seeker168 Posted October 8, 2018 ID:1274187

My PC has been infected by malware which keeps opening connections to remote IP addresses. Somehow it manages to attach itself to legitimate exe files and makes them open remote connections (Firefox, svchost, etc.). First log files are attached for the experts. Thanks for looking.

Attachments: FRST.txt, Addition.txt
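The symptom described in this post, legitimate processes such as Firefox and svchost making outbound connections, is usually triaged by tying each connection to its owning process. On Windows XP that is `netstat -ano` (the `-o` column is the PID) joined against `tasklist /FO CSV`. The script below is an added example, not a tool from this thread or from Malwarebytes; the netstat and tasklist text it parses is constructed, and the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges stand in for Internet hosts.

```python
"""Attribute remote connections to processes from `netstat -ano` and
`tasklist /FO CSV` output.  Added illustration; sample text is constructed."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output (not from the thread's logs).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1340
  TCP    192.168.1.10:1040      192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.10:1052      203.0.113.7:443        ESTABLISHED     1812
  TCP    192.168.1.10:1053      198.51.100.22:8080     ESTABLISHED     912
  TCP    192.168.1.10:1054      198.51.100.22:8080     SYN_SENT        912
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /FO CSV` output mapping PID -> image name.
SAMPLE_TASKLIST = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,512 K"
"firefox.exe","1812","Console","0","61,044 K"
"explorer.exe","1340","Console","0","18,220 K"
"""

# Ranges that do not indicate an Internet peer.  Checked explicitly rather
# than via ipaddress.is_private so that the documentation ranges used in the
# sample (198.51.100.0/24, 203.0.113.0/24) are treated as Internet hosts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def is_remote_host(host):
    """True if host is a routable address outside LOCAL_NETS."""
    if host in ("*", ""):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    if addr.version == 6:
        return not (addr.is_loopback or addr.is_link_local or addr.is_private)
    return not any(addr in net for net in LOCAL_NETS)


def split_endpoint(endpoint):
    """'host:port' -> (host, port); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return one dict per TCP/UDP line; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # unexpected layout: skip rather than guess
        host, port = split_endpoint(foreign)
        conns.append({"proto": proto, "local": local, "host": host,
                      "port": port, "state": state, "pid": pid})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` (quoted fields may hold commas)."""
    rows = csv.reader(io.StringIO(text.strip()))
    next(rows, None)  # header row
    return {row[1]: row[0] for row in rows if len(row) >= 2}


def remote_connections_by_process(netstat_text, tasklist_text):
    """Group connections whose peer is a remote host by the owning process."""
    images = parse_tasklist_csv(tasklist_text)
    grouped = defaultdict(lambda: {"image": None, "endpoints": set(), "count": 0})
    for c in parse_netstat(netstat_text):
        if not is_remote_host(c["host"]):
            continue
        entry = grouped[c["pid"]]
        entry["image"] = images.get(c["pid"], "<unknown>")
        entry["endpoints"].add("%s:%s" % (c["host"], c["port"]))
        entry["count"] += 1
    return {pid: {"image": e["image"], "endpoints": sorted(e["endpoints"]),
                  "count": e["count"]} for pid, e in grouped.items()}


if __name__ == "__main__":
    report = remote_connections_by_process(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for pid, e in sorted(report.items()):
        print(pid, e["image"], e["count"], ", ".join(e["endpoints"]))
```

To use it on the affected machine, capture `netstat -ano > netstat.txt` and `tasklist /FO CSV > tasks.txt` and feed the two files in. One caveat that matters for this thread: netstat reads its view through the same kernel networking stack the infection may have tampered with, so a clean-looking report from inside the box is weak evidence; the connections are better confirmed from the router or another host watching the traffic.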
AdvancedSetup (Root Admin) Posted October 8, 2018 ID:1274194

Hello @seeker168. As I'm sure you're aware, Microsoft Windows XP is no longer supported by Microsoft. It has known exploits that are not patched anymore, and using this operating system is and always will be risky due to this non-support issue. I would highly recommend that you consider purchasing a new computer with Windows 10, or at least buying a valid Windows 10 license directly from Microsoft and installing Windows 10 yourself.

That said, we can look at scanning this computer to fix it, but again, it will always be at risk and is not a safe computer to use on the Internet nowadays.

You're also running uTorrent P2P software on it. That is risky even on a Windows 10 computer; on Windows XP that is like putting a sign on your front door that says "please come in and take anything you want", then leaving the door unlocked.

If you're really stuck and cannot get onto Windows 10, then at least uninstall some junk like uTorrent and other apps that make it so easy to infect the computer. Do good, solid backups of your data to an external USB drive too.

Please download Malwarebytes, install it, update it and run a Threat Scan, and post back the log.
https://downloads.malwarebytes.com/file/mb3_legacy

Thank you
Ron
seeker168 (Author) Posted October 8, 2018 ID:1274241

Hi, thanks for the advice. It's an old PC running XP; I'm not sure it can support Windows 10. Regarding uTorrent, I removed it and a few other apps too. The MBAM scan found 1 PUP, which is quarantined. Thanks.

Attachment: MBAM Log.txt
AdvancedSetup (Root Admin) Posted October 8, 2018 ID:1274269

Please download and run the following Kaspersky antivirus scanner to remove any found threats: Kaspersky Virus Removal Tool. Let me know if it finds anything or not.
seeker168 (Author) Posted October 9, 2018 ID:1274497

Kaspersky found 1 trojan downloader, which was deleted. The actual malware, however, still remains active.
AdvancedSetup (Root Admin) Posted October 10, 2018 ID:1274531

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
seeker168 (Author) Posted October 10, 2018 ID:1274703

Farbar logs...

Attachments: FRST.txt, Addition.txt
AdvancedSetup (Root Admin) Posted October 10, 2018 ID:1274742

uTorrent still shows as being in Add/Remove Programs:

µTorrent (HKU\S-1-5-21-2025429265-261478967-839522115-1003\...\uTorrent) (Version: 3.4.3.40298 - BitTorrent Inc.)

Please uninstall Java as well.

Turn off MSCONFIG and set it back to Normal. Uninstall any software no longer used. If you don't want items starting, then delete the startup entry for it. Please read the following article concerning the use of MSCONFIG: Msconfig Is Not A Startup Manager

Once you've done the above, please run a new set of scans. Make sure both FRST and Addition are new logs. Please run the following steps and post back the logs as an attachment when ready.

STEP 01
If you're already running Malwarebytes 3, then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
If you don't have Malwarebytes 3 installed yet, please download it from here and install it. Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
Once the scan is completed, click on the Export Summary button and save the file as a Text file to your desktop or another location you can find, and attach that log on your next reply.
If Malwarebytes won't run, then please skip to the next step and let me know on your next reply.

STEP 02
Please download AdwCleaner by Malwarebytes and save the file to your Desktop.
- Right-click on the program and select Run as Administrator to start the tool.
- Accept the Terms of use.
- Wait until the database is updated.
- Click Scan Now.
- When finished, please click Clean & Repair.
- Your PC should reboot now if any items were found.
- After reboot, a log file will be opened. Copy its content into your next reply.

RESTART THE COMPUTER before running Step 3.

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here. Please attach the Addition.txt log to your reply as well.

Thanks
Ron
seeker168 (Author) Posted October 10, 2018 ID:1274757

After reading your post the other day I removed a bunch of unused programs and, as far as I can remember, uTorrent also, but nevertheless I checked Add/Remove Programs again and I am unable to find uTorrent listed... so I deleted the uTorrent folder in Program Files. Is there anything else I need to do?

Regarding Java, I need it for a site which is of particular importance to my work, so it's absolutely essential for me.

I will post the logs after scanning.
AdvancedSetup (Root Admin) Posted October 11, 2018 ID:1274769

You can keep Java, but you should update it to the latest version and uninstall the old one.
https://java.com

Please go ahead and run the other scans as requested and post back the logs, and we'll see if any other issues remain.

Cheers
Ron
seeker168 (Author) Posted October 11, 2018 ID:1275010

I could not scan my system with AdwCleaner; I'm getting an error "dwmapi.dll was not found". Other things done.

Attachments: MBAM.txt, FRST.txt, Addition.txt
seeker168 (Author) Posted October 12, 2018 ID:1275028

I downloaded AdwCleaner 6, which is supported by XP, and scanned my system. A total of 9 issues were detected and subsequently cleaned. I'm enclosing the fresh logs. Thanks.

Attachments: AdwCleaner[C0].txt, AdwCleaner[S0].txt, FRST.txt, Addition.txt
AdvancedSetup (Root Admin) Posted October 12, 2018 ID:1275050

Sorry about that, I forgot that 7.x of AdwCleaner no longer supports XP.

Please download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

- Run FRST or FRST64 and press the Fix button just once and wait.
- If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
- The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

Attachment: fixlist.txt

Thanks,
Ron
seeker168 (Author) Posted October 13, 2018 ID:1275345

The tool ran for about an hour but couldn't complete the fix, and all this while CPU usage was about 50%. It seemed to me the tool got stuck somewhere, so I finally aborted. Should I give it a longer run?
AdvancedSetup (Root Admin) Posted October 13, 2018 ID:1275347

Yes, please download and run it again. Please try to be patient and let it run longer.

Thanks
seeker168 (Author) Posted October 14, 2018 ID:1275461

I let it run for six hours but it still couldn't complete. The message says "Fixing in progress please be patient" but nothing happens. Please advise what to do. Thanks.
AdvancedSetup (Root Admin) Posted October 15, 2018 ID:1275502

Okay, ignore the fix for now. Please run the following.

Please download the following scanner from Kaspersky and save it to your computer: TDSSKiller

Then watch the following video on how to use the tool, and make sure to temporarily disable your security applications before running TDSSKiller:
PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found, please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning, make sure to re-enable your other security applications.

Thank you
Ron
seeker168 (Author) Posted October 16, 2018 ID:1275931

A few false positives were reported by TDSSKiller, so I skipped the threats.

Attachment: TDSSKiller.3.1.0.17_17.10.2018_01.32.39_log.txt
AdvancedSetup (Root Admin) Posted October 17, 2018 ID:1276031

Download RogueKiller and save it on your desktop; ensure you download the correct version for your operating system.
RogueKiller (x86)
RogueKiller (x64)

- Exit all running applications.
- Double-click on RogueKiller.exe to launch the tool.
- On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
- If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it Winlogon.
- Click "Start Scan" to begin the analysis. This may take some time.
- Once the scan is complete, click the "Open TXT" button to display the scan report. Copy/paste its content in your next reply.
- Do not use the Remove Selected option until I've had a look at the log.

Thanks,
Ron
seeker168 (Author) Posted October 17, 2018 ID:1276063

Please find the RogueKiller log. Thanks.

Attachment: RK LOG 171018.txt
AdvancedSetup (Root Admin) Posted October 17, 2018 ID:1276071

Well, everything is coming back pretty clean. Let me have you run the following, and I'll check back on you again sometime later today.

Please visit this web page and read the ComboFix User's Guide. Once you've read the article and are ready to use the program, you can download it directly from the link below.

Important! Please make sure you save ComboFix to your desktop and do not run it from your browser.
Direct download link for: ComboFix.exe

- Please make sure you disable your security applications before running ComboFix.
- Once ComboFix has completed, it will produce and open a log file. Please be patient as it can take some time to load.
- Please attach that log file to your next reply. If needed, the file can be located here: C:\combofix.txt

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Thanks,
Ron
seeker168 (Author) Posted October 17, 2018 ID:1276169

ComboFix log.

Attachment: ComboFix.txt
AdvancedSetup (Root Admin) Posted October 17, 2018 ID:1276173

Your tcpip.sys file does not appear to be valid. Do you have the Windows XP installation CD?
seeker168 (Author) Posted October 17, 2018 ID:1276178

I have the ISO image on my hard drive, which can be mounted on a virtual drive. Will that do?
AdvancedSetup (Root Admin) Posted October 17, 2018 ID:1276196

Let me see if I can repair it with what you have there on the system already. Looks like one of the files is valid. Back in a bit.
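The two posts above (tcpip.sys "does not appear to be valid", then "one of the files is valid") describe the usual cross-check for a suspected tampered system file on XP: the live driver in system32\drivers is compared against the spare copies Windows File Protection keeps in system32\dllcache and under ServicePackFiles. The script below is an added example of that check, not ComboFix's logic or the moderator's method. The three paths are the standard XP locations and are assumptions; the page shows nothing about where the copies on this machine were. The minimal PE image it builds for its self-test is constructed and is not a real driver.

```python
"""Cross-check a Windows system file against the spare copies XP keeps.
Added illustration; paths and the self-test PE image are assumptions."""
import hashlib
import os
import struct
import tempfile

# Standard XP locations for tcpip.sys (assumed; adjust to the actual system).
CANDIDATE_PATHS = [
    r"C:\WINDOWS\system32\drivers\tcpip.sys",        # live driver
    r"C:\WINDOWS\system32\dllcache\tcpip.sys",       # Windows File Protection cache
    r"C:\WINDOWS\ServicePackFiles\i386\tcpip.sys",   # service pack copy
]


def pe_summary(data):
    """Parse just enough of a PE image to spot obvious damage: MZ/PE magic,
    COFF machine and timestamp, and whether the Authenticode (security)
    data directory is populated.  Returns None if the headers are not sane."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine, _nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)    # PE32 / PE32+
    sec_off = dd_off + 4 * 8                               # IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec_off + 8 > opt_off + opt_size or sec_off + 8 > len(data):
        return None
    sec_ptr, sec_size = struct.unpack_from("<II", data, sec_off)  # file offset, not RVA
    return {"machine": machine, "timestamp": timestamp,
            "signed_dir": sec_ptr != 0 and sec_size != 0}


def compare_copies(paths):
    """Hash each existing copy, parse its headers, and report the copies that
    disagree with the majority hash or fail the header check.  Agreement is
    evidence, not proof: malware can overwrite the dllcache copy as well."""
    report = {}
    for p in paths:
        if not os.path.exists(p):
            report[p] = {"present": False}
            continue
        with open(p, "rb") as f:
            data = f.read()
        report[p] = {"present": True, "sha256": hashlib.sha256(data).hexdigest(),
                     "pe": pe_summary(data)}
    hashes = [r["sha256"] for r in report.values() if r.get("present")]
    majority = max(set(hashes), key=hashes.count) if hashes else None  # ties: arbitrary
    outliers = sorted(p for p, r in report.items() if r.get("present")
                      and (r["sha256"] != majority or r["pe"] is None))
    return {"majority_sha256": majority, "outliers": outliers, "copies": report}


def build_minimal_pe(signed=True, payload=b"A" * 64):
    """Construct a header-only PE32 image for the self-test (constructed, not a driver)."""
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    opt_size = 96 + 16 * 8                          # PE32 optional header, 16 data dirs
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0x4A5BC007, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")
    dirs = [(0, 0)] * 16
    if signed:
        dirs[4] = (pe_off + 24 + opt_size + len(payload), 0x1000)  # fake WIN_CERTIFICATE slot
    opt += b"".join(struct.pack("<II", ptr, sz) for ptr, sz in dirs)
    return dos + b"PE\0\0" + coff + opt + payload


def self_test():
    """Write three constructed copies to a temp dir, two pristine and one with
    a patched byte, plus a missing path, and run the comparison."""
    good = build_minimal_pe(signed=True)
    bad = bytearray(good)
    bad[-1] ^= 0xFF                                  # simulate a patched driver body
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("live.sys", "dllcache.sys", "sp.sys")]
        missing = os.path.join(d, "missing.sys")
        for p, content in zip(paths, (bytes(bad), good, good)):
            with open(p, "wb") as f:
                f.write(content)
        result = compare_copies(paths + [missing])
    return {"outliers": [os.path.basename(p) for p in result["outliers"]],
            "live_signed_dir": result["copies"][paths[0]]["pe"]["signed_dir"],
            "missing_present": result["copies"][missing]["present"]}


if __name__ == "__main__":
    print(self_test())
    # On the real machine: print(compare_copies(CANDIDATE_PATHS)["outliers"])
```

Two caveats apply to reading the result on this machine. A copy that matches the others still has to match the version Microsoft shipped; the user's install ISO carries i386\tcpip.sy_, which `expand` can unpack for a fourth comparison point, though an RTM copy will legitimately differ from a service-pack build. And because the suspected file is the kernel's own network stack, hashes taken from inside the running system may be hiding a rootkit's view; the trustworthy reading is taken with the disk mounted from clean boot media.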