Unknown Virus on XP Professional system

[mchain]

This is my first post re an attempt to remove an unknown virus from a friend's computer.

Here is what I know:

• Internet provider is Qwest DSL.
• Internet provider has shut off Internet access to ISP due to a virus being reported to them.  The modem itself has been disabled.  It is running, has an Ethernet connection, but Internet connection is denied by Qwest.
• System appears to be running normally, but is missing icons in Control Panel, such as System Restore, Add/Remove.
• Antivirus is ESET Smart Inspector, version 4.0.311.0 (expired 05/05/2011).
• Windows Firewall is off.

I am taking several malware removal tools with me to where the computer is located.

A fresh copy of Avast! Free, Malwarebytes Free, SAS Free, Rootkit Revealer Free, all with latest malware definitions available, and also Revo Uninstaller Free, Spywareblaster Free, Firefox 6.0.2, as well as the latest updates for java and adobe, are being brought with me.  For a firewall, I will be taking a full installer of COMODO.

I am thinking of removing the HDD in his system and installing as a usb drive using my Windows XP Home system at home.  Would this configuration work for cleaning this system? Or is it necessary to bring the system here and run these tools as his system is now configured?

I have burned a CD with the above security files, and also have an usb stick loaded as well.

I will gladly follow any advice given here in this forum.

BTW, I know to remove the security suite first before installing Avast!.

As the system in question appears to be running normally, I think I will be looking for some sort of bot on the system.

mchain

XP Home Edition SP3 P4 2.8  2 GB RAM Avast! Free Edition v. 6.0.1289

[mchain]

UPDATE:

System:  Compaq Presario SR1817CL, XP Professional Edition SP2?, AMD Anthlon +3200 2.0 GHz, ATI XPRESS 200 Integrated, 512 MB RAM, 200 GB HDD.  System as first inspected had ESET SMART Inspector v. 3.0.314.0 (expired).  

Previous PC Tech apparently installed a lifetime license, but ESET discovered this was a hacked version, and disabled the license.  Unfortunately, this disabled real-time a/v protection, and also disabled the firewall.

Remarkably, the system is relatively clean considering the operating environment it was run under.

I successfully installed and ran the following:

• Avast! Free
• Malwarebytes Free
• SUPERAntispyware Free
• Revo Uninstaller Free

ESET was successfully uninstalled, and Avast! was put in with todays vps for 9/18/2011.

After running a quick scan, boot scan (that was truncated by an unexpected restart), a full scan, and a final boot scan, Avast! quarantined a total of 27 malware files.  Note these files were quarantined, not deleted, as I deemed it might be necessary to restore one or more of these files at a later time.

Malwarebytes was installed, with the latest manual definitions available today, 8/31/2011, and it found three malware files in quick scan, and a Trojan [Fake] in iexplore.exe in the full scan.  All files here were quarantined.

SUPERAntispyware was installed with data version 7705 (not the latest malware core version) and found 427 dirty cookies resident on the system.

All in all, it was a little bit like peeling an onion layer by layer.

The following P2P and Bitorrent programs were installed:

• BearShare
• Ares
• Limewire

I have uninstalled Ares (removed the folder and shortcut icon on desktop, as no entry could be found for it in either Add/Remove or Revo Uninstaller) and Limewire.  I have left BearShare alone as this client has more than 800 MB of downloaded music files scattered about the desktop, and in one folder also on the desktop.

The concern here is that these music files may not work in other .mp3 players.  I would not know this until BearShare is uninstalled, and then it might be too late.  

See below.

The fact that System Restore is not working and the fact I cannot find a tab for it in 'System Properties' is of concern.  

I have looked in Task Manager and also in msconfig, and cannot find the process or service for it in either.

This fact may be germane to this issue:  There is no logon screen available when the computer first boots.  Windows loads with the blue rolling bar, then goes directly to the desktop, with a short stop at 'Windows is starting' page.

I also found java to be sorely out-of-date, with both jre's at version 20 and 21, Adobe Reader was still at version 7, and Flash at version 10 X.  Java jre and Adobe Reader have been uninstalled.

I can easily get the logs that are pertinent to scans done so far, but as the system is still at my friend's house, it may be a day or so before I get back to you.

First reboot of the system yielded a boot startup time of over 16 minutes.  Cleaning the system and disabling the three P2P/Bitorrent programs from msconfig as services and startup now has it booting in three minutes.  COMODO firewall has not yet been installed.

I would expect COMODO to have an impact on system startup times, so this above is a baseline.

A few of the files Avast! deemed to be dirty were related to java.  Some of these files were found under the heuristic scan portion of the final boot scan.  Others were outright exploits and Trojans.  All have been quarantined as of the moment.

This is as complete an update as I can now provide.

Saved by Avast!

mchain

XP Home Edition SP3 P4 2.8  2 GB RAM Avast! Free 6.0.1289

[essexboy]

If you have the time I can do a check for remnants

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Attach both logs

[mchain]

If you have the time I can do a check for remnants

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Attach both logs

essexboy,

First day I will be able to get to this system will be tomorrow (Wednesday here in the US).  At that time I will provide the scan logs from SAS, Malwarebytes and a screenshot of virus chest in Avast!  (Likely two of them here in this case, as the total quarantined files is about 20 +.)

As this system is at my client's house, and he does not have internet access ATM, all work done will have to be done both here and there.

Please be patient while we work this out.

OTL will be downloaded and script pasted in.  Appreciate the help.

All info will be attached tomorrow.

mchain

XP Home Edition SP3 P4 2.8 2 GB RAM Avast! Free 6.0.1289

[essexboy]

I am subscribed to this thread so time is not a problem

[mchain]

I am subscribed to this thread so time is not a problem

essexboy,

OK, then.

This is the first of two posts.  Second will have the OTL files attached, as well as the logs from the anti-malware programs.  Second will follow in about two hours or less.

Now have the client's computer here, and not there anymore.  Reason for this decision is due to the fact that it has SP2 on it, and I have a burned XP3 CD disc available to install it.  It is a complete file, as it is suitable for Windows Server, et al, as well as for XP Home and Professional.

Question:  Is it better to wait on XP3 install until system is known clean until we finish with removing remnants?  I am sure we will find more, especially as it was run w/o a/v and firewall for an unknown amount of time.  Not even Windows Firewall was turned on.

System will not be put online until after system is clean and XP3 is installed.

It will be after XP3 is installed that COMODO will be installed, and that won't happen until both of us are good to go, so...

Once again, System Restore is not available as a service to run.

mchain

XP Home SP3 P 2.8 2 GB RAM Avast! 6.0.1289

[essexboy]

No hold of on SP3 initially as we can use that for any repairs later 

[mchain]

No hold of on SP3 initially as we can use that for any repairs later  

essexboy,

OK, now we have the files (and more) you requested.

A small problem:  Client's computer is bi-lingual, with Spanish as the primary.

So, when I ran OTL, the GUI came up in Spanish, rather than English.  All other programs installed as security programs installed properly in English.  (Selected English as default language on install.)  No option apparently for OTL, it appears.

If you could, can you please post images as to where I paste your commands?

I will then run OTL and get back to you posthaste.  As it is, I got OTL to run, and it produced the two logs you requested.  

I will post the rest to follow.

mchain

XP Home Edition SP3 P4 2.8 2 GB RAM Avast! 6.0.1289

[mchain]

No hold of on SP3 initially as we can use that for any repairs later 

essexboy,

Continued:

[mchain]

No hold of on SP3 initially as we can use that for any repairs later 

essexboy,

Continued, part 3.

[mchain]

No hold of on SP3 initially as we can use that for any repairs later 

essexboy,

Where can I upload the other two .jpg's (too big) for you to see?

One of them is the avast! virus  chest.

mchain

XP Home Edition SP3 P4 2.8 2 GB RAM Avast! 6.0.1289

[mchain]

No hold of on SP3 initially as we can use that for any repairs later  

essexboy,

Here is the Extra.txt.  Sorry, but I attached one OTL file twice. 

Going to spend a little time backing up client's files just in case, for now.

mchain

[mchain]

I am subscribed to this thread so time is not a problem

Essexboy,

One more time :-)  Two .jpg files here:  http://www.mediafire.com/?9zz8hpyh8zicnvd  and here:  http://www.mediafire.com/?a6u7cn8nnd7fyas

I like a challenge, so I figured out how to run OTL and run all users and paste commands on my own.

Exact logs requested will follow soon.   

mchain

[mchain]

I am subscribed to this thread so time is not a problem

Essexboy,

One more time :-)  Two .jpg files here:  http://www.mediafire.com/?9zz8hpyh8zicnvd  and here:  http://www.mediafire.com/?a6u7cn8nnd7fyas

I like a challenge, so I figured out how to run OTL and run all users and paste commands on my own.

Exact logs requested will follow soon.   

mchain

Here are the two .txt files w/command files run below.

[essexboy]

OK what we are looking for now is a hidden driver or service, for that I will need to use a stronger tool.  This will offer to install the recovery console allow it to do so

Reference OTL usage - have a look here http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/
 
 Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

 IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now