Tough Virus

rhavey asked:
I am working on a computer that I am certain has a virus - at least one, but I can't find it, much less kill it.  The OS is Windows XP Home Premium, and the only AV that was on the machine was AVG 8 - obviously not up to date.  This user is not very sophisticated - she still uses AOL dial-up.  I would like to give this machine back to her working and with a working antivirus - probably MS Security Essentials.

The indication is a warning when I open Internet Explorer that the security settings are putting the computer at risk. I am unable to browse to any web site that has anything to do with virus protection or removal, I cannot change the search provider, the left side of the Start menu and the MFU list are blank, I can't change Start Menu settings, I can't change to classic view in Control Panel, Malwarebytes will not install or run except in Safe Mode, and ComboFix had to be in Safe Mode to install.

I was able to get the portable version of superantispyware to run, but all it found was tracking cookies.  Combofix does not appear to do much of anything.  And, Malwarebytes found nothing when I ran it in Safe Mode and will not run at all in Normal.

Short of reformatting, what do I have to do to clean up this machine?

Kyle Abrahams, Senior .Net Developer

Commented:
Try running SmitfraudFix.  If you ran Malwarebytes and nothing happened, also try HijackThis for a manual scan of any BHO logs.

In Safe Mode (try with networking), see if you can get an updated version of the antivirus (whichever you choose).

Commented:
That is because the virus is tagged to iexplorer in the registry. This script will reset all exe extensions to their original.

@echo off
REM Restore Default File Associations for Windows XP.
REM Copyright 2003 - Doug Knox
REM This BAT file restores the Default associations that XP ships with
REM It does not restore associations created by 3rd party applications.
REM Each line is "assoc .<extension>=<file type>"; an empty file type removes the association.

Echo Restoring Default File Associations

assoc .323=h323file
assoc .386=vxdfile
assoc .aca=Agent.Character.2
assoc .acf=Agent.Character.2
assoc .acs=Agent.Character2.2
assoc .acw=acwfile
assoc .ai=
assoc .aif=AIFFFile
assoc .aifc=AIFFFile
assoc .aiff=AIFFFile
assoc .ani=anifile
assoc .aps=
assoc .asa=aspfile
assoc .ascx=
assoc .asf=ASFFile
assoc .asm=
assoc .asmx=
assoc .asp=aspfile
assoc .aspx=
assoc .asx=ASXFile
assoc .au=AUFile
assoc .AudioCD=AudioCD
assoc .avi=avifile
assoc .bat=batfile
assoc .bfc=Briefcase
assoc .bin=
assoc .bkf=msbackupfile
assoc .blg=PerfFile
assoc .bmp=Paint.Picture
assoc .bsc=
assoc .c=
assoc .cab=CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}
assoc .cat=CATFile
assoc .cda=CDAFile
assoc .cdf=ChannelFile
assoc .cdx=aspfile
assoc .cer=CERFile
assoc .cgm=
assoc .chk=chkfile
assoc .chm=chm.file
assoc .clp=clpfile
assoc .cmd=cmdfile
assoc .cnf=ConferenceLink
assoc .com=comfile
assoc .cpl=cplfile
assoc .cpp=
assoc .crl=CRLFile
assoc .crt=CERFile
assoc .css=CSSfile
assoc .csv=
assoc .CTT=MessengerContactList
assoc .cur=curfile
assoc .cxx=
assoc .dat=
assoc .db=dbfile
assoc .dbg=
assoc .dct=
assoc .def=
assoc .der=CERFile
assoc .DeskLink=CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}
assoc .dib=Paint.Picture
assoc .dic=
assoc .diz=
assoc .dll=dllfile
assoc .dl_=
assoc .doc=WordPad.Document.1
assoc .dos=
assoc .dot=
assoc .drv=drvfile
assoc .dsn=MSDASQL
assoc .dun=dunfile
assoc .DVD=DVD
assoc .emf=emffile
assoc .eml=Microsoft Internet Mail Message
assoc .eps=
assoc .exe=exefile
assoc .exp=
assoc .ex_=
assoc .eyb=
assoc .fif=
assoc .fnd=fndfile
assoc .fnt=
assoc .Folder=Folder
assoc .fon=fonfile
assoc .ghi=
assoc .gif=giffile
assoc .grp=MSProgramGroup
assoc .gz=
assoc .h=
assoc .hhc=
assoc .hlp=hlpfile
assoc .hpp=
assoc .hqx=
assoc .ht=htfile
assoc .hta=htafile
assoc .htc=
assoc .htm=htmlfile
assoc .html=htmlfile
assoc .htt=HTTfile
assoc .htw=
assoc .htx=
assoc .hxx=
assoc .icc=icmfile
assoc .icm=icmfile
assoc .ico=icofile
assoc .idb=
assoc .idl=
assoc .idq=
assoc .iii=iiifile
assoc .ilk=
assoc .imc=
assoc .inc=
assoc .inf=inffile
assoc .ini=inifile
assoc .ins=x-internet-signup
assoc .inv=
assoc .inx=
assoc .in_=
assoc .isp=x-internet-signup
assoc .its=ITS File
assoc .IVF=IVFFile
assoc .java=
assoc .jbf=
assoc .jfif=pjpegfile
assoc .job=JobObject
assoc .jod=Microsoft.Jet.OLEDB.4.0
assoc .jpe=jpegfile
assoc .jpeg=jpegfile
assoc .jpg=jpegfile
assoc .JS=JSFile
assoc .JSE=JSEFile
assoc .latex=
assoc .lib=
assoc .lnk=lnkfile
assoc .local=
assoc .log=txtfile
assoc .lwv=LWVFile
assoc .m14=
assoc .m1v=mpegfile
assoc .m3u=m3ufile
assoc .man=
assoc .manifest=
assoc .MAPIMail=CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
assoc .mdb=
assoc .mht=mhtmlfile
assoc .mhtml=mhtmlfile
assoc .mid=midfile
assoc .midi=midfile
assoc .mmf=
assoc .mmm=MPlayer
assoc .mov=
assoc .movie=
assoc .mp2=mpegfile
assoc .mp2v=mpegfile
assoc .mp3=mp3file
assoc .mpa=mpegfile
assoc .mpe=mpegfile
assoc .mpeg=mpegfile
assoc .mpg=mpegfile
assoc .mpv2=mpegfile
assoc .msc=MSCFile
assoc .msg=
assoc .msi=Msi.Package
assoc .msp=Msi.Patch
assoc .MsRcIncident=MsRcIncident
assoc .msstyles=msstylesfile
assoc .MSWMM=Windows.Movie.Maker
assoc .mv=
assoc .mydocs=CLSID\{ECF03A32-103D-11d2-854D-006008059367}
assoc .ncb=
assoc .nfo=MSInfo.Document
assoc .nls=
assoc .NMW=T126_Whiteboard
assoc .nsc=
assoc .nvr=
assoc .nws=Microsoft Internet News Message
assoc .obj=
assoc .ocx=ocxfile
assoc .oc_=
assoc .odc=
assoc .otf=otffile
assoc .p10=P10File
assoc .p12=PFXFile
assoc .p7b=SPCFile
assoc .p7c=certificate_wab_auto_file
assoc .p7m=P7MFile
assoc .p7r=SPCFile
assoc .p7s=P7SFile
assoc .pbk=pbkfile
assoc .pch=
assoc .pdb=
assoc .pds=
assoc .pfm=pfmfile
assoc .pfx=PFXFile
assoc .php3=
assoc .pic=
assoc .pif=piffile
assoc .pko=PKOFile
assoc .pl=
assoc .plg=
assoc .pma=PerfFile
assoc .pmc=PerfFile
assoc .pml=PerfFile
assoc .pmr=PerfFile
assoc .pmw=PerfFile
assoc .pnf=pnffile
assoc .png=pngfile
assoc .pot=
assoc .pps=
assoc .ppt=
assoc .prf=prffile
assoc .ps=
assoc .psd=
assoc .psw=PSWFile
assoc .qds=SavedDsQuery
assoc .rat=ratfile
assoc .rc=
assoc .RDP=RDP.File
assoc .reg=regfile
assoc .res=
assoc .rle=
assoc .rmi=midfile
assoc .rnk=rnkfile
assoc .rpc=
assoc .rsp=
assoc .rtf=rtffile
assoc .sam=
assoc .sbr=
assoc .sc2=
assoc .scf=SHCmdFile
assoc .scp=txtfile
assoc .scr=scrfile
assoc .sct=scriptletfile
assoc .sdb=appfixfile
assoc .sed=
assoc .shb=DocShortcut
assoc .shs=ShellScrap
assoc .shtml=
assoc .shw=
assoc .sit=
assoc .snd=AUFile
assoc .spc=SPCFile
assoc .spl=ShockwaveFlash.ShockwaveFlash
assoc .sql=
assoc .sr_=
assoc .sst=CertificateStoreFile
assoc .stl=STLFile
assoc .stm=
assoc .swf=ShockwaveFlash.ShockwaveFlash
assoc .sym=
assoc .sys=sysfile
assoc .sy_=
assoc .tar=
assoc .text=
assoc .tgz=
assoc .theme=themefile
assoc .tif=TIFImage.Document
assoc .tiff=TIFImage.Document
assoc .tlb=
assoc .tsp=
assoc .tsv=
assoc .ttc=ttcfile
assoc .ttf=ttffile
assoc .txt=txtfile
assoc .UDL=MSDASC
assoc .uls=ulsfile
assoc .URL=InternetShortcut
assoc .VBE=VBEFile
assoc .vbs=VBSFile
assoc .vbx=
assoc .vcf=vcard_wab_auto_file
assoc .vxd=vxdfile
assoc .wab=wab_auto_file
assoc .wav=soundrec
assoc .wax=WAXFile
assoc .wb2=
assoc .webpnp=webpnpFile
assoc .WHT=Whiteboard
assoc .wk4=
assoc .wll=
assoc .wlt=
assoc .wm=ASFFile
assoc .wma=WMAFile
assoc .wmd=WMDFile
assoc .wmf=wmffile
assoc .wmp=WMPFile
assoc .wms=WMSFile
assoc .wmv=WMVFile
assoc .wmx=ASXFile
assoc .wmz=WMZFile
assoc .wpd=
assoc .wpg=
assoc .wri=wrifile
assoc .wsc=scriptletfile
assoc .WSF=WSFFile
assoc .WSH=WSHFile
assoc .wsz=
assoc .wtx=txtfile
assoc .wvx=WVXFile
assoc .x=
assoc .xbm=
assoc .xix=
assoc .xlb=
assoc .xlc=
assoc .xls=
assoc .xlt=
assoc .xml=xmlfile
assoc .xsl=xslfile
assoc .z=
assoc .z96=
assoc .zap=zapfile
assoc .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
assoc .zip=CompressedFolder

Echo Default File Associations Restored

Sorry about the long post, but copy this script and make it into a batch file.  Also open up Internet Explorer, select Tools > Options, and under the Connections tab select the LAN button and remove the check from the proxy settings to allow internet browsing.

Once those are complete, look for the virus: try Ctrl+Alt+Delete and check for goofy processes and kill them.  Click Start > Run, type msconfig, check the startup programs and see what the name of the virus is (if it is in there).  Write it down, then click Start > Run, type regedit, do a search for the virus and delete the keys.

Now download and install cleanup which is found here: http://www.stevengould.org/index.php?Itemid=223&id=29&option=com_content&task=view
Run this file to clean out all the cookies/temp files where viruses/spyware like to sit.

Download and install malwarebytes and run a scan, malwarebytes can be found here: www.malwarebytes.org.

Last but not least, before you reboot, go to the C drive > Program Files > Common Files and look for a folder called Uninstall; check to see if the virus is sitting in there too.
Also run a search of your computer for the virus, but make sure you search hidden folders as well.
*** Hopeleonie *** IT Manager

Commented:
These tools will help you to clean!
Run:
- Combofix
- Panda Activescan
- Hitman Pro (30 day trial)
- Drweb Cureit
- Kaspersky Virus Removal Tool 2010

My favorite is Panda Activescan.


All the links you will find here:
http://www.experts-exchange.com/blogs/hopeleonie/Malware-Removal-Links-all-for-free.html
Can you get into the registry? If so, do the following:

start>run
regedit

Browse to the following location in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Delete every subkey within that key. You will most likely see many, many entries that relate to antivirus apps.
Reboot and test.

Also look at the hosts file:

c:\windows\system32\drivers\etc\hosts

The default is like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

If you see additional entries, delete them all until it looks like above. There is also an auto fixit by MS that will do it for you:
http://support.microsoft.com/kb/972034

Once done, you should be able to get to AV websites.
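The hosts-file check the comment above describes, as an added Python example (not code from the page or from any of the commenters): it parses a hosts file the way the resolver does, skips comments and blanks, and reports every mapping that is not one of the default localhost lines, saying whether the name was pinned to loopback (the site simply fails to load) or sent to some other address. The sample hosts text and the `.test` host names are constructed for the example; the Windows path is the one the comment gives.

```python
import ipaddress
import sys

# Constructed sample hosts file (not from the page): the XP default mapping plus two lines of
# the kind a redirecting infection appends. The vendor names use the reserved .test TLD.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       www.av-vendor.test            # constructed: vendor site pinned to loopback
10.0.0.5        update.av-vendor.test         # constructed: update host sent elsewhere
"""

# Mappings a clean XP hosts file contains; Vista and later also ship "::1 localhost".
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Path from the comment above; the script falls back to the sample when the file is absent.
HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every active mapping, ignoring comments/blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a valid "ip name ..." line; ignore it
        for name in fields[1:]:                  # one IP may carry several names
            entries.append((lineno, fields[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Every mapping that is not part of the default file, with a short reason."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            reason = "sinkholed to loopback (site will fail to load)"
        else:
            reason = "redirected to " + ip
        findings.append((lineno, ip, name, reason))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else HOSTS_PATH
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS                      # offline demonstration
    for lineno, ip, name, reason in suspicious_entries(text):
        print(f"line {lineno}: {ip} {name} -> {reason}")
```

Run it with no argument on the infected machine (or pass a copied hosts file as the argument); an empty report means only the localhost lines remain, which is the state the comment says you should restore before trying the AV sites again. Infections commonly set the file hidden or read-only, so if editing fails, clear those attributes first.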
All good suggestions.  Try them first, if they don't work for you, try booting from an external boot device (cd/dvd/usb).  You can create one of these fairly easily with a utility called SARDU.  If you want you can create a single boot install or multiple boot install (you can put every possible boot cd known into this and then choose which to use from the initial menu).  It has a one-click create button - see this article:

http://www.experts-exchange.com/articles/Storage/Misc/Boot-Disks-UBCD-UBCD4Win-and-SARDU.html
Top Expert 2009

Commented:
Try Tdsskiller. Runs in less than a minute and hopefully will find rootkit blocking access to AV websites and causing other scanner issues

http://support.kaspersky.com/viruses/solutions?qid=208280684
Hi, uescomp,
I have a small doubt: will your script run on Vista?
(For my own clarification.)
Distinguished Expert 2019

Commented:
you can also run a scan from the Kaspersky rescue cd : http://www.tinydl.com/software/45023-kaspersky-boot-rescue-disk-2010.html 

Author

Commented:
So far, I haven't found anything but a misbehaving computer.  BTW, it is an XP machine - not Vista.  The association-fixing batch file had no effect.  I even ran it in a command window to be sure it was in fact running.  I have run ComboFix and tried to run Malwarebytes without success.  The suggested registry edit had no effect.  Running ActiveScan, etc. won't work because I can't get to the websites.  The Kaspersky TDSSKiller did not do anything.

I am working my way through the SARDU disk with the different virus scanners, but so far I have found nothing.  Most of the suggested offline scanners are included.

What I haven't tried is SmitfraudFix and HijackThis; I will try those later.  I also want to run SFC.

I may be looking at residual damage, in which case I have a problem.  The computer is an HP, which means that I have to set it all the way back to factory settings.  I always lose something when I do that.
Top Expert 2009

Commented:
Can you post ComboFix's logfile and TDSSKiller's? Both are located at c:\

Also run Gmer
Make sure anti virus and any other security programs shields/real time scanners are disabled before running Gmer
Have no other programs open
http://www.gmer.net/download.php

If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then uncheck the following:
    >  IAT/EAT
    > Drives/Partitions other than OS Systemdrive (typically C:\)
    > Show All (don't miss this one)

NB> Then hit Scan and leave the machine idle to run the Gmer scan.
When completed, hit the Save button and attach its logfile.

Note> Don't take any action on files listed in the scan, as it also lists legit files!

Author

Commented:
These are the logs that you requested plus a HiJackThis log.

None of the virus scanners have turned anything up.  BitDefender would not run from the SARDU disk, and Malwarebytes will still not run in normal mode.  I have also run RootkitRevealer and Process Explorer from Sysinternals (now a Microsoft operation).  They did not show anything either.

Someone mentioned HijackThis, but it did not find anything that means anything to me.

As far as I can tell, I have a registry problem - possibly, but not necessarily, caused by a virus.  If someone sees something that I missed, I will be delighted to hear about it, but it's looking like my next step is going to be to capture my customer's profile and reinstall to factory condition.  I am not looking forward to reinstalling printer and scanner drivers if I have to download them on site - with a dial-up connection (maybe she can tell me the model numbers).  And, installing AOL software is not my favorite thing to do.
ComboFix.txt
gmer.log
hijackthis.log
TDSSKiller.2.3.2.0-11.06.2010-16.txt
Top Expert 2009

Commented:
Hi.
Fix these in Hijackthis:

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

> Run sfc /purgecache followed by sfc /scannow from the Run box (Start > Run).
> Check your issues again.
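Two of the fixes in this thread are registry checks: the Image File Execution Options subkeys from the earlier comment (a `Debugger` value there makes Windows launch another program in place of the named executable, which is why the scanners silently fail to start) and the ProtocolDefaults zones that the O15 lines above flag. The added Python below (not code from the page or from any commenter) audits both from a `reg export` dump so the findings can be read before anything is deleted. The sample export text is constructed; the expected zone numbers follow the O15 lines (Internet = 3 for file/ftp/http/https, Local Intranet = 1 for @ivt) and the zone names are the standard IE zone IDs (0 My Computer through 4 Restricted Sites).

```python
import re
import sys

# Constructed sample of what "reg export" writes for the two keys (not taken from the page).
# notepad.exe stands in for a legitimate IFEO subkey (no Debugger value), mbam.exe for a hijacked
# one with a placeholder path; the ProtocolDefaults values mirror the wrong zones in the O15 lines.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER-HIJACKER.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000001
"file"=dword:00000000
"ftp"=dword:00000000
"http"=dword:00000000
"https"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
PROTOCOL_DEFAULTS_SUFFIX = r"\ZoneMap\ProtocolDefaults"

ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
# Expected zones as stated by the O15 lines in the HijackThis log above.
EXPECTED_PROTOCOL_ZONES = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3}


def decode_value(data):
    """Turn the textual value data of a .reg line into a Python value."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')   # undo .reg escaping
    return data                                    # hex(...) blobs etc. are kept as text


def parse_reg_export(text):
    """Map each key path to a dict of its values (value names lower-cased, as the registry is case-insensitive)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1).lower()] = decode_value(value_match.group(2))
    return keys


def ifeo_debugger_entries(keys):
    """(executable, debugger path) for every IFEO subkey that redirects a program launch."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "debugger" in values:
            hits.append((path[len(prefix):], values["debugger"]))
    return sorted(hits)


def protocol_zone_mismatches(keys):
    """(protocol, current zone name, expected zone name) for each protocol in the wrong zone."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith(PROTOCOL_DEFAULTS_SUFFIX.lower()):
            continue
        for proto, expected in EXPECTED_PROTOCOL_ZONES.items():
            actual = values.get(proto)
            if actual != expected:
                findings.append((proto, ZONE_NAMES.get(actual, "unset"), ZONE_NAMES[expected]))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # reg.exe writes UTF-16 with a BOM
        text = "".join(open(p, encoding="utf-16") for p in sys.argv[1:]) if False else ""
        for p in sys.argv[1:]:
            with open(p, encoding="utf-16") as fh:
                text += fh.read()
    else:
        text = SAMPLE_REG_EXPORT                   # offline demonstration
    keys = parse_reg_export(text)
    for exe, dbg in ifeo_debugger_entries(keys):
        print(f"IFEO: launching {exe} actually runs {dbg}")
    for proto, have, want in protocol_zone_mismatches(keys):
        print(f"ProtocolDefaults: {proto} is in {have} zone, should be {want}")
```

On the machine, dump the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" zones.reg`, then run the script with both files as arguments. Listing the `Debugger` values first is safer than deleting every IFEO subkey as the earlier comment suggests: legitimate tools also create subkeys there (the `GlobalFlag` entry in the sample is that kind), and only the subkeys naming a security tool with a `Debugger` value are the ones stopping the scanners.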

Kyle Abrahams, Senior .Net Developer

Commented:
Fix the following in HJT as well:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

Be sure to do a backup before removing.

Author

Commented:
I had tried to fix some of these previously.  The ones suggested by ged325 have been fixed, but the protocol defaults items suggested by optoma refuse to go away.

I still cannot make changes to the Start menu.  I cannot change anything in IE 8, there are several other settings that I can't change, and I can't install an AV program.

Something is blocking changes to Windows.

Author

Commented:
The Subinacl batch file suggested by ged325 cured the problem.