Aggressive, unremovable rootkit infection

Solved
By videoart
Dec 17, 2011
  1. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    This is strange.
    Are you sure you're in correct registry section?
    Is your laptop fully updated?
  2. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    In the correct section, and using SP2.
  3. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Let me ask tool creator.
    It may be a while...
  4. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Any word from tool creator?
  5. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Oh yeah, sorry about it.
    .
    Post new FSS log.
  6. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Farbar Service Scanner
    Ran by Chris Wright (administrator) on 23-12-2011 at 21:01:34
    Microsoft Windows XP Professional Service Pack 2 (X86)
    ********************************************************

    Internet Services:
    =================
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Nsi Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open Nsi registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open Nsi registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open Nsi registry key. The service key does not exist.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.


    Connection Status:
    =================
    Localhost is blocked.
    There is no connection to network.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors


    Windows Firewall:
    ================
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    Firewall Disabled Policy:
    ========================


    System Restore:
    ==============

    System Restore Disabled Policy:
    ==============================


    File Check:
    ==========
    C:\WINDOWS\system32\dhcpcsvc.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE

    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

    C:\WINDOWS\system32\ipnathlp.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

    C:\WINDOWS\system32\netman.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0197632 ____A (Microsoft Corporation) 3516D8A18B36784B1005B950B84232E1

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2010-11-30 15:29] - [2004-08-03 16:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\srsvc.dll
    [2010-11-30 15:31] - [2004-08-03 16:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

    C:\WINDOWS\system32\Drivers\sr.sys
    [2010-11-30 15:31] - [2004-08-03 15:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

    C:\WINDOWS\system32\svchost.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233

    C:\WINDOWS\system32\services.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


    **** End of log ****
  7. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Go Start>Run (Start search in Vista and 7), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    At Command Prompt, type in:
    netsh int ip reset reset.log
    Hit Enter.
    Type in:
    netsh winsock reset catalog
    Hit Enter.

    Apply Fixit from: http://support.microsoft.com/kb/811259/en-us

    Restart computer.
    NOTE for Windows XP users. You may need to apply manual fix from the above link.
  8. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Entered the commands and applied the FixIt. No luck. Error 720 again.
  9. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Of note may be the fact my 1394 Connection reads as Connected in Network Connections, even after unplugging the USB modem.
  10. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    ...
  11. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Manually input the Winsock command, and still no luck after restart. Error 720.
  12. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Let's try to uninstall/reinstall TCP/IP stack.

    1. Download winsock.zip
    Unzip it.
    Right click on Winsock.reg, click "Merge".
    Allow registry merge.

    2. Restart computer.

    3. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install a popup window opens.
    • Select Protocol from the list and then click Add.
    • A new window opens, click Have Disk....
    • In the browse... box type c:\windows\inf
    • Click OK.
    • Select Internet Protocol (TCP/IP), and then click OK.
    • Restart and check the connection.
  13. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    I receive this message:

    "Cannot import C:\Documents and Settings\Chris Wright\Desktop\Winsock.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."
     
  14. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    My fault. Incorrect file.
    I edited it.
    Delete yours and download new one from the very same link.
  15. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Success in getting a net connection! What should my next step be--the ESET scan?
  16. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    WOW! I was losing hope :)

    If you completed both steps from my reply #18, go ahead withe Eset.
  17. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Running the Java Update, I get the following sequence of alerts:

    bin\jqs.exe: Old File not found. Hoever, a file of the same name was found. No update done since file contents do not match.

    Java(TM) Update fails to apply changes to your system.

    Error 1722.There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

    Installation Failed

    The wizard was interrupted before Java(TM) 6 Update 30 could be completely installed. To complete installation at another time, please run setup again.
  18. Broni

    Broni Malware Annihilator Posts: 45,217   +243

  19. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Java updated, Eset run, here's the 1 file it found:

    C:\Documents and Settings\Chris\My Documents\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined

    Everything's running smooth and glitch free now.
  20. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.

    [​IMG]
  21. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    You have my deepest gratitude--your help has been invaluable!

    My PC is running like a champ, and I've saved your recommendations to a .txt file so I can keep things running smooth and virus-free...

    Be well and I hope you've had a wonderful Christmas!
    Chris
  22. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Way to go!! [​IMG]
    Good luck and stay safe :)


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.