BleepingComputer.com: Possibly part of a botnet?

My wife and I got kicked offline last night on our PCs but the network never went down. I power cycled modem/router and we were back on. Once back online, wife and I had trouble resolving common dns(s) such as msn, google, yahoo, etc and most other sites as well. The sites would 404 or simply fail to load, then if you hit refresh enough times they would load with no pictures, then another refresh would get you a normal page...but clicking any links or trying any other domains would end up 404. Son came in and said he couldn't go anywhere. Since it was late I figured ISP was doing maintenance and we went to bed.

Problem was intermittent throughout the day today, bad this morn, then good all day then bad again when son got home and turned on PC (hindsight). Called ISP and they said no problems on their end (in retrospect they clearly didn't check our traffic as you will see in a minute). Suddenly internet was fast again with no 404s... son came in and said he was running avast boot scan. Soon as scan stopped (avast found nothing) net went to crap again.

Unplugged his PC from lan and ran RKILL (clean), MBAM (clean), GMER (clean), aswMBR (clean), and finally Combofix (yes I know you arent supposed to if you are going to come here for assistance, but I never imagined I'd be here on what 'appeared' to be a clean system judging from the previous 6 tool reports).

Combofix made a couple deletions. I assumed it was good so I rebooted and plugged him in and heard daughter hollaring about internet within 20 seconds. Unplugged lan and ran mbam again (clean) then curiosity got the best of me and I plugged him back in to much protest and ran nirsoft's Network Traffic Viewer. Within 54 seconds it had made 20 round trip connections (incoming/outgoing) to IPs all over the world (checked with nirsoft's IPNetInfo). It is pullin a minimum of 20 connections to external IPs per minute with basically nothing running but OS and AV.

I only had one other tool on my flash and didn't feel like heading back to my pc, so I ran SuperAntiSpyware which found and deleted 6 additional malware, but didn't stop traffic. I am attaching combo fix 'excerpt' (since it was run by this rogue and not at the request of BC)and SAS log. I can also post the Network Traffic logs and IP reports, but I figured I should ask before I posted them pubically, but there are a ton in just a 5 min sample and they are worldwide locations. Alternately, if necessary I can mail those text files if necessary for assistance but inappropriate to post pubically.

Only interesting info from combofix (that I could see) was under 'other deletions':

c:\documents and settings\Pyro\WINDOWS
c:\windows\system32\dll
c:\windows\system32\E_FD4BAFA.DLL
c:\windows\system32\lvci1311021.dll
c:\windows\system32\nvdispco3220140.dll

SAS & MBAM logs attached. GMER was clean and generated empty log. DDS bluescreened PC on run. HOSTS file unaltered. Winsock and LSPs reset (WinsockFix for XP). IE was proxied but I cleared it under Internet Settings...wasn't effecting son who uses chrome.

Thanks in advance and sorry about the premature combofix run, I truly didn't expect to be requiring outside assistance after MBAM was clean

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. Since you have run ComboFix, please include the ComboFix log in the new topic.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, include the information that you were unable to produce the other logs, include the ComboFix log, and describe what happens when you try to create the other logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

Hi,

Followed guide. DDS ran this time after I coppied it to desktop instead of flash. GMER again produced a blank log, and blank results on run as well.

I was unclear on if you wanted a portion of the network activity log or the ip traces on those numerous 'botlike' connections so I did not attach any of those.

Thanks OB!

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419172 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

• If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
  
  • Please do this even if you have previously posted logs for us.
    
  • If you were unable to produce the logs originally please try once more.
    
  • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
  
  
• Please tell us if you have your original Windows CD/DVD available.
  
• Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

I still need help, the required logs are attached above. I found that I was able to stop the massive ammounts of round trip traffic on that machine by disabling both Net.TCP Port Sharing Service and IPSEC services. The infections listed in the logs above are still present and whatever script, hack, or virus that initiates the outgoing connection is still present, because if I turn those services back on, the computer begins initiating connections within seconds.

Thanks!

BTW, sorry about the slow reply to helpbot, I was out of town for several days.

Hi
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log.

As this seems not to be a malware issue, as no logs show any infections as of yet

Lets start off with removing a program that has some other quite up set by using up their bandwidth.

Please go to Start > Control Panel > Add/Remove Programs (Windows Vista it’s Programs and Features) and remove the following (if present):

Pando Media Booster

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

c:\program files\pando networks

Please reboot the machine, test, and let me know how things are.

Thanks
maranatha

FYI on the pando media booster problems.

http://www.techsupportforum.com/forums/f112/solved-woah-woah-woah-some-werid-program-installed-on-my-computer-352654.html

http://neogaf.net/forum/showthread.php?t=385502

This post has been edited by maranatha: 25 September 2011 - 11:46 AM

Hi
If you still require help. please respond to this thread or it will be closed in 48 hours.

Thanks
maranatha

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.