Number 305 - October 2008

An Infection Repair Case
by Ron Weinberg, Member at Large,
Tampa PC Users Group


   A friend complained his system was very slow. This is an XP Home PC rarely used that, upon investigation, had somehow become severely infected, possibly with an infection that reinstalls itself if not completely cleaned.

   McAfee Internet Security Center and Ad Aware, which were already installed, had cleaned multiple items but kept missing something. The addition of Webroot Spy Sweeper cleaned more, but still failed to complete the job. Windows Defender was also added.

   Just a few of the bad items encountered were:
  1. Adware SearchSquire
  2. Adware Ad Destroyer
  3. Adware eBay Moe Money Maker
  4. Roings Search Browser Modifier
  5. Spyware Shop At Home
  6. Adware Memory Watch
  7. Adware AZE Search
  8. Adware 180 Search Assistant
  9. Adware Easy Search Bar

   Many more were buried deep and remained hidden.

   But the most noticeable problem was the redirection of any Google search to a legitimate looking page of links, each of which really took you to an undesirable (porn) site, always at 85.255.120.26/feed/search.

   A search for this problem revealed that this was a hijack from a server in the Ukraine, and help was available from the Tech Support Forum.
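As an added example (not from the article or the forum that helped the author), here is a small Python check that flags requests to the landing page the article names in a web-proxy log, separating hits whose referer is a Google search (the redirect pattern described above) from other hits. The log lines are constructed in combined log format with a referer field; the host and path come from the article.

```python
import re
from urllib.parse import urlsplit

# Indicator as stated in the article: every hijacked search landed at
# 85.255.120.26/feed/search. Match host and path prefix exactly rather than
# guessing at a wider range, so unrelated traffic is not flagged.
HIJACK_HOST = "85.255.120.26"
HIJACK_PATH_PREFIX = "/feed/search"

# Constructed sample proxy log (combined format with referer), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2008:10:01:02 -0400] "GET http://www.google.com/search?q=tampa+pc+users HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Sep/2008:10:01:03 -0400] "GET http://85.255.120.26/feed/search?q=tampa+pc+users HTTP/1.1" 200 2048 "http://www.google.com/search?q=tampa+pc+users" "Mozilla/4.0"
10.0.0.7 - - [12/Sep/2008:10:02:10 -0400] "GET http://www.microsoft.com/ HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Sep/2008:10:03:44 -0400] "GET http://85.255.120.26/feed/search?q=news HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_hijack_url(url):
    """True when the request goes to the host and path the article identifies."""
    m = re.match(r'^https?://([^/:]+)(?::\d+)?(/[^?#]*)?', url)
    if not m:
        return False
    host, path = m.group(1), m.group(2) or "/"
    return host == HIJACK_HOST and path.startswith(HIJACK_PATH_PREFIX)

def find_hijack_hits(log_text):
    """List every hit on the indicator, noting whether it was reached from a Google search."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_hijack_url(rec["url"]):
            ref_host = urlsplit(rec["referer"]).hostname or ""
            from_google = ref_host == "google.com" or ref_host.endswith(".google.com")
            hits.append({"client": rec["client"], "ts": rec["ts"],
                         "url": rec["url"], "redirected_from_google": from_google})
    return hits

if __name__ == "__main__":
    for hit in find_hijack_hits(SAMPLE_LOG):
        print(hit)
```

A client that reaches the landing page straight from a Google results page is showing the exact symptom the article describes and is the machine to inspect first.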


   My request for assistance was responded to by 'Pancake', Security Team Analyst in Australia, who guided me step by step through the issue. Various tools were required to find the malware, Trojans and any Root Kit infections. The steps were:
  • Downloaded Fixwareout. It failed.
  • Next, SDFIX to remove Trojan Services and repair the Registry.
  • Next, ComboFix, which aborted because it found the system did not have a Recovery Console. It was necessary to download an installation package from Microsoft, which ComboFix used to install the Recovery Console.
  • Next, ComboFix ran successfully.

   With each of the above repair programs, a log was produced which, together with a new HijackThis log each time, was forwarded to the Security Team Analyst. Finally, the system was clean, and I removed the repair programs and logs. But in the process I had discovered that the System Restore function was inoperative, and it was necessary to reinstall System Restore.

   This whole process was laborious and time-consuming. It took several days because it was necessary to wait for the analyst's response to each log.

   For those of you unfamiliar with HijackThis, it is the premier tool used to document system problems of this type. It creates logs of everything related on your system and is available free from Trend Micro. I urge you to download a copy and have it on hand should it ever be needed.

   The logs can be analyzed by Trend Micro or any of several free volunteer forums.

   It is amazing that this level of expert free help is available from such highly competent volunteers.

   Finally, I installed free Spyware Blaster and ThreatFire as further prevention measures.