infected laptop
Yesterday I got infected from the internet, first with a fake trojan and then with password.xgen and now rootkit, all at once. I ran Malwarebytes and found 16 infections and then ran Combofix and told me it found rootkit and ran Malwarebytes a couple more times until it found nothing, and ran anti-virus and found nothing. However every time I run Combofix, it tells me it found rootkit. Every other time I open a browser, it redirects my page, or if I open a new tab it says connecting but never opens. I changed the defaults of the browser to factory defaults but it didn't help. What else can I do? The OS is Windows XP SP3 and the browser is Internet Explorer 8. Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you clear everything off and you are still getting browser redirects, check this article that was posted a couple days ago.
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_5327-Infected-router-Google-search-redirects-even-on-a-clean-system.html
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_5327-Infected-router-Google-search-redirects-even-on-a-clean-system.html
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Please do not attempt to disinfect any computer in "Safe Mode".
You need to all processes running in order for them to be identified by your scanners and neutralized.
ALL of the most effective scanners are designed to be run in "Normal Mode" and the only time you use Safe Mode is if that is the only way your system will boot.
Please don't ever turn off your System Restore until your system has been repaired - and then only to delete all of the old restore points - then immediately turn it back on again.
If something goes wrong with your current system files, the only way you are going to be able to restart your system is from one of those Restore Points. Even if they are infected, they are better than nothing.
You need to all processes running in order for them to be identified by your scanners and neutralized.
ALL of the most effective scanners are designed to be run in "Normal Mode" and the only time you use Safe Mode is if that is the only way your system will boot.
Please don't ever turn off your System Restore until your system has been repaired - and then only to delete all of the old restore points - then immediately turn it back on again.
If something goes wrong with your current system files, the only way you are going to be able to restart your system is from one of those Restore Points. Even if they are infected, they are better than nothing.
ASKER
I did what younghv suggested and it found one rootkit. Unfortunately, I already turned System Restore Off and it cleaned all my history. Here is the log
TDSSKiller.2.5.0.0-06.05.2011-14.txt
TDSSKiller.2.5.0.0-06.05.2011-14.txt
Excellent!
Please read these two Articles and use the "Rogue Killer" followed by a fresh Malwarebytes (Full) scan.
Post the logs from both.
https://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-A
https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great
Please read these two Articles and use the "Rogue Killer" followed by a fresh Malwarebytes (Full) scan.
Post the logs from both.
https://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-A
https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great
ASKER
Now my browser DOES NOT work anymore... Page not found... I cannot even ping yahoo.com. I do have an internet connection active though! Please advise!
Using "Rogue Killer", go through the Menu Items, starting with "Proxy Fix" and see if that repairs it.
ASKER
Rogue Killer did not find anything, I justrebooted and now internet seems to be working (knock in wood) but it's still slower than before, I don't know why!
Try using a different browser (read: chrome). See if that helps any. If you do end up using Chrome be sure to use abelsofts free unchrome it removes chrome's unique ID.
ASKER
I had Firefox before but I removed it after I was infected before it changed the configuration to a Proxy 127.0.0.1 and I could not use it anymore, after I changed it back I still had problems with that browser and I had to uninstall it. I will try to install it again.
ASKER
Do you think my computer is clean now?
The "Proxy Fix" report from RogueKiller is always blank.
It just fixes the problem, but there are no 'processes' to report.
What showed up in the "HOSTS" report?
A really large number of entries in that file can actually slow down your browsing speeds.
It just fixes the problem, but there are no 'processes' to report.
What showed up in the "HOSTS" report?
A really large number of entries in that file can actually slow down your browsing speeds.
"Do you think my computer is clean now?"
You haven't posted the log for your Malwarebytes scan yet.
You should have done that immediately after running RogueKiller
You haven't posted the log for your Malwarebytes scan yet.
You should have done that immediately after running RogueKiller
I am not as proficient at reading tdsskiller logs as Younghv. In general I would run a couple of more scans with as many scanner engines before pronouncing anything. Also you should do an online scan with one of the many free online tools like ESETs: http://www.eset.com/us/online-scanner
ASKER
In the host file I have one entry 127.0.0.1 localhost
the last Malwarebytes log is free of errors, found no infections
I will do the ESET on line scan too and the F-secure
Thanks!
the last Malwarebytes log is free of errors, found no infections
I will do the ESET on line scan too and the F-secure
Thanks!
Good advice - always better "Safe than sorry".
Let us know the results.
Let us know the results.
Here's a link to my bookmarks for scan/clean tools:
http://www.delicious.com/tzucker/scan%2Fclean
There is also a tag for online scanners. Feel free to look around.
Note that I have no connection with any of these vendors. I also don't warrant that they won't harm your computer - use at your own risk. Also note that although I have found most of these tools useful at one time or another, your mileage may vary (YMMV).
http://www.delicious.com/tzucker/scan%2Fclean
There is also a tag for online scanners. Feel free to look around.
Note that I have no connection with any of these vendors. I also don't warrant that they won't harm your computer - use at your own risk. Also note that although I have found most of these tools useful at one time or another, your mileage may vary (YMMV).
After you have run the ESET and F-secure scans there is still another good utility that you could try, it doesn't appear to have been mentioned yet ... Dr.Web CureIt!:
http://www.freedrweb.com/cureit/?lng=en
Incidently did you manage to re-install Firefox?
Also please confirm whether or not you can still access the internet.
http://www.freedrweb.com/cureit/?lng=en
Incidently did you manage to re-install Firefox?
Also please confirm whether or not you can still access the internet.
When you made your first post it would've helped if you also posted the ComboFix log.
ComboFix needs user input to clean up some infections, that's what its script function is for.
TDSSKiller log shows it cured the rootkit at reboot so I assume it had? Did the redirect issue stopped?
ComboFix needs user input to clean up some infections, that's what its script function is for.
TDSSKiller log shows it cured the rootkit at reboot so I assume it had? Did the redirect issue stopped?
ASKER
yes, it stopped, the computer seems good now, thanks to all of you!
You should use CCleaner
manually delete the temp files
turn system restore off. (viruses can hide in there)