Cannot connect to specific websites

I have a Lenovo laptop that will not connect to websites that contain the names Microsoft, Norton, or Symantec (possibly others). Any attempt to contact a URL containing these names IMMEDIATELY fails with a "server not found" message. Windows auto update does not work and I was unable to manually update drivers for hardware devices. Suspecting a virus, I loaded NAV09 from CD. It did not find anything, but was unable to download the latest updates. OS is WinXP Pro SP2. Windows firewall is off, I already reset the IP stack with the netsh command and checked \drivers\etc\hosts. It contains only localhost 127.0.0.1. Based on similar problems reported in this forum, I downloaded and ran SysProt and also gmer. Logs are attached below. Is this a rootkit or what?

Please have a bit of patience. One of the SysProt gurus will assist you.

BigBlue81:

Before any suggestions are offered, are you able to back up all of your important documents and photos, etc.?

Do you have an operating system disc or recovery discs?

There is nothing on this machine that I can’t recover or is important enough to worry about. Fire away!

BigBlue81:

Your machine is at serious risk, as it appears that svchost.exe, which is a major component of the operating system, has been overwritten by malware. It is not a rootkit per se, although there are some characteristics, which is why it shows as it does in the GMER. If the svchost.exe file is simply removed, you will lose access to the machine and a reformat will loom largely in your future.

What has been happening is that the infected file has to be gingerly replaced, using an assortment of tools, and then other malware removed. It is a complex and risky business.

If you prefer not to reformat I would recommend http://www.bleepingcomputer.com/ as they have worked through several of these successfully.

You could check the hosts file by copying and pasting this into the Run command:

notepad.exe c:/windows/system32/drivers/etc/hosts

Could you copy what is in this file?

I am unsure what to call it:

1. Whether the svchost.exe is the legit one, OR whether it is one like the "atapi.sys" due to the fact the file is in the correct location; so has it been overwritten with a bad malware version, or is it just using the legit svchost as an actor?

2. In any case, whether "svchost.exe" is a good or bad file, it would mean that if bad it can't just be taken, as the file is in use by Windows (same as the atapi.sys problem that appeared), so if the file is taken there will be no other file in that folder of that name, same problem as the likes of atapi.sys. svchost.exe is what controls Windows services from A to Z, including BITS automatic update.

3. Nothing shows up for "bdiix", "Boot Network" or the file "bnhuqm.dll".

BleepingPC, in their malware board, have people trained in the more advanced tools and loggers, like myself; they logically and methodically take in any info from the logs asked for and track it down, and script for what is necessary, from file removal to scripting for swapping a file with a clean one.

Quads

You now have a reply on the other forum. Please note they are busy trying to keep up with everyone.

Quads

Hi

Conficker / Downadup variant

---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [AUTO] bdiix            <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@DisplayName           Boot Network
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@Type                        32
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@Start                        2
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@ErrorControl            0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@ImagePath             %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\bdiix@ObjectName   LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\bdiix@Description     Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg             HKLM\SYSTEM\CurrentControlSet\Services\bdiix\Parameters                                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\bdiix\Parameters@ServiceDll     C:\WINDOWS\system32\bnhuqm.dll
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix@DisplayName                           Boot Network
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix@Type                                         32
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix@Start                                         2
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix@ErrorControl                             0
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix@ImagePath                                          %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix@ObjectName   LocalSystem
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix@Description      Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix\Parameters (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet002\Services\bdiix\Parameters@ServiceDll        C:\WINDOWS\system32\bnhuqm.dll

---- EOF - GMER 1.0.15 ----

Exploits the legit "svchost.exe", "explorer.exe" or "services.exe" file; this may cause system errors or interfere with the system's day-to-day running.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random name]\Parameters\"ServiceDll" = "Path to worm"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random name]\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

And sub-ControlSets (ControlSet002, ...)

All ControlSets will have to be removed, and the file(s), for the infection's stability.

"C:\WINDOWS\system32\bnhuqm.dll" = C:\WINDOWS\system32\[RANDOM].dll

Service "bdiix" = [RANDOM NAME]

If it is new(er), it could be that more sites are blocked by it than is stated on sites with older posts.

Quads
 
 
Message Edited by Quads on 11-05-2009 02:04 PM
Message Edited by Quads on 11-05-2009 02:08 PM
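The pattern Quads describes above (a service whose ImagePath is svchost.exe -k netsvcs, whose Parameters\ServiceDll points at a randomly named DLL in system32 under every ControlSet, and whose Description is copied from a legitimate service) can be checked mechanically from the registry section of a GMER log. The following Python script is an added example, not code from this thread or from GMER or Norton. It parses Reg lines in the layout GMER prints, here fed from a constructed sample modelled on the lines quoted above; the srservice lines in the sample and the small known-good netsvcs table are assumptions standing in for a reference taken from a clean XP machine.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample modelled on the GMER registry lines quoted in the thread.
# The srservice lines are added here (assumed values for the genuine XP
# System Restore service) so the checker has a legitimate svchost-hosted
# service to contrast with the suspicious one.
SAMPLE_GMER_LOG = r"""
---- Registry - GMER 1.0.15 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@DisplayName           Boot Network
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@Start                        2
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@ImagePath             %SystemRoot%\system32\svchost.exe -k netsvcs
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix@Description     Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix\Parameters
Reg    HKLM\SYSTEM\CurrentControlSet\Services\bdiix\Parameters@ServiceDll     C:\WINDOWS\system32\bnhuqm.dll
Reg    HKLM\SYSTEM\ControlSet002\Services\bdiix@ImagePath            %SystemRoot%\system32\svchost.exe -k netsvcs
Reg    HKLM\SYSTEM\ControlSet002\Services\bdiix\Parameters@ServiceDll        C:\WINDOWS\system32\bnhuqm.dll
Reg    HKLM\SYSTEM\CurrentControlSet\Services\srservice@DisplayName   System Restore Service
Reg    HKLM\SYSTEM\CurrentControlSet\Services\srservice@ImagePath     %SystemRoot%\system32\svchost.exe -k netsvcs
Reg    HKLM\SYSTEM\CurrentControlSet\Services\srservice@Description   Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg    HKLM\SYSTEM\CurrentControlSet\Services\srservice\Parameters@ServiceDll   %SystemRoot%\system32\srsvc.dll

---- EOF - GMER 1.0.15 ----
"""

# Assumption: a few svchost-hosted (netsvcs) services of Windows XP and the DLL
# each one is expected to load. In practice this table should be exported from
# a known-clean machine of the same OS and service pack.
KNOWN_NETSVCS: Dict[str, str] = {
    "srservice": "srsvc.dll",     # System Restore Service
    "wuauserv": "wuauserv.dll",   # Automatic Updates
    "bits": "qmgr.dll",           # Background Intelligent Transfer Service
    "browser": "browser.dll",     # Computer Browser
    "schedule": "schedsvc.dll",   # Task Scheduler
}

# Assumption: first sentence of the legitimate srservice description; a service
# under another name that reuses it is borrowing a disguise.
LEGIT_DESCRIPTIONS: Dict[str, str] = {
    "srservice": "Performs system restore functions.",
}

# "Reg    <key>[@<value name>]   <data>" as printed by GMER
REG_LINE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<name>\S+))?\s*(?P<data>.*?)\s*$")
# Pull the ControlSet and service name out of a Services\... key path
SERVICE_IN_KEY = re.compile(r"\\(?P<cs>ControlSet\d+|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)", re.I)


def parse_services(log_text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Group GMER Reg lines into {(control_set, service_name): {value_name: data}}.
    ServiceDll lives under the service's Parameters subkey; it is folded into the
    same record so each service can be judged as one unit."""
    services: Dict[Tuple[str, str], Dict[str, str]] = defaultdict(dict)
    for line in log_text.splitlines():
        m = REG_LINE.match(line.strip())
        if not m or not m.group("name"):
            continue  # not a Reg line, or a bare key such as ...\Parameters with no value
        k = SERVICE_IN_KEY.search(m.group("key"))
        if not k:
            continue
        services[(k.group("cs"), k.group("svc").lower())][m.group("name")] = m.group("data")
    return dict(services)


def basename(path: str) -> str:
    """File name component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_svchost_services(services: Dict[Tuple[str, str], Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag svchost-hosted services whose ServiceDll is not the expected one, or
    whose Description was copied from a different, legitimate service."""
    findings: List[Tuple[str, str, str]] = []
    for (cs, svc), values in sorted(services.items()):
        if "svchost.exe" not in values.get("ImagePath", "").lower():
            continue  # only services that run inside svchost matter here
        dll = values.get("ServiceDll")
        if dll is None:
            findings.append((cs, svc, "svchost-hosted service without a ServiceDll value"))
            continue
        expected = KNOWN_NETSVCS.get(svc)
        if expected is None:
            findings.append((cs, svc, f"ServiceDll {basename(dll)} belongs to no known netsvcs service"))
        elif basename(dll) != expected:
            findings.append((cs, svc, f"ServiceDll {basename(dll)} differs from expected {expected}"))
        desc = values.get("Description", "")
        for legit_svc, legit_desc in LEGIT_DESCRIPTIONS.items():
            if legit_svc != svc and desc.lower().startswith(legit_desc.lower()):
                findings.append((cs, svc, f"Description copied from {legit_svc}"))
    return findings


def analyze_gmer_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Parse a GMER log and return (control_set, service, reason) findings."""
    return check_svchost_services(parse_services(log_text))


if __name__ == "__main__":
    for cs, svc, reason in analyze_gmer_log(SAMPLE_GMER_LOG):
        print(f"{cs}\\Services\\{svc}: {reason}")
```

Run against the sample, the script reports bdiix twice under CurrentControlSet (unknown DLL, borrowed description) and once under ControlSet002, while srservice produces nothing. On a real log the same check is worth running over every ControlSet, as Quads notes, because a cleanup that only touches CurrentControlSet leaves the copy in the other control set to come back.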