Please tell me if I'm infected with a virus - HJT log included

MelissaP
Please help.

Problems that make me think I have a virus:

- computer using up to 500 MB a day doing I don't know what (5 GB cap)
- netstat always shows an open connection; the foreign address is 192.168.0.2 with a website next to it
- computer sends and receives a few million packets in a few hours
- when this computer is switched off, the light on the router changes from green to orange but the other 2 computers stay green

I have read HijackThis tutorials and tried to understand them as best I could. I did a scan but can't tell what to fix. I did a Spybot scan and that picked up a FunWebBrowser.

I cannot attach the log as an attachment for some reason; pasted below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:46 PM, on 2010/04/21
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eLock\autolockprocess\AutoLockProcess.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Acer\LANScope Agent\awtray.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.za.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.za.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [AutoLockProcess] C:\Acer\Empowering Technology\eLock\autolockprocess\autolockprocess.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eProtection Service (eProtection) - Unknown owner - C:\Program Files\Acer\eProtection\Service\eProtectionServ.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate1ca2c968d5b1939) (gupdate1ca2c968d5b1939) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 7841 bytes
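An added example, not part of this thread and not HijackThis's own logic: a small Python triage script that parses the O2 (BHO), O4 (autorun) and O23 (service) lines of a HijackThis log and flags the patterns a helper looks at first. The sample lines are copied from the log above; the flag reasons are triage hints for reading the log, not verdicts on the machine.

```python
import re

# Sample entries copied verbatim from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O2: "BHO: <name> - {CLSID} - <path>"; anchoring on the CLSID keeps " - " inside names or paths intact.
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O23: "Service: <display name> (<short name>) - <owner> - <path>"; the path must start with a drive letter,
# so a folder such as "Spybot - Search & Destroy" does not get split in the wrong place.
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$")
# O4: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] ?(?P<path>.*)$")

SUBPARSERS = {"O2": O2_RE, "O23": O23_RE, "O4": O4_RE}


def parse_hjt(text):
    """Turn HJT log lines into dicts; sections we do not model keep only section and raw text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line, or "End of file" footer
        entry = {"section": m["section"], "raw": line}
        sub = SUBPARSERS.get(entry["section"])
        if sub:
            sm = sub.match(m["body"])
            if sm:
                entry.update(sm.groupdict())
        entries.append(entry)
    return entries


def triage(entries):
    """Return (section, name, reason) for entries worth a second look."""
    findings = []
    for e in entries:
        if e["section"] == "O2" and e.get("path", "").lower() == "(no file)":
            findings.append((e["section"], e["name"],
                             "BHO is still registered but its DLL is gone (leftover entry)"))
        elif e["section"] == "O23" and e.get("owner", "").lower() == "unknown owner":
            findings.append((e["section"], e["name"],
                             "service binary carries no publisher string; confirm the path belongs to a known install"))
        elif e["section"] == "O4" and e.get("path") and "\\" not in e["path"]:
            findings.append((e["section"], e["name"],
                             "autorun is a bare file name resolved via the search path; check which copy actually runs"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{section:<4} {name:<50} {reason}")
```

Entries the script does not flag are not thereby clean: a service with a well-known vendor name is only as trustworthy as the file at the path shown, which is why the helpers in this thread ask for the full set of logs rather than reading HJT alone.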
 
Welcome to TechSpot, Melissa. We do not 'screen' for malware with HijackThis.

Please follow the preliminary virus and malware removal steps HERE.

When you have finished, please leave the requested logs for review.

You can keep HijackThis as we will have you run it again.
FYI: the IP 192.168.0.2 is not for a foreign site. It is for your router. Are you trying to say that you are being redirected to a different site? I may need to have you reset the router later.
 
Thanks, I will follow those steps and report back.

Not sure if this helps to narrow it down, but what I have noticed is that as soon as the computer is switched on, it starts accessing the net, but invisibly to us. If I do a netstat -o and see which ports are open, then go to Task Manager to see which apps are using those ports, the only one unknown to me is "AdminWorks Agent X6". When I stop that program from running, all ports are closed.

Could this be it?
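The two netstat observations in this thread (the "foreign address" 192.168.0.2 that the reply above identifies as the router, and the netstat -o / Task Manager PID lookup described in this post) can be automated. The Python below is an added example, not part of the thread and not how netstat or Task Manager work internally: it parses Windows `netstat -ano` output, classifies each foreign address as loopback, RFC 1918 private (the LAN) or genuinely remote, and groups the connections that leave the machine by owning PID. The sample rows, the PIDs and the address 203.0.113.10 (an RFC 5737 documentation address standing in for an Internet host) are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (numeric addresses plus owning PID).
# 192.168.0.x mirrors the LAN in the thread; 203.0.113.10 is a documentation address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     596
  TCP    192.168.0.3:1052       192.168.0.2:80         ESTABLISHED     1234
  TCP    192.168.0.3:1060       203.0.113.10:80        ESTABLISHED     2048
  TCP    192.168.0.3:1061       203.0.113.10:443       TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    700
"""

# One connection row: protocol, local, foreign, optional state (UDP rows have none), PID.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# RFC 1918 ranges: an address here is on the local network (router, other PCs), not "foreign" to it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """'192.168.0.2:80' -> ('192.168.0.2', '80'); also handles '[::1]:80' and '*:*'."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, ""
    return host.strip("[]"), port


def classify_host(host):
    """Say where a foreign address points: nowhere, this host, the LAN, or beyond it."""
    if host in ("*", "0.0.0.0", "::"):
        return "unspecified"   # listening socket, or UDP with no peer
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"      # netstat without -n resolved the name; rerun with -n for the IP
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private"       # e.g. the router at 192.168.0.2
    return "remote"            # traffic that actually leaves the LAN and counts against a data cap


def parse_netstat(text):
    """Parse `netstat -ano` (or -o) output into connection records."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner or column header
        foreign_host, foreign_port = split_endpoint(m["foreign"])
        records.append({
            "proto": m["proto"],
            "local": split_endpoint(m["local"]),
            "foreign": (foreign_host, foreign_port),
            "state": m["state"] or "",
            "pid": int(m["pid"]),
            "scope": classify_host(foreign_host),
        })
    return records


def remote_traffic_by_pid(records):
    """Group connections that leave this host by owning PID, ready for a Task Manager lookup
    (View > Select Columns > PID). Listeners, loopback and PID 0 (kernel-owned TIME_WAIT) are dropped."""
    by_pid = defaultdict(list)
    for r in records:
        if r["state"] == "LISTENING" or r["scope"] in ("loopback", "unspecified") or r["pid"] == 0:
            continue
        by_pid[r["pid"]].append((r["foreign"][0], r["foreign"][1], r["scope"]))
    return dict(by_pid)


if __name__ == "__main__":
    for pid, peers in sorted(remote_traffic_by_pid(parse_netstat(SAMPLE_NETSTAT)).items()):
        for host, port, scope in peers:
            print(f"PID {pid:>5}  ->  {host}:{port}  [{scope}]")
```

Run against a real capture, the "private" rows are the ones to explain away first (a router or another PC on the LAN), while repeated "remote" rows owned by one PID are the candidate for the data usage the original post describes.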
 
Melissa, I do not have enough information to answer your question. But I did find this:

O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe

This is a valid program that is required to run at startup in order to send performance data to the master console. It is related to the AdminWorks network management suite. File Location: C:\Program Files\Intel\IDU\awServ.exe
Source: bleepingcomputer.com.

You might want to have a look here as there may be an update for this firmware:
http://www.avocent.com/Legacy_Firmware_Updates/AdminWorks_Management_Software.aspx
 
Sorry for the late reply. I have run a malware scan and saved the log file, but when I try to run GMER the computer starts acting up, freezes and shuts itself down. Now I don't want anything to happen to this computer by my doing, as it is a company computer. Does GMER cause a computer to behave that way?
 
Try running GMER in Safe Mode. If that doesn't work, uncheck 'Devices' on the right screen and try running.
 
Malware, GMER and DDS logs

Attached are the logs for 1 PC.

Sometimes when I'm on the net and I open netstat I see this:
lax04s01-in-f100.1e100.net:http connected to the avast PID. Should I be worried?

Anyway, please tell me if there's anything in the logs that I should be aware of...

Plus, how do I post as attachments?
_________________________________________

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2010/05/10 16:02:23
mbam-log-2010-05-10 (16-02-23).txt

Scan type: Quick scan
Objects scanned: 128147
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
___________________________________________________________________

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 14:59:52
Windows 5.1.2600 Service Pack 2
Running: 642cy1fm.exe; Driver: C:\DOCUME~1\USER~1.BIT\LOCALS~1\Temp\kgtiypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF61986B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF6198574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF6198A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF619814C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF619864E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF619808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF61980F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF619876E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF619872E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF61988AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS.0\system32\services.exe[596] @ C:\WINDOWS.0\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS.0\system32\services.exe[596] @ C:\WINDOWS.0\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
_________________________________________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 9:18:33.82 on 2010/05/11
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.475 [GMT 2:00]

AV: avast! antivirus 4.8.1368 [VPS 100510-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\VTTimer.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\Documents and Settings\User.BITLINE-E153D3E\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.za/
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [VTTimer] VTTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows.0\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows.0\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {41D8379B-69C6-4666-B506-9506BD5D55EA} = 192.168.0.1
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user~1.bit\applic~1\mozilla\firefox\profiles\776n2o30.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [2010-1-28 114768]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2010-1-28 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-28 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-28 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-28 352920]
S3 PSSDK42;PSSDK42;c:\windows.0\system32\drivers\pssdk42.sys [2010-4-9 38976]
S3 tmeter;TMeter Service;c:\windows.0\system32\drivers\tmeter.sys --> c:\windows.0\system32\drivers\tmeter.sys [?]
S3 tmeterMP;tmeterMP;c:\windows.0\system32\drivers\tmeter.sys --> c:\windows.0\system32\drivers\tmeter.sys [?]
S3 w900bus;Sony Ericsson 900i driver (WDM);c:\windows.0\system32\drivers\w900bus.sys --> c:\windows.0\system32\drivers\w900bus.sys [?]
S3 w900mdfl;Sony Ericsson 900i USB WMC Modem Filter;c:\windows.0\system32\drivers\w900mdfl.sys --> c:\windows.0\system32\drivers\w900mdfl.sys [?]
S3 w900mdm;Sony Ericsson 900i USB WMC Modem Drivers;c:\windows.0\system32\drivers\w900mdm.sys --> c:\windows.0\system32\drivers\w900mdm.sys [?]
S3 w900mgmt;Sony Ericsson 900i USB WMC Device Management Drivers;c:\windows.0\system32\drivers\w900mgmt.sys --> c:\windows.0\system32\drivers\w900mgmt.sys [?]
S3 w900obex;Sony Ericsson 900i USB WMC OBEX Interface Drivers;c:\windows.0\system32\drivers\w900obex.sys --> c:\windows.0\system32\drivers\w900obex.sys [?]

=============== Created Last 30 ================

2010-04-21 09:00:44 0 d-----w- c:\program files\Trend Micro
2010-04-21 07:41:04 0 d-----w- c:\program files\Zone Labs
2010-04-21 07:39:14 0 d-----w- c:\windows.0\Internet Logs

==================== Find3M ====================

2010-04-09 07:05:44 38976 ----a-w- c:\windows.0\system32\drivers\pssdk42.sys
2010-03-29 22:46:30 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45:52 20824 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2008-09-26 12:08:48 3659913 ----a-w- c:\program files\FileZilla_3.1.3_win32-setup.exe

============= FINISH: 9:19:05.12 ===============
_______________________________________________________________

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2008/08/04 14:31:55
System Uptime: 2010/05/11 07:23:30 (2 hours ago)

Motherboard: | | P4M800Pro-8237
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 775 | 3009/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 775 | 3009/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 76 GiB total, 48.931 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: HP Scan
Device ID: USB\VID_03F0&PID_5617&MI_00\6&1D7A1E04&0&0000
Manufacturer:
Name: HP Scan
PNP Device ID: USB\VID_03F0&PID_5617&MI_00\6&1D7A1E04&0&0000
Service:

==== System Restore Points ===================

RP296: 2010/02/11 13:33:06 - System Checkpoint
RP297: 2010/02/12 13:38:29 - System Checkpoint
RP298: 2010/02/15 09:35:16 - System Checkpoint
RP299: 2010/02/16 10:47:06 - System Checkpoint
RP300: 2010/02/17 13:40:28 - System Checkpoint
RP301: 2010/02/19 14:39:30 - System Checkpoint
RP302: 2010/02/22 09:18:00 - System Checkpoint
RP303: 2010/02/23 11:04:03 - System Checkpoint
RP304: 2010/02/24 13:23:07 - System Checkpoint
RP305: 2010/02/26 07:52:06 - System Checkpoint
RP306: 2010/03/01 08:51:21 - System Checkpoint
RP307: 2010/03/02 11:53:21 - Installed Microsoft Fix it 50126
RP308: 2010/03/02 16:26:23 - Installed Microsoft Fix it 50126
RP309: 2010/03/04 07:38:32 - System Checkpoint
RP310: 2010/03/05 13:15:28 - System Checkpoint
RP311: 2010/03/08 08:54:46 - System Checkpoint
RP312: 2010/03/09 13:22:46 - System Checkpoint
RP313: 2010/03/11 13:34:50 - System Checkpoint
RP314: 2010/03/15 08:38:56 - System Checkpoint
RP315: 2010/03/15 12:30:21 - Removed Apple Software Update
RP316: 2010/03/16 16:52:56 - System Checkpoint
RP317: 2010/03/18 11:30:11 - System Checkpoint
RP318: 2010/03/19 13:31:04 - System Checkpoint
RP319: 2010/03/23 15:14:43 - System Checkpoint
RP320: 2010/03/24 16:30:48 - System Checkpoint
RP321: 2010/03/26 10:40:18 - System Checkpoint
RP322: 2010/03/29 11:24:30 - Installed Microsoft Fix it 50126
RP323: 2010/03/30 12:26:16 - System Checkpoint
RP324: 2010/03/31 13:30:42 - System Checkpoint
RP325: 2010/04/01 15:25:33 - System Checkpoint
RP326: 2010/04/06 13:44:46 - System Checkpoint
RP327: 2010/04/08 07:51:03 - Installed Microsoft Fix it 50126
RP328: 2010/04/08 07:52:30 - Installed Microsoft Fix it 50126
RP329: 2010/04/08 07:56:32 - Installed Microsoft Fix it 50126
RP330: 2010/04/09 09:52:20 - Removed Sony Ericsson Communication Center
RP331: 2010/04/09 09:53:22 - Removed Sony Ericsson PC Suite 1.10.119
RP332: 2010/04/12 13:11:25 - System Checkpoint
RP333: 2010/04/13 13:15:09 - System Checkpoint
RP334: 2010/04/14 13:18:35 - System Checkpoint
RP335: 2010/04/15 13:10:47 - Installed Microsoft Fix it 50126
RP336: 2010/04/16 13:29:21 - System Checkpoint
RP337: 2010/04/19 13:15:27 - System Checkpoint
RP338: 2010/04/21 12:23:16 - System Checkpoint
RP339: 2010/04/21 14:52:29 - Removed QuickTime
RP340: 2010/04/23 16:47:25 - System Checkpoint
RP341: 2010/04/26 13:35:50 - System Checkpoint
RP342: 2010/04/28 13:15:01 - System Checkpoint
RP343: 2010/04/29 13:19:00 - System Checkpoint
RP344: 2010/04/30 13:22:28 - System Checkpoint
RP345: 2010/05/04 07:55:31 - System Checkpoint
RP346: 2010/05/05 13:45:56 - System Checkpoint
RP347: 2010/05/06 16:17:32 - System Checkpoint
RP348: 2010/05/10 09:13:42 - System Checkpoint

==== Installed Programs ======================

Adobe Reader 8.1.4
avast! Antivirus
Compatibility Pack for the 2007 Office system
HijackThis 2.0.2
HP LaserJet M1120 MFP Series
hppusgM1120
Java(TM) 6 Update 5
M1120 Scan To
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
Nero 7 Ultra Edition
Pdf995
Realtek AC'97 Audio
S3GSetup
VC 9.0 Runtime
VIA/S3G Display Driver
WebFldrs XP

==== End Of File ===========================
 
Melissa, I see System Checkpoints, which are restore points, set as late as 2010/05/10. But the activity for the last 30 days shows only 3 folders from 2010-04-21: c:\program files\Trend Micro, c:\program files\Zone Labs, c:\windows.0\Internet Logs. What happened?

And why are you checking netstat?
I also notice that you ran the Microsoft Fix it 50126, which is for a print spooler problem. Has that been fixed?

I notice also that you removed the Sony program and that there is also no indication of an install of TMeter Service Monitor, which runs an executable as TrafMonitor.exe. Both of these still have drivers running and files loading, so I have used a script to remove them.

Go ahead and download ComboFix from Here and save it to your Desktop.

[1]. Do NOT rename Combofix unless instructed.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.
NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If Combofix asks you to install Recovery Console, please allow it.
[6]. If Combofix asks you to update the program, always allow.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
=============================
After Combofix has been installed and run, do the following:
Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows.0\system32\drivers\w900bus.sys
c:\windows.0\system32\drivers\w900mdfl.sys 
c:\windows.0\system32\drivers\w900mdm.sys 
c:\windows.0\system32\drivers\w900mgmt.sys 
c:\windows.0\system32\drivers\w900obex.sys 
c:\windows.0\system32\drivers\tmeter.sys
 
Folder::

DDS::
mURLSearchHooks: H - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Registry::

Driver::
w900bus
w900mdfl
w900mdm
w900mgmt
w900obex
tmeter
tmeterMP
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
Please leave the Combofix log generated after you have run the script.

Please update Java to v6u20:
Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs.
 
The system restores must have happened 'cos I ran HijackThis. I just did that to see if any programs 'changed' their names.

The print spooler problem happened a few times. Even after I fixed it, it worked for a while, then it would come back. But what I have noticed is there was an e-mail I received from a client: whenever I tried to print that 1 specific attachment, the print spooler problem would come back and I'd have to run Fix it all over again.

The Sony program that I uninstalled not so long ago is that CD software that comes with the cellphone, Sony Ericsson W900i. Didn't require it anymore 'cos the cellphone has been replaced.

ComboFix log ...

ComboFix 10-05-10.05 - User 2010/05/12 12:05:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.458 [GMT 2:00]
Running from: c:\documents and settings\User.BITLINE-E153D3E\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\User.BITLINE-E153D3E\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100512-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\windows.0\system32\drivers\tmeter.sys"
"c:\windows.0\system32\drivers\w900bus.sys"
"c:\windows.0\system32\drivers\w900mdfl.sys"
"c:\windows.0\system32\drivers\w900mdm.sys"
"c:\windows.0\system32\drivers\w900mgmt.sys"
"c:\windows.0\system32\drivers\w900obex.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\java\jre1.6.0_05\bin\ssv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_tmeter
-------\Service_tmeterMP
-------\Service_w900bus
-------\Service_w900mdfl
-------\Service_w900mdm
-------\Service_w900mgmt
-------\Service_w900obex


((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-04-21 09:00 . 2010-04-21 09:00 -------- d-----w- c:\program files\Trend Micro
2010-04-21 07:41 . 2010-04-21 07:41 -------- d-----w- c:\program files\Zone Labs
2010-04-21 07:39 . 2010-04-21 07:42 -------- d-----w- c:\windows.0\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 09:40 . 2010-01-28 08:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-22 09:28 . 2010-03-25 13:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-22 09:26 . 2010-03-25 13:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Spybot - Search & Destroy
2010-04-21 12:52 . 2007-09-07 06:46 -------- d-----w- c:\program files\QuickTime
2010-04-14 14:51 . 2009-10-20 11:40 -------- d-----w- c:\program files\Comodo
2010-04-09 07:54 . 2008-05-06 11:19 -------- d-----w- c:\program files\Sony Ericsson
2010-04-09 07:54 . 2008-11-25 14:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Sony Ericsson
2010-04-09 07:54 . 2008-11-25 14:28 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-04-09 07:46 . 2010-04-09 07:02 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2010-04-09 07:05 . 2010-04-09 07:05 38976 ----a-w- c:\windows.0\system32\drivers\pssdk42.sys
2010-04-09 07:05 . 2010-04-09 07:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Paessler
2010-03-29 22:46 . 2010-01-28 08:23 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2010-01-28 08:23 20824 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2008-09-26 12:08 . 2008-09-26 12:08 3659913 ----a-w- c:\program files\FileZilla_3.1.3_win32-setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-05-12_08.17.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 10:12 . 2010-05-12 10:12 16384 c:\windows.0\Temp\Perflib_Perfdata_468.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows.0\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [2010/01/28 10:39 114768]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2010/01/28 10:39 20560]
S3 PSSDK42;PSSDK42;c:\windows.0\system32\drivers\pssdk42.sys [2010/04/09 09:05 38976]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {41D8379B-69C6-4666-B506-9506BD5D55EA} = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows.0\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User.BITLINE-E153D3E\Application Data\Mozilla\Firefox\Profiles\776n2o30.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 12:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows.0\system32\VTTimer.exe
c:\windows.0\SOUNDMAN.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows.0\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-12 12:17:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-12 10:17
ComboFix2.txt 2010-05-12 08:19

Pre-Run: 52,356,194,304 bytes free
Post-Run: 52,241,719,296 bytes free

- - End Of File - - B7CD81ECC71CF7418DA7F5FE5632CAC1
 
I don't think you have a malware problem. The process you mention AdminWorksAgentX6 is pre-installed software called Acer Lanscope Agent. ALA is a repackaging of software by Avocent called AdminWorks Agent. Adminworks is a network remote management tool for controlling clients from an administrator's console.

This 'Agent' is meant to respond to commands from the console. So, if your machine has ALA or AdminWorks Agent installed but is not part of a network using the AdminWorks Console part of the package, the Agent piece is useless.

Try uninstalling this in Add/Remove Programs. Then reboot the computer and see if it has made a difference.
=================================
There is some kind of problem with your system. First, a system restore is user activated. It doesn't just happen. Running HijackThis does not make that happen. It still shows that the only programs created in the past 30 days are the 3 logs, and yet you have downloaded and run several programs.

Most of the processes running are just for Avast and the system shows only a few basic programs installed. You have a program or application running that specializes in network monitoring and testing scenarios: Paessler. There is a process running which is a Packet Sniffer SDK, which is a development suite for network packet capture in multi-Gigabit network environments. This would indicate that you are capturing or limiting network traffic from a large network environment, and yet you say that "-computer sends and receives a few million packets in a few hours."

Sources of information: 'forum.soft32.com', 'microolap.com', 'paessler.com' and 'systemexplorer.mistergroup.org'.

If I had to rephrase all of this, I'd say the network is being over-managed, under-managed or incorrectly managed.
 
Please ignore the 1st HijackThis log.

Here is a new one after all the scanning and Java updates are done...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:08:20, on 2010/05/13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\VTTimer.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{41D8379B-69C6-4666-B506-9506BD5D55EA}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{41D8379B-69C6-4666-B506-9506BD5D55EA}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{41D8379B-69C6-4666-B506-9506BD5D55EA}: NameServer = 192.168.0.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 4292 bytes
 
Melissa, you need to clarify which system this work is being done on:

First HijackThis log:
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)


Malwarebytes' Anti-Malware 1.45>> old version> need new one
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

GMER 1.0.15.15281 -
Windows 5.1.2600 Service Pack 2

DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional

ComboFix 10-05-10.05 - User 2010/05/12 12:05:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.458

And the script I left was run on ComboFix 10-05-10.05 - User 2010/05/12 12:05:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.458 [GMT 2:00]
And it is showing in the log after you ran the script with these running processes:
c:\windows.0\system32\VTTimer.exe
c:\windows.0\SOUNDMAN.EXE
c:\windows.0\system32\wscntfy.exe
==========
Second HijackThis log:
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

========================
Although you did add "please ignore the 1st hijack this log.here is a new 1 after all the scanning and java updates done..." I did not take this to mean you had installed a different operating system!

The second log shows not only a different operating system, but also that the Services are in the wrong directory.

C:\Windows.0 is not a legitimate Windows directory unless there's something about your Windows install you forgot to tell us. So basically the Services can't do what they are supposed to do.

and these are from the current HJT log with Vista:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\VTTimer.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\wscntfy.exe


Please get it together and decide which system you're working on!
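The mix-up above came from two HijackThis logs that belonged to two different PCs. As an added example (not part of the thread, and not HijackThis's own code), the Python below pulls the identifying header fields (Platform, MSIE) and the Windows root directory used by the system processes out of each log and lists the fields that differ, so a helper can spot a swapped log before writing a fix script for the wrong machine. The two sample logs are constructed from the headers and a few process lines of the logs posted in this thread.

```python
"""Check whether two HijackThis logs plausibly come from the same machine.

Added example, not part of the thread or of HijackThis.  It fingerprints a
log by its Platform and MSIE header lines plus the Windows root directory
seen in the Running processes section, then reports which of those differ.
"""
import re

# Constructed sample: header and a few process lines from the first log
# posted in the thread (the Vista machine).
LOG_A = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:46 PM, on 2010/04/21
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\\Windows\\system32\\Dwm.exe
C:\\Windows\\Explorer.EXE
C:\\Program Files\\Windows Defender\\MSASCui.exe
"""

# Constructed sample: same for the second log (the XP machine with WINDOWS.0).
LOG_B = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:08:20, on 2010/05/13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\\WINDOWS.0\\System32\\smss.exe
C:\\WINDOWS.0\\system32\\winlogon.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

HEADER_FIELDS = ("Platform", "MSIE")
# Captures "<drive>:\<windir>" from any process path that lives under system32.
WINROOT_RE = re.compile(r"^([A-Za-z]:\\[^\\]+)\\system32\\", re.IGNORECASE)


def fingerprint(log):
    """Extract header fields and the Windows root(s) used by system processes."""
    fp = {}
    roots = set()
    in_procs = False
    for line in log.splitlines():
        line = line.strip()
        for field in HEADER_FIELDS:
            if line.startswith(field + ":"):
                fp[field] = line.split(":", 1)[1].strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
                continue
            m = WINROOT_RE.match(line)
            if m:
                roots.add(m.group(1).lower())
    fp["windows_roots"] = sorted(roots)
    return fp


def compare_logs(log_a, log_b):
    """Return the sorted list of fingerprint fields that differ between two logs."""
    a, b = fingerprint(log_a), fingerprint(log_b)
    return [k for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


if __name__ == "__main__":
    diffs = compare_logs(LOG_A, LOG_B)
    if diffs:
        print("logs are NOT from the same machine; differing fields:", diffs)
    else:
        print("logs are consistent with one machine")
```

On the two samples every field differs (platform, browser version and Windows root), which is the situation the helper ran into; an empty list is what a helper would expect from a before-and-after pair taken on one PC.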
 
I am so sorry about that.

The 1st HijackThis log is from another PC in our office, which I incorrectly pasted.

So all the scans and the 2nd HijackThis log were done on the Windows XP.

About the C:\windows.0: the only thing I can think of is that this computer crashed a few years back with a virus and just shut down completely. Someone tried their best to recover all the info from the computer. That is the only thing I can think of...

Sorry about the inconvenience caused by the 1st incorrect HJT log posted...
 
Guess I came on a bit strong! Sorry about that. But I spent a bit of time going back and forth on those logs and finally realized they had to be from 2 different machines. Must have been late at night- I growl louder then!

I have to figure out a way to move those files to the correct directory. As long as they are in the wrong directory, the operating system isn't going to find them when needed.

Please rescan with ComboFix and leave a new log. I may be able to use a script to move the files from the bad directory to the right one. Leave the new report for me in your next reply.
 