infected laptop

Yesterday I got infected from the internet, first with a fake trojan, then with password.xgen, and now a rootkit, all at once. I ran Malwarebytes and it found 16 infections; then I ran Combofix and it told me it found a rootkit. I ran Malwarebytes a couple more times until it found nothing, and ran the anti-virus, which found nothing. However, every time I run Combofix, it tells me it found a rootkit. Every other time I open a browser, it redirects my page, or if I open a new tab it says "connecting" but never opens. I changed the browser back to factory defaults, but it didn't help. What else can I do? The OS is Windows XP SP3 and the browser is Internet Explorer 8. Thanks!
Bob Macpherson asked:

younghv commented:
You might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue.
Please post the log to be analyzed.

Tyler Laczko commented:
Make sure you are working in Safe Mode when you do the repairs to the computer.

* Use CCleaner.
* Manually delete the temp files.
* Turn System Restore off (viruses can hide in there).

jonahzona commented:
If you clear everything off and you are still getting browser redirects, check this article that was posted a couple days ago.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_5327-Infected-router-Google-search-redirects-even-on-a-clean-system.html


Thomas Zucker-Scharff (Solution Guide) commented:
Please, before recommending turning System Restore off, read the articles on this site dealing with System Restore. In summary, DO NOT turn System Restore off until your system is clean. The SR files are benign unless you use them to restore to a previous date.

System Restore Articles:

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1934-Viruses-in-the-System-Volume-Information-System-Restore.html

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_2209-Removing-protected-System-Restore-files-if-they-have-been-infected.html

As for your rootkits, I suggest a dedicated rootkit cleaner.  Check out my article on rootkits, free antirootkit scanners, and cleaning after a rootkit infection.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

NOTE: The only way to be sure your system is clean after a rootkit infection is to do a clean install.

younghv commented:
Please do not attempt to disinfect any computer in "Safe Mode".
You need all processes running in order for them to be identified by your scanners and neutralized.

ALL of the most effective scanners are designed to be run in "Normal Mode" and the only time you use Safe Mode is if that is the only way your system will boot.

Please don't ever turn off your System Restore until your system has been repaired - and then only to delete all of the old restore points - then immediately turn it back on again.

If something goes wrong with your current system files, the only way you are going to be able to restart your system is from one of those Restore Points. Even if they are infected, they are better than nothing.

Bob Macpherson (author) commented:
I did what younghv suggested and it found one rootkit. Unfortunately, I had already turned System Restore off and it cleaned all my history. Here is the log:
TDSSKiller.2.5.0.0-06.05.2011-14.txt

younghv commented:
Excellent!

Please read these two Articles and use the "Rogue Killer" followed by a fresh Malwarebytes (Full) scan.

Post the logs from both.

http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

Bob Macpherson (author) commented:
Now my browser DOES NOT work anymore... Page not found... I cannot even ping yahoo.com. I do have an internet connection active though! Please advise!

younghv commented:
Using "Rogue Killer", go through the Menu Items, starting with "Proxy Fix" and see if that repairs it.

Bob Macpherson (author) commented:
Rogue Killer did not find anything. I just rebooted and now the internet seems to be working (knock on wood), but it's still slower than before; I don't know why!

Thomas Zucker-Scharff (Solution Guide) commented:
Try using a different browser (read: Chrome). See if that helps any. If you do end up using Chrome, be sure to use Abelssoft's free UnChrome; it removes Chrome's unique ID.

Bob Macpherson (author) commented:
I had Firefox before, but I removed it after I was infected: it had changed the configuration to a proxy of 127.0.0.1 and I could not use it anymore. After I changed it back I still had problems with that browser and I had to uninstall it. I will try to install it again.

Bob Macpherson (author) commented:
Do you think my computer is clean now?

younghv commented:
The "Proxy Fix" report from RogueKiller is always blank.
It just fixes the problem, but there are no 'processes' to report.

What showed up in the "HOSTS" report?
A really large number of entries in that file can actually slow down your browsing speeds.
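The two settings this hijack touched, the 127.0.0.1 proxy the author mentions and the HOSTS file discussed just above, can be audited mechanically rather than by eye. The following is an added Python example, not code from the thread or from TDSSKiller, RogueKiller or any other tool named in it. It parses HOSTS text and flags entries that sinkhole or redirect well-known sites (or map anything to a non-loopback address, which a stock Windows HOSTS file never does), and it checks a WinINET proxy string for a loopback proxy. The HOSTS samples and proxy values are constructed; the WATCHLIST of domain names is an assumption, and on a real machine the two proxy values would be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable and ProxyServer) with the winreg module instead of being passed in.

```python
"""Audit a Windows HOSTS file and WinINET proxy settings for browser-hijack residue.
Added example; the samples below are constructed, not captured from the author's PC."""
import ipaddress

# Assumption: sites a browser hijacker typically sinkholes (security vendors)
# or redirects (search engines / portals). Extend to taste.
WATCHLIST = {
    "www.google.com", "google.com", "www.yahoo.com", "yahoo.com",
    "www.malwarebytes.org", "malwarebytes.org", "support.kaspersky.com",
    "windowsupdate.microsoft.com", "update.microsoft.com",
}


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples for every mapping in HOSTS text."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line; not a mapping
        for host in parts[1:]:                   # one IP may carry several names
            entries.append((ip, host.lower(), n))
    return entries


def audit_hosts(text, max_entries=50):
    """Return human-readable findings for HOSTS text; an empty list means nothing odd."""
    findings = []
    entries = parse_hosts(text)
    for ip, host, n in entries:
        blackhole = ip.is_loopback or ip.is_unspecified   # 127.x, ::1, 0.0.0.0
        if host == "localhost" and blackhole:
            continue                             # the only entry a stock Windows HOSTS has
        if host in WATCHLIST:
            kind = "sinkholed" if blackhole else "redirected"
            findings.append(f"line {n}: {host} {kind} to {ip}")
        elif not blackhole:
            findings.append(f"line {n}: {host} mapped to {ip} (not a loopback/blackhole address)")
    if len(entries) > max_entries:
        findings.append(f"{len(entries)} entries: an oversized HOSTS file slows every name lookup")
    return findings


def audit_proxy(proxy_enable, proxy_server):
    """Flag a proxy that points at loopback, the symptom the author saw in Firefox.
    proxy_enable / proxy_server mirror the WinINET registry values ProxyEnable (DWORD)
    and ProxyServer ("host:port" or "http=host:port;https=host:port;...")."""
    findings = []
    if not proxy_enable or not proxy_server:
        return findings                          # no proxy in use, nothing to check
    for item in proxy_server.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, _, target = item.partition("=") if "=" in item else ("all", "=", item)
        host = target.rsplit(":", 1)[0].strip("[]")   # strip port and IPv6 brackets
        try:
            if ipaddress.ip_address(host).is_loopback:
                findings.append(f"{scheme} proxy points at loopback {target}")
        except ValueError:
            pass                                 # a hostname, not an address; leave it
    return findings


# Constructed samples: a stock XP HOSTS file and one carrying hijack entries.
CLEAN_HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"
HIJACKED_HOSTS = CLEAN_HOSTS + (
    "127.0.0.1 www.malwarebytes.org\n"           # vendor site sinkholed
    "203.0.113.10 www.google.com\n"              # search engine redirected (TEST-NET-3)
    "10.1.2.3 update.example.net\n"              # any non-loopback mapping is worth a look
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(label, audit_hosts(sample) or "OK")
    print(audit_proxy(1, "127.0.0.1:8080"))
    print(audit_proxy(1, "http=proxy.corp.example:3128;https=[::1]:3128"))
```

On the box itself, read HOSTS from `%SystemRoot%\system32\drivers\etc\hosts` and the proxy values with `winreg.OpenKey`/`winreg.QueryValueEx`; the audit functions only need the text and the two values, so they run the same way on a copy pulled off the infected machine.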
 
younghv commented:
"Do you think my computer is clean now?"

You haven't posted the log for your Malwarebytes scan yet.

You should have done that immediately after running RogueKiller

Thomas Zucker-Scharff (Solution Guide) commented:
I am not as proficient at reading TDSSKiller logs as younghv. In general I would run a couple more scans with as many scanner engines as possible before pronouncing anything. Also, you should do an online scan with one of the many free online tools, like ESET's: http://www.eset.com/us/online-scanner

Thomas Zucker-Scharff (Solution Guide) commented:
Also I recommend running this tool from f-secure:

http://healthcheck.f-secure.com/

Bob Macpherson (author) commented:
In the HOSTS file I have one entry: 127.0.0.1 localhost
The last Malwarebytes log is free of errors; it found no infections.
I will do the ESET online scan too, and the F-Secure one.
Thanks!

younghv commented:
Good advice - always better "Safe than sorry".
Let us know the results.

Thomas Zucker-Scharff (Solution Guide) commented:
Here's a link to my bookmarks for scan/clean tools:

http://www.delicious.com/tzucker/scan%2Fclean

There is also a tag for online scanners.  Feel free to look around.

Note that I have no connection with any of these vendors.  I also don't warrant that they won't harm your computer - use at your own risk.  Also note that although I have found most of these tools useful at one time or another, your mileage may vary (YMMV).

Jonvee commented:
After you have run the ESET and F-secure scans there is still another good utility that you could try, it doesn't appear to have been mentioned yet ... Dr.Web CureIt!:
http://www.freedrweb.com/cureit/?lng=en

Incidentally, did you manage to re-install Firefox?

Also please confirm whether or not you can still access the internet.

rpggamergirl commented:
When you made your first post it would've helped if you also posted the ComboFix log.
ComboFix needs user input to clean up some infections, that's what its script function is for.

The TDSSKiller log shows it cured the rootkit at reboot, so I assume it did? Did the redirect issue stop?


Bob Macpherson (author) commented:
Yes, it stopped. The computer seems good now, thanks to all of you!
Question has a verified solution.