Solved

infected laptop

Posted on 2011-05-06
Last Modified: 2013-11-22
Yesterday I got infected from the internet, first with a fake trojan, then with password.xgen, and now a rootkit, all at once. I ran Malwarebytes, which found 16 infections, then ran ComboFix, which told me it found a rootkit, and ran Malwarebytes a couple more times until it found nothing; the anti-virus also found nothing. However, every time I run ComboFix, it tells me it found a rootkit. Every other time I open a browser, it redirects my page, or if I open a new tab it says "connecting" but never opens. I reset the browser to its factory defaults but it didn't help. What else can I do? The OS is Windows XP SP3 and the browser is Internet Explorer 8. Thanks!
Question by:Bob Macpherson
23 Comments
 
LVL 38

Accepted Solution

by:
younghv earned 1200 total points
ID: 35708748
You might want to start with TDSSKiller, found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to finish. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue.
Please post the log to be analyzed.
LVL 10

Expert Comment

by:Tyler Laczko
ID: 35708757
Make sure you are working in Safe Mode when you do the repairs to the computer.

You should use CCleaner.
Manually delete the temp files.
Turn System Restore off (viruses can hide in there).
LVL 13

Expert Comment

by:jonahzona
ID: 35708825
If you clear everything off and you are still getting browser redirects, check this article that was posted a couple of days ago.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_5327-Infected-router-Google-search-redirects-even-on-a-clean-system.html

LVL 30

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 800 total points
ID: 35708827
Please, before recommending turning System Restore off, read the articles on this site dealing with System Restore. In summary, DO NOT turn System Restore off until your system is clean. The SR files are benign unless you use them to restore to a previous date.

System Restore Articles:

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1934-Viruses-in-the-System-Volume-Information-System-Restore.html

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_2209-Removing-protected-System-Restore-files-if-they-have-been-infected.html

As for your rootkits, I suggest a dedicated rootkit cleaner. Check out my article on rootkits, free anti-rootkit scanners, and cleaning up after a rootkit infection.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

NOTE: The only way to be sure your system is clean after a rootkit infection is to do a clean install.
LVL 38

Expert Comment

by:younghv
ID: 35708830
Please do not attempt to disinfect any computer in "Safe Mode".
You need all processes running in order for them to be identified by your scanners and neutralized.

ALL of the most effective scanners are designed to be run in "Normal Mode", and the only time you use Safe Mode is if that is the only way your system will boot.

Please don't ever turn off your System Restore until your system has been repaired - and then only to delete all of the old restore points - then immediately turn it back on again.

If something goes wrong with your current system files, the only way you are going to be able to restart your system is from one of those Restore Points. Even if they are infected, they are better than nothing.

Author Comment

by:Bob Macpherson
ID: 35708911
I did what younghv suggested and it found one rootkit. Unfortunately, I had already turned System Restore off and it cleaned all my history. Here is the log:
TDSSKiller.2.5.0.0-06.05.2011-14.txt
LVL 38

Expert Comment

by:younghv
ID: 35708959
Excellent!

Please read these two Articles and use "Rogue Killer", followed by a fresh Malwarebytes (Full) scan.

Post the logs from both.

http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

Author Comment

by:Bob Macpherson
ID: 35709038
Now my browser DOES NOT work anymore... "Page not found"... I cannot even ping yahoo.com. I do have an active internet connection, though! Please advise!
LVL 38

Expert Comment

by:younghv
ID: 35709054
Using "Rogue Killer", go through the menu items, starting with "Proxy Fix", and see if that repairs it.

Author Comment

by:Bob Macpherson
ID: 35709185
Rogue Killer did not find anything. I just rebooted and now the internet seems to be working (knock on wood), but it's still slower than before; I don't know why!
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 35709230
Try using a different browser (read: Chrome). See if that helps any. If you do end up using Chrome, be sure to use Abelssoft's free UnChrome; it removes Chrome's unique ID.

Author Comment

by:Bob Macpherson
ID: 35709300
I had Firefox before, but I removed it after I was infected: the infection changed the configuration to a proxy of 127.0.0.1 and I could not use it anymore. After I changed it back I still had problems with that browser and I had to uninstall it. I will try to install it again.

Author Comment

by:Bob Macpherson
ID: 35709306
Do you think my computer is clean now?
LVL 38

Expert Comment

by:younghv
ID: 35709333
The "Proxy Fix" report from RogueKiller is always blank.
It just fixes the problem, but there are no 'processes' to report.

What showed up in the "HOSTS" report?
A really large number of entries in that file can actually slow down your browsing speeds.
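The two symptoms discussed in this thread, a proxy forced to 127.0.0.1 (Bob's Firefox problem, which RogueKiller's "Proxy Fix" resets) and a HOSTS file padded with hijack entries (what younghv is asking about in the "HOSTS" report), can both be triaged without a vendor tool. The script below is an added example written for this page, not something posted in the thread or shipped with TDSSKiller or RogueKiller. It runs offline on a constructed sample HOSTS file and a constructed proxy value; on Windows, the hypothetical `--live` flag makes it read the real `%SystemRoot%\system32\drivers\etc\hosts` and the real `ProxyEnable`/`ProxyServer` values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (those value names and that key are the genuine WinINet locations; the sample data and the flag are this example's assumptions).

```python
"""Triage of two browser-hijack symptoms from the thread: a proxy forced to
127.0.0.1 in the Internet Settings registry key, and HOSTS-file entries that
pin security-vendor or search sites to attacker-chosen addresses.
Runs offline on constructed sample data; on Windows, pass --live (a flag
invented for this example) to read the real HOSTS file and registry instead."""
import sys

# Constructed sample of a tampered HOSTS file (not data from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       www.kaspersky.com   # vendor site sinkholed so updates fail
74.125.0.99     www.google.com      # search traffic sent to a third party
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (address, hostname) pairs; '#' comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries


def triage_hosts(text):
    """Classify entries: 'sinkholed' = a real name pinned to loopback (the site
    becomes unreachable, typically AV vendors), 'redirected' = a real name
    pinned to some other address (search/login hijack). Only loopback ->
    localhost-style mappings are treated as benign, so a file holding just
    '127.0.0.1 localhost' triages clean; a large 'total' is the slowdown
    younghv mentions."""
    entries = parse_hosts(text)
    sinkholed = [(a, n) for a, n in entries if a in LOOPBACK and n not in LOCAL_NAMES]
    redirected = [(a, n) for a, n in entries if a not in LOOPBACK]
    return {"total": len(entries), "sinkholed": sinkholed, "redirected": redirected}


def check_proxy(proxy_enable, proxy_server, expect_local_proxy=False):
    """Inspect the WinINet values RogueKiller's 'Proxy Fix' resets:
    ProxyEnable (DWORD) and ProxyServer (REG_SZ) under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.
    ProxyServer is 'host:port' or 'http=host:port;https=host:port;...'.
    A loopback proxy with nothing legitimately listening there is the hijack
    pattern from the thread: every request dies at 127.0.0.1."""
    findings = []
    if not proxy_enable:
        return findings
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, target = part.rpartition("=")  # scheme is '' without 'http='
        if target.startswith("["):                # [::1]:8080
            host = target[1:].split("]", 1)[0]
        elif target.count(":") == 1:              # host:port
            host = target.split(":", 1)[0]
        else:                                     # bare host or bare IPv6 literal
            host = target
        if host.lower() in LOOPBACK | {"localhost"} and not expect_local_proxy:
            findings.append(f"{scheme or 'all'} proxy points at loopback ({target}) "
                            "but no local proxy is expected")
    return findings


def read_live_windows_settings():
    """Windows only: the real HOSTS file and the HKCU proxy values."""
    import os
    import winreg
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              r"system32\drivers\etc\hosts")
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hosts_text = fh.read()
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        for name, default in (("ProxyEnable", 0), ("ProxyServer", "")):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = default
    return hosts_text, values["ProxyEnable"], values["ProxyServer"]


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        hosts_text, enable, server = read_live_windows_settings()
    else:  # constructed values mirroring the 127.0.0.1 proxy the OP described
        hosts_text, enable, server = SAMPLE_HOSTS, 1, "127.0.0.1:8080"
    report = triage_hosts(hosts_text)
    print(f"HOSTS: {report['total']} entries, {len(report['sinkholed'])} sinkholed, "
          f"{len(report['redirected'])} redirected")
    for addr, name in report["sinkholed"] + report["redirected"]:
        print(f"  {addr:<16} {name}")
    for finding in check_proxy(enable, server) or ["proxy settings look clean"]:
        print("PROXY:", finding)
```

Reading the HOSTS file and the registry is enough to confirm the symptom, not to remove the cause: the rootkit that wrote those values will put them back, which is why the thread runs TDSSKiller first and only then resets the proxy. On a machine where a local filtering proxy is genuinely installed, pass `expect_local_proxy=True` so a legitimate 127.0.0.1 listener is not reported.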
LVL 38

Expert Comment

by:younghv
ID: 35709350
"Do you think my computer is clean now?"

You haven't posted the log for your Malwarebytes scan yet.

You should have done that immediately after running RogueKiller
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 35709355
I am not as proficient at reading TDSSKiller logs as younghv. In general I would run a couple more scans with as many scanner engines as possible before pronouncing anything. Also, you should do an online scan with one of the many free online tools, like ESET's: http://www.eset.com/us/online-scanner
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 35709382
Also, I recommend running this tool from F-Secure:

http://healthcheck.f-secure.com/

Author Comment

by:Bob Macpherson
ID: 35709421
In the HOSTS file I have one entry: 127.0.0.1 localhost.
The last Malwarebytes log is free of errors; it found no infections.
I will do the ESET online scan too, and the F-Secure one.
Thanks!
LVL 38

Expert Comment

by:younghv
ID: 35709446
Good advice - always better "Safe than sorry".
Let us know the results.
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 35709701
Here's a link to my bookmarks for scan/clean tools:

http://www.delicious.com/tzucker/scan%2Fclean

There is also a tag for online scanners.  Feel free to look around.

Note that I have no connection with any of these vendors. I also don't warrant that they won't harm your computer; use at your own risk. Also note that although I have found most of these tools useful at one time or another, your mileage may vary (YMMV).
LVL 27

Expert Comment

by:Jonvee
ID: 35711080
After you have run the ESET and F-Secure scans there is still another good utility you could try; it doesn't appear to have been mentioned yet: Dr.Web CureIt!:
http://www.freedrweb.com/cureit/?lng=en

Incidentally, did you manage to re-install Firefox?

Also, please confirm whether or not you can still access the internet.
LVL 47

Expert Comment

by:rpggamergirl
ID: 35711165
When you made your first post it would have helped if you had also posted the ComboFix log.
ComboFix needs user input to clean up some infections; that's what its script function is for.

The TDSSKiller log shows it cured the rootkit at reboot, so I assume it did? Did the redirect issue stop?

0
 

Author Comment

by:Bob Macpherson
ID: 35711928
Yes, it stopped. The computer seems good now, thanks to all of you!