
Virus sets up a proxy server... cannot fully remove it...


madhatter256 (Special Member, joined Jul 5, 2008, location: CFL)
Hey guys. I've worked on this client's PC (windows XP pro SP3) six times already, each with the same problem.

AV Security Suite ends up installing itself, but the problem starts when pop-ups appear out of nowhere. They are the usual porn, ED, etc. Eventually this thing installs.

So, I know how to remove the program manually from the registry, and where it installs itself. The problem I'm having is removing all of the networking crap the virus(es) change. I know it changes something internally with IE or Windows Script or something, because I cannot run Windows Update from IE or the automatic updates. I get a DNS error.

I ran the Winsock reg fix, disabled the proxy settings via the registry, and ran Malwarebytes, ComboFix, Avira, and MS Security Essentials. After all of that a popup reappeared for some obscure search page, shopica.com.

Anyway, I have it running another barrage of scans overnight and I am posting the HijackThis log to see if anyone can find anything unusual:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:05 PM, on 7/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
L:\Tech Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 127.0.0.0 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1278443062968
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148171208687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148388373375
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5934 bytes
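The log above is the kind of thing a helper reads by eye for odd R0/R1 start pages, O1 hosts entries, O4 autoruns and O10 LSP lines. The script below is an added example (not from the thread or from HijackThis) that does that first pass mechanically. The sample log, the allowlist of expected URL hosts, the host `unexpected-search.example` and the `192.0.2.10` hosts entry are all constructed for the example; a flagged line is a review item, not a verdict, since legitimate software shows up in every one of these sections.

```python
"""Triage a HijackThis v2 log for the entry types a hosts/proxy hijack touches.

Added illustration: every flagged line is a *review* item, not a verdict; the
sections checked (R0/R1 start pages, O1 hosts entries, O4 autoruns, O10 LSPs)
also carry plenty of legitimate software.
"""
import re
from urllib.parse import urlparse

# Assumption: default IE start/search URLs come from these hosts; add a client's
# intranet start page here before running against their log.
EXPECTED_URL_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# The only hosts-file entries present on a default Windows install.
EXPECTED_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Constructed sample in HijackThis format; the unexpected-search host and the
# 192.0.2.10 hosts entry are invented to exercise the checks.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://unexpected-search.example/start
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 update.example.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""


def _check_start_page(body):
    # body looks like: HKLM\...\Main,Start Page = http://...
    if "=" not in body:
        return None
    value = body.split("=", 1)[1].strip()
    if not value:
        return None  # blank Start Page: nothing configured, nothing to flag
    host = (urlparse(value).hostname or "").lower()
    if host not in EXPECTED_URL_HOSTS:
        return f"IE start/search URL points at unexpected host {host!r}"
    return None


def _check_hosts(body):
    # body looks like: Hosts: 127.0.0.1 localhost
    parts = body.split(":", 1)[1].split()
    if len(parts) < 2:
        return "malformed hosts entry"
    ip, name = parts[0], parts[1]
    if (ip, name) in EXPECTED_HOSTS:
        return None
    if name.lower() == "localhost":
        return f"non-standard localhost mapping {ip}"
    return f"hosts file redirects {name} to {ip}"


def _check_run(body):
    # body looks like: HKLM\..\Run: [Name] "C:\path\prog.exe" -args
    m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
    if not m or not m.group("cmd"):
        return None
    cmd = m.group("cmd")
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    if "\\" not in exe:
        return (f"autorun {m.group('name')!r} launches bare filename {exe!r}; "
                "confirm which copy on the search path actually runs")
    return None


def triage(log_text):
    """Return a list of {'section', 'reason', 'line'} review items."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, process list, "End of file" footer
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("R0", "R1"):
            reason = _check_start_page(body)
        elif sec == "O1":
            reason = _check_hosts(body)
        elif sec == "O4":
            reason = _check_run(body)
        elif sec == "O10":
            reason = ("Winsock LSP not on HijackThis's known list; "
                      "compare its hash with a known-good copy of the file")
        if reason:
            findings.append({"section": sec, "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run it with the real log piped in and the list it prints is the short list worth checking by hand; everything it stays quiet about is at least in its default state.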
 
A friend of mine had been dealing with this same problem on his parents' computer for the last week or so. He finally went to Secunia.com and downloaded their PSI program. He found a lot of outdated programs, which he updated or uninstalled or patched. He manually removed the AV Security Suite registry edits, made sure all internet connections were set to automatic and not to any proxies and then used an uninstall tool from some website (???, sorry don't know which one). He hasn't had any problems in a few days so he thinks he has finally gotten rid of it.

I guess what I am suggesting is to make sure all of your client's programs are up to date. The Secunia.com program is free and does all of the work for you from what my friend told me. It's worth a look at least.
 
Once infected the safest thing you can do is just reinstall. You never know what might be left behind or what you're not seeing. Obviously the pop-ups are in your face and annoying, but far worse might be the keyloggers etc. that are going to lead to identity theft, stolen credit cards, etc.

You can reinstall your computer, you can't reinstall your life.
 
In IE, go to Internet Options -> Connections -> LAN settings and uncheck the "Use a proxy server..." setting. That should give you internet access back. Then you can download the removal tool for that horrid payload.
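That LAN settings checkbox writes the per-user `Internet Settings` registry key, which is where the earlier post says the proxy was disabled "via the registry". The script below is an added example (not from the thread) that reads a `reg export` of that key and reports whether a proxy or auto-configuration script is still configured, so the state can be checked after cleanup without trusting the IE dialog. The key path and the value names `ProxyEnable`, `ProxyServer`, `ProxyOverride` and `AutoConfigURL` are the real ones; the two sample exports and the `127.0.0.1:5555` proxy address are constructed.

```python
"""Assess the IE/WinINet proxy values from a .reg export of the per-user
Internet Settings key.  Added illustration: the key and value names are the
real ones behind Internet Options -> Connections -> LAN settings; the sample
exports and the loopback port are constructed."""
import re

INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')


def _decode(raw):
    """Decode the two .reg value encodings that matter here (dword and string)."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # .reg files escape backslashes and quotes inside string values
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # hex:, hex(2): etc. are left undecoded


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a 'Windows Registry Editor 5.00' export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = REG_VALUE.match(line)
            if m:
                keys[current][m.group("name")] = _decode(m.group("raw"))
    return keys


def assess_proxy(values):
    """List what is wrong with one Internet Settings value set (empty list = clean)."""
    findings = []
    server = values.get("ProxyServer", "")
    if values.get("ProxyEnable", 0) == 1:
        if any(h in server for h in ("127.0.0.1", "localhost")):
            findings.append(f"proxy enabled and pointed at this machine ({server}): "
                            "a local process is sitting between the browser and the network")
        else:
            findings.append(f"proxy enabled: {server or '<no ProxyServer value>'}")
    elif server:
        findings.append(f"ProxyServer left set ({server}) with ProxyEnable=0; clear it too")
    if values.get("AutoConfigURL"):
        findings.append(f"automatic configuration script set: {values['AutoConfigURL']}")
    return findings


def check_export(text):
    """Parse an export and assess the Internet Settings key inside it."""
    return assess_proxy(parse_reg(text).get(INET_KEY, {}))


# Constructed export of a machine whose browser traffic is routed through a
# proxy listening on the loopback interface (port chosen for the example).
HIJACKED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"
"""

# Constructed export of the expected state after the checkbox is cleared.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("hijacked", HIJACKED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, check_export(export) or ["no proxy findings"])
```

To feed it a real export, run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" inet.reg` on the affected machine and open the file with `encoding="utf-16"`, since `reg export` writes UTF-16 text.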
 
Reinstall is not an option.


It looks to be an Alureon.h rootkit. Windows Security Essential always picks it up, but it cannot remove it. It doesn't tell me the location of the file either for me to hard delete it. So, I'm figuring out what to do.
 
Still trying to figure out how to remove it, but I can now run Windows Update and start updating the XP PC via IE8. So, that's some progress.
 

Rootkits by their very nature are designed so you can't remove them. In a lot of cases they either modify OS files that handle interaction with the file system so that the rootkit files don't even show up or so that the files can't be removed. In other cases the rootkit installs itself below the OS so everything the OS tries to do has to go through the rootkit first and it can deny any actions that would attempt to remove it.

Sorry to break the bad news, but the only way to remove a properly designed rootkit is to reinstall.

I would try Googling it to see if you can find specific removal instructions, but if you can't and reinstall is not an option then you are pretty much left to just trying to get the computer into a semi-usable state. But as you've seen already the problem is likely to just resurface again and again.

First step I'd take if you aren't going the reinstall route is to set up a firewall that blocks outgoing traffic on your router to help minimize the amount of information being transmitted to the outside world, but that is really just going to give you a false sense of security.
 
Try Malwarebytes again; make sure it's updated and run a full scan in Safe Mode.
 
FYI: Malwarebytes kept reporting the system as clean, whereas MS SE kept coming up with the rootkit infection (but still unable to delete it).

Well I searched MSDN and even called MS Support and they directed me to one topic on their support forums. In there was this program called UnHackMe. I installed it, ran it and found some suspicious files. I deleted them because they did look unimportant. Afterward I rebooted, ran MS Security Essential overnight and Malwarebytes and they came back clean the morning after.

Then I started surfing around the Internet on his PC to see if IE might still be affected (even after resetting everything back to default via the registry) and nothing popped up like it did before.

Told the client everything that I've done and he took it back. He understands that he has to live with it if it comes back until he upgrades his PC. Told him to purchase Malwarebytes so it has the live-protection enabled to prevent the bad stuff the rootkit (if it's still in there - not 100% sure) might install like it has been doing.

So yeah, I think it is removed, but then again I am not sure. Time will tell if something comes back or not.
 

I had a problem like this on a client's computer. I made a copy of Windows to run on a USB drive using BartPE/Emergency Boot CD, booted the computer from the thumb drive and ran different AV programs overnight. It cleaned the whole thing and they haven't had a problem since.
 

+1

This should remove/replace the infected files. Had a nasty hijack of the atapi.sys driver, booted from a different machine with the HDD connected, ran AVG and cleaned the baby all up. :thup:
 
Try AntiVir's or Dr.Web's bootable recovery CD. Another option is to take the drive and hook it up to another computer and then run some scans.
 
Latest version of ComboFix at that time did not pick it up in the log reports.

I'm gonna try this one boot CD mentioned by someone on here, but that post got deleted... The problem with using a boot CD is that this is a RAID setup. So, BartPE and the BitDefender/Avira rescue CDs won't detect the hard drive RAID array and their support does not mention how to integrate RAID drivers into their ISO.

So, I'm gonna have to clone the RAID onto a single HDD, and then run the boot CD programs.

But what I did for now was install UnHackMe, which runs a rootkit revealer, etc., and it did pick it up and said it removed it, but I'm not 100% sure until I do a scan with those boot CDs.
 

Alureon.H is a nasty rootkit. We had this one at work on a couple of machines and we decided to backup the user profile and wipe the drives to be safe. No antivirus, anti-malware, or combofixer would work on it. You definitely do not need credit card numbers getting stolen! +1 for reinstall.
 