PC Attacks Router - HJT Log Attached...


7 replies to this topic

#1 ~whirled-peas~ (New Member, Authentic Member, 4 posts)
Interests: Telecom (SIP 235-6797) and computers... they -are- my life!

Posted 29 July 2007 - 07:56 PM

8:21 PM 7/29/2007

I have a D-Link DI-624 router connected to a friend's broadband cable modem which provides me free WiFi internet access. I installed 'Free SMTP Server' (www.softstack.com) to email the router's log data to my inbox, as I'm trying to monitor my screwy hybrid network (below).

Never received a successful email, but found router log now shows floods of 'spoof attacks' -- from MAC address on -my- desktop system! Since uninstalling 'Free SMTP Server', these attacks continue. Task Mgr/Processes shows no trace. Only way to stop attacks is to disable/disconnect the LAN adapter, or shut down the computer. I've even tried System Restore (2 days back) to no avail!

Below is my HJT log. I've also included a short snippet of my router log. I will await direction for what to do next (being thankful my notebook is still working!).

Thanks in advance!
--Tom

= - = - = MY PC SYSTEM CONFIGURATION = - = - =
WinXP Home SP2 (2600) w/ALL security & critical updates
Asus A7N8X-E Deluxe (rev 2) w/AMD Athlon XP 2500+ @1.83GHz
- Phoenix ACPI BIOS Rev 1013 (11/12/2004)
- NVIDIA NFORCE2 Ultra 400 + MCP-T Chipset
- Dual-Channel DDR400 Memory/400 MHz FSB
- 1.00 GB RAM (2x 256MB[s2,3] as DDR, 1x 512MB[s1]) <-- this may need to be reconfigured...


= - = - = MY "SCREWY HYBRID NETWORK" = - = - =
*
* Broadband ----- DI-624 ~~~~~ ENRXWI-G ------- A7N8X-E Dlx (desktop system)
* . . . . . . . . . . . . . .+~~~~~~~ DWL G-120 - - - - Acer Notebook
*
* <pls ignore the dots -- needed the spacing>
*
* -------- = Cat5
* ~~~~~ = WiFi
* - - - - - = USB
* (ENRXWI-G is a Repeater in 'AP Client' mode, to give Cat5 connection)


= - = - = THE HJT LOG = - = - =
Logfile of HijackThis v1.99.1
Scan saved at 7:42:58 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1183347813484
O17 - HKLM\System\CCS\Services\Tcpip\..\{02F089F0-0DC6-4B92-AC3C-4DBE97FDFEC2}: NameServer = <router IP>
O17 - HKLM\System\CCS\Services\Tcpip\..\{E62BA079-03C4-45F7-97EE-E2732155F1D0}: NameServer = <router IP>
O17 - HKLM\System\CS1\Services\Tcpip\..\{02F089F0-0DC6-4B92-AC3C-4DBE97FDFEC2}: NameServer = <router IP>
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = <router IP>
O17 - HKLM\System\CS2\Services\Tcpip\..\{02F089F0-0DC6-4B92-AC3C-4DBE97FDFEC2}: NameServer = <router IP>
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe


= - = - = THE ROUTER LOG = - = - =
Jul/29/2007 21:11:57
Drop TCP packet from WAN src:69.85.107.93:2520 dst:<router IP>:135 Rule: Default deny
Jul/29/2007 21:11:00
Target IP(224.0.0.22), Target Port(3) Packet Dropped
Jul/29/2007 21:11:00
Spoof IP(<desktop IP>), Spoof Port(2150259464)
Jul/29/2007 21:11:00
Spoof Attack fromd MAC(<desktop MAC>) Detect,
Jul/29/2007 21:10:59
Target IP(224.0.0.22), Target Port(3) Packet Dropped
Jul/29/2007 21:10:59
Spoof IP(<desktop IP>), Spoof Port(2150259464)
Jul/29/2007 21:10:59
Spoof Attack fromd MAC(<desktop MAC>) Detect,

Jul/29/2007 21:10:31
Drop UDP packet from WAN src:24.64.60.161:14065 dst:<router IP>:1028 Rule: Default deny
Jul/29/2007 21:10:31
Drop UDP packet from WAN src:24.64.60.161:14065 dst:<router IP>:1027 Rule: Default deny
Jul/29/2007 21:10:30
Drop UDP packet from WAN src:24.64.60.161:14065 dst:<router IP>:1026 Rule: Default deny

...yes, it's a short snippet because I disabled the adapter after about 2 seconds. The 'other' (non-spoof) entries are typical log entries.
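The router log above is short, but its format is regular enough to parse, and parsing it is a better next step than guessing from two seconds of output. What follows is an added example, not code from the post or from D-Link: a Python parser for the DI-624 log lines as they appear in the snippet. It stitches the three lines the router writes per "Spoof Attack" (Target, Spoof IP/Port, MAC) into one event, flags the target as multicast (224.0.0.22 is the all-IGMPv3-routers group, the destination of the IGMPv3 membership reports a Windows XP host sends whenever it joins a multicast group), and flags a "Spoof Port" value above 65535 as something that cannot be a TCP/UDP port, since those are 16-bit. The sample log is constructed in the same shape as the snippet: the WAN source addresses are the ones in the post, the router IP and the desktop IP/MAC are placeholders because the post redacted them, and the `KNOWN_GROUPS` table is my own annotation. Whether the router is mislabelling ordinary IGMP traffic as spoofing is an inference from those two facts, not something the thread establishes.

```python
"""Added example (not from the thread): parse DI-624 style log lines and turn
each 'Spoof Attack' triplet into one annotated event."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the router's format (newest entry first, as in the post).
# 192.0.2.1 stands in for the redacted router IP, 192.168.0.100 and
# 00-11-22-33-44-55 for the redacted desktop IP and MAC.
SAMPLE_LOG = """\
Jul/29/2007 21:11:57
Drop TCP packet from WAN src:69.85.107.93:2520 dst:192.0.2.1:135 Rule: Default deny
Jul/29/2007 21:11:00
Target IP(224.0.0.22), Target Port(3) Packet Dropped
Jul/29/2007 21:11:00
Spoof IP(192.168.0.100), Spoof Port(2150259464)
Jul/29/2007 21:11:00
Spoof Attack fromd MAC(00-11-22-33-44-55) Detect,
Jul/29/2007 21:10:59
Target IP(224.0.0.22), Target Port(3) Packet Dropped
Jul/29/2007 21:10:59
Spoof IP(192.168.0.100), Spoof Port(2150259464)
Jul/29/2007 21:10:59
Spoof Attack fromd MAC(00-11-22-33-44-55) Detect,
Jul/29/2007 21:10:31
Drop UDP packet from WAN src:24.64.60.161:14065 dst:192.0.2.1:1028 Rule: Default deny
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
TARGET_RE = re.compile(r"Target IP\(([\d.]+)\), Target Port\((\d+)\) Packet Dropped")
SPOOF_RE = re.compile(r"Spoof IP\(([\d.]+)\), Spoof Port\((\d+)\)")
MAC_RE = re.compile(r"Spoof Attack from\w* MAC\(([0-9A-Fa-f:-]+)\) Detect")  # tolerates 'fromd'

# Multicast groups a home LAN host normally talks to (my annotation, not the router's).
KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts (IGMP query target)",
    "224.0.0.22": "IGMPv3 membership reports (all IGMPv3 routers)",
    "224.0.0.251": "mDNS",
    "239.255.255.250": "SSDP/UPnP discovery",
}


def parse_log(text):
    """Pair each timestamp line with the message line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    entries, i = [], 0
    while i < len(lines):
        if TS_RE.match(lines[i]) and i + 1 < len(lines):
            entries.append((lines[i], lines[i + 1]))
            i += 2
        else:
            i += 1
    return entries


def annotate(ev):
    """Add the two checks a practitioner applies before calling this an attack."""
    tgt = ip_address(ev["target_ip"])
    ev["target_multicast"] = tgt.is_multicast
    ev["target_group"] = KNOWN_GROUPS.get(
        ev["target_ip"], "unknown multicast group" if tgt.is_multicast else "unicast")
    # TCP/UDP ports are 16-bit; a larger value means no TCP/UDP header was parsed.
    ev["port_plausible"] = 0 <= ev.get("spoof_port", -1) <= 65535
    return ev


def spoof_events(entries):
    """Stitch Target / Spoof IP / MAC lines (in log order) into one event each."""
    events, cur = [], None
    for ts, msg in entries:
        if m := TARGET_RE.search(msg):
            cur = {"time": ts, "target_ip": m.group(1), "target_port": int(m.group(2))}
        elif cur is not None and (m := SPOOF_RE.search(msg)):
            cur["spoof_ip"], cur["spoof_port"] = m.group(1), int(m.group(2))
        elif cur is not None and (m := MAC_RE.search(msg)):
            cur["mac"] = m.group(1).lower()
            events.append(annotate(cur))
            cur = None
    return events


def summarize(events):
    """Count events per source MAC and per target group; count bogus port values."""
    return {
        "by_mac": dict(Counter(ev["mac"] for ev in events)),
        "by_group": dict(Counter(ev["target_group"] for ev in events)),
        "implausible_ports": sum(not ev["port_plausible"] for ev in events),
    }


if __name__ == "__main__":
    evs = spoof_events(parse_log(SAMPLE_LOG))
    for ev in evs:
        print(ev)
    print(summarize(evs))
```

Run against a full export of the router log rather than a two-second snippet: if every event has the same MAC, the same multicast target and a port value that cannot be a port, the next check is on the host (what is joining that group), not a hunt for a hidden process.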



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 10 August 2007 - 05:53 PM

Hello and welcome to the forums

Not sure we're going to find anything but we'll give it a try.

Please download ATF Cleaner by Atribune (download: ATF Cleaner).

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you, combofix.txt. Post that log and a HijackThis log in your next reply.
Note: Do not click the mouse while it's running. That may cause it to stall.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days.

If you would like to donate (PayPal) for the help you received.

Proud graduate of TC/WTT Classroom


#3 ~whirled-peas~ (New Member, Authentic Member, 4 posts)

Posted 10 August 2007 - 06:21 PM

8:11 PM 8/10/2007

Hi, got your msg - ran ATF Cleaner, restarted, ran ComboFix (saved log file to desktop), restarted, ran HijackThis, combined logs... thank you so much for helping. Thanks also for the Classroom link! I'll be checking that out!

--Tom

ComboFix 07-08-09.3 - "New user" 2007-08-10 20:05:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.614 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-10 20:03 51,200 --a------ C:\WINDOWS.0\nircmd.exe
2007-08-10 00:35 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\vlc
2007-08-09 23:54 <DIR> d-------- C:\Program Files\VideoLAN
2007-08-09 17:42 <DIR> d-------- C:\Program Files\Seagate
2007-08-09 15:54 26,680 --a------ C:\WINDOWS.0\system32\drivers\purendis.sys
2007-08-09 15:54 25,528 --a------ C:\WINDOWS.0\system32\drivers\pnarp.sys
2007-08-09 15:54 <DIR> d----c--- C:\WINDOWS.0\system32\DRVSTORE
2007-08-09 15:54 <DIR> d-------- C:\Program Files\Pure Networks
2007-08-09 15:54 <DIR> d-------- C:\Program Files\Common Files\Pure Networks Shared
2007-08-09 15:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\Pure Networks
2007-08-08 00:46 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\BitTorrent
2007-08-08 00:45 <DIR> d-------- C:\Program Files\BitTorrent
2007-08-07 22:41 <DIR> d-------- C:\Program Files\ebcd-0.6.1-pro
2007-08-07 22:36 <DIR> d-------- C:\Downloads
2007-08-07 22:36 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\GetRightToGo
2007-08-07 21:55 18,944 --a------ C:\WINDOWS.0\system32\simptcp.dll
2007-08-06 21:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1.DT\APPLIC~1\Help
2007-08-06 21:44 524,288 --ah----- C:\DOCUME~1\ADMINI~1.DT\NTUSER.DAT
2007-08-06 17:11 <DIR> d-------- C:\Program Files\7-Zip
2007-07-29 11:49 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\Help
2007-07-28 11:38 2,621,440 --a------ C:\DOCUME~1\NEWUSE~1\ntuser.dat
2007-07-24 23:27 94,264 --a------ C:\WINDOWS.0\system32\hcwi2c32.dll
2007-07-24 23:27 90,190 --a------ C:\WINDOWS.0\system32\Bt848WST.DLL
2007-07-24 23:27 639,049 --a------ C:\WINDOWS.0\system32\hcwtvwnd.dll
2007-07-24 23:27 61,440 --a------ C:\WINDOWS.0\system32\Hcwtuner.dll
2007-07-24 23:27 393,216 --a------ C:\WINDOWS.0\system32\hcwsnbd9.dll
2007-07-24 23:27 36,921 --a------ C:\WINDOWS.0\system32\hcwutl32.dll
2007-07-24 23:27 229,432 --a------ C:\WINDOWS.0\system32\hcwpnp32.dll
2007-07-24 23:27 213,050 --a------ C:\WINDOWS.0\system32\Hcwchan.dll
2007-07-24 23:27 192,571 --a------ C:\WINDOWS.0\system32\hcwav.dll
2007-07-24 23:27 139,329 --a------ C:\WINDOWS.0\system32\hcwaud32.dll
2007-07-24 23:27 11,264 --a------ C:\WINDOWS.0\system32\hcwhook.dll
2007-07-24 23:27 106,559 --a------ C:\WINDOWS.0\system32\hcwTVDlg.dll
2007-07-24 23:23 66,048 -ra------ C:\WINDOWS.0\system32\hcwXDS.dll
2007-07-24 23:23 177,152 -ra------ C:\WINDOWS.0\system32\drivers\hcwPP2.sys
2007-07-24 21:52 94,208 --a------ C:\WINDOWS.0\system32\getpntid.exe
2007-07-21 22:41 95,608 --a------ C:\WINDOWS.0\system32\AvastSS.scr
2007-07-21 22:41 94,416 --a------ C:\WINDOWS.0\system32\drivers\aswmon2.sys
2007-07-21 22:41 92,848 --a------ C:\WINDOWS.0\system32\drivers\aswmon.sys
2007-07-21 22:41 783,224 --a------ C:\WINDOWS.0\system32\aswBoot.exe
2007-07-21 22:41 42,912 --a------ C:\WINDOWS.0\system32\drivers\aswTdi.sys
2007-07-21 22:41 26,624 --a------ C:\WINDOWS.0\system32\drivers\aavmker4.sys
2007-07-21 22:41 23,152 --a------ C:\WINDOWS.0\system32\drivers\aswRdr.sys
2007-07-21 22:41 1,060,864 --a------ C:\WINDOWS.0\system32\MFC71.dll
2007-07-21 20:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\Spybot - Search & Destroy
2007-07-21 19:16 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\Lavasoft
2007-07-14 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\Yahoo!
2007-07-11 16:03 5,504 --a------ C:\WINDOWS.0\system32\drivers\MSTEE.sys
2007-07-11 16:02 85,376 --a------ C:\WINDOWS.0\system32\drivers\NABTSFEC.sys
2007-07-11 16:02 53,760 --a------ C:\WINDOWS.0\system32\vfwwdm32.dll
2007-07-11 16:02 19,328 --a------ C:\WINDOWS.0\system32\drivers\WSTCODEC.SYS
2007-07-11 16:02 17,024 --a------ C:\WINDOWS.0\system32\drivers\CCDECODE.sys
2007-07-11 16:02 15,360 --a------ C:\WINDOWS.0\system32\drivers\StreamIP.sys
2007-07-11 16:02 11,136 --a------ C:\WINDOWS.0\system32\drivers\SLIP.sys
2007-07-11 16:02 10,880 --a------ C:\WINDOWS.0\system32\drivers\NdisIP.sys
2007-07-11 15:25 16,128 --a------ C:\WINDOWS.0\system32\drivers\MODEMCSA.sys
2007-07-11 15:24 58,293 --a------ C:\WINDOWS.0\system32\IntelSdi.dll
2007-07-11 15:24 1,903,370 --a------ C:\WINDOWS.0\system32\drivers\IntelS51.sys
2007-07-11 14:29 3,840 --a------ C:\WINDOWS.0\system32\drivers\BANTExt.sys
2007-07-11 14:29 <DIR> d-------- C:\Program Files\Belarc
2007-07-10 19:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\APPLIC~1\nView_Profiles
2007-07-10 19:32 <DIR> d-------- C:\WINDOWS.0\nview
2007-07-10 18:21 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\SystemRequirementsLab
2007-07-10 17:38 1,277 --a------ C:\WINDOWS.0\mozver.dat
2007-07-10 17:10 208,896 --a------ C:\WINDOWS.0\system32\nvudisp.exe
2007-07-10 16:19 208,896 --a------ C:\WINDOWS.0\system32\nvumctl.exe
2007-07-10 15:51 208,896 --a------ C:\WINDOWS.0\system32\nvumpu.exe
2007-07-10 15:42 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\TMP
2007-07-10 14:03 208,896 --a------ C:\WINDOWS.0\system32\NVUninst.exe
2007-07-10 14:01 208,896 --a------ C:\WINDOWS.0\system32\nvusmb.exe
2007-07-10 14:01 <DIR> d-------- C:\WINDOWS.0\system32\ReinstallBackups
2007-07-10 10:52 306,688 --a------ C:\WINDOWS.0\IsUninst.exe
2007-07-10 09:23 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 17:41 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-27 10:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-24 23:30 --------- d-------- C:\Program Files\WinTV
2007-07-11 08:22 97408 --a------ C:\WINDOWS.0\system32\drivers\SI3112r.sys
2007-07-11 08:22 10240 --a------ C:\WINDOWS.0\system32\drivers\SiWinAcc.sys
2007-07-10 16:20 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-07-08 16:23 --------- d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\Talkback
2007-07-08 16:22 0 --a------ C:\WINDOWS.0\nsreg.dat
2007-07-07 15:00 --------- d-------- C:\Program Files\Winamp
2007-06-26 04:15 262912 --a------ C:\WINDOWS.0\system32\drivers\yk51x86.sys
2007-06-19 08:34 --------- d-------- C:\Program Files\Movie Maker
2007-06-19 08:33 21640 --a------ C:\WINDOWS.0\system32\emptyregdb.dat
2007-06-19 07:14 80128 --a------ C:\WINDOWS.0\system32\drivers\parport.sys
2007-06-19 07:14 63744 --a------ C:\WINDOWS.0\system32\drivers\mf.sys
2007-06-19 07:14 61824 --a------ C:\WINDOWS.0\system32\drivers\nic1394.sys
2007-06-19 07:14 60800 --a------ C:\WINDOWS.0\system32\drivers\arp1394.sys
2007-06-19 07:14 52736 --a------ C:\WINDOWS.0\system32\wzcsapi.dll
2007-06-19 07:14 52224 --a------ C:\WINDOWS.0\system32\dmutil.dll
2007-06-19 07:14 476160 --a------ C:\WINDOWS.0\system32\wzcsvc.dll
2007-06-19 07:14 47104 --a------ C:\WINDOWS.0\system32\cnbjmon.dll
2007-06-19 07:14 4352 --a------ C:\WINDOWS.0\system32\drivers\swenum.sys
2007-06-19 07:14 36992 --a------ C:\WINDOWS.0\system32\drivers\amdk6.sys
2007-06-19 07:14 35328 --a------ C:\WINDOWS.0\system32\pid.dll
2007-06-19 07:14 35328 --a------ C:\WINDOWS.0\system32\drivers\processr.sys
2007-06-19 07:14 30080 --a------ C:\WINDOWS.0\system32\drivers\modem.sys
2007-06-19 07:14 25472 --a------ C:\WINDOWS.0\system32\drivers\sonydcam.sys
2007-06-19 07:14 23040 --a------ C:\WINDOWS.0\system32\drivers\mouclass.sys
2007-06-19 07:14 20992 --a------ C:\WINDOWS.0\system32\hid.dll
2007-06-19 07:14 16000 --a------ C:\WINDOWS.0\system32\drivers\usbintel.sys
2007-06-19 07:14 15488 --a------ C:\WINDOWS.0\system32\drivers\mssmbios.sys
2007-06-19 07:14 15360 --a------ C:\WINDOWS.0\system32\pjlmon.dll
2007-06-19 07:14 14592 --a------ C:\WINDOWS.0\system32\drivers\ndisuio.sys
2007-06-19 07:14 12416 --a------ C:\WINDOWS.0\system32\drivers\tunmp.sys
2007-06-19 07:11 86073 --a------ C:\WINDOWS.0\system32\usrfaxa.dll
2007-06-19 07:11 8192 --a------ C:\WINDOWS.0\system32\streamci.dll
2007-06-19 07:11 77891 --a------ C:\WINDOWS.0\system32\usrmlnka.exe
2007-06-19 07:11 77890 --a------ C:\WINDOWS.0\system32\usrdpa.dll
2007-06-19 07:11 77883 --a------ C:\WINDOWS.0\system32\usrrtosa.dll
2007-06-19 07:11 72192 --a------ C:\WINDOWS.0\system32\sprio800.dll
2007-06-19 07:11 70656 --a------ C:\WINDOWS.0\system32\sprio600.dll
2007-06-19 07:11 69700 --a------ C:\WINDOWS.0\system32\usrshuta.exe
2007-06-19 07:11 69699 --a------ C:\WINDOWS.0\system32\usrcoina.dll
2007-06-19 07:11 69632 --a------ C:\WINDOWS.0\system32\spnike.dll
2007-06-19 07:11 61508 --a------ C:\WINDOWS.0\system32\usrprbda.exe
2007-06-19 07:11 61500 --a------ C:\WINDOWS.0\system32\usrcntra.dll
2007-06-19 07:11 58112 --a------ C:\WINDOWS.0\system32\drivers\vdmindvd.sys
2007-06-19 07:11 55296 --a------ C:\WINDOWS.0\system32\dvdplay.exe
2007-06-19 07:11 53305 --a------ C:\WINDOWS.0\system32\usrlbva.dll
2007-06-19 07:11 51712 --a------ C:\WINDOWS.0\system32\drivers\tosdvd.sys
2007-06-19 07:11 49211 --a------ C:\WINDOWS.0\system32\usrvpa.dll
2007-06-19 07:11 49211 --a------ C:\WINDOWS.0\system32\usrsdpia.dll
2007-06-19 07:11 49209 --a------ C:\WINDOWS.0\system32\usrv80a.dll
2007-06-19 07:11 45116 --a------ C:\WINDOWS.0\system32\usrvoica.dll
2007-06-19 07:11 41019 --a------ C:\WINDOWS.0\system32\usrsvpia.dll
2007-06-19 07:11 323641 --a------ C:\WINDOWS.0\system32\usrdtea.dll
2007-06-19 07:11 262528 --a------ C:\WINDOWS.0\system32\drivers\cinemst2.sys
2007-06-19 07:11 23936 --a------ C:\WINDOWS.0\system32\drivers\usbcamd2.sys
2007-06-19 07:11 23808 --a------ C:\WINDOWS.0\system32\drivers\usbcamd.sys
2007-06-19 07:11 21376 --a------ C:\WINDOWS.0\system32\drivers\tsbvcap.sys
2007-06-19 07:11 18688 --a------ C:\WINDOWS.0\system32\drivers\cdaudio.sys
2007-06-19 07:11 157696 --a------ C:\WINDOWS.0\system32\paqsp.dll
2007-06-19 07:11 147968 --a------ C:\WINDOWS.0\system32\mdwmdmsp.dll
2007-06-19 07:11 12160 --a------ C:\WINDOWS.0\system32\drivers\fsvga.sys
2007-06-19 07:11 12032 --a------ C:\WINDOWS.0\system32\drivers\riodrv.sys
2007-06-19 07:11 12032 --a------ C:\WINDOWS.0\system32\drivers\rio8drv.sys
2007-06-19 07:11 12032 --a------ C:\WINDOWS.0\system32\drivers\nikedrv.sys
2007-06-19 07:11 11776 --a------ C:\WINDOWS.0\system32\drivers\cpqdap01.sys
2007-06-19 07:11 102457 --a------ C:\WINDOWS.0\system32\usrv42a.dll
2007-06-19 07:00 360576 --a------ C:\WINDOWS.0\system32\drivers\tcpip.sys
2007-06-19 07:00 140288 --a------ C:\WINDOWS.0\system32\sfc_os.dll
2007-06-19 06:59 984576 --a------ C:\WINDOWS.0\system32\syssetup.dll
2007-06-19 06:57 123392 --a------ C:\WINDOWS.0\system32\input.dll
2007-06-19 06:56 364160 --a------ C:\WINDOWS.0\system32\drivers\update.sys
2007-06-19 06:56 1843968 --a------ C:\WINDOWS.0\system32\win32k.sys
2007-06-19 06:56 144896 --a------ C:\WINDOWS.0\system32\schannel.dll
2007-06-19 06:42 343040 --a------ C:\WINDOWS.0\system32\msvcrt.dll
2007-06-19 06:41 185344 --a------ C:\WINDOWS.0\system32\upnphost.dll
2007-06-19 06:40 292864 --a------ C:\WINDOWS.0\system32\winsrv.dll
2007-06-19 03:00 143488 --a------ C:\WINDOWS.0\system32\drivers\usbport.sys
2007-06-19 01:42 713216 --a------ C:\WINDOWS.0\system32\sxs.dll
2007-06-19 01:42 578048 --a------ C:\WINDOWS.0\system32\user32.dll
2007-06-19 01:42 40960 --a------ C:\WINDOWS.0\system32\mf3216.dll
2007-06-19 01:42 36352 --a------ C:\WINDOWS.0\system32\tsgqec.dll
2007-06-19 01:42 288768 --a------ C:\WINDOWS.0\system32\rhttpaa.dll
2007-06-19 01:42 2854400 --a------ C:\WINDOWS.0\system32\msi.dll
2007-06-19 01:42 282112 --a------ C:\WINDOWS.0\system32\gdi32.dll
2007-06-19 01:42 1866240 --a------ C:\WINDOWS.0\system32\mstscax.dll
2007-06-19 01:42 122880 --a------ C:\WINDOWS.0\system32\oledlg.dll
2007-06-19 01:41 981760 --a------ C:\WINDOWS.0\system32\mfc42u.dll
2007-06-19 01:41 600576 --a------ C:\WINDOWS.0\system32\mstsc.exe
2007-06-19 01:41 36864 --a------ C:\WINDOWS.0\system32\drivers\hidclass.sys
2007-06-19 01:41 116736 --a------ C:\WINDOWS.0\system32\aaclient.dll
2007-06-19 01:40 927504 --a------ C:\WINDOWS.0\system32\mfc40u.dll
2007-06-19 01:40 726528 --a------ C:\WINDOWS.0\system32\lsasrv.dll
2007-06-19 01:40 132096 --a------ C:\WINDOWS.0\system32\wkssvc.dll
2007-06-19 01:40 1084416 --a------ C:\WINDOWS.0\system32\msxml3.dll
2007-06-19 01:39 617472 --a------ C:\WINDOWS.0\system32\comctl32.dll
2007-06-19 01:39 332928 --a------ C:\WINDOWS.0\system32\drivers\srv.sys
2007-06-19 01:39 128768 --a------ C:\WINDOWS.0\system32\drivers\fltMgr.sys
2007-06-19 01:38 72704 --a------ C:\WINDOWS.0\system32\hlink.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 18:22]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2005-06-15 17:20]
"nwiz"="nwiz.exe" [2005-06-15 17:20 C:\WINDOWS.0\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS.0\system32\NvMcTray.dll" [2005-06-15 17:20]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-05-21 10:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

C:\Documents and Settings\New user\Start Menu\Programs\Startup\
Net.Medic.lnk - C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe [2005-11-29 22:01:41]
taskmgr.exe.lnk - C:\WINDOWS.0\system32\taskmgr.exe [2004-08-04 00:56:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideRunAsVerb"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMMyDocs"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMMyDocs"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^D-link AirPlus G DWL-G120 Wireless USB.lnk]
path=C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\D-link AirPlus G DWL-G120 Wireless USB.lnk
backup=C:\WINDOWS.0\pss\D-link AirPlus G DWL-G120 Wireless USB.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^New user^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\New user\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS.0\pss\Microsoft Find Fast.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^New user^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\New user\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS.0\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TermService"=3 (0x3)

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS.0\system32\DRIVERS\SI3112r.sys
R2 pnarp;Network Magic Device Discovery Driver;C:\WINDOWS.0\system32\DRIVERS\pnarp.sys
R2 purendis;Network Magic Wireless Driver;C:\WINDOWS.0\system32\DRIVERS\purendis.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS.0\system32\tcpsvcs.exe
R3 hcwPP2;Hauppauge WinTV PVR PCI II ([23|25|26]xxx);C:\WINDOWS.0\system32\DRIVERS\hcwPP2.sys
R3 IntelS51;Intel® 536EP Modem;C:\WINDOWS.0\system32\DRIVERS\IntelS51.sys
R3 NVENET;NVIDIA nForce Networking Controller Driver;C:\WINDOWS.0\system32\DRIVERS\NVENET.sys
S3 ASUSHWIO;ASUSHWIO;\??\C:\WINDOWS.0\system32\drivers\ASUSHWIO.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS.0\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 PRISM_A02;D-link AirPlus G DWL-G120 WLAN USB Driver;C:\WINDOWS.0\system32\DRIVERS\PRISMA02.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS.0\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService WebClient LmHosts upnphost SSDPSRV


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 20:06:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 20:06:53

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 8:15:08 PM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\tcpsvcs.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
C:\WINDOWS.0\system32\taskmgr.exe
C:\Program Files\VitalSigns\Net.Medic\Program\syshook.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\system32\notepad.exe
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

IPs removed:

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - Startup: Net.Medic.lnk = C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS.0\system32\taskmgr.exe
O4 - Startup: wizmo.exe.lnk = C:\WINDOWS\wizmo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1183347813484

IPs removed:

O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS.0\System32\ups.exe (file missing)

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 10 August 2007 - 07:09 PM

I don't see anything bad, if those IP addresses are right.

I suggest you go over to our Other Computer Problems forum and post a topic there explaining the issues you're having. They're really good with this type of issue.

Also let them know your HijackThis log has been cleaned.

http://forums.tomcoy...oblems_f83.html



#5 ~whirled-peas~ (New Member, Authentic Member, 4 posts)

Posted 10 August 2007 - 07:37 PM

9:26 PM 8/10/2007

I specifically checked those entries (IPs) and they are correct. I also should tell you the 'attacks' on the router stopped showing up in the router log after I installed Network Magic. I really don't like the application - it doesn't really seem to do anything special, but - it *did* get those attacks stopped where I could have my desktop system back online and have some bandwidth, too. Unfortunately, because I don't care for Network Magic, I was going to look for something else - or just go all-static IPs and kill DHCP in my D-Link DI-624.

Thank you, LDTate, for your time and trouble. I will follow up in "Other Computer Problems" as soon as I finish composing my Classroom entrance request email. Many, many 'thank you's!

--Tom

#6 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 10 August 2007 - 07:43 PM

I removed the IP's. I'm sure the OCP tech can help.



#7 ~whirled-peas~ (New Member, Authentic Member, 4 posts)

Posted 10 August 2007 - 07:48 PM

Thank you so much again! I can't wait to get through 'boot camp' and start helping folks out here... I know how much better *I* feel now...

--Tom

PS - any quick suggestions on how I *should* have pursued auto-emailing my router logs? Maybe a link? It's a D-Link DI-624 (rev C). If not, I'll go bother the folk at OCP. (grin)
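The question above (how to get the router's log e-mail into an inbox without a third-party SMTP product) gets no answer in the thread. As an added example that is not from the thread, from D-Link or from 'Free SMTP Server', here is the piece that product was standing in for: a minimal SMTP sink, written in Python, that accepts one message per connection from the router and writes the body to a file. It implements only the commands a router's mail client needs (HELO/EHLO, MAIL, RCPT, DATA with dot-unstuffing, RSET, NOOP, QUIT), never relays and never authenticates, which is exactly why it must listen only on the LAN address the router can reach and be blocked from the WAN side. The hostname `logsink.lan`, the output directory `router-logs`, the addresses in the scripted session and the assumption that the DI-624's e-mail alert settings are pointed at this host on port 25 are all placeholders of mine.

```python
"""Added example (not from the thread): a minimal SMTP sink for router log e-mail."""
import os
import socket
import time


class SmtpSink:
    """One SMTP session as a line-oriented state machine.  Just enough of
    RFC 5321 to accept a message; no relaying, no authentication, so it must
    only be reachable from the LAN segment the router sits on."""

    def __init__(self, hostname="logsink.lan"):      # placeholder hostname
        self.hostname = hostname
        self.messages = []                            # accepted messages, oldest first
        self.reset()

    def reset(self):
        self.sender, self.rcpts, self.body, self.in_data = None, [], [], False

    def greeting(self):
        return f"220 {self.hostname} log sink ready"

    @staticmethod
    def _addr(arg):
        # "FROM:<router@lan>" -> "router@lan"
        return arg.split(":", 1)[-1].strip().strip("<>")

    def feed(self, line):
        """Handle one client line; return the reply, or None while inside DATA."""
        if self.in_data:
            if line == ".":                           # end-of-message marker
                self.in_data = False
                self.messages.append({"from": self.sender, "to": list(self.rcpts),
                                      "body": "\n".join(self.body)})
                self.reset()
                return "250 OK: message accepted"
            # RFC 5321 dot-stuffing: a body line beginning with '.' arrives as '..'
            self.body.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.sender = self._addr(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 bad sequence: MAIL first"
            self.rcpts.append(self._addr(arg))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 bad sequence: RCPT first"
            self.in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.reset()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "502 command not implemented"


def run_session(sink, client_lines):
    """Drive a sink with a scripted client; returns the replies (offline use)."""
    return [r for r in (sink.feed(l) for l in client_lines) if r is not None]


def serve(bind_addr, port=25, outdir="router-logs"):
    """Accept one connection at a time; write each accepted message to a file.
    bind_addr must be the LAN-side address, never 0.0.0.0 on a dual-homed host."""
    os.makedirs(outdir, exist_ok=True)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        while True:
            conn, peer = srv.accept()
            sink = SmtpSink()
            with conn, conn.makefile("rwb") as f:
                f.write((sink.greeting() + "\r\n").encode())
                f.flush()
                for raw in f:
                    reply = sink.feed(raw.decode("latin-1").rstrip("\r\n"))
                    if reply is not None:
                        f.write((reply + "\r\n").encode())
                        f.flush()
                    if reply and reply.startswith("221"):
                        break
            for msg in sink.messages:
                name = time.strftime("%Y%m%d-%H%M%S") + f"-{peer[0]}.txt"
                with open(os.path.join(outdir, name), "w") as out:
                    out.write(msg["body"])


if __name__ == "__main__":
    serve("192.168.0.100")   # placeholder: the desktop's LAN address
```

Port 25 needs administrator rights on the listening host, and the router's alert settings must use that host's LAN address as the SMTP server. Because the sink accepts anything without authentication, keep the router's own firewall dropping inbound WAN traffic to the port (the log above already shows "Default deny" doing that for other ports) and do not forward it.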

#8 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 10 August 2007 - 08:11 PM

Thank you so much again! I can't wait to get through 'boot camp' and start helping folks out here... I know how much better *I* feel now...

--Tom

PS - any quick suggestions on how I *should* have pursued auto-emailing my router logs? Maybe a
link? It's a D-Link DI-624 (rev C). If not, I'll go bother the folk at OCP. (grin)

Go ask them :rofl:

