Can someone help me out with these logs? <Solved>

I got a computer with an infection. I don’t have the user’s password and she isn’t available, so everything I have been doing has been under the administrator’s account.

I don’t see anything strange running, and the only thing that I have observed was IE and Firefox weren’t able to connect to the internet (no weird proxy was set, it just wouldn’t connect), and the Security Center service was completely missing from the services list.

I did a malwarebytes scan twice. The first one was a full scan that was taking forever so I cancelled it and removed the one file that it found, and rebooted after.
Then I used this: http://www.winhelponline.com/blog/misc-registry-fixes-for-windows-7-xp-vista/ to repair the missing Security Center Service. It’s running properly now.
Ran a quick MalwareBytes scan and cleaned a few more things.

Then I ran OTS with the instructions listed from Essexboy’s post.

Now, since I have never used OTS, I’d like a little help in trying to find out if this computer is clean or not.

Thanks for the help guys!

Seems that xqt.exe is related to Win 7 Total Security, so I’ll be looking for information on removal.

Found a weird file in c:\users\all users, but virustotal doesn’t seem to think it’s bad.

http://www.virustotal.com/file-scan/report.html?id=cfc86d5ca172fc44643c8d4723a886a72885700d659ba534b711f66515876d16-1308152615

Found the same file in a few other %appdata% places for the user and I got rid of them all. They were created recently and in places where http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011 claims that bad files may reside.

Trust me 'tis bad

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: URLSearchHooks\\"{472734EA-242A-422b-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: URLSearchHooks\\"{472734EA-242A-422b-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{DE9C389F-3316-41A7-809B-AA305ED9D922}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  q4ta1hu2fuke6yb3bssy4t2ab -> C:\ProgramData\q4ta1hu2fuke6yb3bssy4t2ab
[Files - No Company Name]
NY ->  q4ta1hu2fuke6yb3bssy4t2ab -> C:\ProgramData\q4ta1hu2fuke6yb3bssy4t2ab
NY ->  eST3snm.dll -> C:\Windows\System32\eST3snm.dll
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start the scan.

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click “Save log”, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

Thanks, EB, I’ll start running through that now. Didn’t realize it was that bad. Be back in a short while!

Just ran the OTS “Run Fix” with information supplied. It’s making me reboot the system, doing so now.

Edit: alright, rebooted, saved the logs from OTS, then ran aswMBR. Logs are attached.

Doh! He’s gone. :-[ Hopefully you come back within about a half hour; we’re closing at 3pm today, which is about 45 mins away. Don’t know if I should click FixMBR or not, or what to do next. I really gotta read up on cleaning malware off.

Haven’t done anything yet, as it appears that there are no rootkits from what I can tell from the aswMBR output, but I did update MBAM one more time and ran a quick scan. It came up clean.

Alright, time to close up shop. Hopefully it’s clean enough for the user to work on it.

Thanks for your help Essexboy!

Looks clean to me ;D

Great! Thanks very much for your help. One day I’ll sit around reading long enough to figure out what that OTS fix did.

I owe ya one!

Just an update, the user called me up today saying that she still couldn’t open IE / Firefox / Outlook or any other program really. I created a temporary username for her to use and that seemed to work.

Then when she went to lunch, I downloaded the exe fix from here: http://www.dougknox.com/xp/file_assoc.htm

and that seemed to fix the rest of her problems. That’s the second time in a week that I’ve had to reset the exe file associations on a computer that got malware on it. Seems that it might come in handy later on so I posted it here.

That’s weird, as OTS gives an analysis of the exe and com associations for all users, and they were good.

Also the IE and FF commands were likewise checked. Curious.

Hey bro, I’m no expert at malware removal. All I know is that I removed everything and ran all of your utilities under the domain administrator account and never logged in as the user that actually witnessed the problems.

Even after the issues were fixed, the associations were still broken for exes. The reg fix remedies the problem, but your repairs didn’t do that automatically.

I can assume that the majority of the people that you help probably use home computers with local usernames, and the majority of those try the fixes that you prescribe from their own accounts.

For me, it wasn’t the case. All of my users are usually on domain networks and I usually apply fixes from another (domain admin) user account.

I just wanted to give you a heads-up that it’s possible that the fix works, but the original user account is where the fixes need to be run from. Otherwise it doesn’t go as far as it needs to.

OK, a domain would cause problems, as all the tools work from a local machine and are designed for that purpose.
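The exchange above turns on one point: the rogue’s .exe association hijack (and any proxy it sets) lives in the user’s own hive, so a fix run from a different admin account never touches it. The PowerShell script below is an added example written for this thread; it is not from the posts, from OTS, or from any of the other tools mentioned. It audits the .exe/.com open command and the Internet Settings proxy values for HKLM and for every profile listed in ProfileList, loading NTUSER.DAT for users who are not logged on so the infected user’s hive is covered even when she is not available. It assumes an elevated prompt, that the ProfileImagePath entries in ProfileList point at existing profile folders, and that the temporary hive names HKU\Audit_<RID> are not already in use; the name `Test-OpenCommands` and the other function names are this example’s own.

```powershell
# Added example for this thread (not from the posts, OTS or any other tool).
# Run from an elevated PowerShell prompt on the affected machine.

$Expected = '"%1" %*'      # clean exefile / comfile open command
$Exts     = '.exe', '.com'

function Get-OpenCommand {
    # Resolve <Classes>\<Ext> -> ProgID -> shell\open\command (default value).
    # Returns $null when the extension key is absent from this hive, which for a
    # user hive means the HKLM default applies. Windows does not create a
    # per-user .exe key by itself, so any per-user override deserves a look.
    param([string]$Classes, [string]$Ext)
    if (-not (Test-Path "$Classes\$Ext")) { return $null }
    $progId = (Get-ItemProperty "$Classes\$Ext").'(default)'
    if (-not $progId) { $progId = $Ext.TrimStart('.') + 'file' }   # exefile / comfile
    $cmdKey = "$Classes\$progId\shell\open\command"
    $cmd = if (Test-Path $cmdKey) { (Get-ItemProperty $cmdKey).'(default)' } else { $null }
    [pscustomobject]@{ ProgId = $progId; Command = $cmd }
}

function Get-ProxySettings {
    # Per-user IE/WinINet proxy values; Firefox in "system proxy" mode uses these too.
    param([string]$Hive)
    $k = "Registry::$Hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $k)) { return 'n/a' }
    $p = Get-ItemProperty $k
    "ProxyEnable=$($p.ProxyEnable) ProxyServer=$($p.ProxyServer) AutoConfigURL=$($p.AutoConfigURL)"
}

function Get-ProfileHives {
    # One object per profile in ProfileList. Logged-on users already have
    # HKU\<SID>; for everyone else NTUSER.DAT is loaded as HKU\Audit_<RID>
    # (assumed free) and must be unloaded by the caller.
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($k in Get-ChildItem $list) {
        $sid = $k.PSChildName
        $dir = (Get-ItemProperty $k.PSPath).ProfileImagePath
        $dat = Join-Path $dir 'NTUSER.DAT'
        if (Test-Path "Registry::HKEY_USERS\$sid") {
            [pscustomobject]@{ Sid = $sid; Hive = "HKEY_USERS\$sid"; RegName = $null; Loaded = $false }
        } elseif (Test-Path $dat) {
            $rid = $sid.Split('-')[-1]
            & reg.exe load "HKU\Audit_$rid" $dat | Out-Null
            if ($LASTEXITCODE -eq 0) {
                [pscustomobject]@{ Sid = $sid; Hive = "HKEY_USERS\Audit_$rid"; RegName = "HKU\Audit_$rid"; Loaded = $true }
            } else {
                Write-Warning "Could not load $dat for $sid (is the user logged on elsewhere?)"
            }
        }
    }
}

function Test-OpenCommands {
    # Machine-wide defaults first, then every user hive.
    $rows = @(foreach ($e in $Exts) {
        $r = Get-OpenCommand -Classes 'HKLM:\SOFTWARE\Classes' -Ext $e
        [pscustomobject]@{ Scope = 'HKLM'; Ext = $e; ProgId = $r.ProgId; Command = $r.Command
                           Status = $(if ($r.Command -eq $Expected) { 'OK' } else { 'SUSPECT' }); Proxy = '' }
    })
    foreach ($u in Get-ProfileHives) {
        try {
            $proxy = Get-ProxySettings -Hive $u.Hive
            foreach ($e in $Exts) {
                $r = Get-OpenCommand -Classes "Registry::$($u.Hive)\Software\Classes" -Ext $e
                $status = if ($null -eq $r) { 'none (HKLM applies)' }
                          elseif ($r.Command -eq $Expected) { 'override, clean' }
                          else { 'SUSPECT per-user override' }
                $rows += [pscustomobject]@{ Scope = $u.Sid; Ext = $e; ProgId = $r.ProgId; Command = $r.Command
                                            Status = $status; Proxy = $proxy }
            }
        } finally {
            if ($u.Loaded) {
                [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release provider handles first
                & reg.exe unload $u.RegName | Out-Null
                if ($LASTEXITCODE -ne 0) { Write-Warning "Hive still loaded; run: reg unload $($u.RegName)" }
            }
        }
    }
    $rows
}

Test-OpenCommands | Format-Table -AutoSize -Wrap
```

A row marked SUSPECT under a user SID, typically a random ProgID whose command points at a file under C:\ProgramData or %AppData%, is exactly the per-user hijack a fix run as the domain administrator leaves behind; deleting that user’s Software\Classes\.exe (and .com) key and the rogue ProgID key in the loaded hive restores the HKLM default, which is what the .exe association fix linked above achieves from inside the user’s own session. Unload the hive before the user logs on again, or the profile will fail to load.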