TechSpot

Please tell me if I'm infected with a virus - HJT log included

By MelissaP
Apr 22, 2010
  1. Please help.

    Problems that make me think I have a virus:

    - computer using up to 500MB a day doing I don't know what (5 GB cap)
    - netstat always shows an open connection whose foreign address is 192.168.0.2 with a website next to it
    - computer sends and receives a few million packets in a few hours
    - when this computer is switched off the light on the router changes from green to orange but the other 2 computers stay green

    I have read HijackThis tutorials and tried to understand them as best as I could. I have done a scan but can't tell what to fix. I did a Spybot scan and that picked up a FunWebBrowser.

    I cannot attach the log as an attachment for some reason, so it is pasted below.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:28:46 PM, on 2010/04/21
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Acer\Empowering Technology\SysMonitor.exe
    C:\Acer\Empowering Technology\eLock\autolockprocess\AutoLockProcess.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Windows\System32\rundll32.exe
    C:\Acer\LANScope Agent\awtray.exe
    C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.za.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.za.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
    O4 - HKLM\..\Run: [AutoLockProcess] C:\Acer\Empowering Technology\eLock\autolockprocess\autolockprocess.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
    O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eProtection Service (eProtection) - Unknown owner - C:\Program Files\Acer\eProtection\Service\eProtectionServ.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    O23 - Service: Google Update Service (gupdate1ca2c968d5b1939) (gupdate1ca2c968d5b1939) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

    --
    End of file - 7841 bytes
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Melissa. We do not 'screen' for malware with HijackThis.

    Please follow the preliminary virus and malware removal steps HERE.

    When you have finished, please leave the requested logs for review.

    You can keep HijackThis as we will have you run it again.
    FYI: the IP 192.168.0.2 is not for a foreign site. It is for your router. Are you trying to say that you are being redirected to a different site? I may need to have you reset the router later.
     
  3. MelissaP

    MelissaP TS Rookie Topic Starter

    Thanks, I will follow those steps and report back.

    Not sure if this helps to narrow it down, but what I have noticed is that as soon as the computer is switched on, it starts accessing the net, invisibly to us. If I do a netstat -o and see which ports are open, then go to Task Manager to see which apps are using those ports, the only one unknown to me is "AdminWorks Agent X6". When I stop that program from running, all ports are closed.

    Could this be it?
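The netstat -o / Task Manager cross-check MelissaP describes, scripted as an added example (not code from the thread or from TechSpot): it parses constructed `netstat -ano` and `tasklist` output, maps each connection's PID to its image name, and labels each peer as LAN (RFC 1918, which is Bobbye's point about 192.168.0.2), public, loopback or an unresolved hostname. All rows, PIDs and addresses in the samples are made up; the 1e100.net hostname is the one quoted later in the thread.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Constructed sample output (not from the thread); PIDs and addresses are made up.
# The 1e100.net row mirrors the hostname MelissaP saw next to the avast PID.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address                  State           PID
  TCP    192.168.0.3:139        192.168.0.2:1034                 ESTABLISHED     4
  TCP    192.168.0.3:1052       lax04s01-in-f100.1e100.net:http  ESTABLISHED     1872
  TCP    192.168.0.3:1060       203.0.113.25:443                 ESTABLISHED     1340
  TCP    0.0.0.0:135            0.0.0.0:0                        LISTENING       904
  UDP    0.0.0.0:500            *:*                                              1020
"""
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0        236 K
svchost.exe                    904 Console                    0      4,520 K
lsass.exe                     1020 Console                    0      1,100 K
awtray.exe                    1340 Console                    0      3,080 K
ashWebSv.exe                  1872 Console                    0      9,200 K
"""

# RFC 1918 and link-local ranges: a peer here is another machine on the home
# network (or the router), not a "foreign" site on the Internet.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
               "fc00::/7", "fe80::/10")]


class Connection(NamedTuple):
    proto: str
    local: str
    foreign_host: str
    foreign_port: str
    state: str        # empty for UDP rows, which netstat prints without a State column
    pid: int
    process: str      # image name from tasklist, or "<unknown>" if the PID has exited
    scope: str        # "lan", "public", "loopback", "unspecified", "wildcard", "hostname"


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name using the first two columns of `tasklist` output."""
    pid_to_name: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():   # skips header and ==== rows
            pid_to_name[int(parts[1])] = parts[0]
    return pid_to_name


def split_endpoint(endpoint: str):
    """'host:port' -> (host, port); IPv6 hosts are printed as '[addr]:port'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def classify_host(host: str) -> str:
    if host in ("*", ""):
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"   # netstat without -n prints resolved names; scope unknown
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "unspecified"
    if any(addr in net for net in LAN_RANGES):
        return "lan"
    return "public"


def parse_netstat(text: str, pid_to_name: Dict[int, str]) -> List[Connection]:
    conns: List[Connection] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if len(parts) == 5:        # TCP: proto local foreign state pid
            state, pid = parts[3], int(parts[4])
        elif len(parts) == 4:      # UDP: proto local foreign pid
            state, pid = "", int(parts[3])
        else:
            continue
        host, port = split_endpoint(parts[2])
        conns.append(Connection(parts[0], parts[1], host, port, state, pid,
                                pid_to_name.get(pid, "<unknown>"), classify_host(host)))
    return conns


def correlate(netstat_text: str, tasklist_text: str) -> List[Connection]:
    return parse_netstat(netstat_text, parse_tasklist(tasklist_text))


def leaving_the_lan(conns: List[Connection]) -> List[Connection]:
    """Established connections whose peer is off the home network (or not yet
    resolved): the ones to account for when a monthly data cap is being used up."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.scope in ("public", "hostname")]


if __name__ == "__main__":
    for c in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{c.proto:4} {c.foreign_host}:{c.foreign_port:<6} {c.state:12} "
              f"pid={c.pid:<5} {c.process:14} [{c.scope}]")
```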
     
  4. Bobbye

    Melissa, I do not have enough information to answer your question. But I did find this:

    O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe

    This is a valid program that is required to run at startup in order to send performance data to the master console. It is related to the AdminWorks network management suite. File Location: C:\Program Files\Intel\IDU\awServ.exe
    Source: bleepingcomputer.com.

    You might want to have a look here as there may be an update for this firmware:
    http://www.avocent.com/Legacy_Firmware_Updates/AdminWorks_Management_Software.aspx
     
  5. MelissaP

    Sorry for the late reply. I have run a malware scan and saved the log file, but when I try to run GMER the computer starts acting up, freezes and shuts itself down. Now I don't want anything to happen to this computer by my doing, as it is a company computer. Does GMER cause a computer to behave that way?
     
  6. Bobbye

    Try running GMER in Safe Mode. If that doesn't work, uncheck 'Devices' on the right screen and try running.
     
  7. MelissaP

    Malware, GMER and DDS logs

    Attached are the logs for 1 PC.

    Sometimes when I'm on the net and I open netstat I see this:
    lax04s01-in-f100.1e100.net:http connected to the avast PID. Should I be worried?

    Anyway, please tell me if there's anything in the logs that I should be aware of.

    Plus, how do I post as attachments?
    _________________________________________

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3930

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    2010/05/10 16:02:23
    mbam-log-2010-05-10 (16-02-23).txt

    Scan type: Quick scan
    Objects scanned: 128147
    Time elapsed: 4 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ___________________________________________________________________

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-10 14:59:52
    Windows 5.1.2600 Service Pack 2
    Running: 642cy1fm.exe; Driver: C:\DOCUME~1\USER~1.BIT\LOCALS~1\Temp\kgtiypoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF61986B8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF6198574]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF6198A52]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF619814C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF619864E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF619808C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF61980F0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF619876E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF619872E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF61988AE]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS.0\system32\services.exe[596] @ C:\WINDOWS.0\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
    IAT C:\WINDOWS.0\system32\services.exe[596] @ C:\WINDOWS.0\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----
    _________________________________________________________________

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by User at 9:18:33.82 on 2010/05/11
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.475 [GMT 2:00]

    AV: avast! antivirus 4.8.1368 [VPS 100510-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============

    C:\WINDOWS.0\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS.0\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\VTTimer.exe
    C:\WINDOWS.0\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS.0\system32\wscntfy.exe
    C:\Documents and Settings\User.BITLINE-E153D3E\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.za/
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    mRun: [VTTimer] VTTimer.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    dRun: [CTFMON.EXE] c:\windows.0\system32\CTFMON.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: Microsoft XML Parser for Java - file://c:\windows.0\java\classes\xmldso.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: {41D8379B-69C6-4666-B506-9506BD5D55EA} = 192.168.0.1
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user~1.bit\applic~1\mozilla\firefox\profiles\776n2o30.default\
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: network.proxy.type - 4

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [2010-1-28 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2010-1-28 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-28 138680]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-28 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-28 352920]
    S3 PSSDK42;PSSDK42;c:\windows.0\system32\drivers\pssdk42.sys [2010-4-9 38976]
    S3 tmeter;TMeter Service;c:\windows.0\system32\drivers\tmeter.sys --> c:\windows.0\system32\drivers\tmeter.sys [?]
    S3 tmeterMP;tmeterMP;c:\windows.0\system32\drivers\tmeter.sys --> c:\windows.0\system32\drivers\tmeter.sys [?]
    S3 w900bus;Sony Ericsson 900i driver (WDM);c:\windows.0\system32\drivers\w900bus.sys --> c:\windows.0\system32\drivers\w900bus.sys [?]
    S3 w900mdfl;Sony Ericsson 900i USB WMC Modem Filter;c:\windows.0\system32\drivers\w900mdfl.sys --> c:\windows.0\system32\drivers\w900mdfl.sys [?]
    S3 w900mdm;Sony Ericsson 900i USB WMC Modem Drivers;c:\windows.0\system32\drivers\w900mdm.sys --> c:\windows.0\system32\drivers\w900mdm.sys [?]
    S3 w900mgmt;Sony Ericsson 900i USB WMC Device Management Drivers;c:\windows.0\system32\drivers\w900mgmt.sys --> c:\windows.0\system32\drivers\w900mgmt.sys [?]
    S3 w900obex;Sony Ericsson 900i USB WMC OBEX Interface Drivers;c:\windows.0\system32\drivers\w900obex.sys --> c:\windows.0\system32\drivers\w900obex.sys [?]

    =============== Created Last 30 ================

    2010-04-21 09:00:44 0 d-----w- c:\program files\Trend Micro
    2010-04-21 07:41:04 0 d-----w- c:\program files\Zone Labs
    2010-04-21 07:39:14 0 d-----w- c:\windows.0\Internet Logs

    ==================== Find3M ====================

    2010-04-09 07:05:44 38976 ----a-w- c:\windows.0\system32\drivers\pssdk42.sys
    2010-03-29 22:46:30 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
    2010-03-29 22:45:52 20824 ----a-w- c:\windows.0\system32\drivers\mbam.sys
    2008-09-26 12:08:48 3659913 ----a-w- c:\program files\FileZilla_3.1.3_win32-setup.exe

    ============= FINISH: 9:19:05.12 ===============
    _______________________________________________________________

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2008/08/04 14:31:55
    System Uptime: 2010/05/11 07:23:30 (2 hours ago)

    Motherboard: | | P4M800Pro-8237
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 775 | 3009/200mhz
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 775 | 3009/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 76 GiB total, 48.931 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: HP Scan
    Device ID: USB\VID_03F0&PID_5617&MI_00\6&1D7A1E04&0&0000
    Manufacturer:
    Name: HP Scan
    PNP Device ID: USB\VID_03F0&PID_5617&MI_00\6&1D7A1E04&0&0000
    Service:

    ==== System Restore Points ===================

    RP296: 2010/02/11 13:33:06 - System Checkpoint
    RP297: 2010/02/12 13:38:29 - System Checkpoint
    RP298: 2010/02/15 09:35:16 - System Checkpoint
    RP299: 2010/02/16 10:47:06 - System Checkpoint
    RP300: 2010/02/17 13:40:28 - System Checkpoint
    RP301: 2010/02/19 14:39:30 - System Checkpoint
    RP302: 2010/02/22 09:18:00 - System Checkpoint
    RP303: 2010/02/23 11:04:03 - System Checkpoint
    RP304: 2010/02/24 13:23:07 - System Checkpoint
    RP305: 2010/02/26 07:52:06 - System Checkpoint
    RP306: 2010/03/01 08:51:21 - System Checkpoint
    RP307: 2010/03/02 11:53:21 - Installed Microsoft Fix it 50126
    RP308: 2010/03/02 16:26:23 - Installed Microsoft Fix it 50126
    RP309: 2010/03/04 07:38:32 - System Checkpoint
    RP310: 2010/03/05 13:15:28 - System Checkpoint
    RP311: 2010/03/08 08:54:46 - System Checkpoint
    RP312: 2010/03/09 13:22:46 - System Checkpoint
    RP313: 2010/03/11 13:34:50 - System Checkpoint
    RP314: 2010/03/15 08:38:56 - System Checkpoint
    RP315: 2010/03/15 12:30:21 - Removed Apple Software Update
    RP316: 2010/03/16 16:52:56 - System Checkpoint
    RP317: 2010/03/18 11:30:11 - System Checkpoint
    RP318: 2010/03/19 13:31:04 - System Checkpoint
    RP319: 2010/03/23 15:14:43 - System Checkpoint
    RP320: 2010/03/24 16:30:48 - System Checkpoint
    RP321: 2010/03/26 10:40:18 - System Checkpoint
    RP322: 2010/03/29 11:24:30 - Installed Microsoft Fix it 50126
    RP323: 2010/03/30 12:26:16 - System Checkpoint
    RP324: 2010/03/31 13:30:42 - System Checkpoint
    RP325: 2010/04/01 15:25:33 - System Checkpoint
    RP326: 2010/04/06 13:44:46 - System Checkpoint
    RP327: 2010/04/08 07:51:03 - Installed Microsoft Fix it 50126
    RP328: 2010/04/08 07:52:30 - Installed Microsoft Fix it 50126
    RP329: 2010/04/08 07:56:32 - Installed Microsoft Fix it 50126
    RP330: 2010/04/09 09:52:20 - Removed Sony Ericsson Communication Center
    RP331: 2010/04/09 09:53:22 - Removed Sony Ericsson PC Suite 1.10.119
    RP332: 2010/04/12 13:11:25 - System Checkpoint
    RP333: 2010/04/13 13:15:09 - System Checkpoint
    RP334: 2010/04/14 13:18:35 - System Checkpoint
    RP335: 2010/04/15 13:10:47 - Installed Microsoft Fix it 50126
    RP336: 2010/04/16 13:29:21 - System Checkpoint
    RP337: 2010/04/19 13:15:27 - System Checkpoint
    RP338: 2010/04/21 12:23:16 - System Checkpoint
    RP339: 2010/04/21 14:52:29 - Removed QuickTime
    RP340: 2010/04/23 16:47:25 - System Checkpoint
    RP341: 2010/04/26 13:35:50 - System Checkpoint
    RP342: 2010/04/28 13:15:01 - System Checkpoint
    RP343: 2010/04/29 13:19:00 - System Checkpoint
    RP344: 2010/04/30 13:22:28 - System Checkpoint
    RP345: 2010/05/04 07:55:31 - System Checkpoint
    RP346: 2010/05/05 13:45:56 - System Checkpoint
    RP347: 2010/05/06 16:17:32 - System Checkpoint
    RP348: 2010/05/10 09:13:42 - System Checkpoint

    ==== Installed Programs ======================

    Adobe Reader 8.1.4
    avast! Antivirus
    Compatibility Pack for the 2007 Office system
    HijackThis 2.0.2
    HP LaserJet M1120 MFP Series
    hppusgM1120
    Java(TM) 6 Update 5
    M1120 Scan To
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft .NET Framework 2.0
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.3)
    Nero 7 Ultra Edition
    Pdf995
    Realtek AC'97 Audio
    S3GSetup
    VC 9.0 Runtime
    VIA/S3G Display Driver
    WebFldrs XP

    ==== End Of File ===========================
     
  8. Bobbye

    Melissa, I see System Checkpoints, which are restore points, set as late as 2010/05/10. But the activity for the last 30 days shows only 3 folders from 2010-04-21: c:\program files\Trend Micro, c:\program files\Zone Labs, c:\windows.0\Internet Logs. What happened?

    And why are you checking netstat?
    I also notice that you ran the Microsoft Fix it 50126, which is for a print spooler problem. Has that been fixed?

    I notice also that you removed the Sony program and that there is also no indication of an install of TMeter Service Monitor, which runs an executable as TrafMonitor.exe. Both of these still have drivers running and files loading, so I have used a script to remove them.

    Go ahead and download ComboFix from Here and save it to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    =============================
    After Combofix has been installed and run, do the following:
    Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows.0\system32\drivers\w900bus.sys
    c:\windows.0\system32\drivers\w900mdfl.sys 
    c:\windows.0\system32\drivers\w900mdm.sys 
    c:\windows.0\system32\drivers\w900mgmt.sys 
    c:\windows.0\system32\drivers\w900obex.sys 
    c:\windows.0\system32\drivers\tmeter.sys
     
    Folder::
    
    DDS::
    mURLSearchHooks: H - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    Registry::
    
    Driver::
    w900bus
    w900mdfl
    w900mdm
    w900mgmt
    w900obex
    tmeter
    tmeterMP
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    ====================
    Please leave the Combofix log generated after you have run the script.

    Please update Java to v6u20.
    Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs.
     
  9. MelissaP

    MelissaP TS Rookie Topic Starter

    The system restores must have happened because I ran HijackThis. I just did that to see if any programs 'changed' their names.

    The print spooler problem happened a few times. Even after I fixed it, it worked for a while and then it would come back. But what I have noticed is there was an e-mail I received from a client: whenever I tried to print that one specific attachment, the print spooler problem would come back and I'd have to run Fix it all over again.

    The Sony program that I uninstalled not so long ago is the CD software that comes with the cellphone, a Sony Ericsson W900i. I didn't require it anymore because the cellphone has been replaced.

    combofix log ...

    ComboFix 10-05-10.05 - User 2010/05/12 12:05:44.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.458 [GMT 2:00]
    Running from: c:\documents and settings\User.BITLINE-E153D3E\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\User.BITLINE-E153D3E\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1368 [VPS 100512-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    FILE ::
    "c:\windows.0\system32\drivers\tmeter.sys"
    "c:\windows.0\system32\drivers\w900bus.sys"
    "c:\windows.0\system32\drivers\w900mdfl.sys"
    "c:\windows.0\system32\drivers\w900mdm.sys"
    "c:\windows.0\system32\drivers\w900mgmt.sys"
    "c:\windows.0\system32\drivers\w900obex.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\java\jre1.6.0_05\bin\ssv.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_tmeter
    -------\Service_tmeterMP
    -------\Service_w900bus
    -------\Service_w900mdfl
    -------\Service_w900mdm
    -------\Service_w900mgmt
    -------\Service_w900obex


    ((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
    .

    2010-04-21 09:00 . 2010-04-21 09:00 -------- d-----w- c:\program files\Trend Micro
    2010-04-21 07:41 . 2010-04-21 07:41 -------- d-----w- c:\program files\Zone Labs
    2010-04-21 07:39 . 2010-04-21 07:42 -------- d-----w- c:\windows.0\Internet Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-23 09:40 . 2010-01-28 08:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-22 09:28 . 2010-03-25 13:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-22 09:26 . 2010-03-25 13:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Spybot - Search & Destroy
    2010-04-21 12:52 . 2007-09-07 06:46 -------- d-----w- c:\program files\QuickTime
    2010-04-14 14:51 . 2009-10-20 11:40 -------- d-----w- c:\program files\Comodo
    2010-04-09 07:54 . 2008-05-06 11:19 -------- d-----w- c:\program files\Sony Ericsson
    2010-04-09 07:54 . 2008-11-25 14:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Sony Ericsson
    2010-04-09 07:54 . 2008-11-25 14:28 -------- d-----w- c:\program files\Common Files\Teleca Shared
    2010-04-09 07:46 . 2010-04-09 07:02 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
    2010-04-09 07:05 . 2010-04-09 07:05 38976 ----a-w- c:\windows.0\system32\drivers\pssdk42.sys
    2010-04-09 07:05 . 2010-04-09 07:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Paessler
    2010-03-29 22:46 . 2010-01-28 08:23 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
    2010-03-29 22:45 . 2010-01-28 08:23 20824 ----a-w- c:\windows.0\system32\drivers\mbam.sys
    2008-09-26 12:08 . 2008-09-26 12:08 3659913 ----a-w- c:\program files\FileZilla_3.1.3_win32-setup.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-05-12_08.17.10 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-05-12 10:12 . 2010-05-12 10:12 16384 c:\windows.0\Temp\Perflib_Perfdata_468.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2005-03-08 53248]
    "SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows.0\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [2010/01/28 10:39 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2010/01/28 10:39 20560]
    S3 PSSDK42;PSSDK42;c:\windows.0\system32\drivers\pssdk42.sys [2010/04/09 09:05 38976]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.za/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {41D8379B-69C6-4666-B506-9506BD5D55EA} = 192.168.0.1
    DPF: Microsoft XML Parser for Java - file://c:\windows.0\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\User.BITLINE-E153D3E\Application Data\Mozilla\Firefox\Profiles\776n2o30.default\
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:eek:fficial
    FF - prefs.js: network.proxy.type - 4

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-12 12:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\windows.0\system32\VTTimer.exe
    c:\windows.0\SOUNDMAN.EXE
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows.0\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-12 12:17:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-12 10:17
    ComboFix2.txt 2010-05-12 08:19

    Pre-Run: 52,356,194,304 bytes free
    Post-Run: 52,241,719,296 bytes free

    - - End Of File - - B7CD81ECC71CF7418DA7F5FE5632CAC1
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't think you have a malware problem. The process you mention AdminWorksAgentX6 is pre-installed software called Acer Lanscope Agent. ALA is a repackaging of software by Avocent called AdminWorks Agent. Adminworks is a network remote management tool for controlling clients from an administrator's console.

    This 'Agent' is meant to respond to commands from the console. So, if your machine has ALA or AdminWorks Agent installed but is not part of a network using the AdminWorks Console part of the package, the Agent piece is useless.

    Try uninstalling this in Add/Remove Programs. Then reboot the computer and see if it has made a difference.
    =================================
    There is some kind of problem with your system. First, a system restore is user activated. It doesn't just happen. Running HijackThis does not make that happen. It still shows that the only programs created in the past 30 days are the 3 logs, and yet you have downloaded and run several programs.

    Most of the processes running are just for Avast, and the system shows only a few basic programs installed. You have a program or application running that specializes in network monitoring and testing scenarios: Paessler. There is a process running which is a Packet Sniffer SDK, which is a development suite for network packet capture in multi-Gigabit network environments. This would indicate that you are capturing or limiting network traffic from a large network environment, and yet you say that "-computer sends and receives a few million packets in a few hours."

    Sources of information: 'forum.soft32.com', 'microolap.com', 'paessler.com' and 'systemexplorer.mistergroup.org'.

    If I had to rephrase all of this, I'd say the network is being over-managed, under-managed or incorrectly managed.
     
  11. MelissaP

    MelissaP TS Rookie Topic Starter

    Please ignore the 1st HijackThis log.

    Here is a new one after all the scanning and Java updates were done...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:08:20, on 2010/05/13
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\VTTimer.exe
    C:\WINDOWS.0\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS.0\system32\wscntfy.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41D8379B-69C6-4666-B506-9506BD5D55EA}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{41D8379B-69C6-4666-B506-9506BD5D55EA}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{41D8379B-69C6-4666-B506-9506BD5D55EA}: NameServer = 192.168.0.1
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

    --
    End of file - 4292 bytes
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Melissa, you need to clarify which system this work is being done on:

    First HijackThis log:
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)


    Malwarebytes' Anti-Malware 1.45>> old version> need new one
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    GMER 1.0.15.15281 -
    Windows 5.1.2600 Service Pack 2

    DDS (Ver_10-03-17.01)
    Microsoft Windows XP Professional

    ComboFix 10-05-10.05 - User 2010/05/12 12:05:44.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.458

    And the script I left was run on ComboFix 10-05-10.05 - User 2010/05/12 12:05:44.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.458 [GMT 2:00]
    And it is showing in the log after you ran the script with these running processes:
    c:\windows.0\system32\VTTimer.exe
    c:\windows.0\SOUNDMAN.EXE
    c:\windows.0\system32\wscntfy.exe
    ==========
    Second HijackThis log:
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    ========================
    Although you did add "please ignore the 1st hijack this log. here is a new 1 after all the scanning and java updates done...", I did not take this to mean you had installed a different operating system!

    The second log shows not only a different operating system, but also that the Services are in the wrong directory.

    C:\Windows.0 is not a legitimate Windows directory unless there's something about your Windows install you forgot to tell us. So basically the Services can't do what they are supposed to do.

    and these are from the current HJT log with Vista:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\VTTimer.exe
    C:\WINDOWS.0\SOUNDMAN.EXE
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\WINDOWS.0\system32\wscntfy.exe


    Please get it together and decide which system you're working on!
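    A small log-triage helper for the point raised in this post (which Windows directory the core processes and services load from), added here as an example and not a tool from the thread: it parses HijackThis v2 lines and compares every image path against an expected root, which is an assumption the reader replaces with the %SystemRoot% value read on the machine itself, so the result is a consistency check rather than a verdict on the directory name. The sample log lines are constructed from the entries quoted in the thread.

```python
import re
from collections import Counter

# Constructed excerpt in HijackThis v2 log format, modelled on entries quoted
# in this thread (not the full log).
SAMPLE_LOG = r"""Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\services.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - ")                        # e.g. 'O23 - ...'
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|sys))', re.I)
ROOT_RE = re.compile(r"^([A-Za-z]:\\WINDOWS[^\\]*)\\", re.I)    # C:\WINDOWS, C:\WINDOWS.0

def parse_hjt(text):
    """Split a log into Platform line, running-process paths and (tag, line) entries."""
    platform, processes, entries, in_procs = None, [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            platform = line[len("Platform:"):].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False                 # blank line ends the list
        elif ENTRY_RE.match(line):
            entries.append((ENTRY_RE.match(line).group(1), line))
    return {"platform": platform, "processes": processes, "entries": entries}

def entry_path(line):
    """Absolute image path in an O4/O23 line; None for a bare name like 'VTTimer.exe'."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None

def windows_root(path):
    """Windows directory a path lives under, upper-cased, or None."""
    m = ROOT_RE.match(path)
    return m.group(1).upper() if m else None

def image_paths(parsed):
    """All absolute paths the log loads: processes plus O4/O23 images."""
    paths = list(parsed["processes"])
    paths += [entry_path(l) for t, l in parsed["entries"] if t in ("O4", "O23")]
    return [p for p in paths if p]

def system_roots(parsed):
    """How many loaded images come from each Windows directory."""
    return Counter(r for r in map(windows_root, image_paths(parsed)) if r)

def mismatched(parsed, expected_root):
    """Images under a Windows directory other than expected_root (assumed: the
    machine's own %SystemRoot%, which the log itself does not record)."""
    exp = expected_root.upper()
    return [p for p in image_paths(parsed) if windows_root(p) not in (None, exp)]
```

    Bare Run entries such as `VTTimer.exe` carry no directory at all and are reported as None, which is worth a second look on its own since Windows resolves them through the search path.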
     
  13. MelissaP

    MelissaP TS Rookie Topic Starter

    I am so sorry about that.

    The 1st HijackThis log is from another PC in our office which I incorrectly pasted.

    So all the scans and the 2nd HijackThis log were done on the Windows XP machine.

    About the C:\windows.0: the only thing I can think of is that this computer crashed a few years back with a virus and just shut down completely. Someone tried their best to recover all the info from the computer. That is the only thing I can think of...

    Sorry about the inconvenience caused by the 1st incorrect HJT log posted...
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Guess I came on a bit strong! Sorry about that. But I spent a bit of time going back and forth on those logs and finally realized they had to be from 2 different machines. Must have been late at night- I growl louder then!

    I have to figure out a way to move those files to the correct directory. As long as they are in the wrong directory, the operating system isn't going to find them when needed.

    Please rescan with Combofix and leave a new log. I may be able to use script to move the files from the bad directory to the right one. Leave the new report for me in next reply.
     