Solved

Cannot run HiJackThis or Combofix

Posted on 2009-04-16
Last Modified: 2013-12-06
The broadband has been very slow for a couple of days with a download speed of 640kbps (normally around 7600) and upload 448kbps (no difference). A change of DSL filter gave a temporary reprieve, increasing download to 4600kbps. However, a day later it was slow again. It seems fine in the morning, slowing down in the afternoon.

However, this morning I got a message on one of the four peer-to-peer XP Pro PCs that Microsoft Software Removal Tool had found and removed two trojans.

As a precaution, I attempted to install HiJackThis in normal and safe mode but it wouldn't install, tried running Combofix in normal and safe mode, even renaming it and trying again in safe mode, but it wouldn't run. Malwarebytes wouldn't install in either mode.

After these attempts it went back to dead slow when attempting to use the Internet, although other computers seemed ok, not fast, but ok. The "infected" computer could also not load Google even after several attempts and a reboot, coming up with the message "Windows Internet Explorer: Internet Explorer cannot open the Internet site http://www.google.co.uk. Operation aborted."

All other sites do load although very slowly.

I managed to eventually run a clone HiJackThis through Deckard and I've attached logs in Normal and Safe modes.

Any ideas would be greatly appreciated.

Thanks,

Mike



 

 
Question by:mikeabc27
Author Comment

by:mikeabc27
ID: 24156055
Sorry clicked submit before I'd attached these.
dss-in-normal-mode.txt

Author Comment

by:mikeabc27
ID: 24156065
... and this - having a bad day.

dss-in-safe-mode.txt
LVL 16

Expert Comment

by:warturtle
ID: 24156263
I suggest that you get a blank CD and burn Dr Web CureIt live CD ISO onto it. Then boot your PC using this disk and scan your PC for viruses and/or malware.

http://www.freedrweb.com/livecd/

Read the instructions which are in a PDF file at: ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

Hope it helps.
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 24156557
Did you rename Combofix before saving to your desktop?

Try the Combofix link and instructions posted in this thread --> http://www.experts-exchange.com/Community_Support/Hidden/Private_Discussions/Q_24288356.html 

C:\Program Files\srhmoxc <-- did you create this folder? Delete it if you don't know it.

Author Comment

by:mikeabc27
ID: 24156832
Warturtle - I've not tried CureIt before but will try it if I can't get anywhere with my normal solutions - HiJackThis, Combofix, Mbam and Kaspersky Online Scanner.
Rpggamergirl - I may have cheated a bit and renamed AFTER. Many thanks for the link, I'll try now and post the results.

Author Comment

by:mikeabc27
ID: 24165472
Hi rpggamergirl - the links to install CF and mbam worked perfectly and now everything installs.
Combofix found about 12 files and asked me to note them, then rebooted - these are the UAC*.* shown in the CF deletions. It didn't do the recovery console check on the infected PC but did on another. It also didn't create the combofix folder and put everything into qoobox.
Could you please check the attached logs?
Internet is still slow but I feel that is totally unrelated, as my highly protected laptop worked at snail pace on the broadband.
Thanks,
Mike
LVL 47

Expert Comment

by:rpggamergirl
ID: 24169204
Why do those 2 Combofix logs have different versions???

The second CF is from last year.... The log also shows some bad entries.

Author Comment

by:mikeabc27
ID: 24176501
Second CF report was from the original that initially wouldn't run. I know I should have removed it.
LVL 16

Assisted Solution

by:warturtle
warturtle earned 1000 total points
ID: 24176960
It looks like it's a TDSS rootkit infection. ComboFix has removed most of the bad files so far, still some are left. Did you run MalwareBytes before ComboFix was run?? Or the other way around??

I would suggest running a full scan with MalwareBytes in safe mode to finish off the infections. It looks like MalwareBytes tried to remove TDSS files, but was unable to do so. Running ComboFix has surely helped with that. Another tool that might also help is SuperAntiSpyware, which is similar to MBAM, but sometimes it catches things that MBAM doesn't. It can be downloaded from www.superantispyware.com and scanning in safe mode is the best option for it as well.

Hope it helps.

Author Comment

by:mikeabc27
ID: 24182383
Hi warturtle - mbam was run between the first and second CFs.
Today I'm running smitfraud and HJT and will post the results.

Author Comment

by:mikeabc27
ID: 24185143
I ran the following programs in this order:
PC1 (infected PC)
1. HiJackThis
2. Smitfraud
3. Gmer
I would be grateful if someone could check out the HiJackThis logs on 3 of the other 4 PCs on the network.
Thanks,
Mike

rapport.txt
Vishal-HJT.txt
gmer.txt
anna.log
felipe.txt
john.txt
LVL 16

Expert Comment

by:warturtle
ID: 24186275
Hello Mike,

Are you also having problems on the other 3 computers as well?? First observation is that you don't have XP SP3 on PC2 and PC4.

PC1:
Still has TDSS rootkit infection in it.

PC2:
Do you know these IPs?
O17 - HKLM\System\CCS\Services\Tcpip\..\{25112092-21C3-4B4F-9C28-372B173602CC}: NameServer = 194.74.65.68,194.74.65.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{25112092-21C3-4B4F-9C28-372B173602CC}: NameServer = 194.74.65.68,194.74.65.69

PC3:
Limewire is installed on this PC. HijackThis log looks normal.

PC4:
Do you know these IPs?
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD01BBF8-B40C-4F81-AE02-48C1339847C4}: NameServer = 194.72.9.34,62.6.40.178

I would suggest running MalwareBytes Anti-Malware on all PCs (if possible, in safe mode without networking).
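A small check, added here and not part of the thread, for the O17 review warturtle is doing above: it pulls the NameServer entries out of HijackThis log text and flags any resolver that is not on a list of the DNS servers you expect. The allow-list assumes the four addresses the asker identifies as BT's servers; the fourth log line is a constructed entry pointing at a documentation-range address so that something gets flagged.

```python
import ipaddress
import re

# O17 lines as HijackThis prints them: hive key, interface GUID, NameServer list.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<hive>\w+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[\d.,\s]+)$"
)

# Resolvers you expect to see. Assumption for this example: the four addresses
# the asker identifies as BT's DNS servers; substitute your own ISP/DHCP values.
EXPECTED_RESOLVERS = {"194.74.65.68", "194.74.65.69", "194.72.9.34", "62.6.40.178"}

# Constructed sample log: the three O17 lines quoted in the thread plus one
# constructed entry that points at an RFC 5737 documentation address.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{25112092-21C3-4B4F-9C28-372B173602CC}: NameServer = 194.74.65.68,194.74.65.69
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{25112092-21C3-4B4F-9C28-372B173602CC}: NameServer = 194.74.65.68,194.74.65.69
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CD01BBF8-B40C-4F81-AE02-48C1339847C4}: NameServer = 194.72.9.34,62.6.40.178
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000000}: NameServer = 194.72.9.34,192.0.2.53
"""


def parse_o17(log_text):
    """Return one (hive, guid, [servers]) tuple per O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # some other HJT section (O4, O23, ...) or a malformed line
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("hive"), m.group("guid"), servers))
    return entries


def unexpected_resolvers(entries, expected=EXPECTED_RESOLVERS):
    """Map each interface GUID to its resolvers that are not on the allow-list.

    Addresses that do not parse are reported as well; an empty dict means
    every configured resolver is one you recognise.
    """
    findings = {}
    for _hive, guid, servers in entries:
        for s in servers:
            try:
                ip = str(ipaddress.ip_address(s))
            except ValueError:
                findings.setdefault(guid, set()).add(s)
                continue
            if ip not in expected:
                findings.setdefault(guid, set()).add(ip)
    return {guid: sorted(ips) for guid, ips in findings.items()}
```

Run it over the full log of each PC; a GUID that shows up in the result is an interface whose DNS settings are worth confirming against the router or DHCP lease before deciding the machine is clean.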

Author Comment

by:mikeabc27
ID: 24188826
Warturtle - No problem is immediately evident other than the Internet going from very slow to no connection 25% of the time. BT are checking it out fully tomorrow and I'm almost convinced it's a problem at their end.
Good point about the 2 PCs that need to be patched.
As part of the tests 2 of the PCs were given fixed IPs and the addresses on PC2 are fixed BT DNS ones. Similarly, when I check the 2 addresses on PC4 I'm sure I'll find they are dynamically assigned BT DNS servers as well.
Not sure what Limewire was being used for and will check tomorrow, but it was probably installed by someone who has left the company.
Thanks for checking these. I think PC1 is the only infected one and will run mbam in safe mode on that tomorrow.
Many thanks and will post updates.
LVL 16

Expert Comment

by:warturtle
ID: 24189353
I suggested running MalwareBytes on all PCs because a HijackThis log would rarely capture a rootkit if it's present on your other PCs as well. A rootkit is basically a technology that helps viruses protect themselves from the traditional antivirus scanners. I was able to confidently mention TDSS due to its presence in the ComboFix log, which is a more thorough tool for investigation purposes. However, I don't suggest running ComboFix as an initial checkup tool. MalwareBytes or SuperAntiSpyware (www.superantispyware.com) are much easier to use and don't require making any manual changes to the system either.

Author Comment

by:mikeabc27
ID: 24195074
All PCs now on XP SP3 and mbam ran in safe mode. It didn't find anything on PC1, PC2 and PC4, but found some adware on PC3.
I ran Superantispyware on PC1 and PC3 and more adware found plus 5 more harmful ones on PC1.
I've attached a hijackthis log from PC1 when everything was completed.
 

vishal-hjt.log
LVL 16

Expert Comment

by:warturtle
ID: 24199715
The HijackThis log that you've sent looks normal. Is your PC behaving normally now? Since MalwareBytes and SuperAntiSpyware are specialised tools for spyware, it might be good to do a scan with the McAfee that is installed on your PCs in safe mode (without networking). If that test passes, then the computer is reasonably clean.

Author Comment

by:mikeabc27
ID: 24212505
With the Internet connection problems (which BT has admitted is at their end and is still not fixed) it's difficult to assess the overall effect any infections had on the PC, but I do feel they are all clean now.
Many thanks for yours and rpggamergirl's help.

Author Closing Comment

by:mikeabc27
ID: 31570899
Great help and advice
LVL 16

Expert Comment

by:warturtle
ID: 24213640
Good to see that the problem has been resolved. Thanks for the feedback. You can uninstall ComboFix as follows >

Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24231608
Hi Mike sorry for the very delayed reply.... I just got back and did not have internet connection for a week.

The Gmer log is showing TDSS rootkit reg entries.... MBAM and Combofix remove TDSS rootkits, but Combofix will fail to detect it if you ran any ARK tool in the same session before Combofix (it needs a reboot after running the ARK tool and before running Combofix).

Glad to know it's now resolved.
Thanks!