
Possible trojan and rootkit infection

Hi,

I'd like to thank in advance the person who is going to help me solve the problem I am having with my computer.

I am not good at computer terms and stuff, so it would be very helpful if simple terms are used.

Last Friday, I was fooled by the Windows security scan and downloaded this fake malware removal program. My computer was immediately infected. So I went online to search for solutions. After spending more than 20 hours on researching and performing different kinds of malware scans, I think I successfully removed all of the infected files (according to the Malwarebytes and HijackThis programs). However, now everything seems to work right, but whenever I use Internet Explorer to visit a website, it redirects to another sponsor site. It happens to Firefox as well but less often.

Sparks



Sorry I don't know how to edit my last post so I made a reply instead. I added a few more details in my last post and the HJT log.

Hi,

I'd like to thank in advance the person who is going to help me solve the problem I am having with my computer.

I am not good at computer terms and stuff, so it would be very helpful if simple terms are used.

Last Friday, I was fooled by the Windows security scan and downloaded this fake malware removal program. My computer was immediately infected. So I went online to search for solutions. After spending more than 20 hours on researching and performing different kinds of malware scans, I think I successfully removed all of the infected files (according to the Malwarebytes and HijackThis programs, and also my computer is not slow anymore). However, now everything seems to work right, but whenever I use Internet Explorer to visit a website, it redirects to another sponsor site. It happens to Firefox as well but less often. I then researched solutions to this matter and found the Hitman Pro program. I used it, but to no avail. I went on and deleted all that was listed after the scan; only explorer.exe and tcpip.sys cannot be deleted, and it says that they are infected by a trojan and a rootkit respectively. Since explorer.exe looks like an important file, I am afraid of deleting it and not being able to access Windows. This is why I am here asking for help.

Sparks

Following is the HJT log after removing what I think were the infected files:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:04:56, on 2010-10-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\System32\PxSecure.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [JCFSE7V7Z1] C:\DOCUME~1\Toshi\LOCALS~1\Temp\Ajr.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE R

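The O4 lines of a HijackThis log are the registry Run entries, i.e. what starts automatically at logon, and they are the first place a reviewer looks in a log like the one above. The script below is an added example for readers working through such a log; it is not a tool from the thread and not part of HijackThis. It parses each "O4 - <hive>\..\Run: [name] command" line, separates the executable from its arguments, and attaches review hints: the program runs from a temporary directory, the entry is a bare filename with no directory (so which file actually runs depends on the search path), or the value name looks randomly generated. The sample input is five O4 lines copied from the log posted above; the flags are hints for a human reviewer, not verdicts.

```python
"""Triage the O4 (autostart) lines of a HijackThis-style log."""
import re
from pathlib import PureWindowsPath

# Five O4 lines copied from the HJT log posted in the thread (a subset, not the whole log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [JCFSE7V7Z1] C:\DOCUME~1\Toshi\LOCALS~1\Temp\Ajr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
"""

# "O4 - HKLM\..\Run: [value name] command line"; the hive may itself contain
# backslashes (HKUS\S-1-5-19), so match it lazily up to the literal "\..\Run: ".
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HJT appends "(User '...')" to per-user hive entries; it is not part of the command.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# Directory names (lower-cased, including the 8.3 short form) that mark a temp location.
TEMP_DIRS = {"temp", "tmp", "locals~1"}


def split_command(cmd):
    """Return (executable, arguments) for a Run value's command line."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def flag_entry(name, path):
    """Heuristic review hints for one autostart entry (hints, not verdicts)."""
    flags = []
    parts = [p.rstrip("\\").lower() for p in PureWindowsPath(path).parts]
    if len(parts) == 1:
        flags.append("bare_name")      # no directory: resolved via the search path
    if any(p in TEMP_DIRS for p in parts):
        flags.append("temp_path")      # launched from a temporary directory
    if (re.fullmatch(r"[A-Z0-9]{8,}", name)
            and re.search(r"\d", name) and re.search(r"[A-Z]", name)):
        flags.append("random_name")    # long upper-case letter/digit soup
    return flags


def analyze_o4(log_text):
    """Parse every O4 line in log_text into a dict with hive, name, path, args, flags."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path, args = split_command(m["cmd"])
        entries.append({
            "hive": m["hive"],
            "name": m["name"],
            "path": path,
            "args": args,
            "flags": flag_entry(m["name"], path),
        })
    return entries


if __name__ == "__main__":
    for e in analyze_o4(SAMPLE_LOG):
        marker = "REVIEW" if e["flags"] else "      "
        print(f'{marker} {e["hive"]:<15} [{e["name"]}] {e["path"]} {e["args"]} {e["flags"]}')
```

Run against the sample, the entry named JCFSE7V7Z1 is the only one carrying both the temp_path and random_name hints; soundMan is marked bare_name only because it names SOUNDMAN.EXE without a directory, and the remaining entries carry no hints.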

Hello sparks

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\system32\drivers\*.sys /90

    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


Hi Kahdah,

Thank you very much for your time and your help, and also for being very detailed in the steps!

Update:

There are some changes since my last post. I don't know what I did, but the redirecting in IE has stopped; however, Firefox is the one with the redirecting problem now. Whenever I open Firefox, the system runs extremely slowly. Besides that, as I have Hitman Pro and Prevx installed on the computer, they scan the computer as I log on to Windows. This time around Hitman Pro indicates "explore.exe, mswstr108.dll and winlogon.exe" are infected, and Prevx indicates that "winlogon.exe" is infected.

I ran the OTL as requested. The first time I ran it, it came with the OTL.txt and Extras.txt. However, because the system was running very slowly, I had to reboot the computer. As I ran it for a second time, only the OTL.txt appeared. Why is that? Is the OTL.txt alone enough?

It says my text is too long, so I will attach the files instead.

Thanks again!

OTL.Txt

Report_rootkit_unhooker.txt


Yes, it only produces one txt file if run 2 times.

It really isn't needed at this point.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    ;Filefind
    explorer.*
    winlogon.*
    explore_.*
    winlogo_.*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

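The Filefind patterns above ask SystemLook to list every file named explorer.*, winlogon.*, explore_.* or winlogo_.*; the underscore variants are there to catch renamed copies sitting next to the real explorer.exe and winlogon.exe. The script below is an added example of the same search, written for this page; it is not SystemLook and not anything posted in the thread. It walks a directory tree for the same four patterns, records size and SHA-256 for each hit, and groups files with identical contents, so a copy of the original under a different name is visible next to a modified one. The directory layout it creates is constructed for the demo (the dllcache folder mirrors where Windows XP keeps its protected copies of system files); the file contents are short stand-in byte strings, not real binaries.

```python
"""Filefind-style search with hashing: list every file matching the given patterns
under a root, then group identical contents so renamed copies stand out."""
import fnmatch
import hashlib
import os
import tempfile

# The four patterns from the SystemLook step in the thread.
PATTERNS = ["explorer.*", "winlogon.*", "explore_.*", "winlogo_.*"]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def filefind(root, patterns):
    """Return a sorted list of {path, name, size, sha256} for files matching any pattern.
    Matching is case-insensitive, as Windows filenames are."""
    hits = []
    lowered = [p.lower() for p in patterns]
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if any(fnmatch.fnmatch(fn.lower(), p) for p in lowered):
                full = os.path.join(dirpath, fn)
                hits.append({"path": full, "name": fn,
                             "size": os.path.getsize(full), "sha256": sha256_of(full)})
    return sorted(hits, key=lambda h: h["path"])


def duplicate_groups(hits):
    """Map sha256 -> list of paths for every hash that occurs more than once."""
    by_hash = {}
    for h in hits:
        by_hash.setdefault(h["sha256"], []).append(h["path"])
    return {k: v for k, v in by_hash.items() if len(v) > 1}


def build_sample_tree():
    """Create a constructed demo tree in a temp directory and return its root.
    Contents are placeholder bytes, not real executables."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    layout = {
        os.path.join("WINDOWS", "explorer.exe"): b"MODIFIED-EXPLORER",
        os.path.join("WINDOWS", "explore_.exe"): b"ORIGINAL-EXPLORER",
        os.path.join("WINDOWS", "system32", "winlogon.exe"): b"ORIGINAL-WINLOGON",
        os.path.join("WINDOWS", "system32", "dllcache", "explorer.exe"): b"ORIGINAL-EXPLORER",
        os.path.join("WINDOWS", "notepad.exe"): b"NOT-MATCHED",   # must not be listed
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    results = filefind(demo_root, PATTERNS)
    for r in results:
        print(f'{r["size"]:>8}  {r["sha256"][:16]}  {r["path"]}')
    for digest, paths in duplicate_groups(results).items():
        print(f"identical contents ({digest[:16]}):")
        for p in paths:
            print("   ", p)
```

On the constructed tree the search returns four hits (notepad.exe is skipped), and the duplicate grouping pairs WINDOWS\explore_.exe with system32\dllcache\explorer.exe, while WINDOWS\explorer.exe hashes differently; that size-and-hash view is what makes a renamed copy next to a modified file easy to spot in a real listing.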

Let's move on, shall we. :o

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Hello!!

I am so worried right now. I went to the site you suggested to download ComboFix. I disabled all programs that I was asked to disable before starting ComboFix.

When I ran ComboFix, it first told me there was a newer version and asked if I wanted to update it, so I clicked yes. Then after the update, it followed the steps in the instructions up to the point where it asks if I want ComboFix to install the Microsoft Windows Recovery Console. I clicked yes, but it didn't work, so I just left it as it was, as the ComboFix instructions say. It was auto-scanning till the "Completed Stage_50". After this, instead of ComboFix preparing the log report, there were lines saying some paths were successfully deleted, then another few lines saying

"The file explorer.exe is infected!! ......

successfully restore :)

The file winlogon.exe is infected!! ......

successfully restore :lol:"

After these lines, ComboFix never showed the lines "preparing log report, do not run any programs until ComboFix has finished". Then suddenly, the screen turned black and it started rebooting.

And now it goes into a continuous reboot. It does not want to go into the Windows login screen.

I tried safe mode and going back to the last restore point. Nothing works.

PLEASE PLEASE HELP!!! THANKS IN ADVANCE!!!!!

(p.s.: I'm replying from another computer)


I went into the F8 screen, tried every single mode and nothing works. It just reboots again and again and again....

So I can't get into any type of safe mode or do a system restore.

My friend lent me a Compaq QuickRestore System Recovery CD for Microsoft Windows XP Home SP1. I am using Windows XP SP1, but my machine is not a Compaq. I don't want to use it and lose everything on my computer.

So far I can't find anyone that has an XP CD, because everyone has a newer Windows.


Before doing this I want to ask you a few questions. I still have some files on my computer that I need, and I am afraid the computer might crash after using the Compaq CDs.

So first of all, there are 4 CDs. On the CD it says 'Only for distribution with a Compaq PC' (it sounds like if I use it on other machines, it won't work or will crash... that's only my interpretation :) )

Also, in the QuickRestore instructions, it says:

''The QuickRestore CD reformats and restores the hard drive (including the OS, drivers, and other software enhancements) of your notebook to its original factory default state. If you want to restore individual applications, drivers, or utilities (excluding the OS), use the Software Setup utility (on select models) on your hard drive by selecting Start > Software Setup''

"Caution: Restoring the notebook to its factory default state erases your personal data and software applications; the QuickRestore CD only restores factory-installed software. Back up any personal data files and applications that are on the hard drive before beginning the OS reinstallation. Restore your data files and applications when the installation is complete."

So what I understand is that if I choose the Software Setup Utility, this option should enable me to see the c:\I386 file without having to reformat or restore the computer?

(Sorry, I have never used a recovery CD; I am not sure if it's going to erase everything right away after I put the CD in the computer)

Thanks for being so patient!


Hi, no, you can X out of the autoplay menu that opens.

Just go directly to the CD drive, right click and choose Explore, on another computer.

This will allow you to see the contents. Don't put it in your computer; we are not going to recover your computer with them. I just need to know if there are a few files on the CD we can use to replace the infected ones with.

Don't run the recovery disks at all, just explore the CD.


I put the CD in and then it loads into this screen with the title "Quick Restore".

On the left side, it says: "Warning, this action will completely reformat your hard drive and destroy all users installed applications and data."

On the other side, I have multiple languages to choose from to continue.

And at the bottom right corner, there's the exit button.

I'm not sure if I should continue... feels like the QuickRestore is going to start once I choose the language...

Help?


I don't know if I will be able to find an XP CD. If I can't, does it mean the computer won't work forever?

Since my computer can't go into the Windows login screen, is it possible to use DOS to fix something without going into Windows?

How long can this thread stay inactive? I notice some threads close down because they were inactive for like 10 days. Since I have exams soon and I need some time to see if anyone I know has XP discs... if I don't come on this thread, will it close down too?


No, it does not mean it will not work forever; it just means you need a means of recovery.

There is no DOS without a CD for XP to do any of the commands to fix it, plus you will need a clean file to replace the old ones that are infected.

The disk will contain those files.

In the meantime you can get into your drive and get some files off to use by doing the following.

http://www.howtogeek.com/howto/windows-vis...ndows-computer/

Once you are into your computer, try to go to c:\qoobox\quarantine

Inside you will find the files explorer.exe.vir and winlogon.exe.vir

Try to right click on those one at a time and choose Rename.

Take the .vir off the name and then copy and paste the explorer.exe into the Windows folder and the winlogon.exe into the system32 folder.

Then see if the machine will boot.


I found the files explorer.exe.vir and winlogon.exe.vir.

But the files explorer.exe and winlogon.exe are in the Windows folder and system32 folder respectively. So should I replace these files with explorer.exe.vir and winlogon.exe.vir but without the .vir?
