Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Sleepless in Mojave..

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Sleepless in Mojave..

Unread postby a1sound » April 19th, 2007, 12:09 am

Hi gang,

I was running Zone Alarm Pro and F-Prot on demand when I lost control of my system. Spoofed IPs and fake clients flooded the Zone Alarm log, and F-Prot went merrily on telling me everything was A-OK. I switched to an ancient but definite firewall, AtGuard, and ran that until I got outsmarted. Now, I 'm running Comodo and Kaspersky on demand.

I don't know if my machine is OK or not. It was running badly one day, and suddenly it rebooted after a long unattended stretch. When I tried to see what caused the reboot, I found so many badboys running with me that I gave up and rebuilt the machine from original CDs or one-off backups. Finding all the keys and codes and whatever was a nightmare, but I was determined to get this machine running again.

It seems stable now, but I don't believe it. I had tried a bandwidth limiter that probably loaded something I didn't want. Having a Ghost image of my boot drive, I reverted the system to an earlier moment and updated email and other things that were time oriented.

There still were unwanted calls to "mommy", such as to 69.22.138.73 for several IPs and to another band 67.29.128.73 for several more. I finally knocked both domains out in my router. That wasn't a good answer, but it plugged up the initial leak. The badboys kept trying, and my devices kept going off line or running slowly as the badboys tried to get through the router.

Thinking all was lost yet again, I reverted back to better times with Ghost, and am slowly making progress with all the settings and things to get myself running "clean" again. I had a lock-up with Thunderbird and installed an updated version on top of the existing client. So far, no problems.

Before I did the last reversion (Symantec calls it "restore", but that's too much like Microsoft's "restore" which is not a complete drive image), the latest badboy faked the first address off the top of my Hosts file, sending me to the Moon on a goose chase. I tracked it with a DOS window running "netstat -b 10". This gave me a clue that I was hung out to dry. Reverting to a cleaner image was my only choice at the time.

I didn't know how to read these hijack lists. Maybe you can show me what you see and where you see it.

I downloaded the latest HijackThis and ran it. The output seems simpler than it was before, when I knew I had problems; however, I couldn't read it then, and I'm not so sure what it tells me now. Here is the output..

Logfile of HijackThis v1.99.1
Scan saved at 19:40:30, on 2007-04-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\DUMETE~1\DUMeter.exe
C:\pfiles\D4\D4.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MOTU\Audio\MFWAKeys.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\pfiles\bclknt30\BARCLOCK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\UPSMON\UPSInt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netstat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DU Meter] C:\PROGRA~1\DUMETE~1\DUMeter.exe
O4 - HKLM\..\Run: [Dimension4] C:\pfiles\D4\D4.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: barclock.lnk = C:\pfiles\bclknt30\BARCLOCK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MOTU Pedal Handler.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6107475218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://L:\AUTORUN\Flash\swflash.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe


-=-=-

I want to enroll in the Malware Removal University, but I am told that I must be a patient first and have a clean machine at the get go.

So, *shudder* what do you think?

Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA
Advertisement
Register to Remove

Unread postby silver » April 20th, 2007, 10:02 pm

Hi a1sound,

My name is silver and I'll be helping you clean your computer. Please hold on while I research a fix for you.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby a1sound » April 21st, 2007, 2:00 am

Hi Silver!

This is good news. Let me know what you need.

Cheers,
Buzz.[/quote]
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

incoming activity..

Unread postby a1sound » April 21st, 2007, 4:42 am

Hi Silver,

My system has tried to reach the following IP addresses over the last 10 hours. These were blocked by Comodo on this machine; however, they are also blocked in the router NATing this computer. Any socket use will provoke some output attempts, and that causes delays as the attempts await acknowlegment. SYN_SENT is all the badboys get.

This behavior could be a simple marketing tracker which I doubt, or it could be a serious attempt to connect and load more badboys which I believe is true. Any socket use on my part is soon to start this activity again.

Here is the list of the sites my machine attempted to reach..

67.29.128.43:80 LVLT band
67.29.128.57:80
67.29.128.35:80
67.29.128.59:80

69.22.138.18:80 nLayer band
69.22.138.33:80
69.22.138.75:80

67.29.128.49:80
67.29.128.24:80

64.68.9.19:80 elan.net

67.29.128.42:80

This afternoon, three hours of ICMP attempts from my gateway to this computer via LAN followed, one every five seconds. I had a modem/router issue with my ISP today which may have caused this. All were stopped by Comodo. I found all this in the Comodo logs.

One thing that Comodo does is report a parent application fostering an accepted client application and trying to use that client to get out. I missed this earlier because I was sure that I had permitted a client such as Winamp to access the Net and was annoyed that the settings were ignored.

The parented attempts which followed a legitimate use of Winamp was a surprise. I had blindly accepted and permitted these attempts earlier. Lucky for me that I had doubled the firewall block in my router which stopped my error from letting the badboy call mommy.

Comodo is certainly a useful tool when you actually read the warnings.

Anyway, These IPs map to big banded networks probably on the Pacific Rim. I did not dig much deeper than that. The behavior of the trojan(s) [if that is what the badboys are] in my machine seems to be sophisticated enough to be piloted by some human, but I am not sure how he could gain access without my noticing.

One frustration is that no downloadable software scan finds anything wrong. I never run any executable--even from my associates--without a local scan. Now, I don't even trust Kaspersky, probably the most robust virus scanner of them all. I upload executables to VirusTotal.com.

Here is a copy of a continuous monitor I run with netstat. "netstat -b 10" produced the following, updated every ten seconds..

Active Connections

Proto Local Address Foreign Address State PID
TCP svenskatec:2072 67.29.128.17:http SYN_SENT 500
[firefox.exe]

TCP svenskatec:1042 localhost:1043 ESTABLISHED 500
[firefox.exe]

TCP svenskatec:1043 localhost:1042 ESTABLISHED 500
[firefox.exe]

TCP svenskatec:1044 localhost:1045 ESTABLISHED 500
[firefox.exe]

TCP svenskatec:1045 localhost:1044 ESTABLISHED 500
[firefox.exe]

TCP svenskatec:1983 mc-in-f147.google.com:http ESTABLISHED 500
[firefox.exe]

TCP svenskatec:1984 mc-in-f147.google.com:http ESTABLISHED 500
[firefox.exe]

TCP svenskatec:1965 bu-in-f93.google.com:http TIME_WAIT 0

-=-=-

Svenskatec is localhost.


About a minute later, this showed up for the first line..


Proto Local Address Foreign Address State PID
TCP svenskatec:2105 67.29.128.59:http SYN_SENT 500
[firefox.exe]

-=-=-

Then it doubled, and then it changed to this again..

Active Connections

Proto Local Address Foreign Address State PID
TCP svenskatec:2131 67.29.128.17:http SYN_SENT 500
[firefox.exe]

TCP svenskatec:2132 67.29.128.17:http SYN_SENT 500
[firefox.exe]


-=-=-

Then, out of nowhere, this..

Active Connections

Proto Local Address Foreign Address State PID
TCP svenskatec:1423 localhost:1424 ESTABLISHED 1364
[firefox.exe]

TCP svenskatec:1424 localhost:1423 ESTABLISHED 1364
[firefox.exe]

TCP svenskatec:1425 localhost:1426 ESTABLISHED 1364
[firefox.exe]

TCP svenskatec:1426 localhost:1425 ESTABLISHED 1364
[firefox.exe]

TCP svenskatec:1428 mc-in-f104.google.com:http ESTABLISHED 1364
[firefox.exe]

TCP svenskatec:1440 167.88.178.40:https ESTABLISHED 1364
[firefox.exe]

TCP svenskatec:1646 po-in-f147.google.com:http ESTABLISHED 1364
[firefox.exe]

TCP svenskatec:1647 po-in-f147.google.com:http ESTABLISHED 1364
[firefox.exe]

TCP svenskatec:1476 64-68-9-19.ip.elan.net:http FIN_WAIT_2 1364
[firefox.exe]

TCP svenskatec:1431 static-fxfeeds.nslb.sj.mozilla.com:http TIME_WAIT 0
TCP svenskatec:ms-sql-s static-fxfeeds.nslb.sj.mozilla.com:http TIME_WAIT 0
TCP svenskatec:1509 206.24.222.158:http TIME_WAIT 0
TCP svenskatec:1523 206.24.222.158:http TIME_WAIT 0
TCP svenskatec:1561 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1562 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1564 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1570 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1575 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1576 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1578 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1585 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1593 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1594 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1598 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1602 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1608 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1609 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1610 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1611 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1613 64-68-9-19.ip.elan.net:http TIME_WAIT 0
TCP svenskatec:1614 64-68-9-19.ip.elan.net:http TIME_WAIT 0

-=-=-

This is a typical day for this computer. Having locked down the networks involved has slowed a lot of this down to almost nothing. I still get the dragged down speed when something is waiting for an ACK.

I'm not all that good at this, and probably stepped on myself trying to get to understand what's going, but I'm furious that I've been victimized.

I hope all this extra information doesn't confuse the issue. I'll download and run anything you think is necessary.

Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Unread postby silver » April 21st, 2007, 6:25 am

Hi a1sound,

You seem to have had a lot of difficulties recently, but the way I've read your post it sounds like since the most recent re-imaging you've had no specific issues apart from the lock-up with Thunderbird - is this correct? In any case, we'll have a thorough look and once your machine is clean you can make a new disk image which you can keep in case of future problems.

I can't see anything obviously suspicious in the network traffic log information you posted; however the first list didn't have any application name associated with the connection attempts so it's difficult to be sure. I'll be concentrating first on finding and removing malware from your machine, and then afterwards we can see if the firewall logs show anything unusual.

I have a couple of other questions for you:

You have a program Barclock (C:\pfiles\bclknt30\BARCLOCK.EXE) running on your computer. I can't find much information on it, do you know what it is and did you knowingly install it?

You have an FTP client installed on your computer called WS_FTP, are you aware of this and did you knowingly install it?

You have BitComet, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but P2P file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I strongly recommend you remove it, but of course the choice is yours.
If you wish to remove it, open Start->Control Panel->Add/Remove Programs, look down the list for BitComet and remove it.

If you removed BitComet, then we will remove it's Internet Explorer entries using HijackThis:
Open HijackThis, choose Do a system scan only and place a checkmark next to the following lines (if present):
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Please run an online scan with Panda Activescan:
Open this page in Internet Explorer:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country, State/Province, enter an e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your deskop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the ActiveScan log, the uninstall log along with a new HijackThis log, and let me know about the programs at the top of this post.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby a1sound » April 21st, 2007, 7:09 am

Hi Silver,

You seem to have had a lot of difficulties recently, but the way I've read your post it sounds like since the most recent re-imaging you've had no specific issues apart from the lock-up with Thunderbird - is this correct?


Any socket activity is dragged along because I have the the badboys blocked. They are hanging waiting for an ACK which never comes. This makes my net browsing slow. AVG is taking forever to update, but I see that it will complete eventually. I may not have allowed it to complete before.


Once your machine is clean you can make a new disk image which you can keep in case of future problems.


This is the right thing to do--a man after my own heart!


You have a program Barclock (C:\pfiles\bclknt30\BARCLOCK.EXE) running on your computer. I can't find much information on it, do you know what it is and did you knowingly install it?


This is an old friend. It puts a timestamp on the top of each window. I've run it for almost 10 years. The exe scans clean at VirusTotal.com.


You have an FTP client installed on your computer called WS_FTP, are you aware of this and did you knowingly install it?


Yes, I installed it. I have read that this is a perfect back door, so I watch all the traffic and check logs whenever I'm away. I move big audio files with it. Some of my local recorders become FTP servers for a non invasive offload of audio. Otherwise, I pull a caddy and use a firewire adaptor to move these files to a computer.


You have BitComet, a P2P file sharing program installed on your computer...


I use this to move big edit environments as torrents from my personal site which is right on a backbone of the NET. It seems odd, but the customers understand torrents which are easier to export than HTML. I will remove BitComet and follow what you suggest to give a less confusing environment. It's easy to reinstall, and as you pointed out, it is not bundled.

Getting Panda to load is going to be a problem. I'm hung waiting for the badboys trying to connect with mommy. I will try to do this in "safe mode". Somehow, I am not sure I'll get the active-x stuff to work.

I will out wait this thing first, and when that doesn't work, I'll try safe mode.

OK. Here goes..

Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Unread postby a1sound » April 21st, 2007, 9:29 am

Hi Silver,

This computer won't let me access the pandasoftware.com site. I tried to fake the IP but I couldn't research it easily. When I did a traceroute, it ended up on a fake address in the zone that I blocked. Any access on any browser causes the lock.

Here's a good one--my pocket pc uses the same router and ended on the same IP. Red flag there.

I tried on another machine that is a server. It worked using IE. And I was dismayed to find it working with the 67... and the 69... band. It's running the scan now. Might as well because it has been connected to the badboy for an unknown time.

No attempt on this machine seems to work. When I ran "safe mode with Networking", I couldn't access the Net, even though this computer had managed to get an IP from the DHCP server.

Is there anything you can do without the scan? I don't really want to cut this machine loose with all my files on it, so, I'm reluctant to open it up to the world by unblocking the addresses.

Let me know,
Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Unread postby a1sound » April 21st, 2007, 10:04 am

Hi Silver,

This computer won't let me access the pandasoftware.com site. I tried to fake the IP but I couldn't research it easily. When I did a traceroute, it ended up on a fake address in the zone that I blocked. Any access on any browser causes the lock.

Here's a good one--my pocket pc uses the same router and ended on the same IP. Red flag there.

I tried on another machine that is a server. It worked using IE. And I was dismayed to find it working with the 67... and the 69... band. It's running the scan now. Might as well because it has been connected to the badboy for an unknown time.

No attempt on this machine seems to work. When I ran "safe mode with Networking", I couldn't access the Net, even though this computer had managed to get an IP from the DHCP server.

Is there anything you can do without the scan? I don't really want to cut this machine loose with all my files on it, so, I'm reluctant to open it up to the world by unblocking the addresses.

Let me know,
Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Unread postby a1sound » April 21st, 2007, 1:39 pm

Hi Silver,

I decided to move off my sensitive stuff and open up the locked down addresses. IE required the 67... series to be unlocked. Here is the report from the scan..

Incident Status Location



Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\buzz\Application Data\Mozilla\Firefox\Profiles\mpv3nr2g.default\cookies.txt[.atdmt.com/]


Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\buzz\Application Data\Mozilla\Firefox\Profiles\mpv3nr2g.default\cookies.txt[.tribalfusion.com/]


Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\buzz\Application Data\Mozilla\Firefox\Profiles\mpv3nr2g.default\cookies.txt[.2o7.net/]


Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\buzz\Application Data\Mozilla\Firefox\Profiles\mpv3nr2g.default\cookies.txt[.advertising.com/]


Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\buzz\Application Data\Mozilla\Firefox\Profiles\mpv3nr2g.default\cookies.txt[.statcounter.com/]


Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\buzz\Application Data\Mozilla\Firefox\Profiles\mpv3nr2g.default\cookies.txt[.mediaplex.com/]


Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\buzz\Application Data\Mozilla\Firefox\Profiles\mpv3nr2g.default\cookies.txt[.dist.belnk.com/]


Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\buzz\Application Data\Mozilla\Firefox\Profiles\mpv3nr2g.default\cookies.txt[.belnk.com/]


Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\buzz\Application Data\Thunderbird\new-old stuff\Profiles\n19lotlu.default\Mail\mail.zz.com\Inbox[Word_Document.hqx]


Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\buzz\Application Data\Thunderbird\Profiles\n19lotlu.default\Mail\mail.zz.com\Inbox[Word_Document.hqx]


Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\buzz\Cookies\buzz@2o7[1].txt


Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\buzz\Cookies\buzz@atdmt[2].txt


Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\buzz\Cookies\buzz@atwola[1].txt


Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\buzz\Cookies\buzz@questionmarket[1].txt


Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

-=-=-

Anyway, most of the badboys here are cookies, and the only disinfected files are email attachments that are known to be bad. Oh, well.

Hope you can find something in the rest of the stuff. Here is the current HijackThis log..

Logfile of HijackThis v1.99.1
Scan saved at 07:20:15, on 2007-04-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\UPSMON\UPSInt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\DUMETE~1\DUMeter.exe
C:\pfiles\D4\D4.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MOTU\Audio\MFWAKeys.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\pfiles\bclknt30\BARCLOCK.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netstat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\pfiles\EditPad\EditPad.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\pfiles\ztw151\ZTW.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DU Meter] C:\PROGRA~1\DUMETE~1\DUMeter.exe
O4 - HKLM\..\Run: [Dimension4] C:\pfiles\D4\D4.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: barclock.lnk = C:\pfiles\bclknt30\BARCLOCK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MOTU Pedal Handler.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6107475218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://L:\AUTORUN\Flash\swflash.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe

-=-=-

Here's the Uninstall list..

ACDSee 32
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Creative Suite 2
Adobe Help Center 1.0
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Apple Software Update
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
BugOff 1.10
CCleaner (remove only)
COMODO Firewall Pro
Dimension 4 v4.3
DU Meter
EULAlyzer v1.2
Final Draft 7
foobar2000 v0.9.4.2
Forté Agent
Google Earth
HD Tune 2.53
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB898108)
HotKey Detective (PC Magazine)
Ipswitch WS_FTP Pro
Kaspersky Anti-Virus 6.0
Kaspersky Anti-Virus 6.0
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft ActiveSync 3.7
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 Redistributable
MOTU FireWire/USB Audio Installer
Mozilla Firefox (2.0.0.1)
Mozilla Firefox (2.0.0.3)
Mozilla Thunderbird (1.5)
Nero 7 Premium
Net Transport 1.92.273
Norton Ghost 10.0
NVIDIA Drivers
PGP 8.0.2
PowerISO
QuickPar 0.9
QuickTime
RealPlayer
SONAR 6 Producer Edition
Sony Media Manager 2.2
Sony Sound Forge 8.0d
Sony Vegas 7.0
SoundMAX
Steinberg Nuendo v3.1.1.944
Suite Specific
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
Trojan Remover 6.6.0
Tweak-XP Pro
Update for Windows XP (KB898461)
UPSMON Plus for Windows
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver

-=-=-

Thanks for looking! I sure hope this is easy. I did notice this..

IE won't run on certain locations without the 67. . . series open.
FireFox won't run without the same without the 69 . . . series open.

Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Unread postby silver » April 22nd, 2007, 5:27 am

Hi a1sound,

As you know, you have two emails in your inbox which have infected attachments. Please open Thunderbird, find and delete the relevant emails without opening them, and then empty the trash. If you have trouble locating them you can try using the search function, let me know if you have difficulty.

Next please do another couple of scans, both these scanners can be downloaded on another machine and then transferred if that's easier for you.

Download Dr.WEB CureIt to your desktop from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click cureit.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and remove the check mark from Heuristic analysis and press OK
  • Then select all hard drives to be scanned by clicking on them - choose all drives - a red dot confirms they will be scanned
  • Then click the green arrow on the right to start the scan
  • Click Yes to all if it asks if you want to cure/move a file
  • When the scan has finished, look if you can click next icon next to the files found:
    Image
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Image
    This will move incurable files to %userprofile%\DoctorWeb\quarantine-folder
  • Then click File-> Save report list and save the report to your desktop
  • Close Dr.Web Cureit and reboot your computer (this is important as files may be moved/deleted during reboot)

Please download F-Secure Blacklight (blbeta.exe):
https://europe.f-secure.com/blacklight/try.shtml
  • Click I ACCEPT and download the graphical user interface version to your Desktop
  • Double click the file to run it, choose I accept the agreement then press Scan
  • It will create the "fsbl-xxxxxxx.log" on your desktop.
  • The log will have a list of all items found.
  • Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.
  • Exit Blacklight and post the contents of the log in your next reply.


Once complete, please post the contents of DrWeb.csv and the Blacklight log along with a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Last scan results and HJT log..

Unread postby a1sound » April 22nd, 2007, 4:36 pm

Hi Silver,

Here is the output from the DrWeb scan..

Process.exe;C:\SDFix\apps;Tool.Prockill;Deleted.;
A0015278.exe;D:\System Volume Information\_restore{83FF70A7-BCD3-431B-99E0-53A2C34E0B8D}\RP47;Tool.ShutDown.11;Moved.;
Process.exe;D:\_install\Dry Cleaners\SmitfraudFix;Tool.Prockill;Deleted.;
Revelation.exe;D:\_install\Revelation;Tool.PassRevel;;

-=-=-

I left Revelation.exe alone because I use this to salvage a forgotten password when I have a confused user. Another computer has an FTP server running. It does what it says it does.

-=-=-

Here is the fsbl log..

04/22/07 12:38:22 [Info]: BlackLight Engine 1.0.61 initialized
04/22/07 12:38:22 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/22/07 12:38:22 [Note]: 7019 4
04/22/07 12:38:22 [Note]: 7005 0
04/22/07 12:42:18 [Note]: 7006 0
04/22/07 12:42:18 [Note]: 7011 232
04/22/07 12:42:18 [Note]: 7026 0
04/22/07 12:42:19 [Note]: 7026 0
04/22/07 12:42:21 [Note]: FSRAW library version 1.7.1021
04/22/07 12:44:47 [Note]: 7007 0

-=-=-

Upon one of the reboot cycles, Kaspersky found this..

deleted: adware not-a-virus:AdWare.Win32.OnFlow File: D:\RECYCLER\S-1-5-21-839522115-1979792683-725345543-1003\Dn1487.iso//Utilities/Area Code Reverse Lookup/Area Code Reverse Lookup Install File.exe//data0004
deleted: Trojan program Trojan-Downloader.Win32.Agent.bng File: C:\Program Files\Adobe\Adobe Version Cue CS2\jre\bin\hpi.dll

-->I copied this above as it went by. I almost missed it. The Adobe dll is an eye opener. I wonder if it is needed by anything I want.

-=-=-

And here is the HJT log..

Logfile of HijackThis v1.99.1
Scan saved at 12:46:54, on 2007-04-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\DUMETE~1\DUMeter.exe
C:\pfiles\D4\D4.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MOTU\Audio\MFWAKeys.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\pfiles\bclknt30\BARCLOCK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\UPSMON\UPSInt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DU Meter] C:\PROGRA~1\DUMETE~1\DUMeter.exe
O4 - HKLM\..\Run: [Dimension4] C:\pfiles\D4\D4.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: barclock.lnk = C:\pfiles\bclknt30\BARCLOCK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MOTU Pedal Handler.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6107475218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://L:\AUTORUN\Flash\swflash.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe

-=-=-
I looked at several websites that were difficult, thinking this might have snagged the badboy, but when I went to http://microsoft.com, he showed up again. Here is the netstat output..

Active Connections

Proto Local Address Foreign Address State PID
TCP svenskatec:1469 67.29.128.33:http SYN_SENT 3160
[firefox.exe]

TCP svenskatec:1027 localhost:1028 ESTABLISHED 3160
[firefox.exe]

TCP svenskatec:1028 localhost:1027 ESTABLISHED 3160
[firefox.exe]

TCP svenskatec:1029 localhost:1030 ESTABLISHED 3160
[firefox.exe]

TCP svenskatec:1030 localhost:1029 ESTABLISHED 3160
[firefox.exe]

TCP svenskatec:1225 207.138.126.198:http ESTABLISHED 3160
[firefox.exe]

TCP svenskatec:1226 207.138.126.198:http ESTABLISHED 3160
[firefox.exe]

TCP svenskatec:1458 wwwtkttest4.microsoft.com:http ESTABLISHED 3160
[firefox.exe]

-=-=-

Notice the first entry 67.29.128.33:http. This is an address that varies significantly. Sometimes it is in the 69... realm. Rats. I had set Comodo to block the entire domain which is huge..

67.24.0.0--67.31.255.255 LVLT (domain)

This is probably overkill, but I'll bet it slowed things down for the badboy.

Thanks for looking at all this. The thought of getting my editing computer back is heartening.

Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Unread postby silver » April 23rd, 2007, 8:31 pm

Hi a1sound,

The filename hpi.dll is normally associated with Java, and the folder location on your machine looks OK also, so it's possible that it was a false positive, but it would require further checking to be sure.

Since it's now been deleted you should check to see if your Adobe software is still working correctly. If not, you may need to copy that file from the installation media or reinstall the software. When you do, I suggest you upload hpi.dll to VirusTotal for checking, and assuming it's clean, ensure Kaspersky it set to ignore it.

There's nothing else I can see in your logs which is a cause for concern, and from what I am reading in your posts, the main symptom is unexpected outbound network communications - is this correct?

All your netstat postings have communications related to Firefox web browser. Firefox makes outbound connections to check for program, theme and extension updates, to check RSS feeds and obviously to show web-pages; there may be other reasons also. There are so many variables that it's difficult for me to know for sure whether a Firefox connection is legitimate or not, unless there is some evidence that the IP address is bad.

As you have pointed out, 67.29.128.33 might require further checking. I can't find much information on this IP address, so it's a bit of a dead end.
I'd then try to find out what functionality in Firefox is causing the connection.

First, try running Firefox in Safe Mode - this disables all your extensions & themes - to see if it's one of these which is causing the connection:
Close all Firefox windows
Press Start->Run
Type firefox -safe-mode in the box and press OK
When the box appears, choose Continue in Safe Mode
Then use netstat to monitor connections and see if there is any change.

You should also try temporarily unsubscribe from any RSS or "Live Bookmarks" you have in Firefox as these may create connections without any action from you. Perform the netstat analysis again and see if there is any change.

As a last resort you could uninstall Firefox, backup/delete your profile folder, and then reinstall a clean copy. Some information on locating and backing up your profile folder can be found here:
http://www.mozilla.org/support/firefox/profile

I understand why you are blocking off IP ranges, but if you wish to have normal internet access using this machine, then it isn't a permanent solution. I recommend you aim to find out what is causing the connections and then decide what is and what isn't acceptable - you should be able to do this with Firefox.

I have some further recommendations to help keep your machine clean:

Operating system vulnerabilities can easily be exploited by malware so please ensure your operating system is automatically kept up to date by using Windows Update:
Go to Start->Control Panel->Automatic Updates
Select Automatic and select a suitable schedule

You have good protective software installed, however please check that all programs automatically update as often as practical, the latest updates are essential for the best level of protection.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
If you install this, please take care to follow the DNS Client service instructions in the tutorial.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Find out how to prevent infection in the future
http://forum.malwareremoval.com/viewtopic.php?p=33687

Please post back to let me know how you got on, and if there are any further issues.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

..Still not sure..

Unread postby a1sound » April 23rd, 2007, 8:43 pm

Hi Silver,

I get the badboys accessed with any socket activity. Sometimes yes and sometimes, if I let a locked up page sit, no activity--it lets me browse without any problems. That means both IE and Thunderbird. Even access via Winamp will cause this--which I block. What can I run that will tell me what process is trying to grab those addresses?

This is just the seat of my pants feeling, but I don't like having my web activity running a request for an address that I don't know about.

Maybe a packet sniffer to see what it wants.

Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA

Unread postby silver » April 24th, 2007, 8:59 pm

Hi a1sound,

This is just the seat of my pants feeling, but I don't like having my web activity running a request for an address that I don't know about.

I'd like to clarify my previous post by confirming that I don't know that these connections you have logged are OK, I don't know that they are bad either, and I think you are quite right to check them out.

However, in the absence of any evidence of malware, I'd first be looking at the normal functionality of the application to explain the connections. If it couldn't be explained by this, then I'd be considering other possibilities. Unfortunately, this isn't always easy. Have you tried the steps I've posted and checked the results?

What can I run that will tell me what process is trying to grab those addresses?

The netstat command you have been using can tell you which process is communicating, your personal firewall can also be set to log processes and connections. Sysinternals (now part of Microsoft) have a free program called TCPView which is just like netstat but in a GUI format which I recommend you try.

If you follow the steps with Firefox then perhaps you'll discover what it is which causes the unknown connections, you can then take appropriate steps and then move on to another application.

I know that you feel very suspicious of your system, and that's understandable given you have seen some activity you haven't verified yet. However, I recommend you do not make conclusions about the nature of the activity without evidence one way or the other.

There's one more scan I'd like you to run, it shows a type of infection that might not have shown up in our examination so far:

Please download the following program and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it.
When it is done there will be a file called awf.txt on your desktop, and it will be open in Notepad.
Please post the contents of that file in your next response.

When complete, please post the FindAWF log and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby a1sound » April 24th, 2007, 10:24 pm

Hi Silver,

Here is the AWF report..

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

-=-=-

And here is the HijackThis Log..

Logfile of HijackThis v1.99.1
Scan saved at 19:22:34, on 2007-04-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\DUMETE~1\DUMeter.exe
C:\pfiles\D4\D4.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\DU Super Controler\DUSuperControler.exe
C:\Program Files\DU Super Controler\DUSuperControler.exe
C:\Program Files\MOTU\Audio\MFWAKeys.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\pfiles\bclknt30\BARCLOCK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\UPSMON\UPSInt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netstat.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DU Meter] C:\PROGRA~1\DUMETE~1\DUMeter.exe
O4 - HKLM\..\Run: [Dimension4] C:\pfiles\D4\D4.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: barclock.lnk = C:\pfiles\bclknt30\BARCLOCK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DUSuperControler.lnk = C:\Program Files\DU Super Controler\DUSuperControler.exe
O4 - Global Startup: MOTU Pedal Handler.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6107475218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://L:\AUTORUN\Flash\swflash.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe

-=-=-

Thanks for staying with this,

Cheers,
Buzz.
User avatar
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 60 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware