Trojan straight from hell!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by parrotmania, Nov 30, 2010.

  1. parrotmania

    parrotmania Private E-2

    Help! Make it stop. I have some horrible malware that won't quit. It is over my head and at this homicidal point, the behavior is most visible when I run Currports. For awhile nothing ever showed up on scans. Then, finally Malwarebytes and Avast caught some malware. Still, the problems persist.

    I have an HP Presario V5000 laptop, Windows XP Home, 1G RAM, SP3, 1463 Mhz Processor. Comodo Personal Firewall, Avast5 Antivirus.

    There are as many as 50 ports open, even when I have no Chrome apps open. Remote Port 80 has countless apps under it, such as a bunch of this type: iw-in-f105.1e100.net. It is blacklisted in at least one list, according to an IP address search.

    In Currports, under "Process Name" I get up to 8 "Unknown" processes (right under 4 "System" processes, usually). I cannot delete the Unknown processes, at all. If I delete another program running, such as the ones like iw-in-f105.1e100.net, it gets replaced by numerous more, immediately afterward. A file titled "Currports" randomly appears on my desktop many times, even though I do nothing to incite this.

    Immediately upon bootup, I open Currports and I will see 9 open ports, under AvastSvc.exe, and I had not hit any other keys. Avast does not update upon bootup like it did before. Like clockwork, it would do so every time I booted up. It updates rarely and randomly. I have it set to update at bootup.

    I deleted a "backups" folder that appeared out of nowhere on my desktop. It appeared after the HJT "fix" today. There was no name linking HJT at all, so I assumed it wasn't installed by HJT. I have suspected a notepad.exe corruption, among other programs, as well.

    I had someone at Malwarebytes forum trying to help, to no avail. They had me do all the scans and run programs, such as Malwarebytes, Combofix, TDSSKiller, etc. Nothing caught anything, nor helped. A few scans are not going to catch this thing. I can do scans on my own, and have done so countless times.

    Shortly after working with them, I ran scans with Malwarebytes, SAS, and Avast and they FINALLY caught a few items. Nonetheless, I still have some nasty spyware or something. Interestingly, Remote Registry and several other programs are missing from my "Services" (Control Panel>Admin Tools>Services) program.

    I know something is wrong. This thing is above the usual scans, of which I have run a plethora (safe and normal modes). I am hoping someone can help me with this???

    I am including today's HJT log, before and after "fix", via HJT. It was after deleting these items, along with many other attempts at self-help, that I decided to post here.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Majorgeeks. I know you said you have already run all the scans, but I would like for you to run Malware Bytes, SUPERantispyware and a few other tools which you will see in our Read and Run Me First Procedures including RootRepeal and MGTools.


    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. parrotmania

    parrotmania Private E-2

    Thank you for such a quick response 8) And thank you for your help!

    Believe it or not I am trying to be as brief as possible here on detailing behavior.

    After changing Startup Selection to Normal Mode, restarting and rebooting, I immediately checked and found it had reverted to Selective Startup. Again, I reset to Normal Mode, restarted, rebooted, and finding it had reverted to Selective Startup again - all the items under Selective Startup were checked.

    I have suspected an MBR issue for awhile, but the Malwarebytes team didn't answer my queries on this issue. I explained the above behavior to them, as I had noticed this exact behavior before of reverting to Selective Mode, after I suspected MBR issues.

    Interestingly, every single time I run Regpair/Free Window Registry Repair, it shows the same Empty Registry Keys (hundreds of them), and most are under HKEY_USERS S-1-5-18,19,20 & 21 (Do I need this "user"???). Interestingly, I always see "Empty Registry Keys" under "Data": Security, URLSearchHooks, Certificates, ProtectedRoots, Trust Database, Blocked, RunOnce, Blocked, CTLs, CRLs, Installer, CmdMapping, Lsa, Windows NT, Terminal Server, Location Awareness, Network, user agent, P3P, OpenWithList, ?????k, Protected Storage System Provider, etc. There are numerous empty keys of CTLs and CRLs.

    About a week ago, I removed a few Remote Access programs in my Registry. I disabled what Remote Access programs I could and also noticed some programs missing that I had not removed, notably Remote Registry. I have no need for Remote Access anything, so I removed a few programs, after suspecting Remote Access to my computer. I have suspected this for a couple of months. Comodo firewall confirmed my suspicions. I switched from ZoneAlarm firewall to Comodo Firewall and it is the ONLY program at all that detected something like a "Someone is trying to remotely access your computer session" type of message, at which point, of course, I had Comodo block it. This has happened at least a few times.

    After COMBOFIX ran, and disabling Avast, Comodo and Winpatrol, I got a warning: microsoft.com IE Home page was changed....

    A few minutes after COMBOFIX ran and restarted, I turned Avast, Comodo and WinPatrol back on, a WinPatrol pop-up:

    "detected a change to one of your file type associations. .URL"

    The program currently associated with this file type is: Run a DLL as an App Microsoft Corporation
    C:\WINDOWS.0\system32\rundll32.exe C:\WINDOWS.0\system32\ieframe.dll,OpenURL %1

    A change was made to use the following program for this file type. Run a DLL as an App Microsoft Corporation
    rundll32.exe ieframe.dll,OpenURL %1
    ------------------------------------------------------------
    VERY STRANGE: After Combofix ran and restarted, I saved info in a doc on my desktop warning "A change has been detected in your IE Search Page. Your new page is http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

    Then, after seeing this suspicious behavior, I took a screen shot of it and saved it to my DESKTOP. It didn't go to the desktop, so I did a search of the saved file and found 3 files for the one doc. One doc is located on the desktop, where I put it. Another is in Documents and Settings and is a 2.8 MB file??? (the original info is nowhere near that size of a file). I deleted all these files.

    I was going to send logs,

    I am sending all logs up until MGTools, if and until it can run and/or finish. After 90 minutes of running MGTools, and no indication of movement, no feedback whatsoever from it, I assumed it was hosed up somehow. There was, as far as I can tell, like other scan warnings, no warning it would take awhile to run. I will send the results if and when it ever runs properly.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    More to the point, do you need RegPair? I most certainly would uninstall that garbage if it were my machine! Nor would I take any notice of what it "finds" when you scan with it.

    Such as? :confused

    Yes, attach what logs you do have when ready. Try this: if you have problems running MGTools, try renaming it to magpie.com, perhaps even reboot into safe mode after the rename to try running it that way. Failing that...

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    Then...

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.

    Attach a C:\MGlogs.zip if you have one. Also attach what other logs I need to see from you running the malware removal procedures.
     
  5. parrotmania

    parrotmania Private E-2

    Ok. Ever since MGTools ran and froze, or whatever it was or wasn't doing, everything is molasses slow. It went into the cmd screen mode and never indicated any movement from then on; the initial text on the screen never changed. I am going to include the log. I found the log after using the "Search" program. I assume it is not complete. You will know if it is or not. In the next post I will send it, as everything is slowing down again.

    Slowness has not been an issue at all. There was weirdness/bugginess before I did 3 recent XP reinstalls. After the last reinstall of XP, surfing and response is very fast. Nonetheless, malware issues persist. There have been no issues of slowness in about a month or so. Issues of slowness coincide with the MGTool being hosed up.

    There was no slowness at all until I ran MGTool. I ran MGTool and it took forever (as in 90 minutes and no scan I have ever done took that long. All my scans are less than half that time, at the very most), and didn't seem to be doing anything and I was getting no feedback whatsoever or indication of movement on the program, so I tried to turn the computer off. It would not do anything, so I unplugged the computer and took the battery out.

    I rebooted and upon bootup things were fairly fast, then went molasses slow again; so much so I could not send post to you, much less attachments. So I unplugged, took the battery out again, rebooted and here I am.

    I was then able to send the first message and now this one and no issues with uploading attachments this time.

    As for where my SAS scan is? I know for a fact I did an SAS scan last night and saved the log, but cannot find that one. There were no issues found last night. In fact, I did two scans last night. One before and one after I realized I had not updated SAS before the first scan. I updated, ran a second scan and neither scan found anything.

    I will run another scan, but for the record, nothing was found.
     

    Attached Files:

  6. parrotmania

    parrotmania Private E-2

    Ok, here is the MGlogs.

    Sorry about so many steps, but things are getting weird again.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Was there not a C:\MGlogs.zip? Had you tried renaming MGTools.exe as I suggested? I can assure you that MGTools has not caused your system to run slowly; it is merely an information collector and does not make any system changes to induce any "slowness".

    Can you run OTL as per the instructions and attach the logs once done.
     
  8. parrotmania

    parrotmania Private E-2

    You are not a fan of registry cleaners, I gather?

    I do not recall exactly which remote access items I removed, for they are gone now. (I think I removed Telnet?) I believe I removed a couple of them, was very careful, googled a lot, and was careful not to remove ones that are linked to other types of programs. They were remote access related items only. I disabled a bunch of them through the registry and afterward noticed no ill effects at all. Even still, after disabling a bunch of them, the Comodo warning of "remote computer trying to join you" still returned a few times afterward. Of course I had Comodo block those attempts.

    On this remote note, I found suspicious files?:

    It is read-only and the "Sharing" page is all grayed out:

    MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

    Other suspicious files:

    It is a "System" file, C:\System Volume Information, Description: MountPointManagerRemoteDatabase

    remotepg.dll, remotesp.tsp (I am tempted to remove this, but will wait. I keep seeing telephony and spyware type links to this file???)

    C:\WINDOWS.0\$hf_mig$\KB967715\SP3QFE shell32.dll

    Was the attachment(s) I sent for MGTools not good? I will try the MGTools again.

    Here are the OTL scans from today and the SAS scan from last night.
     

    Attached Files:

    Last edited by a moderator: Dec 2, 2010
  9. parrotmania

    parrotmania Private E-2

    Also, about every 20 minutes I keep getting this warning from Winpatrol.

    It started after Combofix ran. I presume because I had disabled Avast, Comodo and Winpatrol, defenses were down and this thing became opportunistic?

    I have attached the screenshot I took of the pop-up warning Winpatrol keeps showing. I keep saying "No" do not make changes, but it is persistent in reappearing.

    I've tried about 4 times and it won't upload. It is the same one I included in previous post, that Winpatrol had warned of.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Definitely not, no.

    Leave them all alone.

    Did you try the rename as I suggested or booting into safe mode to try and run it? You did not let me know.

    I am not seeing any malware in those logs. What problems remain?

    Run this and attach the results.

    Using ESET's Online Scanner
     
  11. parrotmania

    parrotmania Private E-2

    I will run the alternative MGTools method.

    It is confusing to me when I read articles or posts made by obviously computer-savvy people, who are highly opposed to running registry cleaners, yet those very websites, such as MGeeks, Cnet, etc., tout registry cleaners. I also see other computer-savvy individuals touting the use of registry cleaners. And yes, I have read that registry cleaners can remove needed apps.

    As you can see, I am not computer-savvy and I am not trying to be difficult. I am only trying to understand.

    So then I wonder if the people who are opposed to registry cleaners are against them because they know what the hell they are doing, hence do not need the cleaners, and figure they may do more harm than good, since they may remove some needed information.

    I knew a guy that was employed in the IT dept. at American Express, that never even ran a firewall on his personal computer, because he "didn't need it". But, I don't think it is a good idea for at least 99% of us to not run a firewall.

    So then I wonder if all these computer websites include registry cleaners in their product line, even though they are against them. Or, that two somewhat equally computer-savvy persons will disagree on whether to use them or not???

    Perhaps, like my Amex friend analogy, most of us should use a registry cleaner, but the computer-savvy individuals don't need to?

    Are they touted because the less savvy users need a registry tool because they cannot manage the registry themselves? And the cleaners have opposition because they may remove needed apps? I'm so confused.
     
    Last edited by a moderator: Dec 2, 2010
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We don't recommend using tools like this as they can cause more harm than good and they WILL NOT speed up your PC contrary to the hype they tell you. Even the experts at Microsoft will tell you that they will not improve performance.
    Perhaps you could pose your question to the owners of the web site. I do not have time to delve deeply into discussions about the registry, I am here to see whether malware is the cause of your problems or not, and at the moment you are too intent on discussing reg cleaners and not intent enough on getting me logs.

    So this time let me know how you got on, briefly. And what about the ESET scan? Did you bother with that?
     
  13. parrotmania

    parrotmania Private E-2

    Sorry about the delay, but had a family emergency.

    Finally able to run MGTools. It ran fine, taking a very short time to run. The first time I tried to run it, it hung for over an hour. The whole system hung for over an hour, every application was molasses slow. This behavior was linked to attempting to run the MGTools. I wasn't saying there is something wrong with MGTools. Actually, I was wondering if the odd behavior was due to whatever "hook" is in my laptop and it was trying to "read" or stop MGTools or something like that, and this is why my whole system hung up so badly???

    As you can see, ESET found 4 items. However, I ran the ESET online scanner in Chrome, as I had no choice. When I go to IE8 and try to run ESET, it brings up a Chrome screen. This also happens when I try to download from microsoft.com, using IE8. I start off in IE8, close all Chrome screens and it still brings up a Chrome screen. I don't know if it matters that the scan was run in Chrome versus IE8, but I don't know how to remedy the auto-switching.

    I have exhausted max upload space and will add more scans on next post...
     

    Attached Files:

  14. parrotmania

    parrotmania Private E-2

    And now for OTL. I ran it just fine a few days ago, bringing up both scan files needed. But last night I ran it and it would bring up only the OTL.txt file, not the Extras file also. I have tried a total of 5 times, including today, to run the scan and only get the OTL.txt file. Today I even deleted the OTL program, downloaded again, ran scan again, and still only one file is produced. I am including the one file.

    Ok, maybe not. MGeeks will not accept the OTL file because "OTL.txt, Your file of 1.27 MB bytes exceeds the forums limits of 375.0 KB for this file type".
     
  15. parrotmania

    parrotmania Private E-2

    Winpatrol keeps warning me, about every 20 minutes, that it has "detected a change to one of your file type associations .URL". I choose "No" when asked if this change is ok, but the warning keeps reappearing.

    The 2 programs it warns me about are:

    Run a DLL as an App
    Microsoft Corporation
    C:\WINDOWS.0\system32\rundll32.exe C:\WINDOWS.0\system32\ieframe.dll, OpenURL %l
    ---------
    A change was made to use the following program for this file type.
    Run a DLL as an App
    Microsoft Corporation
    rundll32.exe ieframe.dll, OpenURL %l
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You should have also seen something like this:
    So it could be just chrome conflicting with another browser. Something you will have to work out in the software forum.
    One false positive and three found in system restore which can only really be removed when you follow my final steps.

    You could have zipped it.

    So at this point, what actual malware problems do you feel you still have?
     
  17. parrotmania

    parrotmania Private E-2

    Thanks. I will try OTL again.

    About 10 days ago, Malwarebytes removed a System Volume Information_restore file. SAS removed a bunch of other stuff and Avast got a hit/removal too.

    I wish I understood all the info Currports was showing me, as this is where a lot of my paranoia comes from.

    Right now I have 3 Google Chrome windows up. Currports says I have 72 total ports and 23 Remote Connections. Simple math seems to tell me that there is something wrong with this picture? The total

    Sometimes I get up to 8 "Unknown" Process Names showing and cannot delete some of them, no matter how many times I hit delete.

    I always get numerous weird Remote Host Names, such as yx-in-f00.1e100.net, yi-in-f189.1e100.net, etc. And if I delete one, a dozen more will immediately replace that one. I have googled and gone to IP address identifying sites and find that they are spyware-related sites.

    There are 5 "System" Process Names. I thought I had one "System".

    I took screenshots of Currports and tried to attach it, but MGeeks cannot accept the file.
     
  18. parrotmania

    parrotmania Private E-2

    As for the info below and relating to the last comment, by you, I have seen - after cleaning scans - empty and temp folders for Firefox. I have never downloaded Firefox, not ever, on this computer.

    Quote:
    The 2 programs it warns me about are:

    Run a DLL as an App
    Microsoft Corporation
    C:\WINDOWS.0\system32\rundll32.exe C:\WINDOWS.0\system32\ieframe.dll, OpenURL %l
    ---------
    A change was made to use the following program for this file type.
    Run a DLL as an App
    Microsoft Corporation
    rundll32.exe ieframe.dll, OpenURL %l
    You should have also seen something like this:
    Quote:
    The program currently associated with this file type is:
    FIREFOX (Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe %1
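    The two rundll32 commands WinPatrol quotes in posts 15 and 18 differ only in whether rundll32.exe and ieframe.dll carry full paths; a bare name makes Windows locate the file through its process and DLL search order instead of a fixed location, which is why an association-change monitor flags it even though both commands name the same Microsoft component. The following is an added example, not from the thread, from WinPatrol or from Microsoft, that parses such association commands and reports exactly that difference; the two .URL strings are copied from the dialog text above, and the Firefox and Notepad strings are constructed for illustration.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the WinPatrol dialog quoted in the thread for the .URL
# (InternetShortcut) association; "%l" is the placeholder for the file name.
URL_ASSOC_BEFORE = r'C:\WINDOWS.0\system32\rundll32.exe C:\WINDOWS.0\system32\ieframe.dll,OpenURL %l'
URL_ASSOC_AFTER = r'rundll32.exe ieframe.dll,OpenURL %l'

_ABS = re.compile(r'^(?:[A-Za-z]:\\|\\\\)')   # C:\... or \\server\share
_ENV = re.compile(r'^%[^%]+%\\')               # %SystemRoot%\...


def path_kind(token: str) -> str:
    """Classify how Windows will locate the file named by this token."""
    t = token.strip('"')
    if _ABS.match(t):
        return "absolute"      # fixed location
    if _ENV.match(t):
        return "env"           # fixed once the variable expands
    return "bare"              # found by searching, so open to substitution


@dataclass
class AssocCommand:
    exe: str
    args: List[str]
    dll: Optional[str] = None     # only set for rundll32 commands
    entry: Optional[str] = None   # export rundll32 will call
    findings: List[str] = field(default_factory=list)


def parse_assoc_command(raw: str) -> AssocCommand:
    """Split a shell\\open\\command style string and note unqualified names."""
    # posix=False keeps backslashes and lets quoted paths with spaces survive
    tokens = [t.strip('"') for t in shlex.split(raw, posix=False)]
    if not tokens:
        raise ValueError("empty association command")
    cmd = AssocCommand(exe=tokens[0], args=tokens[1:])
    if path_kind(cmd.exe) == "bare":
        cmd.findings.append(
            f"executable {cmd.exe!r} has no path: resolved via the process search path")
    basename = cmd.exe.lower().rsplit("\\", 1)[-1]
    if basename == "rundll32.exe" and cmd.args:
        spec, rest = cmd.args[0], cmd.args[1:]
        if spec.endswith(",") and rest:   # "ieframe.dll, OpenURL" typed with a space
            spec += rest[0]
        dll, _, entry = spec.partition(",")
        cmd.dll, cmd.entry = dll, (entry or None)
        if path_kind(dll) == "bare":
            cmd.findings.append(
                f"DLL {dll!r} has no path: resolved via the DLL search order")
    return cmd


def new_findings(before: str, after: str) -> List[str]:
    """Findings introduced by a change from `before` to `after`."""
    old = parse_assoc_command(before).findings
    return [f for f in parse_assoc_command(after).findings if f not in old]


if __name__ == "__main__":
    for f in new_findings(URL_ASSOC_BEFORE, URL_ASSOC_AFTER):
        print("new finding:", f)
```

A change that only drops the paths is what the dialog in the thread shows; the same check applied to the Firefox or Notepad associations reports nothing because their paths stay fixed.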
     
  19. parrotmania

    parrotmania Private E-2

    Oh yes, and weird things happen with files on my desktop.

    Occasionally a desktop file gets changed or a file appears from nowhere. Never had that happen on any computer I have had. Actually, this behavior is what made me suspicious about malware to begin with.
     
    Last edited: Dec 5, 2010
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What files get changed and how?
    What kind of file appears from nowhere?
    No, what I meant was perhaps you had had a SIMILAR message.

    You need to tell me exactly what processes. Give me file names.
     
  21. parrotmania

    parrotmania Private E-2

    I was afraid you would ask me which files. Honestly, I have been chasing so much weird behavior over the past month, with intuition mostly, as I am not savvy in computer processes, so it is hard to recall things. I followed things, that led to something else, that led to something else, and I forget a lot of it. I have googled so much, over the weirdness lately, and chased so much down, my head is spinning from so much information.

    One of the first things I noticed was Notepad appearing in my Start menu, like it had been used last. I have never used notepad, in any computer, and honestly didn't even know about it, as I have always used a Word doc.

    Then a Word doc, on my desktop, would get renamed. Or it would go from having the icon that looks like a tablet to having an icon that has 3 different colored dots on it. And I know I had not renamed the doc. It would appear, out of nowhere, with the different icon representing it.

    Numerous times, usually after closing Currports, I have seen a doc titled "cports" end up on my desktop. I do nothing to incite this. I closed Currports now and a file named "cports.cfg" appeared on my desktop. Currports did not save any files on my desktop at all when I first started using it, so this is why I am suspicious. It is a newer behavior.

    As for "Unknown" processes listed in Currports. Under "Process Name" it will say "Unknown", so I don't know what "they" are hiding.
     
    Last edited: Dec 5, 2010
  22. parrotmania

    parrotmania Private E-2

    According to Currports I now have 185 Total Ports and 39 Remote Connections.

    As for "Unknown" processes listed in Currports. Under "Process Name" it will say "Unknown" and no other information, so I don't know what "they" are hiding. Sometimes I can delete most of them and sometimes one or two will stubbornly stay, not being able to be deleted, no matter how many times I try, which makes me wonder if "they" have corrupted Currports?

    When I disabled some Remote programs, via the registry, from a list online, I noticed some programs were not accessible because they simply were not in the registry.


    Missing:

    Internet Connection Sharing, Internet Connection Firewall and Internet Connection Sharing, Upload Manager, Telnet, Smart Card Helper, Windows Management Instrumentation Driver Extension.

    Registry Items that are "frozen", grayed out areas, etc:

    Security Accounts Manager - will not allow me to stop, frozen in "start", no changes allowed.

    Terminal Services - will not allow me to stop, frozen in "start", no changes allowed.

    Now, this may be why OTL is now not able to save an Extras.txt file and only save the OTL.txt file, after scans. After I recently did the OTL scan, I could only see the OTL.txt file on the desktop. I used Search to try and find the Extras.txt file, after the scans, and found this suspicious file:

    file:///C:Documents%2520Settings/andre.ANDRE-894C01RFB/Desktop/Extras.Txt%2520Dec%25201.txt

    The specified path does not exist.
    Check the path, and then try again.

    OTL was saving both files after a scan, before I saw the above file, using Search.

    Is this where this file should be? %SystemRoot%\System32\NOTEPAD.EXE /p %1


    I found this info and deleted the following file, several times, with Malwarebytes and it reappears. I found this info on the file:

    The %ProgramFiles%\Windows NT\hypertrm.exe file is installed and used by Backdoor.Win32.NewRest.bc, Adware.Loadscc and Malware.Xpiro.

    While using Process Explorer, I noted the following:

    DPCs has no info whatsoever - No security, no threads, no info at all, zero info.
    SID: S-1-5-32
    "Interrupts" is the same way - no info

    Notes of weird behavior:

    IN SERVICES TAB - 11/18/10

    ! Could not stop Remote Access Connection Manager service
    on Local Computer.

    Error 1053: The service did not respond to the start or
    control request in a timely fashion.

    Comodo detected this, and I see it, and similar addresses, in Currports every time I am online:

    New Private Network Detected!

    192.168.5.102/255.255.255.0
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, I appear to have three unknowns too, but it does not mean that there is malware on our machines. (See screenshot)

    No, you only get the extras log once.

    What website reported that information? Spywareremove.com I am guessing. Not a trustworthy source!

    http://www.hilgraeve.com/ <--- Information relating to the file in question. Ring any bells?

    Show me the log where Malware Bytes detects it.
     

    Attached Files:

  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    My "Unknowns" became simple connections to this website...nothing mysterious there ;)
     
  25. parrotmania

    parrotmania Private E-2

    As for "Unknowns", or any other program in Currports, should I be concerned if I am not allowed to end the process from running, after several attempts?

    I do not recall which site I got the HyperTerminal info from. I have been wary of spywareremove.com, as I ascertained it was apparent they are all about pushing their so-called removal tool, that is probably malware anyway, and EVERYTHING is malware to them, as to push their product.

    Some strange files are being created. Many times I will see a Word or Notepad doc that I created/named and it will get duplicated, but saved in a weird place, such as these:

    My original file: DHCP client-suspicious.txt,
    C:\Documents and Settings\andre.ANDRE-894C01BFA\Desktop

    The copied, suspicious file is saved in My Computer folder and the icon to the left (using Search) is a blue "e", like IE8 has.

    It reads - Type: Internet Shortcut
    Internet Address: file:///C:/Documents%2520and%2520Settings/andre.ANDRE-894C01BFA/Desktop/DHCP%2520client-suspicious.txt

    I now found something very odd. I used Search to find dialer.exe and there is a folder named Dialer, with 2 files created on 11/24/10, that I absolutely did not create. It is in Documents and Settings, Local, with Sharing, and it has 2 files: andre_buddies.dat, DAT file, unknown application, and the other file is andre_call_log.txt, Opens with Notepad and reads:  ÿÿ  CObList

    I would normally delete that whole folder, lately, with all the paranoia around Remote Access and such.

    When I google hilgraeve.com, I see that Hilgraeve is a software firm based out of Monroe, Michigan, and is best known for its HyperTerminal and HyperACCESS...

    I would never download that software, would have no need for it, have a paranoia about anything with the word "access" in it, so I am deducing it was installed remotely onto my laptop, via whomever put the rootkit on my computer.

    Should I be concerned about Remote Registry and the other missing registry programs?

    About 10 days ago, after following suspicious trails, I typed MEDIAPLEX in the Registry, found it and deleted - zlob, media, 3d, 3dtext. MEDIAPLEX is still there, as I wasn't confident to delete all of it.

    As a matter of fact, the most audacious behavior that got my attention and suspicions, is 3dtext, about 6 weeks ago, when my screen went black, froze (no key would trigger out of it) and when it came back to my normal screen, I saw a program listed in the bottom task tray (where open Chrome and programs are listed next to each other) named 3dtext. The googling and scans have not stopped since I saw that very suspicious program.

    Here are scans/malware removal logs:

    Malwarebytes -11/18/10 -
    Files Infected:
    C:\Program Files\Alwil Software\Avast5\chrome\ChromeInst.exe (Trojan.Startpage) -> Delete on reboot.
    C:\System Volume Information\_restore{2F34BD55-12CF-4B5C-8426-87DCCFA8E08F}\RP4\A0001894.exe (Trojan.Startpage) -> Quarantined and deleted successfully.

    SAS - 11/24/10 - ATTACHMENT

    As for Currports showing that I now had 185 Total Ports and 39 Remote Connections, and only 4 Google Chrome windows open, is this not of concern?
     
  26. parrotmania

    parrotmania Private E-2

    Accidentally sent the last post too soon, before SAS log was attached, as here.

    Avast removals: 2 - Win32:Trojan-gen files

    11/23/10 - Name: q6ybzkt.exe -
    C:\Documents and Settings\andre.ANDRE-894C01BFA\Desktop\q6ybzykt.exe

    11/24/19 - Name: A0006536.exe
    C:\System Volume Information\_restore{01D2103B-2D7...
     

  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I believe at this point, Kes has determined that you are not suffering from malware. As to open ports and files being duplicated, I suggest that you pursue this in the software forum. They can guide you on programs to install to shut down open ports. Perhaps you can get some guidance on using Comodo to better protect yourself.

    You should read this:
    How to Protect yourself from malware!
     
  28. parrotmania

    parrotmania Private E-2

    Thanks, but I am a bit confused, as in a few posts back:

    My comment:
    As you can see, ESET found 4 items.

    Kes:
    One false positive and three found in system restore which can only really be removed when you follow my final steps.

    I have not been instructed as to what those "final steps" may be???
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Here are the final cleanup instructions which include toggling system restore to remove infected restore points:

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:
     
  30. parrotmania

    parrotmania Private E-2

    One more question I had asked and still wonder about was when, in the initial stages here, I was told to change System Config. Utility to Normal Startup, from Selective Startup, and reboot. I have done this at least 4-5 times and every time I do this, upon reboot, I immediately check msconfig and find it has reverted back to Selective Startup. It never stays in Normal Startup.

    Among other concerns, I have suspected MBR corruption, and this behavior only adds to this concern.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There was no indication in your logs of an MBR infection. Plus you had no symptoms of an MBR infection. As to msconfig, that is a good question to pursue in the software forum. ;)
     
  32. parrotmania

    parrotmania Private E-2

    Also, I have to be persistent about malware suspicions.

    I had asked why in Process Explorer there is absolutely no information whatsoever on DPCs and Interrupts.

    Even more suspicious is in Sys. Config. Utility, under Remote Procedure Call, the one by Microsoft Corporation is "Stopped", and the Remote Procedure Call, directly under the MS one, is Manufacturer "Unknown", as opposed to MS, and is "Running".

    Is it not highly suspicious that the Unknown one is overriding the Microsoft one?
     
  33. parrotmania

    parrotmania Private E-2

    Ok, go to the software forums.

    One last question. I found a bunch of info on Mediaplex, found it in my registry, under Search Assistant ACMru. I see nothing but bad things associated with it, via google, and the other files with it, in my registry, such as:

    mediaplex, MVPS, kkvwbsrw, urdvsc, tvsknrse, tvs, dhcp, dialer.

    How is this not malware?

    I get the distinct impression that this particular forum is for scans only, and then the software forum is more interactive?

    My last question, I swear. I think.

    Thanks.
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Mediaplex installs a tracking cookie. It is safe to remove it.
     
  35. parrotmania

    parrotmania Private E-2

    Now, isn't that strange.

    I totally left "mediaplex" alone yesterday, until I heard from you on it. I did not delete anything.

    However, today, when I go to regedit, I cannot find any file relating to mediaplex??? Yesterday I found it by searching through edit and typing "mediaplex". Now, I cannot find it anywhere, using any of the words: mediaplex, MVPS, kkvwbsrw, urdvsc, tvsknrse, tvs, dhcp, dialer, Search Assistant ACMru.

    I did not delete anything???
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Perhaps one of your protection programs removed it. ;)

    Please be aware of this:
    Mediaplex and thousands of other malware type names may appear in the registry due to any number of tools putting them in there to protect you, like the way Spybot and SpywareBlaster and similar things block malicious URLs or ActiveX controls.

    I would suggest you stop trying to fix things that don't need fixing.
     
    Last edited: Dec 8, 2010
  37. parrotmania

    parrotmania Private E-2

    Due to a family emergency I have not been able to finish the process yet.
    I am to the point of System Restore. When I brought up System Restore it was already turned off.

    XP Instructions:
    3: Check the box that says "Turn off system restore on all drives". Click OK.
    4: Click Yes if you are prompted to restart the computer.
    5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

    It was already in "off" mode, so it has obviously been in this mode all along. I unchecked it and checked it again, pressed apply and it didn't prompt me to do anything. I have been rebooting all along, so I am confused as to what to do next? I have never used System Restore, so I had not set it at "off".

    One last question about my startup. Every time I set System Config Utility to Normal Startup, upon rebooting, I notice it has reverted to Selective Startup, no matter what. I have reset it numerous times and each time, right after rebooting I notice it reverts to Selective Startup???
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since this is not a malware issue, I suggest that you pursue this in the software forum.
     