Cannot run exe files - association broken after remove virus


Comments

  • JesseJames_2
    JesseJames_2 Posts: 328 Forumite
    Part of the Furniture 100 Posts Name Dropper Combo Breaker
    RussJK wrote: »
    p.s., I'm assuming that you did ask Malwarebytes to remove this item afterwards:
    Files Infected:
    c:\WINDOWS\ezebeqixiwu.dll (Trojan.Hiloti) -> No action taken.

    No I left it, but let Hitman Pro delete this afterward.

    Hitman also found in system32:
    atkctrs0.dll (on my XP VM it is called atkctrs.dll)
    normidna8.dll (hidden file)

    Hitman also failed to remove during restart, and found these 2 viruses again on a second pass.

    RussJK wrote: »
    The trojan left behind a DNS hijack. I would definitely run Combofix, as it's had a full package there and it's likely there's a rootkit as well. Make sure 'security center' under services.msc is set to 'Automatic (delayed start)'.

    I had put it as Automatic (can you delay the start on XP?)
    Also it is now showing as disabled again

    ComboFix has been running and restarting over the last 20 minutes
    Just finished

    Quick scan of ComboFix
    No rootkits
    Files new over the last month - includes the 2 Hitman virus dlls above.
  • RussJK
    RussJK Posts: 2,359 Forumite
    Wait, what did Combofix look like? There's no 'quick scan' with Combofix. What do you mean "running and restarting"? Did it produce a combofix.txt log? Should be on the root of C drive. Can copy/paste it to http://pastebin.com/ then just give the link to pastebin.

    Both look dodgy and atkctrs.dll can be part of a rootkit:
    atkctrs0.dll
    normidna8.dll

    If they are still there, see if you can upload both to www.virustotal.com and supply the links to the report - make sure you re-analyse if it asks. Afterwards try the FileAssassin tool in Malwarebytes (Other Tools tab) or see if you can rename them.

    Might be a 'clean up as best you can then reinstall' job, including running FIXMBR from the recovery console.
  • JesseJames_2
    JesseJames_2 Posts: 328 Forumite
    Part of the Furniture 100 Posts Name Dropper Combo Breaker
    edited 17 June 2011 at 8:38PM
    OK I'll do that - dlls are still there

    ComboFix log: http://pastebin.com/8j7C8CEe

    I did notice before I saw your last post that there are about 5 entries in HKLM\software with random character Key/data pairs pointing to the application data folder.

    " There's no 'quick scan' with Combofix." - I meant a quick visual lookover of the comboFix log :-)

    "What do you mean "running and restarting"?" - I noticed the PC restarting once before continuing
  • RussJK
    RussJK Posts: 2,359 Forumite
    Could you browse to that folder, then right click and 'edit' the batch file below, then copy paste the contents? If it's huge, then put onto another pastebin. Afterwards, delete the following:
    c:\documents and settings\Admin\Application Data\phvoisznn.bat
    c:\windows\Hgoqoxubace.bin

    Wouldn't hurt to manually look in the different Application Data folders for each user, as there's often more dodgy looking files and folders.

    Going to have some dinner, but I'll be back later on.
  • JesseJames_2
    JesseJames_2 Posts: 328 Forumite
    Part of the Furniture 100 Posts Name Dropper Combo Breaker
    edited 17 June 2011 at 10:29PM
    RussJK wrote: »
    Could you browse to that folder, then right click and 'edit' the batch file below, then copy paste the contents? If it's huge, then put onto another pastebin. Afterwards, delete the following:
    c:\documents and settings\Admin\Application Data\phvoisznn.bat
    c:\windows\Hgoqoxubace.bin

    Wouldn't hurt to manually look in the different Application Data folders for each user, as there's often more dodgy looking files and folders.

    Going to have some dinner, but I'll be back later on.

    That batch file - phvoisznn.bat (the Temp folder was empty when I looked)
    :redel
    REM keep deleting the .tmp file until it is gone (it may still be locked when first tried)
    del "C:\DOCUME~1\Admin\LOCALS~1\Temp\aeoxmsnrwc.tmp"
    if exist "C:\DOCUME~1\Admin\LOCALS~1\Temp\aeoxmsnrwc.tmp" goto redel
    REM then the batch file deletes itself (%0 is its own path)
    del %0
    Those DLL files

    Had to go in to recovery console to copy files.
    I suppose I can delete them there as well but will check first.

    atkctrs0.dll - http://www.virustotal.com/file-scan/report.html?id=3d52dd82dad1849ec965f387a5810a88a6a191d84d9aabfa569ec1ee3cda3879-1308343182

    normidna8.dll - http://www.virustotal.com/file-scan/report.html?id=aea860112fa23f0a6cc0085fe92f80e9ccf4cb7d52dd9af4aacabf952ac91ae0-1308342982

    Noticed these 2 dlls running under the Microsoft name in Process Explorer...

    svchost.exe (parent of the 4 child processes below)
    rundll32.exe
    rundll32.exe
    rundll32.exe
    wuauclt.exe

    Path: C:\WINDOWS\system32\svchost.exe
    Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Current Directory: C:\WINDOWS\system32\

    Path: C:\WINDOWS\system32\rundll32.exe
    Command Line: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\atkctrs0.dll",hzimg
    Current Directory: C:\WINDOWS\system32\

    Path: C:\WINDOWS\system32\rundll32.exe
    Command Line: C:\WINDOWS\system32\rundll32.exe "C:\Program Files\Microsoft.NET\normidna8.dll",OAJA
    Current Directory: C:\WINDOWS\system32\

    Path: C:\WINDOWS\system32\rundll32.exe
    Command Line: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\normidna8.dll",bukdbsxatf
    Current Directory: C:\WINDOWS\system32\

    Path: C:\WINDOWS\system32\wuauclt.exe
    Command Line: "C:\WINDOWS\system32\wuauclt.exe"
    Current Directory: C:\WINDOWS\system32\

    UPDATE: I went into recovery console, took off the read-only attributes, and deleted both dlls.
    Seems to have worked, but the halting for a few seconds is still happening.
    Currently running MWB, CFix, Hitman, etc...
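The Process Explorer records in the post above are the kind of evidence worth triaging systematically rather than by eye. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses "Path: / Command Line:" records in that layout, pulls out which DLL and export each rundll32.exe is hosting, and flags the three tells the thread itself points at: an export name with no CamelCase or underscore structure (hzimg, OAJA, bukdbsxatf), a DLL loaded from somewhere other than system32 (C:\Program Files\Microsoft.NET), and a file name that is a digit-suffixed lookalike of a known system DLL (atkctrs0.dll vs the atkctrs.dll seen on the clean XP VM). The expected directory, the export-name heuristic and the known-good list are assumptions for illustration; atkctrs.dll is the only known-good name taken from the thread.

```python
"""Triage rundll32.exe hosts from a Process Explorer style listing.

Added example, not code from the forum thread. Parses "Path: / Command Line:"
records, extracts the DLL and export each rundll32.exe is hosting, and flags:
an export name without CamelCase/underscore structure, a DLL outside
%SystemRoot%\\system32, and a digit-suffixed lookalike of a known system DLL.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample: the Process Explorer records quoted in the thread.
SAMPLE_LISTING = r"""
Path: C:\WINDOWS\system32\svchost.exe
Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
Current Directory: C:\WINDOWS\system32\

Path: C:\WINDOWS\system32\rundll32.exe
Command Line: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\atkctrs0.dll",hzimg
Current Directory: C:\WINDOWS\system32\

Path: C:\WINDOWS\system32\rundll32.exe
Command Line: C:\WINDOWS\system32\rundll32.exe "C:\Program Files\Microsoft.NET\normidna8.dll",OAJA
Current Directory: C:\WINDOWS\system32\

Path: C:\WINDOWS\system32\rundll32.exe
Command Line: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\normidna8.dll",bukdbsxatf
Current Directory: C:\WINDOWS\system32\

Path: C:\WINDOWS\system32\wuauclt.exe
Command Line: "C:\WINDOWS\system32\wuauclt.exe"
Current Directory: C:\WINDOWS\system32\
"""

# Where DLLs hosted by rundll32 are expected to live. Assumption for this
# example; tune it per build image.
EXPECTED_DIR = r"c:\windows\system32"

# Known-good names for the lookalike check. atkctrs.dll is the one the thread
# confirmed on a clean XP VM; extend from a trusted install of the same build.
KNOWN_SYSTEM_DLLS = {"atkctrs.dll"}

# rundll32.exe "<dll path>",<export>   or   rundll32.exe <dll path>,<export>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE,
)


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Split a Process Explorer copy/paste into {field: value} records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep and key.strip():
                rec[key.strip().lower()] = val.strip()
        if rec:
            records.append(rec)
    return records


def export_looks_random(export: str) -> bool:
    """Heuristic: genuine rundll32 entry points are almost always CamelCase or
    underscored (Control_RunDLL, PrintUIEntry); 'hzimg' or 'OAJA' are neither."""
    if export.startswith("#"):          # ordinal export, judged separately
        return False
    return re.search(r"[a-z][A-Z]|_", export) is None


def lookalike_of(dll_name: str, known=KNOWN_SYSTEM_DLLS) -> Optional[str]:
    """Return the known DLL that dll_name mimics by appending digits, if any."""
    stem, _, ext = dll_name.lower().rpartition(".")
    base = stem.rstrip("0123456789")
    if base != stem and f"{base}.{ext}" in known:
        return f"{base}.{ext}"
    return None


def triage(text: str) -> List[Dict[str, object]]:
    """One finding per rundll32.exe record, with the reasons it looks off."""
    findings = []
    for rec in parse_listing(text):
        m = RUNDLL_RE.search(rec.get("command line", ""))
        if not m:
            continue                    # svchost, wuauclt, ... are not rundll32 hosts
        dll, export = m.group("dll"), m.group("export")
        reasons = []
        if export.startswith("#"):
            reasons.append("ordinal_export")
        elif export_looks_random(export):
            reasons.append("random_export")
        if ntpath.dirname(dll).lower() != EXPECTED_DIR:
            reasons.append("unexpected_dir")
        mimic = lookalike_of(ntpath.basename(dll))
        if mimic:
            reasons.append(f"lookalike:{mimic}")
        findings.append({"dll": dll, "export": export, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        flag = "SUSPECT" if f["reasons"] else "ok"
        print(f"{flag:7} {f['dll']},{f['export']}  {', '.join(f['reasons'])}")
```

Run against the listing above, all three rundll32 records come out as SUSPECT: the atkctrs0.dll host for its random export and its lookalike name, the Microsoft.NET copy of normidna8.dll for its random export and unexpected directory, and the system32 copy for its random export alone. The script only looks at the rundll32 command line; the parent/child relationship the post shows (rundll32 children under the netsvcs svchost) is a separate signal it does not model.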
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 17 June 2011 at 11:09PM
    Thanks for all that - funny to see McAfee as one of the very few making a detection!

    Let me know how you go with those other scans (sometimes removing trojans/rootkits will reveal other malware) but it's at that point where it'd be a good idea to back things up, format, wipe MBR and reinstall.

    You could have another go at System Restore to a date before all this happened and see if things are faster, but really if it were mine I'd be formatting.

    You could also go through with some long scans with bootdisk antiviruses (e.g. 2 hours for Avira rescue CD, 24hours for Dr Web..., forget how long for Kaspersky) but they might not even have definitions for whatever else might be there.
  • RussJK
    RussJK Posts: 2,359 Forumite
    If you do want to use an antivirus rescue/boot CD, then I've already listed some here:
    https://forums.moneysavingexpert.com/discussion/comment/41653210#Comment_41653210

    I'd only do it as an exercise for fun/learning though.
  • Thanks Russ

    You've made me work hard tonight _pale_

    So far...
    1) Automatic DNS is now working
    2) Security Centre is now running automatic in services.
    3) Was able to install Microsoft Security Essentials and run it.

    Just the slowdown now.
    The slowdown, especially navigating Explorer, is weird.
    It either is near instant, or a few seconds, and could happen in a new explorer window or just navigating within explorer.
    I can do other things before the new explorer window opens or navigates to the next directory, so it does not hang the PC in any way.
    PC seems quite quick otherwise.

    Even a save as dialog box can take a few seconds to pop up.
  • stilltheone
    stilltheone Posts: 2,131 Forumite
    Was a clean install not an option?
  • JesseJames_2
    JesseJames_2 Posts: 328 Forumite
    Part of the Furniture 100 Posts Name Dropper Combo Breaker
    Was a clean install not an option?

    Yes it was and still is.

    They dropped the PC here, but I would need to go there to install XP Home and drag my 3 kids there at nighttime. (It needs to be patched into a server - Sage programs run networked for a start.)
    So basically last resort, although I'm going to give them an option - take it as it stands and free of charge (10 hours of my time so far), or Pay to get this reinstalled.

    There is an Acer EISA partition on the drive, but I don't know how to access it - tried the FN keys (according to Acer) to no avail. No Acer tools on the system drive as it was a reinstall I did a few years ago outwith EISA - lost that disc now though. The serial key is still the original Acer one.

    Russ,
    thanks for your prompt and comprehensive effort in getting this fixed to the stage it is at.
    Just spoke to mum-in-law, and she said that the folder slowdown happened quite recently - that's in line with those pesky dlls - the 10th, I'm sure the logs say.
This discussion has been closed.