1/06/09 HijackThis log

Re: 1/06/09 HijackThis log

Post by Barkin » January 24th, 2009, 4:48 pm

OK, so I rebooted and this popped up:

========== REGISTRY ==========
Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
========== FILES ==========
e:\documents and settings\Aqua\Application Data\uTorrent moved successfully.
========== COMMANDS ==========
File delete failed. E:\DOCUME~1\Aqua\LOCALS~1\Temp\etilqs_A4oTMITNhJ2fFUX0q3aR scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. E:\WINDOWS\temp\Perflib_Perfdata_764.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01242009_122927

Files moved on Reboot...
File E:\DOCUME~1\Aqua\LOCALS~1\Temp\etilqs_A4oTMITNhJ2fFUX0q3aR not found!
File move failed. E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File E:\WINDOWS\temp\Perflib_Perfdata_764.dat not found!
E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_001_ moved successfully.
E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_002_ moved successfully.
E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_003_ moved successfully.
E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_MAP_ moved successfully.
E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\urlclassifier3.sqlite moved successfully.
E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\XUL.mfl moved successfully.


Sometimes my computer lags loading H.264 files into Media Player Classic and Zoom Player; it will hang sometimes.
The computer doesn't go into "standby" mode... its standby mode became just shutting the hard drives down and leaving everything else on. Hibernate works like it should. Shutdowns take long, around 2-3 minutes.
In a cmd window, netstat shows that my computer is connecting to itself.

My computer never used to act this way... it's got decent specs, so I don't know why it lags loading stuff it should be able to handle easily. If it's normal for something like that to happen, then I guess it's OK.

Here's a screenshot of netstat:
[Image: screenshot of netstat output]
Barkin
Regular Member
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Post by Bio-Hazard » January 25th, 2009, 8:21 am

Hello!

Let's get the netstat info into a text file so it is easier to read. Please post that log for me to see.

So, in a command prompt window, run this command:

netstat -b > \textfile.txt


You will find the log here: E:\textfile.txt


Notice: Keep in mind that if you have network applications open, such as the browser you're using to view this page, additional items will be listed when you run "netstat" and/or the "netstat -b" command. If you want a true listing of what is running in the background, close all programs and run the command.
Bio-Hazard
MRU Master Emeritus
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Post by Barkin » January 25th, 2009, 1:16 pm

Active Connections

Proto Local Address Foreign Address State PID
TCP sora:5152 localhost:2791 CLOSE_WAIT 1964
[jqs.exe]

TCP sora:2469 198.189.255.89:http CLOSE_WAIT 3268
[jusched.exe]

TCP sora:1057 localhost:8080 TIME_WAIT 0
TCP sora:1177 localhost:8080 TIME_WAIT 0
TCP sora:1213 localhost:8080 TIME_WAIT 0
TCP sora:1217 localhost:8080 TIME_WAIT 0
TCP sora:1229 localhost:8080 TIME_WAIT 0
TCP sora:1277 localhost:8080 TIME_WAIT 0
TCP sora:4952 localhost:8080 TIME_WAIT 0
TCP sora:8080 localhost:1341 TIME_WAIT 0
TCP sora:8080 localhost:1053 TIME_WAIT 0
TCP sora:8080 localhost:1453 TIME_WAIT 0
TCP sora:8080 localhost:1373 TIME_WAIT 0
TCP sora:8080 localhost:1357 TIME_WAIT 0
TCP sora:8080 localhost:1181 TIME_WAIT 0
TCP sora:8080 localhost:1245 TIME_WAIT 0
TCP sora:8080 localhost:1277 TIME_WAIT 0
TCP sora:8080 localhost:1229 TIME_WAIT 0
TCP sora:8080 localhost:1469 TIME_WAIT 0
TCP sora:8080 localhost:1149 TIME_WAIT 0
TCP sora:8080 localhost:1389 TIME_WAIT 0
TCP sora:8080 localhost:1117 TIME_WAIT 0
TCP sora:8080 localhost:1293 TIME_WAIT 0
TCP sora:8080 localhost:1325 TIME_WAIT 0
TCP sora:8080 localhost:1069 TIME_WAIT 0
TCP sora:8080 localhost:1101 TIME_WAIT 0
TCP sora:8080 localhost:1309 TIME_WAIT 0
TCP sora:8080 localhost:1133 TIME_WAIT 0
TCP sora:8080 localhost:1486 TIME_WAIT 0
TCP sora:8080 localhost:1406 TIME_WAIT 0
TCP sora:8080 localhost:1502 TIME_WAIT 0
TCP sora:8080 localhost:1195 TIME_WAIT 0
TCP sora:8080 localhost:1040 TIME_WAIT 0
TCP sora:8080 localhost:1440 TIME_WAIT 0
TCP sora:8080 localhost:1424 TIME_WAIT 0
TCP sora:8080 localhost:4944 TIME_WAIT 0
TCP sora:8080 localhost:4976 TIME_WAIT 0
TCP sora:8080 localhost:4992 TIME_WAIT 0
TCP sora:8080 localhost:4960 TIME_WAIT 0
TCP sora:8080 localhost:1137 TIME_WAIT 0
TCP sora:8080 localhost:1457 TIME_WAIT 0
TCP sora:8080 localhost:1261 TIME_WAIT 0
TCP sora:8080 localhost:1089 TIME_WAIT 0
TCP sora:8080 localhost:1085 TIME_WAIT 0
TCP sora:8080 localhost:1169 TIME_WAIT 0
TCP sora:8080 localhost:1377 TIME_WAIT 0
TCP sora:8080 localhost:1281 TIME_WAIT 0
TCP sora:8080 localhost:1345 TIME_WAIT 0
TCP sora:8080 localhost:1313 TIME_WAIT 0
TCP sora:8080 localhost:1105 TIME_WAIT 0
TCP sora:8080 localhost:1153 TIME_WAIT 0
TCP sora:8080 localhost:1393 TIME_WAIT 0
TCP sora:8080 localhost:1121 TIME_WAIT 0
TCP sora:8080 localhost:1185 TIME_WAIT 0
TCP sora:8080 localhost:1165 TIME_WAIT 0
TCP sora:8080 localhost:1297 TIME_WAIT 0
TCP sora:8080 localhost:1233 TIME_WAIT 0
TCP sora:8080 localhost:1073 TIME_WAIT 0
TCP sora:8080 localhost:1329 TIME_WAIT 0
TCP sora:8080 localhost:1265 TIME_WAIT 0
TCP sora:8080 localhost:1420 TIME_WAIT 0
TCP sora:8080 localhost:1436 TIME_WAIT 0
TCP sora:8080 localhost:1474 TIME_WAIT 0
TCP sora:8080 localhost:1490 TIME_WAIT 0
TCP sora:8080 localhost:1202 TIME_WAIT 0
TCP sora:8080 localhost:1411 TIME_WAIT 0
TCP sora:8080 localhost:1428 TIME_WAIT 0
TCP sora:8080 localhost:1044 TIME_WAIT 0
TCP sora:8080 localhost:4940 TIME_WAIT 0
TCP sora:8080 localhost:4996 TIME_WAIT 0
TCP sora:8080 localhost:4980 TIME_WAIT 0
TCP sora:8080 localhost:4948 TIME_WAIT 0
TCP sora:8080 localhost:4964 TIME_WAIT 0
TCP sora:8080 localhost:1317 TIME_WAIT 0
TCP sora:8080 localhost:1381 TIME_WAIT 0
TCP sora:8080 localhost:kpop TIME_WAIT 0
TCP sora:8080 localhost:1157 TIME_WAIT 0
TCP sora:8080 localhost:1077 TIME_WAIT 0
TCP sora:8080 localhost:1349 TIME_WAIT 0
TCP sora:8080 localhost:1365 TIME_WAIT 0
TCP sora:8080 localhost:1301 TIME_WAIT 0
TCP sora:8080 localhost:1461 TIME_WAIT 0
TCP sora:8080 localhost:1253 TIME_WAIT 0
TCP sora:8080 localhost:1141 TIME_WAIT 0
TCP sora:8080 localhost:1237 TIME_WAIT 0
TCP sora:8080 localhost:1333 TIME_WAIT 0
TCP sora:8080 localhost:1093 TIME_WAIT 0
TCP sora:8080 localhost:1445 TIME_WAIT 0
TCP sora:8080 localhost:1221 TIME_WAIT 0
TCP sora:8080 localhost:1285 TIME_WAIT 0
TCP sora:8080 localhost:1397 TIME_WAIT 0
TCP sora:8080 localhost:1269 TIME_WAIT 0
TCP sora:8080 localhost:1125 TIME_WAIT 0
TCP sora:8080 localhost:1173 TIME_WAIT 0
TCP sora:8080 localhost:1061 TIME_WAIT 0
TCP sora:8080 localhost:1494 TIME_WAIT 0
TCP sora:8080 localhost:1190 TIME_WAIT 0
TCP sora:8080 localhost:1478 TIME_WAIT 0
TCP sora:8080 localhost:1036 TIME_WAIT 0
TCP sora:8080 localhost:1415 TIME_WAIT 0
TCP sora:8080 localhost:4972 TIME_WAIT 0
TCP sora:8080 localhost:1032 TIME_WAIT 0
TCP sora:8080 localhost:1432 TIME_WAIT 0
TCP sora:8080 localhost:4968 TIME_WAIT 0
TCP sora:8080 localhost:4952 TIME_WAIT 0
TCP sora:8080 localhost:5000 TIME_WAIT 0
TCP sora:8080 localhost:1249 TIME_WAIT 0
TCP sora:8080 localhost:4984 TIME_WAIT 0
TCP sora:8080 localhost:4956 TIME_WAIT 0
TCP sora:8080 localhost:1337 TIME_WAIT 0
TCP sora:8080 localhost:1289 TIME_WAIT 0
TCP sora:8080 localhost:1209 TIME_WAIT 0
TCP sora:8080 localhost:1113 TIME_WAIT 0
TCP sora:8080 localhost:1321 TIME_WAIT 0
TCP sora:8080 localhost:1081 TIME_WAIT 0
TCP sora:8080 localhost:1145 TIME_WAIT 0
TCP sora:8080 localhost:1225 TIME_WAIT 0
TCP sora:8080 localhost:1161 TIME_WAIT 0
TCP sora:8080 localhost:1353 TIME_WAIT 0
TCP sora:8080 localhost:1129 TIME_WAIT 0
TCP sora:8080 localhost:1305 TIME_WAIT 0
TCP sora:8080 localhost:1449 TIME_WAIT 0
TCP sora:8080 localhost:1049 TIME_WAIT 0
TCP sora:8080 localhost:1465 TIME_WAIT 0
TCP sora:8080 localhost:1177 TIME_WAIT 0
TCP sora:8080 localhost:1273 TIME_WAIT 0
TCP sora:8080 localhost:1097 TIME_WAIT 0
TCP sora:8080 localhost:1385 TIME_WAIT 0
TCP sora:8080 localhost:1241 TIME_WAIT 0
TCP sora:8080 localhost:1065 TIME_WAIT 0
TCP sora:8080 localhost:1369 TIME_WAIT 0
TCP sora:8080 localhost:1257 TIME_WAIT 0
TCP sora:8080 localhost:4988 TIME_WAIT 0
TCP sora:8080 localhost:1402 TIME_WAIT 0
TCP sora:8080 localhost:1482 TIME_WAIT 0
TCP sora:8080 localhost:1498 TIME_WAIT 0
TCP sora:8080 localhost:1028 TIME_WAIT 0
TCP sora:1198 guru1.grisoft.cz:http TIME_WAIT 0
TCP sora:1199 198.189.255.82:http TIME_WAIT 0
TCP sora:1200 guru1.grisoft.cz:http TIME_WAIT 0
TCP sora:1205 198.189.255.82:http TIME_WAIT 0
TCP sora:1206 guru1.grisoft.cz:http TIME_WAIT 0
TCP sora:1207 198.189.255.82:http TIME_WAIT 0
TCP sora:1360 host.onoc.net:8008 TIME_WAIT 0
Barkin
Regular Member
Posts: 15
Joined: January 6th, 2009, 8:19 pm
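The listing above is what `netstat -b` gives you, but reading two hundred rows by eye is error-prone. The script below, an added example and not a tool from the forum, parses that layout (a connection row, optionally followed by a bracketed [process.exe] line naming the owner, as Windows XP prints it) and answers the questions the helpers are asking: which loopback port is being hammered, which outside hosts the machine reaches, and which rows carry no process at all. The sample text is constructed here, abridged from the posted listing; the hostname "sora" is the poster's.

```python
"""Parse Windows `netstat -b` output and summarise who is talking to whom.

Added example for this thread, not a tool from the forum. Assumes the XP-era
layout shown above: one row per connection, optionally followed by a
bracketed [process.exe] line naming the owning process.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

# Constructed sample, abridged from the listing posted above.
SAMPLE = """\
Active Connections

  Proto  Local Address   Foreign Address         State        PID
  TCP    sora:5152       localhost:2791          CLOSE_WAIT   1964
 [jqs.exe]

  TCP    sora:2469       198.189.255.89:http     CLOSE_WAIT   3268
 [jusched.exe]

  TCP    sora:1057       localhost:8080          TIME_WAIT    0
  TCP    sora:1177       localhost:8080          TIME_WAIT    0
  TCP    sora:8080       localhost:1341          TIME_WAIT    0
  TCP    sora:8080       localhost:1053          TIME_WAIT    0
  TCP    sora:1198       guru1.grisoft.cz:http   TIME_WAIT    0
  TCP    sora:1199       198.189.255.82:http     TIME_WAIT    0
  TCP    sora:1360       host.onoc.net:8008      TIME_WAIT    0
"""


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: Optional[str] = None      # filled in from the following [process.exe] line

    @staticmethod
    def _split(addr):
        host, _, port = addr.rpartition(":")   # rpartition keeps IPv6 "[::1]:port" intact
        return host, port

    @property
    def foreign_host(self):
        return self._split(self.foreign)[0]

    @property
    def foreign_port(self):
        return self._split(self.foreign)[1]

    @property
    def local_port(self):
        return self._split(self.local)[1]

    @property
    def is_loopback(self):
        return self.foreign_host in LOOPBACK


def parse_netstat(text):
    """Turn `netstat -b` text into Conn records; header and DLL lines are skipped."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Component line: it belongs to the connection row just above it.
            if conns and conns[-1].owner is None:
                conns[-1].owner = line[1:-1]
            continue
        parts = line.split()
        if parts[0] == "TCP" and len(parts) == 5:
            conns.append(Conn("TCP", parts[1], parts[2], parts[3], int(parts[4])))
        elif parts[0] == "UDP" and len(parts) == 4:   # UDP rows have no State column
            conns.append(Conn("UDP", parts[1], parts[2], "", int(parts[3])))
    return conns


def busiest_loopback_port(conns):
    """(port, count) for the port seen most often on either end of loopback rows."""
    ports = Counter()
    for c in conns:
        if c.is_loopback:
            ports[c.local_port] += 1
            ports[c.foreign_port] += 1
    return ports.most_common(1)[0] if ports else (None, 0)


def external_hosts(conns):
    """Map each non-loopback foreign host to the (port, state, owner) tuples seen."""
    out = defaultdict(set)
    for c in conns:
        if not c.is_loopback:
            out[c.foreign_host].add((c.foreign_port, c.state, c.owner or f"pid {c.pid}"))
    return dict(out)


def unattributed(conns):
    """Rows with PID 0: the socket is already closed (TIME_WAIT), so no owner is known."""
    return [c for c in conns if c.pid == 0]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    print("busiest loopback port:", busiest_loopback_port(conns))
    for host, seen in sorted(external_hosts(conns).items()):
        print(host, sorted(seen))
    print(len(unattributed(conns)), "rows with no owning process")
```

The PID 0 rows are the catch a practitioner should know about: a socket in TIME_WAIT has already been closed by its process, so `netstat -b` has nothing to attribute it to. To learn which program keeps opening connections to localhost:8080, the listing has to be taken while a connection is still ESTABLISHED (run it repeatedly, or right after the symptom appears), or the traffic has to be captured another way.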

Re: 1/06/09 HijackThis log

Post by Bio-Hazard » January 25th, 2009, 3:25 pm

Hello!

I have asked one of the Server Support Administrators to help me with this. He would like to know if you have installed this program: mIRC --> "G:\sysreset\mirc.exe" -uninstall. Are you using it as a fileserver? This might explain a few things. Could you also post a new HijackThis log?
Bio-Hazard
MRU Master Emeritus
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Post by Barkin » January 25th, 2009, 5:24 pm

Yes, I did install that program many years ago. I used to fileshare TV shows back in 2002. I don't anymore, and I haven't since 2003 because the channel closed and I lost interest in watching American television (NBC Universal sent me a cease and desist letter through my ISP). It is now a means of communication for people playing Utopia, which I do. Let me make this clear: I do not fileshare anymore. I do, however, download fansubs off channels on Rizon.

Anyway... IRC stuff:
irc.utonet.org (#confessions, #privateconfession)
Rizon (#eclipse, #shinsen-subs, #gg...)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:02 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\SafeConnect\scManager.sys
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\SafeConnect\scClient.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\AIM\aim.exe
G:\sysreset\mirc.exe
E:\utop\Angel.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
F:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "E:\utop\Angel.exe"
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - E:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - E:\Program Files\SafeConnect\scManager.sys servicestart (file missing)

--
End of file - 6806 bytes
Barkin
Regular Member
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Post by Bio-Hazard » January 26th, 2009, 9:14 am

Hello!

The Server Support Administrator who is helping me has asked me to have you run this program. He will then analyze the log for me.

Running Wireshark

I need you to download a program called Wireshark and install it.

This program tells us what is being sent and received by your machine.

Once it is installed, reboot your machine and make sure all the programs that you normally use are active. DO NOT use SKYPE or IRC while running this program.

  • Start Wireshark, and select the Icon underneath the "file" tab (1)
  • It may only have one option available, if so select that option.
  • If it has more than one option then select the option that has your IP address next to it and click start.
  • Run it for 15 minutes, click the Stop icon (2)
  • Now click the Save Icon (3)
  • Save the log where you can find it.
  • Post the log here.(You may have to upload the log file rather than posting it, depending on the file size.)

[Image: Wireshark toolbar with the capture-interface (1), stop (2) and save (3) icons marked]
Bio-Hazard
MRU Master Emeritus
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
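Once a .pcap like the one requested above exists, the first triage step is to tally who opened connections to whom, before looking at any payload. The script below is an added example, not the forum's or Wireshark's code. It reads the classic libpcap format (Wireshark's default save format at the time; current versions default to pcapng, which this reader deliberately rejects) with an Ethernet link layer, and counts bare SYNs per (source, destination, port), so that SYN/ACK replies from servers are not mistaken for connections the machine initiated. The capture is constructed in the script from hand-built Ethernet/IPv4/TCP frames so it runs offline; the 192.168.1.10 and 203.0.113.5 addresses are placeholders, not hosts from this thread.

```python
"""First-pass triage of a Wireshark capture: who opened TCP connections to whom.

Added example for this thread, not the forum's or Wireshark's code. Reads classic
libpcap (not pcapng) with an Ethernet link layer. The sample capture is built
here from constructed frames; 192.168.1.10 and 203.0.113.5 are placeholders.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-timestamp magic, file written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # what the same magic reads as when the file is big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_tcp_frame(src, sport, dst, dport, flags=TCP_SYN):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (this parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     IPPROTO_TCP, 0, _ip(src), _ip(dst))
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)    # zero MACs, IPv4 ethertype
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def sample_capture():
    """Constructed: two web connections, one SYN/ACK reply, three loopback, one to port 8008."""
    return build_pcap([
        build_tcp_frame("192.168.1.10", 1200, "198.189.255.89", 80),
        build_tcp_frame("198.189.255.89", 80, "192.168.1.10", 1200, TCP_SYN | TCP_ACK),
        build_tcp_frame("192.168.1.10", 1201, "198.189.255.89", 80),
        build_tcp_frame("127.0.0.1", 1057, "127.0.0.1", 8080),
        build_tcp_frame("127.0.0.1", 1177, "127.0.0.1", 8080),
        build_tcp_frame("127.0.0.1", 1213, "127.0.0.1", 8080),
        build_tcp_frame("192.168.1.10", 1360, "203.0.113.5", 8008),
    ])


def iter_frames(data):
    """Yield each captured frame from pcap bytes, handling either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng needs a different reader)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_endpoints(frame):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length, options included
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, sport, dst, dport, ip[ihl + 13]  # byte 13 of the TCP header holds the flags


def connection_attempts(data):
    """Count bare SYNs per (src, dst, dport): the side that opened each connection."""
    syns = Counter()
    for frame in iter_frames(data):
        ep = tcp_endpoints(frame)
        if ep is None:
            continue
        src, _sport, dst, dport, flags = ep
        if (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN:   # SYN/ACK replies are not new connections
            syns[(src, dst, dport)] += 1
    return syns


if __name__ == "__main__":
    for (src, dst, dport), n in connection_attempts(sample_capture()).most_common():
        print(f"{n:3d}  {src} -> {dst}:{dport}")
    # for a real file: connection_attempts(open("capture.pcap", "rb").read())
```

One caveat for the Windows XP machine in this thread: WinPcap, which Wireshark used on Windows then, could not capture on the loopback interface, so the localhost:8080 connections from the netstat listing will not appear in the .pcap; only traffic leaving the network adapter does. Unknown outside hosts with many attempts are the rows to chase first, cross-referenced against the process names netstat reported.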

Re: 1/06/09 HijackThis log

Post by Barkin » January 27th, 2009, 2:43 am

o_o; lots of stuff came up. It's bigger than 256 KiB compressed...

The thing's 1.79 MB. I ran it for 15 mins...

http://veraledaine.bol.ucla.edu/

On it there should be a link to download the .pcap.
Barkin
Regular Member
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Post by Bio-Hazard » January 27th, 2009, 1:43 pm

Hello!

Thank you for doing that. It will take some time to go through the log.

Regards

Bio-Hazard
Bio-Hazard
MRU Master Emeritus
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Post by Barkin » January 27th, 2009, 5:14 pm

Must be serious.
Barkin
Regular Member
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Post by Bio-Hazard » January 28th, 2009, 2:34 pm

We have several issues to address... First, this machine has been used as a file server and still has software installed that makes it as vulnerable to malware infections as a computer running P2P software. Currently, you state the following:

It is now a means of communication for people playing Utopia, which I do. Let me make this clear: I do not fileshare anymore. I do, however, download fansubs off channels in rizon.


Therefore, given that its current configuration permits outside access, it is highly probable that this system would very likely be reinfected as soon as it is put back into service. Secondly, this forum is geared toward removing malware from home computers, and we are not equipped to deal with infected servers. Lastly, this machine is badly infected and the best results would be obtained by reformatting it.

In short, as cleaning this machine would likely be ineffective, and servers fall outside the scope of this forum, we are unable to assist you.
Bio-Hazard
MRU Master Emeritus
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Post by Barkin » January 28th, 2009, 4:28 pm

Can you at least give a few names of infections you could identify?

And by format, I assume you mean that all three drives should be wiped clean? Or should I just purchase new drives and hope none of my academic work is 'infected' (e.g. .doc, .pdf)?

[edit]
I forgot to express my gratitude. Seeing all those connections to myself confirmed my suspicions, but I am also wary of the university's ResNet.

Last question:
Are all drives infected?

In the context that if I reformat only one drive, will the infection come back solely because I did not reformat the other drives? Assume I never touch BitTorrent or IRC ever again, meaning that the sysreset on G:\ is deleted. The only programs that will be on here are AIM, word processing, Adobe, Firefox, antivirus.
Barkin
Regular Member
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Post by NonSuch » January 28th, 2009, 8:15 pm

Barkin,

It would be pointless to begin describing the various infections and attempting to list all their names, as infections rarely, if ever, have uniform names. Often, each anti-virus company will append a name of its own choosing to an infection, i.e., each infection will have multiple names.

Ultimately, the decision on what to do rests with you; however, it would be in your best interest to reformat all your drives. I'm sorry we don't have better news for you, but that is the best advice we can offer.

As this issue involves a server and therefore falls outside the scope of this forum, this topic is now closed.

NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California