?unknown malware connecting to xakepy.ru

Discussion in 'Malware Help (A Specialist Will Reply)' started by Hangten, Sep 21, 2006.

  1. Hangten

    Hangten Private E-2

    Hello all
    Sorry that my first post here is about a problem.
    I have been lurking here for a while and have been impressed.
    Of course it was NEVER going to happen to me :rolleyes:
    I am of course an expert user when all is good.
    Hopeless newbie if it goes wrong.

    I have XP home Sp2 fully patched.
    1G ram
    ASUSTeK Computer Inc. P4P800S Rev 1.xx
    BIOS: American Megatrends Inc. 080009 08/05/2003
    2.67 gigahertz Intel Pentium 4
    Internal WD
    external WD USB>IDE

    Security:
    NAV/NIS/NPF (I know, but it has served me ok for a while, waiting for NOD suite/Avira suite)
    Spybot with Teatimer
    BOClean
    Hosts file
    Spyware blaster
    Spyware guard
    Use FF almost exclusively (occasional need for some sites with IE6 fully locked)
    Regular clean with CCleaner
    Regular sweeps on line with various AVs
    Send and receive MY e-mail in text only.

    Had some friends staying last weekend and they were e-mailing on the administrator account (error No1)

    Later that day I noticed in/out connections in NIS to xakepy.ru..??
    Googled: not good.
    Mistake no2; stunned, panicked: deleted all temps/cache/cookies/logs
    Scanned with everything I could think of:
    Spybot: found something; see below
    Webroot
    NAV
    AVira
    KAV
    Gmer
    RKR
    IceSword
    Darkspy
    Trend
    : Nothing. Felt a bit better. No further connections seen.

    Ran HJT and noticed reset of:
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    Googled again: looked bad: fixed. No recurrence on repeat HJT scans.

    Googling around;
    Now I have found this with Autoruns:
    SysEnforce:File not found: C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

    Spybot found this:
    Win23.PE: Settings
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386
    Win23.PE: Settings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386

    That also seems to be a baddy.
    I can't seem to find anything else.

    I am happy to go through the "removal protocol" you have here and post back if that would be useful.

    Thanks for any advice.
     
  2. matt.chugg

    matt.chugg MajorGeek

    Please do go through the read and run me procedure and post the logs listed below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Hangten

    Hangten Private E-2

    Thank you :cool:
    Sorry about not posting as per protocol.

    Doing all that takes some time for me.
    I'll be back soon.
     
  4. matt.chugg

    matt.chugg MajorGeek

    No problem, we'll be here when you are ready.
     
  5. Hangten

    Hangten Private E-2

    Thankyou
    Stupid me.
    Have FDISR in system and have 3 "snapshots" present.
    This means LLLooooooooNNNNgggg scans.
    Still, better to have scanned them too.
    They can be wiped and the assumption is that whatever is in them goes too.
    Don't know if that has been tested yet!

    Have followed steps as required :)

    Here are the log files:
     

    Attached Files:

  6. Hangten

    Hangten Private E-2

    Here are others.
    HJT ran as sgc.exe

    Thank you for taking an interest.

    salut
    Hangten.
     

    Attached Files:

  7. matt.chugg

    matt.chugg MajorGeek

    I need more information about one of the files activescan is reporting. The second one is normally part of a smitfraud fix utility but I am unsure as to why it is in system 32.

    Download the attached zip file and extract both files to a folder in a convenient location. Run the GetFileDetails.bat file and upload the log created in the root of c: (c:\getdetails.txt)

    You have SEVERAL versions of acrobat installed ... do you need them ALL ?

    There's also something funny going on with your JRE: the updater is running at U8 but the startup entry is U4

    Have HJT fix the following lines

    I see no particular evidence of malware in your logs, although there is evidence that there was malware at some point but it has been removed (see the last 2 lines I asked you to fix)

    Are you still having any malware issues ?
     

    Attached Files:

  8. Hangten

    Hangten Private E-2

    Hi matt.chugg
    Thanks for following
    OK
    Um no. I suspect they get dled by the domestic supervisor by mistake every now and then. How do I get rid of them?
    As per instructions I deleted the previous versions I had installed and installed the V8 version today prior to scans as suggested: any help?

    Just a question, don't those HJT O6 entries reflect restrictions I have placed in IE?
    How can one find info about those ?clsid keys, or are they ActiveX functions in O16 entries?

    Attached is getdetails.

    salut.
     

    Attached Files:

  9. matt.chugg

    matt.chugg MajorGeek

    Just uninstall the version you don't need from Add/Remove programs in control panel.

    Leave the O16 lines if you created the restrictions intentionally.

    Don't worry about the Java, I have removed the startup entry for the old scheduler.

    The file process.exe is not malware, it's part of smitfraudfix.

    04E214E5-63AF-4236-83C6-A7ADCBF9BD02 is housecall from trend micro

    0E5F0222-96B9-11D3-8997-00104BD12D94 is PCPitstop Utility
     
  10. Hangten

    Hangten Private E-2

    @matt.chugg

    OK thanks

    Yes, still having some problem:
    Explorer.exe keeps crashing when I access the C drive from My Computer, followed by the drwatson debugger crashing.
    At the same time the NIS, Ghost, Spyware Guard, and Spybot Teatimer/Resident icons disappear from the start-up list in the taskbar.

    Box freezes, requires reboot, and then it appears on restart that NAV or NIS is disabled for a short while. ???

    I think I may have disabled some explorer global hooks with Teatimer?

    In addition I ran gmer and it is showing blank ADS entry see attached.
    But nothing else.

    What do I do? I'm an idiot.

    Hangten
     

    Attached Files:

  11. matt.chugg

    matt.chugg MajorGeek

    Disable Teatimer. Its on-access scanner is probably causing conflicts with Norton's on-access scanner.
     
  12. Hangten

    Hangten Private E-2

    @matt.chugg

    Thank you for your help.
    I appreciate it

    Regards.
    Hope not to be back in this subforum again

    Regards
     
