This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:
- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples
Complications from XP Security 2011 Virus
Hello,
I'm working on a PC that was infected by XP Security 2011, and went through the "normal" steps to remove the infection. I have done the same on several other PCs infected by this virus, but this time it seems to have gotten a bit more advanced.
First, I logged on in Safe Mode under the Administrator account, used Registry fix file to allow .Exe's to run, ran renamed rKill, then updated and ran Malwarebytes full scan. Removed selected with Malwarebytes, rebooted in Normal Windows mode, repeated process on User Account.
So, no more popups now from the fake Security Center, but there are a few lingering complications that I can't figure out. First, Avast keeps popping a "Malicious URL Blocked", originating from C:\WINDOWS\System32\svchos
HijackThis log is attached. hijackthis.log
I'm working on a PC that was infected by XP Security 2011, and went through the "normal" steps to remove the infection. I have done the same on several other PCs infected by this virus, but this time it seems to have gotten a bit more advanced.
First, I logged on in Safe Mode under the Administrator account, used Registry fix file to allow .Exe's to run, ran renamed rKill, then updated and ran Malwarebytes full scan. Removed selected with Malwarebytes, rebooted in Normal Windows mode, repeated process on User Account.
So, no more popups now from the fake Security Center, but there are a few lingering complications that I can't figure out. First, Avast keeps popping a "Malicious URL Blocked", originating from C:\WINDOWS\System32\svchos
HijackThis log is attached. hijackthis.log
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
I would run Combofix from Bleeping computer. http://www.bleepingcomputer.com/download/anti-virus/combofix It seems to find and fix things others miss.
you have a root kit infection.
download Avira's free version and install it on a computer that you can take apart. take the hard drive out of the infected computer and install it into the computer you put Avira on. Boot up on the your "Take apart PC" operating system and make sure the infected hard drive shows up in your windows explorer. right click on the infected hard drive and run a full Avira scan. it will find the root kit and eliminate it. that will solve the problem.
download Avira's free version and install it on a computer that you can take apart. take the hard drive out of the infected computer and install it into the computer you put Avira on. Boot up on the your "Take apart PC" operating system and make sure the infected hard drive shows up in your windows explorer. right click on the infected hard drive and run a full Avira scan. it will find the root kit and eliminate it. that will solve the problem.
You will have to define what you mean by "normal" - normally, Safe Mode scans are not recommended.
Where did you get the instructions for removing this virus.
Please compare what you did with the instructions found here:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011
Where did you get the instructions for removing this virus.
Please compare what you did with the instructions found here:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011
You do not have to pull and slave your hard drive, but you do need to fix your registry before starting the rest of the process.
In virtually all cases, your computer can be cleaned using freely available tools - if it will boot up.
In virtually all cases, your computer can be cleaned using freely available tools - if it will boot up.
the above suggestions are good, also show us the logfile if using ComboFix.
Fix these 3 entries in hijackthis:
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing) G
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1
If the problem persists, use TDSSKiller mentioned in this article:
“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
Fix these 3 entries in hijackthis:
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing) G
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1
If the problem persists, use TDSSKiller mentioned in this article:
“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
Sure it is "C:\WINDOWS\System32\svcho
Guess it is just a typo, as I didnt see it in the process list....
Just as an aside, you need to decide between Avast or AVG (Avast personally), as you dont want multiple AV apps running at the same time....
Guess it is just a typo, as I didnt see it in the process list....
Just as an aside, you need to decide between Avast or AVG (Avast personally), as you dont want multiple AV apps running at the same time....
DaveBaldwin,
I will run a ComboFix this afternoon and post results/log.
warbringer,
I would really rather not do that, but I will keep it on the table as a last resort option, before doing a new XP Pro install.
younghv,
That is the exact tutorial I followed, although it had to be done in Safe Mode originally as I could not run anything at all, couldn't even bring up my USB drive to run the Registry Fix file. After doing it in Safe Mode under Administrator, I ran the same process in "Normal" Windows operating mode under both the Administrator account and the User account.
rpggamergirl,
I will run TDSSKiller this afternoon. Are the Winlogon files something I could copy from an install disc? How about the DX9 files, would I need to reinstall DirectX?
johnb6767,
It is "svchost.exe", that is indeed a typo. I would normally only use Avast, however this isn't my computer and the owner already had AVG installed. I threw Avast on simultaneously just as another scan function to hit it with. I ran AVG, Avast, MBAM and McAfee Stinger just to see which program found what. Plan to remove AVG this afternoon.
Thanks to everyone for all of your input, I will post an update post-ComboFix.
I will run a ComboFix this afternoon and post results/log.
warbringer,
I would really rather not do that, but I will keep it on the table as a last resort option, before doing a new XP Pro install.
younghv,
That is the exact tutorial I followed, although it had to be done in Safe Mode originally as I could not run anything at all, couldn't even bring up my USB drive to run the Registry Fix file. After doing it in Safe Mode under Administrator, I ran the same process in "Normal" Windows operating mode under both the Administrator account and the User account.
rpggamergirl,
I will run TDSSKiller this afternoon. Are the Winlogon files something I could copy from an install disc? How about the DX9 files, would I need to reinstall DirectX?
johnb6767,
It is "svchost.exe", that is indeed a typo. I would normally only use Avast, however this isn't my computer and the owner already had AVG installed. I threw Avast on simultaneously just as another scan function to hit it with. I ran AVG, Avast, MBAM and McAfee Stinger just to see which program found what. Plan to remove AVG this afternoon.
Thanks to everyone for all of your input, I will post an update post-ComboFix.
I understand that pulling the drive out is a daunting task. However, in terms of your time, pulling the drive out will take 20 minutes. Scanning will take who knows how long (but it does not matter because you can go to dinner or a movie). Putting it together will take 20 minutes.
In the grand scheme of things, I find it easier to pull and scan versus trying 30 different programs and web fixes to solve a problem that is most likely a root kit infection.
In the grand scheme of things, I find it easier to pull and scan versus trying 30 different programs and web fixes to solve a problem that is most likely a root kit infection.
My only reservation is that this machine is configured with a mirrored array. How would I use this method considering this?
If I pull/scan the Master drive in the RAID array, will the Slave drive mirror the newly cleaned Master, or will I need to pull/scan both drives?
If I pull/scan the Master drive in the RAID array, will the Slave drive mirror the newly cleaned Master, or will I need to pull/scan both drives?
"O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1
Nothing to reinstall here. It isnt DirectX. Services arent supposed to run from a TEMP location.....
"O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing) G
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)"
Only check them from HJT if the files REALLY dont exist.
Same for the other services in HJT. If you did, I would restore from backup and make sure the files really do not exist.
Whast the result of TDSSKILLER?
Nothing to reinstall here. It isnt DirectX. Services arent supposed to run from a TEMP location.....
"O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing) G
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)"
Only check them from HJT if the files REALLY dont exist.
Same for the other services in HJT. If you did, I would restore from backup and make sure the files really do not exist.
Whast the result of TDSSKILLER?
Running ComboFix right now, TDSSKiller to follow.
FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly.
FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly.
TDSS Often finds an MBR infection, that others dont. Personally, I dont find combofix to be that effective any more.
Most Malwares, if not MBR based, reside in a handful of locations...
All users\Application Data
%appdata%\
Shell:local appdata
%TEMP%
They reside either as a randomly named folder, or file with a recently modified date. They also have no MFGR signature.
Autoruns is extremely effective at identifying these threats, by thier startup locations. Chances are if you dont see an obvious startup location by a malware/virus, its a Rootkit, and TDSSKiller should find it....
There are also a few startup locations that Autoruns DONT search, but those are more rare.
Most Malwares, if not MBR based, reside in a handful of locations...
All users\Application Data
%appdata%\
Shell:local appdata
%TEMP%
They reside either as a randomly named folder, or file with a recently modified date. They also have no MFGR signature.
Autoruns is extremely effective at identifying these threats, by thier startup locations. Chances are if you dont see an obvious startup location by a malware/virus, its a Rootkit, and TDSSKiller should find it....
There are also a few startup locations that Autoruns DONT search, but those are more rare.
Can we look at the ComboFix log?
ComboFix is a good scanner... though it doesn't remove all bad files in its first run we can remove/replace files with its script function which makes it much better than most scanners. CF even fixes mbr infections that it's updated to.
"Are the Winlogon files something I could copy from an install disc?"
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
The above entries are bad.... they are trojan.koblu's leftover reg entries/values pointing to a bad dll that no longer exist. Fixing those entries in hijackthis is all that's needed.
"How about the DX9 files, would I need to reinstall DirectX?"
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1
No you don't need to reinstall DirectX. The above service is an installation component related to the DirectX installation process of Roxio which doesn't always correctly remove itself after installation.
Legit but not necessary and the file is already gone....fixing the entry in Hijackthis will disable that service.
ComboFix is a good scanner... though it doesn't remove all bad files in its first run we can remove/replace files with its script function which makes it much better than most scanners. CF even fixes mbr infections that it's updated to.
"Are the Winlogon files something I could copy from an install disc?"
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
The above entries are bad.... they are trojan.koblu's leftover reg entries/values pointing to a bad dll that no longer exist. Fixing those entries in hijackthis is all that's needed.
"How about the DX9 files, would I need to reinstall DirectX?"
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1
No you don't need to reinstall DirectX. The above service is an installation component related to the DirectX installation process of Roxio which doesn't always correctly remove itself after installation.
Legit but not necessary and the file is already gone....fixing the entry in Hijackthis will disable that service.
"FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly."
A hook in sptd could very well be false positive, that service/driver would be related to your CD emulator. Often times it's a good idea to run DeFogger tool first -- a tool to disable all CD Emulator drivers and autostart entries so it doesn't interfer with rootkit scans.
It's midnight so got to go... I'll check back tomorrow.
A hook in sptd could very well be false positive, that service/driver would be related to your CD emulator. Often times it's a good idea to run DeFogger tool first -- a tool to disable all CD Emulator drivers and autostart entries so it doesn't interfer with rootkit scans.
It's midnight so got to go... I'll check back tomorrow.
Ran ComoboFix, still had problems after reboot with svchost.exe trying to contact random URL's.
Then ran TDSSKILLER and that seems to have done the trick.
I've attached both CF/TDSS logs and a new HijackThis log created just moments ago.
hijackthis.log ComboFix.txt TDSSKiller.2.5.1.0-17.05.2011-10.txt
Then ran TDSSKILLER and that seems to have done the trick.
I've attached both CF/TDSS logs and a new HijackThis log created just moments ago.
hijackthis.log ComboFix.txt TDSSKiller.2.5.1.0-17.05.2011-10.txt
Premium Content
You need an Expert Office subscription to comment.Start Free Trial