Compromised connection
• whoololon (Veteranos HL):

Note that while I am writing this, I am doing what I can to get rid of the problem.
Basically, one day I find that the wifi light keeps flashing without any application open. I confirm that no one is connected to my computer or my connection, and I check the running applications with System Explorer. Everything is normal.
The antivirus doesn't flag anything and Malwarebytes gives me 6 alerts in the registry:

Detected Registry Values: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> data: 1 -> No action taken.

Detected Registry Data Elements: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

I quarantine them, clean the browser cache and the temporary files on the hard drive, but even so, I keep getting the following connections:

      Active Connections

      Proto Local Address Remote Address State PID
      TCP Whoololon:8879 87.159.187.177.isp.timbrasil.com.br:20142 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:8885 cpe-67-249-72-175.twcny.res.rr.com:10744 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:8886 109.88.48.118:10406 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:8889 host57-239-dynamic.8-87-r.retail.telecomitalia.it:32898 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:8890 a79-169-184-50.cpe.netcabo.pt:26600 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:8891 84.123.146.156.dyn.user.ono.com:51936 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:8892 197.162.58.127:33912 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:8893 91-233-157-99.interkonekt.pl:15941 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:8897 41.130.69.223:19683 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:1063 localhost:1064 ESTABLISHED 1876
      [Explorer.EXE]

      TCP Whoololon:1064 localhost:1063 ESTABLISHED 1876
      [Explorer.EXE]

      TCP Whoololon:8136 62.43.57.93.dyn.user.ono.com:57024 ESTABLISHED 1876
      [Explorer.EXE]

      TCP Whoololon:8895 230.56.20.95.dynamic.jazztel.es:49469 ESTABLISHED 1876
      [Explorer.EXE]

      TCP Whoololon:8896 154.45.216.171:1238 ESTABLISHED 1876
      [Explorer.EXE]

      TCP Whoololon:8881 219-90-200-49.ip.adam.com.au:26940 LAST_ACK 1876
      [Explorer.EXE]

      TCP Whoololon:8888 216.244.80.26:http TIME_WAIT 0

      I restart, and I check them again:

      Active Connections

      Proto Local Address Remote Address State PID
      TCP Whoololon:11155 131.182.30.109.rev.sfr.net:13997 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:11156 host251-14-dynamic.53-79-r.retail.telecomitalia.it:36665 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:11157 175.142.157.236:25540 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:11159 chello089173025114.chello.sk:27065 SYN_SENT 1876
      [Explorer.EXE]

      TCP Whoololon:1063 localhost:1064 ESTABLISHED 1876
      [Explorer.EXE]

      TCP Whoololon:1064 localhost:1063 ESTABLISHED 1876
      [Explorer.EXE]

      TCP Whoololon:11072 localhost:11073 ESTABLISHED 3420
      [firefox.exe]

      TCP Whoololon:11073 localhost:11072 ESTABLISHED 3420
      [firefox.exe]

      TCP Whoololon:11078 lis01s06-in-f18.1e100.net:http ESTABLISHED 3420
      [firefox.exe]

      TCP Whoololon:11079 lis01s06-in-f24.1e100.net:http ESTABLISHED 3420
      [firefox.exe]

      TCP Whoololon:11081 lis01s06-in-f24.1e100.net:http ESTABLISHED 3420
      [firefox.exe]

      TCP Whoololon:11082 lis01s06-in-f24.1e100.net:http ESTABLISHED 3420
      [firefox.exe]

      TCP Whoololon:11088 mad01s15-in-f15.1e100.net:http ESTABLISHED 3420
      [firefox.exe]

      TCP Whoololon:11104 c-68-32-93-199.hsd1.mi.comcast.net:63256 ESTABLISHED 1876
      [Explorer.EXE]

      TCP Whoololon:11152 host124-99-dynamic.233-95-r.retail.telecomitalia.it:6881 ESTABLISHED 1876
      [Explorer.EXE]

And I am already getting nervous; it is consuming half of the upload capacity and it is getting on my nerves, so I need to fix it soon or I will just format and be done with it.
Any ideas?
Thanks in advance.

...the voices tell me so...
• Sylver (Veteranos HL):

        Have you isolated the options? Maybe some self-executable bug?

        >> i7-2600K Sandy Bridge @4.4GHz || Noctua NH-D14 || ASRock Z77 Extreme4 || 4x8Gb G.Skill Ripjaws X DDR3 1600MHz || XFX RX 5700 XT 8Gb || SSD Samsung 850 PRO 256Gb & 850 EVO 500Gb || WD Caviar Green 1Tb || Barracuda 1Tb || Corsair TX650 V2 || M-Audio Fast Track Pro || KRK RP8 RoKit G3 || BenQ GW2750 27"
        >> Athlon 64 X2 5600+ Brisbane @2.9GHz || Gigabyte GA-M61PME-S2 || 2x2Gb DDR2 Kingston 800MHz || Sapphire Radeon HD 5850 Xtreme 1Gb || Maxtor 320Gb SATA2 || OCZ ModXStream 500W Modular || TEAC PowerMax 120/2 || Acer X243w 24"
        >> Intel Core2Duo E6600 Conroe @2.4GHz || Asus P5N32-SLI SE DELUXE || 2x1Gb DDR2 Kingston 800MHz || Asus nVidia GeForce 9800GT 1Gb GDDR3 || Seagate Barracuda IDE 80Gb 7200RPM || Linkworld LPK12-35 450W

• whoololon (Veteranos HL) @Sylver:

          It was the second thing I checked, but Process Explorer didn't show me anything strange. Extract in simplified view:

Process | CPU | Private Bytes | Working Set | PID | Description | Company Name | Network Receives | Network Sends | Network Delta Send Bytes
ZCfgSvc.exe | | 13,500 K | 19,060 K | 712 | Intel(R) PROSet/Wireless Zero Config Service | Intel(R) Corporation | | |
unsecapp.exe | | 3,784 K | 6,244 K | 2852 | WMI | Microsoft Corporation | | |
TSVNCache.exe | | 5,688 K | 8,532 K | 604 | TortoiseSVN status cache | TortoiseSVN | | |
rundll32.exe | | 9,892 K | 12,600 K | 688 | Run a DLL as an application | Microsoft Corporation | | |
RTHDCPL.EXE | | 25,744 K | 26,508 K | 1788 | Realtek HD Audio Control Panel | Realtek Semiconductor Corp. | | |
procexp.exe | | 12,648 K | 17,356 K | 4024 | Sysinternals Process Explorer | Sysinternals | | |
procexp.exe | 2.31 | 13,080 K | 19,624 K | 2156 | Sysinternals Process Explorer | Sysinternals | | |
iFrmewrk.exe | | 17,040 K | 22,688 K | 808 | Intel(R) PROSet/Wireless Framework | Intel(R) Corporation | | |
iexplore.exe | | 77,556 K | 2,984 K | 3664 | Internet Explorer | Microsoft Corporation | | |
explorer.exe | 0.77 | 51,836 K | 48,552 K | 1876 | Windows Explorer | Microsoft Corporation | | |
DTLite.exe | | 8,820 K | 18,264 K | 856 | DAEMON Tools Lite | DT Soft Ltd | | |
DivXUpdate.exe | | 4,088 K | 8,700 K | 840 | DivX Update | | | |
avgnt.exe | | 10,456 K | 3,056 K | 1900 | Avira System Tray Tool | Avira Operations GmbH & Co. KG | | |

Both Malwarebytes and Panda ActiveScan only found registry keys and cookies, but no other suspicious or infected files. And the thing is, no matter what I do, as soon as I press the wifi button, I wait two minutes and it starts sending data. I extract the report with netstat -b >> file.txt and then use SystemLook to read it, and it gives me a bunch of random ones, for example:

          Active connections

          Protocol Local Address Remote Address State PID
          TCP Whoololon:23706 41-133-134-143.dsl.mweb.co.za:17911 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:23708 186.1.199.185:10900 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:23709 179.187.168.92.dynamic.adsl.gvt.net.br:24679 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:23710 a95-95-114-46.cpe.netcabo.pt:10769 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:23712 50-10-93-254.gar.clearwire-wmx.net:24515 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:23713 xdsl-87-79-125-34.netcologne.de:26869 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:23714 d24-36-242-237.home1.cgocable.net:23415 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:23715 cm10.omega15.maxonline.com.sg:37635 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:23716 201-229-28-6.setardsl.aw:17366 SYN_SENT 1876
          [Explorer.EXE]

          TCP Whoololon:1063 localhost:1064 ESTABLISHED 1876
          [Explorer.EXE]

          TCP Whoololon:1064 localhost:1063 ESTABLISHED 1876
          [Explorer.EXE]

          TCP Whoololon:22408 37.208.60.135:61388 ESTABLISHED 1876
          [Explorer.EXE]

          TCP Whoololon:23079 bb401c8a.virtua.com.br:18139 ESTABLISHED 1876
          [Explorer.EXE]

          TCP Whoololon:23705 216.244.80.26:http TIME_WAIT 0

I promise this is the most alien thing that has happened to me with this issue.

EDIT: I'm getting closer. Something that calls out through explorer.exe (in fact, if I stop it, the activity ceases), which isn't flagged as a threat by any antivirus or by MWB, but it's causing a lot of trouble.

• ferelxyx (Veteranos HL) @whoololon:

I'm afraid you have a trojan, and some are difficult to remove.

• Sylver (Veteranos HL) @ferelxyx:

In case it's some bug or trojan, there must be at least some file belonging to it resident on your computer, even if it's a library or something...

I suggest:

System restore to before it happened

or

after restoring, go in directly (or go in without restoring, or put the disk as a slave in another PC; the latter is better because it stops whatever is running from working) and look for recently added or modified files (usually it's better to search by creation date). By the way, include folders and hidden files, obviously. When you have the culprit or culprits, delete them mercilessly, or isolate them in quarantine in case you can't delete them for whatever reason (they might resist due to association with important files).

Something like this has never happened to me, but for some strange bugs that have ended up on my computer a few times, I've followed these procedures instead of racking my brains with the antivirus, and I've almost always managed to put a stop to them. Although maybe you don't feel like investigating "by eye", and even less at this hour... it's understandable.

Night greetings and good luck with the hunt.

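Sylver's procedure (mount the disk as a slave, look for recently created or modified files, hidden ones included, and sort by date) as an added example in Python; this is not code from the thread. It walks a mounted volume without following symlinks, keeps regular files whose chosen timestamps fall in a window, and marks hidden files by the Windows attribute bit when the platform reports it, or by a leading dot otherwise. `make_sample_tree` and `demo` build a constructed directory with invented names and one backdated file purely to exercise the search.

```python
"""Find files created or modified inside a time window on a mounted disk,
hidden files included. Added example, not code from the thread."""
import os
import stat
import tempfile
import time

FILE_ATTRIBUTE_HIDDEN = 0x2   # Windows attribute bit; st_file_attributes is absent on POSIX


def is_hidden(name, st):
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or name.startswith(".")


def recent_files(root, since, until=None, fields=("st_mtime", "st_ctime")):
    """Return [(path, newest_timestamp, hidden)] for regular files whose newest
    timestamp among `fields` lies in [since, until], newest first.
    Timestamps are POSIX seconds. Caveat: st_ctime is creation time on Windows but
    last-metadata-change time on Linux, so when reading a Windows disk from Linux
    pass fields=("st_mtime",), or use st_birthtime where the platform provides it.
    Windows junctions are not symlinks to os.stat and will be traversed."""
    until = time.time() if until is None else until
    hits = []
    pending = [root]
    while pending:
        directory = pending.pop()
        try:
            with os.scandir(directory) as it:
                entries = list(it)
        except OSError:
            continue                      # unreadable directory: skip, keep going
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue                  # never follow links off the evidence disk
            if stat.S_ISDIR(st.st_mode):
                pending.append(entry.path)
            elif stat.S_ISREG(st.st_mode):
                ts = max(getattr(st, f) for f in fields)
                if since <= ts <= until:
                    hits.append((entry.path, ts, is_hidden(entry.name, st)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def make_sample_tree():
    """Constructed sample tree (invented names): two fresh files, one of them
    dot-hidden, and one file backdated 30 days that must not be reported."""
    base = tempfile.mkdtemp(prefix="triage_")
    sub = os.path.join(base, "Program Files", "SomeTool")
    os.makedirs(sub)
    fresh = os.path.join(sub, "sometool.dll")
    hidden = os.path.join(sub, ".update.tmp")
    stale = os.path.join(base, "old_setup.exe")
    for path in (fresh, hidden, stale):
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
    month_ago = time.time() - 30 * 86400
    os.utime(stale, (month_ago, month_ago))
    return base


def demo(hours=24):
    """Run the search over the constructed tree; returns sorted [(basename, hidden)]."""
    root = make_sample_tree()
    hits = recent_files(root, since=time.time() - hours * 3600,
                        until=time.time() + 60, fields=("st_mtime",))
    return sorted((os.path.basename(p), hidden) for p, _, hidden in hits)


if __name__ == "__main__":
    for path, ts, hidden in recent_files(make_sample_tree(), time.time() - 86400,
                                         fields=("st_mtime",)):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts)),
              "H" if hidden else "-", path)
```

A window filter narrows the haystack but proves nothing on its own: file times can be set freely by whatever wrote the file, so a dropped component with a backdated timestamp will not show up here. Use the list as a starting point for hashing and signature checks, not as a verdict.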
• whoololon (Veteranos HL) @Sylver:

The usual thing: format, period.
That said, it is clear that free antivirus programs are a royal piece of crap that only serve to nag you with ads about the paid version.
Whatever it is, it has gotten past all of them, from "Abirria" to "Mimosin" among others.
None of them pulled out more than a couple of cookies and suspicious registry keys; others not even that. ComboFix did pull out two infected libraries, but after deleting them, running OTL, CCleaner and running MWB again, it was still the same.
What bothers me the most is that whatever it is, it's still there, and no antivirus recognizes it as a threat, and that's the worst part.
Anyway, thanks and sorry for the trouble.

• Bm4n @whoololon:

Put some antispyware on it to see if it detects it, and surely there must be some background process, unless it has infected explorer, but then the antivirus should detect it. Good luck. I recently found myself, after many years, with an infection that Avast detected late, and 15,000 files were screwed up... Now I have gone back to AVG.

• Kernel1.0 (Veteranos HL) @Bm4n:

Have you tried Microsoft's tools... Security Essentials and the Malicious Software Removal Tool?
• Fassou (Moderator) @Kernel1.0:

In good (paid) antivirus programs you can create a bootable CD to fight rootkits that run in stealth mode.

But you can take a look at these free anti-rootkit utilities and these free versions of those bootable CDs.

Cheers!

                      Intel i5 3570k / ASRock Z77 Extreme 4 / G.Skill F3-12800CL9D-8GBRL / Sapphire HD5850 / Samsung HD103UJ / TR TrueSpirit / NZXT Source 210 / OCZ ZS550W
                      Intel i5 4570 / ASRock H87 Pro 4 / 2x G.Skill F3-14900CL8-4GBXM / Samsung 850 EVO 250Gb + ST1000DM003 + ST2000DM003 + HGST HDS723020BLA642 + Maxtor 6V250F0 / CM Seidon 240M / Zalman MS800 / CM MWE 550
                      AMD Ryzen 7 1800X / B350 / 2x8GB Samsung DDR4-2400 CL17 / NVIDIA GTX 1070 8GB / SSD 120GB + ST4000DM004 + ST6000DM003 / EVGA Supernova 650 G2

• whoololon (Veteranos HL) @Fassou:

I already checked for rootkits last night and nothing, and I couldn't use HijackThis because the wifi connections get stuck, so this morning I messed around a bit and decided that it would take less time to wipe the OS and reinstall than to spend the day trying to fix it by ear.
Full format, reinstall, backup and run antivirus on the partition where I keep the drivers and the "serious" programs... nothing. From there I install and restore until I get to DaemonTools... And it starts again!
I uninstall it, run CCleaner, restart and it's fine again. I install an older version (I always keep the older versions that I've checked work well, both applications and drivers) and it works normally.

Curious, isn't it?

• Sylver (Veteranos HL) @whoololon:

So it's Daemon Tools... So I must also be losing bandwidth like there's no tomorrow? I'll take a look...

EDIT:

Well, with Daemon Tools not running (which is how I had it xD) there don't seem to be any strange connections, apart from those of Firefox, Dropbox and SugarSync. I'll go to sleep peacefully. Best regards

• whoololon (Veteranos HL) @Sylver:

Well, I'm not blaming DT, but rather the copy of DT that I already had downloaded on my hard drive, which, even if I downloaded it from the official site or from that one with the name of the soft drink you put in gin, could easily have "caught something" while it was sitting on my computer.
Caught something in a very bad way, because neither before, during, nor after did it trigger "Abirria" or RUBotted.

Edit: Did you have any strange connections before? O.o

Edit: So that this doesn't just go down as a fool's lucky stumble, I will describe the "tools" I used below:

Process Explorer: for me an indispensable program, old but capable of offering an incredible amount of information about open processes and their resources.
ComboFix
HijackThis
RogueKiller
OTL

CCleaner
Malwarebytes
ADWCleaner

I won't go into antivirus, because it's a never-ending story, and on the subject of rootkits, Fassou has already put the link. ;D

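whoololon's point that a locally cached installer may have been tampered with after it was downloaded is the lesson of the thread. As an added example, not code from the thread and not a statement about DAEMON Tools or any other product: before reinstalling from a cache, compare the file's SHA-256 with a hash obtained out of band (the vendor's download page) and check whether the executable carries an Authenticode signature blob at all. The Python below reads the PE header for the certificate-table data directory and hashes the file; it does not validate the certificate chain or the signed digest (use `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` on Windows for that). `build_minimal_pe` constructs a synthetic PE header purely to exercise the check, and the `expected_sha256` argument is assumed to come from the vendor.

```python
"""Sanity checks for a cached installer before it is trusted again.

Added example for this thread (not the thread's own code). Answers two questions
offline: does the file's SHA-256 match the hash obtained from the vendor, and does
the PE carry an embedded Authenticode signature blob at all? It does NOT validate
the certificate chain or the signed digest."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table data directory


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def security_directory(data):
    """Return (file_offset, size) of the attribute certificate table, or None if
    the PE has no embedded signature. Raises ValueError for non-PE/truncated input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad or out-of-range PE signature")
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                             # 4 (sig) + 20 (COFF)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_opt < dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        return None             # optional header too short to hold entry 4
    if opt + size_opt > len(data):
        raise ValueError("truncated optional header")
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]   # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from(
        "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points past end of file")
    return off, size


def has_authenticode(data):
    return security_directory(data) is not None


def check_installer(data, expected_sha256):
    """expected_sha256 is assumed to come out of band, e.g. the vendor's download page."""
    digest = sha256_hex(data)
    try:
        signed = has_authenticode(data)
    except ValueError:
        signed = False
    matches = digest == expected_sha256.strip().lower()
    return {"sha256": digest, "hash_matches": matches, "signed": signed,
            "ok": matches and signed}


def build_minimal_pe(signed):
    """Constructed stand-in for an installer (not a runnable executable): MZ stub,
    PE32+ headers with no sections, optionally a dummy WIN_CERTIFICATE entry."""
    e_lfanew = 0x80
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=AMD64, 0 sections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=240 (PE32+), Characteristics
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x20B)        # PE32+ magic
    struct.pack_into("<I", buf, opt + 108, 16)      # NumberOfRvaAndSizes
    if signed:
        cert_off, cert_len = 0x200, 0x100
        struct.pack_into("<II", buf, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, cert_len)
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=2 (PKCS#7)
        struct.pack_into("<IHH", buf, cert_off, cert_len, 0x0200, 0x0002)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_minimal_pe(signed=True)
    print(check_installer(sample, sha256_hex(sample)))
```

A present signature blob only means there is something to verify; an attacker who replaced the installer can leave an invalid or foreign signature in place, so the hash comparison against a value you did not get from the same disk is the check that actually matters here, and a signed file with a matching vendor hash is the only combination that returns `ok`.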
• Sylver (Veteranos HL) @whoololon:

No no, I'm not saying it was DT either, but since it happened to you, you had to check just in case, which only takes a moment, and that way you stay calm xD
Everything is as it was before, that is, working correctly?

Thanks for sharing the steps and programs you used; this post will be very useful and will definitely help many.

Best regards!

P.S.: Yes, I said I was going to sleep at 12 and here I still am... Blessed final exams...
