A Sticky Situation, I Think I'm Out Of...

RichD Essex, UK
edited March 2006 in Spyware & Virus Removal
Greetings,

My parents have recently been having a lot of problems with virus/spyware attacks, and as I have a reasonable knowledge of computers it falls to me to try and fix it; however, I would still consider myself somewhat of a novice when it comes to viruses and spyware. Shortly after Christmas I found they had been infected with SmitFraud, which, after hours of tinkering, scanning, more tinkering, more scanning and trawling the internet, I managed to resolve (thanks to this site and one Mr. Trogan). I don't live with my parents and I come home once a month and usually perform a few system scans etc. when here (because I know they don't!). I have today had an alert from PC-cillin informing me that they have been infected with TROJ_RENOS.AA. PC-cillin seems to have cured this but I am a little worried about the state of the system.

Both Spybot and Ad-Aware had been removed from the PC, and Mum and Dad insist it was not done by them. The machine does also tend to run slowly at times, but that may just be down to the fact that my PC is a beast compared to theirs.

Anyway, I have re-installed Ad-Aware and Spybot and removed anything found by them. I have also run a full PC-cillin scan and, as an extra measure, downloaded and installed AVG. I have run HijackThis and I was wondering if someone could take a look at my log to make sure that it is clean and that there isn't anything missing that should be there.

Thanks,

Rich.

Logfile of HijackThis v1.99.1
Scan saved at 19:57:09, on 12/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\BitComet\BitComet.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\admin\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PC-cillin Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

Comments

  • Trogan London, UK
    edited February 2006
    Hi,

    Could you enable everything on startup please and then post a new HJT log.

    Uninstall AVG now that you don't need it (or keep AVG and uninstall the other AV). Having two or more is not a good idea :)
  • RichD Essex, UK
    edited February 2006
    Will do, but I won't be able to until I go home next weekend.

    Cheers

    Rich.
  • RichD Essex, UK
    edited February 2006
    I was using Advanced System Optimizer to disable programs on startup but this has been removed. As I said earlier, Ad-Aware and Spybot had also both been removed.
    I have checked the virus log in PC-Cillin and found a further two attacks which were picked up by realtime scan.
    They were:
    PC-cillin 2003 Log List
    "Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
    "16:25","Real-time Scan","File","TROJ_RENOS.AA","C:\System Volume Information\_restore{6E4AA423-1976-4065-B4C4-9F805ACBF7E5}\RP75\A0016185.dll","Clean Fail","Quarantine Success"
    PC-cillin 2003 Log List
    "Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
    "18:52","Real-time Scan","File","TROJ_ZLOB.BQ","C:\System Volume Information\_restore{6E4AA423-1976-4065-B4C4-9F805ACBF7E5}\RP75\A0016174.exe","Clean Fail","Quarantine Success"
    PC-cillin 2003 Log List
    "Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
    "01:19","Manual Scan","File","TROJ_NASCENE.GEN","C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\GH01PL4W\wmf_dcode[1].wmf","Clean Fail","Quarantine Success"
    PC-cillin 2003 Log List
    "Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
    "09:15","Real-time Scan","File","HTML_MHTREDIR.A","C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\63SR0HKN\nan28[1].htm","Clean Fail","Quarantine Success"

    Can any of these infections target and delete security software, and how do I enable applications on startup without ASO?

    Thanks for your help.

    EDIT

    OK, this is just weird. Windows Update does not seem to work as it keeps failing, and there hasn't been a successful update since before Christmas. I am trying to remove PC-cillin as I am now using AVG, but Windows Installer is missing!!! Thus I can't uninstall!!

    Could this all just be fallout from an attack? Also, Dad has been complaining that PC-cillin was turning itself on when he connected to the internet under his login. I am seriously considering a re-install.
  • Trogan London, UK
    edited February 2006
    It looks like PC-cillin is finding items hiding in the System Restore directory.

    What you need to do is this:
    1. Disable System Restore
    2. Reboot
    3. Enable System Restore
    4. Create a new restore point.
    Instructions on Disabling/Enabling System Restore and creating a restore point can be found here.
    =====


    Download this tool

    Download ATF (Atribune Temp File) Cleaner© by Atribune
    http://www.atribune.org/ccount/click.php?id=1
    It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.

    Run ATF Cleaner
    Double-click ATF Cleaner.exe
    Under Main choose: Select All
    Click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu
    =====


    Let me know how it goes.

    Also post a HJT log please :)
  • RichD Essex, UK
    edited February 2006
    Hello Again,

    Right, while I was waiting for a reply I decided to do an online Panda scan. It showed up 25 pieces of spyware, 2 dialers, and 2 pieces of hackware. Details below. I have also found out that Dad was unable to access the internet at all from his login, but mine and Mum's were fine.

    Incident Status Location

    Adware:adware/wupd Not disinfected Windows Registry
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\admin\Cookies\admin@ad.yieldmanager[1].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\admin\Cookies\admin@adultfriendfinder[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@belnk[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\admin\Cookies\admin@com[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@dist.belnk[2].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\admin\Cookies\admin@searchportal.information[1].txt
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\admin\Cookies\admin@stat.onestat[2].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\admin\Cookies\admin@ad.yieldmanager[1].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\admin\Cookies\admin@adultfriendfinder[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@belnk[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\admin\Cookies\admin@com[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\admin\Cookies\admin@dist.belnk[2].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\admin\Cookies\admin@searchportal.information[1].txt
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\admin\Cookies\admin@stat.onestat[2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\admin\Desktop\SmitRem\smitRem\Process.exe
    Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Ann\Cookies\ann@ask[1].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Ann\Cookies\ann@gostats[2].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\David\Cookies\david@adultfriendfinder[1].txt
    Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\David\Cookies\david@ask[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@belnk[1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\David\Cookies\david@ccbill[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@dist.belnk[2].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\David\Cookies\david@searchportal.information[1].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\David\Cookies\david@webpower[1].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\David\Cookies\david@xiti[1].txt
    Dialer:Dialer.ECG Not disinfected C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9SB3V12L\sexy_blondes[1].exe
    Dialer:Dialer.ECG Not disinfected C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\GH01PL4W\sexy_blondes[1].exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\BitComet\Downloads\smitRem.exe[Process.exe]


    I then followed your above instructions. I assume all of the cookies will have been removed by ATF.

    The Dialer and Hack ware are a bit more worrying.

    I have re-installed Windows over my existing copy to get back InstallShield and Windows Update. Both were successful. I have replaced Windows Firewall with ZoneAlarm free version. PC-cillin has been replaced with AVG.

    While typing this message I received a ZoneAlarm alert, I think, telling me that someone was trying to connect to my PC and that they had been blocked. See attached picture for screen shot.

    I assume this means that the hackware is still present on the system. Below is a new HJT log.
    Logfile of HijackThis v1.99.1
    Scan saved at 19:50:57, on 18/02/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\admin\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140290407765
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140275301250
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    The internet is still not working correctly on my Dad's login. It works fine on mine and my Mum's but not his. I don't think the problem is with the connection but rather something to do with IE. I don't understand why it should only occur on one login.

    Cheers for your help so far. I think I am nearly there.
  • Trogan London, UK
    edited February 2006
    It seems you're doing everything right, so far.

    You may want to print these instructions out!

    Can you download Ad-Aware and SpyBot, if you haven't already. Update the definitions but do not run any scans yet.

    Next, download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/

    When installing the program, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    Once installed, update the definitions to the newest files. Do NOT run a scan yet.
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml


    Once in Safe Mode, scan with Ad-Aware and SpyBot, removing everything they find.

    Please run Ewido
    (Do not use the computer while Ewido is scanning)
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido


    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • RichD Essex, UK
    edited February 2006
    Hello Again,

    I have now done the above. Spybot and Ad-Aware failed to detect anything. Ewido found 7 tracker cookies and the 2 dialers detected by Panda. However, it failed to find any trace of the hackware. Logs below.
    Logfile of HijackThis v1.99.1
    Scan saved at 23:13:34, on 18/02/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\admin\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140290407765
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140275301250
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    ewido anti-malware - Scan report

    + Created on: 23:07:07, 18/02/2006
    + Report-Checksum: B1BAB309

    + Scan result:

    C:\Documents and Settings\Ann\Cookies\ann@e-2dj6wfk4akc5idp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Ann\Cookies\ann@e-2dj6wfkokmdzacp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Ann\Cookies\ann@e-2dj6wfkosidpkbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Ann\Cookies\ann@e-2dj6wfmicmc5alo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Ann\Cookies\ann@e-2dj6wjk4ujazoap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Ann\Cookies\ann@e-2dj6wjlokoajohq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Ann\Cookies\ann@server4.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9SB3V12L\sexy_blondes[1].exe -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\GH01PL4W\sexy_blondes[1].exe -> Dialer.Generic : Cleaned with backup


    ::Report End
    I'm off to bed shortly but I will set another Panda ActiveScan to run overnight and schedule an AVG scan for the early hours.

    Just had another attempt to hack in blocked by Zone.
    Details are: from <voyager.home (192.168.1.2)>

    Am I right in saying this is someone trying to hack in? And would I be right in saying voyager.home is the guy's PC name, with his IP being what is in the brackets? Screen capture below.

    Thanks for your help. Speak to you tomorrow.
  • Trogan London, UK
    edited February 2006
    First, can you remove the following entry with HJT:

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...bridge-c11.cab

    The log is clean.
    =====


    IPs that start with 192.168 are associated with Routers. I DON'T think anyone is hacking into the system and I hope that is true.

    The pic shows NetBIOS. A quick google found me this page.

    It seems to me that there might be some networking problem going on and could be the reason why your dad can't connect on his account?

    I'm not an expert at networking but let me know what you think and i'll ask someone with better knowledge to have a look at this thread.


    Can you do the following on your account and your dads account:

    Go to Start | Run | type cmd | type ipconfig | post back the results here.
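The advice above is to remove one O16 entry and treat the rest of the log as clean. As an added example (not part of the thread and not HijackThis's own code), here is a small triage script that reads log lines in the HijackThis v1.99.1 shape posted above and flags the two things a helper looks at first: O16 (Downloaded Program Files) entries fetched from a host outside a small allowlist, and entries whose backing file is reported missing. The allowlist of trusted O16 hosts and the sample log are the example's own assumptions, constructed from lines visible in the thread; the flags are heuristics for review, not a verdict on any entry.

```python
"""Triage a HijackThis log: flag entries that merit a closer look.

Added example; not from the thread or from HijackThis. The rules below are
assumptions about what a helper checks first, not a definitive judgement.
"""
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis v1.99.1 logs in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c11.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140290407765
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Assumed allowlist: hosts from which an ActiveX (O16) download is expected here.
TRUSTED_O16_HOSTS = {"update.microsoft.com", "acs.pandasoftware.com"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # "O16 - DPF: ..." style entry lines
URL_RE = re.compile(r"https?://\S+")


def parse_entries(log_text):
    """Return (section, body) pairs for lines that are HJT entries, skipping headers and process paths."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def host_of(url):
    """Lower-cased hostname of a URL (urlparse already lower-cases it)."""
    return urlparse(url).hostname or ""


def triage(log_text):
    """Return (section, reason, body) findings for entries worth a second look."""
    findings = []
    for section, body in parse_entries(log_text):
        # A registered component whose DLL is gone is either leftover or was removed from under it.
        if "(file missing)" in body:
            findings.append((section, "file missing", body))
        # O16: code IE downloaded and registered; anything not from an expected host gets reviewed.
        if section == "O16":
            m = URL_RE.search(body)
            if m:
                host = host_of(m.group(0))
                if host not in TRUSTED_O16_HOSTS:
                    findings.append((section, f"O16 download from unlisted host {host}", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Run against the constructed sample it reports the windupdates.com O16 entry and the two "(file missing)" entries (O18 and O20); the Microsoft Update control passes because its host is on the allowlist.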
  • RichD Essex, UK
    edited February 2006
    That would all make sense. We access the internet through a BT VOYAGER adsl router. Kind of similar to voyager.home I feel...

    I'm not sure why that IP would be trying to connect to my PC but I don't know very much about ADSL.

    Also, I just tried logging into my Hotmail account and got an alert saying my PC had been blocked trying to connect to that IP.

    No offence intended, but I'm reluctant to post my ipconfig results as I'm fairly sure that is the info hackers use to get in. If you or any of the other guys from the site feel they can help with regard to getting my dad back online I will happily email the results to them. But having just installed a firewall to stop people getting in, it seems a bit silly posting my details on a website that is open for anyone to view.

    I apologise if I am wrong about that and I certainly don't wish to sound ungrateful. You guys are doing a great job, as this is the second time you have sorted this machine out. Thanks for your help on getting this system clean, and if you know anyone who can help with regard to getting my old man back online I'd be grateful of any advice.
  • Trogan London, UK
    edited February 2006
    That's fine. I should have thought of that first, my apologies. Did you notice anything odd from ipconfig?

    I'm going to pm someone to see if they can offer some advice. :)
  • profdlp The Holy City Of Westlake, Ohio
    edited February 2006
    The IP address trying to gain access to your computer (192.168.1.2) is in an address range reserved for Local computers. On my home network my router's address is 192.168.1.1 - I'm guessing that you may have a Linksys router (they use this range), or that your ISP has configured your connection that way. Are you on DSL or a Cable Modem service?

    To elaborate, Public IP's are used for connecting to remote computers, such as the Short-Media server. The Local ranges have been reserved to make it easy to set up a home or business network where you have a router or other WAN (Wide Area Network) device to handle what is known as NAT (Network Address Translation). My main computer currently has been assigned the address of 192.169.1.105 by my router. When I clicked on this web page the router Translated that address into a Public IP so the Short-Media server would know where to send the page.
    RichD wrote:
    ...No offence intended but im reluctant to post my ipconfig results as im fairly sure that is the info hackers use to get in...
    There are scads of free tools available to read your IP Address. They are no more sinister than someone driving down the street and noticing that the green house on the corner has the number 4592 affixed to the mailbox. It tells them nothing about what is going on inside. (It's the job of your firewall to keep it that way. ;) ) Every time you visit any webpage this information is needed so the site can direct the page to the proper location.

    Sending the info privately is fine, but you are at no real risk posting it publicly - as long as you maintain proper security measures on the machine itself. The fact that you are concerned about it at all indicates that you have developed some excellent anti-hacking habits, though. :)

    Trogan has you well on the way to recovery. I'll keep an eye on this thread and pitch in where I can.

    Lastly, are you still having trouble with the Windows Installer issue? I've attached a program from Microsoft which may get you back in business if you are. :cheers:
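The post above explains the difference between the private ranges handed out behind a NAT router and public Internet addresses, and later in the thread the blocked alerts turn out to be NetBIOS traffic from another 192.168.1.x address. As an added example (not part of the thread and not ZoneAlarm's own code or log format), here is a small script that does that classification mechanically: it parses firewall alert lines in a simple constructed "time src:port -> dst:port proto" shape, labels the source as loopback, link-local, RFC 1918 private, multicast or public, says whether it sits on the same /24 as the PC, and names the destination port where it is a well-known one. The alert lines, the local subnet 192.168.1.0/24 and the port table are the example's assumptions; the script says nothing about what device is at any address.

```python
"""Classify the remote address in a personal-firewall alert.

Added example; not from the thread or from ZoneAlarm. The alert line format
below is an assumption for the example and does not reproduce ZoneAlarm's log.
"""
import ipaddress

# The three RFC 1918 private blocks, spelled out rather than relying on
# ipaddress.is_private, which also covers documentation and other special ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed labels for a few well-known destination ports (NetBIOS is what the thread's alerts showed).
PORT_LABELS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    445: "SMB over TCP",
    80: "HTTP",
}

# Constructed alert lines: a LAN NetBIOS probe like the one in the thread,
# plus loopback, public and link-local sources for comparison.
SAMPLE_ALERTS = [
    "20:49 192.168.1.2:137 -> 192.168.1.3:137 UDP",
    "20:50 127.0.0.1:5000 -> 127.0.0.1:5001 TCP",
    "20:51 203.0.113.9:40000 -> 192.168.1.3:445 TCP",
    "20:52 169.254.10.7:68 -> 255.255.255.255:67 UDP",
]


def classify_address(ip_text):
    """Coarse label for where an address can have come from."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback (this machine)"
    if ip.is_link_local:
        return "link-local (no DHCP lease)"
    if any(ip in net for net in RFC1918):
        return "private LAN (RFC 1918)"
    if ip.is_multicast:
        return "multicast"
    return "public Internet"


def parse_alert(line):
    """Split 'HH:MM src_ip:port -> dst_ip:port PROTO' into a dict."""
    time, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected alert format: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": time, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}


def triage_alert(line, local_subnet="192.168.1.0/24"):
    """Classify one alert: source class, same-LAN flag and what the target port is for."""
    a = parse_alert(line)
    src = ipaddress.ip_address(a["src_ip"])
    same_lan = src in ipaddress.ip_network(local_subnet)
    return {
        "source": a["src_ip"],
        "source_class": classify_address(a["src_ip"]),
        "same_lan_as_pc": same_lan,
        "target": PORT_LABELS.get(a["dst_port"], f"port {a['dst_port']}"),
        "proto": a["proto"],
    }


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        r = triage_alert(line)
        print(f"{r['source']:>15}  {r['source_class']:<28} same LAN: {str(r['same_lan_as_pc']):<5} -> {r['target']} ({r['proto']})")
```

The first sample line, modelled on the alert in the thread, comes out as a private RFC 1918 address on the same /24 as the PC aimed at NetBIOS name service; the 203.0.113.9 line is the contrast case of a genuinely public source hitting SMB.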
  • profdlp The Holy City Of Westlake, Ohio
    edited February 2006
    I didn't want to just edit this into my previous (lengthy) post because I was afraid it might be missed. For a better demonstration of what I was talking about, plus a free test of the efficacy of your firewall, have a visit to this site. Make sure you click the "Proceed" button at the bottom and run the various tests under "ShieldsUP!! Services". (Don't let the warning messages throw you.)
  • RichD Essex, UK
    edited February 2006
    Morning Everyone,

    Nice to meet you, Prof. Cheers for the link. It was really interesting and I now understand what all the numbers in the IP etc. mean.

    The results of the Panda scan I ran overnight showed that the dialers and some of the cookies had been removed, but the "Hackware" and the rest of the tracker cookies were still present. I have deleted the SmitFraud remover process as this seemed to be referenced in the Panda log file. I will run another scan this afternoon and see if it makes a difference.

    --Update--
    Hackware gone. SmitRem was the cause.
    --End--

    The results of ShieldsUP! were really interesting. The file sharing test was passed with flying colours. The first time I ran the common ports test it failed on two out of three of the tests. Four ports were running in stealth mode and the rest were closed (none were open). I then ran the all ports test and that showed all ports running in stealth, which I found odd seeing as the previous test was showing some closed. I'm guessing that Zone has adaptive technology and when ShieldsUP! tried to connect to those ports it turned them to stealth mode. Anyway, I'm happy that this is pretty secure as no information made it through the firewall.

    Now for the interesting bit. I listened to the podcast about LANs. Before I go any further I think it is worth telling you what equipment we have. This is a home setup with one computer attached to the internet via a BT Voyager ADSL router. The router has the IP 192.168.1.1 and the PC has the address 192.168.1.3. The PC may have changed since last night as it has been restarted, so it may have picked up a new IP from DHCP, but I assume the router will keep its IP.

    What I learnt from the podcast says that IP .1 should always be present as it is the router, and given that there is only ever one PC connected to the router there should only be one other IP active on the network. Zone firewall has been blocking connections between IP 192.168.1.3 (my machine) and 192.168.1.2. This suggests someone else is connected to my network? The program which is actioning these connections is svchost. I have included a screen capture below.

    --update--
    I can successfully ping all three IPs and get a response.
    --End--

    Thanks for the patch for Windows Installer, but I reinstalled Windows over the top of my old copy as Windows Update was not working either.

    Any suggestions as to what is going on here would be great.
  • profdlpprofdlp The Holy City Of Westlake, Ohio
    edited February 2006
    Do you have any wireless network devices in use?
  • RichDRichD Essex, UK
    edited February 2006
    No
  • RichDRichD Essex, UK
    edited March 2006
    Hi guys,

    Just posting because I haven't heard anything for a while. I went back home at the weekend and inspected my parents' computer. All seems good on the infections front but the Zone report log shows fifteen or so attempts by this mystery IP to connect or request info from their machine.

    I'm not too worried because Zone is blocking them, but I still don't understand why it should be throwing these warnings up. Is this something I should be worried about or not?

    I fixed my Dad's internet connection by creating a new login account and copying his profile across.

    Sorry to keep harassing you if there is nothing to worry about, but I don't like it when stuff happens that I don't understand.

    Cheers for your help.
  • TroganTrogan London, UK
    edited March 2006
    Is there any way you can post the Zone Alarm report here?
  • RichDRichD Essex, UK
    edited March 2006
    I don't know if it exports or not but there are some screen captures attached to post #8 and #14. I did wonder if it could be some kind of reserved IP used for addressing all networked machines? The attachment in # 14 is an old one but it is more or less the same thing repeated.
  • TroganTrogan London, UK
    edited March 2006
    I don't know what's going on. I'm going to PM someone with more networking knowledge.
  • RichDRichD Essex, UK
    edited March 2006
    Cheers. If you want to move this thread to somewhere more appropriate then go for it.
  • Park_7677Park_7677 Missouri Member
    edited March 2006
    In regards to what's happening in ZoneAlarm:

    Notice both the source and destination IP addresses are local. That means they are started and intended to end on your network, inside your house. They're not meant to go out on the internet. So while ZoneAlarm blocks them (for good reasons, in some cases) it's not always necessary.

    What we see in the picture is port 53 and port 137. Also, two ports over 1024; these are dynamic and used mostly to send traffic out.

    Port 53 - DNS (translates .coms and the like to IPs) - Harmless
    Port 137 - NetBIOS name service (says my IP is 192.168.x.x and computer name is "LivingRoomPC", for example) - Harmless in the good case

    In a bad case, NetBIOS can be exploited to find shared folders and copy malicious stuff to. In a good case, you just want to share your documents with all your PCs. Only a small number of malicious programs actually use NetBIOS shares to spread, so 99% of the time ZoneAlarm is over-protective.

    I've got to leave but will check back on this thread later. Good luck :thumbsup:

    EDIT:// Sorry I forgot to address the 192.168.1.2 address. I will do so when I return in a few.
  • Park_7677Park_7677 Missouri Member
    edited March 2006
    Ok I'm back now. The mystery IP 192.168.1.2 is again, local. Someone can't come in from the internet and get that IP. It can only come from being plugged into the router or wirelessly (does the router have wireless?).

    You can get the MAC of the device that has the IP address and compare it to the OUI for what company makes the device. Maybe it'll give you a hint about something you possibly own. Ping the 192.168.1.2 address. When it's complete type "arp -a" and you'll see a "Physical Address" corresponding to the IP. You can search the OUI here. (top box, first 6 letters/numbers, no hyphens)

    Since you say you do not have a piece of equipment that owns 192.168.1.2, I would try to shut everything down. Router, PC, everything. That will get rid of DHCP leases. Turn everything back on after 60 seconds. Within the router's configuration (http://192.168.1.1) there's a DHCP table option that shows you the leases. Watch it and see if another mystery IP comes back (your computer may take .2 after you power back up).
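An added example, not from anyone in this thread, of the check Park describes: read the `arp -a` and `ipconfig /all` output, pull out the MAC behind 192.168.1.2, reduce it to the six-character OUI prefix the IEEE search wants, and first rule out that the address belongs to one of the PC's own adapters (the bridged-adapter case raised later in the thread). The sample command output, adapter names and the OUI table entries are constructed placeholders.

```python
import re

# Constructed sample of Windows XP "arp -a" output (example data, not from the thread).
ARP_SAMPLE = """\
Interface: 192.168.1.3 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.2           00-11-22-aa-bb-cc     dynamic
"""

# Constructed sample of "ipconfig /all" for the same PC; adapter name and
# addresses are invented for the example.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-0D-0E-0F-10-11
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Placeholder OUI table; real prefixes come from the IEEE registry the post links to.
OUI_TABLE = {"001122": "Example Networks Ltd (placeholder entry)"}

MAC_RE = r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_arp(text):
    """Map IP -> MAC (upper-case, hyphenated) from 'arp -a' output."""
    entries = {}
    for m in re.finditer(r"^\s*" + IP_RE + r"\s+" + MAC_RE + r"\s+\w+", text, re.M):
        entries[m.group(1)] = m.group(2).upper()
    return entries


def local_addresses(text):
    """Map each IP address bound on this PC to its adapter's MAC, from 'ipconfig /all'."""
    result = {}
    current_mac = None
    for line in text.splitlines():
        m = re.search(r"Physical Address[ .]*: " + MAC_RE, line)
        if m:
            current_mac = m.group(1).upper()  # remember the adapter we are inside
            continue
        m = re.search(r"IP Address[ .]*: " + IP_RE, line)
        if m and current_mac:
            result[m.group(1)] = current_mac
    return result


def oui(mac):
    """First three octets without hyphens: the form the OUI search box expects."""
    return mac.replace("-", "")[:6].upper()


def identify(ip, arp_text=ARP_SAMPLE, ipconfig_text=IPCONFIG_SAMPLE):
    """Say whether an address is this PC, a known/unknown LAN device, or not yet seen."""
    local = local_addresses(ipconfig_text)
    if ip in local:
        return f"{ip} is an adapter on this PC (MAC {local[ip]})"
    arp = parse_arp(arp_text)
    if ip not in arp:
        return f"{ip} has no ARP entry; ping it first so the cache is populated"
    prefix = oui(arp[ip])
    vendor = OUI_TABLE.get(prefix, "unknown vendor; look up the OUI")
    return f"{ip} is another device on the LAN: MAC {arp[ip]}, OUI {prefix} ({vendor})"


if __name__ == "__main__":
    for address in ("192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.9"):
        print(identify(address))
```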
  • RichDRichD Essex, UK
    edited March 2006
    Cheers Park, I'll have a look next time I'm home. As far as I know the router does not have wireless capabilities. The router has one USB port which is plugged into the PC and one standard network port which is not in use. I'll try the stuff above and report back, but it may be a couple of weeks before I get a chance to go home. Thanks for your help.
  • RichDRichD Essex, UK
    edited March 2006
    An interesting thought has just occurred to me. Mum and Dad have been having a lot of problems with spyware/trojan attacks since Christmas. I seem to remember reading somewhere that the Smitfraud virus (which they had) somehow opened ports to download more viruses/spyware, though I might be wrong. Is it possible that something is using NetBIOS to find shared folders and download malware? I could be miles off, but that would explain why they have been having so many attacks.
  • TroganTrogan London, UK
    edited March 2006
    I'll leave the network stuff to Park, but if you could post a HJT log from your mum and dad accounts, that would be helpful. Malware is sometimes installed on different accounts...
  • RichDRichD Essex, UK
    edited March 2006
    OK, I have the logs at last; one from each login. My Dad's original account has been deleted as I had to create a new one to get his internet back. I suspect these logs will be clean as any malware is more than likely to be on his account (although he was using mine for a while, but that should be OK now).

    My file:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:30:22, on 14/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140290407765
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140275301250
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Mums File:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:38:12, on 14/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140290407765
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140275301250
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Dads File:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:49:50, on 3/14/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140290407765
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140275301250
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Thanks Again.
  • edited March 2006
    I'm not sure which trojan you had on your system but one such trojan that uses port 1027 is:
    TCP exosee ExoSee 6/20/2004
    TCP ICKiller [trojan] ICKiller 6/23/2003
    UDP exosee ExoSee 6/20/2004

    Ports 0-1023 are well-known ports reserved and used by the OS. Anything slightly above is usually not of concern since the range for the freely used and open ports is 49152-65535. Usually ports between these two ranges are for critical devices, hardware or programs. One definition listed for ports in these ranges is:
    "Microsoft operating systems tend to allocate one or more unsuspected, publicly exposed services (probably DCOM, but who knows) among the first handful of ports immediately above the end of the service port range (1024+)."


    Below are local reserved IP address ranges:
    10.0.0.0 - 10.255.255.255
    192.168.0.0 - 192.168.255.255
    172.16.0.0 - 172.31.255.255
    If you ever see anything about something trying to connect to or from these ranges, do not be alarmed, as it is on your local network. Usually it's from Windows NetBIOS (port 137) or some programs looking to map your local network.
    Any address such as:
    x.x.x.1 is a device such as a router/switch/gateway/modem. .1 addresses cannot be used by computers. If you see any traffic to or from a .1 address do not be alarmed. Usable ip ranges by any other device/computer are .2-254.

    For your HJT:

    The BT Voyager is a program for your DSL you installed on your computer. You can see it in your HJT log:
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    You should actually have ZoneAlarm allow this program to connect to your modem (192.168.x.x).

    You can delete these lines from all PCs as well:
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Your Dad's PC is of concern with this file missing:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    This notifies you when your viruscan/firewall/updates are turned off.

    Unfortunately, really good viruses/trojans are extremely hard to detect with today's scanners. Never rely on just one scanner. For example, AVG may not detect a virus, but F-Prot might detect it. Virus makers can pack viruses so they do not match any known or probable signature known so far. This is why there are many versions of the same viruses, but undetectable until the signatures are updated by the companies. They simply scramble the code and it's undetectable until the signatures are updated.

    Another problem is that they can encode the virus/trojan code to be run only once the file is opened. I'm not sure how to explain it clearly, but the malicious code is not in order and is scrambled so that once the file is executed it runs through the malicious code step by step. Therefore, there is no way to know that the file even has any malicious code in it until tested. Thankfully most virus makers aren't smart enough to do this, but they are getting smarter and smarter, meanwhile the virus scanner companies' methods have hardly improved since the late 1990s.


    If you are concerned about whether a file is infected or not, I would recommend first submitting it to these free websites that use multiple scanners:
    http://virusscan.jotti.org/
    http://www.virustotal.com/flash/index_en.html
    Never rely on one scanner. And if it detects a packer, be VERY cautious about opening the file. Packers hide malicious code.

    If the files are even more complex you can also use Dependency Walker for free:
    http://www.dependencywalker.com/
    This program is a little advanced for the geek-impaired, but can help determine if the file is calling up more files and what exactly the file will do if you execute it.


    I realize this is a lot to read but I hope at least one person found this information useful. :beer:
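An added example (not code from anyone in this thread) that applies the rules in the post above and in Park's earlier one to firewall alert lines: the three private ranges, the .1 gateway convention, the 0-1023 / 1024-49151 / 49152-65535 port bands, and ports 53 and 137, with a count per source so a repeated address like the .2 one stands out. The alert line format and the sample lines are constructed for the example and are not ZoneAlarm's own log format; 203.0.113.7 is a documentation address standing in for an internet host.

```python
import ipaddress
import re
from collections import Counter

# The three private ranges exactly as the post lists them.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports discussed in the thread.
PORT_NAMES = {53: "DNS", 137: "NetBIOS name service"}

# Constructed alert format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>".
ALERT_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample alerts, modelled on the situation in the thread.
SAMPLE_ALERTS = [
    "2006-03-10 21:15:03 UDP 192.168.1.2:137 -> 192.168.1.3:137",
    "2006-03-10 21:15:04 UDP 192.168.1.2:137 -> 192.168.1.3:137",
    "2006-03-10 21:16:10 UDP 192.168.1.1:53 -> 192.168.1.3:1026",
    "2006-03-10 21:20:45 TCP 203.0.113.7:4456 -> 192.168.1.3:137",
]


def port_class(port):
    """Band a port number the way the post describes the ranges."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError(f"port out of range: {port}")


def ip_role(ip_text):
    """'gateway' for a private .1 address, 'local' for other private, else 'internet'."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in LOCAL_RANGES):
        return "gateway" if ip.packed[-1] == 1 else "local"
    return "internet"


def triage(line):
    """Classify one alert line; None if the line does not match the format."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    src_role, dst_role = ip_role(m["src"]), ip_role(m["dst"])
    sport, dport = int(m["sport"]), int(m["dport"])
    # Name the service from whichever side carries a known port.
    service = PORT_NAMES.get(dport) or PORT_NAMES.get(sport) \
        or f"port {dport} ({port_class(dport)})"
    if src_role == "internet":
        verdict = "inbound from the internet; the block is the right outcome"
    elif dst_role == "internet":
        verdict = "outbound to the internet; check which program sent it"
    elif dport in PORT_NAMES or sport in PORT_NAMES:
        verdict = "LAN housekeeping between local addresses; normally benign"
    else:
        verdict = "local-only traffic on an unusual port; identify the device"
    return {"src": m["src"], "src_role": src_role, "dst": m["dst"],
            "dst_role": dst_role, "service": service, "verdict": verdict}


def summarize(lines):
    """Return (blocked attempts per source, per-line triage) for a batch of alerts."""
    results = [t for t in map(triage, lines) if t]
    return Counter(t["src"] for t in results), results


if __name__ == "__main__":
    counts, rows = summarize(SAMPLE_ALERTS)
    for row in rows:
        print(f"{row['src']} ({row['src_role']}) -> {row['dst']} ({row['dst_role']}): "
              f"{row['service']}: {row['verdict']}")
    print("attempts per source:", dict(counts))
```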
  • RichDRichD Essex, UK
    edited March 2006
    That all makes sense. But the problem is that we only have one PC connected to the router and there are no wireless capabilities. I can find 192.168.1.1, which is the router; the connections were between 192.168.1.2 and 192.168.1.3, where .3 is our PC, but I have no idea what .2 is. It was on port 137 and port 1000 and something I can't remember off the top of my head.
  • TroganTrogan London, UK
    edited March 2006
    RichD, I don't know what's going on, but if you like, we can do some other scans to see what they may find?
  • edited March 2006
    I don't know what else could be using the .2 address if nothing else is on the network. You can view all connections active on your PC by going to the MS-DOS prompt and typing: netstat and netstat -n. Check out netstat /? for more options like checking the arp cache: netstat -a.
    I'm assuming that your modem is using the .2 ip address as well as .1

    Type in ipconfig /all in MS-DOS and if the default gateway is .1 that should be your router.
    If you have multiple interface cards or have a bridged adapter that leases 2 IPs from the router, this could be what's using the .2 address. Try pinging the .2 address by typing: ping 192.168.1.2 in MS-DOS. If you get a response then something is connected to the router. Go to Control Panel and click on Network Connections to see all your adapters. Hopefully only your NIC is in here.
    Your modem should be a different ip address from the router. Probably 192.168.0.1. It's not always this address. Since you have DSL, you would have had to set the PPP Location to bridged mode in order to use a router, so you won't be able to ping it, or login to the modem through the web browser interface by typing in http://192.168.0.1

    If you know how to log into your router; there should be a page where you can see all active connections. You should only see your computer(192.168.1.3)
    Just so I'm clear about this, you only have a DSL modem hooked into the router, which your PC is plugged into, and the router has no wireless capabilities, correct? You have two separate devices, or is this a router/modem device?
    voyager.home 192.168.1.2 sounds like your modem since your DSL program is called BT Voyager 205 ADSL Router. But this doesn't sound like a normal IP address for a modem.
    If it's not another adapter on your computer and your default gateway(routers ip) is .1, I'm stumped.