Spyware help

[[BTF]Sigma]

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:52:24 AM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\DOCUME~1\ANOTHE~1.ANO\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis_v2.zip\HiJackThis_v2.exe

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182716003500
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0217811183308650) (0217811183308650mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\021781~1.EXE
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 6694 bytes



I am noticing high usage of my network connection that is slowing everything wlse down. Since resetting my network connection I have 3,000,000bytes sent and over 9,000,000 received in the last 20mins

[reaper]

if you do a netstat -a , and netstat -s 5

[reaper]

ah, looks like even netstat will display the process associated with the connection.

[reaper]

yeah, ntop would work great: so you would look at ntop for the high traffic on a certain protocol (dns, http), so say it's .. http, then you look at netstat -b and see what process is tied to that protocol (keep in mind the timing), then you got your offender of network usage.

[Carnage]

Active Ports which is a free utilty will also help you figure out who is connected to you and what port they are connected on.

http://www.download.com/Active-Ports/3000-2085_4-10121832.html

[[BTF]Sigma]

Here we go again....

Been having Firefox open pages from "Agloclo.com" and "Bonjour" I think I managed to nix the bonjour pop-up but the agloco one is quite persistent. I use the NoScript Plugin for firefox so the site opens but NoScript blocks all the content.

Halp mee!!!



Logfile of HijackThis v1.99.1
Scan saved at 1:15:25 PM, on 9/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\windows\system32\msnmsg.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Mcafee\MWL\MWLGui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MonAppli] C:\windows\system32\msnmsg.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188012740812
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor -   - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

[reaper]

you already run Spybot, and Lava soft Adware, with updates, along with an anti-virus scan?

[Whirlingdervish]

looks like he's using McAffee Viruscan and Spybot too (teatimer is in there, and there are reg entries for MVS)

 

[[BTF]Sigma]

you already run Spybot, and Lava soft Adware, with updates, along with an anti-virus scan?

Yup, yeah, those too, and uh-huh. Shit still hits me.

looks like he's using McAffee Viruscan and Spybot too (teatimer is in there, and there are reg entries for MVS)

 

So does this mean whatever I have is hooked into a process that hides it from these programs?

[DWxchzrles]

rootkit?

i use these

ad-aware 2007
avg anti-spyware
bazooka
emco malware destroyer
spybot search & destroy
spyware doctor
windows defender
spyware blaster
blacklight rootkit eliminator
mcafee security center

everything is up to date

[Whirlingdervish]

you already run Spybot, and Lava soft Adware, with updates, along with an anti-virus scan?

Yup, yeah, those too, and uh-huh. Shit still hits me.

looks like he's using McAffee Viruscan and Spybot too (teatimer is in there, and there are reg entries for MVS)

 

So does this mean whatever I have is hooked into a process that hides it from these programs?

it could also be hooked to the startup routine early on, so that it runs prior to teatimer and MVS.
I've seen some of the more resilient adware/spyware programs do this.

This could be a real pain to destroy.


I noticed one thing that looked kinda funny to me:

what's this and why is it in your system32 folder?


C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


usually legit windows components will have lowercase file names.
(not always the case, but a majority of the time it is)

3rd party stuff in that folder will often have files that have uppercase characters in them.
It could easily be legit, but I can't think of any useful software that it could be a part of, and why it would be running in the background..

 


EDIT:
disregard this, it seems to be part of a new Battlefield 2 update, which you probably play.
I think it's some sort of anticheat.
http://forums.bf2s.com/viewtopic.php?pid=1742338

funny thing is, even the bf2 players think it's spyware. 


Back to the drawing board...

[[BTF]Sigma]

Thanks for your investigation. Yeah it's punkbuster... if memory serves me it's the standard for popular multiplayer games post Q3.

[reaper]

see if you got a hacked version of trend micro security.

[[BTF]Sigma]

Running your checks ATM...


Hmmm.... found a process running called msnmsg.exe in my system32 dir.

Since I loathe talking on msn these days and haven't installed messenger it's a little odd.

Looking into the already installed version that comes with XP it's executable is msnmsgs.exe ...... the official one has a "s" on the end of it.


Read from...http://www.sophos.com/security/analyses/w32rbotgo.html
W32/Rbot-GO is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Rbot-GO spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers and exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP).

W32/Rbot-GO can be controlled by a remote attacker over IRC channels.

W32/Rbot-GO moves itself to the file MSNMSG.EXE in the Windows system folder and creates entries at the following locations in the registry so as to run itself on Windows login:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
msn = msnmsg.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
msn = msnmsg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
msn = msnmsg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
msn = msnmsg.exe

W32/Rbot-GO may also set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-GO attempts to terminate processes relating to the following files:

regedit.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
taskmon_exe
wincfg32.exetaskmon.exe
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe

[[BTF]Sigma]

Reap... here's the optput of the netstat scan.

                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

C:\Documents and Settings\Mark>netstat -b -a -n

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1220
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       1644
  C:\WINDOWS\system32\httpapi.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    0.0.0.0:6636           0.0.0.0:0              LISTENING       2824
  [MwlSvc.exe]

  TCP    0.0.0.0:6646           0.0.0.0:0              LISTENING       1980
  [mcnasvc.exe]

  TCP    127.0.0.1:1109         0.0.0.0:0              LISTENING       3484
  [alg.exe]

  TCP    192.168.1.101:139      0.0.0.0:0              LISTENING       4
  [System]

  TCP    127.0.0.1:3039         127.0.0.1:3040         ESTABLISHED     2812
  [FIREFOX.EXE]

  TCP    127.0.0.1:3040         127.0.0.1:3039         ESTABLISHED     2164
  [mcproxy.exe]

  TCP    127.0.0.1:3042         127.0.0.1:3043         ESTABLISHED     2812
  [FIREFOX.EXE]

  TCP    127.0.0.1:3043         127.0.0.1:3042         ESTABLISHED     2164
  [mcproxy.exe]

  TCP    127.0.0.1:3045         127.0.0.1:3046         ESTABLISHED     2812
  [FIREFOX.EXE]

  TCP    127.0.0.1:3046         127.0.0.1:3045         ESTABLISHED     2164
  [mcproxy.exe]

  TCP    192.168.1.101:3041     72.14.255.99:80        ESTABLISHED     2164
  [mcproxy.exe]

  TCP    192.168.1.101:3044     64.233.167.104:80      ESTABLISHED     2164
  [mcproxy.exe]

  TCP    192.168.1.101:3047     74.53.71.226:80        ESTABLISHED     2164
  [mcproxy.exe]

  TCP    192.168.1.101:1660     89.78.133.2:16486      FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:1685     89.159.67.214:3854     FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:2158     82.201.233.143:14837   FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:2196     81.233.48.12:53281     FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:2200     213.22.83.131:11911    FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:2219     69.205.207.115:56710   FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:2447     190.154.70.21:57936    FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:2554     89.174.76.21:44394     FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:2644     212.165.166.32:54556   FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:2661     82.41.67.81:25075      FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:3267     194.69.207.135:8082    FIN_WAIT_2      3276
  [System]

  TCP    192.168.1.101:14803    24.147.81.220:2067     FIN_WAIT_2      3276
  [System]

  TCP    192.168.1.101:14803    58.8.129.56:3401       FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    67.68.105.187:1403     FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    67.175.229.171:59288   FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    72.150.227.76:1868     FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    76.26.58.239:2414      FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    76.110.34.111:2696     FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    79.119.190.171:4434    FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    83.176.71.43:3552      FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    83.226.223.192:4334    FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    84.139.16.137:63355    FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    87.209.91.187:3769     FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    88.107.27.157:2645     FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    89.242.233.60:3768     FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    122.167.80.168:1994    FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    149.99.66.34:2944      FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    189.129.3.143:57515    FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    190.0.143.7:3982       FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    194.212.215.131:11713  FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    195.23.220.78:54535    FIN_WAIT_2      4072
  [System]

  TCP    192.168.1.101:14803    211.27.39.140:4868     FIN_WAIT_2      3180
  [System]

  TCP    192.168.1.101:14803    217.174.64.211:12754   FIN_WAIT_2      4072
  [System]

  TCP    127.0.0.1:3049         127.0.0.1:3048         TIME_WAIT       0
  TCP    127.0.0.1:3053         127.0.0.1:3052         TIME_WAIT       0
  TCP    127.0.0.1:3056         127.0.0.1:3055         TIME_WAIT       0
  TCP    127.0.0.1:3059         127.0.0.1:3058         TIME_WAIT       0
  TCP    127.0.0.1:3062         127.0.0.1:3061         TIME_WAIT       0
  TCP    127.0.0.1:3065         127.0.0.1:3064         TIME_WAIT       0
  TCP    127.0.0.1:3068         127.0.0.1:3066         TIME_WAIT       0
  TCP    127.0.0.1:3071         127.0.0.1:3070         TIME_WAIT       0
  TCP    127.0.0.1:3074         127.0.0.1:3073         TIME_WAIT       0
  TCP    127.0.0.1:3077         127.0.0.1:3076         TIME_WAIT       0
  TCP    127.0.0.1:3080         127.0.0.1:3078         TIME_WAIT       0
  TCP    127.0.0.1:3083         127.0.0.1:3082         TIME_WAIT       0
  TCP    127.0.0.1:3086         127.0.0.1:3085         TIME_WAIT       0
  TCP    127.0.0.1:3089         127.0.0.1:3088         TIME_WAIT       0
  TCP    127.0.0.1:3091         127.0.0.1:3092         TIME_WAIT       0
  TCP    127.0.0.1:3094         127.0.0.1:3095         TIME_WAIT       0
  TCP    192.168.1.101:3093     67.19.248.74:80        TIME_WAIT       0
  TCP    192.168.1.101:3096     67.19.248.74:80        TIME_WAIT       0
  UDP    0.0.0.0:3206           *:*                                    1516
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    0.0.0.0:500            *:*                                    980
  [lsass.exe]

  UDP    0.0.0.0:4500           *:*                                    980
  [lsass.exe]

  UDP    0.0.0.0:1026           *:*                                    1516
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    0.0.0.0:3073           *:*                                    1516
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    0.0.0.0:1200           *:*                                    1516
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]

  UDP    127.0.0.1:123          *:*                                    1384
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    127.0.0.1:1900         *:*                                    1644
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    127.0.0.1:3418         *:*                                    492
  [msnmsg.exe]

  UDP    127.0.0.1:44301        *:*                                    2520
  [PnkBstrA.exe]

  UDP    127.0.0.1:3100         *:*                                    1384
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\System32\WINHTTP.dll
  C:\WINDOWS\system32\upnp.dll
  C:\WINDOWS\system32\RPCRT4.dll
  C:\WINDOWS\system32\ole32.dll
  [svchost.exe]

  UDP    192.168.1.101:137      *:*                                    4
  [System]

  UDP    192.168.1.101:138      *:*                                    4
  [System]

  UDP    192.168.1.101:123      *:*                                    1384
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    192.168.1.101:6646     *:*                                    1980
  [mcnasvc.exe]

  UDP    192.168.1.101:6636     *:*                                    2824
  [MwlSvc.exe]

  UDP    192.168.1.101:1900     *:*                                    1644
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]