Phew! What a night. A client running XP Home called me to say that he had received a few warnings from Avast, but now it had stopped working and many other applications no longer responded. In addition, most anti-virus websites resolved to a new page with the message, “This is the Plesk default page.” This machine runs the latest Avast!, plus ZoneAlarm and sits behind a router/firewall. GerryR to the rescue.
I discovered that his Task Manager had been disabled and that Regedit would run, but none of the registry keys or data strings were editable or deletable. Curiously, they could still be renamed, which helped me get the Task Manager back. No files could be downloaded from the web and no online AV products could be installed.
By examining files on the system and the various registry keys that run files and services, I found references to the following trojans:
Trojan.dropper
Troj_Tib.AI
Backdoor.w32/Rbot-QE
Files that I found and knew to be malicious:
kernels8.exe
xpupdate.exe
vxgame1.exe (along with 2, 4 & 6)
Image1.gif.exe
I cleaned out these files easily, since they don’t hide themselves very well. The system still showed no improvement, so I knew I was dealing with at least one hidden process.
I downloaded and ran RootkitRevealer from http://www.sysinternals.com/Utilities/RootkitRevealer.html. It showed 8 files and processes hidden from the Windows API, among them two files named QZ.DLL and QZ.SYS.
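The manual checks described above (the Task Manager lock, the registry keys that launch files and services, and the redirected AV websites) can be gathered in one pass. The script below is an added triage example and is not from the original post or from any of the tools it mentions. It assumes an elevated PowerShell prompt on the affected machine; the registry paths and the hosts file location are the standard Windows ones, while the list of AV domains is a constructed sample to extend for your own environment. Note that it goes through the same Windows API the post says the rootkit was hooking, so anything QZ.SYS hides from Explorer is hidden from this script too; that is exactly the gap RootkitRevealer's raw-versus-API comparison covers.

```powershell
# Added triage script (not the original post's code). Run elevated on the affected host.
# AV domain list below is a constructed sample; extend it as needed.
$avDomains = @('avast.com', 'symantec.com', 'mcafee.com', 'kaspersky.com',
               'trendmicro.com', 'sysinternals.com')

function Test-ToolDisabled {
    # DisableTaskMgr / DisableRegistryTools under the per-user Policies\System key are the
    # documented switches that block Task Manager and Regedit; malware often sets them.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $result = @{}
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = 0
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.$name }
        }
        $result[$name] = ($value -eq 1)
    }
    return $result
}

function Get-AutorunEntries {
    # Run/RunOnce keys in HKLM and HKCU: any unfamiliar image path here deserves a look
    # (the post's kernels8.exe / xpupdate.exe style names would show up in such a list).
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-NonSystemServices {
    # Services whose binary lives outside the Windows directory. Legitimate software does
    # this too, so treat the output as a review list, not a verdict.
    $winDir = $env:SystemRoot.ToLower()
    Get-WmiObject Win32_Service | ForEach-Object {
        $path = [string]$_.PathName
        if ($path -and -not $path.ToLower().Contains($winDir)) {
            New-Object PSObject -Property @{ Name = $_.Name; State = $_.State; Path = $path }
        }
    }
}

function Get-SuspiciousHostsEntries {
    # Assumption: the "Plesk default page" symptom came from a hosts-file hijack. Flag any
    # sampled AV domain mapped to an address other than loopback.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Test-Path $hostsFile)) { return }
    Get-Content $hostsFile | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # drop comments
        if (-not $line) { return }                  # 'return' here skips to the next line
        $fields = $line -split '\s+'
        if ($fields.Length -lt 2) { return }
        $ip = $fields[0]
        if ($ip -eq '127.0.0.1' -or $ip -eq '::1') { return }
        foreach ($name in $fields[1..($fields.Length - 1)]) {
            foreach ($d in $avDomains) {
                if ($name -like "*$d") {
                    New-Object PSObject -Property @{ Address = $ip; Host = $name }
                }
            }
        }
    }
}

'--- Task Manager / Regedit policy locks (True = disabled) ---'
Test-ToolDisabled | Format-Table -AutoSize
'--- Run / RunOnce autorun entries ---'
Get-AutorunEntries | Format-Table Key, Name, Command -AutoSize
'--- Services with binaries outside the Windows directory ---'
Get-NonSystemServices | Format-Table Name, State, Path -AutoSize
'--- AV domains redirected in the hosts file ---'
Get-SuspiciousHostsEntries | Format-Table Address, Host -AutoSize
```

The policy values are read rather than reset on purpose: the point of the pass is to record what the infection changed before cleanup, so the findings can be compared with what RootkitRevealer and the removal tool report afterwards.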
I Googled the filenames and discovered Haxdoor for the first time. (I always wanted to fight a rootkit!) Now I knew its name, but how to go about killing it?
I Googled some more and found Haxfix at http://users.telenet.be/marcvn/tools/haxfix.exe. It automates the removal process and cleans everything out after a reboot. Google is your friend.
So it appears that one trojan got in, disabled most of the security and then allowed a chain of other Trojans to be downloaded. All this appeared to happen in one day. Although Avast! did sound one alarm very early in the infection, it wasn’t up to the task of dealing with these Trojans.
I hope the links to RootkitRevealer and Haxfix will be useful to others. Good hunting!