¿Trojan Clocked, Rootkit?

Discussion in 'Malware Help (A Specialist Will Reply)' started by sinrazon_1, Mar 1, 2011.

  1. sinrazon_1

    sinrazon_1 Private E-2

    Hi guys! I'm new in this forum, but I think only you can help me. First, sorry for my English, I know it isn't very good.

    Because of not having the latest Java version, I was infected by some virus. Avast! detected some of these, but I started having problems:
    - The PC is very slow (1000%+), but only when starting Windows (I have Windows XP Home SP2) or any program. Once Windows or the other program is started, the speed is normal.
    - Sometimes when Windows has started up and I don't open anything, the CPU LED lights up. I look in TaskMgr and no process is guilty, "Inactive Process of System" is at 99%, but "CPU Usage" is between 60-100% (screen).
    - When I'm surfing with IE, FF or Chrome (any), suddenly Java Plugin, WMP and AcroRd32.exe start (together). But as they are now updated, they don't run anything. They ask for confirmation, which I cancel.

    At the beginning, MBAM detected 2 malware items:
    -c:\documents and settings\hp_propietario\datos de programa\thinstall\office 2003\4000003900002i\multikill.exe (Trojan.IRCBot) -> Quarantined and deleted successfully.
    -HKEY_CURRENT_USER\Software\Microsoft\setiasworld (Malware.Trace) -> Value: setiasworld -> Quarantined and deleted successfully.
    And Panda Online 2 more (deleted with OTM):
    -c:\system volume information\_restore{b3a1165a-b243-4636-9ad5-9d938acb32ad}\rp5\a0004277.exe (Generic Trojan)
    -c:\documents and settings\hp_propietario\datos de programa\thinstall\swishmax\10000004a00002h\winhlp32.exe (Generic Trojan)

    Since that day, MBAM, PANDA, KAV, ESET, SuperAntiSpyware, Sophos, TDSSKiller, Norman and Dr.Web don't find anything more. But I found some strange things:
    -[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    Code:
     "DComLaunch" = DcomLaunch TermService
     "HTTPFilter" = HTTPFilter
     "imgsvc" = StiSvc
     "LocalService" = Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
     "netsvcs" = 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ
    Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto
    Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC
    Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN
     "NetworkService" = DnsCache
     "rpcss" = RpcSs
     "termsvcs" = TermService
     "WudfServiceGroup" = WUDFSvc
    -[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
    "DhcpNameServer" = 173.193.227.124 173.192.105.217
    -These hidden devices.

    I attached the MGlogs.zip, hoping you can help me. Thanks in advance!!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    You need to attach the rest of the logs that were requested in the READ & RUN ME. The full first logs from the below are required:
    • SUPERAntiSpyware
    • Malwarebytes
    • ComboFix
    • RootRepeal
    As far as the "DhcpNameServer" = 173.193.227.124 173.192.105.217 setting is concerned, what is the DNS server address that your ISP expects you to use? These addresses are for SoftLayer Technologies in Dallas, Texas, which is not even in the same country as you. Thus I'm wondering if your ISP outsources from somewhere else.
    There is nothing wrong with your [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] registry key. You should not be experimenting in the registry unless you are an Expert in Windows. If you touch the wrong thing, you could make your PC unusable.

    Because you do not have enough memory to properly run Windows XP and your other applications. Your logs show
    Code:
    Memoria física total 512.00 MB 
    Memoria física disponible 108.08 MB
    You need to at least double this to 1 GB but 2 GB is highly recommended.
     
    Last edited: Mar 1, 2011
  3. sinrazon_1

    sinrazon_1 Private E-2

    Thanks for the welcome and fast answer, and apologies for not including the other logs. I have them but they are from a few days ago, so I will run them again.. please, wait for me! Because of this problem, the complete scan of MBAM and SuperAntiSpyware takes several hours (8 and 5 respectively, when before they were 1-2 hours).

    As far as the DhcpNameServer, no, this doesn't belong to my ISP. And I have not deleted/modified anything in the registry.. I was just looking for strange things and typical changes made by rootkits (according to Google).

    And as for the RAM, I know I don't have enough, but for the last 4 years I have "survived" with this. I will improve it, but before the infection it was not a problem. Now it is so strange...

    I will be back with the logs, thanks again!!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually it is important that you attach the first logs so we can see what was found and removed on the first run. Even attach them if nothing is found as stated in the instructions.

    Not sure what you mean by "according to Google". You need to be very careful what you read since many people have no idea what they are talking about. However we still need to see all of your logs to know exactly what is going on with your PC.

    Have you attempted to flush your DNS cache to see if those entries go away?


    • Click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window
    Yes but every software update for Windows and other applications you have installed adds more of a burden to your system, making it get slower and slower. Eventually you just hit the proverbial "straw that breaks the camel's back". ;) And you said things are normal after you start up. The big demand on your system is occurring as applications all try to grab lots of memory as your PC starts up and you don't have enough memory, thus it slows things down as applications need to swap out from memory to disk ( virtual memory ) and this takes more time.
     
    Last edited: Mar 3, 2011
  5. sinrazon_1

    sinrazon_1 Private E-2

    I'll attach the old logs now, corresponding to MBAM, SuperAntiSpyware and Panda Online. The latest logs I'll attach in the next reply, with the other logs needed.

    As for flushing my DNS cache, I haven't tried it.. but I'll do it anyway when I finish the scans.

    And on the day of the infection, my PC started in 2 minutes (normal) and I opened FF, LiveMSN and Winamp.. But after the Java Plugin came up, Avast recognized some infections and I restarted the system. Startup took 10 min, CPU Usage 60-100% just opening Notepad or anything else.. I know 512 isn't enough, indeed I'll improve it.. but I think one shouldn't underestimate 512's small power :p

    **IMPORTANT!
    Now that I see your edit on this page, I remember something (I can't believe I forgot to tell you!!): This is the reason I think I have a rootkit!

    I saw in MSConfig a new service named "IPSectPro Service New". Nothing detected it! So I looked for it in Google and I only found this.

    I deleted the files and keys that are mentioned there (my infected .exe file had the same icon as the "imap.exe" mentioned in the page of your edit). I have to say it's the only thing I deleted in the registry!

    Thanks very much for your time, I'll be back with the other logs!
     

    Attached Files:

  6. sinrazon_1

    sinrazon_1 Private E-2

    Chaslang,

    I've finished with the "Read & Run Me". MBAM and SuperAntiSpyware took more hours than before, but they found something (maybe because before I didn't use Defogger).

    About the SAS log: I've installed Borland 3 years ago, or so. The dll's belong to it.

    About the MBAM log: svchosts1.exe is "Avira AntiRootkit Tool" renamed, I've renamed it to avoid it being blocked, but finally I didn't use it.

    I've attached all the logs needed. Thanks in advance!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below log from SUPERAntiSpyware should be attached, which shows much more being found than the logs you attached.
    Code:
    "C:\Documents and Settings\HP_Propietario\Datos de programa\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    Feb 23 2011  15209 "SUPERAntiSpyware Scan Log - 02-23-2011 - 19-45-14.log"
    You should not be editing the registry on your own without explicit instruction given directly to you. If you deleted everything given in that link, you have deleted some required Windows registry keys.

    What day did the infection occur? I'm guessing on or before Feb 21 when you started downloading all kinds of security programs???

    Also I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe and other tools we asked you to save there for now as we may need them, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing. Norman Malware remover is over 100MB and I don't recommend that program anyway due to too many false detections.
     
    Last edited: Mar 3, 2011
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are any scans you have performed (like a full scan with Kaspersky) or any online scanners picking up a Virut infection? You have a bunch of system files showing up with incorrect sizes and they may be infected. For example the below is a small sample that I can quickly see as incorrect.
    Code:
    =======================================================================                                         
    "C:\WINDOWS\explorer.exe" 1035776 13/06/2007 08:22 
    "C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe" 1035776 13/06/2007 08:10 
    "C:\WINDOWS\ERDNT\cache\explorer.exe" 1035776 13/06/2007 08:22 
    "C:\WINDOWS\SoftwareDistribution\Download\c6accdcd02a08bf2b2edd97027272422\explorer.exe" 1036288 13/04/2008 21:18 
    "C:\WINDOWS\SoftwareDistribution\Download\c90143e38809b5ce94759a9bc8b1e3be\explorer.exe" 1036288 13/04/2008 21:18 
    "C:\WINDOWS\system32\dllcache\explorer.exe" 1035776 13/06/2007 08:22
    =======================================================================
    "C:\WINDOWS\SoftwareDistribution\Download\c6accdcd02a08bf2b2edd97027272422\proquota.exe" 50688 13/04/2008 21:19 
    "C:\WINDOWS\SoftwareDistribution\Download\c90143e38809b5ce94759a9bc8b1e3be\proquota.exe" 50688 13/04/2008 21:19 
    "C:\WINDOWS\system32\proquota.exe" 50688 19/08/2004 16:00 
    =======================================================================
    "C:\WINDOWS\regedit.exe" 152064 19/08/2004 16:00 
    "C:\WINDOWS\SoftwareDistribution\Download\c6accdcd02a08bf2b2edd97027272422\regedit.exe" 152064 13/04/2008 21:19 
    "C:\WINDOWS\SoftwareDistribution\Download\c90143e38809b5ce94759a9bc8b1e3be\regedit.exe" 152064 13/04/2008 21:19 
    =======================================================================
    "C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\services.exe" 111104 09/02/2009 04:53 
    "C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe" 111104 09/02/2009 06:23 
    "C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe" 111104 09/02/2009 06:16 
    "C:\WINDOWS\ERDNT\cache\services.exe" 111104 09/02/2009 05:08 
    "C:\WINDOWS\SoftwareDistribution\Download\c6accdcd02a08bf2b2edd97027272422\services.exe" 109056 13/04/2008 21:19 
    "C:\WINDOWS\SoftwareDistribution\Download\c90143e38809b5ce94759a9bc8b1e3be\services.exe" 109056 13/04/2008 21:19 
    "C:\WINDOWS\system32\services.exe" 111104 09/02/2009 05:08 
    "C:\WINDOWS\system32\dllcache\services.exe" 111104 09/02/2009 05:08 
    =======================================================================
    "C:\WINDOWS\SoftwareDistribution\Download\c6accdcd02a08bf2b2edd97027272422\userinit.exe" 26624 13/04/2008 21:19 
    "C:\WINDOWS\SoftwareDistribution\Download\c90143e38809b5ce94759a9bc8b1e3be\userinit.exe" 26624 13/04/2008 21:19 
    "C:\WINDOWS\system32\userinit.exe" 25088 19/08/2004 16:00 
    =======================================================================
    "C:\WINDOWS\SoftwareDistribution\Download\c6accdcd02a08bf2b2edd97027272422\winlogon.exe" 510976 13/04/2008 21:19 
    "C:\WINDOWS\SoftwareDistribution\Download\c90143e38809b5ce94759a9bc8b1e3be\winlogon.exe" 510976 13/04/2008 21:19 
    "C:\WINDOWS\system32\winlogon.exe" 505344 19/08/2004 16:00
    If you do have Virut or any other PE system file infector, you will have to reinstall to properly recover. Also if you did have that infection mentioned in the links I edited into my message, then it also may be wise to ensure your security and reinstall too.
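    As an added illustration of the size check chaslang describes (this is not code from the thread or from any tool named in it), the Python below parses listing lines in the format shown, groups the copies by file name, and flags any live copy whose size differs from its dllcache copy, which is the reference Windows File Protection restores from. Pending update downloads, hotfix backups ($hf_mig$) and ERDNT backups are reported separately because their sizes legitimately differ; the sample listing is constructed, and its userinit.exe dllcache line is invented so that one mismatch appears.

```python
import re
from collections import defaultdict

# One listing line in the format shown in the post: "path" size dd/mm/yyyy hh:mm
LINE_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})$'
)

# Constructed sample listing. The explorer.exe and regedit.exe lines mirror the post;
# the userinit.exe dllcache line is invented so that one mismatch shows up.
SAMPLE_LISTING = r"""
=======================================================================
"C:\WINDOWS\explorer.exe" 1035776 13/06/2007 08:22
"C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe" 1035776 13/06/2007 08:10
"C:\WINDOWS\ERDNT\cache\explorer.exe" 1035776 13/06/2007 08:22
"C:\WINDOWS\SoftwareDistribution\Download\c6accdcd02a08bf2b2edd97027272422\explorer.exe" 1036288 13/04/2008 21:18
"C:\WINDOWS\system32\dllcache\explorer.exe" 1035776 13/06/2007 08:22
=======================================================================
"C:\WINDOWS\regedit.exe" 152064 19/08/2004 16:00
"C:\WINDOWS\SoftwareDistribution\Download\c6accdcd02a08bf2b2edd97027272422\regedit.exe" 152064 13/04/2008 21:19
=======================================================================
"C:\WINDOWS\system32\userinit.exe" 25088 19/08/2004 16:00
"C:\WINDOWS\system32\dllcache\userinit.exe" 26624 13/04/2008 21:19
"""


def parse_listing(text):
    """Turn listing lines into dicts; separator and unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        entries.append({
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
            "size": int(m.group("size")),
            "stamp": m.group("date") + " " + m.group("time"),
        })
    return entries


def classify(path):
    """Role of a copy: the dllcache reference, a staged update/backup, or the live file."""
    p = path.lower()
    if "\\system32\\dllcache\\" in p:
        return "dllcache"
    if any(tag in p for tag in ("\\softwaredistribution\\", "\\$hf_mig$\\", "\\erdnt\\")):
        return "staged"
    return "live"


def compare_copies(entries):
    """Per file name, compare live copies against the dllcache copy.

    Staged copies (pending updates, hotfix backups, ERUNT backups) are collected
    separately: their sizes differ legitimately and must not trigger a flag.
    """
    groups = defaultdict(lambda: {"live_sizes": set(), "dllcache": None, "staged_sizes": set()})
    for e in entries:
        g = groups[e["name"]]
        role = classify(e["path"])
        if role == "dllcache":
            g["dllcache"] = e["size"]
        elif role == "staged":
            g["staged_sizes"].add(e["size"])
        else:
            g["live_sizes"].add(e["size"])
    report = {}
    for name, g in groups.items():
        ref = g["dllcache"]
        mismatch = ref is not None and any(s != ref for s in g["live_sizes"])
        report[name] = {**g, "mismatch": mismatch}
    return report


def flagged(report):
    """Names whose live copy disagrees with its dllcache reference."""
    return sorted(n for n, r in report.items() if r["mismatch"])


if __name__ == "__main__":
    rep = compare_copies(parse_listing(SAMPLE_LISTING))
    for name, r in sorted(rep.items()):
        ref = r["dllcache"] if r["dllcache"] is not None else "no dllcache copy"
        print(f"{name}: live={sorted(r['live_sizes'])} dllcache={ref} "
              f"staged={sorted(r['staged_sizes'])} {'MISMATCH' if r['mismatch'] else 'ok'}")
```

    This is a quick consistency check, not an infector detector: a flagged file still needs to be hashed against a known-good copy or scanned, and a file with no dllcache copy (such as regedit.exe here) cannot be judged this way at all.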
     
  9. sinrazon_1

    sinrazon_1 Private E-2

    Yes, I've been saving the more important logs on the desktop (but quick-scan logs) and in this one only cookies were detected and I deleted them (because for this scan I didn't use CCleaner before). My apologies. In the other full and quick scans (using CCleaner) nothing was found.

    I did that on the infection days, when I started to see that Avast! and the others were not enough.. But I saw the strange service in those moments. I only deleted 4 files and registry keys according to this.

    Actually the first Java Plugin vulnerability occurred on 6 Feb. That day Avast! detected some virus, and I didn't pay much attention. For a few days it was ok, but then Java Plugin (now with AcroRd32.exe and WMP) started again.. Since that day (I'm not sure, I think 12 Feb) the critical problems suddenly started, so I disabled and upgraded Java and started a round of scans (it took several days due to the slowness).

    Sorry for my desktop, it's been full since I got infected and downloaded a few tools. And I didn't know about Norman, thanks for the tip.

    Virut? :eek Actually when I scanned, KAV found nothing, neither did ESET Online, and Panda just 2 trojans.. But I perfectly understand about the files.. How can I confirm this? And how might I know what Virut variant I have? Please, noooo :________

    'Reinstall' means format the hard disk? What types of files can I save? Or is there another option? Anyway I'll do what you recommend me.

    Finally, I still have the slowness of Windows, but since I finished with the "Read & Run Me", Java plugins, AcroRd and WMP have not reopened again. I'll wait a little longer to fully confirm it.

    Really, thank you very much for all your help!
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your replies keep getting caught in moderation. This is the second time and I guess it's because of your use of
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat! Some of those keys are necessary Windows keys. Since you did not clearly say EXACTLY what you deleted, I can only assume you removed everything listed.

    Okay then part of what I was getting at was you installed many things after this date including Kaspersky and all of them have affected your startup time which is compounded by the limited memory.

    I don't know. All I know is your file sizes do not seem correct. Some forms of Virut are not detected by antivirus programs. It is also possible that the files for your language are different sizes and that you do not have a Virut infection at all. If no scans have detected Virut at all then they may not be infected with Virut.

    Yes it means format and reinstall from scratch. Very little can be saved. Only personal data and pictures. Virut can be carried in many different types of files but most commonly it infects all executable type files like .exe, .com, .dat, .dll, .scr but many more can be infected. If it is Virut, there is no other option and it will just get worse over time if it is Virut.

    If your only problem is the slow startup time then just uninstall all the stuff you installed since Feb 6th like Kaspersky and other programs and see if your startup time improves. As I keep saying, you don't have enough memory and that is going to slow down startup. You cannot compare to what you "used to have" because you have changed what is on your system and no longer have the same system.

    However as I stated before the other possible infection you had ( the one in the links I edited into a previous message ) indicates that you could have had, or still may have, some aspects of an infection that could be dangerous to your financial security and as such, a reinstall may be prudent anyway. And in addition it would be wise to check with all your financial institutions ( credit cards, banks,....etc) for illegal activities. Also you should use a different known clean PC to change ALL passwords for all accounts.
     
    Last edited: Mar 6, 2011
  12. sinrazon_1

    sinrazon_1 Private E-2

    Hi Chaslang! I'm so sorry for the lateness in responding, but the problem with Java Plugin and AcroRd has not been resolved. As happened before, it can go without appearing for 1 or 2 days, but then it returns.

    These days I spent on a Dr. Web full scan (because before I only ran the express scan) and 30h later it found nothing important.. just 2 old keygens I had saved out there. I think it's a rootkit hidden behind services or svchost, I don't know.. I can't believe nothing detected it.

    The threat page lists 4 files, 1 service and 12 (4 main) registry keys. I did this manually in safe mode (because nothing detected it), in this order:
    Service:
    IpSectPro service new STOPPED AND DELETED
    Files:
    %Windir%\system\13593.exe KILL PROCESS AND DELETED
    %Windir%\Web\ddid DELETED
    %Windir%\Web\ddnm DELETED
    %Windir%\Web\ddnm DELETED
    Registry Keys:
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_13593] CAN'T BE MANUALLY REMOVED
    -HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_13593\0000
    -HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_13593\0000\Control
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\13593] DELETED
    -HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\13593\Security
    -HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\13593\Enum
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_13593] CAN'T BE MANUALLY REMOVED
    -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_77546\0000
    -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_77546\0000\Control
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\77546] DELETED
    -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\77546\Security
    -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\77546\Enum

    I've uninstalled everything unnecessary, Kaspersky included. But I have to say the slowness in startup and in opening any program was there after the infection, but before installing all this.

    As far as the possible Virut infection, I uploaded the files you mentioned to VirusTotal, and it does not detect anything. Dr. Web doesn't detect it either, and I see it may be due to the different languages/versions of the files; all sizes are known (example). I don't know if that rules out the possible Virut infection.

    Finally, this registry key still exists:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "DhcpNameServer"=173.193.227.124 173.192.105.217

    Maybe in the end I'll reinstall Windows, but I really wanna know exactly what I have, and I'd like to try all the possible ways to resolve it.. If you want I can attach the DrWeb log, although it shows nothing. I hope something can be done. Many thanks in advance!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are not malware issues. You should post your questions/problems with them in the Software Forum.

    Not according to any of the logs you have posted. If you had malware, we would have noticed it. You do not appear to have any current malware since the file lengths I questioned may just be due to the non-English version of Windows and scans indicated they were clean. It is not impossible that you just have residual damage from previous malware or from some changes that you made on your own outside of what was done in this forum.

    Then again, likely residual damage or maybe you did not get some items uninstalled. Seems your best bet would be to reinstall as there is nothing being found in any of your logs that is a problem other than too little memory.

    I don't think this is really a malware problem but we can try removing it with the below. But do note that if you find that you cannot connect to the internet afterwards then this DNS setting was needed and you will have to reestablish your DNS settings.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. sinrazon_1

    sinrazon_1 Private E-2

    Hi Chaslang, I did what you told me, I attached the required logs!

    Actually, I don't really know if I still have malware, but it is the same way that the malware used before to infect my PC.. I have taskmgr always open, and when I see that these processes are opening, I close them immediately. But if I don't do this, WMP tries to connect to "random" servers, for example:
    rt340.biz
    Xd567.su

    At that time, I cancel the request. But as I say this is happening.. but I kill the process first.

    I followed the steps you gave me, and I attached the logs. I've searched the registry and I see the DNS key is clean!
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "DhcpNameServer"=""
    But looking at the Network Connections, I saw this. Now, while writing this post and uploading the .jpg to tinypic, Java-AcroRd-WMP opened again.. (I killed the processes before they attempted to connect to something).

    I await your instructions, Chaslang, thanks so much!

    I'm editing to ask about the registry keys of "IPSectPro Service New" that I couldn't remove.. I looked and I still have these keys:
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_13593]
    -HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_13593\0000
    -HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_13593\0000\Control
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_13593]
    -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_77546\0000
    -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_77546\0000\Control

    Thanks!
     

    Attached Files:

    Last edited: Mar 11, 2011
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This appears to be your required DNS server addresses from your ISP.

    Let's run another fix and also a few follow up scans.


    Uninstall Spybot - Search & Destroy 1.4 which is years out of date.
    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Now let's flush the FireFox Cache
    To flush your FireFox Cache:
    • click Tools
    • select Options
    • select Privacy
    • in the section labeled Private Data click Clear Now
    Now let's flush the Internet Explorer Cache
    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.
    Now run Ccleaner!


    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now run this >> GMER - running with a random name and attach the log from GMER

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • the log from GMER
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. sinrazon_1

    sinrazon_1 Private E-2

    Chaslang,

    I've removed SpyBot 1.4 and used the CFscript on ComboFix successfully! By the way, the files:
    C:\Documents and Settings\HP_Propietario\Escritorio\aqbwa495.exe = Dr. WEB random name
    C:\Documents and Settings\HP_Propietario\Escritorio\bross2011.exe = COMODO 2011 renamed
    C:\Documents and Settings\HP_Propietario\Escritorio\skk5oojt.exe = GMER random name
    Anyway those files have been removed by CF.

    I have to say the startup has been slightly improved, now it takes 7-8 minutes approx (before infection 2-3 min and after 10-12), but the slowness in opening any program is still the same.

    I've cleaned following all your steps successfully, executed HostsXpert and GetLogs too. But I have problems with GMER. The first time, when I performed the scan and it had just started, the PC crashed (froze). I could only reset and then I tried 2 more times, but the same happened. I've even tried the scan in safe mode, but it's the same. It's the first time the PC has crashed with a security tool!

    I await your instructions, thank you so much for your help!
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not rerun GetLogs.bat and thus your MGlogs.zip file was not updated.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  18. sinrazon_1

    sinrazon_1 Private E-2

    How strange, but I've run it again, I hope that now the .zip has been updated!
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not a topic for this forum since it is not due to malware. Your PC needs more memory to run efficiently.

    Your logs may be clean. I say maybe because ComboFix thinks your Registry Editor ( regedit.exe ) is infected but this could just be due to the non-English version of Windows being used or it could be due to what I worried about earlier. You could scan regedit.exe at http://www.virustotal.com/ to see if any problems are detected.


    Any remaining issues are due to problems with Windows itself and may require a repair or a reinstall which you can discuss in the Software Forum.
     
    Last edited: Mar 14, 2011
  20. sinrazon_1

    sinrazon_1 Private E-2

    I did, and no results found (0/43). Btw, while uploading regedit to VirusTotal, Java opened again and WMP too, attempting to connect, but I closed them. It's gonna drive me crazy :crybaby

    I really wanted to know what I have, but it's so strange.. MG was my last hope! I'd prefer to do what you said and reinstall the OS; happily I realized I can use HP Recovery and so won't have problems with the Windows licence. I promise to improve my RAM too.

    Thank you so much for your time, Chaslang, and your patience with my English and my logs in Spanish. Good luck! :drink
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    It is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  22. sinrazon_1

    sinrazon_1 Private E-2

    Hi again, Chaslang! I'm writing again to tell you how I solved my problem; maybe it'll help someone.

    Following your advice, I reinstalled Windows. I made a backup of important files and reinstalled Windows successfully. I used the "HP recovery disk" to format and put the PC back to factory settings. All is pretty fine now!

    Firstly, I updated to IE8 and Java 6.24 (I didn't want to have the same problem again), and then I used Windows Update, but when I opened the Microsoft site, Java, AcroRd and RealPlayer (trying to connect to a server) opened again! :eek

    Just in case, I downloaded MBAM and SAS and did full scans with both, but nothing was found (I still haven't restored the backup files). Then I looked at the Network Connections and the DNS servers were the same: 173.193.227.124 and 173.192.105.217. I contacted my ISP and they changed my modem and reset the settings. Now I look at the DNS servers and I have the correct ones. Since then, the problem hasn't happened again! :-D

    The reinstall fixed the slowness of the PC. Regarding the problem with Java and the connection attempts, it wasn't in FF, IE or Chrome; it was a change the malware had made to the DNS servers. Changing this will solve everything about that!

    Hope this is helpful for someone else. Many thanks for all your help; finally I can say problem solved ;)!!
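The check that finally explained this thread's symptoms was looking at which DNS servers the PC was actually using. The script below is an added example (it is not code from the poster, from MajorGeeks or from MGtools) that automates that check: it parses the text of `ipconfig /all` and flags any DNS server that is neither a private address (your own router) nor on an allow list you supply. The sample output is constructed to mimic the English XP layout of `ipconfig /all`; the adapter name, MAC, and LAN addresses are made up, and the two DNS addresses are the ones the poster reported above. The allow-list policy is an assumption of this example, not something the thread prescribes.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (English Windows XP layout, shortened).
# Adapter, MAC and LAN addresses are invented; the two DNS servers are the addresses
# reported in the thread above. This is not a capture from the poster's machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : hp-home
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 173.193.227.124
                                            173.192.105.217
"""

# "Ethernet adapter Local Area Connection:"  (column 0, ends with a colon)
ADAPTER_RE = re.compile(r'^(\S.*?):\s*$')
# "        DNS Servers . . . . . . . . . . . : 173.193.227.124"  (indented key . . . : value)
KEY_RE = re.compile(r'^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$')
# "                                            173.192.105.217"  (continuation of a multi-value key)
CONT_RE = re.compile(r'^\s+(\S+)\s*$')


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values, ...]}} from `ipconfig /all` text.

    Multi-value fields such as "DNS Servers" list extra values on their own
    indented lines, so each field maps to a list.
    """
    adapters = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_key = None
            continue
        if current is None:          # header lines before the first adapter
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            value = m.group(2).strip()
            adapters[current][last_key] = [value] if value else []
            continue
        m = CONT_RE.match(line)
        if m and last_key is not None:
            adapters[current][last_key].append(m.group(1))
            continue
        last_key = None              # a blank or unrecognised line ends the field
    return adapters


def is_trusted(server, allowed):
    """A DNS server is trusted if it is a private/local address (your own router)
    or explicitly on the operator-supplied allow list (assumed policy)."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or server in allowed)


def audit_dns(text, allowed=()):
    """Return {adapter: [untrusted DNS servers]} for every adapter that has any."""
    findings = {}
    for name, fields in parse_ipconfig(text).items():
        bad = [s for s in fields.get('DNS Servers', []) if not is_trusted(s, allowed)]
        if bad:
            findings[name] = bad
    return findings


if __name__ == '__main__':
    # Allow list is a placeholder; put your ISP's resolvers or a public resolver you chose here.
    for adapter, servers in audit_dns(SAMPLE_IPCONFIG, allowed={'8.8.8.8'}).items():
        print(f'{adapter}: DNS servers not on the allow list: {servers}')
```

To use it on a real machine, run `ipconfig /all > ipconfig.txt` from a command prompt and pass the file's contents to `audit_dns`. Two caveats a practitioner should keep in mind: if the addresses were handed out by DHCP, the tampering lives in the modem or router rather than on the PC (which is exactly what the poster found, and why a clean reinstall did not fix it), so check the router's WAN DNS settings too; and a DNS server that passes this check is not necessarily honest, only one you chose yourself.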
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Interesting. I'm happy to hear you have it resolved. And thanks for the update.

    Yes, we have seen quite a few DNS poisoning infections which have infected routers and sometimes modems. The IP addresses shown in yours, however, are not any of the ones that have been seen, so this is a first. I will have to add them to the list of items scanned for and recognized by MGtools.
     
