Solved

I have a heavily infected system that can no longer access the internet

Posted on 2012-04-04
Last Modified: 2013-11-22
We have a client machine that was heavily infected with trojans.  I ran Malwarebytes, Super anti spyware and trend micro anti virus scans, which found viruses and showed that the viruses were quarantined and removed.  However, the trend micro security console on our server continued to point to the affected client machine as problematic.  After running the virus scans, the client machine lost network connectivity and was receiving a 169 address.  I attempted to give the client machine a static IP following the scheme from our DNS server; however, even after the static IP settings were configured, the client machine was still unable to get online or connect to our network.  I attempted to run trend micro again but noticed that it would no longer start.  I decided to perform a system restore and booted in safe mode; however, after two attempts with two different restore points, I received the message: System Restore did not complete successfully.

I then booted in Windows regularly and after logging in I noticed the color scheme was similar to safe mode and the start button had the classic look to it.  However, safe mode was not displayed in the four corners of the screen.  I nonetheless ran system restore in this state and after two attempts (with 2 different restore points) I had the same problem as before: Windows reported system restore did not complete successfully.  The system restore displayed the following details:

System restore failed to extract the file (D:\Windows\$NtUninstallKB236603$\4013077249) from the restore point.  The restore point was damaged or was deleted during the restore.

I'm puzzled as to why system restore is looking to the D: drive, since our client machines have the OS loaded on the C: drive and the D: drive is reserved for the HP recovery partition for the machine.

Also, I ran a netsh int ip reset and netsh winsock reset and restarted but was still experiencing network issues.

Anyways, I am stuck and not sure how to proceed further, any help would be greatly appreciated.

Thanks.
Question by:cllocc
11 Comments

Author Comment

by:cllocc
ID: 37807209
Also, I tried running Startup Repair through F8 and it keeps reporting that there is no problem detected.
LVL 6

Accepted Solution

by:
HomerTNachoCheese earned 126 total points
ID: 37807217
Not that this is a solution that fixes the issue, but wouldn't it be a better idea to wipe out this machine and reload Windows?  If it is "heavily infected" you may not clean everything up.  Reloading would probably take longer than fixing, but at least you have pretty good confidence that the machine is clean.

Author Comment

by:cllocc
ID: 37807246
Yes, that is a good point. I was hoping there may be something I was overlooking before having to resort to system recovery, and maybe there was someone out there who might point me in the right direction.  However, if the consensus is to reformat and restore then I'll be hard pressed to go that route.
LVL 9

Assisted Solution

by:Geodash
Geodash earned 63 total points
ID: 37807307
I agree with Homer - at this time rather than taking a chance in your production environment, wipe and reload this guy. It is MUCH SAFER!
LVL 6

Assisted Solution

by:HomerTNachoCheese
HomerTNachoCheese earned 126 total points
ID: 37807327
I would be concerned with root kits.  At least try to scan for those if you can.  They may be present even after a reformat.  I am no expert in root-kits, but I think this would be a valid concern.
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 63 total points
ID: 37807355
I also agree with Homer.  But if you want to check for rootkits, please check out my article first:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

Also check out younghv's article on rogue killer.
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 62 total points
ID: 37807378
Since I do this quite often, here are some observations:

If you have everything you need then reloading is usually more time-efficient than cleaning up.  The trades are:
- is the investment in system configuration great enough that cleanup will be a real benefit?  This is true of workstations with lots of important apps with lots of tailored setups.  It's true for many home systems with unskilled users.  It isn't the case for simple configurations such as office "dumb terminal" situations.  Only you can decide.
- still, reloading often requires:
  .. finding and installing drivers.
  .. bringing the OS fully up to date
  .. installing common tools like Adobe Reader, internet security, etc.
  .. backing up data; making sure the data is "clean"; restoring the data.  Sometimes this is more time-consuming than you think it would be.  (You cannot rely on the users to tell you what to back up and you can't and don't want to use blanket backups without ending up dealing with restore problems of one kind or another).
But, it does give confidence.

Cleanup can be time consuming (certainly wall-clock time!) as the scans take hours and there can be many of them done before one is finished.  Assuring that a cleanup has been fully/reasonably successful can be tricky.  That said, I've not often been fooled - but I do it all the time.  You want to have some tests to run to reach a level of assurance.  For example, will www.windowsupdate.com work on the system?  Can you reach sites that have parasite removal tools?  Do there continue to be misdirects with the browsers?  Do there continue to be popups of strange origin?

I'm generally biased to do the cleanup because the users are going to be able to be "back in business" without a lot of their own effort.  That has value.  But, if they won't know the difference then I will be earlier motivated to rebuild.   The risks of a cleanup, which have some similarity to the risks of cloning a failing hard drive, are:
- some programs may be damaged and have to be reinstalled
- the OS may be damaged.  I would definitely run the System File Check with an OS disk in an optical drive.  You may want or need to do a Repair Install - but in truth I almost never need to do this.  Your mileage may vary.

I find that cleanups start showing improvement gradually.
Safe mode *without* a network connection is a good place to start.  Have some concern that a network connection can be a source of new problems - as well as a threat to the network.  So, I use an isolated network when I feel there's a need for a connection.  Up to some point you may want to introduce everything using CDs or DVDs - including manual signature updates.

At this stage I'd suspect a root kit.  By design they are harder to find and eradicate.  Using some drastic tools is likely in order now.  And I'd start in Safe Mode without a connection .. as above.
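As an added example (mine, not code from any poster in this thread): a read-only PowerShell triage script for the symptoms in the question (a 169.254 APIPA address that survives the netsh resets) and the assurance tests Fred Marshall describes above (browser misdirects, update sites unreachable). It assumes a Windows 7-era host, an elevated prompt and only built-in cmdlets, WMI and netsh; the list of default Winsock provider DLLs it treats as expected is my assumption.

```powershell
# Read-only triage: report the usual reasons a cleaned-up box still cannot get online.
# Nothing here changes the system; review the findings, then decide on repair vs. rebuild.
$findings = @()

# 1. APIPA (169.254.x.x) means the adapter never obtained a DHCP lease.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($nic in $nics) {
    foreach ($ip in $nic.IPAddress) {
        if ($ip -like '169.254.*') {
            $findings += "APIPA address $ip on '$($nic.Description)' (DHCP enabled: $($nic.DHCPEnabled))"
        }
    }
    # DNS servers that are not your internal resolvers point to DNS hijacking (search redirects).
    if ($nic.DNSServerSearchOrder) {
        $findings += "DNS servers on '$($nic.Description)': $($nic.DNSServerSearchOrder -join ', ')"
    }
}

# 2. hosts file: malware commonly blackholes AV vendor and Windows Update names here.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entries = Get-Content $hostsPath | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }
if ($entries) { $findings += "Active hosts entries:`n  " + ($entries -join "`n  ") }

# 3. Per-user proxy: a rogue proxy or PAC URL silently breaks browsers and update checks.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1) { $findings += "User proxy enabled: $($ie.ProxyServer)" }
if ($ie.AutoConfigURL)     { $findings += "Proxy auto-config URL set: $($ie.AutoConfigURL)" }

# 4. Winsock catalog: list providers outside the stock DLL set (assumed default list) so a
#    re-injected LSP shows up even after 'netsh winsock reset' was already run.
$defaultLsp = 'system32\\(mswsock|winrnr|napinsp|pnrpnsp|nlaapi|wshbth)\.dll'
$catalog = netsh winsock show catalog
$extra = $catalog | Where-Object { $_ -match 'Provider Path' -and $_ -notmatch $defaultLsp }
if ($extra) { $findings += "Non-default Winsock providers:`n  " + ($extra -join "`n  ") }

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No APIPA, hosts, proxy or Winsock anomalies found.' }
```

Run it with the machine isolated from the production network, as younghv advises below; a clean report here is one of the assurance tests, not proof the host is clean.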
LVL 38

Assisted Solution

by:younghv
younghv earned 124 total points
ID: 37807400
The symptoms you are describing are fairly typical of current malware infections and this can probably be repaired without the obvious "format/reinstall" decision.

If by "client" you mean that this is part of a network, the first step is to isolate (disconnect) it from your network and make sure that your corporate policy allows you to attempt a repair.

The basic steps in proper repair are contained in the EE Articles listed below. The 'rogue process stoppers' both have either menu options to repair the symptoms you describe or will auto-fix them (connectivity).

Please be sure to post all of the logs from the tools/scanners you use so that we can analyze them.


Rogue-Killer-What-a-great-name
Stop-the-Bleeding-First-Aid-for-Malware
Malware Fighting – Best Practices

You can substitute "TheKiller" for "RogueKiller" - in my experience the efficacy is quite similar.

Download TheKiller to your Desktop
http://maliprog.geekstogo.com/explorer.exe

Note that TheKiller is renamed as explorer.exe
Run it by double click
Press OK button after program finish
Do not restart your system after this step, but immediately run the next scan: MalwareBytes, TDSSKiller, ComboFix
LVL 38

Assisted Solution

by:younghv
younghv earned 124 total points
ID: 37807411
Please do not try to perform any "Safe Mode" scans with any of the automated malware tools. Windows File Protection service is NOT running and you can inadvertently delete critical system files - without the replacement being made...leading to a BSOD.

This advice is too often posted in many forums and it is always wrong.
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 62 total points
ID: 37807511
cllocc--Once you have deleted all the malware the various scans can, you might consider a Repair Install of the operating system.
This should not affect your personal data or installed programs, but it never hurts to back them up.
http://www.sevenforums.com/tutorials/3413-repair-install.html
Author Closing Comment

by:cllocc
ID: 37808557
Thanks for the excellent suggestions.  I followed the guides posted by users on this question however it seemed that even the root kit scans may not have been enough.  I was still getting a 169 address, system repair was not working, and windows was still booting up with a strange color scheme and classic start menu.

I decided that it would be much faster to reformat and recover the machine, so I backed up the user's critical files after consultation and started the HP factory recovery mode using the F11 key from the BIOS.  It was quicker than I expected and it brought the computer back to its original state with full network connectivity.  I will be reinstalling the user's required applications shortly.

One thing I definitely learned from this whole experience....these root kits sure are a nightmare to deal with.