Solved

Confused!  Is my PC infected or not

Posted on 2006-07-06
Last Modified: 2010-04-11
I recently ran a2HijackFree and was astonished at the number of "bads" displayed.

Some I understood, researched and removed until only a few were left.  But these few I can't find and don't seem to suffer from the symptoms.  I ran a HijackThis and saved the log file.  It reads as follows.  I'm getting a bit out of my depth here so wondered if somebody can advise if I should be doing something more or not.

Logfile of HijackThis v1.99.1
Scan saved at 20:33:00, on 06/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Lotus\ntmulti.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\ALEXCA~1.R52\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} (NTR ActiveX 1.1.6) - http://www.inquiero.com/inquiero/mod/setup/ntractivex116_14.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Question by:Alexjc01
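The log above is long, but only a handful of section types usually need a human to look at them. The script below is an added example, not part of the original post or of HijackThis, that pulls those out of a v1.99-style log: the O4 MSConfig entry (which means the machine is in diagnostic startup and disabled entries are hidden from the scan, as noted further down the thread), O16 ActiveX downloads from the web, O20 AppInit_DLLs and Winlogon Notify DLLs, O23 services whose file is missing or whose vendor is unknown, and unnamed BHOs. The sample lines are excerpted from the log posted above; the triage rules are the example's own and a hit means "verify this file", not "this is malware".

```python
"""Triage a HijackThis v1.99 log: pull out the entries an analyst checks first.

Added example; not part of the original post or of HijackThis itself.
The sample lines below are excerpted from the log posted in the question.
"""
import re

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis finding line starts with a section tag such as R0, F2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Yield (section, body) for each finding line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log_text):
    """Return (section, reason, body) tuples for entries that deserve a manual look.

    The rules are this example's own encoding of what one checks by hand;
    a hit is a prompt to verify the file on disk, not a verdict.
    """
    findings = []
    for sec, body in parse_entries(log_text):
        if sec == "O4" and "[MSConfig]" in body:
            findings.append((sec, "diagnostic startup: disabled entries are hidden from this log", body))
        elif sec == "O16":
            findings.append((sec, "ActiveX control downloaded from the web; confirm the site is one you use", body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((sec, "AppInit_DLLs is loaded into every process that loads user32.dll", body))
        elif sec == "O20":
            findings.append((sec, "Winlogon Notify DLL runs inside winlogon.exe as SYSTEM", body))
        elif sec == "O23" and "(file missing)" in body:
            findings.append((sec, "service points at a missing file; orphaned entry, remove or explain", body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "no company name in the file's version info; verify the binary", body))
        elif "(no name)" in body:
            findings.append((sec, "unnamed BHO; identify it by CLSID and file path", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:<4} {reason}\n     {body}")
```

Run against a full log, the script leaves the known-vendor O23 services alone (the Symantec line above produces no finding) and prints the seven entries that need a decision, which is roughly the list a helper on a forum like this would walk through.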
17 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 65 total points
ID: 17053518
Hello there,

Here is the link to the hijackthis log: http://www.hijackthis.de/#anl

It appears that there are a few things on your system that may cause some issues. You might also want to download the following programs...

Ewido, http://www.ewido.net/en/download/

Spybot S&D, http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Adaware, http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1

Try those apps; they will more than likely find other stuff on your computer. Just look at the hijackthis log and delete any of the "hits" that it found that are unsafe.

Hope this helps


 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 17053525
It appears that the hijackthis link didn't work for me...

All you have to do is copy/paste the log that you have above into the textbox and press analyze.

 

Author Comment

by:Alexjc01
ID: 17053530
I think I have all those.  I'll run them again but last run found nothing more than a few cookies
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 17053652
Also do the following...

Turn Off System restore

>> Right click, My Computer,
>> Properties
>> Click on the System Restore Tab,
>> Put a checkmark in the box reboot computer into safemode (Press F8 before windows logo)
>> Run the above programs in safemode.

When finished, turn on system restore again.
 

Author Comment

by:Alexjc01
ID: 17053670
I did the hijackthis analysis and am virus checking where recommended. Seems to be clean

http://www.hijackthis.de/logfiles/f2619ab6e5d82542c8dbe6a30ec1b977.html

this link is to the results
 

Author Comment

by:Alexjc01
ID: 17053692
I don't have a checkbox for 'reboot computer into safemode (Press F8 before windows logo)'

Only turn system restore off!
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 17053814
No, when you turn off system restore reboot the computer and when it starts to load the POST before the windows logo press F8. It will then take you into the Advanced boot menu. From there select Safemode.

 

Author Comment

by:Alexjc01
ID: 17054368
Done.  I now have these issues from a2Hijackfree

$statusbad$        1047        TCP        GateCrasher.b, GateCrasher.c

$statusbad$        1050        TCP        MiniCommand

$statusbad$        csrss.exe        %winpath%\        This worm is transmitted via e-mail and attempts to install itself on your computer.
$statusbad$       csrss.exe       %winpath%\winsecurity\       Email-Worm.Win32.Sober.z


Any ideas?
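The first two a2HijackFree hits above are port-number matches: 1047/TCP and 1050/TCP appear in trojan-port lists, so any socket on those ports gets the "bad" label. On Windows XP the default dynamic (ephemeral) range for outbound connections is 1025 to 5000, so a browser talking to a web server will routinely hold exactly those local ports, and a port number on its own says nothing about what owns it. The script below is an added example, not part of the original post or of a2HijackFree, that checks such an alert against `netstat -ano`-style output: a LISTENING socket on the port is worth chasing by PID, an established connection from an ephemeral local port is almost certainly a client, and a port nobody holds means the alert was a signature match only. The netstat lines are constructed, and the column layout (Proto, Local Address, Foreign Address, State, PID) is assumed from XP's `netstat -ano`.

```python
"""Check a port-based "trojan" alert against actual socket state.

Added example; not part of the original post or of a2HijackFree. It assumes the
column layout of Windows XP `netstat -ano` output. The sample output is constructed.
"""

# Default dynamic port range on Windows XP / Server 2003 (changed to 49152+ in Vista).
XP_EPHEMERAL = range(1025, 5001)

# Constructed `netstat -ano` style output. UDP rows have no State column.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.20:1047      64.233.183.99:80       ESTABLISHED     2260
  TCP    192.168.1.20:1050      66.249.93.104:443      ESTABLISHED     2260
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1660
  UDP    0.0.0.0:1047           *:*                                    1012
"""


def parse_netstat(text):
    """Return a list of dicts with proto, local port, state and pid for each socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, _foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, _foreign, pid = parts
            state = ""
        else:
            continue  # malformed row; do not guess
        rows.append({"proto": proto, "lport": int(local.rsplit(":", 1)[1]),
                     "state": state, "pid": int(pid)})
    return rows


def assess_port_alert(port, rows, proto="TCP"):
    """Classify an alert on <proto>/<port> using live socket rows.

    Returns (verdict, pid) where verdict is one of:
      'listening'        a process accepts connections on the port: verify that PID
      'ephemeral-client' the port is only the local end of an outbound connection
      'connected'        a non-ephemeral port with an active connection: verify the PID
      'not-in-use'       nothing holds the port: the alert was a signature match only
    """
    matches = [r for r in rows if r["proto"] == proto and r["lport"] == port]
    listening = [r for r in matches if r["state"] == "LISTENING"]
    if listening:
        return "listening", listening[0]["pid"]
    if matches and port in XP_EPHEMERAL:
        return "ephemeral-client", matches[0]["pid"]
    if matches:
        return "connected", matches[0]["pid"]
    return "not-in-use", None


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE_NETSTAT)
    for alert_port in (1047, 1050, 4444):
        print(alert_port, assess_port_alert(alert_port, sockets))
```

With the constructed data, both flagged ports resolve to `ephemeral-client` owned by the same PID, which is what a browser session looks like; the verdict to act on would be the listener on 4444, and the PID is what to map back to a process (on XP, `tasklist /svc` gives the image name for a PID).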
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17054803
Can you please post the bad entries that you removed? All those entries point to something. You can look at the backup that hijackthis kept for all the fixed entries.

We can only diagnose/fix malware if I see those bad entries.
What you really did by fixing them is disabling them from running at startup.
You're running in diagnostic startup mode, which means you've disabled startup entries while running hijackthis and those entries didn't show in the log.

If you can't find the hijackthis backup, you could just run a Hijackthis startup list.
In Hijackthis "Misc Tools", click on "Generate Startup list log"
checkmark "list also minor sections (full)"
checkmark "list empty sections (complete)"

and upload the log at http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: just paste the log to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.
 

Author Comment

by:Alexjc01
ID: 17054855
http://www.rafb.net/paste/results/2zWFGC51.html

rpggamergirl - followed the second set of instructions and this is the link
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17055486
Sorry, the startup list didn't help, maybe because some startups are disabled.
What startup entries did you uncheck in msconfig?


A2HijackFree is claiming you have that Email-Worm.Win32.Sober.z
If so, just go and look for their files in your system.
You might have to show hidden files and folders first.

Look for these files:
C:\WINDOWS\csrss.exe      
C:\WINDOWS\winsecurity\csrss.exe    

Also look for:
C:\Windows\WinSecurity\services.exe  
 

Author Comment

by:Alexjc01
ID: 17056580
I unchecked msmsgs and ctfmon recently.  msmsgs seems to re-check itself every time I boot

I find csrss in C:\WINDOWS\system32.  I thought that one was OK

I also find services.exe in system32.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17056759
Those csrss.exe and services.exe in the system32 folder are okay.

Are you showing hidden files and folders while looking for these files:?
C:\WINDOWS\csrss.exe      
C:\WINDOWS\winsecurity\csrss.exe    
C:\Windows\WinSecurity\services.exe  


Don't use Search, because if you do, then you need to reconfigure it to search for hidden files and folders, because by default it will NOT even if explorer is already showing hidden files.
Does that make sense? :)
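The point of the exchange above is that the same file name can be legitimate or not depending purely on where it lives: `csrss.exe` and `services.exe` belong in `C:\WINDOWS\system32`, while copies in `C:\WINDOWS\` or `C:\WINDOWS\winsecurity\` are the ones a2HijackFree associated with Sober. The script below is an added example, not part of the original post or of either tool, that encodes that rule as a small baseline of expected directories and classifies image paths against it, case-insensitively, so it works whether a log says `System32` or `system32`. It also expands the `%winpath%` placeholder a2HijackFree printed to `C:\WINDOWS`, which is an assumption for this machine (the HijackThis header shows Windows XP with that path in the process list). The sample paths are constructed, apart from the two a2HijackFree locations and the system32 paths from the thread; the baseline table is deliberately minimal and is the example's own, not a published list.

```python
"""Tell a legitimate system binary from a same-named look-alike by its directory.

Added example; not part of the original post, HijackThis or a2HijackFree.
Assumptions: the Windows directory is C:\WINDOWS (as in the posted log), and the
small EXPECTED_DIRS baseline below is this example's own, not a vendor list.
"""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption for this machine, taken from the posted process list

# Where each well-known XP binary legitimately runs from (minimal baseline; extend as needed).
EXPECTED_DIRS = {
    "smss.exe":     [r"C:\WINDOWS\system32"],
    "csrss.exe":    [r"C:\WINDOWS\system32"],
    "winlogon.exe": [r"C:\WINDOWS\system32"],
    "services.exe": [r"C:\WINDOWS\system32"],
    "lsass.exe":    [r"C:\WINDOWS\system32"],
    "svchost.exe":  [r"C:\WINDOWS\system32"],
    "explorer.exe": [r"C:\WINDOWS"],
}

# Constructed sample: the HijackThis process-list paths plus the two a2HijackFree locations.
SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\csrss.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"%winpath%\csrss.exe",
    r"%winpath%\winsecurity\csrss.exe",
    r"C:\Windows\WinSecurity\services.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\Skype\Phone\Skype.exe",
]


def expand_winpath(path):
    """Replace a2HijackFree's %winpath% placeholder with the assumed Windows directory."""
    return re.sub(r"%winpath%", SYSTEM_ROOT.replace("\\", "\\\\"), path, flags=re.IGNORECASE)


def _norm_dir(path):
    """Normalise a Windows directory for comparison: collapse separators, ignore case."""
    return ntpath.normpath(path).rstrip("\\").lower()


def classify_image(path):
    """Return (verdict, name) for an image path.

    'expected'         name is in the baseline and runs from one of its allowed directories
    'suspect-location' name is in the baseline but runs from somewhere else: inspect the file
    'unknown-binary'   name is not in the baseline; no opinion from this check
    """
    full = expand_winpath(path)
    name = ntpath.basename(full).lower()
    allowed = EXPECTED_DIRS.get(name)
    if allowed is None:
        return "unknown-binary", name
    if _norm_dir(ntpath.dirname(full)) in {_norm_dir(d) for d in allowed}:
        return "expected", name
    return "suspect-location", name


def suspects(paths):
    """Return only the paths whose well-known name runs from an unexpected directory."""
    return [p for p in paths if classify_image(p)[0] == "suspect-location"]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify_image(p)[0]:<16} {expand_winpath(p)}")
```

The check says nothing about a file that is where it should be; a replaced or patched `system32\csrss.exe` would need a hash or signature comparison, which is outside what a path rule can do. What it does catch is exactly the trick the a2HijackFree entries describe: a copy of a trusted name dropped one directory up or into a new subfolder, where a quick glance at Task Manager would not distinguish it.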
 

Author Comment

by:Alexjc01
ID: 17057002
I don't even have a C:\Windows\winsecurity  folder and no C:\WINDOWS\csrss.exe   either
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17057074
>>I don't even have a C:\Windows\winsecurity  folder and no C:\WINDOWS\csrss.exe   either<<
Well, then A2Hijackfree was giving a false positive report, that's all I can think of.
 

Author Comment

by:Alexjc01
ID: 17057202
OK so this being the case, I guess I can assume it's pretty clean?  I thought running a Hijackthis would be the proof.  If the same issues were listed, they must be real.  You haven't seen anything else in my Hijackthis log though, right?  So probably I should close this issue?
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 60 total points
ID: 17057298
>>OK so this being the case, I guess I can assume it's pretty clean?  I thought running a Hijackthis would be the proof.<<

If you're not experiencing any problems, then you're clean!
A clean Hijackthis log doesn't mean a clean pc anymore because some malware are now able to hide from the hijackthis scan. Hijackthis is mainly for malware and not for viruses/trojans; viruses only appear in hijackthis if they happen to be located in the same place where malware are known to hide.

Your hijackthis log didn't show any malware entries. But the log also shows that you're in diagnostic startup mode, so I assumed you've disabled some startup entries that's why I asked what they are because any disabled startup entries does not show up in the scan.
