Odd virus behavior...

DeaconFrost

....at least I think it is due to a virus or malware. I recently was tasked with cleaning the malware from a relative's computer. It had several infections, including the Vundo virus. I believe, through various tools and scanners, I have the system mostly clean. However, whenever I reboot the system, a VPN connection called test is created, and set to connect on startup, once you log in....and this is true with any account on the system. If I let the VPN connection successfully connect, I can cancel it and remove it, and all seems normal. However, I can't figure out what is creating this connection, or how to stop it. It is connecting to an IP of 213.155.1.3, and I currently have the HOSTS file edited to point this address to the loopback IP.

Has anyone seen this behavior before? I can't figure out where the connection is coming from. All start up items are normal, and no odd processes are running in the background. Avira and Symantec Corp scans come up clean, as well as Spybot and SuperAntiSpyware scans.

This is an XP Pro SP3 machine.
 
It sounds like it is a Network someone has configured. You should be able to delete it in the "Network and Sharing Center" application.
 
I should have mentioned that it was an XP Pro SP3 machine. No one created this connection, and this computer isn't used for any business related work. I'm 100% sure of both of those statements. I stated above that I can delete the connection, but it reappears each time I reboot.
 
Time to bring a whole truckload of cleaning utilities on this machine..

TCP/Winsock repair
MalwareBytes
AntiVir
CCleaner

Some better antivirus....AntiVir or NOD32 or Kaspersky.
 
I'm trying to avoid that, but I'm leaning more heavily towards it each passing moment. My father-in-law downloaded a ton of games from BigFishGames (legitimate site), and is supposed to be looking for his print out of all the serial numbers for the games he purchased. He didn't take my advice and keep the installer files or digital copy of the confirmation e-mails with his serial numbers, so I could burn him a CD as a backup. However, I think the amount of time spent on this warrants a format.
 
Heh..figures....so many DNS redirects from malware go to DNS servers in Russia...sure enough, the above IP is from the Ukraine.

Yep, first thing I did when I read his post was trace the IP.


Hook the drive up to another machine if you can and scan from there. UBCD4Win is good too, but for malware that I know is going to be a pain in the ass I like a separate rig to put the drive into with an assortment of programs at my disposal and I can install other malware removal tools at a whim.

Worse comes to worse back the data up and format as mentioned above.
 
Considering how much time you have already spent on diagnosing and repairing the computer and the projected time you will need to spend to finish the job, re-installing Windows is the best option available. Just be sure to include solid protection for your relative (NOD32, etc.).

Seriously though, I usually end up spending days trying to fix a computer when just re-installing would have saved time and effort.
 
I normally give it a 2 hour window, and if I don't have it cleaned up by then, or close to it, I reformat. I'm really trying to avoid that option at this point, but if I can't figure out where this VPN connection is coming from, I'm going to reformat to be sure.
 
"...but if I can't figure out where this VPN connection is coming from..."

I know that feeling...sometimes the curious in you just wants to keep digging into it...to find out.

And the stubborn part of you refuses to give up..and wants to keep trying for the fix.

Oh man that drives me crazy.....gets to a point...13 hours later into the project...you're ready to delete the partition and format..and a light pops in your head.."Just..one more thing to try..."

:D
 
I'm sure you checked but just to clarify, did you make sure there's no startup task under "Scheduled Tasks?"

If this file is only creating a VPN connection then I don't see any program detecting this as malicious.

I suppose you could load Cygwin on the machine and do a grep -r "test" * from the root. It might take some time but if the VPN connection is being created with the name "test", it's worth a shot if you want to try it.
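A narrower check, added here and not from anyone in the thread: Windows keeps dial-up and VPN connections as INI-style sections in the RAS phonebook rasphone.pbk, so parsing that file for an entry that dials the 213.155.1.3 address from the first post is quicker than the whole-disk grep suggested above. The phonebook path and the sample phonebook below are assumptions/constructed.

```python
import configparser
import ipaddress
from pathlib import Path

# Indicator quoted in the thread. A HOSTS entry maps names to addresses, so it
# cannot redirect a connection made straight to an IP literal like this one.
BAD_ENDPOINTS = {"213.155.1.3"}

# XP all-users phonebook (assumed path); the thread's connection appears for
# every account, so that copy is the first place to look.
PHONEBOOK_PATHS = [
    Path(r"C:\Documents and Settings\All Users\Application Data"
         r"\Microsoft\Network\Connections\Pbk\rasphone.pbk"),
]

# Constructed sample in rasphone.pbk's INI layout: one benign entry and one
# modelled on the "test" connection described in the thread.
SAMPLE_PBK = """\
[Office VPN]
Type=2
AutoLogon=0
PhoneNumber=vpn.example.com

[test]
Type=2
AutoLogon=1
PhoneNumber=213.155.1.3
"""

def parse_phonebook(text):
    """Return {entry_name: {key: value}} from rasphone.pbk-style text.
    strict=False tolerates the duplicate keys real phonebooks contain."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str          # keep key case, e.g. PhoneNumber
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def suspicious_entries(entries, bad=BAD_ENDPOINTS):
    """Flag entries that dial a known-bad endpoint; also note bare-IP targets
    (heuristic: VPN endpoints are usually hostnames, so an IP deserves a look)."""
    hits = []
    for name, keys in entries.items():
        target = keys.get("PhoneNumber", "").strip()
        if target in bad:
            hits.append((name, target, "known-bad endpoint"))
            continue
        try:
            ipaddress.ip_address(target)
            hits.append((name, target, "raw IP endpoint, review"))
        except ValueError:
            pass                  # hostname or empty: nothing to flag
    return hits

def scan_phonebooks(paths=PHONEBOOK_PATHS):
    """Read each phonebook that exists and collect the flagged entries."""
    found = []
    for p in paths:
        if p.is_file():
            found += suspicious_entries(parse_phonebook(p.read_text(errors="replace")))
    return found

if __name__ == "__main__":
    for name, target, why in suspicious_entries(parse_phonebook(SAMPLE_PBK)):
        print(f"[{name}] -> {target}: {why}")
```

Each user profile has its own copy of rasphone.pbk under Application Data, so add those paths to PHONEBOOK_PATHS when checking a per-user connection.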
 