Am I going batty?


9 replies to this topic

#1 Danoid

  • New Member
  • 5 posts

Posted 11 February 2006 - 08:55 PM

Back in November (I think) I was surfing and Norton AV complained of a virus in a .wmf file - said it fixed it. When I closed all open windows I had this menu embedded in my desktop inviting me to online gambling, dating, pharmacy, porn, etc.

Couldn't remove it. Hours and hours and the purchase of Webroot SpySweeper later - it was identified and removed as downloader.ruin.

OK fine. 'Cept things didn't run well. I had all of the classic symptoms - crash / freeze / reboot within a minute after bootup - some programs didn't run, etc.

A couple of weeks ago I noticed that SVCHOST was continually calling out to 85.155.115.etc. An internet search described this as a 'rogue website - somewhere in the Ukraine' and suggested blocking 85.255.112 to 85.255.127 and 69.50.160 to 69.50.191. I did that in my router and voilà - no internet access at all! (other computers going thru the same router didn't notice) My access to the internet was linked to the router rule - block = no access / no block = access.

Then I tried HijackThis. It found a group of registry entries
HKLM\System\CSS\Services\TCPIP\...NameServer = 85.255.115.30,85.255.112.153 - deleted them = couldn't boot!

Eventually got rid of them. Then SVCHOST went nuts - it's continually dialing out. If it weren't for ZoneAlarm I'm sure it would have been able to phone home to whoever's targeting me.

I've tried Norton AV, McAfee AV, McAfee Spyware, AdAware, SpySweeper, Spybot S&D, I've pulled the drive & put it in a USB sled and scanned it from another machine - haven't found a thing.

I'm ready for FDISK and start over. Am I just being paranoid? Are the crashes / slowdowns hardware?

Hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 9:22:50 PM, on 2/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BHR4.1] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.netflix.com
O15 - Trusted IP range: http://192.168.0.1
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...687/mcfscan.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ZoneAlarm log...

ZoneAlarm Logging Client v6.1.737.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
FWOUT,2006/02/10,20:55:42 -5:00 GMT,192.168.0.102:1026,192.168.0.1:53,UDP
PE,2006/02/10,20:56:12 -5:00 GMT,Windows Media Player,127.0.0.1:1275,N/A
PE,2006/02/10,21:06:12 -5:00 GMT,Zone Labs Client,129.9.44.200:53,N/A
FWOUT,2006/02/10,21:06:12 -5:00 GMT,192.168.0.102:1032,192.168.0.1:53,UDP
FWIN,2006/02/10,21:45:02 -5:00 GMT,192.168.0.1:1900,239.255.255.250:1900,UDP
PE,2006/02/10,21:46:56 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:53,N/A
ACCESS,2006/02/10,21:46:56 -5:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (192.168.0.1:DNS); access was denied.,N/A,N/A
PE,2006/02/10,21:46:56 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:53,N/A
ACCESS,2006/02/10,21:47:00 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
PE,2006/02/10,21:47:00 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:1900,N/A
PE,2006/02/10,21:47:00 -5:00 GMT,Generic Host Process for Win32 Services,239.255.255.250:1900,N/A
PE,2006/02/10,21:50:18 -5:00 GMT,McAfee Security HTML Dialog,216.49.88.118:80,N/A
PE,2006/02/10,21:58:32 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:53,N/A
ACCESS,2006/02/10,21:58:32 -5:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (192.168.0.1:DNS); access was denied.,N/A,N/A
PE,2006/02/10,21:58:32 -5:00 GMT,Generic Host Process for Win32 Services,239.255.255.250:1900,N/A
ACCESS,2006/02/10,21:58:32 -5:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (239.255.255.250:Port 1900); access was denied.,N/A,N/A
PE,2006/02/10,21:58:32 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:53,N/A
ACCESS,2006/02/10,21:58:32 -5:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for sending data to the Internet (192.168.0.1:DNS); access was denied.,N/A,N/A
PE,2006/02/10,21:58:34 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:53,N/A
PE,2006/02/10,21:58:36 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:53,N/A
PE,2006/02/10,21:58:36 -5:00 GMT,Generic Host Process for Win32 Services,239.255.255.250:1900,N/A
ACCESS,2006/02/10,21:58:44 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
FWIN,2006/02/10,21:58:54 -5:00 GMT,192.168.0.1:1027,192.168.0.102:2869,TCP (flags:S)
LOCK,2006/02/10,21:59:52 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1,N/A
FWIN,2006/02/10,22:00:16 -5:00 GMT,192.168.0.1:1028,192.168.0.102:2869,TCP (flags:S)
LOCK,2006/02/10,22:00:46 -5:00 GMT,Generic Host Process for Win32 Services,,N/A
FWIN,2006/02/10,22:01:28 -5:00 GMT,192.168.0.1:1029,192.168.0.102:2869,TCP (flags:S)
FWOUT,2006/02/10,22:56:24 -5:00 GMT,192.168.0.102:1025,192.168.0.1:53,UDP
PE,2006/02/10,22:56:24 -5:00 GMT,Zone Labs Client,208.185.174.66:53,N/A
FWIN,2006/02/10,22:56:32 -5:00 GMT,192.168.0.1:1030,192.168.0.102:2869,TCP (flags:S)
FWIN,2006/02/10,22:57:54 -5:00 GMT,192.168.0.1:1031,192.168.0.102:2869,TCP (flags:S)
FWIN,2006/02/10,22:59:06 -5:00 GMT,192.168.0.1:1032,192.168.0.102:2869,TCP (flags:S)
LOCK,2006/02/10,23:00:28 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1,N/A
LOCK,2006/02/10,23:01:24 -5:00 GMT,Generic Host Process for Win32 Services,,N/A
LOCK,2006/02/11,00:31:22 -5:00 GMT,Windows Media Player,127.0.0.1,N/A
LOCK,2006/02/11,00:31:22 -5:00 GMT,Generic Host Process for Win32 Services,,N/A
ACCESS,2006/02/11,08:25:04 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
ACCESS,2006/02/11,08:25:08 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.101:Port 1035).,N/A,N/A
FWIN,2006/02/11,08:25:10 -5:00 GMT,192.168.0.101:1039,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/11,08:25:12 -5:00 GMT,192.168.0.101:0,192.168.0.102:0,ICMP (type:8/subtype:0)
PE,2006/02/11,08:25:16 -5:00 GMT,McAfee VirusScan Virus Map Reporting,216.49.88.80:443,N/A
FWIN,2006/02/11,08:25:16 -5:00 GMT,192.168.0.101:1038,192.168.0.102:445,TCP (flags:S)
ACCESS,2006/02/11,08:25:32 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.101:Port 1031).,N/A,N/A
FWIN,2006/02/11,08:25:48 -5:00 GMT,192.168.0.101:1054,192.168.0.102:80,TCP (flags:S)
FWIN,2006/02/11,08:26:24 -5:00 GMT,192.168.0.101:1056,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/11,08:26:30 -5:00 GMT,192.168.0.101:1055,192.168.0.102:445,TCP (flags:S)
FWOUT,2006/02/11,08:26:40 -5:00 GMT,192.168.0.102:1065,192.168.0.101:139,TCP (flags:S)
FWIN,2006/02/11,08:28:50 -5:00 GMT,192.168.0.101:1066,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/11,08:28:56 -5:00 GMT,192.168.0.101:1065,192.168.0.102:445,TCP (flags:S)
FWOUT,2006/02/11,08:29:06 -5:00 GMT,192.168.0.102:1069,192.168.0.101:139,TCP (flags:S)
FWOUT,2006/02/11,08:40:42 -5:00 GMT,192.168.0.102:1071,192.168.0.101:139,TCP (flags:S)
FWOUT,2006/02/11,08:41:32 -5:00 GMT,192.168.0.102:1073,192.168.0.101:139,TCP (flags:S)
FWIN,2006/02/11,08:42:04 -5:00 GMT,192.168.0.101:1095,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/11,08:42:10 -5:00 GMT,192.168.0.101:1094,192.168.0.102:445,TCP (flags:S)
FWOUT,2006/02/11,08:42:22 -5:00 GMT,192.168.0.102:1077,192.168.0.101:139,TCP (flags:S)
FWIN,2006/02/11,08:42:30 -5:00 GMT,192.168.0.101:1098,192.168.0.102:80,TCP (flags:S)
FWIN,2006/02/11,08:42:52 -5:00 GMT,192.168.0.101:1100,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/11,08:42:56 -5:00 GMT,192.168.0.101:1099,192.168.0.102:445,TCP (flags:S)
FWOUT,2006/02/11,08:43:12 -5:00 GMT,192.168.0.102:1082,192.168.0.101:139,TCP (flags:S)
FWOUT,2006/02/11,08:43:44 -5:00 GMT,192.168.0.102:1084,192.168.0.101:139,TCP (flags:S)
PE,2006/02/11,08:43:52 -5:00 GMT,Zone Labs Client,65.54.134.93:53,N/A
PE,2006/02/11,08:48:14 -5:00 GMT,Microsoft Application Error Reporting,127.0.0.1:1095,N/A
FWOUT,2006/02/11,08:53:56 -5:00 GMT,192.168.0.102:1097,192.168.0.101:139,TCP (flags:S)
FWIN,2006/02/11,09:01:04 -5:00 GMT,192.168.0.101:1141,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/11,09:01:08 -5:00 GMT,192.168.0.101:1140,192.168.0.102:445,TCP (flags:S)
FWIN,2006/02/11,09:04:30 -5:00 GMT,192.168.0.101:1151,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/11,09:04:36 -5:00 GMT,192.168.0.101:1150,192.168.0.102:445,TCP (flags:S)
FWOUT,2006/02/11,09:06:22 -5:00 GMT,192.168.0.102:1102,192.168.0.101:139,TCP (flags:S)
FWOUT,2006/02/11,09:18:48 -5:00 GMT,192.168.0.102:1104,192.168.0.101:139,TCP (flags:S)
FWOUT,2006/02/11,09:31:12 -5:00 GMT,192.168.0.102:1106,192.168.0.101:139,TCP (flags:S)
FWIN,2006/02/11,09:33:16 -5:00 GMT,192.168.0.101:1221,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/11,09:33:16 -5:00 GMT,192.168.0.101:0,192.168.0.102:0,ICMP (type:8/subtype:0)
FWIN,2006/02/11,09:33:22 -5:00 GMT,192.168.0.101:1220,192.168.0.102:445,TCP (flags:S)
FWOUT,2006/02/11,09:43:38 -5:00 GMT,192.168.0.102:1110,192.168.0.101:139,TCP (flags:S)
PE,2006/02/11,09:46:14 -5:00 GMT,LiveUpdate Engine COM Module,204.10.29.13:80,N/A
FWOUT,2006/02/11,09:56:04 -5:00 GMT,192.168.0.102:1113,192.168.0.101:139,TCP (flags:S)
ACCESS,2006/02/11,09:59:50 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.13:HTTP).,N/A,N/A
ACCESS,2006/02/11,09:59:50 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (68.22.73.148:DNS).,N/A,N/A
ACCESS,2006/02/11,09:59:50 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (192.168.0.1:DNS).,N/A,N/A
ACCESS,2006/02/11,09:59:52 -5:00 GMT,LiveUpdate Engine COM Module was blocked from sending data to the Internet (192.168.0.1:DNS).,N/A,N/A
ACCESS,2006/02/11,10:00:06 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (64.156.240.51:FTP).,N/A,N/A
ACCESS,2006/02/11,10:00:06 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (65.214.50.147:FTP).,N/A,N/A
ACCESS,2006/02/11,10:00:06 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (208.254.75.146:FTP).,N/A,N/A
ACCESS,2006/02/11,10:00:06 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (209.133.111.3:FTP).,N/A,N/A
ACCESS,2006/02/11,10:05:18 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.6:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:18 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.7:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:18 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.13:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:18 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.30.8:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.63:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.65:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.70:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.55:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.56:HTTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (209.133.111.3:FTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (209.133.111.196:FTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (64.41.192.107:FTP).,N/A,N/A
ACCESS,2006/02/11,10:05:20 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (65.214.50.147:FTP).,N/A,N/A
FWIN,2006/02/11,10:05:30 -5:00 GMT,192.168.0.101:0,192.168.0.102:0,ICMP (type:8/subtype:0)
FWIN,2006/02/11,10:05:32 -5:00 GMT,192.168.0.1:1900,239.255.255.250:1900,UDP
FWIN,2006/02/11,10:05:34 -5:00 GMT,192.168.0.101:1302,192.168.0.102:445,TCP (flags:S)
LOCK,2006/02/11,10:10:00 -5:00 GMT,Symantec NetDetect,209.133.111.3,N/A
LOCK,2006/02/11,10:10:00 -5:00 GMT,Symantec NetDetect,192.168.0.1,N/A
LOCK,2006/02/11,10:10:00 -5:00 GMT,Symantec NetDetect,,N/A
ACCESS,2006/02/11,11:04:14 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
FWIN,2006/02/11,11:04:22 -5:00 GMT,192.168.0.1:1027,192.168.0.102:2869,TCP (flags:S)
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.13:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.15:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (65.169.170.139:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.11:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.56:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.63:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.65:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.70:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.55:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (64.124.186.85:FTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (64.156.240.51:FTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (208.254.75.146:FTP).,N/A,N/A
ACCESS,2006/02/11,11:05:14 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (213.61.6.18:FTP).,N/A,N/A
FWIN,2006/02/11,11:05:36 -5:00 GMT,192.168.0.1:1028,192.168.0.102:2869,TCP (flags:S)
FWIN,2006/02/11,11:06:50 -5:00 GMT,192.168.0.1:1029,192.168.0.102:2869,TCP (flags:S)
ACCESS,2006/02/11,11:10:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.64:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:10:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.56:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:10:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.63:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:10:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (216.200.68.152:FTP).,N/A,N/A
ACCESS,2006/02/11,11:10:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (65.214.50.147:FTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.11:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.29.14:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (204.10.30.9:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (64.156.240.50:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.65:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.70:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.55:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (70.245.59.56:HTTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (209.133.111.196:FTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (216.200.68.151:FTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (64.156.240.51:FTP).,N/A,N/A
ACCESS,2006/02/11,11:15:12 -5:00 GMT,LiveUpdate Engine COM Module was blocked from connecting to the Internet (208.254.75.146:FTP).,N/A,N/A
PE,2006/02/11,11:20:00 -5:00 GMT,Zone Labs Client,70.245.59.55:53,N/A
LOCK,2006/02/11,14:30:42 -5:00 GMT,Generic Host Process for Win32 Services,239.255.255.250,N/A
LOCK,2006/02/11,14:30:44 -5:00 GMT,Generic Host Process for Win32 Services,,N/A
LOCK,2006/02/11,14:30:50 -5:00 GMT,Generic Host Process for Win32 Services,127.0.0.1,N/A
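One way to turn the ranges named in the post above into a repeatable check (an added example, not code from this thread or from any of the tools it mentions): it flags Tcpip NameServer registry values and ZoneAlarm log destinations that fall inside 85.255.112-127 and 69.50.160-191. The log lines it runs on are constructed in the format the post shows; the CIDR notation is my own translation of the ranges.

```python
import ipaddress

# Address ranges the post cites as the rogue DNS servers behind this hijack:
# 85.255.112.0-85.255.127.255 and 69.50.160.0-69.50.191.255, written as CIDR.
ROGUE_RANGES = (
    ipaddress.ip_network("85.255.112.0/20"),
    ipaddress.ip_network("69.50.160.0/19"),
)


def is_rogue(ip: str) -> bool:
    """True if ip (dotted quad, no port) lies inside one of ROGUE_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_RANGES)


def check_nameserver_value(value: str) -> list[str]:
    """Return the rogue resolvers found in a Tcpip NameServer registry value.

    Windows stores the value as a comma- or space-separated list, e.g. the one
    the post found: "85.255.115.30,85.255.112.153". A non-empty result means
    DNS resolution has been redirected; the remediation is to put legitimate
    resolvers in its place rather than to leave the entry deleted.
    """
    servers = value.replace(",", " ").split()
    return [s for s in servers if is_rogue(s)]


def check_zonealarm_log(text: str) -> list[tuple[str, str, str]]:
    """Scan ZoneAlarm log records for traffic to a rogue range.

    Only FWOUT/FWIN/PE records are parsed; their fifth field is the
    destination as "ip:port". ACCESS records carry free text with embedded
    commas and are skipped. Returns (record type, timestamp, destination ip).
    """
    hits = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 5 or fields[0] not in ("FWOUT", "FWIN", "PE"):
            continue
        dest_ip = fields[4].rsplit(":", 1)[0]
        if is_rogue(dest_ip):
            hits.append((fields[0], f"{fields[1]} {fields[2]}", dest_ip))
    return hits


# Constructed sample in the ZoneAlarm format shown in the post. The first two
# records are benign (router DNS); the third is a made-up svchost lookup
# against the first rogue resolver the post found in the registry.
SAMPLE_LOG = """\
FWOUT,2006/02/10,20:55:42 -5:00 GMT,192.168.0.102:1026,192.168.0.1:53,UDP
PE,2006/02/10,21:46:56 -5:00 GMT,Generic Host Process for Win32 Services,192.168.0.1:53,N/A
PE,2006/02/10,21:47:10 -5:00 GMT,Generic Host Process for Win32 Services,85.255.115.30:53,N/A
ACCESS,2006/02/10,21:46:56 -5:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (192.168.0.1:DNS); access was denied.,N/A,N/A
"""

if __name__ == "__main__":
    print("rogue NameServer entries:",
          check_nameserver_value("85.255.115.30,85.255.112.153"))
    for rec_type, when, ip in check_zonealarm_log(SAMPLE_LOG):
        print(f"{rec_type} at {when} -> {ip} (rogue range)")
```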



#2 LDTate

  • Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 12 February 2006 - 09:35 AM

Hello Danoid, welcome to the TC Forum.

Did you add these to your trusted zones?
O15 - Trusted Zone: http://www.netflix.com
O15 - Trusted IP range: http://192.168.0.1

This address was an indication of the Cool Web Search infection.
85.255.112

Let's try this:

Please download the trial version of ewido anti-malware 3.5 here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner, run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 


Proud graduate of TC/WTT Classroom

 


#3 Danoid

  • New Member
  • 5 posts

Posted 12 February 2006 - 03:28 PM

Ah yes Ewido - when this started I used it. It could identify the downloader.ruin, but couldn't remove it.

I've also found and (I thought) removed Cool Web Search in this process.

I did as you requested - it searched 223817 items and found nothing. I'm sorry I forgot to save the log.

Possibly to punish me the computer refused to boot (normally) twice after exiting safe mode. I had to boot in safe mode, then reboot again to get back to normal.

Yes - I entered Netflix and http://192.168.0.1 (my router) as trusted zones. The list of trusted zones is actually longer than that, so how come only those two show up?

Latest HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 4:14:48 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BHR4.1] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.netflix.com
O15 - Trusted IP range: http://192.168.0.1
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...687/mcfscan.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 Danoid

  • New Member
  • 5 posts

Posted 12 February 2006 - 03:39 PM

Any idea what these might be? From Adsspy.txt:

D:\Edited Videos : Šõw¬Âw (1382 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
D:\Edited Videos : Šõw¬Âw (1382 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)

#5 LDTate

  • Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 12 February 2006 - 03:40 PM

Let's see if this helps.

Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter/type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL



I recommend you download RegSeeker. Extract it to its own folder, open it and double-click RegSeeker.exe to start the program.
- Maximize the window and click "Clean registry". Check all sections and click OK.
- When the scan is complete, verify the backup box in the lower left corner is checked, click the "Select all" button, then "Select all" again.
- Right-click within the search results and select Delete.
- Run it again and again, deleting everything it finds, until it finds nothing.
- Reboot and make sure your programs are working properly, that Control Panel and Add/Remove Programs windows open, etc. (basically just do a quick check of everything).
- In the event anything was 'broken', you can open RegSeeker, click Backups and double-click any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot when done.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate (PayPal) for the help you received.

Proud graduate of TC/WTT Classroom


#6 Danoid

Danoid

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 14 February 2006 - 05:19 AM

OK,

I beat on the registry (1300+ items removed), lots of reboots, recleans, removed an unused user account, removed a few unused programs, (hopefully) removed the last of the Symantec 'virus', etc., until I couldn't boot anymore. Then I started up in safe mode, started Ewido, and went to bed.

Woke up this morning and it had rebooted. Good news is it boots normally again, bad news is I lost the 'Please send Microsoft an error log', because I had to reboot again to restore my network connection. I don't know if Ewido ran - I'll try running it again.

There's still a little suspicious traffic that ZoneAlarm reports.

ZoneAlarm Logging Client v6.1.737.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
ACCESS,2006/02/12,21:10:34 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
FWIN,2006/02/12,21:10:44 -5:00 GMT,192.168.0.1:1024,192.168.0.102:2869,TCP (flags:S)
FWIN,2006/02/12,21:12:06 -5:00 GMT,192.168.0.1:1025,192.168.0.102:2869,TCP (flags:S)
FWIN,2006/02/12,21:13:20 -5:00 GMT,192.168.0.1:1026,192.168.0.102:2869,TCP (flags:S)
PE,2006/02/12,21:21:22 -5:00 GMT,Microsoft Excel,127.0.0.1:1067,N/A
PE,2006/02/12,21:30:36 -5:00 GMT,Zone Labs Client,68.22.73.155:53,N/A
ACCESS,2006/02/12,21:50:48 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.101:Port 1039).,N/A,N/A
FWIN,2006/02/12,21:50:52 -5:00 GMT,192.168.0.101:1041,192.168.0.102:139,TCP (flags:S)
ACCESS,2006/02/12,21:50:58 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.101:Port 1030).,N/A,N/A
FWIN,2006/02/12,21:51:20 -5:00 GMT,192.168.0.101:1055,192.168.0.102:80,TCP (flags:S)
FWIN,2006/02/12,21:51:42 -5:00 GMT,192.168.0.101:1056,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/12,21:52:36 -5:00 GMT,192.168.0.101:1062,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/12,21:53:28 -5:00 GMT,192.168.0.101:1067,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/12,21:54:08 -5:00 GMT,192.168.0.101:1080,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/12,21:56:46 -5:00 GMT,192.168.0.101:1097,192.168.0.102:139,TCP (flags:S)
FWIN,2006/02/12,21:56:46 -5:00 GMT,192.168.0.101:0,192.168.0.102:0,ICMP (type:8/subtype:0)
FWIN,2006/02/12,21:56:52 -5:00 GMT,192.168.0.101:1096,192.168.0.102:445,TCP (flags:S)
FWIN,2006/02/12,22:06:34 -5:00 GMT,192.168.0.101:1189,192.168.0.102:139,TCP (flags:S)
FWOUT,2006/02/12,22:06:56 -5:00 GMT,192.168.0.102:138,192.168.0.101:138,UDP
LOCK,2006/02/13,05:16:24 -5:00 GMT,Generic Host Process for Win32 Services,239.255.255.250,N/A
LOCK,2006/02/13,05:16:26 -5:00 GMT,Generic Host Process for Win32 Services,,N/A
LOCK,2006/02/13,05:16:32 -5:00 GMT,Generic Host Process for Win32 Services,127.0.0.1,N/A
ACCESS,2006/02/13,17:01:40 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
ACCESS,2006/02/13,18:12:28 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
FWIN,2006/02/13,18:12:38 -5:00 GMT,192.168.0.1:1024,192.168.0.102:2869,TCP (flags:S)
FWIN,2006/02/13,18:13:50 -5:00 GMT,192.168.0.1:1025,192.168.0.102:2869,TCP (flags:S)
FWIN,2006/02/13,18:15:22 -5:00 GMT,192.168.0.1:1026,192.168.0.102:2869,TCP (flags:S)
ACCESS,2006/02/13,18:18:00 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
FWIN,2006/02/13,18:18:16 -5:00 GMT,192.168.0.1:1027,192.168.0.102:2869,TCP (flags:S)
FWOUT,2006/02/13,20:22:12 -5:00 GMT,192.168.0.102:1032,192.168.0.101:139,TCP (flags:S)
ACCESS,2006/02/13,20:22:16 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
FWIN,2006/02/13,20:22:26 -5:00 GMT,192.168.0.1:1033,192.168.0.102:2869,TCP (flags:S)
FWOUT,2006/02/13,20:23:04 -5:00 GMT,192.168.0.102:1052,192.168.0.101:139,TCP (flags:S)
FWOUT,2006/02/13,20:23:42 -5:00 GMT,192.168.0.102:1056,192.168.0.101:139,TCP (flags:S)
FWIN,2006/02/13,20:23:48 -5:00 GMT,192.168.0.1:1034,192.168.0.102:2869,TCP (flags:S)
FWOUT,2006/02/13,20:24:34 -5:00 GMT,192.168.0.102:1061,192.168.0.101:139,TCP (flags:S)


HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 6:10:12 AM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.netflix.com
O15 - Trusted IP range: http://192.168.0.1
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...687/mcfscan.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
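
The post above judges the ZoneAlarm log by eye ("only traffic from 192.168.0..."). The script below is an added example, not code from the thread or from Zone Labs: it parses rows in the comma-separated layout ZoneAlarm 6.x writes (the layout the posted log shows), buckets every peer as loopback, multicast, LAN (RFC 1918 only) or external, names the well-known service behind each port, and lists the rows a practitioner should actually review. The ports table and the RFC 1918 test are the script's own assumptions; SAMPLE_LOG is constructed in the posted layout, and its 203.0.113.5 row is invented (a documentation address) to show how a non-LAN peer is reported. Note that the posted log does contain one non-LAN destination, the Zone Labs Client's own DNS lookup to 68.22.73.155:53, which a by-eye scan for "192.168.0" misses.

```python
"""Triage a ZoneAlarm 6.x text log: bucket peers (loopback / multicast / LAN /
external) and name the service behind each port.  Added example, not from the
thread or from Zone Labs; row layout and port table are assumptions."""
import ipaddress
from collections import Counter

# Constructed sample in the posted layout.  The 203.0.113.5 row is invented.
SAMPLE_LOG = """\
ACCESS,2006/02/12,21:10:34 -5:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.1:Port 1900).,N/A,N/A
FWIN,2006/02/12,21:10:44 -5:00 GMT,192.168.0.1:1024,192.168.0.102:2869,TCP (flags:S)
PE,2006/02/12,21:30:36 -5:00 GMT,Zone Labs Client,68.22.73.155:53,N/A
FWIN,2006/02/12,21:51:20 -5:00 GMT,192.168.0.101:1055,192.168.0.102:80,TCP (flags:S)
FWIN,2006/02/12,21:56:46 -5:00 GMT,192.168.0.101:0,192.168.0.102:0,ICMP (type:8/subtype:0)
FWIN,2006/02/12,21:56:52 -5:00 GMT,192.168.0.101:1096,192.168.0.102:445,TCP (flags:S)
FWOUT,2006/02/12,22:06:56 -5:00 GMT,192.168.0.102:138,192.168.0.101:138,UDP
LOCK,2006/02/13,05:16:24 -5:00 GMT,Generic Host Process for Win32 Services,239.255.255.250,N/A
FWOUT,2006/02/13,20:22:12 -5:00 GMT,192.168.0.102:1032,192.168.0.101:139,TCP (flags:S)
FWOUT,2006/02/14,01:02:03 -5:00 GMT,192.168.0.102:1040,203.0.113.5:80,TCP (flags:S)
"""

# Ports behind most of the noise in a home-LAN log.
KNOWN_PORTS = {
    53: "DNS",
    80: "HTTP",
    138: "NetBIOS datagram",
    139: "NetBIOS session (SMB)",
    445: "SMB over TCP",
    1900: "SSDP/UPnP discovery",
    2869: "UPnP device host",
}

# "LAN" means RFC 1918 only.  ipaddress.is_private also covers TEST-NET and
# other reserved blocks, which would hide the 203.0.113.5 row.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_endpoint(field):
    """'192.168.0.1:1024' -> ('192.168.0.1', 1024); a bare IP -> (ip, None);
    anything else (a program name such as 'Zone Labs Client') -> (field, None)."""
    host, sep, port = field.rpartition(":")
    if sep and port.isdigit():
        try:
            return str(ipaddress.ip_address(host)), int(port)
        except ValueError:
            pass
    try:
        return str(ipaddress.ip_address(field)), None
    except ValueError:
        return field, None

def classify(ip):
    """Bucket an address by where it can have come from."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    if any(addr in net for net in RFC1918):
        return "lan"
    return "external"

def parse_line(line):
    """Parse one FWIN/FWOUT/PE/LOCK row into a dict; None for header rows and
    for row types that carry no peer address field (ACCESS and the like)."""
    fields = line.rstrip("\n").split(",")
    if len(fields) < 5 or fields[0] not in ("FWIN", "FWOUT", "PE", "LOCK"):
        return None
    kind, date, time, src, dst = fields[:5]
    src_ip, _ = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    # Peer = far end: the source on inbound rows, the destination otherwise.
    # The destination port is the service of interest either way (the local
    # service probed on FWIN, the remote one reached on FWOUT/PE/LOCK).
    peer = src_ip if kind == "FWIN" else dst_ip
    return {
        "kind": kind,
        "when": f"{date} {time}",
        "actor": dst_ip if kind == "FWIN" else src_ip,  # local host or program
        "peer": peer,
        "port": dst_port,
        "service": KNOWN_PORTS.get(dst_port, "?"),
        "proto": fields[5] if len(fields) > 5 else "",
        "bucket": classify(peer),
    }

def summarize(log_text):
    """Parsed rows, per-peer and per-service counts, and the rows whose peer
    lies outside loopback, multicast and RFC 1918 space ('external')."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "records": records,
        "peers": Counter((r["peer"], r["bucket"]) for r in records),
        "services": Counter((r["bucket"], r["service"]) for r in records),
        "external": [r for r in records if r["bucket"] == "external"],
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (peer, bucket), n in report["peers"].most_common():
        print(f"{peer:<18} {bucket:<9} {n} rows")
    for r in report["external"]:
        print(f"REVIEW {r['kind']} {r['when']} {r['actor']} -> {r['peer']}:{r['port']} ({r['service']})")
```

Run it against a real ZoneAlarm log by passing the file contents to summarize(). On the sample it reports the router (192.168.0.1) hitting the UPnP device host port 2869 and another LAN host (192.168.0.101) probing NetBIOS/SMB ports, which is ordinary home-LAN chatter, and flags two rows for review: the PE row to 68.22.73.155:53 and the invented 203.0.113.5 row. An external peer is not proof of compromise, but it is the set of rows worth checking, and the posted conclusion that ZoneAlarm shows only 192.168.0.x traffic would not survive this check.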

#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 February 2006 - 04:34 PM

How's it running now?


#8 Danoid

Danoid

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 14 February 2006 - 07:22 PM

I was going to reply "well." Until it rebooted while I was typing the reply...

Another really odd thing. My DVD burner doesn't show up. It still has power, but it doesn't show in Windows Explorer or Device Manager. It did just before the reboot, I checked. Sometimes it's there, sometimes it's not.

I finally got an Ewido (safe mode) log.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:54:30 AM, 2/14/2006
+ Report-Checksum: EE94E8C5
+ Scan result: No infected objects found.
::Report End

At least ZoneAlarm is only reporting traffic from 192.168.0... which is my local network. Looks like I may have to just live with it. The hardware is 3 years old and has a lot of hours, I keep it plenty cool, guess that isn't enough. Thanks for your guidance.

Edited by Danoid, 14 February 2006 - 07:23 PM.


#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 February 2006 - 07:28 PM

You can use Add/Remove Programs and remove Ewido, it's only a 14 day trial version.

I don't know about the DVD drive. Maybe see if there are any new drivers for it.


Your HJT log looks good.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Click Start > My Computer, select the Tools menu and then Folder Options; after the new window appears select the View tab.
This time select Restore Defaults.
Select Apply, and click OK.




If you don't have these three programs I would recommend that you get them: SpywareBlaster, SpywareGuard and IE-SPYAD. They will add 1000s of sites to your Restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 February 2006 - 08:16 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
