quixys asked:

Complications from XP Security 2011 Virus

Hello,

I'm working on a PC that was infected by XP Security 2011, and went through the "normal" steps to remove the infection. I have done the same on several other PCs infected by this virus, but this time it seems to have gotten a bit more advanced.

First, I logged on in Safe Mode under the Administrator account, used a registry fix file to allow .exe files to run, ran a renamed rKill, then updated and ran a full Malwarebytes scan. Removed the selected items with Malwarebytes, rebooted in normal Windows mode, and repeated the process on the user account.

So, no more popups now from the fake Security Center, but there are a few lingering complications that I can't figure out. First, Avast keeps popping up a "Malicious URL Blocked" originating from C:\WINDOWS\System32\svchosts.exe; the URL it's directing to varies each time the popup is launched. Second, IE is still semi-hijacked: it keeps redirecting when clicking links from Google, and will not allow access to Microsoft Update. I am not able to turn on Automatic Updates either.

HijackThis log is attached (hijackthis.log).
Tags: Anti-Virus Apps, OS Security

Dave Baldwin:

I would run ComboFix from Bleeping Computer: http://www.bleepingcomputer.com/download/anti-virus/combofix  It seems to find and fix things others miss.
warbringer:

You have a rootkit infection.

Download Avira's free version and install it on a computer that you can take apart. Take the hard drive out of the infected computer and install it into the computer you put Avira on. Boot up on your "take apart PC" operating system and make sure the infected hard drive shows up in Windows Explorer. Right-click on the infected hard drive and run a full Avira scan. It will find the rootkit and eliminate it. That will solve the problem.
younghv:

You will have to define what you mean by "normal" - normally, Safe Mode scans are not recommended.

Where did you get the instructions for removing this virus?

Please compare what you did with the instructions found here:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011
younghv:

You do not have to pull and slave your hard drive, but you do need to fix your registry before starting the rest of the process.

In virtually all cases, your computer can be cleaned using freely available tools - if it will boot up.
rpggamergirl (accepted solution):

[The accepted solution text is not available on this page.]
johnb6767:

Sure it is "C:\WINDOWS\System32\svchosts.exe" and not C:\WINDOWS\System32\svchost.exe? If the first one, that's a viral file.

Guess it is just a typo, as I didn't see it in the process list.

Just as an aside, you need to decide between Avast or AVG (Avast personally), as you don't want multiple AV apps running at the same time.
quixys (asker):

DaveBaldwin,

I will run a ComboFix this afternoon and post results/log.

warbringer,

I would really rather not do that, but I will keep it on the table as a last resort option, before doing a new XP Pro install.

younghv,

That is the exact tutorial I followed, although it had to be done in Safe Mode originally as I could not run anything at all, couldn't even bring up my USB drive to run the Registry Fix file. After doing it in Safe Mode under Administrator, I ran the same process in "Normal" Windows operating mode under both the Administrator account and the User account.

rpggamergirl,

I will run TDSSKiller this afternoon. Are the Winlogon files something I could copy from an install disc? How about the DX9 files, would I need to reinstall DirectX?

johnb6767,

It is "svchost.exe", that is indeed a typo. I would normally only use Avast, however this isn't my computer and the owner already had AVG installed. I threw Avast on simultaneously just as another scan function to hit it with. I ran AVG, Avast, MBAM and McAfee Stinger just to see which program found what. Plan to remove AVG this afternoon.

Thanks to everyone for all of your input, I will post an update post-ComboFix.
warbringer:

I understand that pulling the drive out is a daunting task.  However, in terms of your time, pulling the drive out will take 20 minutes.  Scanning will take who knows how long (but it does not matter because you can go to dinner or a movie).  Putting it together will take 20 minutes.

In the grand scheme of things, I find it easier to pull and scan versus trying 30 different programs and web fixes to solve a problem that is most likely a root kit infection.
quixys (asker):

My only reservation is that this machine is configured with a mirrored array. How would I use this method considering this?

If I pull/scan the Master drive in the RAID array, will the Slave drive mirror the newly cleaned Master, or will I need to pull/scan both drives?
johnb6767:

"O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)"

Nothing to reinstall here. It isn't DirectX. Services aren't supposed to run from a TEMP location.

"O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)"

Only check them from HJT if the files REALLY don't exist.

Same for the other services in HJT. If you did, I would restore from backup and make sure the files really do not exist.

What's the result of TDSSKiller?

quixys (asker):

Running ComboFix right now, TDSSKiller to follow.

FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly.
johnb6767:

TDSS often finds an MBR infection that others don't. Personally, I don't find ComboFix to be that effective any more.

Most malware, if not MBR based, resides in a handful of locations...

All Users\Application Data
%appdata%\
Shell:local appdata
%TEMP%

It resides either as a randomly named folder or as a file with a recently modified date. It also has no manufacturer signature.

Autoruns is extremely effective at identifying these threats by their startup locations. Chances are, if you don't see an obvious startup location for a malware/virus, it's a rootkit, and TDSSKiller should find it....

There are also a few startup locations that Autoruns doesn't search, but those are more rare.
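The two checks above (recently modified, unsigned files in the user-writable locations listed, and the earlier svchosts.exe vs svchost.exe question) can be scripted. The following is an added example written for this page, not code from the thread or from any of the tools named in it. It assumes PowerShell 2.0 or later run from an elevated prompt; $DaysBack, the folder list and the file extensions are starting points for triage, not a complete list of persistence locations, and "unsigned" is a lead, not a verdict.

```powershell
# Added example, not from the thread: sweep the locations johnb6767 lists for
# executables that are recently modified and carry no valid Authenticode
# signature, then apply the same test to running processes (the svchosts.exe
# vs svchost.exe point). Run from an elevated PowerShell (2.0+) prompt.
# Assumptions: $DaysBack, $Folders and $Extensions are triage defaults only.

$DaysBack   = 14
$Cutoff     = (Get-Date).AddDays(-$DaysBack)
$Extensions = '.exe', '.dll', '.scr', '.sys', '.com'

# The four locations from the post. "Shell:local appdata" is what
# GetFolderPath('LocalApplicationData') returns (Local Settings\Application Data
# on XP, AppData\Local on Vista and later). $env:ProgramData is $null on XP and
# is filtered out below.
$Folders = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
    $env:ProgramData,
    $env:APPDATA,
    [Environment]::GetFolderPath('LocalApplicationData'),
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

function Test-UnsignedBinary {
    param([string]$Path)
    # Anything other than Status 'Valid' (NotSigned, HashMismatch, UnknownError)
    # is treated as suspect; the post's "no MFGR signature" is the NotSigned case.
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    return (-not $sig -or $sig.Status -ne 'Valid')
}

function Find-SuspiciousFiles {
    param([string[]]$Roots, [datetime]$Since)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $Extensions -contains $_.Extension.ToLower() -and
                $_.LastWriteTime -gt $Since -and
                (Test-UnsignedBinary $_.FullName)
            } |
            Select-Object FullName, LastWriteTime, Length
    }
}

function Find-SuspiciousProcesses {
    # Win32_Process works on XP/PowerShell 2.0, where Get-Process has no Path.
    Get-WmiObject Win32_Process |
        Where-Object { $_.ExecutablePath } |
        ForEach-Object {
            $exe  = $_.ExecutablePath
            $name = $_.Name.ToLower()
            # Real svchost.exe: exact name, lives in System32 (or SysWOW64 on
            # x64). A near-miss name (svchosts.exe, scvhost.exe) or another
            # directory is the tell.
            $lookalike = ($name -match '^s[cv]{2}host' -and $name -ne 'svchost.exe') -or
                         ($name -eq 'svchost.exe' -and
                          $exe -notlike "$env:SystemRoot\System32\*" -and
                          $exe -notlike "$env:SystemRoot\SysWOW64\*")
            if ($lookalike -or (Test-UnsignedBinary $exe)) {
                New-Object PSObject -Property @{
                    PID       = $_.ProcessId
                    Name      = $_.Name
                    Path      = $exe
                    Lookalike = $lookalike
                }
            }
        }
}

Find-SuspiciousFiles -Roots $Folders -Since $Cutoff | Format-Table -AutoSize
Find-SuspiciousProcesses | Format-Table PID, Name, Lookalike, Path -AutoSize
```

Expect legitimate unsigned software (updaters, Java caches, portable apps) to show up in the file sweep; the value is the short list to look at by hand, with Autoruns, rather than a scanner verdict. The process check is the quick answer to "is it really svchost.exe?": an exact name in System32 with a Microsoft signature passes, anything else gets listed.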
rpggamergirl:

Can we look at the ComboFix log?
ComboFix is a good scanner... though it doesn't remove all bad files in its first run, we can remove/replace files with its script function, which makes it much better than most scanners. CF even fixes MBR infections that it has been updated for.

"Are the Winlogon files something I could copy from an install disc?"

O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)

The above entries are bad.... they are Trojan.Koblu's leftover registry entries/values pointing to a bad DLL that no longer exists. Fixing those entries in HijackThis is all that's needed.

"How about the DX9 files, would I need to reinstall DirectX?"

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

No, you don't need to reinstall DirectX. The above service is an installation component related to the DirectX installation process of Roxio, which doesn't always correctly remove itself after installation.
Legit but not necessary, and the file is already gone.... fixing the entry in HijackThis will disable that service.
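The two HijackThis findings discussed above (an O23 service pointing into a Temp folder with its file missing, and O20 Winlogon Notify packages whose DLL is gone) can be reproduced straight from the registry, which is useful for confirming that the files really do not exist before fixing the entries, as johnb6767 advises. The script below is an added example for this page, not code from HijackThis, Autoruns or the thread. It assumes PowerShell 2.0 or later run elevated on the machine being examined; the Winlogon Notify key exists on XP and is absent on Vista and later, which the script handles.

```powershell
# Added example, not from the thread: list services whose image path resolves
# into a Temp directory or to a file that does not exist (HJT's O23 lines),
# and Winlogon Notify packages whose DllName cannot be found (HJT's O20 lines).
# Assumptions: PowerShell 2.0+, elevated; output is a triage list, since stale
# entries from uninstalled software will also appear.

function Expand-ImagePath {
    param([string]$Raw)
    # ImagePath comes in several shapes: 'C:\dir\x.exe -k args', '"C:\dir with
    # spaces\x.exe" /arg', '\??\C:\dir\x.sys', '\SystemRoot\system32\x.sys',
    # 'system32\DRIVERS\x.sys' and '%SystemRoot%\...'. Reduce all of them to an
    # absolute path with no arguments.
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        $p = ($p -split ' -| /')[0]
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousServices {
    Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { return }
        $exe     = Expand-ImagePath $props.ImagePath
        $missing = -not (Test-Path -LiteralPath $exe)
        # A service binary under any ...\Temp\... path (the DX9\SessionLauncher
        # case lives in the user's Local Settings\Temp) is never normal.
        $inTemp  = $exe -match '\\Temp\\'
        if ($missing -or $inTemp) {
            New-Object PSObject -Property @{
                Service   = $_.PSChildName
                ImagePath = $props.ImagePath
                Resolved  = $exe
                Missing   = $missing
                InTemp    = $inTemp
            }
        }
    }
}

function Get-MissingWinlogonNotify {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return }   # Notify packages were dropped after XP
    Get-ChildItem $key | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DllName
        if (-not $dll) { return }
        # A bare name like itlnfw32.dll is loaded through the normal DLL search
        # path from winlogon.exe, so System32 is where it would have to be.
        $resolved = if ($dll -match '\\') { [Environment]::ExpandEnvironmentVariables($dll) }
                    else { Join-Path (Join-Path $env:SystemRoot 'System32') $dll }
        if (-not (Test-Path -LiteralPath $resolved)) {
            New-Object PSObject -Property @{
                Package  = $_.PSChildName
                DllName  = $dll
                Resolved = $resolved
            }
        }
    }
}

Get-SuspiciousServices    | Format-Table Service, Missing, InTemp, ImagePath -AutoSize
Get-MissingWinlogonNotify | Format-Table Package, DllName, Resolved -AutoSize
```

On the machine in this thread the first table would contain SessionLauncher (Missing and InTemp both true) and the second would list itlnfw32 and itlntfy, both pointing at the absent itlnfw32.dll. That matches the advice given: with the files confirmed gone, removing the registry entries is the whole fix; an entry whose file does exist deserves a look at the file itself before anything is deleted.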
quixys (asker):

rpggamergirl,

Duh, sorry, I get it now. I will be posting CF log shortly.

rpggamergirl:

"FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly."

A hook in sptd could very well be a false positive; that service/driver would be related to your CD emulator. Often it's a good idea to run the DeFogger tool first, a tool to disable all CD emulator drivers and autostart entries so they don't interfere with rootkit scans.

It's midnight so got to go... I'll check back tomorrow.
quixys (asker):

Ran ComboFix, still had problems after reboot with svchost.exe trying to contact random URLs.

Then ran TDSSKILLER and that seems to have done the trick.

I've attached both CF/TDSS logs and a new HijackThis log created just moments ago.

Attachments: hijackthis.log, ComboFix.txt, TDSSKiller.2.5.1.0-17.05.2011-10.txt
rpggamergirl:

Yes it was TDL4 rootkit and TDSSKiller took care of it.

\HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
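TDL4 lives in the boot code of the first sector of the disk, which is why the TDSSKiller line names \HardDisk0 rather than a file. After the "cured after reboot" step, a practitioner wants to confirm the sector is sane. The script below is an added example written for this page, not part of TDSSKiller or the thread: it reads sector 0 of \\.\PhysicalDrive0 through .NET, checks the 0x55AA boot signature, parses the four partition entries, and hashes the 440-byte boot code so it can be compared with a hash recorded from a clean install of the same Windows version. Assumptions: PowerShell 2.0 or later run elevated; $KnownGoodBootCodeHash is a value you supply from a clean reference machine (no real hash is given here); on a BIOS/hardware mirror such as the asker's, Windows sees one PhysicalDrive and the controller keeps both members in step, whereas with Windows software mirroring each member is its own PhysicalDrive and both should be read.

```powershell
# Added example, not from the thread: inspect the MBR that TDSSKiller reported
# as TDL4-infected. Run elevated. $KnownGoodBootCodeHash must come from a clean
# machine with the same Windows version; it is left empty here on purpose.

$KnownGoodBootCodeHash = $null   # e.g. recorded from an identical clean install

function Read-FirstSector {
    param([string]$Device = '\\.\PhysicalDrive0')
    # Raw device reads must be sector-aligned; one 512-byte read at offset 0 is.
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
                                          [System.IO.FileAccess]::Read,
                                          [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        [void]$fs.Read($buf, 0, 512)
        return $buf
    } finally { $fs.Close() }
}

function Get-MbrInfo {
    param([byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'expected exactly 512 bytes' }
    $sigOk = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)

    # Bytes 0..439 are the boot code TDL4 replaces; the partition table (446..509)
    # is normally left intact, so a clean table says nothing about infection.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($Sector, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''

    $parts = for ($i = 0; $i -lt 4; $i++) {
        $o    = 446 + 16 * $i
        $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }            # empty slot
        New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $type)
            StartLBA = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    New-Object PSObject -Property @{
        BootSignatureOk = $sigOk
        BootCodeSha256  = $hash
        Partitions      = @($parts)
        ActiveCount     = @($parts | Where-Object { $_.Bootable }).Count
    }
}

$mbr = Get-MbrInfo (Read-FirstSector)
$mbr | Select-Object BootSignatureOk, ActiveCount, BootCodeSha256
$mbr.Partitions | Format-Table Index, Bootable, Type, StartLBA, Sectors -AutoSize
if (-not $mbr.BootSignatureOk -or $mbr.ActiveCount -ne 1) {
    Write-Warning 'MBR signature or active-partition count is off; inspect the sector by hand'
}
if ($KnownGoodBootCodeHash -and $mbr.BootCodeSha256 -ne $KnownGoodBootCodeHash) {
    Write-Warning 'boot code differs from the known-good hash; re-scan with TDSSKiller'
}
```

One caveat matters more than the parsing: a live TDL4 hooks the disk driver and hands back the original MBR to anyone who reads sector 0 from inside the infected OS, so a clean-looking hash taken before the cure proves nothing. Read the sector after TDSSKiller's reboot, from a boot CD, or from the drive slaved to another machine as warbringer suggested, and compare against a hash you recorded yourself rather than one found online.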
quixys (asker):

Thank you all for your help, it's sincerely appreciated!