Daughter's Computer Infected with new Variant, I think

Status
Not open for further replies.

Linus12

New member
Well my daughter finally complained to me about her laptop. It is definitely infected with a number of viruses, trojans, and "what nots".
System:
HP Laptop computer.
Windows XP SP2

Description of what we are facing:
  1. Background is changed to a blue screen with a message saying the virus application is out of date and a big link in the middle of the screen leading off to a site (no one has clicked it).
  2. A pop up shows up every so often claiming to be from "Microsoft Security Center", it is red (again with links leading off).
  3. A Yellow Triangle with an exclamation mark in the middle shows up every so often in the System Tray with a balloon about virus protection being out of date.
  4. A Red ball icon has appeared in the system tray, again with a balloon that pops up every so often telling us that the virus checker is out of date and we need to install an update (again from a site that we know nothing about).
  5. The Task Manager has been disabled.
  6. Using IE or Firefox is impossible. New tabs are opened automatically, sometimes IE starts on its own and attempts to load up to 20 or so tabs at once.
  7. Running in Safe Mode causes system to reboot. (We can get to the login screen and Windows starts up, but about 2-3 seconds after we get the normal background, the system turns itself off.)

What we have tried so far (and the results :sad: )
  1. Installed Spybot S&D 1.6.0.30
  2. Installed updates manually using "spybotsd_includes-2008-10-01.exe" (Attempting to download updates using the internet connection results in "unable to obtain update file" messages.)
  3. Attempted to run Spybot S&D
    Results: Spybot S&D will not load or run
  4. Installed and ran CWS.SmartKiller from "http://www.safer-networking.org/files/"
    Results: Message Box indicates "CS ...v1/v2" is not installed.
  5. Downloaded and installed HIJackThis.
    Results: Program will not run.
  6. Was able to load MSConfig and supposedly starting programs and services and unchecked as many as I felt I could that would not cause problems.
    Results: No real change
  7. Was able to install and run System Explorer by Mister Group 20008, version 1.4. I can see some of the processes, but do not necessarily know what to look for at this point.

I do have a number of other computers that do not seem to be affected at this time. I also have the ability to remove her hard drive and connect it to other systems as an "External Drive" (I did this once to make a backup when I needed to send the system in for repairs when the graphics system died on the laptop.)

I'll try almost anything at this point, and was wondering if it would make sense to attach the hard drive to another system, run Spybot S&D on it then put it back into the laptop. I know the registry won't be cleaned, but I suspect the problem files would be gone. I could then run Spybot S&D on the system which would clean up the registry (I think).

Is there a less drastic way to get rid of the things that are preventing me from running Spybot S&D?

(Of course to add insult to injury, my daughter has a term paper due on Nov 3, and if we can't fix the laptop soon, she'll have to retype the whole thing [yea right, mom and dad will end up retyping it! Not something I'm looking forward to.])

Any help would be really appreciated.

Dave
 
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly :D

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------


my daughter has a term paper due on Nov 3
We had best get moving then :)

If you can boot the infected machine and download the following then great, if not then you can download the files to a second computer and transfer them via USB/Flash drive.

----------------------------------------------------------- -----------------------------------------------------------

Step 1
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


----------------------------------------------------------- -----------------------------------------------------------
Step 2

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
 
Thanks Katana for your reply. I've done what I can and had some good results and not so good results. Here's what I was able to do:

Step 1
Due to the PC not having a network connection (it was connected but could not connect to anything that was valid) I downloaded Malwarebytes' Anti-Malware and placed it on a USB drive.
[ I also downloaded Combofix and placed it on the USB drive at the same time to save me a trip back to this computer. Yes the infected one is a laptop, but if you could see my desk, you'd understand why I want to leave the laptop in the other room :red: ]

Copied the Anti-Malware exe to the desktop and ran it from there.
It failed when it attempted to connect for an update, but the version installed was Version 1.30 (October 22, 2008).

It ran for 2 hours, 2 mins, and 59 sec and found 53 items. Below is the log file which I saved to the USB drive:
-----------------------------------------------------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

10/28/2008 12:28:18 AM
mbam-log-2008-10-28 (00-28-17).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 147807
Time elapsed: 2 hour(s), 2 minute(s), 59 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 3
Files Infected: 29

Memory Processes Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\smwin32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a0442dfa-1f7e-4dce-b75c-a90993d6e7fc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{268706f0-841c-446a-b757-8c1ef84527dc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{32fd16dc-537c-4186-9bd6-c718a308342b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32fd16dc-537c-4186-9bd6-c718a308342b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{27861bda-a645-491d-8599-dcab5969dc34} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4cf05127-d66d-4125-b2d9-15909b83842a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{475a8380-dc57-448b-8d9f-5600df0a8476} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\getsn32.msiesn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\uesiuqcr.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\uesiuqcr.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\GetPack (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\iCheck\iCheck.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\dictame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\GetPack23.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\trgtame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv934.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\getsn32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smwin32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10803.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\DominiqueS\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSdxgp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSihys.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSkrxx.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnpur.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoitu.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSwubs.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSyaqu.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmxfe.sys (Rootkit.Agent) -> Delete on reboot.

-----------------------------------------------------------------

It asked me to reboot, so I said Yes.

It took a while to reboot, but at least it looked like my internet connection was working. I say that because my anti-virus software (AVG) finally got a connection and uploaded updates to its database.

Also the background stayed the same, and neither of the two system tray icons showed up and no other pop ups showed up. So that part seemed to have gone OK.



STEP 2

Copied ComboFix.exe from USB Drive to desktop.
Stopped Anti Virus Software (AVG)
Double clicked on ComboFix.exe

Seemed to start up ok, then asked to install Microsoft Windows Recovery Console.
:oops:
Received a BSOD (Blue Screen of Death) with a STOP COLD error, but didn't catch the number (wasn't up there for very long )
The system rebooted by itself.:thud:

Upon Reboot, received another BSOD with the error Process1_initializing failed error and it shut down.:thud:

Upon turning it back on I got a STOP Error x 6something, again it flashed off very quickly (not even sure it wrote a dump file) :thud:
[note to self: set autoreboot on system stop to off next time the system is up and running]

Attempted Safe Mode reboot: Showed Windows load screen for about 3 seconds then automatic shutdown.:thud:

Attempted Last known good configuration startup: Showed Windows load screen for about 1.5 seconds, then automatic shutdown.:thud:

-----------------------------------------------------------------

I'm thinking I should not have installed the Recovery Console...but this may just be a coincidence.
Note:
I do have a Windows XP SP2 install disk that has the Recovery Console on it. I also have a bootable disc with Puppy Linux on it (Great for pulling files off of systems that won't boot.)

Both of these discs were used successfully to boot the system BEFORE I started this thread.
Ok, so now I have a system that seems to have three of the visible problems fixed, but it doesn't boot. (Hopefully the multiple reboots I performed didn't do any more damage.)

I look forward to your next set of instructions. And Again, thank you for your help!

Dave
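Reading a log like the one above by eye works for one machine, but the same lines can be triaged programmatically. The script below is an added example, not code from this thread, from Malwarebytes or from the forum's helpers: it parses the `<item> (<family>) -> <action>` lines of a Malwarebytes-style log, groups them by family and section, and pulls out what a defender wants first: the registry persistence points that were touched (the Winlogon Userinit hijack, the DisableTaskMgr policy, the extra SecurityProviders DLL), the rootkit components, the entries still marked "Delete on reboot", and the extra loader that had been appended to the Userinit value. The embedded sample is an excerpt of the log posted above; the one-line descriptions of why each registry location matters are my own and are not part of the log format.

```python
"""Triage a Malwarebytes-style detection log (added example, not thread code)."""
import ntpath
import re
from collections import Counter

# Excerpt of the log posted in this thread, trimmed to a few representative lines.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\TDSSdxgp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmxfe.sys (Rootkit.Agent) -> Delete on reboot.
"""

HEAD_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")

# Registry locations that give malware a foothold; descriptions are my own reading.
PERSISTENCE_MARKERS = {
    "\\Winlogon\\Userinit": "Winlogon Userinit hijack: extra loader runs at every logon",
    "\\Policies\\System\\DisableTaskMgr": "Task Manager disabled by policy",
    "\\SecurityProviders\\SecurityProviders": "extra security support provider DLL (loaded into lsass.exe)",
    "\\Browser Helper Objects\\": "browser helper object loaded into Internet Explorer",
}


def classify_persistence(item):
    """Return a description if the registry item is a known persistence point, else None."""
    lowered = item.lower()
    for marker, description in PERSISTENCE_MARKERS.items():
        if marker.lower() in lowered:
            return description
    return None


def parse_log(text):
    """Return one dict per detection line, tagged with the section it appeared in."""
    section, detections = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):            # section header such as "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        parts = line.split(" -> ")
        if section is None or len(parts) < 2:     # scan metadata or summary counts
            continue
        head = HEAD_RE.match(parts[0])
        if not head:
            continue
        detail = " -> ".join(parts[1:-1])          # "Data: x.dll" or "Bad: (...) Good: (...)"
        bad_good = BAD_GOOD_RE.search(detail)
        detections.append({
            "section": section,
            "item": head.group("item"),
            "family": head.group("family"),
            "action": parts[-1].rstrip("."),
            "bad": bad_good.group("bad") if bad_good else None,
            "good": bad_good.group("good") if bad_good else None,
            "persistence": classify_persistence(head.group("item")),
        })
    return detections


def unexpected_loaders(detections):
    """Entries in a hijacked Userinit value that are not the expected userinit.exe."""
    extra = []
    for d in detections:
        if d["bad"] is None or "Userinit" not in d["item"]:
            continue
        expected = {ntpath.basename(g.strip()).lower() for g in d["good"].split(",") if g.strip()}
        for entry in (e.strip() for e in d["bad"].split(",")):
            if entry and ntpath.basename(entry).lower() not in expected:
                extra.append(entry)
    return extra


def summarize(detections):
    """Aggregate counts and list the items that need follow-up after the scan."""
    return {
        "by_family": dict(Counter(d["family"] for d in detections)),
        "by_section": dict(Counter(d["section"] for d in detections)),
        "pending_reboot": [d["item"] for d in detections if d["action"] == "Delete on reboot"],
        "persistence": [(d["item"], d["persistence"]) for d in detections if d["persistence"]],
        "rootkit_components": [d["item"] for d in detections
                               if d["family"].startswith("Rootkit")
                               or ntpath.basename(d["item"]).upper().startswith("TDSS")],
        "unexpected_loaders": unexpected_loaders(detections),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}:")
        for entry in (value.items() if isinstance(value, dict) else value):
            print("   ", entry)
```

The "pending_reboot" and "unexpected_loaders" lists are the ones to re-check after the restart: a file still marked "Delete on reboot" that reappears, or a Userinit value that again lists anything other than userinit.exe, means the cleanup did not hold.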
 
I also have a bootable disc with Puppy Linux on it (Great for pulling files off of systems that won't boot.)

That may come in handy :cool:

We need to see the contents of the following
C:\combofix.txt
C:\qoobox (entire folder)

If you can get those off the machine, please upload them to the following site
Please put them in one zip folder if you can
(if not let me know before you upload)

Please open LINK >>> THIS PAGE <<<LINK in a new window.



In the box marked Link to topic where this file was requested: please put this text
Code:
http://forums.spybot.info/showthread.php?p=247564#post247564
( highlight the contents of the code box then press CTRL+C, then go to the new page click in the Topic box and press CTRL+V )

Now click browse and navigate to the .zip file and select it

In the Largest box please put
Code:
File Requested By Katana
Logs from failed CF run
Finally click SendFile
 
Hi Katana,

Thanks again for your help.

Well again I think it is a Good News/Bad News/Good News situation.... but only you will tell ;)

Good News
I was able to boot the system using the Puppy Linux DVD and copy the c:\qoobox directory to a USB drive.

Bad News(??)
There was no c:\combofix.txt file.

Good News
I Zipped up the directory and posted it as requested. The file name I zipped the directory to is: Qoobox_post247564.zip

Hopefully you will have good news for me :)

Dave
 
Looking at the contents of Qoobox, it looks as if ComboFix barely got started on its run.

Please use your CD to boot to Recovery Console and do the following

type LISTSVC to list down all services.

Look for Services named as TDSSxxxx where x is a random letter
They will look something like these
TDSSdxgp
TDSSihys
TDSSkrxx

Note down the names of any you find.
Then for each service name, run the command ...

DISABLE TDSSxxxx ..

When they have all been disabled, type Exit
Hopefully, your machine should reboot normally
 
Please Sir, :D:

Could you also upload these folders as well
C:\ComboFix\
C:\Windows\ERDNT\HIV-BACKUP\
 
:sick: That's how I feel right now.

I am able to boot with the windows install disk, but it is not working as it did before.

Now I am able to get to the Windows installation selection menu, I select the C: drive (the E: drive is HP's "image restore drive" that restores the system back to the "factory out of the box got to update everything and delete all the garbage crapware" system).

I am able to type LISTSVC and one page is displayed with a message at the bottom of the screen, then the system powers down.

If I don't type LISTSVC quickly, the system powers down.

Sounds like something is getting loaded into memory (????).

Please, please, please tell me all is not lost....

Dave

P.S. I have to go and get my son from school right now, I'll be back in about an hour
 
If you are booting from the install disc, then it is not malware that is causing the problem.
It may be that something is overheating and causing the crash.
Try leaving the laptop switched off until it cools down completely, and if you have a fan then use it when you turn it back on.
 
Hi Again Katana,

Thanks for being so patient with me....

I am uploading the second set of files requested ComboFix and Hiv-Backup as I type this. About 21 MB in size.

I took a can of air and blew out the dust bunnies from the fan and restarted the machine. (at least now it looks like the fan is turning, don't know about before.)

Only one TDSS file (instructions from post #6) was shown: TDSSserve.sys
I used the Disable command on it.

Now however, every type of reboot to windows results in a BSOD with error:
Process1_Initialization_Failed with a Boot Error Code of x0000006b (hopefully got the right number of zeros in front there.)

Same for normal and safe mode.

Was able to boot to Linux and stored off the above files as requested.

Just informed that the upload of the zip file failed. File was probably too big so I split it into 10MB size there are now three parts to the file (Split was performed using WinZip.)

Now it looks like 10MB is also too big... :pullinghair:

Are there any specific files you need from the directories? ComboFix is about 20MB and Hiv-Backup is about 35MB.

Dave
 
Hiv-Backup is the most important, but just let me check with the developer.
 
I await your reply on the files to send.

In the meantime, should I attempt a Repair Install of Windows to get past the Process1_Initialization_Failed BSOD problem? or did I disable the wrong TDSSxxxx file when I disabled TDSSserve.sys?

I humbly await your reply.
 
Sorry for the delay, I fell asleep :red:
The TDSSxxxx you disabled was correct, unfortunately this piece of dross is fairly new and doesn't like being removed.
Please don't do a repair install yet, we may still be able to save it.
If you can upload the following files, sUBs (the developer) should be able to tell what happened.

ComboFix/CF-RC.txt
ComboFix/ForeignC00
ComboFix/ForeignA.dat
ComboFix/Foreign.dat
ComboFix/CregC_.dat
ComboFix/CregC.dat
Hiv-backup/system
Windir.dat


zip them all into one folder again please.

Oh, and thank you for your patience :)
 
Sleep??? Sleep??? How could you possibly Sleep at a time like this?????

<BIG GRIN>

I understand completely. I help on other boards with other kinds of problems and it is all volunteer. All you will probably get out of this is my undying gratitude (unless you prefer chocolates). LOL

Anyway.... I have uploaded the files requested in Post 13. It Worked!
The file name is: ComboFix_Post247564_13.zip

There might be a few "extra files" ones with names close to the ones you requested. They were small so I just grabbed them all.


AND.... I was able to store off a copy of my daughter's paper onto the USB drive. So at least she can work on the "family" computer and get that done before it is due. (of course she can't listen to her music because that is still on the one with the problem.)

Thank you again, and to sUBs for going the extra mile with this one.

Dave

P.S. I wasn't kidding about the chocolates, (When this is all fixed!) :D:
 
Linus12, I need you to check out something for me.

Please boot to the Recovery Console.
At the command prompt, type each of the numbered lines of commands.

1) CD C:\Windows\System32

2) DIR ntdll.dll*
2008-04-14 05:41 706,048 ntdll.dll
2008-04-14 05:41 706,048 ntdll.dll.vir
At this juncture, if you see something like the above, go to Step #4
If you see just a solitary line like below, go to Step #3
2008-04-14 05:41 706,048 ntdll.dll.vir

3) COPY ntdll.dll.vir ntdll.dll

4) EXIT

Kindly let us know if that allows you to boot into Windows
 
Hi sUBs (and Kantana)

You hit the dll on the head. the ntdll.dll was missing!

While the dates and sizes were slightly different, I copied the "ntdll.dll.vir" version to ntdll.dll and I have successfully rebooted into windows. :2thumb:

Chkdsk attempted to run, but I canceled it for now.

At this point the system is up, with my normal background, and "extra" items in the system tray. However it doesn't look like ComboFix is running.

I await your next commands :bow: :bow:
 
NTDLL.dll is a critical System file. ComboFix attacked it because it detected something amiss with the file.

I would like a closer peek at the file. Please upload that copy of NTDLL.dll to this website > http://www.bleepingcomputer.com/submit-malware.php?channel=4

Do not run ComboFix again as it shall attack the same NTDLL.dll. Well, not unless you download the latest version of ComboFix, to which I have just added another safety check.
 
Ok, will do. But I need to run and pick my daughter up from school. I'll be back in about 2 hours maybe 2 1/2 hours. Thanks for the quick response. I'll upload as soon as I get back.

I understand if you want to get some sleep or have better things to do than wait around for me right now.

Thank you again,

Dave
 
C:\WINDOWS\system32\av.dat
C:\WINDOWS\system32\TDSSmtpe.dat

The above are malware files that need to be deleted. You can do that manually. They won't resist deletion.
 
Hi sUBs,

I've uploaded the ntdll.dll file as requested in Post #17.

I will delete the two files as requested, I assume by your comment about them "not resisting" that I can do this in windows?

Should I download an updated version of CF to run? or wait for you to finish looking at ntdll.dll ?

I assume that Katana will want to continue the removal process once this gets sorted out.

Thanks again,
Dave

P.S. Sorry for the delay, but my daughter wanted to go look for a Halloween costume. Even though she already had one picked out! :hair: Oh the joys of being a parent of a 14 year old! :D: I do love her dearly....
 