quixys
asked on
Complications from XP Security 2011 Virus
Hello,
I'm working on a PC that was infected by XP Security 2011, and went through the "normal" steps to remove the infection. I have done the same on several other PCs infected by this virus, but this time it seems to have gotten a bit more advanced.
First, I logged on in Safe Mode under the Administrator account, used Registry fix file to allow .Exe's to run, ran renamed rKill, then updated and ran Malwarebytes full scan. Removed selected with Malwarebytes, rebooted in Normal Windows mode, repeated process on User Account.
So, no more popups now from the fake Security Center, but there are a few lingering complications that I can't figure out. First, Avast keeps popping a "Malicious URL Blocked", originating from C:\WINDOWS\System32\svchos
HijackThis log is attached. hijackthis.log
I'm working on a PC that was infected by XP Security 2011, and went through the "normal" steps to remove the infection. I have done the same on several other PCs infected by this virus, but this time it seems to have gotten a bit more advanced.
First, I logged on in Safe Mode under the Administrator account, used Registry fix file to allow .Exe's to run, ran renamed rKill, then updated and ran Malwarebytes full scan. Removed selected with Malwarebytes, rebooted in Normal Windows mode, repeated process on User Account.
So, no more popups now from the fake Security Center, but there are a few lingering complications that I can't figure out. First, Avast keeps popping a "Malicious URL Blocked", originating from C:\WINDOWS\System32\svchos
HijackThis log is attached. hijackthis.log
Last Comment
Dave Baldwin
I would run Combofix from Bleeping computer. http://www.bleepingcomputer.com/download/anti-virus/combofix It seems to find and fix things others miss.
you have a root kit infection.
download Avira's free version and install it on a computer that you can take apart. take the hard drive out of the infected computer and install it into the computer you put Avira on. Boot up on the your "Take apart PC" operating system and make sure the infected hard drive shows up in your windows explorer. right click on the infected hard drive and run a full Avira scan. it will find the root kit and eliminate it. that will solve the problem.
download Avira's free version and install it on a computer that you can take apart. take the hard drive out of the infected computer and install it into the computer you put Avira on. Boot up on the your "Take apart PC" operating system and make sure the infected hard drive shows up in your windows explorer. right click on the infected hard drive and run a full Avira scan. it will find the root kit and eliminate it. that will solve the problem.
You will have to define what you mean by "normal" - normally, Safe Mode scans are not recommended.
Where did you get the instructions for removing this virus.
Please compare what you did with the instructions found here:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011
Where did you get the instructions for removing this virus.
Please compare what you did with the instructions found here:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011
You do not have to pull and slave your hard drive, but you do need to fix your registry before starting the rest of the process.
In virtually all cases, your computer can be cleaned using freely available tools - if it will boot up.
In virtually all cases, your computer can be cleaned using freely available tools - if it will boot up.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Sure it is "C:\WINDOWS\System32\svcho
Guess it is just a typo, as I didnt see it in the process list....
Just as an aside, you need to decide between Avast or AVG (Avast personally), as you dont want multiple AV apps running at the same time....
Guess it is just a typo, as I didnt see it in the process list....
Just as an aside, you need to decide between Avast or AVG (Avast personally), as you dont want multiple AV apps running at the same time....
ASKER
DaveBaldwin,
I will run a ComboFix this afternoon and post results/log.
warbringer,
I would really rather not do that, but I will keep it on the table as a last resort option, before doing a new XP Pro install.
younghv,
That is the exact tutorial I followed, although it had to be done in Safe Mode originally as I could not run anything at all, couldn't even bring up my USB drive to run the Registry Fix file. After doing it in Safe Mode under Administrator, I ran the same process in "Normal" Windows operating mode under both the Administrator account and the User account.
rpggamergirl,
I will run TDSSKiller this afternoon. Are the Winlogon files something I could copy from an install disc? How about the DX9 files, would I need to reinstall DirectX?
johnb6767,
It is "svchost.exe", that is indeed a typo. I would normally only use Avast, however this isn't my computer and the owner already had AVG installed. I threw Avast on simultaneously just as another scan function to hit it with. I ran AVG, Avast, MBAM and McAfee Stinger just to see which program found what. Plan to remove AVG this afternoon.
Thanks to everyone for all of your input, I will post an update post-ComboFix.
I will run a ComboFix this afternoon and post results/log.
warbringer,
I would really rather not do that, but I will keep it on the table as a last resort option, before doing a new XP Pro install.
younghv,
That is the exact tutorial I followed, although it had to be done in Safe Mode originally as I could not run anything at all, couldn't even bring up my USB drive to run the Registry Fix file. After doing it in Safe Mode under Administrator, I ran the same process in "Normal" Windows operating mode under both the Administrator account and the User account.
rpggamergirl,
I will run TDSSKiller this afternoon. Are the Winlogon files something I could copy from an install disc? How about the DX9 files, would I need to reinstall DirectX?
johnb6767,
It is "svchost.exe", that is indeed a typo. I would normally only use Avast, however this isn't my computer and the owner already had AVG installed. I threw Avast on simultaneously just as another scan function to hit it with. I ran AVG, Avast, MBAM and McAfee Stinger just to see which program found what. Plan to remove AVG this afternoon.
Thanks to everyone for all of your input, I will post an update post-ComboFix.
I understand that pulling the drive out is a daunting task. However, in terms of your time, pulling the drive out will take 20 minutes. Scanning will take who knows how long (but it does not matter because you can go to dinner or a movie). Putting it together will take 20 minutes.
In the grand scheme of things, I find it easier to pull and scan versus trying 30 different programs and web fixes to solve a problem that is most likely a root kit infection.
In the grand scheme of things, I find it easier to pull and scan versus trying 30 different programs and web fixes to solve a problem that is most likely a root kit infection.
ASKER
My only reservation is that this machine is configured with a mirrored array. How would I use this method considering this?
If I pull/scan the Master drive in the RAID array, will the Slave drive mirror the newly cleaned Master, or will I need to pull/scan both drives?
If I pull/scan the Master drive in the RAID array, will the Slave drive mirror the newly cleaned Master, or will I need to pull/scan both drives?
"O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1
Nothing to reinstall here. It isnt DirectX. Services arent supposed to run from a TEMP location.....
"O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing) G
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)"
Only check them from HJT if the files REALLY dont exist.
Same for the other services in HJT. If you did, I would restore from backup and make sure the files really do not exist.
Whast the result of TDSSKILLER?
Nothing to reinstall here. It isnt DirectX. Services arent supposed to run from a TEMP location.....
"O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing) G
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)"
Only check them from HJT if the files REALLY dont exist.
Same for the other services in HJT. If you did, I would restore from backup and make sure the files really do not exist.
Whast the result of TDSSKILLER?
ASKER
Running ComboFix right now, TDSSKiller to follow.
FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly.
FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly.
TDSS Often finds an MBR infection, that others dont. Personally, I dont find combofix to be that effective any more.
Most Malwares, if not MBR based, reside in a handful of locations...
All users\Application Data
%appdata%\
Shell:local appdata
%TEMP%
They reside either as a randomly named folder, or file with a recently modified date. They also have no MFGR signature.
Autoruns is extremely effective at identifying these threats, by thier startup locations. Chances are if you dont see an obvious startup location by a malware/virus, its a Rootkit, and TDSSKiller should find it....
There are also a few startup locations that Autoruns DONT search, but those are more rare.
Most Malwares, if not MBR based, reside in a handful of locations...
All users\Application Data
%appdata%\
Shell:local appdata
%TEMP%
They reside either as a randomly named folder, or file with a recently modified date. They also have no MFGR signature.
Autoruns is extremely effective at identifying these threats, by thier startup locations. Chances are if you dont see an obvious startup location by a malware/virus, its a Rootkit, and TDSSKiller should find it....
There are also a few startup locations that Autoruns DONT search, but those are more rare.
Can we look at the ComboFix log?
ComboFix is a good scanner... though it doesn't remove all bad files in its first run we can remove/replace files with its script function which makes it much better than most scanners. CF even fixes mbr infections that it's updated to.
"Are the Winlogon files something I could copy from an install disc?"
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
The above entries are bad.... they are trojan.koblu's leftover reg entries/values pointing to a bad dll that no longer exist. Fixing those entries in hijackthis is all that's needed.
"How about the DX9 files, would I need to reinstall DirectX?"
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1
No you don't need to reinstall DirectX. The above service is an installation component related to the DirectX installation process of Roxio which doesn't always correctly remove itself after installation.
Legit but not necessary and the file is already gone....fixing the entry in Hijackthis will disable that service.
ComboFix is a good scanner... though it doesn't remove all bad files in its first run we can remove/replace files with its script function which makes it much better than most scanners. CF even fixes mbr infections that it's updated to.
"Are the Winlogon files something I could copy from an install disc?"
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
The above entries are bad.... they are trojan.koblu's leftover reg entries/values pointing to a bad dll that no longer exist. Fixing those entries in hijackthis is all that's needed.
"How about the DX9 files, would I need to reinstall DirectX?"
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1
No you don't need to reinstall DirectX. The above service is an installation component related to the DirectX installation process of Roxio which doesn't always correctly remove itself after installation.
Legit but not necessary and the file is already gone....fixing the entry in Hijackthis will disable that service.
ASKER
rpggamergirl,
Duh, sorry, I get it now. I will be posting CF log shortly.
Duh, sorry, I get it now. I will be posting CF log shortly.
"FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly."
A hook in sptd could very well be false positive, that service/driver would be related to your CD emulator. Often times it's a good idea to run DeFogger tool first -- a tool to disable all CD Emulator drivers and autostart entries so it doesn't interfer with rootkit scans.
It's midnight so got to go... I'll check back tomorrow.
A hook in sptd could very well be false positive, that service/driver would be related to your CD emulator. Often times it's a good idea to run DeFogger tool first -- a tool to disable all CD Emulator drivers and autostart entries so it doesn't interfer with rootkit scans.
It's midnight so got to go... I'll check back tomorrow.
ASKER
Ran ComoboFix, still had problems after reboot with svchost.exe trying to contact random URL's.
Then ran TDSSKILLER and that seems to have done the trick.
I've attached both CF/TDSS logs and a new HijackThis log created just moments ago.
hijackthis.log ComboFix.txt TDSSKiller.2.5.1.0-17.05.2011-10.txt
Then ran TDSSKILLER and that seems to have done the trick.
I've attached both CF/TDSS logs and a new HijackThis log created just moments ago.
hijackthis.log ComboFix.txt TDSSKiller.2.5.1.0-17.05.2011-10.txt
Yes it was TDL4 rootkit and TDSSKiller took care of it.
\HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
\HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
ASKER
Thank you all for your help, it's sincerely appreciated!
Anti-Virus Apps
Anti-virus software was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious layered service providers (LSPs), dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity theft (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets and DDoS attacks.
23K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
