Confused! Is my PC infected or not?

I recently ran a2HijackFree and was astonished at the number of "bads" displayed.

Some I understood, researched and removed until only a few were left. But these few I can't find, and I don't seem to suffer from the symptoms. I ran HijackThis and saved the log file. It reads as follows. I'm getting a bit out of my depth here, so I wondered if somebody can advise whether I should be doing something more or not.

Logfile of HijackThis v1.99.1
Scan saved at 20:33:00, on 06/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Lotus\ntmulti.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\ALEXCA~1.R52\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} (NTR ActiveX 1.1.6) - http://www.inquiero.com/inquiero/mod/setup/ntractivex116_14.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Alexjc01 asked:
rpggamergirl commented:
>>OK so this being the case, I guess I can assume it's pretty clean?  I thought running a Hijackthis would be the proof.<<

If you're not experiencing any problems, then you're clean!
A clean HijackThis log doesn't mean a clean PC anymore, because some malware is now able to hide from a HijackThis scan. HijackThis is mainly for malware and not for viruses/trojans; viruses only appear in HijackThis if they happen to be located in the same place where malware is known to hide.

Your HijackThis log didn't show any malware entries. But the log also shows that you're in diagnostic startup mode, so I assumed you've disabled some startup entries; that's why I asked what they are, because any disabled startup entries do not show up in the scan.
 
Will Szymkowski (Senior Solution Architect) commented:
Hello there,

Here is the link to the HijackThis log: http://www.hijackthis.de/#anl

It appears that there are a few things on your system that may cause some issues. You might also want to download the following programs...

Ewido, http://www.ewido.net/en/download/

Spybot S&D, http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Adaware, http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1

Try those apps; they will more than likely find other stuff on your computer. Just look at the HijackThis log and delete any of the "hits" that it found that are unsafe.

Hope this helps
 
Will Szymkowski (Senior Solution Architect) commented:
It appears that the HijackThis link didn't work for me...

All you have to do is copy/paste the log that you have above into the text box and press Analyze.
Alexjc01 (Author) commented:
I think I have all those. I'll run them again, but the last run found nothing more than a few cookies.
 
Will Szymkowski (Senior Solution Architect) commented:
Also do the following...

Turn off System Restore:

>> Right-click My Computer,
>> Properties,
>> Click on the System Restore tab,
>> Put a checkmark in the box; reboot the computer into Safe Mode (press F8 before the Windows logo),
>> Run the above programs in Safe Mode.

When finished, turn on System Restore again.
 
Alexjc01 (Author) commented:
I did the HijackThis analysis and am virus checking where recommended. It seems to be clean.

http://www.hijackthis.de/logfiles/f2619ab6e5d82542c8dbe6a30ec1b977.html

This link is to the results.
 
Alexjc01 (Author) commented:
I don't have a checkbox for 'reboot computer into safemode (Press F8 before windows logo)'.

Only turn System Restore off!
 
Will Szymkowski (Senior Solution Architect) commented:
No, when you turn off System Restore, reboot the computer, and when it starts to load the POST, before the Windows logo, press F8. It will then take you into the Advanced Boot menu. From there select Safe Mode.
 
Alexjc01 (Author) commented:
Done. I now have these issues from a2HijackFree:

Status: bad    1047         TCP                      GateCrasher.b, GateCrasher.c
Status: bad    1050         TCP                      MiniCommand
Status: bad    csrss.exe    %winpath%\               This worm is transmitted via e-mail and attempts to install itself on your computer.
Status: bad    csrss.exe    %winpath%\winsecurity\   Email-Worm.Win32.Sober.z

Any ideas?
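The two TCP hits above come from a static port-to-name table, so by themselves they say nothing about whether anything is actually listening on the machine. On Windows XP the default dynamic (client-side) port range is 1025 to 5000, so 1047 and 1050 are exactly the local ports an ordinary outbound browser connection gets assigned. The following is an added example, not code from this thread or from a2HijackFree: it parses `netstat -ano` style output (the sample is constructed, not captured from the poster's PC) and separates a real LISTENING socket on a signature port from an ephemeral local port on an outbound connection. The port table and the XP ephemeral range are the only assumptions.

```python
import re

# Port -> name table as quoted from the a2HijackFree report above.
PORT_SIGNATURES = {1047: "GateCrasher.b, GateCrasher.c", 1050: "MiniCommand"}

# Assumption: Windows XP default dynamic (ephemeral) port range, 1025-5000.
XP_EPHEMERAL = range(1025, 5001)

# Constructed `netstat -ano` output (not captured from the poster's machine).
# It deliberately contains one real listener on 1050 and an outbound web
# connection that happened to be assigned local port 1047.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:1050           0.0.0.0:0              LISTENING       1612
  TCP    192.168.1.10:1047      64.233.183.99:80       ESTABLISHED     2288
  TCP    192.168.1.10:1052      64.233.183.99:443      CLOSE_WAIT      2288
  UDP    0.0.0.0:445            *:*                                    4
"""

# One netstat row: proto, local addr:port, foreign addr, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+"
    r"(?:(LISTENING|ESTABLISHED|CLOSE_WAIT|TIME_WAIT|SYN_SENT)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Turn `netstat -ano` text into a list of dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state, pid = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "state": state or "", "pid": int(pid)})
    return rows


def triage_port_hits(rows, signatures=PORT_SIGNATURES):
    """For each signature port, report what the socket table actually shows.

    LISTENER          a process accepts connections on the port: follow the PID
    EPHEMERAL_CLIENT  the port is the local end of an outbound connection
    NON_LISTENING     in use, but neither listening nor in the ephemeral range
    NOT_PRESENT       nothing on that port at all
    """
    verdicts = {}
    for r in rows:
        if r["proto"] != "TCP" or r["lport"] not in signatures:
            continue
        if r["state"] == "LISTENING":
            verdicts[r["lport"]] = ("LISTENER", r["pid"])  # always wins
        elif r["lport"] in XP_EPHEMERAL and r["lport"] not in verdicts:
            verdicts[r["lport"]] = ("EPHEMERAL_CLIENT", r["pid"])
        elif r["lport"] not in verdicts:
            verdicts[r["lport"]] = ("NON_LISTENING", r["pid"])
    for port in signatures:
        verdicts.setdefault(port, ("NOT_PRESENT", None))
    return verdicts


if __name__ == "__main__":
    results = triage_port_hits(parse_netstat(SAMPLE_NETSTAT))
    for port, (verdict, pid) in sorted(results.items()):
        print(f"{port:5d} {PORT_SIGNATURES[port]:30s} {verdict:17s} pid={pid}")
```

Run `netstat -ano` on the machine and feed the text to `parse_netstat()`. A LISTENER verdict is worth chasing by PID (Task Manager or `tasklist /svc`), and even then the PID has to be a process you cannot account for; EPHEMERAL_CLIENT means the tool matched a port number that happened to be in use by an outbound connection, which is what a port-only signature will do all day on an XP box.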
 
rpggamergirl commented:
Can you please post the bad entries that you removed? All those entries point to something. You can look at the backup that HijackThis kept for all the fixed entries.

We can only diagnose/fix malware if I see those bad entries.
What you really did by fixing them is disabling them from running at startup.
You're running in diagnostic startup mode, which means you've disabled startup entries while running HijackThis, and those entries didn't show in the log.

If you can't find the HijackThis backup, you could just run a HijackThis startup list.
In HijackThis "Misc Tools", click on "Generate StartupList log",
checkmark "List also minor sections (full)",
checkmark "List empty sections (complete)",

and upload the log at http://www.ee-stuff.com
Click on the "Expert Area" tab,
type or paste the link to your question,
"Browse" your PC to the location of your HijackThis log and click "Upload".
Copy the resulting URL and post it back here.


OR: just paste the log to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.
 
Alexjc01 (Author) commented:
http://www.rafb.net/paste/results/2zWFGC51.html

rpggamergirl - followed the second set of instructions and this is the link.
 
rpggamergirl commented:
Sorry, the startup list didn't help, maybe because some startup entries are disabled.
What startup entries did you uncheck in msconfig?


a2HijackFree is claiming you have that Email-Worm.Win32.Sober.z.
If so, just go and look for its files in your system.
You might have to show hidden files and folders first.

Look for these files:
C:\WINDOWS\csrss.exe
C:\WINDOWS\winsecurity\csrss.exe

Also look for:
C:\Windows\WinSecurity\services.exe
 
Alexjc01 (Author) commented:
I unchecked msmsgs and ctfmon recently. msmsgs seems to re-check itself every time I boot.

I find csrss in C:\WINDOWS\system32. I thought that one was OK.

I also find services.exe in system32.
 
rpggamergirl commented:
Those csrss.exe and services.exe in the system32 folder are okay.

Are you showing hidden files and folders while looking for these files?
C:\WINDOWS\csrss.exe
C:\WINDOWS\winsecurity\csrss.exe
C:\Windows\WinSecurity\services.exe


Don't use Search, because if you do, then you need to reconfigure it to search for hidden files and folders, because by default it will NOT, even if Explorer is already showing hidden files.
Does that make sense? :)
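Two points rpggamergirl makes in this thread can be turned into a mechanical first pass over a HijackThis 1.99 log: csrss.exe and services.exe are expected only in system32, so the same name running from any other folder is what a worm impersonating them looks like; and the `[MSConfig] ... MSConfig.exe /auto` O4 entry means msconfig is in diagnostic/selective startup, so the log is incomplete. The following is an added example, not code from the thread or from HijackThis itself. SAMPLE_LOG is an excerpt of the log posted above plus one constructed line, C:\WINDOWS\winsecurity\csrss.exe (the path a2HijackFree named), so the path check has something to fire on. It assumes Windows lives at C:\WINDOWS; the "Unknown owner"/"(file missing)" flag marks services to verify by hand (several legitimate IBM services in the posted log carry "Unknown owner"), not malware.

```python
import re

# Binaries that are legitimate only when they run from the system directory.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe"}
# Assumption: Windows installed at C:\WINDOWS (paths are compared lower-cased).
SYSTEM32 = r"c:\windows\system32"

# Excerpt of the HijackThis log posted above, plus ONE constructed line
# (C:\WINDOWS\winsecurity\csrss.exe) so the path check has something to catch.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\winsecurity\csrss.exe
C:\Program Files\Windows Defender\MsMpEng.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HijackThis entry lines look like "O4 - <body>", "R0 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^([RFOM]\d+) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into (running process paths, [(section, body)])."""
    procs, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            procs.append(line)
    return procs, entries


def triage(procs, entries):
    """Return [(flag, text)] for the things a human should verify first."""
    findings = []
    # A core system binary name running from anywhere but system32.
    for path in procs:
        folder, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_PROCESSES and folder.lower() != SYSTEM32:
            findings.append(("SYSTEM_NAME_OUTSIDE_SYSTEM32", path))
    for section, body in entries:
        # msconfig in diagnostic/selective startup: disabled items are not in the log.
        if section == "O4" and body.endswith("MSConfig.exe /auto"):
            findings.append(("DIAGNOSTIC_STARTUP_MODE", body))
        # AppInit_DLLs is loaded into every user32 process; a bare name needs resolving.
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(("APPINIT_DLL", body))
        # Services whose binary is gone or whose vendor string is empty: verify.
        elif section == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append(("SERVICE_VERIFY", body))
    return findings


if __name__ == "__main__":
    for flag, text in triage(*parse_log(SAMPLE_LOG)):
        print(f"{flag:30s} {text}")
```

Paste a full log into `SAMPLE_LOG` (or read it from the saved file) and the first flag is the one that settles the question in this thread: a csrss.exe or services.exe outside system32 is worth a look with hidden files shown, while the copies in system32 are the real ones. The remaining flags are only a to-do list for manual verification; on the posted log, the DIAGNOSTIC_STARTUP_MODE hit is exactly why the expert asked what was unchecked in msconfig.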
 
Alexjc01 (Author) commented:
I don't even have a C:\Windows\winsecurity folder, and no C:\WINDOWS\csrss.exe either.
 
rpggamergirl commented:
>>I don't even have a C:\Windows\winsecurity  folder and no C:\WINDOWS\csrss.exe   either<<
Well, then a2HijackFree was giving a false positive report; that's all I can think of.
 
Alexjc01 (Author) commented:
OK, so this being the case, I guess I can assume it's pretty clean? I thought running HijackThis would be the proof. If the same issues were listed, they must be real. You haven't seen anything else in my HijackThis log though, right? So probably I should close this issue?