uk. Operation aborted."

All other sites do load although very slowly.

I managed to eventually run a clone HiJackThis through Deckard and I've attached logs in Normal and Safe modes.

Any ideas would be greatly appreciated.

Thanks,

Mike

mikeabc27Asked:
 
rpggamergirlCommented:
Did you rename Combofix before saving to your desktop?

Try the Combofix link and instructions posted in this thread --> http://www.experts-exchange.com/Community_Support/Hidden/Private_Discussions/Q_24288356.html 

 C:\Program Files\srhmoxc <-- did you create this folder? delete if you don't know it.
0
 
mikeabc27Author Commented:
Sorry clicked submit before I'd attached these.
dss-in-normal-mode.txt
0
 
mikeabc27Author Commented:
... and this - having a bad day.

dss-in-safe-mode.txt
0
 
warturtleCommented:
I suggest that you get a blank CD and burn Dr Web CureIt live CD ISO onto it. Then boot your PC using this disk and scan your PC for viruses and/or malware.

http://www.freedrweb.com/livecd/

Read the instructions which are in a PDF file at: ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

Hope it helps.
0
 
mikeabc27Author Commented:
Warturtle - I've not tried CureIt before but will try it if I can't get anywhere with my normal solutions - HiJackThis, Combofix, Mbam and Kaspersky Online Scanner.
Rpggamergirl - I may have cheated a bit and renamed AFTER. Many thanks for the link, I'll try now and post the results.
 
 
0
 
mikeabc27Author Commented:
hi rpggamergirl - the links in install CF and mbam worked perfectly and now everything installs.
Combofix found about 12 files and asked me to note them, then rebooted - these are the UAC*.* shown in the CF deletions. It didn't do the recovery console check on the infected PC but did on another. It also didn't create the combofix folder and put everything into qoobox.
Could you please check the attached logs?
Internet is still slow but I feel that is totally unrelated, as my highly protected laptop worked at snail pace on the broadband.
Thanks,
Mike
 
0
 
rpggamergirlCommented:
Why do those 2 Combofix logs have different versions???

The second CF is of last year....the log also shows some bad entries.

0
 
mikeabc27Author Commented:
Second CF report was from the original that initially wouldn't run. I know I should have removed it.
0
 
warturtleCommented:
It looks like it's a TDSS rootkit infection. ComboFix has removed most of the bad files so far, still some are left. Did you run MalwareBytes before ComboFix was run?? or the other way around??

I would suggest running a fullscan with MalwareBytes in safe mode to finish off the infections. It looks like MalwareBytes tried to remove TDSS files, but was unable to do so. Running ComboFix has surely helped with that. Another tool that might also help is SuperAntiSpyware, which is similar to MBAM, but sometimes it catches things that MBAM doesn't. It can be downloaded from www.superantispyware.com and scanning in safe mode is the best option for it as well.

Hope it helps.
0
 
mikeabc27Author Commented:
Hi warturtle - mbam was run between first and second CFs.
Today I'm running smitfraud and HJT and will post the results.
0
 
mikeabc27Author Commented:
I ran the following programs in this order:
PC1 (infected PC)
1. HiJackThis
2. Smitfraud
3. Gmer
I would be grateful if someone could check out the HiJackThis logs on 3 of the other 4 PCs on the network.
Thanks,
Mike

rapport.txt
Vishal-HJT.txt
gmer.txt
anna.log
felipe.txt
john.txt
0
 
warturtleCommented:
Hello Mike,

Are you also having problems on the other 3 computers as well?? First observation is that you don't have XP SP3 on PC2 and PC4.

PC1:
Still has TDSS rootkit infection in it.

PC2:
Do you know these IP's?
O17 - HKLM\System\CCS\Services\Tcpip\..\{25112092-21C3-4B4F-9C28-372B173602CC}: NameServer = 194.74.65.68,194.74.65.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{25112092-21C3-4B4F-9C28-372B173602CC}: NameServer = 194.74.65.68,194.74.65.69

PC3:
Limewire is installed on this PC. HijackThis log looks normal.

PC4:
Do you know these IP's?
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD01BBF8-B40C-4F81-AE02-48C1339847C4}: NameServer = 194.72.9.34,62.6.40.178

I would suggest running MalwareBytes Anti-Malware on all PC's (if possible, in safe mode without networking).
0
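The O17 lines warturtle quotes above are the DNS NameServer values HijackThis reads from the Tcpip interface keys; a DNS changer shows up there as a server the ISP never assigned. The following is an added example, not code from the thread or from HijackThis: it parses O17 lines in that format and flags every nameserver that is not on an allowlist. The sample log lines, the allowlist (the pair the author confirmed as fixed BT DNS servers, plus private ranges) and the made-up fourth interface are constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the O17 format seen in the log: control set, interface GUID, server list
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<hive>\w+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>\S+)$"
)

# Constructed sample: the three O17 lines quoted in the thread plus one made-up
# interface (fake GUID) pointing at an unknown server and a LAN address.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{25112092-21C3-4B4F-9C28-372B173602CC}: NameServer = 194.74.65.68,194.74.65.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{25112092-21C3-4B4F-9C28-372B173602CC}: NameServer = 194.74.65.68,194.74.65.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD01BBF8-B40C-4F81-AE02-48C1339847C4}: NameServer = 194.72.9.34,62.6.40.178
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-00000000BEEF}: NameServer = 203.0.113.7,10.0.0.1
"""

# Assumed allowlist: servers the author confirmed as fixed BT DNS, plus private
# ranges where an internal DNS server or the router would normally sit.
EXPECTED_DNS = {"194.74.65.68", "194.74.65.69"}
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


def parse_o17(log_text):
    """Return one dict per O17 line: control set, interface GUID, server list."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in m.group("servers").split(",") if s]
        entries.append({"hive": m.group("hive"),
                        "guid": m.group("guid").upper(), "servers": servers})
    return entries


def audit_nameservers(entries, expected=EXPECTED_DNS, trusted=TRUSTED_NETS):
    """Return (guid, server, reason) for every server not on the allowlist."""
    findings = []
    for e in entries:
        for s in e["servers"]:
            try:
                ip = ip_address(s)
            except ValueError:
                findings.append((e["guid"], s, "not an IP address"))
                continue
            if s in expected or any(ip in net for net in trusted):
                continue
            findings.append((e["guid"], s, "unknown DNS server, verify with ISP"))
    return findings
```

Every flagged server is a prompt to confirm the address with the ISP or the network admin, exactly the question asked in the comment above; once the PC4 pair is confirmed, add it to the allowlist and only genuinely unknown servers remain.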
 
mikeabc27Author Commented:
Warturtle - No problem is immediately evident other than the Internet going from very slow to no connection 25% of the time. BT are checking it out fully tomorrow and I'm almost convinced it's a problem their end.
Good point about the 2 PCs that need to be patched.
As part of the tests 2 of the PCs were given fixed IPs and the addresses on PC2 are fixed BT DNS ones. Similarly, when I check the 2 addresses on PC4 I'm sure I'll find they are dynamically assigned BT DNS servers as well.
Not sure what Limewire was being used for and will check tomorrow, but it was probably installed by someone who has left the company.
Thanks for checking these. I think PC1 is the only infected one and will run mbam in safe mode on that tomorrow.
Many thanks and will post updates.
0
 
warturtleCommented:
I suggested running MalwareBytes on all PC's because a HijackThis log would rarely capture a rootkit if it's present on your other PC's as well. Rootkit is basically a technology that helps viruses protect themselves from the traditional antivirus scanners. I was able to confidently mention TDSS due to its presence in the ComboFix log which is a more thorough tool for investigation purposes. However, I don't suggest running ComboFix as an initial checkup tool. MalwareBytes or SuperAntiSpyware (www.superantispyware.com) are much easier to use and don't require making any manual changes to the system as well.

0
 
mikeabc27Author Commented:
All PCs now on XP SP3 and mbam ran in safe mode. It didn't find anything on PC1, PC2 and PC4, but found some adware on PC3.
I ran Superantispyware on PC1 and PC3 and more adware found plus 5 more harmful ones on PC1.
I've attached a hijackthis log from PC1 when everything was completed.
 

vishal-hjt.log
0
 
warturtleCommented:
The HijackThis log that you've sent looks normal. Is your PC behaving normally now? Since MalwareBytes and SuperAntiSpyware are specialised tools for spyware, it might be good to do a scan with McAfee that is installed on your PC's in safe mode (without networking). If that test passes, then the computer is reasonably clean then.
0
 
mikeabc27Author Commented:
With the Internet connection problems (which BT has admitted is at their end and is still not fixed) it's difficult to assess the overall effect any infections had on the PC, but I do feel they are all clean now.
Many thanks for your and rpggamergirl's help.
0
 
mikeabc27Author Commented:
Great help and advice
0
 
warturtleCommented:
Good to see that the problem has been resolved. Thanks for the feedback. You can uninstall ComboFix as follows >

Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
0
 
rpggamergirlCommented:
Hi Mike sorry for the very delayed reply.... I just got back and did not have internet connection for a week.

The Gmer log is showing TDSS rootkit reg entries.... MBAM and Combofix remove TDSS rootkits, but Combofix will fail to detect it if you ran any ARK tool in the same session before Combofix (needs a reboot after running the ARK tool and before running Combofix).

Glad to know it's now resolved.
Thanks!
0