IE Hijack? (Rootkits?)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by calyx881, Jan 28, 2011.

  1. calyx881

    calyx881 Private E-2

    Hey all,

    I am running an HP Laptop with Windows 7 (64-bit), which was made in April 2010 and I purchased new in September. My current location is Germany, and for the past few months I've been living in a student dorm arrangement. This dorm has only two options for free network access, which is an unencrypted Ethernet LAN in my room and an unsecured wireless connection on campus. We log in with user names (so only other university students use the network) but other than that, we're on our own in terms of computer safety.

    Knowing this I installed GData Internet Security 2011, thinking that'd keep everything secure. I must have made a mistake, and a week ago I noticed I was running 100% of my processes all the time (I posted here in the wrong forum about it, too, I'm sorry.)

    Wanting to be independent I went to Major Geeks and ran their malware removal protocol for Windows 7 (except combofix). So I ran Malwarebytes AntiMalware, SUPERAntiSpyware, HijackThis, CCleaner and GData. The log for Hijackthis before I removed anything is posted below.

    HijackThis was not able to scan the Hosts file. I noticed I was running about 15 IE processes, although I use Chrome. Also, CCleaner found way more tmp files in IE than in either of the browsers that I actually use, and running the cleaner didn't delete the processes in question. So after trying to uninstall IE (Turns out you can't do that) I went into the Help+Maintenance window and disabled Internet Explorer from there. That cut down the CPU% getting used by about 1/3.

    I then saved a System Image on my 1TB external HD in case I bleeped up and accidentally deleted system32 or something.

    Running Superantispyware found a trojan (Trojan/Gen) and a crapload of cookies, which I got rid of.

    I defragmented the disk.

    After that I updated GData (which was current then, but I tried it) and turned up the firewall to maximum security. It started blocking weird queries from other computers that live on my LAN network, but it still hasn't found any viruses.

    Today I went back to the Help+Maintenance window to do the Complete Health Check and it highlighted some of my drivers for the Synaptics touchpad, HP Support Assistant, Realtek Audio Driver, and Intel RST Drivers as "needing updates". It also warned me that System Restore and the HP Support Assistant were disabled. Trying to fix these issues in H+M didn't do anything - even when the downloads and installations were complete the task would never end.

    So I manually downloaded the drivers for the RST and the touchpad, and updated those, but I am having a hard time getting the one for the speakers. Realtek's site is obnoxiously slow and I already accidentally downloaded and briefly installed some suspect "Driver Navigator" from a company called "Easyware" which said it was from Realtek. (I've already uninstalled that.)

    I got Realtek's driver for the supposedly compromised speaker but I haven't installed it yet. The publisher is not Realtek but some other company, and I know Realtek is the tin can brand.


    I don't know whether I should follow HP's recommendation to get their "Support Assistant" (which I have disabled) or to enable System Restore.

    Not wanting to leave anything out I got a copy of Sophos Anti-Rootkit. It found 12 items. I'm going to try to fix them, and I included a printscreen to serve as a log for that.

    My CPU is still working harder than it ought to be, so I ask, is there something I missed? I'm including a Hijackthis log from before, when I had the original problem (with my notes on the log) and a log from today. Do you all have any recommendations about what to do next?

    I've attached two hijackthis logs - one from before I did anything and one from today, as well as a DDS log. Can you help me?

    thank you.
    - calyx
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    * Why didn't you also run ComboFix?

    Please attach the below logs created while running the requested scans.
    • SASlog.txt log from SuperAntiSpyware.
    • Malwarebytes Anti-Malware log
    • RRlog.txt (from RootRepeal)
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
     
  3. calyx881

    calyx881 Private E-2

    I read (or I think I read) that Combofix won't work/can harm 64-bit operating systems.

    Hopefully I can get the other logs tonight.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Combofix is now 64 bit compatible. So do run it.
     
    Last edited: Jan 31, 2011
  5. calyx881

    calyx881 Private E-2

    Here's the Combofix log. I apologize.. My computer's region is set to Germany so the log's Unicode is in German. Is it still helpful?

    Running the other two things shortly. Thank you!
     

    Attached Files:

  6. calyx881

    calyx881 Private E-2

    OK. That's everything, what do you think?

    Edit: are you sure Rootrepeal works on 64-bit computers? My edition did not.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not seeing much to do.

    What is inside of this folder?
    c:\programdata\{23D58E70-3B83-4B83-A227-68770F84F5EC}

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    • Click the Start menu and click Run.
    • Type "regedit" and click OK.
    • Navigate to this key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UpnpDevice Host\Description\{1F3E9A4C-457A-466D-8AC1EB39819FEB64}
    • Click Registry in the Registry Editor toolbar.
    • Or File > Click Export Registry File.
    • Select the directory for the exported file and type a file name. Use a specific name so that you can identify the file easily.
    • Click OK to export the Registry file.

    Zip it up and attach it here for our review.
     
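The export step above can also be done from an elevated PowerShell prompt, which is handy when the exact GUID subkey name is uncertain: this added example (not from the thread or from the MajorGeeks procedure) lists every subkey under the UPnP Device Host "Description" key, shows its values, and writes each one to a .reg file on the Desktop with reg.exe for review. The output file naming is my own choice.

```powershell
# Added example: enumerate the UPnP Device Host description subkeys and
# export each one to a .reg file on the Desktop so it can be zipped and attached.
$base = 'HKLM:\SOFTWARE\Microsoft\UPnP Device Host\Description'

if (-not (Test-Path $base)) {
    Write-Output "Key not present: $base"
    return
}

$desktop = [Environment]::GetFolderPath('Desktop')

Get-ChildItem -Path $base | ForEach-Object {
    $name = $_.PSChildName
    Write-Output "Subkey: $name"

    # Show the values stored under the subkey (PS* are PowerShell's own metadata properties)
    Get-ItemProperty -Path $_.PSPath |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List | Out-String | Write-Output

    # reg.exe needs the native HKLM\ path form; /y overwrites an existing file silently
    $nativeKey = 'HKLM\SOFTWARE\Microsoft\UPnP Device Host\Description\' + $name
    $outFile   = Join-Path $desktop ('upnp_' + ($name -replace '[{}]', '') + '.reg')
    & reg.exe export $nativeKey $outFile /y | Out-Null
    Write-Output "Exported to: $outFile"
}
```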
  8. calyx881

    calyx881 Private E-2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host\Description\{1F74F341-4963-4EE1-AC89-CBF1BB840354}

    I couldn't find the registry key you were talking about in the editor. This one was the only one that starts with 1F.

    Here's what's in the folder you asked about (it's attached in the printscreen)
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You will have to work out any remaining issues in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
