Virus infects explorer.exe, userinit.exe

ClickRight

I'm in a hurry so I'll try and keep this short while giving the necessary details.

I have a client's PC (Vista SP2) in for a virus removal. The only noticeable symptom is web page redirecting in IE and Firefox. We have run it through the usual MBAM, Super Anti-Spyware, and full offline scans using Dr. Web and Norman Malware Cleaner. None of these scans pick up anything; the only scanner that picks up anything at all is Combofix, which reports that explorer.exe and userinit.exe are infected. If I upload those files to VirusTotal, they will confirm the infection, but just give it a generic name (Trojan.Packer, I believe).

Even if I replace those files with clean versions and reboot, the virus comes back. Has anyone seen this before -- any thoughts or suggestions?
 
If you are replacing the files and the infections reappear, there may be a trigger running earlier that you've missed. Anything showing out of place in Autoruns/HijackThis logs? If Combofix can't clear it, might be the result of a rootkit?
 
Have you looked around the registry to see what might be starting and replacing the files?

Have you tried sfc to check the validity of system files?

Did you scan offline with a really good AV like Kaspersky?

Check it out with Gmer and see which other files might be implicated.
 
Hey

I've had a similar one recently with the redirection issue; in my experience that's usually related to a TDSS rootkit. Download and run TDSSKiller, it takes five minutes and I bet it finds something.... Let us know how you get on, I'd like to know if that finds it ;)

Good Luck!

Mike
 
Hey

I've had a similar one recently with the redirection issue; in my experience that's usually related to a TDSS rootkit. Download and run TDSSKiller, it takes five minutes and I bet it finds something.... Let us know how you get on, I'd like to know if that finds it ;)

Good Luck!

Mike

Yes - good call.


...................
 
Wow,
as I have Kaspersky Internet Suite on my personal laptop, I thought I'd try to find this TDSSKiller myself to see if it is part of the suite or not.
Of course I could not find it.
Not to mention that my KIS has its own rootkit scanner, which drives me mad running several times per day.
I downloaded TDSSKiller from the Kaspersky website and ran it.
SURPRISE, one suspicious file found in the system folder.
Ran a scan of that folder with KIS and nothing found (the rootkit scanner runs several times per day, as I said).
Quarantined the damn thing and ran TDSSKiller again, but the suspicious file was still there. So this time I chose to delete it.
Another surprise: on the delete list, the same file showed up maybe 50 times.
It looks like it recreates itself when chosen to delete it.
However, TDSSKiller asked me to reboot the system and the file would be deleted after reboot.
Did the reboot, ran TDSSKiller again and this time nothing found.
Indeed, if that suspicious file was a genuine file, it would not have recreated itself???

Thank you very much and just as a note, TDSSKiller does not come with Kaspersky Internet Suite.
Another tool for my USB drive.
Thank you again, in fact I cannot thank you enough.... :)
 
Or my axe?


(Oops, wrong running joke)


I've been running TDSSKiller on every machine I touch lately. It's finding something on about every 4th/5th machine, even those with no symptoms.
 
Or my axe?
I've been running TDSSKiller on every machine I touch lately. It's finding something on about every 4th/5th machine, even those with no symptoms.

quoted for truth

Since we're on the topic of TDSS, if anyone is interested in what does detect the latest releases of it (from Malware Domain List, at least):

I was bored yesterday and decided to infect a spare computer (full updates, etc., no antivirus though) with TDSS, which was active yesterday on some website.

I scanned (and attempted to remove) with the following:

AVG AntiRootKit -> No
Avast! AntiRootkit -> No
Dr. Web Scanner -> Yes
McAfee Rootkit -> No
Rootanalyzer -> No
SanityCheck -> BSOD'd
Hitman Pro -> Yes but makes you get a free license
Sophos AntiRootkit -> No
Norman Malware Cleaner -> No
Kaspersky Virus Removal Tool -> Yes (Failed to remove, however)
Kaspersky TDSSKiller -> Yes

Autoruns: Nothing suspicious
Process Explorer: Under spoolsv.exe there was a "2F.tmp" running; tested and installed the rootkit again and then a "3F.tmp" appeared, so this is obviously related to the rootkit in some way
WinDbg (Local Kernel): found no differences with !process 0 0; !chkimg -d nt found errors, however !chkimg -f nt failed to fix them


Can you tell I was bored :\?
P.S. I think TrendMicro's "Rootkit Remover" is the same as Rootanalyzer. I deleted it, but if you're wondering why it's not listed, this is why.

I also didn't try Gmer now that I think of it *face palm*
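The earlier replies suggest checking what the registry starts at logon and whether the system files are still valid, and the test above found the rootkit's helper process running as a .tmp image under spoolsv.exe. The following read-only triage script is an added example written for this thread, not code from any poster or from TDSSKiller; it assumes an elevated PowerShell prompt on the suspect machine, and the function names (Get-WinlogonValues, Test-LogonBinary, Get-TempImageProcess) are hypothetical. It reads the Winlogon Shell/Userinit values, checks the Authenticode signature and SHA-256 of explorer.exe and userinit.exe, and lists any running process whose image path ends in .tmp together with its parent.

```powershell
# Added example, not part of the original thread. Read-only: it changes nothing.
# Assumes Windows PowerShell 2.0 or later (Vista-compatible cmdlets only) and an
# elevated prompt so that every process's image path is readable.

$sys32    = Join-Path $env:SystemRoot 'System32'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. What Winlogon launches at logon. On a clean machine these read
#    Shell = explorer.exe and Userinit = C:\Windows\system32\userinit.exe,
#    (trailing comma included). Anything extra after the comma is a persistence hook.
function Get-WinlogonValues {
    $v = Get-ItemProperty -Path $winlogon
    New-Object PSObject -Property @{
        Shell    = $v.Shell
        Userinit = $v.Userinit
    }
}

# 2. Signature state and hash of the two logon binaries. A file that has been
#    patched in place keeps Microsoft's embedded signature but the hash no longer
#    matches, so Status shows as HashMismatch instead of Valid.
function Test-LogonBinary {
    # explorer.exe lives in %SystemRoot%; userinit.exe lives in System32
    $targets = @(
        (Join-Path $env:SystemRoot 'explorer.exe'),
        (Join-Path $sys32 'userinit.exe')
    )
    foreach ($path in $targets) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        # SHA-256 via .NET so the script also works where Get-FileHash is absent
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($path)
        try {
            $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Close()
        }
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        New-Object PSObject -Property @{
            Path   = $path
            Status = $sig.Status      # Valid / HashMismatch / NotSigned / ...
            Signer = $signer
            SHA256 = $hash            # compare against a known-clean copy of the same build
        }
    }
}

# 3. Running processes whose image is a .tmp file, with the parent that spawned
#    them (the pattern seen above was NN.tmp under spoolsv.exe).
function Get-TempImageProcess {
    Get-WmiObject Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like '*.tmp' } |
        ForEach-Object {
            $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            New-Object PSObject -Property @{
                Pid       = $_.ProcessId
                Image     = $_.ExecutablePath
                ParentPid = $_.ParentProcessId
                Parent    = if ($parent) { $parent.Name } else { '<exited>' }
            }
        }
}

'--- Winlogon values ---';      Get-WinlogonValues   | Format-List
'--- Logon binaries ---';       Test-LogonBinary     | Format-List
'--- Processes with .tmp images ---'
$tmp = @(Get-TempImageProcess)
if ($tmp.Count -eq 0) { 'none found' } else { $tmp | Format-Table Pid, Parent, ParentPid, Image -AutoSize }
```

A HashMismatch on either binary, or a Userinit value with anything appended after the comma, corroborates the Combofix report; an empty .tmp list from inside the infected OS proves little, since a kernel rootkit can hide its process from WMI just as it hides from on-box scanners, which is why the thread's advice to confirm from a boot CD still stands.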
 
Thank you very much and just as a note, TDSSKiller does not come with Kaspersky Internet Suite.
Another tool for my USB drive.
Thank you again, in fact I cannot thank you enough.... :)

Late reply, but just wanted to say no worries, that's what this forum is all about! This place has been nothing but help and interesting reads! Great community....

:)
 
Dr. Web Scanner -> Yes

Do you mean Dr. Web gets it from inside the infected OS? I've only ever used it from UBCD4WIN, and of course it'll detect it from there where the rootkit isn't running, but I didn't think it was able to get it whilst running.
 
Try scanning with a boot CD. I use the Dr. Web Live CD or AOSS; they will usually pick up things like rootkits if all else fails.
I find SARDU very useful for this. I created a DVD ISO and also have a few flash drives set up with the current version of UBCD4WIN, Dr. Web Live CD and AOSS.
 
Do you mean Dr. Web gets it from inside the infected OS? I've only ever used it from UBCD4WIN, and of course it'll detect it from there where the rootkit isn't running, but I didn't think it was able to get it whilst running.

Yeah, it launches itself into some sort of Dr. Web-like safe mode; hard to explain without actually seeing it for yourself.

They update it every day; the only annoyance is you have to redownload it every time: http://www.freedrweb.com/cureit/?lng=en

small price to pay for brilliance
 
I vote nay on the Dr. Web boot CD. Reason? I've seen it take HOURS on end to do a complete scan. Kind of hard to get things done like that onsite, IMO.

I think it's a great product (for catching things), but timeliness makes it a last-resort on-the-bench-only tool for me.

Maybe others have suggestions as to how to make scans with it more timely.
 