  1. #1
    Special Member ★ madhatter256's Avatar
    Join Date
    Jul 2008
    Location
    CFL

    Virus sets up a proxy server... cannot fully remove it...

    Hey guys. I've worked on this client's PC (windows XP pro SP3) six times already, each with the same problem.

    AV Security Suite ends up installing itself, but the problem starts when pop-ups appear out of nowhere. They are the usual porn, ED, etc. Eventually this thing installs.

    So, I know how to remove the program manually from the registry, and where it installs itself. The problem I'm having is removing all of the networking crap the virus(es) change. I know it changes something internally with IE or Windows Script or something because I cannot run Windows Update from IE or the automatic updates. I get a DNS error.

    I ran Winsock reg fix, disabled the proxy settings via the registry, and ran Malwarebytes, ComboFix, Avira, and MS Security Essentials. After all of that a pop-up reappeared for some obscure search page shopica.com.

    Anyway, I have it running another barrage of scans overnight and I am posting the HijackThis log to see if anyone can find anything unusual:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:37:05 PM, on 7/6/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    L:\Tech Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: 127.0.0.0 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlcdnet.asus.com/pub/ASUS/mis...ex-2.2.5.0.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1278443062968
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6087.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1148171208687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148388373375
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 5934 bytes
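The log above is the kind of thing a technician reads by hand, line by line. As an added example (not from the original post or from HijackThis itself), here is a small Python triage script that parses HijackThis-format lines and applies a few defensive checks: R0/R1 entries whose URL is not one of the stock Microsoft defaults seen in the log, O1 hosts entries where `localhost` is mapped to something other than 127.0.0.1 (the posted log shows `127.0.0.0 localhost`) or where any other hostname is overridden, O4 startup items launched from user-writable scratch folders, and O10 LSP entries HijackThis could not identify. The sample log is constructed: its O1 and O10 lines mirror the posted log, the rest are made up to exercise each check, and the example.net URL and `updater.exe` path are placeholders, not indicators from the page.

```python
import re
from typing import List, Tuple

Entry = Tuple[str, str]          # (section code such as "O1", rest of the line)
Finding = Tuple[str, str, str]   # (section, entry body, reason it was flagged)

# Constructed sample in HijackThis format. The O1 and O10 lines mirror the
# posted log; the other lines are made up to exercise each check below.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.example.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 203.0.113.5 update.microsoft.com
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# Startup items that run out of user-writable scratch folders deserve a look.
SCRATCH_RE = re.compile(r"\\(temp|local settings|application data)\\", re.IGNORECASE)
# URL prefix HijackThis shows for the stock XP/IE8 defaults (taken from the posted log).
KNOWN_DEFAULT_PREFIXES = ("http://go.microsoft.com/fwlink/",)


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into (section, body) pairs; non-entry lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few defensive heuristics and return the entries worth a closer look."""
    findings: List[Finding] = []
    for section, body in entries:
        if section in ("R0", "R1"):
            # Body looks like "HKCU\...\Main,Start Page = URL"; an empty URL is just unset.
            _, _, url = body.partition("=")
            url = url.strip()
            if url and not url.lower().startswith(KNOWN_DEFAULT_PREFIXES):
                findings.append((section, body, "browser start/search URL is not a stock default"))
        elif section == "O1":
            m = HOSTS_RE.match(body)
            if not m:
                continue
            ip, host = m.groups()
            if host.lower() == "localhost":
                if ip != "127.0.0.1":
                    findings.append((section, body, "localhost does not map to 127.0.0.1"))
            else:
                findings.append((section, body, f"hosts file overrides DNS for {host}"))
        elif section == "O4":
            if SCRATCH_RE.search(body):
                findings.append((section, body, "startup item runs from a scratch folder"))
        elif section == "O10":
            findings.append((section, body, "Winsock LSP not recognised by HijackThis; verify the file's origin"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

The O10 check only says the file is unrecognised; that is exactly what HijackThis says, and the decision about whether a given DLL belongs there is still the technician's.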

  2. #2
    Registered
    Join Date
    Feb 2008
    A friend of mine had been dealing with this same problem on his parents' computer for the last week or so. He finally went to Secunia.com and downloaded their PSI program. He found a lot of outdated programs, which he updated or uninstalled or patched. He manually removed the AV Security Suite registry edits, made sure all internet connections were set to automatic and not to any proxies and then used an uninstall tool from some website (???, sorry, don't know which one). He hasn't had any problems in a few days so he thinks he has finally gotten rid of it.

    I guess what I am suggesting is to make sure all of your client's programs are up to date. The Secunia.com program is free and does all of the work for you from what my friend told me. It's worth a look at least.

  3. #3
    Senior Member
    DaveHCYJ's Avatar
    Join Date
    Jun 2003
    Location
    San Diego
    Once infected, the safest thing you can do is just reinstall. You never know what might be left behind or what you're not seeing. Obviously the pop-ups are in your face and annoying, but far worse might be the key loggers etc. that are going to lead to identity theft, stolen credit cards etc.

    You can reinstall your computer, you can't reinstall your life.

  4. #4
    In IE, go to Internet Options -> Connections -> Lan settings and uncheck the "Use a proxy server..." setting. That should give you internet access back. Then you can download the removal tool for that horrid payload.
    Cpu - Intel E8400 @ 4.0GHz (445 x 9) 1.288v (CPU-Z)
    HSF - TRUE 120 with Scythe S-Flex SSF21F (29*c/55*c)
    Motherboard - Asus P5K Premium
    Ram - 2 x 2GB Corsair TWIN2X4096-6400C5DHX 5-5-5-18 890MHz 1.8v
    Video - BFG 880GT OC
    Storage - 500GB Western Digital 7200RPM
    PSU - Corsair HX620
    Case - Antec 900
    Sound - X-Fi Xtrememusic
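The IE "Use a proxy server" checkbox described above is backed by values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (`ProxyEnable`, `ProxyServer`, `ProxyOverride`, `AutoConfigURL`), which is where the original poster says they disabled the proxy via the registry. As an added example, not from the thread or from Microsoft, here is a Python script that reads a `.reg` export of that key, explains what the current values do to the user's traffic, and emits a corrected fragment that turns the proxy off and deletes the server and PAC-script values (the `"name"=-` syntax). The export text is constructed; the `127.0.0.1:5555` proxy and the example.net PAC URL are made-up placeholders, not values from the page.

```python
import re
from typing import Dict, List, Union

RegValue = Union[int, str]

# Constructed .reg export, written the way `reg export` prints the key.
# The ProxyServer and AutoConfigURL values are made up for the demo.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:5555"
"ProxyOverride"="<local>"
"AutoConfigURL"="http://config.example.net/proxy.pac"
"""

PROXY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')


def parse_reg_values(text: str, key: str) -> Dict[str, RegValue]:
    """Return {name: value} for the values listed under `key` in a .reg export.

    dword values become ints, quoted strings are unescaped, anything else
    (hex(...) blobs and so on) is kept as the raw text.
    """
    values: Dict[str, RegValue] = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, raw = m.group("name"), m.group("raw")
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            values[name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            values[name] = raw
    return values


def assess_proxy(values: Dict[str, RegValue]) -> List[str]:
    """Describe, in plain words, where these settings send the user's web traffic."""
    findings: List[str] = []
    if values.get("ProxyEnable", 0) == 1:
        server = values.get("ProxyServer", "<unset>")
        findings.append(f"HTTP(S) traffic is routed through the proxy at {server}")
    if values.get("AutoConfigURL"):
        findings.append(f"a PAC script fetched from {values['AutoConfigURL']} picks the proxy per request")
    return findings


def corrected_reg(key: str) -> str:
    """Build a .reg fragment that disables the proxy and removes the server and PAC values."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{key}]",
        '"ProxyEnable"=dword:00000000',
        '"ProxyServer"=-',
        '"AutoConfigURL"=-',
        "",
    ])


if __name__ == "__main__":
    current = parse_reg_values(SAMPLE_REG, PROXY_KEY)
    for line in assess_proxy(current):
        print("finding:", line)
    print(corrected_reg(PROXY_KEY))
```

Note that this covers the per-user WinINET settings IE uses; a machine-wide WinHTTP proxy is configured separately and is not touched here.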

  5. #5
    Member Trap05's Avatar
    Join Date
    Jan 2005
    Location
    Alberta, Canada
    Six times? Reinstall time...probably should have done that long ago
    CoolerMaster 690
    Antec HCG 620w
    Gigabyte Z68X-UD4-B3 + i5 2500K
    Xigmatek Dark Knight S1283V w/crossbow
    G.Skill 8GB 1600
    MSI GTX 560ti 448 1280MB
    Corsair Nova 64GB SSD
    Windows 7 x64 HP SP1
    Corsair k60 & Logitech MX518
    BenQ RL2450H 24" 1080p
    http://www.heatware.com/eval.php?id=60834
    SteamID trm2006

  6. #6
    Special Member ★ madhatter256's Avatar
    Join Date
    Jul 2008
    Location
    CFL
    Reinstall is not an option.


    It looks to be an Alureon.h rootkit. Windows Security Essential always picks it up, but it cannot remove it. It doesn't tell me the location of the file either, for me to hard delete it. So, I'm figuring out what to do.

  7. #7
    Special Member ★ madhatter256's Avatar
    Join Date
    Jul 2008
    Location
    CFL
    Still trying to figure out how to remove it, but I can now run Windows Update and start updating the XP PC via IE8. So, that's some progress.

  8. #8
    Member
    Join Date
    Jun 2010
    Location
    New Jersey
    Try using this software: Malwarebytes. There is a free version that you can download from their website - http://www.malwarebytes.org/

    I've been using this for years now and it hasn't failed me yet.
    Last edited by _s3v3n_; 07-07-10 at 04:28 PM.

  9. #9
    Senior Member
    DaveHCYJ's Avatar
    Join Date
    Jun 2003
    Location
    San Diego
    Quote Originally Posted by madhatter256 View Post
    Reinstall is not an option.


    It looks to be an Alureon.h rootkit. Windows Security Essential always picks it up, but it cannot remove it. It doesn't tell me the location of the file either for me to hard delete it. So, I'm figuring out what to do.
    Rootkits by their very nature are designed so you can't remove them. In a lot of cases they either modify OS files that handle interaction with the file system so that the rootkit files don't even show up, or so that the files can't be removed. In other cases the rootkit installs itself below the OS so everything the OS tries to do has to go through the rootkit first, and it can deny any actions that would attempt to remove it.

    Sorry to break the bad news, but the only way to remove a properly designed rootkit is to reinstall.

    I would try googling it to see if you can find specific removal instructions, but if you can't and reinstall is not an option then you are pretty much left to just trying to get the computer into a semi-usable state. But as you've seen already, the problem is likely to just resurface again and again.

    First step I'd take if you aren't going the reinstall route is to set up a firewall that blocks outgoing traffic on your router to help minimize the amount of information being transmitted to the outside world, but that is really just going to give you a false sense of security.

  10. #10
    Member ratbuddy's Avatar
    Join Date
    Aug 2007
    Location
    Hartford, CT
    Quote Originally Posted by madhatter256 View Post
    Reinstall is not an option.
    Then you shouldn't be wasting time working on the machine - see below.

    Quote Originally Posted by DaveHCYJ View Post
    Sorry to break the bad news, but the only way to remove a properly designed rootkit is to reinstall.
    This is correct. Once a baddie like that gets in, you are way better off just nuking the whole drive and starting over.
    HTPC - 2500k - 212+ - GA-Z68MX-UD2H-B3 - 2x4GB G.Skill DDR3-1600 - Crucial MX100 512GB, Spinpoint F3 1TB w/M4 64GB ISRT Cache
    MSI GTX 970 4GB - Silverstone LC10B-E - Corsair RM550

    -----
    Main - X3 450 - ASRock A790GMH/128M 790GX - 2x2GB G.Skill 4-4-4-12 - Crucial MX100 256GB, 2xWD Green 1TB
    Gigabyte GTX 460 1GB - Silverstone TJ08 - Corsair CX400W

    Nothin' up my sleeve..

  11. #11
    Member medo145's Avatar
    Join Date
    Jun 2004
    Location
    Massachusetts, USA
    Try Malwarebytes again, make sure it's updated and run a full scan in safe mode.
    |ASUS P8Z68 DELUXE/GEN3|i72600K 3.4GHz @ 4.5GHz(100x45)|EVGA GTX670 FTW+ 4GB @ 1006/6008|
    |4x4GB G.Skill DDR3 1600 PC2 12800|LianLi(PC-A70B)|Corsair HX750|ASUS Xonar Essence STX|
    |Samsung 840 Pro 256GB (OS)|3x1TB (WD Black) 0+5 Intel Matrix Raid|

    |Asrock Z97E-ITX/ac|i54670K 3.4GHz @ Stock(...x..)|Corsair H60|
    |2x4GB G.Skill Sniper DDR3 1600 PC2 12800|Corsair(250D)|Corsair CX600M|
    |Samsung 840 Evo 250GB (OS)|3TB (Seagate)|

  12. #12
    Special Member ★ madhatter256's Avatar
    Join Date
    Jul 2008
    Location
    CFL
    FYI: Malwarebytes kept reporting the system as clean, whereas MS SE kept coming up with the rootkit infection (but still unable to delete it).

    Well, I searched MSDN and even called MS Support and they directed me to one topic on their support forums. In there was this program called UnHackMe. I installed it, ran it and found some suspicious files. I deleted them because they did look unimportant. Afterward I rebooted, ran MS Security Essential overnight and Malwarebytes and they came back clean the morning after.

    Then I started surfing around the Internet on his PC to see if IE might still be affected (even after resetting everything back to default via the registry) and nothing popped up like it did before.

    Told the client everything that I've done and he took it back. He understands that he has to live with it if it comes back until he upgrades his PC. Told him to purchase Malwarebytes so it has the live protection enabled to prevent the bad stuff the rootkit (if it's still in there - not 100% sure) might install like it has been doing.

    So yeah, I think it is removed, but then again I am not sure. Time will tell if something comes back or not.

  13. #13
    Member jediobi1's Avatar
    Join Date
    Feb 2006
    Location
    Nashville Tn
    Quote Originally Posted by madhatter256 View Post
    FYI: Malwarebytes kept reporting the system as clean, whereas MS SE kept coming up with the rootkit infection (but still unable to delete it).

    Well, I searched MSDN and even called MS Support and they directed me to one topic on their support forums. In there was this program called UnHackMe. I installed it, ran it and found some suspicious files. I deleted them because they did look unimportant. Afterward I rebooted, ran MS Security Essential overnight and Malwarebytes and they came back clean the morning after.

    Then I started surfing around the Internet on his PC to see if IE might still be affected (even after resetting everything back to default via the registry) and nothing popped up like it did before.

    Told the client everything that I've done and he took it back. He understands that he has to live with it if it comes back until he upgrades his PC. Told him to purchase Malwarebytes so it has the live protection enabled to prevent the bad stuff the rootkit (if it's still in there - not 100% sure) might install like it has been doing.

    So yeah, I think it is removed, but then again I am not sure. Time will tell if something comes back or not.
    I had a problem like this on a client's computer. I made a copy of Windows to run on a USB drive using BartPE/Emergency Boot CD, booted the computer from the thumb drive and ran different AV programs overnight. It cleaned the whole thing and they haven't had a problem since.
    Motherboard: Gigabyte EP45-UD3P
    CPU: E8400 3.0ghz
    Memory: Gskill 4 gigabyte 2x2gb sticks
    Videocard: ATI Radeon 4850
    Case: Antec 900
    Mouse: Logitech G5
    Keyboard: Zboard Gaming Keyboard


    My Heatware

  14. #14
    Premium Member #1
    chawks2's Avatar
    Join Date
    Jun 2004
    Location
    OG, CT
    Quote Originally Posted by jediobi1 View Post
    I had a problem like this on a client's computer. I made a copy of Windows to run on a USB drive using BartPE/Emergency Boot CD, booted the computer from the thumb drive and ran different AV programs overnight. It cleaned the whole thing and they haven't had a problem since.
    +1

    This should remove/replace the infected files. Had a nasty hijack of the atapi.sys driver; booted from a different machine with the HDD connected, ran AVG and cleaned the baby all up.
    "The only solid piece of scientific truth about which I feel totally confident is that we are profoundly ignorant about nature...It is this sudden confrontation with the depth and scope of ignorance that represents the most significant contribution of 20th century science to the human intellect."
    -Lewis Thomas, The Medusa and the Snail

    "The best definition we have found for civilization is that civilized man does what is best for all, the savage does what is best for himself."
    -Edwin Hubble

    H.E.A.T
    MarioKart FID-0774-5798-8330

  15. #15
    Try Antivir's or Dr.Web's bootable recovery CD. Another option is to take the drive and hook it up to another computer and then run some scans.

  16. #16
    Member
    Join Date
    Jun 2010
    Location
    New Jersey
    I've posted this tool from the other thread.

    http://www.overclockers.com/forums/s...6&postcount=16

  17. #17
    Special Member ★ madhatter256's Avatar
    Join Date
    Jul 2008
    Location
    CFL
    Latest version of ComboFix at that time did not pick it up in the log reports.

    I'm gonna try this one boot CD mentioned by someone on here, but that post got deleted... The problem with using a boot CD is that this is a RAID setup. So, BartPE and the BitDefender/Avira rescue CDs won't detect the hard drive RAID array, and their support does not mention how to integrate RAID drivers into their ISO.

    So, I'm gonna have to clone the RAID onto a single HDD, and then run the boot CD programs.

    But what I did for now was install UnHackMe, which runs a rootkit revealer, etc., and it did pick it up and said it removed it, but I'm not 100% sure until I do a scan with those boot CDs.

  18. #18
    Quote Originally Posted by DaveHCYJ View Post
    Rootkits by their very nature are designed so you can't remove them. In a lot of cases they either modify OS files that handle interaction with the file system so that the rootkit files don't even show up, or so that the files can't be removed. In other cases the rootkit installs itself below the OS so everything the OS tries to do has to go through the rootkit first, and it can deny any actions that would attempt to remove it.

    Sorry to break the bad news, but the only way to remove a properly designed rootkit is to reinstall.

    I would try googling it to see if you can find specific removal instructions, but if you can't and reinstall is not an option then you are pretty much left to just trying to get the computer into a semi-usable state. But as you've seen already, the problem is likely to just resurface again and again.

    First step I'd take if you aren't going the reinstall route is to set up a firewall that blocks outgoing traffic on your router to help minimize the amount of information being transmitted to the outside world, but that is really just going to give you a false sense of security.
    Alureon.H is a nasty rootkit. We had this one at work on a couple of machines and we decided to back up the user profile and wipe the drives to be safe. No antivirus, anti-malware, or ComboFix would work on it. You definitely do not need credit card numbers getting stolen! +1 for reinstall.
    My System:
    CPU: AMD 8650 X3 @ 2.3GHz | GPU: XFX ATI XXX 4870 | MOBO: GIGABYTE MA770-UD3 | PSU: CORSAIR 650TX 650W | RAM: 4GB OCZ Fatal1ty Edition 1066Mhz DDR2 | HDD: SEAGATE ST3250310AS 250GB | CASE: NZXT M59

    There are CPUs, and then there's AMD
