I recently had a few viruses on one of my home computers; there were some trojans, and at least one rootkit. I believe I was successfully able to remove them, but I'm not 100% sure. One of the trojans "ate" my network: the firewall is disabled and I can't restart it along with Internet Connection Sharing, and the DHCP service doesn't appear to be working either. To add to it, it boots up slower than usual before the login screen, and once the login screen is reached, if I let it sit for about 10 minutes a mysterious application appears; the title at the top is "mini web browser". I've never seen anything like that happen before. It doesn't appear very functional: it has 4 buttons that don't really do anything ("clear log", "Test 1", "Test 2", "Test 3"), a check box that says "show links", and a text box below. I searched the registry and couldn't find anything suspicious, and I didn't notice anything suspicious on my HijackThis log either. If anybody has experienced this before or has any knowledge pertaining to this, their input would be greatly appreciated. I've included my HijackThis log, and I can upload a screenshot of the login screen with the "mini web browser" if it would be useful.
MS Windows XP Professional 32-bit SP3
Intel Pentium 4 northwood 0.13um Technology
1.00 GB Dual-Channel DDR @ 199MHz (3-3-3-8)
Dell Computer Corp. 0DG284 (Microprocessor)
NEC FE771SB (1024x768@75Hz)
256MB RADEON X850 Series (ATI)
256MB RADEON X850 Series (ATI) - Secondary (ATI)
39.1GB Seagate ST340016A (PATA)
488GB Western Digital WDC WD5000AAKS-7STMA0 (SATA)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:40:23 PM, on 3/15/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
This is pretty new, I couldn't find ANYTHING on these files below on a search engine. This started on March 12. Btw I'm on a laptop and have a hardware kill switch, so when I got suspicious, wireless was disconnected. I'm operating XP SP3 2005. Here's what happened to me:
1. Internet and downloads slowed considerably
2. Redirected on IE8 and Firefox (hijacked), but NOT on OPERA 9.63 (unaffected)
3. Used hardware kill switch to disconnect internet for analysis
4. Found the following files, directories, and registry entries... nothing on Google:
5. on restart, the "Mini Web Browser" popped up for less than a second
I noted that cursor movement was slowed, like done in the Control Panel applet.
C:\Documents and Settings\User\Local Settings\Temp\Temporary Internet Files\Content.IE5
"C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe"
C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe huvoi
Inhaca "C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe"
The stuff in \Run directory can be stopped using the msconfig tool, and MUI and MRU are what you have touched recently.
Delete ALL files in the \Temp\Temporary Internet Files\Content.IE5 folder
You CAN'T move, rename or copy the suspicious files in the \Application Data folder (\inhaca, \Meomo\uhcu.iwe, \evewhe\huvoi.exe, \xuasn [which has a temporary file that seems to delete itself]); you will need the freeware Unlocker tool, copy it from an external source like a flash drive. Try sending these in a zip folder to the anti-virus companies, since I was stupid enough to delete them instead. Anyway the internet should work once they are renamed or erased. I had a Norton free trial preinstalled; I had to install it twice before it updated itself. Here's what it found on a scan:
"Trojan.Zeroaccess!inf" detected by virus scanner; but lists both as "high" and "low" risk???; detection of Bloodhound.CC.Rootkit.
You can download "FixZeroAccess.exe" from their website; it cleaned some contaminated files but didn't stop the Mini Web Browser thingy. However, it kept saying it stopped intrusion attempts from IPs:
18.104.22.168:4966 Amsterdam Registrar: RIPE Network Coordination Centre name: Alex
XX.XXX.XXX.XXX:3483 (tcp/https) drpxbbjbvcvcjllyqxsn.com
22.214.171.124:443 over https Seoul, Kyonggi-Do, Korea RIPE-NCC-RIS-AS (RIPE NCC RIS project)
126.96.36.199:34354 Livermore, CA c-24-4-12-12.hsd1.ca.comcast.net
In TCPView, by just sitting at startup, my computer was connecting to addresses like:
www-15-05prn1.facebook.com (which I've never visited, by the way)
After all this, I can't login to eBay without extra credentials because of suspicious account activity from my IP, but my partner can!
Crazy huh? And this Mini Web Browser still hasn't been fixed.
However, Firefox was still being hijacked (when I click on toolbar links) to: myspace.com & mevio.com via ad-feeds.net.
Also, upon launching Firefox, I saw a ZoneAlarm Security Alert that "Firefox is trying to act as a server." This alert continued to appear until I chose Accept to grant Firefox server privileges. I don't think that this is normal behavior - Firefox should be able to run without server privileges.
Next I ran the Kaspersky anti-rootkit application, tdsskiller.exe. This program found a rootkit infection, "Virus.Win32.Zaccess.aml", in \WINDOWS\system32\drivers\redbook.sys, and cleaned it.
After a system reboot, Firefox no longer tries to act as a server, and links are no longer hijacked.
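The two kinds of evidence the replies above rely on, startup entries pointing at randomly named executables under \Application Data and outbound connections to a gibberish domain, can be checked mechanically. The script below is an added triage example written for this thread, not a tool any poster used: it parses HijackThis-style O4 lines and TCPView-style connection lines and flags entries whose executable lives in a user-writable profile directory or whose registrable domain label has no plausible vowel structure. The sample lines are constructed for illustration, modelled on the paths and hosts quoted in the thread; the path markers and the randomness thresholds are assumptions, tuned only to these samples.

```python
import re

# Constructed sample inputs modelled on the thread (not a real HijackThis log).
SAMPLE_STARTUP = [
    r'O4 - HKCU\..\Run: [huvoi] "C:\Documents and Settings\EDSC\Application Data\Evewhe\huvoi.exe"',
    r'O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [Inhaca] "C:\Documents and Settings\EDSC\Application Data\Meomo\uhcu.iwe"',
]

# Constructed TCPView-style lines: process, protocol, local, remote, state.
SAMPLE_CONNECTIONS = [
    "svchost.exe TCP 192.168.1.10:1042 drpxbbjbvcvcjllyqxsn.com:443 ESTABLISHED",
    "firefox.exe TCP 192.168.1.10:1050 www-15-05prn1.facebook.com:443 ESTABLISHED",
    "svchost.exe TCP 192.168.1.10:1051 update.microsoft.com:443 ESTABLISHED",
    "svchost.exe TCP 192.168.1.10:1052 22.214.171.124:443 ESTABLISHED",
]

# HijackThis O4 line: "O4 - <hive>: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# Assumed markers for user-writable profile directories on Windows XP;
# legitimate autostart entries normally live under \WINDOWS or \Program Files.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\temp\\")


def parse_o4(line):
    """Return {hive, name, path} for an O4 line, or None if it does not match."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # Quoted paths may contain spaces; unquoted ones end at the first space.
    path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return {"hive": m.group("hive"), "name": m.group("name"), "path": path}


def in_user_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def suspicious_startup(lines):
    """Names of autostart entries whose executable sits in a user-writable directory."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry and in_user_writable_dir(entry["path"]):
            hits.append(entry["name"])
    return hits


VOWELS = set("aeiou")


def looks_random(label):
    """Heuristic: long label with almost no vowels or a long consonant run."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_count = sum(c in VOWELS for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_count / len(letters) < 0.2 or longest >= 5


def registrable_label(host):
    """Label just before the TLD, so CDN prefixes like www-15-05prn1 are ignored."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def suspicious_hosts(lines):
    """Remote hosts from TCPView-style lines whose domain label looks machine-generated."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = fields[3].rsplit(":", 1)[0]  # strip the port
        if looks_random(registrable_label(host)):
            hits.append(host)
    return hits


if __name__ == "__main__":
    print("Startup entries to investigate:", suspicious_startup(SAMPLE_STARTUP))
    print("Remote hosts to investigate:", suspicious_hosts(SAMPLE_CONNECTIONS))
```

On the constructed samples this reports the two \Application Data entries and the gibberish .com host while leaving the Facebook CDN name, the Microsoft update host and the bare IP alone. A bare IP is not judged here at all; the thread's point about the Comcast and Korean addresses is that unexpected peers are worth a second look regardless of what a name heuristic says.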