TechSpot

Probable malware infection - need help

By tregan
Apr 12, 2009
  1. I think I have a malware problem. Observed symptoms:

    1) Can't edit registry or access DOS prompt. When I use the "run" option of the start menu to run "regedit" or "cmd", the only thing that happens is that the task bar disappears for 2-3 sec, and then returns. I could access these programs last week, so I don't think it's a configuration/policy issue.
    2) Can't update anti-virus program databases. The programs report a "couldn't update, make sure you're connected to the internet and try again" message.
    3) Intermittent redirection to random website. When clicking on a link (e.g. from a google search), I go to a web page that has nothing to do with what the link indicates. When I go back and retry, I usually reach the desired page. NOTE: After research, I have disabled my DNS client service on the suspect PC, and have not seen this happen since then.

    I have disconnected the PC from my home network, and have copied all important data (e.g. pictures) to the secondary hard drive and disconnected that hard drive from the motherboard. I am transferring files to/from the quarantined PC via USB memory stick.

    Since suspecting the infection, I have run the following programs to attempt to diagnose the problem. Unless otherwise noted, the program reported that it did not find any problems.
    * ClamWin (this was the only program installed at the time of infection)
    * AVG
    * TrendMicro HouseCall (it reported an infection, but terminated during its clean-up phase)
    * TrendMicro "sysclean.com" (it reported an infection, but terminated during its clean-up phase)
    * MalwareBytes Anti-Malware (it reported that I had some invalid entries in my hosts file, but I believe that these were entries entered by Spybot to redirect known bad host names to 127.0.0.1.)
    * AdAware
    * Spybot S&D
    * Avast
    * SuperAntiSpyware

    When scanning, I made sure that all the other programs were disabled before starting the scan. I understand they can sometimes interfere with each other.

    Per the forum ground rules, I have performed the requested 8-step program before posting. (hopefully I did it correctly)

    I could not confirm my java version as recommended. Every time I tried to go to the specified web page, I would be redirected to a different page. (don't recall the URL) I know that I recently removed all Java on my PC and then installed the latest version from Sun's website. (Java 6 Update 13, according to my list of installed programs)

    Thanks in advance for any help.

    ----tom
     

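The hosts-file finding above (Malwarebytes flagging entries that Spybot added) is worth separating from a hostile edit, because both look like "name -> 127.0.0.1" in the same file. The script below is an added example, not code from the thread or from any of the tools named in it. It parses a hosts file in the Windows format (%SystemRoot%\System32\drivers\etc\hosts), treats loopback/unspecified sinkholes as blocklist entries, and flags two things a responder cares about: any entry touching a security-vendor or update domain (the list of suffixes is an assumption for illustration) and any name redirected to a real address. The sample file is constructed; the Spybot block mirrors the style the post describes and the last three lines are invented to show what a hostile edit looks like.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from the original post).
# The Spybot block copies the 127.0.0.1 style the post describes; the last three
# mappings are made up to show entries that deserve attention.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0   ad.doubleclick.net   # trailing comment
# End of entries inserted by Spybot - Search & Destroy
192.0.2.45 www.google.com
127.0.0.1 update.avast.com
127.0.0.1 www.malwarebytes.org   download.malwarebytes.org
"""

# Sinkhole targets used by legitimate blocklists (Spybot, MVPS hosts and the like).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains that a blocklist has no reason to touch but update-blocking malware does.
# Assumption: illustrative list, not drawn from the post.
PROTECTED_SUFFIXES = (
    "avast.com", "avg.com", "malwarebytes.org", "trendmicro.com", "symantec.com",
    "clamwin.com", "microsoft.com", "windowsupdate.com",
)


def parse_hosts(text):
    """Return [(line_no, ip, hostname)] for every mapping in a hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))   # reject lines that are not "addr name..."
        except ValueError:
            continue
        for host in fields[1:]:                          # one address may carry several names
            entries.append((line_no, ip, host.lower().rstrip(".")))
    return entries


def classify(ip, host):
    """Label one mapping: normal, blocklist sinkhole, or one of two suspicious cases."""
    if host == "localhost":
        return "normal"
    if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "suspicious: security/update host overridden"
    if ip in SINKHOLES:
        return "blocklist: sinkholed to loopback/unspecified address"
    return "suspicious: name redirected to a real address"


def triage(text):
    """[(line_no, ip, host, verdict)] for the whole file."""
    return [(n, ip, h, classify(ip, h)) for n, ip, h in parse_hosts(text)]


def suspicious(text):
    """Only the entries a responder should look at first."""
    return [e for e in triage(text) if e[3].startswith("suspicious")]


if __name__ == "__main__":
    for line_no, ip, host, verdict in triage(SAMPLE_HOSTS):
        print(f"line {line_no:>3}: {ip:<12} {host:<28} {verdict}")
```

On the suspect XP machine the same functions can be pointed at the real file by reading %SystemRoot%\System32\drivers\etc\hosts; after editing it, run `ipconfig /flushdns` so the DNS Client service, if it is running, drops the cached copies of the old entries.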
  2. touch

    touch TS Rookie Posts: 978

    Hello tregan

    If you have paid for Norton/Symantec security, you should remove AVG8 and ClamWin from Add/Remove Programs in Control Panel.

    Reboot, attach a fresh HijackThis log, and tell me if you are still redirected to different pages.
     
  3. tregan

    tregan TS Rookie Topic Starter

    Symantec AV definition file is very old

    Hi Touch,

    I did as you requested. (de-install AVG8, de-install ClamWin, reboot, re-run HJT, and attach HJT log).

    I have not seen any instances of browser redirects since I disabled the DNS client service on the PC. (But I quarantined my PC shortly after that, so I don't think I have enough data to definitively determine whether I cleared that problem for good) I don't know if my program update failures are due to DNS cache poisoning or another technique.

    FWIW: For several years, I have not had access to updated virus definition files from Symantec. (I installed SystemWorks in 2003/2004, and did not renew after the included 1-year subscription lapsed - went to ClamWin instead) I didn't uninstall SystemWorks because I wanted to have access to the other parts of that product suite, even if I didn't use the AV scanner.

    Given the age of the definition file for Symantec, I didn't bother running a scan with it. I figured the other programs would have all the same signatures, plus more from the last few years.

    ---tom
     
  4. touch

    touch TS Rookie Posts: 978

    It sounds a bit complicated to have a program where only a part of it works; I can imagine it hogging resources and slowing systems down.

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - (no file)
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -


    Reboot, and tell me how things are running now.
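The entries ticked above share two patterns: O2 BHO lines whose DLL is gone ("(file missing)" / "(no file)") and O16 DPF lines for Java plug-in versions that are both older than the Java 6 Update 13 the poster says is installed and have no download URL behind them. The script below is an added example, not part of the thread and not HijackThis code; it parses those two log sections and gives the reason each entry is safe to fix. It assumes the installed Java version stated in the first post. The four entries copied from the log above are real; the other two lines, with placeholder CLSIDs and a placeholder URL, are constructed to show entries the triage should leave alone.

```python
import re

# Constructed HijackThis log excerpt. The two AVG/unnamed O2 lines and the two Java
# O16 lines are copied from the log quoted in this thread; the "Example" lines use
# placeholder CLSIDs and URL and exist only to show entries that must be kept.
SAMPLE_HJT = """\
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O2 - BHO: (no name) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) - http://example.com/control.cab
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$")
JAVA_RE = re.compile(r"Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)")

INSTALLED_JAVA = (1, 6, 0, 13)   # "Java 6 Update 13" as stated in the first post


def parse_hjt(text):
    """Split a log into dicts; O2/O16 lines get fields, other sections pass through."""
    items = []
    for raw in text.splitlines():
        line = raw.strip().replace("\u2013", "-")   # en dash from copy/paste -> hyphen
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            items.append({"section": "O2", "line": line, **m.groupdict()})
            continue
        m = O16_RE.match(line)
        if m:
            items.append({"section": "O16", "line": line, **m.groupdict()})
            continue
        items.append({"section": line.split(" ", 1)[0], "line": line})
    return items


def reasons(item, installed_java=INSTALLED_JAVA):
    """Why an entry is safe to tick and fix; an empty list means keep it."""
    why = []
    if item["section"] == "O2":
        path = item["path"]
        if path == "(no file)" or path.endswith("(file missing)"):
            why.append("orphaned BHO: registered DLL no longer exists")
    elif item["section"] == "O16":
        if not item["url"]:
            why.append("DPF entry with no download URL: leftover registration")
        m = JAVA_RE.search(item["name"])
        if m and tuple(int(x) for x in m.groups()) < installed_java:
            v = installed_java
            why.append(f"Java plug-in older than installed {v[0]}.{v[1]}.{v[2]}_{v[3]:02d}")
    return why


def flag(text, installed_java=INSTALLED_JAVA):
    """[(log line, [reasons])] for entries worth ticking in HijackThis."""
    out = []
    for item in parse_hjt(text):
        why = reasons(item, installed_java)
        if why:
            out.append((item["line"], why))
    return out


if __name__ == "__main__":
    for line, why in flag(SAMPLE_HJT):
        print(line)
        for r in why:
            print("   ->", r)
```

Running it on the constructed log flags exactly the four copied entries and keeps the two placeholder ones; a real log from the machine can be fed in the same way, and any section other than O2/O16 is carried through unflagged rather than guessed at.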
     
  5. tregan

    tregan TS Rookie Topic Starter

    still can't run cmd or regedit

    I ran HJT, checked the entries you specified, and told HJT to "fix" them. I then rebooted and re-ran HJT. (log attached) I still cannot run cmd or regedit. I am considering these my primary symptoms of infection. If you think there are more reliable/relevant indicators, let me know and I'll track them too.

    I put the computer online (briefly) and attempted to update some of the anti-malware software on the PC. Results:

    • Adaware: successfully updated. (ran scan - no threats found)

    • Spybot: successfully updated. (ran scan - complained that I didn't have AV protection turned on in Windows (i.e. I told Windows I would worry about keeping my AV SW up to date) - ignored)

    • Malware: App crashed upon attempt to update.

    • Avast: No idea what happened. The app didn't provide any feedback on whether the update was successful. (signature file appears dated 19-Mar-2009)
    What's the next step?

    Regarding running Symantec. I figured it wasn't taking up many resources - and (more importantly) I couldn't find a way to suppress the AV features. I wanted to retain access to the non-AV utilities, so uninstalling it wasn't an option.

    -----tom
     
  6. touch

    touch TS Rookie Posts: 978

    Next step is SDFix ->

    Download andymanchesta's SDFix http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
    and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)


    When you have done this, please boot into Safe Mode (Tap F8 during startup).
    Open the extracted folder - C:\SDFix and double-click on RunThis.bat to start the script.

    Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons.


    Open the SDFix folder on your desktop and copy and paste the contents of Report.txt
     
  7. tregan

    tregan TS Rookie Topic Starter

    mission control, we have a problem

    I did what I thought you said, but the results were different.

    > Download andymanchesta's SDFix (URL removed) and save it to your Desktop.
    > Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
    > When you have done this, please boot into Safe Mode (Tap F8 during startup).
    Open the extracted folder - C:\SDFix and double-click on RunThis.bat to start the script.

    (OK, I didn't download it to the desktop, but it seemed to extract just fine from my "downloads" directory. :) )

    All went well up to this point. But when I started the RunThis.bat script, the following happened:
    • The folder window for c:\sdfix disappeared
    • A message window popped up with the same "you are in safe mode. safe mode is intended for you to fix hardware or network problems..." message that Windows displayed when I first logged in while in safe mode.

    I didn't see any signs of a script executing, and nothing asking me to "press any key to reboot". I manually rebooted (into normal mode) to be sure, but it booted normally. (no cleanup scripts)

    FWIW, I selected "safe mode" as opposed to "safe mode with networking" or "safe mode with CLI" (or something like these).

    So was there operator error here? Or is something else going on?
     
  8. touch

    touch TS Rookie Posts: 978

    No, this message - "you are in safe mode. safe mode is intended for you to fix hardware or network problems" - is normal in safe mode.


    Please download Brute Force Uninstaller http://www.majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html
    Choose one of the Downloads servers.

    Unzip it to its own folder c:\BFU

    RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu)

    and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

    Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

    In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
    Press execute and let it do its job.

    Wait for the complete script execution box to pop up and press OK.

    click "save"

    IN "filename" enter "log.txt"

    Click "save"

    click exit to exit the BFU program.

    The log.txt will be in the C:\BFU\ folder ...

    Please attach the text from the file into your next post here

    Press exit to terminate the BFU program.
     
  9. tregan

    tregan TS Rookie Topic Starter

    ran bfu, but didn't get the logfile

    I didn't get the bfu logs. I ran the script as instructed, but it just said "done" when I ran it. I should have had the guts to click the Display Log checkbox before I ran the script - but I was worried that I'd prevent saving the logs if I did that.

    FWIW, I ran the script a second time and included the log. (probably useless, but just in case)

    After running the script, I rebooted and tried to access regedit and cmd - still no love there. (no change in system behavior - taskbar disappears for a few seconds, then reappears) I then ran an HJT scan and have attached the log. Not sure if it's useful, but I figured you can ignore it if you don't need it.

    I'm operating on the expectation that once I perform the instructions, there is no risk/harm in rebooting the computer and testing/scanning on my own. (disconnected from the internet, of course) If this is a problem/risk, let me know and I'll stop.

    -----tom
     
  10. touch

    touch TS Rookie Posts: 978

    Ok. Then I'll suggest you check for (possibly) corrupted system files -
    Start-Run, then type:

    sfc /scannow

    note space between the c and /
    Have XP CD in your drive.

    Hit Enter
     