Connections to malicious IPs even after disinfection


13 replies to this topic

#1 tonatsan

  • Members
  • 7 posts

Posted 08 November 2018 - 01:32 PM

Greetings,

After running several tools (Malwarebytes, Norton Power Eraser, ESET Online Scanner) that found a lot of malicious files on the computer, I keep detecting connections to 2 IPs that, to the best of my knowledge, are related to malware activity:

[1]   70.39.124.70 (requested as www.upme0611.info)

[2]   66.117.2.182 (requested as mbr.kill0604.ru)

These connections are performed by the winlogon.exe process, which I have scanned many times (also uploaded to VirusTotal) and which is apparently not malicious.

When I try to run other anti-malware tools like Avira, Kaspersky or RKill, the processes are closed immediately. I managed to run RKill and Avira Antivirus by changing the names of the executables, but they found nothing.

Only GMER seems to detect that a thread of the System process is malicious.

How can I find where the remaining malware is? How can I get rid of it?

Thanks in advance.

--

As mentioned in the "preparation guide", I will paste the contents of the FRST.txt log below:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07.11.2018
Ran by computo (administrator) on ESTACIONAMIENTO (07-11-2018 21:01:36)
Running from C:\Users\computo\Desktop\herramientasAntimalware
Loaded Profiles: computo (Available Profiles: computo)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmacthlp.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Sysinternals - www.sysinternals.com) C:\Users\computo\Desktop\herramientasAntimalware\Sysinternals\procexp64.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{895ff9a7-5d9e-416a-9c9c-7a5c22671a37} <==== ATTENTION (Restriction - IP)
Tcpip\Parameters: [DhcpNameServer] 172.16.251.2
Tcpip\..\Interfaces\{28334BDF-1126-4D50-A3D5-EDBA162533EE}: [DhcpNameServer] 172.16.251.2
 
Internet Explorer:
==================
HKU\S-1-5-21-2798475316-1413316318-2199699979-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.dell.com/
HKU\S-1-5-21-2798475316-1413316318-2199699979-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.dell.com
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
S3 TPVCGateway; C:\Program Files\VMware\VMware Tools\TPVCGateway.exe [2498744 2018-03-22] (Cortado AG)
R2 VGAuthService; C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe [179640 2018-03-22] (VMware, Inc.)
R2 VMware Physical Disk Helper Service; C:\Program Files\VMware\VMware Tools\vmacthlp.exe [575416 2018-03-22] (VMware, Inc.)
S3 VMwareCAFCommAmqpListener; C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\CommAmqpListener.exe [68096 2018-03-22] () [File not signed]
S3 VMwareCAFManagementAgentHost; C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\ManagementAgentHost.exe [61440 2018-03-22] () [File not signed]
U2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S4 Windows Audio Control; C:\Program Files (x86)\Common Files\conime.exe -s [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
S1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [119712 2016-06-28] (Oracle Corporation)
S3 vm3dmp-debug; C:\Windows\System32\DRIVERS\vm3dmp-debug.sys [371640 2018-03-22] (VMware, Inc.)
S3 vm3dmp-stats; C:\Windows\System32\DRIVERS\vm3dmp-stats.sys [296888 2018-03-22] (VMware, Inc.)
R3 vm3dmp_loader; C:\Windows\System32\DRIVERS\vm3dmp_loader.sys [42936 2018-03-22] (VMware, Inc.)
R2 VMMemCtl; C:\Windows\System32\DRIVERS\vmmemctl.sys [42456 2018-03-22] (VMware, Inc.)
R1 vmrawdsk; C:\Windows\System32\DRIVERS\vmrawdsk.sys [64984 2018-03-22] (VMware, Inc.)
R3 vmusbmouse; C:\Windows\System32\DRIVERS\vmusbmouse.sys [34880 2018-03-22] (VMware, Inc.)
R0 vsock; C:\Windows\System32\DRIVERS\vsock.sys [93648 2018-03-21] (VMware, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-11-07 21:00 - 2018-11-07 21:01 - 000000000 ____D C:\FRST
2018-11-07 20:41 - 2018-11-07 20:41 - 000002183 _____ C:\Users\computo\Desktop\aswMBR_scan1.txt
2018-11-07 20:41 - 2018-11-07 20:41 - 000000512 _____ C:\Users\computo\Desktop\MBR.dat_posiblementeInfectado
2018-11-07 20:39 - 2018-11-07 20:39 - 005200384 _____ (AVAST Software) C:\Users\computo\Downloads\aswmbr.exe
2018-11-07 20:12 - 2018-11-07 20:15 - 000713608 _____ C:\TDSSKiller.3.1.0.17_07.11.2018_20.12.44_log.txt
2018-11-07 20:06 - 2018-11-07 20:09 - 000004644 _____ C:\TDSSKiller.3.1.0.17_07.11.2018_20.06.40_log.txt
2018-11-07 19:53 - 2018-11-07 19:55 - 000002398 _____ C:\Users\computo\Desktop\Rkill.txt
2018-10-30 19:28 - 2018-10-30 19:28 - 000000000 ____D C:\Windows\Microsoft Antimalware
2018-10-29 17:12 - 2018-10-29 17:12 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
2018-10-25 20:32 - 2018-10-25 20:32 - 000001407 _____ C:\Users\computo\Desktop\Procmon - Acceso directo.lnk
2018-10-25 17:01 - 2018-10-25 17:01 - 000001992 _____ C:\Users\Public\Desktop\AccessData FTK Imager.lnk
2018-10-25 17:00 - 2018-10-25 17:00 - 000000000 ____D C:\Program Files\AccessData
2018-10-23 22:35 - 2018-10-23 22:37 - 003704780 _____ C:\Users\computo\Documents\captura1.pcap
2018-10-23 22:33 - 2018-10-23 22:38 - 000000000 ____D C:\Users\computo\AppData\Roaming\Wireshark
2018-10-23 22:31 - 2018-10-23 22:31 - 000001774 _____ C:\Users\Public\Desktop\Wireshark.lnk
2018-10-23 22:31 - 2018-10-23 22:31 - 000000000 ____D C:\Program Files (x86)\WinPcap
2018-10-23 22:29 - 2018-10-23 22:45 - 000000000 ____D C:\Program Files\Wireshark
2018-10-23 22:28 - 2018-10-23 22:28 - 059534280 _____ (Wireshark development team) C:\Users\computo\Downloads\Wireshark-win64-2.6.4.exe
2018-10-23 22:25 - 2018-10-23 22:25 - 004107130 _____ C:\Users\computo\Documents\antirootkit1.txt
2018-10-23 14:40 - 2018-10-23 14:40 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2018-10-18 22:25 - 2018-03-22 01:58 - 000042456 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vmmemctl.sys
2018-10-18 22:25 - 2018-03-22 01:57 - 000171992 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vmhgfs.sys
2018-10-18 22:25 - 2018-03-22 01:57 - 000142296 _____ (VMware, Inc.) C:\Windows\system32\vmhgfs.dll
2018-10-18 22:25 - 2018-03-22 01:57 - 000129496 _____ (VMware, Inc.) C:\Windows\SysWOW64\vmhgfs.dll
2018-10-18 22:25 - 2018-03-22 01:56 - 000064984 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vmrawdsk.sys
2018-10-18 22:25 - 2018-03-21 00:08 - 000093648 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vsock.sys
2018-10-18 22:25 - 2018-03-21 00:08 - 000084952 _____ (VMware, Inc.) C:\Windows\system32\vsocklib.dll
2018-10-18 22:25 - 2018-03-21 00:08 - 000080848 _____ (VMware, Inc.) C:\Windows\SysWOW64\vsocklib.dll
2018-10-18 22:24 - 2018-10-18 22:24 - 000000000 ____D C:\Program Files\VMware
2018-10-18 22:24 - 2018-03-22 01:39 - 000037816 _____ (VMware, Inc.) C:\Windows\system32\VMWSU_V1_0.DLL
2018-10-18 22:23 - 2018-10-18 22:24 - 000000000 ____D C:\Program Files\Common Files\VMware
2018-10-18 17:52 - 2018-10-18 17:52 - 000000000 ____D C:\Program Files\McAfee
2018-10-18 17:45 - 2018-10-30 18:57 - 000000000 ____D C:\Users\computo\AppData\Local\CrashDumps
2018-10-18 17:31 - 2018-10-25 15:53 - 000001363 _____ C:\Users\computo\Desktop\procexp64 - Acceso directo.lnk
2018-10-16 08:19 - 2018-10-16 08:20 - 000000012 _____ C:\Users\tonafile.test
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-11-07 21:01 - 2018-09-27 10:16 - 000000000 ____D C:\Users\computo\Desktop\herramientasAntimalware
2018-11-07 20:59 - 2009-07-13 23:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-11-07 20:59 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\Registration
2018-11-07 20:55 - 2010-11-21 01:09 - 000697520 _____ C:\Windows\system32\perfh00A.dat
2018-11-07 20:55 - 2010-11-21 01:09 - 000134338 _____ C:\Windows\system32\perfc00A.dat
2018-11-07 20:55 - 2009-07-13 23:13 - 001536084 _____ C:\Windows\system32\PerfStringBackup.INI
2018-11-07 20:55 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\inf
2018-11-07 20:54 - 2009-07-13 22:45 - 000034128 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-11-07 20:54 - 2009-07-13 22:45 - 000034128 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-10-25 15:53 - 2018-09-27 15:57 - 000001269 _____ C:\Users\computo\Desktop\Tcpview - Acceso directo.lnk
2018-10-23 23:41 - 2018-09-27 13:41 - 000000000 ____D C:\Windows\Minidump
2018-10-23 14:57 - 2016-05-12 19:42 - 000000000 ____D C:\Program Files\Microsoft SQL Server
2018-10-23 14:50 - 2016-05-12 18:32 - 000000000 ____D C:\Program Files (x86)\Rosslare
2018-10-18 17:58 - 2018-09-27 09:38 - 000000000 ____D C:\Windows\pss
2018-10-17 06:29 - 2016-05-11 18:21 - 000000000 ____D C:\Users\computo
2018-10-17 06:28 - 2009-07-13 21:20 - 000000000 ____D C:\Program Files\Windows NT
2018-10-10 12:38 - 2009-07-13 23:32 - 000000000 ____D C:\Windows\system32\FxsTmp
 
==================== Files in the root of some directories =======
 
2016-07-27 12:14 - 2016-07-27 14:52 - 000000600 _____ () C:\Users\computo\AppData\Local\PUTTY.RND
 
Some files in TEMP:
====================
2018-10-30 18:56 - 2018-10-30 18:56 - 000478080 _____ (Sysinternals - www.sysinternals.com) C:\Users\computo\AppData\Local\Temp\CLJUI.exe
2018-10-30 18:57 - 2018-10-30 18:57 - 000400256 _____ (Sysinternals - www.sysinternals.com) C:\Users\computo\AppData\Local\Temp\FGODQYNWUD.exe
2018-10-29 17:17 - 2018-10-29 17:18 - 001186440 ____H (Sysinternals - www.sysinternals.com) C:\Users\computo\AppData\Local\Temp\Procmon64.exe
2018-10-30 18:57 - 2018-10-30 18:57 - 000506752 _____ (Sysinternals - www.sysinternals.com) C:\Users\computo\AppData\Local\Temp\SSBSSDFFLI.exe
2018-10-30 18:57 - 2018-10-30 18:57 - 000355200 _____ (Sysinternals - www.sysinternals.com) C:\Users\computo\AppData\Local\Temp\ZCMJBO.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-10-25 16:21
 
==================== End of FRST.txt ============================
 
==========================================================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07.11.2018
Ran by computo (07-11-2018 21:02:20)
Running from C:\Users\computo\Desktop\herramientasAntimalware
Windows 7 Professional Service Pack 1 (X64) (2016-05-12 00:21:07)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrador (S-1-5-21-2798475316-1413316318-2199699979-500 - Administrator - Disabled)
computo (S-1-5-21-2798475316-1413316318-2199699979-1000 - Administrator - Enabled) => C:\Users\computo
Invitado (S-1-5-21-2798475316-1413316318-2199699979-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
AccessData FTK Imager (HKLM\...\{46714B4F-795C-4AEA-B6BC-4F70BE800763}) (Version: 4.2.0.13 - AccessData)
Crystal Reports Basic Runtime for Visual Studio 2008 (HKLM-x32\...\{CE26F10F-C80F-4377-908B-1B7882AE2CE3}) (Version: 10.5.1.0 - Business Objects)
DahuaMerge (HKLM-x32\...\{5580DA35-F174-42B2-8DBD-025ED097ADE3}) (Version: 0.1.0 - Rosslare)
HASP Device Drivers (HKLM-x32\...\HASP Device Drivers) (Version:  - )
Microsoft SQL Server 2012 Setup (English) (HKLM-x32\...\{CEA86648-87FA-4775-8F3B-A57F720BAE85}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (HKLM-x32\...\{e2ee15e2-a480-4bc5-bfb7-e9803d1d9823}) (Version: 14.12.25810.0 - Microsoft Corporation)
Microsoft VSS Writer for SQL Server 2012 (HKLM\...\{3E0DD83F-BE4C-4478-86A0-AD0D79D1353E}) (Version: 11.0.2100.60 - Microsoft Corporation)
Paquete de controladores de Windows - Silicon Laboratories (silabenm) Ports  (10/18/2013 6.6.1.0) (HKLM\...\F92C2D6CB4EA0EE558BDF5F8BDD69083DFC62179) (Version: 10/18/2013 6.6.1.0 - Silicon Laboratories)
StrokeScribe 4.1.10 (x86 and x64) (HKLM\...\{640558C4-B442-4CD4-B6F0-DCA99EFD2117}_is1) (Version:  - strokescribe.com)
TreeSize Free V3.4.5 (HKLM-x32\...\TreeSize Free_is1) (Version: 3.4.5 - JAM Software)
VMware Tools (HKLM\...\{43D9111A-EA02-4682-BF3C-EFDCB62A89B0}) (Version: 10.2.5.8068393 - VMware, Inc.)
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
Wireshark 2.6.4 64-bit (HKLM-x32\...\Wireshark) (Version: 2.6.4 - The Wireshark developer community, hxxps://www.wireshark.org)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\":
WMI:subscription\__FilterToConsumerBinding->\\.\root\subscription:ActiveScriptEventConsumer.Name=\"bleepyoumm2_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"bleepyoumm2_filter\": <==== ATTENTION
WMI:subscription\__TimerInstruction->bleepyoumm2_itimer: <==== ATTENTION
WMI:subscription\__IntervalTimerInstruction->:
WMI:subscription\__EventFilter->bleepyoumm2_filter: <==== ATTENTION
WMI:subscription\__EventFilter->BVTFilter:
WMI:subscription\CommandLineEventConsumer->BVTConsumer:
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-03-22 01:39 - 2018-03-22 01:39 - 000454584 _____ () C:\Program Files\VMware\VMware Tools\VMware VGAuth\pcre.dll
2018-03-22 02:00 - 2018-03-22 02:00 - 000454584 _____ () C:\Program Files\VMware\VMware Tools\pcre.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\55099275.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SMR521 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SMR521.SYS => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\55099275.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR521 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR521.SYS => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 20:34 - 2018-09-27 15:51 - 000000826 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2798475316-1413316318-2199699979-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 172.16.251.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
If an entry is included in the fixlist, it will be removed.
 
MSCONFIG\startupfolder: C:^Users^computo^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^rkill - Acceso directo.lnk => C:\Windows\pss\rkill - Acceso directo.lnk.Startup
MSCONFIG\startupfolder: C:^Users^computo^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^TcpLogView - Acceso directo.lnk => C:\Windows\pss\TcpLogView - Acceso directo.lnk.Startup
MSCONFIG\startupfolder: C:^Users^computo^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Tcpview - Acceso directo.lnk => C:\Windows\pss\Tcpview - Acceso directo.lnk.Startup
MSCONFIG\startupreg: VMware User Process => "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{C1D20662-E4BF-4F14-B7BB-523FEFBE9025}] => (Allow) %SystemRoot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
FirewallRules: [{AC47412E-51DA-4FD7-9572-18DE8173D4CA}] => (Allow) LPort=1003
FirewallRules: [TCP Query User{3391BC6D-F86B-4682-B770-D6253499AE04}C:\program files (x86)\rosslare\axtraxng client\client.exe] => (Allow) C:\program files (x86)\rosslare\axtraxng client\client.exe
FirewallRules: [UDP Query User{10FE43F8-52E6-4919-A657-F86E623B0BE7}C:\program files (x86)\rosslare\axtraxng client\client.exe] => (Allow) C:\program files (x86)\rosslare\axtraxng client\client.exe
FirewallRules: [{EFDA3D0C-C3CA-4C04-A076-E97DFAFDD4D0}] => (Allow) LPort=1003
FirewallRules: [{3E6906BF-11CC-4FDA-A161-3FC75899B5AA}] => (Allow) LPort=1003
FirewallRules: [{E3131EF3-1DA6-4BE8-83EE-EBB5FA730C3D}] => (Allow) LPort=445
FirewallRules: [{270023C5-A9A6-40D5-8ED4-17704FF8AD71}] => (Allow) %ProgramFiles%\Oracle\VirtualBox\VirtualBox.exe
FirewallRules: [{A1941E85-6978-4F45-8F2A-B52786DBB109}] => (Block) LPort=445
FirewallRules: [{8124D7C9-17D1-47E6-B84D-9056E3367E16}] => (Block) LPort=139
FirewallRules: [{EB76B914-D0C1-4659-BE88-40A2E2121DB6}] => (Block) LPort=135
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (11/07/2018 09:01:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/07/2018 08:59:30 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\msiexec.exe /V; Description = Removed Sophos Virus Removal Tool.; Error = 0x80042318).
 
Error: (11/07/2018 08:59:30 PM) (Source: VSS) (EventID: 12347) (User: )
Description: Volume Shadow Copy Service error: An internal inconsistency was detected
in trying to contact shadow copy service writers. The Registry writer failed to
respond to a VSS query. Please check to see that the Event Service and Volume
Shadow Copy Service are operating properly, and check for any other events in
the Application event log.
 
 
Operation:
   Gathering Writer Data
   Executing Asynchronous Operation
 
Context:
   Execution Context: Requestor
   Current State: GatherWriterMetadata
 
Error: (11/07/2018 08:59:15 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\msiexec.exe /V; Description = Removed Sophos Virus Removal Tool.; Error = 0x800706be).
 
Error: (11/07/2018 08:48:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/07/2018 08:43:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/07/2018 08:33:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (11/07/2018 08:28:27 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.
 
Details:
The system cannot find the file specified.  (HRESULT : 0x80070002) (0x80070002)
 
 
System errors:
=============
Error: (11/07/2018 09:02:17 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 4 time(s).
 
Error: (11/07/2018 09:02:17 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Search service terminated with the following error: 
The system cannot find the file specified.
 
Error: (11/07/2018 09:01:01 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Volume Shadow Copy service terminated unexpectedly. It has done this 1 time(s).
 
Error: (11/07/2018 09:00:45 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 3 time(s).
 
Error: (11/07/2018 09:00:45 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Search service terminated with the following error: 
The system cannot find the file specified.
 
Error: (11/07/2018 09:00:44 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Search service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (11/07/2018 09:00:44 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
 
Error: (11/07/2018 09:00:20 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Search service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
 
Windows Defender:
===================================
Date: 2018-10-23 23:17:49.710
Description: 
Windows Defender scan has been stopped before completion.
Scan ID:{D5741811-51E5-48EC-8DCC-988A1096FD8D}
Scan Type:AntiSpyware
Scan Parameters:Quick Scan
User:estacionamiento\computo
 
CodeIntegrity:
===================================
 
Date: 2018-10-03 10:05:04.098
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
Date: 2018-10-03 08:45:09.463
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
Date: 2018-10-03 08:19:02.902
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
Date: 2018-10-02 15:20:08.502
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
Date: 2018-10-02 14:26:46.616
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
Date: 2018-10-02 14:09:55.238
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
Date: 2018-10-01 20:07:40.472
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
Date: 2018-09-27 19:26:28.326
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-7600 CPU @ 3.50GHz
Percentage of memory in use: 19%
Total physical RAM: 4095.43 MB
Available physical RAM: 3278.13 MB
Total Virtual: 8189.01 MB
Available Virtual: 7358.57 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:31.9 GB) (Free:4.45 GB) NTFS
 
\\?\Volume{8817f1b3-1800-11e6-a0cb-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 32 GB) (Disk ID: 4FCA6B10)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=31.9 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 
==========================================================
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-11-08 12:17:36
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005f VMware,_ rev.1.0_ 32.00GB
Running: blpncmptr_gemer.exe; Driver: C:\Users\computo\AppData\Local\Temp\kxpcapog.sys
 
 
---- Threads - GMER 2.2 ----
 
Thread  System [4:316]                              fffffa8003d81c08
Thread  C:\Windows\System32\svchost.exe [1972:688]  000007fef13e9688
 
---- EOF - GMER 2.2 ----
 

 



#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 10 November 2018 - 09:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 
Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{895ff9a7-5d9e-416a-9c9c-7a5c22671a37} <==== ATTENTION (Restriction - IP)
 
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
 
Reboot:
 
 
End
 
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.
 
Run FRST and click Fix only once and wait.
 
The tool will create a log (Fixlog.txt) please post it to your reply.
===
 
Let me know what problem persists.
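The first item in the fixlist above is the entry FRST flagged as "Restriction - IP": a local IPsec policy store under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local whose ActivePolicy value names the policy that is actually assigned. Malware sometimes plants such a policy to block traffic to security-vendor update servers, which is worth ruling out when scanners fail to update. The following PowerShell is an added example written for this thread; it is not part of nasdaq's instructions and not FRST code. It assumes the registry path FRST printed, an elevated prompt, and PowerShell 3.0 or later (available for Windows 7 through the WMF update); the function name Get-LocalIpsecPolicyReport is the editor's. Removing ActivePolicy unassigns the policy but leaves the policy objects in place, which is why the script lists them separately.

```powershell
# Added example (not from the thread): inspect the local IPsec policy store that
# FRST reported as "Restriction - IP" and report whether a policy is assigned.
# Assumptions: the registry path is the one FRST printed; run elevated; PS 3.0+.

$IpsecLocal = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'

function Get-LocalIpsecPolicyReport {
    if (-not (Test-Path -Path $IpsecLocal)) {
        return [pscustomobject]@{ Present = $false; ActivePolicy = $null; Objects = @() }
    }
    # ActivePolicy is the value the fixlist removes: it names the ipsecPolicy{GUID}
    # subkey that the IPsec Policy Agent applies. Without it nothing is assigned.
    $active = (Get-ItemProperty -Path $IpsecLocal -ErrorAction SilentlyContinue).ActivePolicy

    # Policies, filter lists, negotiation policies and NFAs are all stored as
    # subkeys carrying a display name (ipsecName) and an opaque blob (ipsecData).
    $objects = Get-ChildItem -Path $IpsecLocal | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $len = 0
        if ($props.ipsecData) { $len = $props.ipsecData.Length }
        $assigned = $false
        if ($active) { $assigned = $active.EndsWith($_.PSChildName, 'OrdinalIgnoreCase') }
        [pscustomobject]@{
            Key       = $_.PSChildName
            Name      = $props.ipsecName
            DataBytes = $len
            Assigned  = $assigned
        }
    }
    [pscustomobject]@{ Present = $true; ActivePolicy = $active; Objects = @($objects) }
}

$report = Get-LocalIpsecPolicyReport
if (-not $report.Present) {
    'No local IPsec policy store present.'
} elseif (-not $report.ActivePolicy) {
    'Policy store present but no ActivePolicy: nothing is assigned (expected after the fix).'
} else {
    "ActivePolicy = $($report.ActivePolicy)"
}
$report.Objects | Format-Table -AutoSize

# Decode the blobs: netsh prints each policy and its filter lists with the IP
# addresses, ports and actions (block / permit / negotiate), which is the view
# that shows whether the policy was cutting off update servers.
netsh ipsec static show policy all
netsh ipsec static show filterlist all level=verbose
```

Run it once before applying the fixlist to record what the policy filtered, and again after the reboot: the expected state afterwards is "Policy store present but no ActivePolicy". If filters that block security-vendor ranges remain listed, `netsh ipsec static delete all` removes the leftover objects.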
 


#3 tonatsan (Topic Starter)

Posted 12 November 2018 - 01:07 PM

Hello nasdaq,

thank you very much for your help. Here is the Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 11.11.2018
Ran by computo (12-11-2018 11:56:13) Run:1
Running from C:\Users\computo\Desktop\herramientasAntimalware
Loaded Profiles: computo (Available Profiles: computo)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{895ff9a7-5d9e-416a-9c9c-7a5c22671a37} <==== ATTENTION (Restricion - IP)
 
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
 
Reboot:
 
 
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\\ActivePolicy" => removed successfully
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= IPCONFIG /release =========
 
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::d578:ee2e:bfdf:edbc%11
   Default Gateway . . . . . . . . . : 
 
Tunnel adapter isatap.localdomain:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
========= IPCONFIG /renew =========
 
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::d578:ee2e:bfdf:edbc%11
   IPv4 Address. . . . . . . . . . . : 172.16.251.131
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.251.2
 
Tunnel adapter isatap.{28334BDF-1126-4D50-A3D5-EDBA162533EE}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 8965513 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => -6653952 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33125 B
systemprofile32 => 69178 B
LocalService => 66228 B
NetworkService => 1546126 B
computo => 364490050 B
 
RecycleBin => 3166 B
EmptyTemp: => 359.5 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 11:56:35 ====
 
 
(The connections to the mentioned IPs are still being performed by winlogon.exe)


#4 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 12 November 2018 - 01:54 PM

Hi,

Has your problem been solved?



#5 tonatsan (Topic Starter)

Posted 12 November 2018 - 05:36 PM

Hi,

The problem persists. The connections to the mentioned IPs are still being performed by winlogon.exe.



#6 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 13 November 2018 - 07:43 AM

Hi,
 
--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
===


#7 tonatsan (Topic Starter)

Posted 13 November 2018 - 07:40 PM

Hi,

RogueKiller detected two potentially malicious registry keys. I deleted them (with the RogueKiller option).

Unfortunately, the malicious connections are still performed after reboot.

The log below:

RogueKiller Anti-Malware V13.0.9.0 (x64) [Nov 12 2018] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : computo [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Standard scan, Scan -- Date : 2018/11/13 12:37:08 (Duration : 00:09:04)
Switches : -refid 3

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Explorer Advanced
  [PUM.StartMenu (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-2798475316-1413316318-2199699979-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyGames -- 0 -> Found
  [PUM.StartMenu (Potentially Malicious)] (X86) HKEY_USERS\S-1-5-21-2798475316-1413316318-2199699979-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyGames -- 0 -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web Browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    

     

Is there something I can do to detect who is telling winlogon.exe to make those connections?



#8 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 14 November 2018 - 08:39 AM

Hi,
 
Run Notepad and open the hosts file (no extension) in the location listed below.
 
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
 
If you do not see the file, it is hidden; see:
 
How To: Unhide files/folders Windows.
 
If these two lines are listed, delete them and nothing else.
Save the file before closing Notepad.
 
[1]   70.39.124.70 (requested as www.upme0611.info)
 
[2]   66.117.2.182 (requested as mbr.kill0604.ru)
===
 
If the issue is still not solved, run this search.
 
Let's see what we can find in the Registry.
 
Run the Farbar program .exe as an Administrator.
 
In the Search text area, copy and paste the following:
 
70.39.124.70;upme0611.info;66.117.2.182;mbr.kill0604.ru
 
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====


#9 tonatsan (Topic Starter)

Posted 14 November 2018 - 06:31 PM

Hi nasdaq,

Thanks for continuing to help me with this.

All the lines in the hosts file are commented out.

The Farbar log below:

Farbar Recovery Scan Tool (x64) Version: 14.11.2018
Ran by computo (14-11-2018 17:12:29)
Running from C:\Users\computo\Desktop\herramientasAntimalware
Boot Mode: Normal
 
================== Search Registry: "70.39.124.70;upme0611.info;66.117.2.182;mbr.kill0604.ru" ===========
 
 
===================== Search result for "70.39.124.70" ==========
 
 
===================== Search result for "upme0611.info" ==========
 
 
===================== Search result for "66.117.2.182" ==========
 
 
===================== Search result for "mbr.kill0604.ru" ==========
 
====== End of Search ======
 
:(


#10 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 15 November 2018 - 08:29 AM

Did you see any of these entries?

70.39.124.70
upme0611.info
66.117.2.182
mbr.kill0604.ru

If the file is long, search it. It's a text file.



#11 tonatsan (Topic Starter)

Posted 15 November 2018 - 07:00 PM

Do you mean in the "hosts" file?

The hosts file is not that long. Every line starts with a "#" sign (I think it is the generic/default hosts file), and neither the IPs nor the domains appear in it.


#12 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 16 November 2018 - 08:48 AM

Hi,

Every line starts with a "#" sign (I think it is the generic/default hosts file), and neither the IPs nor the domains appear in it.

The host file is compromised. This will replace it with the default file.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
     
start

CloseProcesses:

Hosts:

Reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If the problem is not solved:

Launch Notepad, and copy/paste all the instructions below into it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional, if the following programs are on your computer:
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you have to re-install IE-SpyAd if installed.

Restart the computer normally.
===

If the problem persists, reset your router. It may be compromised.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is the list of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

===

Keep me posted.

#13 tonatsan (Topic Starter)

Posted 16 November 2018 - 03:21 PM

Hi nasdaq,

I proceeded with the fixlist and with the registry keys change. The connections are still being performed after reboot :( (about 50 tries, mixed between the two IPs).

I'd like to add that, in safe mode (with networking), the connections are not present.

Do you think this is something related to rootkits?



#14 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted Yesterday, 08:23 AM

Hi,

Download the SystemLook appropriate for your system.

SystemLook (32-Bit Version) or SystemLook (64-Bit Version)
• Double-click SystemLook.exe/SystemLook_x64.exe to run it.
• Copy and paste the content of the following text into the main textfield:
  :reg
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify /sub
• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
• Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

Please scan the computer again with the Farbar program and post fresh FRST.txt and Addition.txt logs for my review.

To create a fresh Addition.txt log, ensure that the box to create the file is checked.
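tonatsan's question in #7 (who is telling winlogon.exe to make the connections), the Safe Mode observation in #13, and the Winlogon\Notify check requested in #14 all come down to the same triage: what is loaded inside winlogon.exe, which sockets really belong to it, what the Winlogon registry values point at, and which kernel drivers run only in a normal boot. The PowerShell below is an added example for that triage; it is not output from nasdaq or from any tool in this thread. It assumes an elevated prompt on the Windows 7 x64 machine from the logs with PowerShell 3.0 or later installed, uses only the two IPs from the original post, and every function and variable name in it is the editor's. It reads netstat -ano rather than Get-NetTCPConnection because the latter does not exist on Windows 7, and it lists Winlogon\Notify subkeys because notification packages were dropped in Vista, so any subkey present there on this system is suspect.

```powershell
# Added example (not from the thread): triage winlogon.exe as the apparent source
# of connections to the two IPs from post #1. Elevated PowerShell 3.0+ on Win7 x64.
$Iocs = @('70.39.124.70', '66.117.2.182')   # the two addresses from the original post

function Get-WinlogonTriage {
    $procs = @(Get-Process -Name winlogon -ErrorAction Stop)
    $pids  = $procs | ForEach-Object { $_.Id }

    # 1. Modules loaded in winlogon.exe with their Authenticode status. A DLL that
    #    is unsigned, or loaded from outside C:\Windows, is what to look at first.
    $modules = foreach ($p in $procs) {
        $mods = @()
        try { $mods = @($p.Modules) } catch { $mods = @() }   # access can be denied
        foreach ($m in $mods) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $subject = ''
            if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
            [pscustomobject]@{ PID = $p.Id; Module = $m.FileName; Signature = $sig.Status; Signer = $subject }
        }
    }

    # 2. Sockets owned by those PIDs. netstat -ano prints "proto local remote [state] pid";
    #    UDP rows have no state column, hence the optional group in the pattern.
    $conns = foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$' -and
            $pids -contains [int]$matches[5]) {
            $remoteIp = $matches[3] -replace ':[^:]*$', ''    # strip the port
            [pscustomobject]@{
                PID = [int]$matches[5]; Proto = $matches[1]; Local = $matches[2]
                Remote = $matches[3]; State = $matches[4]; IsIoc = ($Iocs -contains $remoteIp)
            }
        }
    }

    # 3. Winlogon registry values that decide what it runs or loads. On Win7 the
    #    stock values are Shell=explorer.exe and Userinit=C:\Windows\system32\userinit.exe,
    #    (trailing comma included); anything appended to them is a persistence hook.
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $reg = Get-ItemProperty -Path $wl
    $notify = Get-ChildItem -Path "$wl\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Key = $_.PSChildName; DllName = (Get-ItemProperty -Path $_.PSPath).DllName }
    }

    # 4. Running kernel drivers that are not validly signed or not in the drivers
    #    folder. Behaviour that disappears in Safe Mode with Networking is commonly
    #    a driver or service that only starts in a normal boot.
    $drivers = foreach ($d in (Get-WmiObject -Class Win32_SystemDriver -Filter "State='Running'")) {
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $path -notlike "$env:SystemRoot\System32\drivers\*") {
            [pscustomobject]@{ Name = $d.Name; Path = $path; Signature = $sig.Status }
        }
    }

    [pscustomobject]@{
        Modules = @($modules); Connections = @($conns)
        Shell = $reg.Shell; Userinit = $reg.Userinit; Notify = @($notify); Drivers = @($drivers)
    }
}

$t = Get-WinlogonTriage
"Shell    = $($t.Shell)"
"Userinit = $($t.Userinit)"
'--- Winlogon\Notify subkeys (none expected on Win7 x64) ---'
$t.Notify | Format-Table -AutoSize
'--- winlogon.exe modules that are unsigned or outside C:\Windows ---'
$t.Modules | Where-Object { $_.Signature -ne 'Valid' -or $_.Module -notlike "$env:SystemRoot\*" } | Format-Table -AutoSize
'--- sockets owned by winlogon.exe (IsIoc = remote is one of the IPs from post #1) ---'
$t.Connections | Format-Table -AutoSize
'--- running drivers that are unsigned or outside System32\drivers ---'
$t.Drivers | Format-Table -AutoSize
```

Two readings of the output matter here. If the IOC sockets show up under winlogon's PID but every module in it is validly signed and in System32, the traffic is being issued on winlogon's behalf from kernel mode or from a thread injected without a file-backed module, which is consistent with GMER flagging a System thread and with the connections vanishing in Safe Mode; the drivers table is then the place to look. If netstat attributes the sockets to a different PID, the tool that reported winlogon.exe was mistaken and the triage should move to that process.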





