TechSpot

Google links redirection - Slow page loading

By BaronCzerny
Feb 27, 2011
  1. Hello,

    my brother's PC got infected by malware that redirected his Google results to an antivirus software site. I recommended that he download Malwarebytes' Anti-Malware and scan the computer. The software seemingly got rid of some malware, because the links no longer redirect. Instead he gets very long loading times, and some pages don't even load completely. Sometimes the browser even crashes.

    Computer: PC with Pentium 4
    OS: Windows XP SP2 - Spanish (the messages in the logs are in Spanish. Hope this is not too much of a problem)
    Antivirus: Comodo Internet Security Free version
    Browser used: Firefox 3.6.13

    Any help regarding the complete removal of the malware is greatly appreciated!

    Miguel

    Logs
    ======================================================
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5794

    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 7.0.5730.13

    21/02/2011 9:57:57
    mbam-log-2011-02-21 (09-57-57).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 206880
    Time elapsed: 37 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\usuario\configuración local\Temp\gpxnks8s.exe.part (Rogue.SmartInternetProtection) -> Quarantined and deleted successfully.
    c:\documents and settings\usuario\datos de programa\sdra64.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{5f7eb413-81c9-4a61-b1b7-8e59cf5c8093}\RP620\A0701023.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{5f7eb413-81c9-4a61-b1b7-8e59cf5c8093}\RP620\A0701024.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{5f7eb413-81c9-4a61-b1b7-8e59cf5c8093}\RP620\A0701025.exe (HackTool.SnadBoy) -> Quarantined and deleted successfully.
    ======================================================

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-23 11:23:51
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16 ST3160815AS rev.3.AAA
    Running: 0uudli5q.exe; Driver: C:\DOCUME~1\usuario\CONFIG~1\Temp\kwlyipod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xA938312C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xA938336A]

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    ---- EOF - GMER 1.0.15 ----

    ======================================================

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by usuario at 12:53:20,92 on 23/02/2011
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2022.1612 [GMT 1:00]

    AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *Disabled*

    ============== Running Processes ===============

    C:\Archivos de programa\COMODO\COMODO livePCsupport\CLPSLS.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\AstSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe
    C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Software\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>;*.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre1.6.0\bin\ssv.dll
    TB: HopSurf toolbar: {e9fab13d-4600-49e1-90d1-ee961c859d39} - c:\archivos de programa\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] "c:\archivos de programa\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre1.6.0\bin\jusched.exe"
    mRun: [HP Software Update] "c:\archivos de programa\hewlett-packard\hp software update\HPWuSchd2.exe"
    mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [COMODO Internet Security] "c:\archivos de programa\comodo\comodo internet security\cfp.exe" -h
    mRun: [RegTask] c:\archivos de programa\regtask\RegTask.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\winzip~1.lnk - c:\archivos de programa\winzip\WZQKPICK.EXE
    uPolicies-explorer: DisallowRun = 1 (0x1)
    IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\archivos de programa\java\jre1.6.0\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
    IE: {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\archivos de programa\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    TCP: {4AC016F5-A2A5-41F3-8D84-E68CDB2D0775} = 80.58.0.33,80.58.32.97
    TCP: {CFC6972C-C5C8-4883-8144-72131CF4214F} = 87.216.1.65,87.216.1.66
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    IFEO: image file execution options - svchost.exe
    IFEO: OLT.exe - svchost.exe

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\usuario\datosd~1\mozilla\firefox\profiles\0tsey6q8.default\
    FF - prefs.js: browser.search.selectedEngine - search
    FF - plugin: c:\archivos de programa\java\jre1.6.0\bin\npjpi160.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-1-27 28552]
    R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-4-9 15464]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-4-9 225344]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-4-9 25240]
    R2 CLPSLS;COMODO livePCsupport Service;c:\archivos de programa\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-19 148744]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\archivos de programa\comodo\comodo internet security\cmdagent.exe [2010-4-9 1769216]
    R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [2011-1-12 372480]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-16 35968]
    S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\kmxagent.sys --> c:\windows\system32\drivers\kmxagent.sys [?]
    S1 KmxFile;KmxFile;c:\windows\system32\drivers\kmxfile.sys --> c:\windows\system32\drivers\KmxFile.sys [?]

    =============== Created Last 30 ================

    2011-01-28 01:36:02 -------- d-----w- c:\docume~1\usuario\datosd~1\Malwarebytes
    2011-01-28 01:35:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-28 01:35:57 -------- d-----w- c:\docume~1\alluse~1\datosd~1\Malwarebytes
    2011-01-28 01:35:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-28 01:35:54 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
    2011-01-27 12:29:26 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2011-01-27 12:28:21 -------- d-----w- c:\archivos de programa\Panda Security
    2011-01-27 10:23:08 -------- d-----w- c:\docume~1\usuario\config~1\datosd~1\COMODO
    2011-01-27 09:22:03 -------- d-sh--w- c:\docume~1\alluse~1\datosd~1\SIFNIJP
    2011-01-27 09:21:16 -------- d-sh--w- c:\docume~1\alluse~1\datosd~1\3740ed

    ==================== Find3M ====================

    2010-12-10 15:10:50 338760 ----a-w- c:\archivos de programa\RegtaskTool_Installer.exe
    2010-12-10 12:09:17 6252136 ----a-w- c:\archivos de programa\winzip100.exe
    2010-05-10 08:44:52 62223760 ----a-w- c:\archivos de programa\cisfree_installer_x86.exe
    2009-01-28 12:34:18 26193832 ----a-w- c:\archivos de programa\AdbeRdr90_es_ES.exe
    2008-12-11 12:15:49 6024704 ----a-w- c:\archivos de programa\easypdf5_setup.msi
    2006-09-01 09:00:00 746600 ----a-w- c:\archivos de programa\GDS.EXE
    2006-09-01 09:00:00 702120 ----a-w- c:\archivos de programa\GTB9X.EXE
    2006-09-01 09:00:00 558248 ----a-w- c:\archivos de programa\GTBXP.EXE
    2006-09-01 09:00:00 204800 ----a-w- c:\archivos de programa\SETUP.EXE

    ============= FINISH: 12:53:50,87 ===============
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Miguel. I will do my best to help, but Spanish may be a problem. I don't have time to go through translations, so if I can't determine what an entry is, I will refer it back to you to identify, then tell me.

    While I go over these logs, please go ahead and run the following. English would be appreciated.

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Recovery Console query prompt (screenshot omitted).
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this (screenshot omitted).
    • Click on Yes, to continue scanning for malware
    • If ComboFix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. BaronCzerny

    BaronCzerny TS Rookie Topic Starter

    Thanks so much for your help, Bobbye. I'll do my best to get the English version of the messages (some are system generated, but others depend on the software used, I guess, like with Malwarebytes' program. We used the Spanish version here).
    More in a while.

    Best,

    Miguel
     
  4. Bobbye


    Okay, thanks.
     
  5. BaronCzerny


    Dear Bobbye,

    please find enclosed the two logs (Eset and Combofix).

    Thanks!

    Miguel

    Eset NOD32 Online antivirus ========================

    C:\Documents and Settings\All Users\Datos de programa\3740ed\6721.mof Win32/RogueAV.A trojan

    ===============================================


    ComboFix 11-02-27.03 - usuario 28/02/2011 18:20:01.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2022.1581 [GMT 1:00]
    Running from: c:\software\ComboFix.exe
    AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\archivos de programa\Setup.exe
    c:\documents and settings\All Users\Datos de programa\3740ed
    c:\documents and settings\All Users\Datos de programa\3740ed\3740ed6ee3def639287eaaf39cd1a0c8.ocx
    c:\documents and settings\All Users\Datos de programa\3740ed\6721.mof
    c:\documents and settings\All Users\Datos de programa\3740ed\BackUp\WinZip Quick Pick.lnk
    c:\documents and settings\All Users\Datos de programa\3740ed\mozcrt19.dll
    c:\documents and settings\All Users\Datos de programa\3740ed\n5e7tm9q01novktm9q01u8zim9q01u8wu8gcdan.dll
    c:\documents and settings\All Users\Datos de programa\3740ed\SIP.ico
    c:\documents and settings\All Users\Datos de programa\3740ed\sqlite3.dll
    c:\documents and settings\usuario\Reciente\CLSV.sys
    c:\documents and settings\usuario\Reciente\exec.dll
    c:\documents and settings\usuario\Reciente\kernel32.dll
    c:\windows\system32\midas.dll

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
    .

    2011-02-28 12:52 . 2011-02-28 12:52 -------- d-----w- c:\archivos de programa\ESET

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 17:09 . 2011-01-28 01:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 17:08 . 2011-01-28 01:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-10 15:10 . 2010-12-10 15:10 338760 ----a-w- c:\archivos de programa\RegtaskTool_Installer.exe
    2010-12-10 12:09 . 2010-12-10 12:09 6252136 ----a-w- c:\archivos de programa\winzip100.exe
    2010-05-10 08:44 . 2010-05-10 08:40 62223760 ----a-w- c:\archivos de programa\cisfree_installer_x86.exe
    2009-01-28 12:34 . 2009-01-28 12:33 26193832 ----a-w- c:\archivos de programa\AdbeRdr90_es_ES.exe
    2008-12-11 12:15 . 2008-12-11 12:13 6024704 ----a-w- c:\archivos de programa\easypdf5_setup.msi
    2006-09-01 09:00 . 2010-12-16 10:24 746600 ----a-w- c:\archivos de programa\GDS.EXE
    2006-09-01 09:00 . 2010-12-16 10:24 702120 ----a-w- c:\archivos de programa\GTB9X.EXE
    2006-09-01 09:00 . 2010-12-16 10:24 558248 ----a-w- c:\archivos de programa\GTBXP.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
    "SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0\bin\jusched.exe" [2007-05-22 77824]
    "HP Software Update"="c:\archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
    "QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2008-03-28 413696]
    "Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "COMODO Internet Security"="c:\archivos de programa\COMODO\COMODO Internet Security\cfp.exe" [2010-04-08 2029456]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-20 15360]

    c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
    WinZip Quick Pick.lnk - c:\archivos de programa\WinZip\WZQKPICK.EXE [2010-12-10 122880]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Archivos de programa\\Bonjour\\mDNSResponder.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:Remote Desktop
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5184:TCP"= 5184:TCP:Services
    "8868:TCP"= 8868:TCP:Services
    "7682:TCP"= 7682:TCP:Services
    "7683:TCP"= 7683:TCP:Services
    "9316:TCP"= 9316:TCP:Services
    "8504:TCP"= 8504:TCP:Services
    "7597:TCP"= 7597:TCP:Services
    "6722:TCP"= 6722:TCP:Services
    "8488:TCP"= 8488:TCP:Services
    "8489:TCP"= 8489:TCP:Services
    "9410:TCP"= 9410:TCP:Services
    "7144:TCP"= 7144:TCP:Services
    "8691:TCP"= 8691:TCP:Services
    "8269:TCP"= 8269:TCP:Services
    "8457:TCP"= 8457:TCP:Services
    "9832:TCP"= 9832:TCP:Services
    "8066:TCP"= 8066:TCP:Services
    "9175:TCP"= 9175:TCP:Services
    "7738:TCP"= 7738:TCP:Services
    "2020:TCP"= 2020:TCP:Services
    "9019:TCP"= 9019:TCP:Services
    "8738:TCP"= 8738:TCP:Services
    "4297:TCP"= 4297:TCP:Services
    "8347:TCP"= 8347:TCP:Services
    "8175:TCP"= 8175:TCP:Services

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [27/01/2011 13:29 28552]
    R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [09/04/2010 0:25 15464]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [09/04/2010 0:25 225344]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [09/04/2010 0:25 25240]
    R2 CLPSLS;COMODO livePCsupport Service;c:\archivos de programa\Comodo\COMODO livePCsupport\CLPSLS.exe [19/02/2010 16:00 148744]
    R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [12/01/2011 10:35 372480]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [16/04/2007 15:12 35968]
    S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys --> c:\windows\system32\DRIVERS\kmxagent.sys [?]
    S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys --> c:\windows\system32\DRIVERS\KmxFile.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {4AC016F5-A2A5-41F3-8D84-E68CDB2D0775} = 80.58.0.33,80.58.32.97
    TCP: {CFC6972C-C5C8-4883-8144-72131CF4214F} = 87.216.1.65,87.216.1.66
    FF - ProfilePath - c:\documents and settings\usuario\Datos de programa\Mozilla\Firefox\Profiles\0tsey6q8.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-updateMgr - c:\archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    HKLM-Run-SkyTel - SkyTel.EXE
    HKLM-Run-RegTask - c:\archivos de programa\RegTask\RegTask.exe
    AddRemove-Microsoft Interactive Training - c:\windows\IsUn040a.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-28 18:22
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1032)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'lsass.exe'(1124)
    c:\windows\system32\guard32.dll
    .
    Completion time: 2011-02-28 18:23:35
    ComboFix-quarantined-files.txt 2011-02-28 17:23

    Pre-Run: 131.064.639.488 bytes free
    Post-Run: 131.033.149.440 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Modo Seguro Windows" /fastdetect /safeboot:minimal/sos/bootlog /fastdetect

    - - End Of File - - C61B43890C6698503202036DEF3FC4DC
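The ComboFix log above lists a long run of high TCP ports under GloballyOpenPorts, every one with the same generic display name "Services", next to the single Remote Desktop exception. As an added example, not part of this thread and not a feature of ComboFix or any other tool named here, the Python routine below pulls the firewall-exception sections out of a saved ComboFix.txt and lists the entries a reviewer should look at. The sample text is constructed from a few of the lines above; the set of expected ports is an assumption, and a flagged entry is a candidate for review, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines in the shape of the ComboFix
# "Reg Loading Points" section above (only five of the port entries are kept).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Archivos de programa\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5184:TCP"= 5184:TCP:Services
"2020:TCP"= 2020:TCP:Services

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [27/01/2011 13:29 28552]
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "3389:TCP"= 3389:TCP:Remote Desktop  ->  port, protocol, display name
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P=port):(?P=proto):(?P<name>.*)$')
APP_RE = re.compile(r'^"(?P<path>[^"]+)"=')

# Assumption: the only exception this box is expected to carry. Anything else,
# and any entry with the generic display name "Services", is listed for review.
EXPECTED_PORTS = {3389: "remote desktop"}


def parse_registry_sections(text: str) -> Dict[str, List[str]]:
    """Split REGEDIT-style output into {section key: [quoted value lines]}.

    A section ends at the first line that is not a quoted value (blank line,
    next [key] header, or the R0/R1 driver listing that follows in ComboFix.txt).
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if not line.startswith('"'):
            current = None
            continue
        sections[current].append(line)
    return sections


def open_ports(sections: Dict[str, List[str]]) -> List[Tuple[int, str, str]]:
    """Every GloballyOpenPorts entry as (port, protocol, display name)."""
    found = []
    for key, lines in sections.items():
        if not key.lower().endswith("globallyopenports\\list"):
            continue
        for line in lines:
            m = PORT_RE.match(line)
            if m:
                found.append((int(m.group("port")), m.group("proto"), m.group("name").strip()))
    return found


def authorized_apps(sections: Dict[str, List[str]]) -> List[str]:
    """Program paths from AuthorizedApplications, with REGEDIT's doubled backslashes undone."""
    found = []
    for key, lines in sections.items():
        if not key.lower().endswith("authorizedapplications\\list"):
            continue
        for line in lines:
            m = APP_RE.match(line)
            if m:
                found.append(m.group("path").replace("\\\\", "\\"))
    return found


def flag_open_ports(entries, expected=EXPECTED_PORTS):
    """Entries a reviewer should look at: unexpected ports or generic display names."""
    flagged = []
    for port, proto, name in entries:
        generic = name.lower() in ("", "services")
        if generic or expected.get(port) != name.lower():
            flagged.append((port, proto, name))
    return flagged


def triage(text: str) -> dict:
    sections = parse_registry_sections(text)
    ports = open_ports(sections)
    return {
        "authorized_apps": authorized_apps(sections),
        "open_ports": ports,
        "review": flag_open_ports(ports),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for port, proto, name in report["review"]:
        print(f"review firewall exception {port}/{proto} ({name!r})")
    for path in report["authorized_apps"]:
        print("authorized application:", path)
```

To use it on the real machine, read the contents of C:\ComboFix.txt (it is written in the system code page, cp1252 on this box) and pass the text to triage(); the "review" list is what to compare against what the user actually needs open.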
     
  6. Bobbye


    Please download the Rootkit Removal Tool HERE and save it to the desktop. There is an indication that he may have a GROMOZON rootkit.

    Gromozon is not a single infection, but a blended attack designed to bypass traditional anti-malware tools. The end result meaning that the machine is not only infected by several well known Trojans but also a highly dangerous Rootkit.

    You can find more information on this malware here: http://info.prevx.com/gromozon.asp?sessionid=9645A4EC-10B9-404B-AF84-F4DC043A0CFB

    Please follow the screen prompts, save log and paste into your next reply.

    I'll be setting up some script to run through Combofix.
     
  7. BaronCzerny


    Hello Bobbye,

    my brother has downloaded the Rootkit Removal Tool and run the software. After the scan it says that it couldn't find any rootkit. He hasn't found any log either (maybe because there wasn't anything to report about).

    Miguel
     
  8. Bobbye


    What is the status of the system now?
     
  9. BaronCzerny


    Dear Bobbye,

    sorry for the delay. I've asked my brother to monitor his PC's function for a couple of days.

    He's noticed the following:

    1. He still can't download complete web pages. The browser halts at a certain point.
    2. This is really odd: Whenever he starts the computer, after logging in, he gets a Windows warning asking him whether he wants to start the following program:

    9645A4EC10B9404BAF84.EXE

    My brother obviously answers "No".

    This program is located in the same folder where all the scanning and malware removal tools used for the "8 steps" and the ones following your further indications are saved.

    The Comodo antivirus scanner doesn't report any virus in this file. I've tried to identify it with Marco Pontello's TrID, and it says that it is most likely a Windows executable.

    Best,

    Miguel
     
  10. Bobbye


    Miguel, the problems he reports about partial loads of web pages sound more like they're system related. But the attempts of 9645A4EC10B9404BAF84.EXE asking to start most surely sound like malware. Something is on the Startup menu connected to this .exe file. It is possible he can find and stop it, possibly identify it using the msconfig utility:
    The only processes that need to start on boot are:
    Antivirus program
    Firewall if using third party firewall such as Comodo or ZoneAlarm.
    Touchpad if on laptop
    Network process if using Cisco or Network Magic

    Nothing else- but almost all users have many other unnecessary processes.
    =============================================
    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command column (this shows what the process 'belongs' to), hold the left mouse button down on the dividing line on the frame above Location and move to the right to expand.
      By expanding this column, he may be able to see what the unknown 9645A4EC10B9404BAF84.EXE is associated with, and it can be unchecked.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
    ===================================
    The Combofix scan before the rootkit scan showed this: "detected NTDLL code modification: ZwClose, ZwOpenFile".
    The NTDLL code modification indicates a kernel modification, usually a giveaway that a rootkit is on board. Running this script will generate a new Combofix log. I may get information from that to see the status of the rootkit.
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\DRIVERS\kmxagent.sys
    ;c:\windows\system32\DRIVERS\KmxFile.sys
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    Driver::
    KmxAgent
    KmxFile
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Then drag CFScript.txt onto ComboFix.exe. (Screenshot of this step omitted.)

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Have him follow with this: Be sure the directions for setting up the Directory for HJT are followed: Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
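What the msconfig steps above do by hand (match a startup item to its Location and Command, then decide whether it looks out of place) can also be done against the text of a DDS log. Below is an added example in Python, not from this thread and not from DDS, msconfig, ComboFix or HijackThis. It maps the uRun/mRun/dRun prefixes DDS uses to the registry keys msconfig shows in its Location column, pulls the executable out of each command line, and attaches review notes for the patterns worth a second look: a bare filename resolved via PATH, an image outside the Windows and program directories, or a long hexadecimal filename like 9645A4EC10B9404BAF84.EXE. The sample lines are copied from the DDS log earlier in the thread, except the uRun line for that executable, which is constructed (the thread never shows where it is registered); the trusted-directory list is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the "Pseudo HJT Report" style of the DDS log earlier in
# this thread. All lines but one are copied from that log; the uRun line for
# 9645A4EC10B9404BAF84.EXE is hypothetical (the thread never shows where that
# file is registered) and exists only so the heuristics have something to catch.
SAMPLE_DDS = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\archivos de programa\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Updater] c:\software\9645A4EC10B9404BAF84.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RegTask] c:\archivos de programa\regtask\RegTask.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\winzip~1.lnk - c:\archivos de programa\winzip\WZQKPICK.EXE
"""

# DDS prefix -> the registry key msconfig shows in its Location column.
# The ComboFix log in this thread confirms mRun = HKLM ...\Run and
# dRun = HKEY_USERS\.DEFAULT ...\Run; uRun is the logged-on user's hive.
LOCATIONS = {
    "uRun": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "mRun": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "dRun": r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
}
RUN_RE = re.compile(r"^(?P<kind>[umd]Run): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?\.lnk) - (?P<cmd>.+)$", re.I)
# First executable-looking token of a command line, quoted or not (paths may contain spaces).
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.(?:exe|com|scr|pif|bat|cmd|dll))"?(?:\s|$)', re.I)
# Assumption: where legitimate autostarts live on this Spanish XP install.
TRUSTED_DIRS = ("\\windows\\", "\\archivos de programa\\", "\\program files\\")


@dataclass
class AutostartEntry:
    location: str   # what msconfig's Location column shows
    name: str       # what its Startup Item column shows
    command: str    # what its Command column shows once widened
    image: str      # the executable that command actually runs
    reasons: List[str] = field(default_factory=list)


def extract_image(cmd: str) -> str:
    """Executable path from a Run value: quoted path, unquoted path with spaces, or bare name."""
    m = IMAGE_RE.match(cmd.strip())
    if m:
        return m.group("img")
    parts = cmd.split()
    return parts[0] if parts else ""


def review(entry: AutostartEntry) -> AutostartEntry:
    """Attach triage reasons. These are heuristics for a human to check, not verdicts."""
    img = entry.image.lower()
    stem = img.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\" not in img:
        entry.reasons.append("bare filename resolved via PATH; confirm which copy runs")
    elif not any(d in img for d in TRUSTED_DIRS):
        entry.reasons.append("image lives outside the Windows and program directories")
    if len(stem) >= 16 and re.fullmatch(r"[0-9a-f]+", stem):
        entry.reasons.append("random-looking hexadecimal filename")
    return entry


def parse_autostarts(text: str) -> List[AutostartEntry]:
    """Turn DDS uRun/mRun/dRun and StartupFolder lines into reviewed entries."""
    entries: List[AutostartEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            entries.append(review(AutostartEntry(
                LOCATIONS[m.group("kind")], m.group("name"), cmd, extract_image(cmd))))
            continue
        m = STARTUP_RE.match(line)
        if m:
            cmd = m.group("cmd")
            entries.append(review(AutostartEntry(
                "Startup folder", m.group("lnk"), cmd, extract_image(cmd))))
    return entries


def flagged(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flagged(parse_autostarts(SAMPLE_DDS)):
        print(f"{e.location} | {e.name} | {e.command}")
        for r in e.reasons:
            print("   ->", r)
```

The output is the same three columns msconfig shows, plus the reason each item was flagged, so the entry for the unknown executable can be found and unchecked without scrolling the Command column by hand. An entry with no reasons is not proof it is clean; it only means none of these three patterns applied.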
     
  11. BaronCzerny


    Bobbye,

    thanks so much again for your help. I'll report back later.

    Best,

    Miguel
     
  12. BaronCzerny

    BaronCzerny TS Rookie Topic Starter

    Hello again, Bobbye.

    Here are the logs:

    ComboFix 11-03-09.03 - usuario 10/03/2011 12:33:55.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2022.1613 [GMT 1:00]
    Running from: c:\software\ComboFix.exe
    Command switches used :: c:\software\CFScript.txt
    AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    FILE ::
    "c:\windows\system32\DRIVERS\kmxagent.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_KMXAGENT
    -------\Legacy_KMXFILE
    -------\Service_KmxAgent
    -------\Service_KmxFile
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-01 12:46 . 2011-03-01 12:46 -------- d-----w- c:\documents and settings\All Users\Datos de programa\TEMP
    2011-02-28 12:52 . 2011-02-28 12:52 -------- d-----w- c:\archivos de programa\ESET
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 17:09 . 2011-01-28 01:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 17:08 . 2011-01-28 01:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-10 15:10 . 2010-12-10 15:10 338760 ----a-w- c:\archivos de programa\RegtaskTool_Installer.exe
    2010-12-10 12:09 . 2010-12-10 12:09 6252136 ----a-w- c:\archivos de programa\winzip100.exe
    2010-05-10 08:44 . 2010-05-10 08:40 62223760 ----a-w- c:\archivos de programa\cisfree_installer_x86.exe
    2009-01-28 12:34 . 2009-01-28 12:33 26193832 ----a-w- c:\archivos de programa\AdbeRdr90_es_ES.exe
    2008-12-11 12:15 . 2008-12-11 12:13 6024704 ----a-w- c:\archivos de programa\easypdf5_setup.msi
    2006-09-01 09:00 . 2010-12-16 10:24 746600 ----a-w- c:\archivos de programa\GDS.EXE
    2006-09-01 09:00 . 2010-12-16 10:24 702120 ----a-w- c:\archivos de programa\GTB9X.EXE
    2006-09-01 09:00 . 2010-12-16 10:24 558248 ----a-w- c:\archivos de programa\GTBXP.EXE
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-02-28_17.22.16 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-09-06 10:58 . 2011-03-10 11:10 53744 c:\windows\system32\perfc009.dat
    - 2004-09-06 10:58 . 2011-02-28 16:03 53744 c:\windows\system32\perfc009.dat
    + 2004-09-06 10:58 . 2011-03-10 11:10 383390 c:\windows\system32\perfh009.dat
    - 2004-09-06 10:58 . 2011-02-28 16:03 383390 c:\windows\system32\perfh009.dat
    + 2010-05-10 12:15 . 2011-03-10 11:15 1349840 c:\windows\system32\drivers\sfi.dat
    - 2010-05-10 12:15 . 2011-02-28 17:08 1349840 c:\windows\system32\drivers\sfi.dat
    + 2007-05-25 17:22 . 2011-03-09 12:54 37943240 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
    "SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0\bin\jusched.exe" [2007-05-22 77824]
    "HP Software Update"="c:\archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
    "QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2008-03-28 413696]
    "Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "COMODO Internet Security"="c:\archivos de programa\COMODO\COMODO Internet Security\cfp.exe" [2010-04-08 2029456]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-20 15360]
    .
    c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
    WinZip Quick Pick.lnk - c:\archivos de programa\WinZip\WZQKPICK.EXE [2010-12-10 122880]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxRootkitRemovalTool]
    2011-03-01 12:44 737280 ----a-w- c:\software\9645A4EC10B9404BAF84.EXE
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Archivos de programa\\Bonjour\\mDNSResponder.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:Remote Desktop
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5184:TCP"= 5184:TCP:Services
    "8868:TCP"= 8868:TCP:Services
    "7682:TCP"= 7682:TCP:Services
    "7683:TCP"= 7683:TCP:Services
    "9316:TCP"= 9316:TCP:Services
    "8504:TCP"= 8504:TCP:Services
    "7597:TCP"= 7597:TCP:Services
    "6722:TCP"= 6722:TCP:Services
    "8488:TCP"= 8488:TCP:Services
    "8489:TCP"= 8489:TCP:Services
    "9410:TCP"= 9410:TCP:Services
    "7144:TCP"= 7144:TCP:Services
    "8691:TCP"= 8691:TCP:Services
    "8269:TCP"= 8269:TCP:Services
    "8457:TCP"= 8457:TCP:Services
    "9832:TCP"= 9832:TCP:Services
    "8066:TCP"= 8066:TCP:Services
    "9175:TCP"= 9175:TCP:Services
    "7738:TCP"= 7738:TCP:Services
    "2020:TCP"= 2020:TCP:Services
    "9019:TCP"= 9019:TCP:Services
    "8738:TCP"= 8738:TCP:Services
    "4297:TCP"= 4297:TCP:Services
    "8347:TCP"= 8347:TCP:Services
    "8175:TCP"= 8175:TCP:Services
    "1630:TCP"= 1630:TCP:Services
    "1760:TCP"= 1760:TCP:Services
    "3458:TCP"= 3458:TCP:Services
    "6707:TCP"= 6707:TCP:Services
    "8191:TCP"= 8191:TCP:Services
    "9707:TCP"= 9707:TCP:Services
    "7425:TCP"= 7425:TCP:Services
    "9050:TCP"= 9050:TCP:Services
    "9660:TCP"= 9660:TCP:Services
    "9816:TCP"= 9816:TCP:Services
    "9222:TCP"= 9222:TCP:Services
    "8550:TCP"= 8550:TCP:Services
    "8816:TCP"= 8816:TCP:Services
    "7769:TCP"= 7769:TCP:Services
    "9566:TCP"= 9566:TCP:Services
    "7504:TCP"= 7504:TCP:Services
    "7457:TCP"= 7457:TCP:Services
    "7458:TCP"= 7458:TCP:Services
    .
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [27/01/2011 13:29 28552]
    R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [09/04/2010 0:25 15464]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [09/04/2010 0:25 225344]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [09/04/2010 0:25 25240]
    R2 CLPSLS;COMODO livePCsupport Service;c:\archivos de programa\Comodo\COMODO livePCsupport\CLPSLS.exe [19/02/2010 16:00 148744]
    R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [12/01/2011 10:35 372480]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [16/04/2007 15:12 35968]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {4AC016F5-A2A5-41F3-8D84-E68CDB2D0775} = 80.58.0.33,80.58.32.97
    TCP: {CFC6972C-C5C8-4883-8144-72131CF4214F} = 87.216.1.65,87.216.1.66
    FF - ProfilePath - c:\documents and settings\usuario\Datos de programa\Mozilla\Firefox\Profiles\0tsey6q8.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-10 12:39
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2936)
    c:\windows\system32\WININET.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
    c:\windows\system32\AstSrv.exe
    c:\windows\RTHDCPL.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-03-10 12:43:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-10 11:43
    ComboFix2.txt 2011-02-28 17:23
    .
    Pre-Run: 130.626.637.824 bytes libres
    Post-Run: 130.556.817.408 bytes libres
    .
    - - End Of File - - E1880DA315D62702D5B28F35D47D2592



    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 13:58:13, on 10/03/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17055)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Archivos de programa\COMODO\COMODO livePCsupport\CLPSLS.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\AstSrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe
    C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
    C:\Archivos de programa\WinZip\WZQKPICK.EXE
    C:\WINDOWS\explorer.exe
    C:\Archivos de programa\Mozilla Thunderbird\thunderbird.exe
    C:\Software\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
    O3 - Toolbar: HopSurf toolbar - {E9FAB13D-4600-49E1-90D1-EE961C859D39} - C:\Archivos de programa\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: HopSurf - {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - C:\Archivos de programa\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4AC016F5-A2A5-41F3-8D84-E68CDB2D0775}: NameServer = 80.58.0.33,80.58.32.97
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CFC6972C-C5C8-4883-8144-72131CF4214F}: NameServer = 87.216.1.65,87.216.1.66
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\system32\AstSrv.exe
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Archivos de programa\COMODO\COMODO livePCsupport\CLPSLS.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
    O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe
    O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

    --
    End of file - 6578 bytes
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, something has caused more ports to open. We need to find out what processes are using these ports:

    How do I close a specific TCP port
    To close a port, it's usually only necessary to shut down the program holding the port open. Some ports can be closed by just telling the program or service that the port should not be opened. Examples: If Microsoft Internet Information Services in Windows 2000 and Windows XP are installed, they open three ports automatically: Port 21 which is the FTP server, Port 25 which is the SMTP server (email server) and Port 80 which is the webserver for http.

    Here's how we find out what processes are keeping those ports open:
    1. Press Windows key + r (or click start --> run)
    2. Type cmd
    3. Press enter (or click 'OK')
    4. Type 'netstat -ano' (note space before -ano)
    5. Press enter

    This lists all ports, the IP addresses using them, and more importantly, the Process IDentifier (PID) that has them open. Find any listings for the following list of the ports and make a note of the PID.

    Now, follow these steps:
    1. Hold down ctrl + shift + esc
    2. From the 'View' menu, select 'Select Columns'
    3. Check the box next to 'Process Identifier'
    4. Press 'OK'

    The Task Manager will show you all the processes running on your machine, and the PID of each. Find the processes with the same PID that you noted earlier. Stop the process.
    Courtesy of Help from Majorgeeks.

    The following is the list of Open Ports to be identified:
    "3389:TCP"= 3389:TCP:Remote Desktop
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5184:TCP"= 5184:TCP:Services
    "8868:TCP"= 8868:TCP:Services
    "7682:TCP"= 7682:TCP:Services
    "7683:TCP"= 7683:TCP:Services
    "9316:TCP"= 9316:TCP:Services
    "8504:TCP"= 8504:TCP:Services
    "7597:TCP"= 7597:TCP:Services
    "6722:TCP"= 6722:TCP:Services
    "8488:TCP"= 8488:TCP:Services
    "8489:TCP"= 8489:TCP:Services
    "9410:TCP"= 9410:TCP:Services
    "7144:TCP"= 7144:TCP:Services
    "8691:TCP"= 8691:TCP:Services
    "8269:TCP"= 8269:TCP:Services
    "8457:TCP"= 8457:TCP:Services
    "9832:TCP"= 9832:TCP:Services
    "8066:TCP"= 8066:TCP:Services
    "9175:TCP"= 9175:TCP:Services
    "7738:TCP"= 7738:TCP:Services
    "2020:TCP"= 2020:TCP:Services
    "9019:TCP"= 9019:TCP:Services
    "8738:TCP"= 8738:TCP:Services
    "4297:TCP"= 4297:TCP:Services
    "8347:TCP"= 8347:TCP:Services
    "8175:TCP"= 8175:TCP:Services
    "1630:TCP"= 1630:TCP:Services
    "1760:TCP"= 1760:TCP:Services
    "3458:TCP"= 3458:TCP:Services
    "6707:TCP"= 6707:TCP:Services
    "8191:TCP"= 8191:TCP:Services
    "9707:TCP"= 9707:TCP:Services
    "7425:TCP"= 7425:TCP:Services
    "9050:TCP"= 9050:TCP:Services
    "9660:TCP"= 9660:TCP:Services
    "9816:TCP"= 9816:TCP:Services
    "9222:TCP"= 9222:TCP:Services
    "8550:TCP"= 8550:TCP:Services
    "8816:TCP"= 8816:TCP:Services
    "7769:TCP"= 7769:TCP:Services
    "9566:TCP"= 9566:TCP:Services
    "7504:TCP"= 7504:TCP:Services
    "7457:TCP"= 7457:TCP:Services
    "7458:TCP"= 7458:TCP:Services

    Additional ports have been opened since the last scan. I notice he is using the Telnet Protocol. Security advisors recommend that the use of Telnet for remote logins should be discontinued under all normal circumstances, for the following reasons:
    • Telnet, by default, does not encrypt any data sent over the connection (including passwords)
    • Most implementations of Telnet have no authentication that would ensure communication is carried out between the two desired hosts and not intercepted in the middle.
    • Commonly used Telnet daemons have several vulnerabilities discovered over the years.
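
    The netstat / Task Manager lookup that Bobbye describes above, automated as an added Python example (this is not code from the thread, from TechSpot or from Majorgeeks): it reads the GloballyOpenPorts list as it appears in the ComboFix log, the output of `netstat -ano` and the output of `tasklist /fo csv`, and reports for each firewall-exempted port whether a socket is actually listening on it and which process (PID and image name) owns that socket. Ports that carry an exception but have no listener are reported too, since a stale exception is worth removing. All three inputs below are constructed samples; the PIDs, the connection rows and the image name `sample_unknown.exe` are assumptions, not values from the brother's machine.

```python
"""Cross-reference firewall-exempted ports with listening sockets and owning
processes.  Added example, not from the TechSpot thread; every sample input
here is constructed.  On a real XP machine, capture the three inputs with:
    reg export of ...\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List
    netstat -ano
    tasklist /fo csv
"""
import csv
import io
import re

# Registry export line as shown in the ComboFix log:  "3389:TCP"= 3389:TCP:Remote Desktop
FIREWALL_LINE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')


def parse_firewall_ports(lines):
    """Return the set of (port, proto) pairs from a GloballyOpenPorts\\List export."""
    ports = set()
    for line in lines:
        m = FIREWALL_LINE.match(line.strip())
        if m:
            ports.add((int(m.group("port")), m.group("proto")))
    return ports


def parse_netstat(lines):
    """Parse 'netstat -ano' output into (proto, local_port, state, pid) tuples.

    TCP rows have a State column and UDP rows do not, so the PID sits in a
    different column for each protocol.  Header and blank lines are skipped.
    """
    rows = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with [::]:135
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rows.append((proto, port, state, pid))
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from 'tasklist /fo csv' output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def triage(firewall_lines, netstat_lines, tasklist_text):
    """For every firewall-exempted port, report whether something is bound to it
    and which process owns the socket.  Returns a list of dicts sorted by port."""
    listeners = {}
    for proto, port, state, pid in parse_netstat(netstat_lines):
        # A TCP port counts as open only when a socket is LISTENING on it
        # (ESTABLISHED / TIME_WAIT rows are client-side ephemeral ports);
        # UDP sockets have no state, so any bound UDP socket counts.
        if proto == "UDP" or state == "LISTENING":
            listeners[(port, proto)] = pid
    pid_to_image = parse_tasklist_csv(tasklist_text)
    findings = []
    for port, proto in sorted(parse_firewall_ports(firewall_lines)):
        pid = listeners.get((port, proto))
        findings.append({
            "port": port,
            "proto": proto,
            "listening": pid is not None,
            "pid": pid,
            "image": pid_to_image.get(pid) if pid is not None else None,
        })
    return findings


# --- constructed sample inputs (assumptions, not data from the thread) -------
FIREWALL_SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2020:TCP"= 2020:TCP:Services
"""

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1048
  TCP    0.0.0.0:65533          0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.5:1054       203.0.113.10:80        ESTABLISHED     1820
  TCP    192.168.1.5:2020       203.0.113.10:80        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","896","Console","0","4,560 K"
"svchost.exe","1048","Console","0","5,112 K"
"firefox.exe","1820","Console","0","61,004 K"
"sample_unknown.exe","2312","Console","0","1,900 K"
"""

if __name__ == "__main__":
    for f in triage(FIREWALL_SAMPLE.splitlines(), NETSTAT_SAMPLE.splitlines(), TASKLIST_SAMPLE):
        status = "LISTENING pid=%s (%s)" % (f["pid"], f["image"]) if f["listening"] else "no listener (stale exception?)"
        print("%5d/%s  %s" % (f["port"], f["proto"], status))
```

    On the sample data the script reports 3389/TCP owned by PID 1048 (svchost.exe, the expected owner of Remote Desktop on XP), 65533/TCP owned by the constructed `sample_unknown.exe`, and no listener at all on 52344 and 2020. Port 2020 appears in netstat only as a TIME_WAIT row, which is a closing client connection and not an open service, so it is deliberately not counted. A real run replaces the three sample strings with the captured command output.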
     