3 replies to this topic

[Senor.Afro]

Ok, this is just getting frustrating now - for the past month or so one of the computers on my home network has been down/up loading every night at 11:57 - now ive been through all three, run virus scans, checked running processes, ive now even setup and auto-shutdown on the computers for midnight so whatever the hell's going on is stopped.
but the only computer that didnt setup the auto-shutdown for was mine, mainly coz i use it as an alarm clock too

so now heres the problem, when i check my d/l limit breakdown it still says that im down/up loading hundreds of mbs in the 24hour gap from 11:57 - 11:57 every day!!!

ill post my hijackthis log for u wonderful tech's to show me if theres some process or program that im running that could do this

Logfile of HijackThis v1.99.1
Scan saved at 10:57:24 AM, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Alwil Software\Avast4\aswUpdSv.exe
E:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\Steven De La Mata\Policies\catsrv.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
E:\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
E:\Java\jre1.6.0_05\bin\jusched.exe
E:\DAEMON Tools\daemon.exe
E:\FlashMute\FlashMute.exe
E:\TVersity\Media Server\TVersity.exe
E:\Winamp\winamp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
e:\oracle\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
E:\Oracle\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
E:\TVersity\Media Server\MediaServer.exe
E:\Alwil Software\Avast4\ashMaiSv.exe
E:\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
E:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [catsrv] C:\Documents and Settings\Steven De La Mata\Policies\catsrv.exe
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [avast!] E:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [uTorrent] "E:\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [FlashMute] E:\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "E:\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\Steven De La Mata\Policies\catsrv.exe -AutoStart
O4 - Startup: GIGABYTE VGA Utility.lnk = ?
O4 - Startup: TVersity.lnk = E:\TVersity\Media Server\TVersity.exe
O4 - Startup: Winamp.lnk = E:\Winamp\winamp.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://selftest.supp...rg/ESTPTest.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA10E985-B03A-4021-800F-E81E2283E4B5}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - E:\Oracle\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - e:\oracle\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - E:\Oracle\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - E:\Oracle\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TVersityMediaServer - Unknown owner - E:\TVersity\Media Server\MediaServer.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

Now i know there are some strange processes running, but they can all be explained as drivers or programs i have legitimately installed - so what the hell is downloading constantly from 11:57 every night!!! this is becoming a problem because this can sometimes d/l in excess of a gb a day - leaving me with little to download myself.....PLS HELP!!

PS: i just did a scan with Malwarebytes' anti-malware, here are the results:

Malwarebytes' Anti-Malware 1.09
Database version: 542

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 201008
Time elapsed: 44 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\drv32dta (Password+KeystrokeLogs) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drv32dta\klg.tmp (Password+KeystrokeLogs) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drv32dta\pstore_070730_173339.txt (Password+KeystrokeLogs) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WService.exe (BackDoor.ProRat) -> Quarantined and deleted successfully.

Edited by Senor.Afro, 25 March 2008 - 07:17 PM.

[Senor.Afro]

its been over a week - just BUMPing it to see if anyone could help

[bob4]

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!

• Save and quit any work your doing before beginning the fix.
• All hijackthis logs I ask for should be done in normal mode ( not safe mode)
• These logs should be done last after you have followed my instructions in the previous post.

Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!

P.S. Never bump your topics here or other forums like this one.
As helpers we look for 0 replies to a topic. I found yours by mistake.
Also as volunteers it may take some time to get to the log itself. There are certainly many more logs than there are helpers.



________________________________________________
I am going to check with the creator of Malwarebytes program itself to be sure.
But I do not like at all the looks of these.


C:\WINDOWS\system32\drv32dta\klg.tmp (Password+KeystrokeLogs]) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drv32dta\pstore_070730_173339.txt ((Password+KeystrokeLogs])-> Quarantined and deleted successfully.
C:\WINDOWS\system32\WService.exe (BackDoor.ProRat) -> Quarantined and deleted successfully.



This looks to me as if you could have had both a backdoor trojan and keylogger on this computer

If this is so here is what I recommend you do.



It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files .

The keylogger does just that records every keystroke you make on your computer. Including all passwords and any account information.

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found
here

I suggest you do the following immediately:

• Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
• Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine start by doing the following.




_____________________________
Task Manager
I would like you to open the task manager by pressing simeltaniously
Ctrl+Shift+Esc or cntrl /alt/delete
then go to the processes tab and end the following if present:
by: right clicking on and choosing end process.

catsrv.exe




______________________________
RUN HJT

HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [catsrv] C:\Documents and Settings\Steven De La Mata\Policies\catsrv.exe
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\Steven De La Mata\Policies\catsrv.exe -AutoStart
O4 - Startup: GIGABYTE VGA Utility.lnk = ?

Close that.

___________________________________
Search for and remove
Now I want you to search for and delete the following folder and all it's contents if present. If you need help finding them.
Click start /search/ all files and folders/ look for More advanced options. once in there select the first 3 boxes.
Please just remove the files/folders I listed in BOLD

C:\Documents and Settings\Steven De La Mata\Policies\catsrv.exe




1. Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop

http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

2. Click start/run and copy and Paste this in exactly using the picture below for reference:

"%userprofile%\desktop\combofix.exe" /killall

3. Combo will begin to run DO NOTHING while this is happeneing.

• It will kill a few processes and disconnect you from the internet.
• If by chance it stops prematurly you can re-establish your internet connection by restarting your computer.
• This needs to be done so the program can work most efficiently for you.

Do not attempt to use the internet or anything else while it's doing its job for you.

If when it's completed you can not get on the internet just reboot the computer

Post the log from comboFix for me located in
c:\comboFix.txt

______________________________





Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

• Set Cookie Retention.
  Click on the Options block on the left, then choose Cookies.
  Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  
• Reset Temp File Removal for Regular Use.
  Click on the Options block on the left. Select the Advanced button.
  Check "Only delete files in Windows Temp folders older than 48 hours".
  
  
  Now run the program and click on Run Cleaner
  ( Do not use the Registry function to clean anything with this program. Having anything auto clean your regisrty is risky).

_________________________________

Using Internet Explorer, please do a Kaspersky Online Scan

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure as follows: [list]
• Scan using the following Anti-Virus database:
  [list]
• Extended
  [list]
• Scan Options:[list]
• Scan Archives
• Scan Mail Bases
  
  
• Click OK & have it scan My Computer
• Once the scan is complete, it will provide a report if your system is infected. It does not provide an option to clean/disinfect. We only require a report from it.

Click save report as



[*] Click the Save as Text button to save the file to your desktop and post it in your next reply




Turn off the real time scanner of any existing antivirus program while performing the online scan




_________________________
In your next reply I would like to see:

• A new HJT log
• The report from ComboFix
• The report fromv Kasperskys

[bob4]

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log