Complications from XP Security 2011 Virus

quixys
Hello,

I'm working on a PC that was infected by XP Security 2011, and went through the "normal" steps to remove the infection. I have done the same on several other PCs infected by this virus, but this time it seems to have gotten a bit more advanced.

First, I logged on in Safe Mode under the Administrator account, used Registry fix file to allow .Exe's to run, ran renamed rKill, then updated and ran Malwarebytes full scan. Removed selected with Malwarebytes, rebooted in Normal Windows mode, repeated process on User Account.

So, no more popups now from the fake Security Center, but there are a few lingering complications that I can't figure out. First, Avast keeps popping a "Malicious URL Blocked", originating from C:\WINDOWS\System32\svchosts.exe, the URL it's directing to varies each time the pop up is launched. Second, IE is still semi-hijacked, it keeps redirecting when clicking links from Google, and will not allow access to Microsoft Update. I am not able to turn on Automatic Updates either.

HijackThis log is attached. hijackthis.log
Dave Baldwin, Fixer of Problems
Most Valuable Expert 2014

Commented:
I would run Combofix from Bleeping Computer: http://www.bleepingcomputer.com/download/anti-virus/combofix. It seems to find and fix things others miss.
You have a root kit infection.

Download Avira's free version and install it on a computer that you can take apart. Take the hard drive out of the infected computer and install it into the computer you put Avira on. Boot up on your "take-apart PC" operating system and make sure the infected hard drive shows up in your Windows Explorer. Right-click on the infected hard drive and run a full Avira scan. It will find the root kit and eliminate it. That will solve the problem.
Author of the Year 2011
Top Expert 2006

Commented:
You will have to define what you mean by "normal" - normally, Safe Mode scans are not recommended.

Where did you get the instructions for removing this virus?

Please compare what you did with the instructions found here:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011
Author of the Year 2011
Top Expert 2006

Commented:
You do not have to pull and slave your hard drive, but you do need to fix your registry before starting the rest of the process.

In virtually all cases, your computer can be cleaned using freely available tools - if it will boot up.
Top Expert 2007
Commented:
The above suggestions are good; also show us the logfile if using ComboFix.

Fix these 3 entries in hijackthis:

O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing) G
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)



If the problem persists, use TDSSKiller mentioned in this article:
“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
Most Valuable Expert 2011
Top Expert 2011

Commented:
Sure it is "C:\WINDOWS\System32\svchosts.exe", and not C:\WINDOWS\System32\svchost.exe? If the first one, that's a viral file.....

Guess it is just a typo, as I didn't see it in the process list....

Just as an aside, you need to decide between Avast or AVG (Avast personally), as you don't want multiple AV apps running at the same time....

Author

Commented:
DaveBaldwin,

I will run a ComboFix this afternoon and post results/log.

warbringer,

I would really rather not do that, but I will keep it on the table as a last resort option, before doing a new XP Pro install.

younghv,

That is the exact tutorial I followed, although it had to be done in Safe Mode originally as I could not run anything at all, couldn't even bring up my USB drive to run the Registry Fix file. After doing it in Safe Mode under Administrator, I ran the same process in "Normal" Windows operating mode under both the Administrator account and the User account.

rpggamergirl,

I will run TDSSKiller this afternoon. Are the Winlogon files something I could copy from an install disc? How about the DX9 files, would I need to reinstall DirectX?

johnb6767,

It is "svchost.exe", that is indeed a typo. I would normally only use Avast, however this isn't my computer and the owner already had AVG installed. I threw Avast on simultaneously just as another scan function to hit it with. I ran AVG, Avast, MBAM and McAfee Stinger just to see which program found what. Plan to remove AVG this afternoon.

Thanks to everyone for all of your input, I will post an update post-ComboFix.
I understand that pulling the drive out is a daunting task. However, in terms of your time, pulling the drive out will take 20 minutes. Scanning will take who knows how long (but it does not matter because you can go to dinner or a movie). Putting it together will take 20 minutes.

In the grand scheme of things, I find it easier to pull and scan versus trying 30 different programs and web fixes to solve a problem that is most likely a root kit infection.

Author

Commented:
My only reservation is that this machine is configured with a mirrored array. How would I use this method considering this?

If I pull/scan the Master drive in the RAID array, will the Slave drive mirror the newly cleaned Master, or will I need to pull/scan both drives?
Most Valuable Expert 2011
Top Expert 2011

Commented:
"O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)"

Nothing to reinstall here. It isn't DirectX. Services aren't supposed to run from a TEMP location.....

"O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing) G
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)"

Only check them from HJT if the files REALLY don't exist.

Same for the other services in HJT. If you did, I would restore from backup and make sure the files really do not exist.

What's the result of TDSSKILLER?


Author

Commented:
Running ComboFix right now, TDSSKiller to follow.

FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly.
Most Valuable Expert 2011
Top Expert 2011

Commented:
TDSS often finds an MBR infection that others don't. Personally, I don't find ComboFix to be that effective any more.

Most malware, if not MBR based, resides in a handful of locations...

All users\Application Data
%appdata%\
Shell:local appdata
%TEMP%

They reside either as a randomly named folder, or a file with a recently modified date. They also have no MFGR signature.

Autoruns is extremely effective at identifying these threats by their startup locations. Chances are if you don't see an obvious startup location by a malware/virus, it's a rootkit, and TDSSKiller should find it....

There are also a few startup locations that Autoruns DOESN'T search, but those are more rare.
Top Expert 2007

Commented:
Can we look at the ComboFix log?
ComboFix is a good scanner... though it doesn't remove all bad files in its first run we can remove/replace files with its script function which makes it much better than most scanners. CF even fixes mbr infections that it's updated to.

"Are the Winlogon files something I could copy from an install disc?"

O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)  
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)

The above entries are bad.... they are trojan.koblu's leftover reg entries/values pointing to a bad dll that no longer exists. Fixing those entries in HijackThis is all that's needed.

"How about the DX9 files, would I need to reinstall DirectX?"

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

No you don't need to reinstall DirectX. The above service is an installation component related to the DirectX installation process of Roxio which doesn't always correctly remove itself after installation.
Legit but not necessary and the file is already gone....fixing the entry in Hijackthis will disable that service.
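As an added, defender-side illustration of the triage johnb6767 and rpggamergirl describe above (this is example code written for this page, not anything from the thread or from HijackThis itself): a small Python parser that reads HijackThis-style lines constructed from the entries quoted in the thread and flags orphaned O20/O23 entries and any service launching from a TEMP path. The names `Entry`, `parse_hjt` and `triage` are chosen here, and the avast! and ctfmon lines are invented benign controls.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample HijackThis lines modelled on the entries quoted in this thread;
# the avast! and ctfmon lines are invented benign controls, not from the poster's log.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\sysop\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)  # first drive-letter path
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)                   # a Temp/Tmp path segment

@dataclass
class Entry:
    code: str            # HijackThis section, e.g. "O20", "O23"
    raw: str             # the original log line
    path: Optional[str]  # first drive-letter path to an exe/dll/sys, if any
    file_missing: bool   # HijackThis could not find the referenced file

def parse_hjt(text: str) -> List[Entry]:
    """Turn 'Oxx - ...' lines into Entry objects; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(O\d+) - ", line)
        if not m:
            continue
        path = PATH_RE.search(line)
        entries.append(Entry(m.group(1), line, path.group(0) if path else None,
                             "(file missing)" in line.lower()))
    return entries

def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs worth a look: a service launching from TEMP is suspect on
    its own; orphaned O20/O23 entries may be fixed only once the file is confirmed absent."""
    findings = []
    for e in entries:
        reasons = []
        if e.code == "O23" and e.path and TEMP_RE.search(e.path):
            reasons.append("service launches from a TEMP location")
        if e.code in ("O20", "O23") and e.file_missing:
            reasons.append("orphaned entry; fix only after confirming the file is really gone")
        if reasons:
            findings.append((e.raw, "; ".join(reasons)))
    return findings
```

Running `triage(parse_hjt(SAMPLE_LOG))` flags the two Winlogon Notify lines and the SessionLauncher service, and leaves the benign avast! and ctfmon entries alone.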

Author

Commented:
rpggamergirl,

Duh, sorry, I get it now. I will be posting CF log shortly.

Top Expert 2007

Commented:
"FYI, ComboFix did detect rootkit activity in sptd service, requiring reboot right now, results shortly."

A hook in sptd could very well be a false positive; that service/driver would be related to your CD emulator. Oftentimes it's a good idea to run the DeFogger tool first -- a tool to disable all CD emulator drivers and autostart entries so it doesn't interfere with rootkit scans.

It's midnight so got to go... I'll check back tomorrow.

Author

Commented:
Ran ComboFix, still had problems after reboot with svchost.exe trying to contact random URLs.

Then ran TDSSKILLER and that seems to have done the trick.

I've attached both CF/TDSS logs and a new HijackThis log created just moments ago.

hijackthis.log ComboFix.txt TDSSKiller.2.5.1.0-17.05.2011-10.txt
Top Expert 2007

Commented:
Yes it was TDL4 rootkit and TDSSKiller took care of it.

\HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

Author

Commented:
Thank you all for your help, it's sincerely appreciated!
