
Slow PC; Constant network activity



bhubertus
2006-11-30, 08:57
Logfile of HijackThis v1.99.1
Scan saved at 1:53:02 AM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Temp\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161872385809
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

bhubertus
2006-11-30, 08:58
Online antivirus scan report:

Incident Status Location

Virus:Trj/Alanchum.IQ Disinfected C:\!KillBox\adirss.exe
Adware:Adware/Adsmart Not disinfected C:\!KillBox\gcmpaaaa.exe
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\ipw.dll
Virus:Trj/Agent.CVI Disinfected C:\!KillBox\jwnaaaaa.exe
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\motxwcqc.exe
Virus:Trj/Alanchum.IQ Disinfected C:\!KillBox\taskdir~.exe
Virus:Bck/Agent.CYO Disinfected C:\!KillBox\vhwnkbdn.exe
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.2o7.net/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.server.iad.liveperson.net/hc/62672927]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[server.iad.liveperson.net/hc/51301799]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\585f2gpn.default\cookies.txt[server.iad.liveperson.net/hc/79113249]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@112.2o7[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@burstnet[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@cgi-bin[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@go[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@www.burstbeacon[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Sandra\Cookies\sandra@www.myaffiliateprogram[1].txt

pskelley
2006-12-04, 13:10
Hello and welcome to the forum, sorry for the wait, logs are many and volunteers are few. If you still need help and are not receiving it at another forum, please do this.
Is this a company computer? Krupp Gerlach Company

You are running HJT from a Temp folder (C:\Temp\Hijackthis\HijackThis.exe). It needs a permanent folder to store the backups it makes for safety and the logs you create. Make a folder like C:\HJT\ and move the .exe into it, then delete that other folder.

C:\!KillBox\ <<< you have an old Killbox backup file, delete it. If you ever need Killbox again, download it fresh.

I just do not see any malware in this HJT log. I can say that activity is normal for a computer as programs reach out to update, check for updates, download email, etc. You should be able to look at your firewall logs to see what programs are accessing the internet. As far as the computer being slow, many things can cause this beside malware, and I also see quite a few programs running at every bootup that you may be able to turn off and start in All Programs if you need them. Look to this information to help you:
http://netsquirrel.com/msconfig/ It is of course important that you do not turn off any security programs; they need to run to protect you.

You are storing a lot of junk cookies, this information should help:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

Here are some ideas that may help you improve speed:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471

Just because we can see it in the HJT log, does not mean it could not be there hidden. If you want to check, use this tool with the instructions in the link. If you run the scan, post the scan results and a new HJT log for me to view.
http://forums.security-central.us/showthread.php?t=3165

Thanks...Phil

bhubertus
2006-12-04, 17:07
Hi Phil,

No, it's not a company PC - I don't know anything about Krupp Gerlach?? This PC was infected about six weeks ago when I let someone use it while I was on vacation and I went through the forum to clean it. At the time, I received an email from my ISP that my IP was identified as originating spam and they threatened to suspend my acct. I have another desktop PC connected to the same router which doesn't show activity (blinking port LED) like this one - whenever I enable the LAN connection on this PC the port LED shows continuous activity that never stops. Also, an Internet Gateway showed up under Network Connections after infection (I disabled it) and I assume it's evidence of control from an external PC.

I'll disable any other PCs on the network and check my router log, plus I'll go through the links you sent to see if that helps and post any scan logs. The TEMP folder isn't really temporary but I can move HJT to its own folder and I'll delete the old Killbox.

This PC definitely still has some problems - there's a big difference b/w now and before all this happened and the constant activity wasn't there before.

Thanks - I'll post again when I get a chance to go through your links.
-Bobby

pskelley
2006-12-04, 17:37
OK, thanks for the feedback, here are those lines:

No, it's not a company PC - I don't know anything about Krupp Gerlach??
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53

Have a look yourself: http://www.whois.sc/ enter 170.56.58.53
http://whois.domaintools.com/170.56.58.53

I would find out what that is first, perhaps discuss it with your ISP, if you are sure it has nothing to do with you I would get rid of it.
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=flush+the+DNS
My suggestion would be to have the ISP help you with this, we don't want to create a problem. This is slightly out of my area of expertise.

I suggest you run a good spyware scan to see if it picks up on anything. I would suggest this one which is free for the trial period and use the instructions in the link. Post the results for me to view.
http://forums.security-central.us/showthread.php?t=3165

That's a start...thanks
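
As an added example (not code from the thread, from HijackThis or from Spybot), here is a small Python script that does the O17 check above mechanically: it pulls every "NameServer" line out of a HijackThis log and reports any resolver address that is not in a list of addresses or networks you know you configured (your router, your ISP's resolvers). It also records which control sets (CCS, CS1, CS2) carry the value, because a resolver that is written into every control set will come back if you later boot into Last Known Good Configuration. The sample log is constructed from the three lines posted above; the second interface GUID and the 192.168.1.x addresses are made up.

```python
"""
Added example (not from the thread): flag HijackThis O17 "NameServer" entries
that point at DNS resolvers you did not configure.  Whoever runs a hijacked
resolver answers every name lookup the box makes, which fits the
"constant activity" and spam-relay symptoms described in the thread.
"""
import ipaddress
import re

# Constructed sample: the three O17 lines posted in the thread plus one benign
# entry on a second interface.  The second GUID and the 192.168.1.x addresses
# are made up for the example.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B140D6C-6588-4AA0-993D-28DCF579F03B}: NameServer = 170.56.58.53
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1,192.168.1.2
"""

# HJT writes the key as HKLM\System\<control set>\Services\Tcpip\..\<interface GUID>.
# CCS = CurrentControlSet (an alias for one of the numbered sets); CS1/CS2 =
# ControlSet001/002, one of which is normally Last Known Good.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<iface>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[0-9., ]+)$"
)


def parse_o17(log_text):
    """Return [(control_set, interface_guid, [ip, ...]), ...] for each O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("cs"), m.group("iface"), servers))
    return entries


def suspicious_nameservers(log_text, expected):
    """
    expected: addresses or CIDR networks you know are legitimate resolvers.
    Returns {ip: [control sets it appears in]} for every other resolver found.
    """
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    hits = {}
    for cs, _iface, servers in parse_o17(log_text):
        for s in servers:
            addr = ipaddress.ip_address(s)
            if not any(addr in net for net in allowed):
                hits.setdefault(s, set()).add(cs)
    # A resolver present in every control set survives a Last Known Good boot,
    # so the caller should remove it from all of them, as was done in the thread.
    return {ip: sorted(sets) for ip, sets in hits.items()}


if __name__ == "__main__":
    # Example run: only the home router's subnet is trusted.
    for ip, control_sets in suspicious_nameservers(SAMPLE_HJT_LOG, ["192.168.1.0/24"]).items():
        print(f"unexpected resolver {ip} in control sets {', '.join(control_sets)}")
```

Run it against a saved HJT log with the networks you actually use in place of 192.168.1.0/24; a resolver you cannot account for should be checked with your ISP before removal, as pskelley suggests, and then removed from every control set in which it appears.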

tashi
2006-12-11, 17:38
bhubertus, how is it going?

bhubertus
2006-12-13, 23:36
Hi Tashi,

Sorry to take so long. I contacted my ISP (Time Warner) and they had no knowledge of 170.56.58.53 so my guess is that it's nefarious in nature. I got busy and distracted by other things so I haven't gotten rid of it, flushed the DNS or run the spyware scan recommended in pskelley's post. Sorry for being so tardy in this. I'll run the scan and post tonight.

Thanks!
Bobby

bhubertus
2006-12-17, 07:40
I removed the three entries related to 170.56.58.53, flushed the DNS and for a little while it seemed like the LAN activity may have slowed down somewhat. I downloaded the AVG Anti-Spyware app from the link provided and have been trying to update and scan my system but AVG seems to lock up for long periods and hang. At one point I think I was able to update and scan and I thought I saved the scan but I can't find it now. There's still CONSTANT network activity and the system is slow.

One other thing - I looked at the Network Connections - the Internet Gateway is still there and still disabled but the LAN Local Area Connection doesn't have the Windows Firewall enabled. When I click on "Change Windows Firewall Settings" I get a window with the following message:

"Due to an unidentified problem, Windows cannot display Windows Firewall settings"

Something is still so very wrong with this computer.

bhubertus
2006-12-17, 07:41
Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:37:45 AM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Temp\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161872385809
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

pskelley
2006-12-17, 13:58
Hi Bobby, let's look some more to see what we can find out. I see nothing in the HJT log, please see if you can get AVG Anti-Spyware to run, if not we will remove it and try another tool.

Let me say I am also on a LAN (Verizon DSL) and activity is normal. I am wondering if you have a third party firewall running in your Norton Internet Security program? If so you would not want the SP2 firewall enabled anyway according to Microsoft.
If you are depending on the SP2 firewall (and I do not believe you should) this problem seems to be a common one according to Google, look first at this information: http://windowsxp.mvps.org/sharedaccess.htm
Then look at the complete Google. Let me know what corrects the issue for future reference please.
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=Due+to+an+unidentified+problem%2c+Windows+cannot+display+Windows+Firewall+settings

If you can not get the AVG Anti-Spyware program to run, uninstall it from your computer and try this one:
http://www.trendmicro.com/spyware-scan/ Please copy and paste the scan report to your topic:

When the detection process is complete, the tool will display a report describing the result, including which spyware, if any, was detected, and prompt you before the removal process.
Let's take a look for a rootkit with Blacklight:
Download the free trial here:
http://www.f-secure.com/blacklight/try_blacklight.html
Save it to your Desktop and run it, do not do anything with the information. It will appear in a notepad on the Desktop near the program. Copy and paste that information to this topic.

Thanks

tashi
2006-12-22, 07:59
How is it going bhubertus?

bhubertus
2006-12-26, 05:00
Finally getting back to this issue....

I checked the firewall and this pc has Norton Internet Security running but the firewall was off. I enabled the firewall and got a warning that protector.exe was attempting to access the internet. I searched online and protector.exe sounded like it may be bad so I tried blocking access from Norton but the box keeps popping back up. I clicked on the Alert Assistant in NIS and it said that protector.exe is attempting to connect to a computer at 72.232.61.114:8080 using port 3384.

Do you know what this means?

bhubertus
2006-12-26, 05:36
I removed the AVG Anti-spyware program and I'm trying to do the Trendmicro Anti-Spyware scan. I clicked the link to do an online scan and it took me to the next page and says "Please wait while Trend Micro Anti-Spyware for the web loads..." but it just sits there and hasn't done anything. I tried refreshing the page - nothing. I tried going back to the previous page and clicked the Scan button again and it's doing the same thing - basically nothing.

bhubertus
2006-12-26, 05:39
BTW, on the NIS window for protector.exe I finally ended up clicking Block all access.

bhubertus
2006-12-26, 06:01
I just downloaded Blacklight and ran the scan and here is the logfile:

12/25/06 22:51:12 [Info]: BlackLight Engine 1.0.47 initialized
12/25/06 22:51:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/25/06 22:51:12 [Note]: 7019 4
12/25/06 22:51:12 [Note]: 7005 0
12/25/06 22:51:27 [Note]: 7006 0
12/25/06 22:51:27 [Note]: 7011 168
12/25/06 22:51:27 [Note]: 7026 0
12/25/06 22:51:27 [Note]: 7026 0
12/25/06 22:51:27 [Note]: 7024 3
12/25/06 22:51:27 [Info]: Hidden process: C:\WINDOWS\system32\protector.exe
12/25/06 22:51:27 [Note]: FSRAW library version 1.7.1020
12/25/06 22:54:39 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\ntio256.sys
12/25/06 22:54:39 [Note]: 7002 0
12/25/06 22:54:39 [Note]: 7003 1
12/25/06 22:54:39 [Note]: 10002 1
12/25/06 22:54:58 [Info]: Hidden file: C:\WINDOWS\system32\protector.exe
12/25/06 22:54:58 [Note]: 7002 0
12/25/06 22:54:58 [Note]: 7003 1
12/25/06 22:54:58 [Note]: 10002 1

pskelley
2006-12-26, 12:47
According to a google, this protector.exe has to do with this item:
http://www.liutilities.com/products/wintaskspro/processlibrary/protector/
Here is the google on the item:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=protector%2eexe+

According to that first link the item can be removed in Add/Remove Programs in the Control Panel and has probably been installed on the computer by someone?
See if it is there and uninstall it first, then run Blacklight again and follow the instructions in step two to clean; these are the bad items:

12/25/06 22:54:39 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\ntio256.sys
12/25/06 22:54:58 [Info]: Hidden file: C:\WINDOWS\system32\protector.exe

After you do that, post a new HJT log for me to view. Once that log is posted, do this:

Click here (http://beta.grisoft.cz/beta/betarep.files/antirootkit/AVG_AntiRootkit_1.0.0.13.exe) to download AVG Anti Rootkit and save it to your desktop.

Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation.
Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.

Thanks

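The Blacklight log above reports protector.exe as a hidden process while the HijackThis "Running processes" list, which enumerates through the normal user-mode API, never shows it. That discrepancy between two views of the same system is the classic rootkit indicator. The following script is an added example, not part of this thread or of either tool, that parses constructed samples of both log formats and reports the cross-view mismatches; the file names and paths in the sample data are modelled on the log posted above.

```python
import re

# Constructed sample modelled on the BlackLight log posted in this thread
# (one hidden process, two hidden files). Not a real capture.
BLACKLIGHT_LOG = """\
12/25/06 22:51:12 [Info]: BlackLight Engine 1.0.47 initialized
12/25/06 22:51:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/25/06 22:51:27 [Note]: 7024 3
12/25/06 22:51:27 [Info]: Hidden process: C:\\WINDOWS\\system32\\protector.exe
12/25/06 22:51:27 [Note]: FSRAW library version 1.7.1020
12/25/06 22:54:39 [Info]: Hidden file: c:\\WINDOWS\\SYSTEM32\\ntio256.sys
12/25/06 22:54:58 [Info]: Hidden file: C:\\WINDOWS\\system32\\protector.exe
"""

# Constructed sample: a trimmed "Running processes:" section in HijackThis format.
HJT_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.dell4me.com/myway
"""

# "<date> <time> [Info]: Hidden process: <path>" or "... Hidden file: <path>"
HIDDEN_RE = re.compile(r"^\S+ \S+ \[Info\]: Hidden (process|file): (.+?)\s*$")


def norm(path):
    """Windows paths are case-insensitive; compare them in one case."""
    return path.strip().lower()


def parse_blacklight(text):
    """Return {'process': [paths], 'file': [paths]} for the hidden items BlackLight reported."""
    found = {"process": [], "file": []}
    for line in text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            found[m.group(1)].append(norm(m.group(2)))
    return found


def parse_hjt_processes(text):
    """Return the set of process paths listed under HijackThis's 'Running processes:' header."""
    procs = set()
    in_section = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
            continue
        if in_section:
            if not line.strip():      # blank line ends the section
                break
            procs.add(norm(line))
    return procs


def cross_view(blacklight_text, hjt_text):
    """Compare the rootkit scanner's hidden items against the user-mode process list.

    Returns a list of (finding, path) tuples. A process that BlackLight sees but the
    user-mode enumeration does not is the strongest signal; a hidden .sys is the
    driver that most likely does the hiding.
    """
    hidden = parse_blacklight(blacklight_text)
    visible = parse_hjt_processes(hjt_text)
    findings = []
    for p in hidden["process"]:
        if p in visible:
            findings.append(("flagged hidden but present in user-mode list", p))
        else:
            findings.append(("hidden process absent from user-mode list", p))
    for f in hidden["file"]:
        if f.endswith(".sys"):
            findings.append(("hidden kernel driver", f))
        else:
            findings.append(("hidden file", f))
    return findings


if __name__ == "__main__":
    for kind, path in cross_view(BLACKLIGHT_LOG, HJT_LOG):
        print(f"{kind}: {path}")
```

The useful output is the pairing: a hidden process absent from the user-mode list plus a hidden .sys in system32 points at a kernel-mode hiding driver, which is why the helper asks for a second rootkit scanner rather than trusting the HJT log alone.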
bhubertus
2006-12-26, 17:25
I had Googled protector.exe when it popped up in NIS and I definitely didn't install anything from Spytech or SpyAnywhere to allow remote administration. Add/Remove doesn't list protector, Spytech or SpyAnywhere. Also, I know the difference b/w normal LAN activity and the non-stop constant activity that I had mentioned this PC had, and since blocking access to protector.exe the activity on this machine's LAN port has dropped to practically zero and looks much more normal. So I feel pretty confident that these hidden files have been at least part of the source of my frustration on this and my previous post a few months ago when this issue first crept up. Both times after initial cleaning I've been told that my system looked clean, and both times I've felt that wasn't true due to the amount of LAN activity and the PC's response - I think this is something that should be checked for before a clean bill of health can be assumed. <soapbox_off>

Here's my HJT log after renaming the two files in Blacklight and rebooting:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:03 AM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\AntiSpyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161872385809
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

pskelley
2006-12-26, 18:09
Thanks for returning your information and the feedback. I also agree with all you had to say. Understand that these rootkit infections are fairly new; here is a little information:
http://www.us-cert.gov/cas/tips/ST06-001.html
The shame of it all is the hackers are making big $$ infecting your computer and a handful of volunteers are being overwhelmed.

As far as I can see, Blacklight removed the infection. I asked you to run the other rootkit program as a double check, and would appreciate seeing that scan information. Please let me know how the computer is running now. You should clean the System Restore files:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Thanks

bhubertus
2006-12-26, 19:12
Hi, back now. AVG Anti-Rootkit says no rootkits found so no log to post. I turned off System Restore, rebooted and turned it back on again. System seems stable - I'm defragging now to try and (hopefully) speed things up a bit.

I really appreciate your volunteer effort to help me fix this - BIG thanks! :bigthumb:

pskelley
2006-12-26, 19:14
Here are other suggestions that may help:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks

pskelley
2006-12-30, 12:05
I apologize, I cannot see where I had you clean your System Restore files, and that should be done. Follow these directions:
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Thanks

As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.