Inactive Google links redirection - Slow page loading


BaronCzerny

Hello,

my brother's PC got infected by malware that redirected his Google results to an antivirus software site. I recommended that he download Malwarebytes' Anti-Malware and scan the computer. The software seemingly got rid of some malware, because the links no longer redirect. Instead, he now gets very long loading times, and some pages don't even load completely. Sometimes the browser even crashes.

Computer: PC with Pentium 4
OS: Windows XP SP2 - Spanish (the messages in the logs are in Spanish. Hope this is not too much of a problem)
Antivirus: Comodo Internet Security Free version
Browser used: Firefox 3.6.13

Any help regarding the complete removal of the malware is greatly appreciated!

Miguel

Logs
======================================================
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versión de la Base de Datos: 5794

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.13

21/02/2011 9:57:57
mbam-log-2011-02-21 (09-57-57).txt

Tipos de Análisis: Análisis Completo (C:\|)
Objetos examinados: 206880
Tiempo transcurrido: 37 minuto(s), 3 segundo(s)

Procesos en Memoria Infectados: 0
Módulos de Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Archivos Infectados: 5

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos de Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Archivos Infectados:
c:\documents and settings\usuario\configuración local\Temp\gpxnks8s.exe.part (Rogue.SmartInternetProtection) -> Quarantined and deleted successfully.
c:\documents and settings\usuario\datos de programa\sdra64.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{5f7eb413-81c9-4a61-b1b7-8e59cf5c8093}\RP620\A0701023.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{5f7eb413-81c9-4a61-b1b7-8e59cf5c8093}\RP620\A0701024.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{5f7eb413-81c9-4a61-b1b7-8e59cf5c8093}\RP620\A0701025.exe (HackTool.SnadBoy) -> Quarantined and deleted successfully.
======================================================

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-23 11:23:51
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16 ST3160815AS rev.3.AAA
Running: 0uudli5q.exe; Driver: C:\DOCUME~1\usuario\CONFIG~1\Temp\kwlyipod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xA938312C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xA938336A]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- EOF - GMER 1.0.15 ----

======================================================

DDS (Ver_10-12-12.02) - NTFSx86
Run by usuario at 12:53:20,92 on 23/02/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2022.1612 [GMT 1:00]

AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled*

============== Running Processes ===============

C:\Archivos de programa\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\AstSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Software\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre1.6.0\bin\ssv.dll
TB: HopSurf toolbar: {e9fab13d-4600-49e1-90d1-ee961c859d39} - c:\archivos de programa\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\archivos de programa\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre1.6.0\bin\jusched.exe"
mRun: [HP Software Update] "c:\archivos de programa\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [COMODO Internet Security] "c:\archivos de programa\comodo\comodo internet security\cfp.exe" -h
mRun: [RegTask] c:\archivos de programa\regtask\RegTask.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\winzip~1.lnk - c:\archivos de programa\winzip\WZQKPICK.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\archivos de programa\java\jre1.6.0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
IE: {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\archivos de programa\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
TCP: {4AC016F5-A2A5-41F3-8D84-E68CDB2D0775} = 80.58.0.33,80.58.32.97
TCP: {CFC6972C-C5C8-4883-8144-72131CF4214F} = 87.216.1.65,87.216.1.66
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
IFEO: image file execution options - svchost.exe
IFEO: OLT.exe - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\usuario\datosd~1\mozilla\firefox\profiles\0tsey6q8.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - plugin: c:\archivos de programa\java\jre1.6.0\bin\npjpi160.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-1-27 28552]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-4-9 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-4-9 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-4-9 25240]
R2 CLPSLS;COMODO livePCsupport Service;c:\archivos de programa\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-19 148744]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\archivos de programa\comodo\comodo internet security\cmdagent.exe [2010-4-9 1769216]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [2011-1-12 372480]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-16 35968]
S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\kmxagent.sys --> c:\windows\system32\drivers\kmxagent.sys [?]
S1 KmxFile;KmxFile;c:\windows\system32\drivers\kmxfile.sys --> c:\windows\system32\drivers\KmxFile.sys [?]

=============== Created Last 30 ================

2011-01-28 01:36:02 -------- d-----w- c:\docume~1\usuario\datosd~1\Malwarebytes
2011-01-28 01:35:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-28 01:35:57 -------- d-----w- c:\docume~1\alluse~1\datosd~1\Malwarebytes
2011-01-28 01:35:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-28 01:35:54 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2011-01-27 12:29:26 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-01-27 12:28:21 -------- d-----w- c:\archivos de programa\Panda Security
2011-01-27 10:23:08 -------- d-----w- c:\docume~1\usuario\config~1\datosd~1\COMODO
2011-01-27 09:22:03 -------- d-sh--w- c:\docume~1\alluse~1\datosd~1\SIFNIJP
2011-01-27 09:21:16 -------- d-sh--w- c:\docume~1\alluse~1\datosd~1\3740ed

==================== Find3M ====================

2010-12-10 15:10:50 338760 ----a-w- c:\archivos de programa\RegtaskTool_Installer.exe
2010-12-10 12:09:17 6252136 ----a-w- c:\archivos de programa\winzip100.exe
2010-05-10 08:44:52 62223760 ----a-w- c:\archivos de programa\cisfree_installer_x86.exe
2009-01-28 12:34:18 26193832 ----a-w- c:\archivos de programa\AdbeRdr90_es_ES.exe
2008-12-11 12:15:49 6024704 ----a-w- c:\archivos de programa\easypdf5_setup.msi
2006-09-01 09:00:00 746600 ----a-w- c:\archivos de programa\GDS.EXE
2006-09-01 09:00:00 702120 ----a-w- c:\archivos de programa\GTB9X.EXE
2006-09-01 09:00:00 558248 ----a-w- c:\archivos de programa\GTBXP.EXE
2006-09-01 09:00:00 204800 ----a-w- c:\archivos de programa\SETUP.EXE

============= FINISH: 12:53:50,87 ===============
 
Welcome to TechSpot, Miguel. I will do my best to help- but Spanish may be a problem. I don't have time to go through translations, so if I can't determine what an entry is, I will refer it back to you to identify, then tell me.

While I go over these logs, please go ahead and run the following. English would be appreciated.

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
================================
Download Combofix to your desktop from one of these locations:
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query - Recovery Console image [RcAuto1.gif]: "WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!"
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe [image: cf-icon.jpg] & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Thanks so much for your help, Bobbye. I'll do my best to get the English version of the messages (some are system generated, but others depend on the software used I guess, like with Malwarebytes' program. We used the Spanish version here).
More in a while.

Best,

Miguel
 
Dear Bobbye,

please find enclosed the two logs (Eset and Combofix).

Thanks!

Miguel

Eset NOD32 Online antivirus ========================

C:\Documents and Settings\All Users\Datos de programa\3740ed\6721.mof Win32/RogueAV.A trojan

===============================================


ComboFix 11-02-27.03 - usuario 28/02/2011 18:20:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2022.1581 [GMT 1:00]
Running from: c:\software\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\archivos de programa\Setup.exe
c:\documents and settings\All Users\Datos de programa\3740ed
c:\documents and settings\All Users\Datos de programa\3740ed\3740ed6ee3def639287eaaf39cd1a0c8.ocx
c:\documents and settings\All Users\Datos de programa\3740ed\6721.mof
c:\documents and settings\All Users\Datos de programa\3740ed\BackUp\WinZip Quick Pick.lnk
c:\documents and settings\All Users\Datos de programa\3740ed\mozcrt19.dll
c:\documents and settings\All Users\Datos de programa\3740ed\n5e7tm9q01novktm9q01u8zim9q01u8wu8gcdan.dll
c:\documents and settings\All Users\Datos de programa\3740ed\SIP.ico
c:\documents and settings\All Users\Datos de programa\3740ed\sqlite3.dll
c:\documents and settings\usuario\Reciente\CLSV.sys
c:\documents and settings\usuario\Reciente\exec.dll
c:\documents and settings\usuario\Reciente\kernel32.dll
c:\windows\system32\midas.dll

.
((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
.

2011-02-28 12:52 . 2011-02-28 12:52 -------- d-----w- c:\archivos de programa\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 17:09 . 2011-01-28 01:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 17:08 . 2011-01-28 01:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 15:10 . 2010-12-10 15:10 338760 ----a-w- c:\archivos de programa\RegtaskTool_Installer.exe
2010-12-10 12:09 . 2010-12-10 12:09 6252136 ----a-w- c:\archivos de programa\winzip100.exe
2010-05-10 08:44 . 2010-05-10 08:40 62223760 ----a-w- c:\archivos de programa\cisfree_installer_x86.exe
2009-01-28 12:34 . 2009-01-28 12:33 26193832 ----a-w- c:\archivos de programa\AdbeRdr90_es_ES.exe
2008-12-11 12:15 . 2008-12-11 12:13 6024704 ----a-w- c:\archivos de programa\easypdf5_setup.msi
2006-09-01 09:00 . 2010-12-16 10:24 746600 ----a-w- c:\archivos de programa\GDS.EXE
2006-09-01 09:00 . 2010-12-16 10:24 702120 ----a-w- c:\archivos de programa\GTB9X.EXE
2006-09-01 09:00 . 2010-12-16 10:24 558248 ----a-w- c:\archivos de programa\GTBXP.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0\bin\jusched.exe" [2007-05-22 77824]
"HP Software Update"="c:\archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2008-03-28 413696]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"COMODO Internet Security"="c:\archivos de programa\COMODO\COMODO Internet Security\cfp.exe" [2010-04-08 2029456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-20 15360]

c:\documents and settings\All Users\Menú Inicio\Programas\Inicio\
WinZip Quick Pick.lnk - c:\archivos de programa\WinZip\WZQKPICK.EXE [2010-12-10 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5184:TCP"= 5184:TCP:Services
"8868:TCP"= 8868:TCP:Services
"7682:TCP"= 7682:TCP:Services
"7683:TCP"= 7683:TCP:Services
"9316:TCP"= 9316:TCP:Services
"8504:TCP"= 8504:TCP:Services
"7597:TCP"= 7597:TCP:Services
"6722:TCP"= 6722:TCP:Services
"8488:TCP"= 8488:TCP:Services
"8489:TCP"= 8489:TCP:Services
"9410:TCP"= 9410:TCP:Services
"7144:TCP"= 7144:TCP:Services
"8691:TCP"= 8691:TCP:Services
"8269:TCP"= 8269:TCP:Services
"8457:TCP"= 8457:TCP:Services
"9832:TCP"= 9832:TCP:Services
"8066:TCP"= 8066:TCP:Services
"9175:TCP"= 9175:TCP:Services
"7738:TCP"= 7738:TCP:Services
"2020:TCP"= 2020:TCP:Services
"9019:TCP"= 9019:TCP:Services
"8738:TCP"= 8738:TCP:Services
"4297:TCP"= 4297:TCP:Services
"8347:TCP"= 8347:TCP:Services
"8175:TCP"= 8175:TCP:Services

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [27/01/2011 13:29 28552]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [09/04/2010 0:25 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [09/04/2010 0:25 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [09/04/2010 0:25 25240]
R2 CLPSLS;COMODO livePCsupport Service;c:\archivos de programa\Comodo\COMODO livePCsupport\CLPSLS.exe [19/02/2010 16:00 148744]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [12/01/2011 10:35 372480]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [16/04/2007 15:12 35968]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys --> c:\windows\system32\DRIVERS\kmxagent.sys [?]
S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys --> c:\windows\system32\DRIVERS\KmxFile.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4AC016F5-A2A5-41F3-8D84-E68CDB2D0775} = 80.58.0.33,80.58.32.97
TCP: {CFC6972C-C5C8-4883-8144-72131CF4214F} = 87.216.1.65,87.216.1.66
FF - ProfilePath - c:\documents and settings\usuario\Datos de programa\Mozilla\Firefox\Profiles\0tsey6q8.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-SkyTel - SkyTel.EXE
HKLM-Run-RegTask - c:\archivos de programa\RegTask\RegTask.exe
AddRemove-Microsoft Interactive Training - c:\windows\IsUn040a.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-28 18:22
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(1124)
c:\windows\system32\guard32.dll
.
Completion time: 2011-02-28 18:23:35
ComboFix-quarantined-files.txt 2011-02-28 17:23

Pre-Run: 131.064.639.488 bytes libres
Post-Run: 131.033.149.440 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Modo Seguro Windows" /fastdetect /safeboot:minimal/sos/bootlog /fastdetect

- - End Of File - - C61B43890C6698503202036DEF3FC4DC
 
Please download the Rootkit Removal Tool HERE and save it to the desktop. There is an indication that he may have a GROMOZON Rootkit.

Gromozon is not a single infection, but a blended attack designed to bypass traditional anti-malware tools. The end result is that the machine is not only infected by several well known Trojans but also by a highly dangerous Rootkit.

You can find more information on this malware here: http://info.prevx.com/gromozon.asp?sessionid=9645A4EC-10B9-404B-AF84-F4DC043A0CFB

Please follow the screen prompts, save log and paste into your next reply.

I'll be setting up some script to run through Combofix.
 
Hello Bobbye,

my brother has downloaded the Rootkit Removal Tool and run the software. After the scan it says that it couldn't find any Rootkit. He hasn't found any log either (maybe because there wasn't anything to report about).

Miguel
 
Dear Bobbye,

sorry for the delay. I've asked my brother to monitor his PC's function for a couple of days.

He's noticed the following:

1. He still can't download complete web pages. The browser halts at a certain point.
2. This is really odd: whenever he starts the computer, after logging in, he gets a Windows warning asking him whether he wants to start the following program:

9645A4EC10B9404BAF84.EXE

My brother obviously answers "No".

This program is located in the same folder where all the scanning and malware removal tools used for the "8 steps" and the ones following your further indications are saved.

The Comodo antivirus scanner doesn't report any virus in this file. I've tried to identify it with Marco Pontello's TrID, and it says that it is most likely a Windows executable.

Best,

Miguel
 
Miguel, the problems he reports about partial loads of web pages sound more like they're system related. But the attempts by 9645A4EC10B9404BAF84.EXE to start most surely sound like malware. Something is on the Startup menu connected to this .exe file. It is possible he can find and stop it, and possibly identify it, using the msconfig utility:
The only processes that need to start on boot are:
Antivirus program
Firewall if using third party firewall such as Comodo or ZoneAlarm.
Touchpad if on laptop
Network process if using Cisco or Network Magic

Nothing else- but almost all users have many other unnecessary processes.
=============================================
To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command column (this shows what the process 'belongs' to), hold the left mouse button down on the dividing line on the frame above Location and move to the right to expand.
    By expanding this column, he may be able to see what the unknown 9645A4EC10B9404BAF84.EXE is associated with, and it can be unchecked.
  • Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
===================================
The Combofix scan before the rootkit scan showed this:
The NTDLL code modification indicates a kernel modification- usually a giveaway that a rootkit is on board. Running this script will generate a new Combofix log. I may get information from that to see the status of the rootkit.
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\DRIVERS\kmxagent.sys
;c:\windows\system32\DRIVERS\KmxFile.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
Driver::
KmxAgent
KmxFile
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Have him follow with this. Be sure the directions for setting up the directory for HJT are followed: Download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
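A small triage script over the log formats posted in this thread, added here as an example (it is not part of the thread, nor of the DDS, ComboFix or catchme tools): it flags the IFEO redirections, the AppInit_DLLs entry, the two Kmx* services pointing at missing files, the run of firewall exceptions labelled "Services", and the NTDLL code-modification notice. The regexes, the severities and the threshold of five exceptions are this example's own assumptions, and the sample lines are constructed from the formats seen in the logs above.

```python
"""Triage helper for DDS / ComboFix style log lines (added example).

Not part of this thread or of the DDS / ComboFix / catchme tools. It scans
log text for the entry classes discussed above: IFEO debugger redirections,
AppInit_DLLs, services whose driver file is missing ([?]), many firewall
port exceptions sharing one generic label, and catchme's NTDLL
code-modification notice. Regexes, severities and the port threshold are
this example's own assumptions, not anything the tools define.
"""
import re
from collections import Counter

# "IFEO: <image> - <debugger>": the named image is launched via the debugger.
IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>.+)$")
# DDS writes "AppInit_DLLs: <path>", ComboFix writes "AppInit_DLLs"=<path>.
APPINIT_RE = re.compile(r'^"?AppInit_DLLs"?\s*[=:]\s*(?P<dlls>.+)$', re.I)
# Service/driver line whose file could not be found, e.g.
# S1 KmxAgent;KmxAgent;c:\...\kmxagent.sys --> c:\...\kmxagent.sys [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>[^\s\[]+).*\[\?\]")
# Firewall exception line: "3389:TCP"= 3389:TCP:Remote Desktop
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.+)$')
NTDLL_RE = re.compile(r"^detected NTDLL code modification:")


def triage(text, port_threshold=5):
    """Return a list of (severity, message) findings for one log text."""
    findings = []
    port_labels = Counter()
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m:
            findings.append(("high", f"IFEO debugger for {m['image']} -> {m['debugger']}"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(("review", f"AppInit_DLLs injected into GUI processes: {m['dlls']}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.append(("review",
                             f"service {m['name']} ({m['start']}) points at missing file {m['path']}"))
            continue
        m = PORT_RE.match(line)
        if m:
            port_labels[m["label"]] += 1
            continue
        if NTDLL_RE.match(line):
            # catchme prints the hooked functions on the following line.
            funcs = lines[i + 1].strip() if i + 1 < len(lines) else ""
            findings.append(("high", f"NTDLL code modification reported: {funcs}"))
    for label, n in port_labels.items():
        if n >= port_threshold:
            findings.append(("high", f"{n} firewall port exceptions share the generic label '{label}'"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    return dict(Counter(sev for sev, _ in findings))


# Constructed sample, modelled on the log formats posted in this thread.
SAMPLE_LOG = r"""
uStart Page = about:blank
AppInit_DLLs: c:\windows\system32\guard32.dll
IFEO: image file execution options - svchost.exe
IFEO: OLT.exe - svchost.exe
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-1-27 28552]
S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\kmxagent.sys --> c:\windows\system32\drivers\kmxagent.sys [?]
S1 KmxFile;KmxFile;c:\windows\system32\drivers\kmxfile.sys --> c:\windows\system32\drivers\KmxFile.sys [?]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5184:TCP"= 5184:TCP:Services
"8868:TCP"= 8868:TCP:Services
"7682:TCP"= 7682:TCP:Services
detected NTDLL code modification:
ZwClose, ZwOpenFile
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Paste a DDS or ComboFix log into `triage()` to get the same classes of findings the helper reads off by hand; the "Services"-labelled port exceptions only count once they cross the threshold, so a single Remote Desktop entry is not reported.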
 
Hello again, Bobbye.

Here are the logs:

ComboFix 11-03-09.03 - usuario 10/03/2011 12:33:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2022.1613 [GMT 1:00]
Running from: c:\software\ComboFix.exe
Command switches used :: c:\software\CFScript.txt
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"c:\windows\system32\DRIVERS\kmxagent.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_KMXAGENT
-------\Legacy_KMXFILE
-------\Service_KmxAgent
-------\Service_KmxFile
.
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-01 12:46 . 2011-03-01 12:46 -------- d-----w- c:\documents and settings\All Users\Datos de programa\TEMP
2011-02-28 12:52 . 2011-02-28 12:52 -------- d-----w- c:\archivos de programa\ESET
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 17:09 . 2011-01-28 01:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 17:08 . 2011-01-28 01:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 15:10 . 2010-12-10 15:10 338760 ----a-w- c:\archivos de programa\RegtaskTool_Installer.exe
2010-12-10 12:09 . 2010-12-10 12:09 6252136 ----a-w- c:\archivos de programa\winzip100.exe
2010-05-10 08:44 . 2010-05-10 08:40 62223760 ----a-w- c:\archivos de programa\cisfree_installer_x86.exe
2009-01-28 12:34 . 2009-01-28 12:33 26193832 ----a-w- c:\archivos de programa\AdbeRdr90_es_ES.exe
2008-12-11 12:15 . 2008-12-11 12:13 6024704 ----a-w- c:\archivos de programa\easypdf5_setup.msi
2006-09-01 09:00 . 2010-12-16 10:24 746600 ----a-w- c:\archivos de programa\GDS.EXE
2006-09-01 09:00 . 2010-12-16 10:24 702120 ----a-w- c:\archivos de programa\GTB9X.EXE
2006-09-01 09:00 . 2010-12-16 10:24 558248 ----a-w- c:\archivos de programa\GTBXP.EXE
.
.
((((((((((((((((((((((((((((( SnapShot@2011-02-28_17.22.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-09-06 10:58 . 2011-03-10 11:10 53744 c:\windows\system32\perfc009.dat
- 2004-09-06 10:58 . 2011-02-28 16:03 53744 c:\windows\system32\perfc009.dat
+ 2004-09-06 10:58 . 2011-03-10 11:10 383390 c:\windows\system32\perfh009.dat
- 2004-09-06 10:58 . 2011-02-28 16:03 383390 c:\windows\system32\perfh009.dat
+ 2010-05-10 12:15 . 2011-03-10 11:15 1349840 c:\windows\system32\drivers\sfi.dat
- 2010-05-10 12:15 . 2011-02-28 17:08 1349840 c:\windows\system32\drivers\sfi.dat
+ 2007-05-25 17:22 . 2011-03-09 12:54 37943240 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre1.6.0\bin\jusched.exe" [2007-05-22 77824]
"HP Software Update"="c:\archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2008-03-28 413696]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"COMODO Internet Security"="c:\archivos de programa\COMODO\COMODO Internet Security\cfp.exe" [2010-04-08 2029456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-20 15360]
.
c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
WinZip Quick Pick.lnk - c:\archivos de programa\WinZip\WZQKPICK.EXE [2010-12-10 122880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxRootkitRemovalTool]
2011-03-01 12:44 737280 ----a-w- c:\software\9645A4EC10B9404BAF84.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5184:TCP"= 5184:TCP:Services
"8868:TCP"= 8868:TCP:Services
"7682:TCP"= 7682:TCP:Services
"7683:TCP"= 7683:TCP:Services
"9316:TCP"= 9316:TCP:Services
"8504:TCP"= 8504:TCP:Services
"7597:TCP"= 7597:TCP:Services
"6722:TCP"= 6722:TCP:Services
"8488:TCP"= 8488:TCP:Services
"8489:TCP"= 8489:TCP:Services
"9410:TCP"= 9410:TCP:Services
"7144:TCP"= 7144:TCP:Services
"8691:TCP"= 8691:TCP:Services
"8269:TCP"= 8269:TCP:Services
"8457:TCP"= 8457:TCP:Services
"9832:TCP"= 9832:TCP:Services
"8066:TCP"= 8066:TCP:Services
"9175:TCP"= 9175:TCP:Services
"7738:TCP"= 7738:TCP:Services
"2020:TCP"= 2020:TCP:Services
"9019:TCP"= 9019:TCP:Services
"8738:TCP"= 8738:TCP:Services
"4297:TCP"= 4297:TCP:Services
"8347:TCP"= 8347:TCP:Services
"8175:TCP"= 8175:TCP:Services
"1630:TCP"= 1630:TCP:Services
"1760:TCP"= 1760:TCP:Services
"3458:TCP"= 3458:TCP:Services
"6707:TCP"= 6707:TCP:Services
"8191:TCP"= 8191:TCP:Services
"9707:TCP"= 9707:TCP:Services
"7425:TCP"= 7425:TCP:Services
"9050:TCP"= 9050:TCP:Services
"9660:TCP"= 9660:TCP:Services
"9816:TCP"= 9816:TCP:Services
"9222:TCP"= 9222:TCP:Services
"8550:TCP"= 8550:TCP:Services
"8816:TCP"= 8816:TCP:Services
"7769:TCP"= 7769:TCP:Services
"9566:TCP"= 9566:TCP:Services
"7504:TCP"= 7504:TCP:Services
"7457:TCP"= 7457:TCP:Services
"7458:TCP"= 7458:TCP:Services
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [27/01/2011 13:29 28552]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [09/04/2010 0:25 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [09/04/2010 0:25 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [09/04/2010 0:25 25240]
R2 CLPSLS;COMODO livePCsupport Service;c:\archivos de programa\Comodo\COMODO livePCsupport\CLPSLS.exe [19/02/2010 16:00 148744]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [12/01/2011 10:35 372480]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [16/04/2007 15:12 35968]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4AC016F5-A2A5-41F3-8D84-E68CDB2D0775} = 80.58.0.33,80.58.32.97
TCP: {CFC6972C-C5C8-4883-8144-72131CF4214F} = 87.216.1.65,87.216.1.66
FF - ProfilePath - c:\documents and settings\usuario\Datos de programa\Mozilla\Firefox\Profiles\0tsey6q8.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-10 12:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2936)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\AstSrv.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2011-03-10 12:43:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-10 11:43
ComboFix2.txt 2011-02-28 17:23
.
Pre-Run: 130.626.637.824 bytes libres
Post-Run: 130.556.817.408 bytes libres
.
- - End Of File - - E1880DA315D62702D5B28F35D47D2592



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:58:13, on 10/03/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Archivos de programa\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AstSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Mozilla Thunderbird\thunderbird.exe
C:\Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: HopSurf toolbar - {E9FAB13D-4600-49E1-90D1-EE961C859D39} - C:\Archivos de programa\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Archivos de programa\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HopSurf - {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - C:\Archivos de programa\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AC016F5-A2A5-41F3-8D84-E68CDB2D0775}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFC6972C-C5C8-4883-8144-72131CF4214F}: NameServer = 87.216.1.65,87.216.1.66
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\system32\AstSrv.exe
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Archivos de programa\COMODO\COMODO livePCsupport\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Archivos de programa\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 6578 bytes
 
Okay, something has caused more ports to open. We need to find out what processes are using these ports:

How do I close a specific TCP port
To close a port, it's usually only necessary to shut down the program holding the port open. Some ports can be closed by just telling the program or service that the port should not be opened. Examples: If Microsoft Internet Information Services in Windows 2000 and Windows XP are installed, they open three ports automatically: Port 21 which is the FTP server, Port 25 which is the SMTP server (email server) and Port 80 which is the webserver for http.

Here's how we find out what processes are keeping those ports open:
  1. Press Windows key + r (or click start --> run)
  2. Type cmd
  3. Press enter (or click 'OK')
  4. Type 'netstat -ano' (note space before -ano)
  5. Press enter

This lists all ports, the IP addresses using them, and more importantly, the Process IDentifier (PID) that has them open. Find any listings for the following list of the ports and make a note of the PID.

Now, follow these steps:
  1. Hold down ctrl + shift + esc
  2. From the 'View' menu, select 'Select Columns'
  3. Check the box next to 'Process Identifier'
  4. Press 'OK'

The Task Manager will show you all the processes running on your machine, and the PID of each. Find the processes with the same PID that you noted earlier. Stop the process.
Courtesy of Help from Majorgeeks.

The following is the list of Open Ports to be identified:
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5184:TCP"= 5184:TCP:Services
"8868:TCP"= 8868:TCP:Services
"7682:TCP"= 7682:TCP:Services
"7683:TCP"= 7683:TCP:Services
"9316:TCP"= 9316:TCP:Services
"8504:TCP"= 8504:TCP:Services
"7597:TCP"= 7597:TCP:Services
"6722:TCP"= 6722:TCP:Services
"8488:TCP"= 8488:TCP:Services
"8489:TCP"= 8489:TCP:Services
"9410:TCP"= 9410:TCP:Services
"7144:TCP"= 7144:TCP:Services
"8691:TCP"= 8691:TCP:Services
"8269:TCP"= 8269:TCP:Services
"8457:TCP"= 8457:TCP:Services
"9832:TCP"= 9832:TCP:Services
"8066:TCP"= 8066:TCP:Services
"9175:TCP"= 9175:TCP:Services
"7738:TCP"= 7738:TCP:Services
"2020:TCP"= 2020:TCP:Services
"9019:TCP"= 9019:TCP:Services
"8738:TCP"= 8738:TCP:Services
"4297:TCP"= 4297:TCP:Services
"8347:TCP"= 8347:TCP:Services
"8175:TCP"= 8175:TCP:Services
"1630:TCP"= 1630:TCP:Services
"1760:TCP"= 1760:TCP:Services
"3458:TCP"= 3458:TCP:Services
"6707:TCP"= 6707:TCP:Services
"8191:TCP"= 8191:TCP:Services
"9707:TCP"= 9707:TCP:Services
"7425:TCP"= 7425:TCP:Services
"9050:TCP"= 9050:TCP:Services
"9660:TCP"= 9660:TCP:Services
"9816:TCP"= 9816:TCP:Services
"9222:TCP"= 9222:TCP:Services
"8550:TCP"= 8550:TCP:Services
"8816:TCP"= 8816:TCP:Services
"7769:TCP"= 7769:TCP:Services
"9566:TCP"= 9566:TCP:Services
"7504:TCP"= 7504:TCP:Services
"7457:TCP"= 7457:TCP:Services
"7458:TCP"= 7458:TCP:Services

Additional ports have been opened since the last scan. I notice he is using the Telnet Protocol. Security advisors recommend that the use of Telnet for remote logins should be discontinued under all normal circumstances, for the following reasons:
  • Telnet, by default, does not encrypt any data sent over the connection (including passwords)
  • Most implementations of Telnet have no authentication that would ensure communication is carried out between the two desired hosts and not intercepted in the middle.
  • Commonly used Telnet daemons have several vulnerabilities discovered over the years.
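As an added illustration of the netstat / Task Manager procedure in the reply above (this is not the helper's code and is not part of the thread): the script below does the cross-reference by hand, matching every TCP socket in LISTENING state from `netstat -ano` against the port list from the firewall policy in the ComboFix log, then naming the owning image from `tasklist` output. It assumes the text layout that Windows XP's `netstat -ano` and `tasklist` print; both sample outputs embedded in it are constructed for illustration and do not come from the poster's PC.

```python
"""Match `netstat -ano` listeners against a port watch list and name the
owning process from `tasklist` output.

Added example, not code from the thread. It assumes the text formats that
Windows XP's `netstat -ano` and `tasklist` print; the two sample outputs
below are constructed for illustration and are not from the poster's PC.
"""
import re
from typing import Dict, List, Set, Tuple

# The ports from the firewall GloballyOpenPorts list in the ComboFix log.
SUSPECT_PORTS: Set[int] = {
    3389, 65533, 52344, 5184, 8868, 7682, 7683, 9316, 8504, 7597, 6722,
    8488, 8489, 9410, 7144, 8691, 8269, 8457, 9832, 8066, 9175, 7738,
    2020, 9019, 8738, 4297, 8347, 8175, 1630, 1760, 3458, 6707, 8191,
    9707, 7425, 9050, 9660, 9816, 9222, 8550, 8816, 7769, 9566, 7504,
    7457, 7458,
}

# One netstat -ano row: proto, local addr:port, foreign addr, optional
# state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+):(?P<port>\d+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# One tasklist row: image name, PID, session name, session#, memory.
TASKLIST_ROW = re.compile(
    r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$"
)

# Constructed sample of `netstat -ano` (not real output from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:8868           0.0.0.0:0              LISTENING       2516
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.5:7682       0.0.0.0:0              LISTENING       2516
  TCP    192.168.1.5:1043       192.0.2.10:80          ESTABLISHED     1788
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` (not real output from the thread).
TASKLIST_SAMPLE = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                   1032 Console                    0      4,988 K
svchost.exe                   1788 Console                    0     25,112 K
unknown_sample.exe            2516 Console                    0      3,040 K
"""


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Return one dict per connection row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            rows.append({
                "proto": m["proto"],
                "local": m["local"],
                "port": int(m["port"]),
                "state": m["state"] or "",   # empty for UDP rows
                "pid": int(m["pid"]),
            })
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from tasklist output."""
    return {int(m["pid"]): m["image"]
            for m in map(TASKLIST_ROW.match, text.splitlines()) if m}


def find_suspect_listeners(netstat_text: str, tasklist_text: str,
                           watch: Set[int]) -> List[Tuple[int, int, str]]:
    """(port, pid, image) for every TCP LISTENING socket on a watched port."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if (row["proto"] == "TCP" and row["state"] == "LISTENING"
                and row["port"] in watch):
            hits.append((row["port"], row["pid"],
                         images.get(row["pid"], "<no such PID>")))
    return sorted(hits)


if __name__ == "__main__":
    for port, pid, image in find_suspect_listeners(
            NETSTAT_SAMPLE, TASKLIST_SAMPLE, SUSPECT_PORTS):
        # svchost.exe hosts many services; `tasklist /svc` shows which ones.
        print(f"port {port:5d}  pid {pid:5d}  {image}")
```

On the affected machine the same two captures can be saved with `netstat -ano > ports.txt` and `tasklist > tasks.txt` and fed to `find_suspect_listeners`. A listener on one of the listed ports owned by an image that is not a known Windows or installed-software binary is the lead to chase; when the owner is `svchost.exe`, `tasklist /svc` shows which services that PID is hosting, since the image name alone does not identify them.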
 