Is this the behavior of a Traffic bot?

kimmygeorge908

New Member
Thread author
Dec 16, 2012
4
I first discovered this problem when IE started popping up by itself randomly on 3 occasions, once each day, even though IE is not my default browser.
There is a continuous DNS query even after shutting down all possible applications, including browsers.
I have attached a packet data log from Microsoft Network Monitor, which shows the DNS query. There is a query every 30 seconds.
I was concerned that this is the behavior of a bot, as I believe checking for google.com is the malware's way of detecting if the internet is up or not.
Booting into safe mode, I noticed that there was no DNS query.
As I have ZoneAlarm installed, I activated the option to stop all Internet activity and found that the query also stopped.
Also, I have noticed a slowdown of internet speed and blinking of the router light even when no programs are running on my laptop.
Please help
Thanks
 

Attachments

  • Extras.Txt
    124.5 KB · Views: 151
  • OTL.Txt
    170.1 KB · Views: 112
  • aswMBR.txt
    1.9 KB · Views: 92
  • networkmonitor.JPG
    156.1 KB · Views: 110
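
Added example, not part of the thread and not written by either participant: a small Python script that does on a capture what the poster did by eye in Network Monitor, measuring the gap between successive lookups of each name and flagging names that are queried at a steady interval. The "seconds,name" input format and the sample lines are constructed for this example; Network Monitor's own export looks different and would need its own parser. A regular lookup by itself is not proof of malware (plenty of legitimate software polls a well-known host to test connectivity), which is why the safe-mode and firewall checks described in the post are the steps that actually tie the traffic to a process.

```python
"""Flag DNS names that are looked up at a regular interval, the pattern the
post describes (one google.com query every 30 seconds)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in a "seconds-since-start,query-name" layout.
# This is NOT the thread's Network Monitor capture.
SAMPLE_LOG = """\
0.0,google.com
3.2,update.example.net
30.1,google.com
45.7,cdn.example.org
60.0,google.com
90.2,google.com
120.1,google.com
121.0,cdn.example.org
150.0,google.com
"""


def parse_log(text):
    """Return {name: [timestamps]} from 'time,name' lines; blank and '#' lines are skipped."""
    seen = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, name = line.split(",", 1)
        seen[name.strip().lower()].append(float(ts))
    return seen


def find_beacons(text, min_queries=4, max_jitter=0.15):
    """Return {name: mean_interval_seconds} for names whose query gaps are regular.

    Regular means at least min_queries lookups and a coefficient of variation
    (population stddev / mean of the gaps) below max_jitter. Names queried only
    once or twice cannot have a rhythm and are ignored.
    """
    results = {}
    for name, times in parse_log(text).items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            results[name] = round(avg, 1)
    return results


if __name__ == "__main__":
    for name, interval in find_beacons(SAMPLE_LOG).items():
        print(f"{name}: queried every ~{interval}s")
```

On the sample above only google.com is reported (every ~30 s); the two other names are looked up too rarely to have an interval at all. Tighten max_jitter for hosts that should never be polled, loosen it when the capture includes retries.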

Fiery

Level 1
Jan 11, 2011
2,007
Hello and welcome to MT!

I'm Fiery and I will help you in removing your infection. If at any point, you are confused about the instructions, please stop and ask. :)

Are you currently using a proxy at the moment?


Please download Combofix

* make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
 

kimmygeorge908

New Member
Thread author
Dec 16, 2012
4
Hi Fiery,
Thanks for the quick reply. I have run ComboFix, but now I am not able to use any application, including Firefox and Notepad. A popup message appears: "Illegal operation attempted on a registry key that has been marked for deletion". The driver for the touchpad is also disabled.
Please help
I have attached the combofix log.
 

Attachments

  • ComboFix.txt
    39.1 KB · Views: 129

Fiery

Level 1
Jan 11, 2011
2,007
Seems like Combofix deleted some registries. We will have to restore them. Reboot your computer. If you can't open notepad (try clicking Start, search notepad.exe and press Enter) go on another computer, open notepad and copy and paste the following:

Windows Registry Editor Version 5.00

; The header line above must read exactly "Windows Registry Editor Version 5.00",
; and every backslash inside a quoted value must be written doubled, or regedit
; refuses the file. All eight values live under the same Run key.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\\program files (x86)\\Synaptics\\SynTP\\SynTPEnh.exe"
"Teco"="c:\\program files (x86)\\TOSHIBA\\TECO\\Teco.exe"
"TosWaitSrv"="c:\\program files (x86)\\TOSHIBA\\TPHM\\TosWaitSrv.exe"
"TCrdMain"="c:\\program files (x86)\\TOSHIBA\\FlashCards\\TCrdMain.exe"
"HSON"="c:\\program files (x86)\\TOSHIBA\\TBS\\HSON.exe"
"TPwrMain"="c:\\program files (x86)\\TOSHIBA\\Power Saver\\TPwrMain.EXE"
"TosReelTimeMonitor"="c:\\program files (x86)\\TOSHIBA\\ReelTime\\TosReelTimeMonitor.exe"
"TSleepSrv"="%ProgramFiles(x86)%\\TOSHIBA\\TOSHIBA Sleep Utility\\TSleepSrv.exe"

and save it as fix.reg
The file should have an icon that looks like this
reg.gif


Use a USB to transfer the .reg file to the infected computer and double-click the file.

Next,
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


Step 2:

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+
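
Added example, not posted by Fiery or anyone else in the thread: a Python lint for a hand-written .reg file that reports the three mistakes regedit rejects before importing anything, namely a header other than "Windows Registry Editor Version 5.00", a string value whose closing quote is missing, and single backslashes inside a string value (regedit expects every literal backslash doubled). The two embedded files are constructed from one entry of the fix above, once written the way a quick hand edit tends to produce it and once in importable form; the function and its messages are this example's own.

```python
"""Lint a .reg file for the formatting errors that make regedit refuse it."""
import re

# Constructed: one Run entry with a non-standard header, a missing closing
# quote and unescaped backslashes. Not a file taken from the thread.
BAD_REG = r'''Windows Registry Editor Version 6.1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe
'''

# Constructed: the same entry in the form regedit accepts.
GOOD_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Teco"="c:\\program files (x86)\\TOSHIBA\\TECO\\Teco.exe"
'''

HEADER = "Windows Registry Editor Version 5.00"
# "name"=value   (the value part is examined separately)
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def lint_reg(text):
    """Return a list of (line_number, message); an empty list means nothing was found."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        problems.append((1, f"header must be exactly {HEADER!r}"))
    for no, line in enumerate(lines[1:], start=2):
        line = line.rstrip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            if not line.endswith("]"):
                problems.append((no, "key line missing closing ']'"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            problems.append((no, "not a \"name\"=value line"))
            continue
        value = m.group(2)
        if value.startswith('"'):         # REG_SZ written as a quoted string
            if len(value) < 2 or not value.endswith('"'):
                problems.append((no, "string value missing closing quote"))
            body = value[1:-1]
            # Drop the legal escapes (\\ and \"); any backslash left is unescaped.
            if "\\" in body.replace("\\\\", "").replace('\\"', ""):
                problems.append((no, "backslash in string value must be written as '\\\\'"))
    return problems


if __name__ == "__main__":
    for label, text in (("bad", BAD_REG), ("good", GOOD_REG)):
        print(label, lint_reg(text) or "ok")
```

Run it over the file before copying it to the infected machine; the bad sample yields the header complaint on line 1 and two complaints on line 4, while the good sample passes clean.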
 

kimmygeorge908

New Member
Thread author
Dec 16, 2012
4
Hi Firey,

As you said, I have rebooted the computer, and now all applications are running smoothly, including the touchpad.
I could not run the reg file; I got an error "can import only registry files". I have attached the AdwCleaner and RogueKiller logs.
 

Attachments

  • RKreport[1]_S_12172012_02d1103.txt
    1.6 KB · Views: 89
  • AdwCleaner[R1].txt
    2.2 KB · Views: 100

Fiery

Level 1
Jan 11, 2011
2,007
Run both RogueKiller and AdwCleaner again and this time, click delete at the end of each scan.

Run a Malwarebytes scan and delete any objects it finds. Post the scan log after.

Then, please do a fresh OTL scan and post the logs after.
 

kimmygeorge908

New Member
Thread author
Dec 16, 2012
4
Hi Firey
Just checked and found that the google.com query has stopped.
 

Attachments

  • AdwCleaner[S1].txt
    2.4 KB · Views: 102
  • RKreport[3]_D_12172012_02d2348.txt
    2.4 KB · Views: 107
  • OTL.Txt
    156.2 KB · Views: 118

Fiery

Level 1
Jan 11, 2011
2,007
That's good to hear. Let's clean up and we will be done here.

Open OTL, under custom scan/fixes, copy and paste the following:

:OTL

@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:7BB5E748

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]

Then click Run fix. After it finishes, please upload the log here.

Next, uninstall Combofix.
  • Turn off all active protection software
  • Go to Start, then Run. (Alternatively, you can press the "Windows key" + "R")
  • Copy and paste the following into the box: ComboFix /Uninstall and click OK.
    Note the space between the X and the /Uninstall, it needs to be there.
Combofix_uninstall_image.jpg


Next,

Double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with yes.

Finally, do a quick scan with Malwarebytes and let me know how everything is.
 
