Malware Infection on XP - can't run mbam or other security programs


5 replies to this topic

#1 rankind15

rankind15

  • Members
  • 2 posts

Posted 06 December 2008 - 08:01 PM

Hi - I found this site looking to clean my infected system. I am actually on a different computer now as my infected system (desktop - wireless) can't access security sites.

The problem started Dec 2nd, 2008. I'm running XP SP 3. The system was set up to autodownload MS updates once per day, and AV every three hours. Somehow it got infected with a nasty malware program - I'm guessing via human interaction of a family member clicking something they shouldn't have. The system has TrendMicro Internet Security 2008 running on it and had it running at the time of infection too. I've spent about 10 hours trying to clean it so far with little luck. I'd appreciate any help anyone can provide.

Symptoms:
-Running a little slow, to very slow at times, especially when downloading files. Not consistent though.

-Originally it wouldn't boot past the loading windows screen, but that has stopped now

-Trendmicro found GetModule, Adload, and Generic12.KAO but couldn't clean them. Adload and Generic aren't found anymore, and I cleaned GetModule via instructions on the TrendMicro site

-I cannot surf to any security sites (including this one) nor can I get to windowsupdate, but I can surf to msn, yahoo, etc

-tried loading AVGFree AV by downloading it to my clean laptop, burning it to CD, and then transferring it to the desktop, but it runs with errors and ends up doing nothing

-Also transferred over mbam-setup, HJTInstall, spybot, but they won't run. I click on them, get the waiting cursor for a short moment, then nothing.

-Found dihjmevt and hsfxpeqgkaukg in the startup, I've since disabled them from starting and deleted their dlls and registry entries

-/etc/hosts file is normal

-Finally opened a chat session with TrendMicro, but they couldn't help (session ID: 584407 if interested)

-TrendMicro had me turn off my system restore, and now I can't restore to a previous date as none exist anymore

-Tried gmer (www.gmer.net) but it also wouldn't execute

-Checked (known to me) registry keys for disabling my ability to run programs without any success

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

-Ran RootkitRevealer from sysinternals and found the results listed below, but can't find them in my registry to delete/modify

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\ -dated 2/25/2007
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\tdssdata -dated 12/2/2008
- HKLM\SOFTWARE\TDDS -dated 12/5/2008
- HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys -dated 12/6/2008
- HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys -dated 12/6/2008
- HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys -dated 12/6/2008

-ran ccleaner and cleaned everything found - ran every option and fixed everything it suggested with success

-ran AntiVir Removal Tool 3.0c but it didn't find anything

I've tried all of the above items in normal mode, safe mode, and safe mode with network support with no difference in results. I've also tried booting to last known good state without any luck (boots to state I used this AM). I'm a few years removed from my old sys admin days, but "back in the day" I could create an av recovery disk to boot from to clean up the disk drive without the OS running, but can't find a way to do that now when I don't have a floppy drive. Also, my laptop has vista and trend doesn't have (that I can find or the chat person knew of) a vista version to sw to make a boot cdrom

Any suggestions/help would be greatly, greatly, greatly appreciated!

Thanks,
Dave


#2 rankind15

rankind15
  • Topic Starter

  • Members
  • 2 posts

Posted 06 December 2008 - 08:21 PM

I'm still discovering more information. I did a netstat -o while booted in normal running mode, without any network connections of my own open, and found many entries all mapped to a process ID of 1512. This PID lists in my task manager as svchost.exe. In the netstat -o results, http connections are open to the following:


-All are listed as CLOSE_WAIT at the moment. I doubt the IPs or domains will help in resolving my issue, but I thought I'd include them just in case. Also, if they aren't other unsuspecting infected computers, maybe this information will be read by someone who can help add their info to security tools/scanners.

Edited by rankind15, 06 December 2008 - 08:42 PM.
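The netstat -o triage described in the post above can be scripted so the process with the most remote endpoints stands out. The following is an added example, not code from this thread or from any tool named in it; it parses the column layout Windows `netstat -ano` prints, groups remote endpoints and connection states per PID, and flags PIDs with many distinct peers. The sample netstat table, PIDs and addresses are constructed.

```python
"""Group Windows `netstat -ano` output by owning PID (added example, not from the thread)."""
from collections import Counter, defaultdict

# Constructed sample in the layout Windows `netstat -ano` prints; PIDs and
# addresses are made up and do not come from the original post.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1030      10.0.0.5:80            CLOSE_WAIT      1512
  TCP    192.168.1.10:1031      10.0.0.6:80            CLOSE_WAIT      1512
  TCP    192.168.1.10:1032      10.0.0.7:80            ESTABLISHED     1512
  TCP    192.168.1.10:1033      10.0.0.5:80            CLOSE_WAIT      1512
  TCP    192.168.1.10:1040      10.0.0.9:443           ESTABLISHED     2200
  UDP    0.0.0.0:123            *:*                                    1000
"""


def parse_netstat(text):
    """Return {pid: {"remotes": set of host:port, "states": Counter}} for TCP rows.

    UDP rows carry no State column, so their fields shift left; they are skipped
    because the thread's question is about open HTTP (TCP) connections.
    """
    by_pid = defaultdict(lambda: {"remotes": set(), "states": Counter()})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header lines, blank lines and UDP rows
        _proto, _local, remote, state, pid = fields
        by_pid[int(pid)]["remotes"].add(remote)
        by_pid[int(pid)]["states"][state] += 1
    return dict(by_pid)


def noisy_pids(by_pid, min_remotes=3):
    """PIDs talking to at least `min_remotes` distinct remote endpoints.

    A shared-service host such as svchost.exe with dozens of peers while the
    user has nothing open is the pattern worth mapping back to its services.
    """
    return sorted(pid for pid, info in by_pid.items()
                  if len(info["remotes"]) >= min_remotes)


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for pid in noisy_pids(parsed):
        print(pid, sorted(parsed[pid]["remotes"]), dict(parsed[pid]["states"]))
```

On a real machine, feed it the output of `netstat -ano` and use `tasklist /svc` to see which services live inside the flagged svchost.exe PID.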


#3 wabkia

wabkia

  • Members
  • 1 posts

Posted 16 December 2008 - 11:08 AM

I'm having the same issues. I have NEVER had problems getting rid of spyware/viruses in the past but I simply CANNOT get rid of this. You can't run HijackThis, MBAM, SAS, ComboFix. It's driving me nuts! Luckily I have everything backed up and I was able to reinstall Windows.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 32,369 posts

Posted 16 December 2008 - 01:19 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

-- If you cannot use the Internet or download any programs from your machine, you are going to need access to another computer (family member, friend, etc) with an Internet connection. Save mbam-setup.exe to a flash (usb, pen, thumb, jump) drive or CD, transfer it to the infected machine, then install and run the program. If you cannot transfer or install from the infected machine, try running the setup (installation) file directly from the flash drive or CD so it will install on the hard drive.

IMPORTANT NOTE: One or more of the identified infections (TDSSserv.sys) is related to a nasty rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 mr. u

mr. u

  • Members
  • 1 posts

Posted 04 January 2009 - 01:57 AM

After 20 years, I slipped and got infected on January 1st, 2009. Great way to start the year.

My browser was hijacked--google results went to any number of ad-based sites, instead of the proper targets. All addresses showed in the bottom status bar as "go.google.com.(tons of crap)." Trying to get to any of the anti-spyware, antivirus, computer security forums (including bleepingcomputer.com), or anything else failed. So did software updates.

Ad-aware showed nothing. F-Secure came up with nothing. AVG came up with nothing. HiJackThis showed a number of suspicious files/keys (and in fact, I'd already found suspicious processes), namely winloggn.exe, csrssc.exe, and tyshb36rfjdf.dll. Cleaned those out, and the thing still misbehaved.

Downloaded MalwareBytes Anti-Malware (MBAM), and found that the installer wouldn't actually run on my infected computer, same as the OP. Checked the file, tested it on a good computer, and then took a wild shot-in-the-dark, and renamed it to xmbam-setup.exe. That worked! The program installed, and then...

...didn't run. Same story. Found the binary (not just the desktop shortcut) and threw an x in front of the name. It ran fine at that point, and found 11 infected files. Cleaned them up (five required a reboot), and the system is now working properly. I'm rescanning it, but the browser hijacking is gone, and the machine is a LOT faster at internet access.

Good luck to anyone else with this problem. If you ever find a virus writer, make sure to hit them in the head with a shovel.

#6 jsikaras

jsikaras

  • Members
  • 1 posts

Posted 03 April 2009 - 12:20 PM

Hey Guys,

I'm new to this board, but I just wanted to pass along this information regarding this Hijacker/Malware problem that people seem to be having. I had two clients with the same exact problems above and I ran the same exact tools as everyone else in here (hijackthis/malware bytes/spybot/trend micro/symantec) and nothing seemed to work. I worked on this for 3 days and was not able to get anywhere with this so I did some research and found this one tool called Prevxcsi (www.prevx.com) and it worked like a champ... I'm not a shill for this company, but I just wanted to pass this info along to everyone because I know the frustration of dealing with this kind of crap. I hope this helps...

Thanks

jsikaras

Edited by quietman7, 05 April 2009 - 04:56 PM.
