ISP say my system is compromised

HI All - As always, I get here when all else fails.

I have a client's system (Win2k) on a baby network (12 sta.) that is attracting attention by sending out thousands of packets continuously.  The ISP is about to turn off service if we don't 'clean' the system. I have performed the usual due diligence:
NAV
AVG
SpyBot
Windows Defender
Hijackthis   (log follows)

But I'm at a loss

Any ideas appreciated
Thanks,  Pat

Logfile of HijackThis v1.99.1
Scan saved at 8:55:12 PM, on 11/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.njo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


PFSullivanAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
SelvarienConnect With a Mentor Commented:
First, pull the ethernet plug on the PC if permissable. Then clear all the temp/internet file folders from various profiles, check the registry (especially the Run reg and the FilesnamedMRU folder for IE in the registry), write down the things which don't look right. Check the Start menu for All Users, make sure something isn't there that shouldn't be. By the way, Nod32 is good at scanning/detecting viruses, etc., you can use that to bolster AVG's scans. (Use a disc or flash drive to copy over to the infected system.)

After all that, go ahead and put the system back on the network while Task Manager is up and running. See what processes jump to the fore. Obviously this isn't much help if a rootkit's to blame but it's a start.

0
 
r-kCommented:
The HJT log doesn't show anything unusual, except perhaps too few entries. Are you sure the above is a complete list as produced by HJT? Also, try renaming HiJackthis.exe to something else like temp.exe and run it again to see if something was hiding from it.

Is this Win2K workstation or Server?

Can you try the following:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.
0
 
SelvarienCommented:
P.S. If you can find which port the additional packets are being sent through (aside of some obvious/essential ones) you can just close that particular one. There's a command/utility for doing so but the name escapes me at this moment.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
PFSullivanAuthor Commented:
Hi All - Thanks for the input

I renamed the HJT program and the following is an updated report:


Logfile of HijackThis v1.99.1
Scan saved at 6:47:03 PM, on 11/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\autoruns.exe
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

This is the result from Autoruns - I don't see any evil.  Am I missing something important?

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  

+ AVG7_CC      AVG Control Center      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgcc.exe

+ QuickTime Task            Apple Computer, Inc.      c:\program files\quicktime\qttask.exe

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components                  

+ 0                  File not found: About:Home

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler                  

+ Network Neighborhood                  c:\windows\inf\d3ui32.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  

+ AVG7 Find Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgse.dll

+ AVG7 Shell Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgse.dll

+ HyperTerminal Icon Ext      HyperTerminal Applet Library      Hilgraeve, Inc.      c:\windows\system32\hticons.dll

+ LDVP Shell Extensions      Norton AntiVirus      Symantec Corporation      c:\program files\common files\symantec shared\ssc\vpshell2.dll

+ Shell Extensions for RealOne Player      RealPlayer Shell Extensions      RealNetworks, Inc.      c:\program files\real\realone player\rpshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects                  

+ AcroIEHlprObj Class      Adobe Acrobat IE Helper Version 6.0 for ActivieX      Adobe Systems Incorporated      c:\program files\adobe\acrobat 6.0\reader\activex\acroiehelper.dll

+ {53707962-6F74-2D53-2644-206D7942484F}      Bad download blocker      Safer Networking Limited      c:\program files\spybot - search & destroy\sdhelper.dll

Task Scheduler                  

+ Symantec Drmc.job                  c:\program files\common files\symantec shared\symdrmc.exe

+ Tune-up Application Start.job                  File not found: walign

HKLM\System\CurrentControlSet\Services                  

+ Avg7Alrt      AVG Alert Manager      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgamsvr.exe

+ Avg7UpdSvc      AVG Update Service      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgupsvc.exe

+ AVGEMS      AVG E-Mail Scanner      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgemc.exe

+ DefWatch      Virus Definition Daemon      Symantec Corporation      c:\program files\navnt\defwatch.exe

+ Norton AntiVirus Server      Norton AntiVirus      Symantec Corporation      c:\program files\navnt\rtvscan.exe

HKLM\System\CurrentControlSet\Services                  

+ Avg7Core      AVG Scanning Engine      GRISOFT, s.r.o.      c:\windows\system32\drivers\avg7core.sys

+ Avg7RsNT      AVG Resident Anti-Virus Shield      GRISOFT, s.r.o.      c:\windows\system32\drivers\avg7rsnt.sys

+ Avg7RsW      AVG Resident Shield Unload Helper      GRISOFT, s.r.o.      c:\windows\system32\drivers\avg7rsw.sys

+ AvgClean      AVG7 Clean Driver      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgclean.sys

+ AvgTdi      AVG Network connection watcher      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgtdi.sys

+ dmio      NT Disk Manager I/O Driver      VERITAS Software Corp.      c:\windows\system32\drivers\dmio.sys

+ dmload      NT Disk Manager Startup Driver      VERITAS Software Corp.      c:\windows\system32\drivers\dmload.sys

+ E100B      NDIS 5 driver      Intel Corporation      c:\windows\system32\drivers\e100bnt5.sys

+ GEARAspiWDM      CDRom Class Filter Driver      GEAR Software Inc.      c:\windows\system32\drivers\gearaspiwdm.sys

+ NAVAP                  c:\program files\navnt\navap.sys

+ NAVAPEL                  c:\program files\navnt\navapel.sys

+ NAVENG      AV Engine      Symantec Corporation      c:\program files\common files\symantec shared\virusdefs\20061108.024\naveng.sys

+ NAVEX15      AV Engine      Symantec Corporation      c:\program files\common files\symantec shared\virusdefs\20061108.024\navex15.sys

+ Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys

+ SymEvent      Symantec Event Library      Symantec Corporation      c:\program files\symantec\symevent.sys

+ tmcomm      TrendMicro Common Module      Trend Micro Inc.      c:\windows\system32\drivers\tmcomm.sys

+ Winacpci      Modem      Conexant      c:\windows\system32\drivers\winacpci.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  

+ NavLogon                  c:\windows\system32\navlogon.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors                  

+ hpzlnt09            HP      c:\windows\system32\hpzlnt09.dll

+ PDF Port      Acrobat ® PDF Port      Adobe Systems Incorporated.      c:\windows\system32\pdfports.dll

Thanks for your time

Pat
0
 
PFSullivanAuthor Commented:
Almost forgot - I did pull the network cable
0
 
PFSullivanAuthor Commented:
Hi All - I ran the NOD32 package and while the otherprograms found nothing, this found:

W32/XScan

I deleted the file - Was this the cullprit??
Thanks,  Pat
0
 
SelvarienCommented:
At this point you can attach it to the network (with the Task Manager up to see if any programs start'acting up',and probably the Local Area Connection Status window as well). See what happens. You may find everything's fine until you open up IE. In serveral cases of an infected PC I couldn't find anything until I rebooted the PC and opened up Tack managaer asap---then I'd see one or two programs pop up and disappear (same with the Startup folder in Start\Programs). Run in Safe Mode while connected to the network as well, to further test this. With such a small list of programs running, anything else will stick out like a sore thumb.

And if you want to look for a rootkit, go read this:

http://www.wikistc.org/wiki/Detecting_rootkits

In particular:
http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx


If all's well the system should be running at a low hum with no unusual rev-ups.
0
 
SelvarienCommented:
Hmm, X-Scan is a tool for checking out vulnerabilities on a PC. A keylogger, too, IIRC. Not sure it would be sending a ton of packets unless it's sending in real-time.
0
 
PFSullivanAuthor Commented:
Hi Selvarian -
I have been running this system on the net for about 4 Hours - no problems and no internet activity that was uninvited.  I believe it was your NOD32 suggextion that turned the table

Thanks a million,  Pat


0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.