How to make sure that your LSP chain is intact



#1 Jersey Mike

Posted 10 July 2008 - 08:13 PM

About a week ago two of my computers were suddenly hit with a trojan called the "XPFIXER". Its initial symptoms are very visible. Your background is changed to a solid blue with a single warning box right in the middle of the screen that says "Your computer has been infected. Click here for a free virus scan". The wording might be a little different because I'm going by memory. Also, Internet Explorer (if that is your browser of choice) will start acting very strange, as if someone else is controlling it. It will open and close, and go to different websites on its own. You will definitely know that something is wrong. Do NOT click that warning box because it is not going to help get rid of your problem; it will only get worse.

I immediately went to "My Network Places", right-clicked on the desktop icon and picked "Properties". From there I disabled my network card to (hopefully) keep damage to a minimum. I then used every virus scanner, malware scanner and rogueware scanner that I had and ran them on the one machine. I just powered off the other one until I could find what would fix the problem. Nothing I used worked. I couldn't get rid of the background, or the bizarre behavior in IE, no matter what I did.

I finally started killing processes using Sysinternals' procexp.exe, which is a process explorer. It functions similarly to Task Manager but shows you the whole process tree instead of just the process. You can also use this tool to end processes that Task Manager says "access denied" to. When I killed one instance of svchost.exe, the system shut itself down and rebooted. This meant that there was at least one DLL involved.

When the system came back up, it was acting the same way. It was also now preventing me from running certain programs like Spybot S&D. I started looking through the Windows\System32 file system for things that looked abnormal. I sorted the folder by date and found 3 DLLs that had been created very recently. They all had strange names that looked like letters randomly thrown together. I tried to delete each one in turn but they were all locked. I didn't know about Malwarebytes' FileASSASSIN at the time. I probably could have rebooted into Safe Mode to delete those DLLs, but I have a bootable CD which is especially for troubleshooting. It started with BartPE but has been worked on by several people since then. Anyway, this CD has gotten me out of many sticky situations in the past, so I booted it up. Once the system was up, I could delete the locked DLLs, get rid of the background and put my normal background back in place. I also took the time to empty each user's temp and internet temp folders. I've found in the past that malware writers like to stick their code into the temp folders because most people don't look in there.

I rebooted back into XP and it looked like the problem was gone. However, I found that I had a new problem. My computer could not get a DHCP address no matter what I tried. I tried changing the TCP/IP settings and set a static IP address. This would allow me to ping another machine on my internal network, but I could not get out to the internet. At this point I went to another clean machine and sent out a plea for help to the Malwarebytes community. AdvancedSetup and JeanInMontana were both very willing to help me, even though I had made some obvious mistakes in the information I provided. It was 2:30 in the morning and I was really starting to hate malware.

JeanInMontana has written an excellent tutorial of what steps to take to get your machine as clean as you can and then send in HijackThis logs for further analysis, if necessary. You can find that tutorial here: http://www.malwareby...?showtopic=2936. She also sent me another url, and that was what I needed to fix the network problem. The url is http://www.bleepingc...tutorial59.html. This site has a tiny little utility called "LSPFix.zip"; it might also be available as an exe file, I can't recall.

I downloaded that utility to a USB key on a working computer, then plugged it into my broken one and ran it. It took about 10 seconds and came back and said "Your LSP chain is broken. Do you want us to fix it?". The wording may not be exact but it's pretty close. I answered Yes, the computer hard drive made some awful sounds for about another 30 seconds and then LSPFix prompted me to reboot my computer, which I did.

When it came back up, the network card immediately got a DHCP address, I could get on the internet just fine and I was as happy as I could be. I then went through Jean's tutorial again, using each tool in the exact order that she specified, and cleaned up 32 other pieces of rogueware. I'm going to monitor it and run scans on it daily for about a week, but I think it is back to normal. And it's really funny because now it seems to be much snappier (quicker). It had been degrading for some time and I didn't notice because I used it every day.

Hats off to AdvancedSetup and JeanInMontana and her excellent tutorial. I printed it out and put the pages in plastic covers. I'm keeping this one close at hand.

Thank you everyone,
Jersey Mike

P.S. Jean, thanks for pushing. Without it I don't think I'd have done it and someone else would have to go through the same torture again. I hope I put it in the right place.
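Mike's post describes the condition LSPFix repairs without naming it: the three deleted DLLs were registered in the Winsock catalog as Layered Service Providers, and a catalog entry pointing at a DLL that no longer exists breaks the chain for every program that uses sockets, DHCP and the browser included. The PowerShell below is an added example, not code from the post or from LSPFix; it parses `netsh winsock show catalog` and lists entries whose DLL is missing from disk. The function name `Get-OrphanedWinsockProviders` and the sample catalog text are constructed for this illustration.

```powershell
# Added example (not from the original post): list Winsock catalog entries
# whose provider DLL no longer exists on disk, the dangling entries that
# leave the LSP chain "broken" after a malware DLL is deleted out from under it.
function Get-OrphanedWinsockProviders {
    param(
        # Lines of `netsh winsock show catalog`; defaults to the live output.
        [string[]]$CatalogText = (netsh winsock show catalog)
    )
    $records = @()
    $current = $null
    foreach ($line in $CatalogText) {
        if ($line -match 'Provider Entry\s*$') {        # header line starts a new record
            if ($null -ne $current) { $records += $current }
            $current = @{}
        }
        elseif (($null -ne $current) -and
                $line -match '^\s*(Entry Type|Description|Provider Path|Catalog Entry ID):\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $current) { $records += $current }

    foreach ($r in $records) {
        if (-not $r['Provider Path']) { continue }      # namespace providers list no DLL
        $dll = [Environment]::ExpandEnvironmentVariables($r['Provider Path'])
        if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
            New-Object PSObject -Property @{
                CatalogEntryId = $r['Catalog Entry ID']; EntryType  = $r['Entry Type']
                Description    = $r['Description'];      MissingDll = $dll
            }
        }
    }
}

# Constructed sample (not real netsh output): one healthy base provider and one
# LSP whose DLL has been deleted, the situation described in the post.
$sample = @'
Winsock Catalog Provider Entry
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Winsock Catalog Provider Entry
Entry Type:                         Layered Service Provider
Description:                        EXAMPLE_ORPHANED_LSP
Provider Path:                      %SystemRoot%\system32\example_deleted.dll
Catalog Entry ID:                   1020
'@ -split "`r?`n"

Get-OrphanedWinsockProviders -CatalogText $sample | Format-Table -AutoSize
```

Run with no arguments on the affected machine to inspect the live catalog; only the orphaned LSP entry is reported for the sample. On Windows XP SP2 and later, `netsh winsock reset` followed by a reboot rebuilds the catalog to its default state, which is the repair LSPFix performs interactively.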

#2 AdvancedSetup

Posted 10 July 2008 - 11:06 PM

Thanks for the post, Mike. I've moved it into the PC Help forum as the HJT forum is only for actual HJT posts.

Thanks again.
