Link to home
Start Free TrialLog in
Avatar of Alexjc01
Alexjc01

asked on

Confused! Is my PC infected or not

I recently ran an a2HijackFree and was astonished at the number of "bads" displayed.

Some I understood, researched and removed until only a few were left.  BUt these few I can't find and don't seem to suffer from the symptoms.  I ran a HijackThis and saved the log file.  It reads as follows.  I'm getting a bit out of my depth here so wondered if somebody can advise if I should be doing something more or not.

Logfile of HijackThis v1.99.1
Scan saved at 20:33:00, on 06/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Lotus\ntmulti.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\ALEXCA~1.R52\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} (NTR ActiveX 1.1.6) - http://www.inquiero.com/inquiero/mod/setup/ntractivex116_14.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

SOLUTION
Avatar of Will Szymkowski
Will Szymkowski
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
It apprears that the hijackthis link didn't work for me...

All you have to do is copy/paste the log that you have above into the textbox and press analyze.

Avatar of Alexjc01
Alexjc01

ASKER

I think I have all those.  I'll run them again but last run found nothing more than a few cookies
Also do the following...

Turn Off System restore

>> Right click, My Computer,
>> Properties
>> Click on the System Restore Tab,
>> Put a checkmark in the box reboot computer into safemode (Press F8 before windows logo)
>> Run the above programs in safemode.

When finished, turn on system restore again.
I did the hijackthis analysis and am virus checking where recommended. Seems to be clean

http://www.hijackthis.de/logfiles/f2619ab6e5d82542c8dbe6a30ec1b977.html

this link is to the results
I don't have a checkbox for 'reboot computer into safemode (Press F8 before windows logo)'

Only turn system restore off!
No, when you turn off system restore reboot the computer and when it starts to load the POST before the windows logo press F8. It will then take you into the Advanced boot menu. From there select Safemode.

Done.  I now have these issues from a2Hijackfree

$statusbad$        1047        TCP        GateCrasher.b, GateCrasher.c

$statusbad$        1050        TCP        MiniCommand

$statusbad$        csrss.exe        %winpath%\        This worm is transmitted via e-mail and attempts to install itself on your computer.
$statusbad$       csrss.exe       %winpath%\winsecurity\       Email-Worm.Win32.Sober.z


Any ideas?
Can you please post the bad entries that you removed? all those entries point to something. You can look at the backup that hijackthis kept for all the fixed entries.

We could only diagnosed\fix malware if I see those bad entries.
What you really did by fixing them is disabling them from running at startup.
You're running in diagnostic startup mode which means you've disabled startup entries while running hijackthis and those entries didn't show in the log.

If you can't find the hijackthis backup, you could just run a Hijackthis startup list.
In Hijackthis "Misc Tools", click on "Generate Startup list log"
checkmark "list also minor sections(full)
checkmark "list empty sections(complete)

and upload the log at http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: just paste the log to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.
http://www.rafb.net/paste/results/2zWFGC51.html

rpggamergirl - followed the second set of instructions and this is the link
Sorry the startup list didn't help maybe because some startup are disabled.
What startup entries did you unchecked in msconfig?


A2HijackFree is claiming you have that Email-Worm.Win32.Sober.z
If so, just go and look for their files in your system.
You might have to show hidden files and folders first.

Look for these files:
C:\WINDOWS\csrss.exe      
C:\WINDOWS\winsecurity\csrss.exe    

Also look for:
C:\Windows\WinSecurity\services.exe  
I unchecked msmsgs and ctfmon recently.  mamsgs seems to re-check itself everytime I boot

I find csrss in C:\\WINDOWS\system32.  I thought that one was OK

I also find services.exe in system32.
those csrss.exe and services.exe in system32 folder are okay.

Are you showing hidden files and folders while looking for these files:?
C:\WINDOWS\csrss.exe      
C:\WINDOWS\winsecurity\csrss.exe    
C:\Windows\WinSecurity\services.exe  


Don't use Search, because if you do, then you need to reconfigure it to search for hidden files and folders because by default it will NOT even if explorer is already showing hidden files.
Does that makes sense? :)
I don't even have a C:\Windows\winsecurity  folder and no C:\WINDOWS\csrss.exe   either
>>I don't even have a C:\Windows\winsecurity  folder and no C:\WINDOWS\csrss.exe   either<<
Well, then A2Hijackfree was giving a false positive report, that's all I can think of.
OK so this being the case, I guess I can assume it's pretty clean?  I thought running a Hijackthis would be the proof.  If the same issues were listed, they muxt be real.  You havn't seen anything else in my Hijack this log tho right?  So probably I should close this issue?
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial