Huge Volume Of Traffic



#1 Marcellus


Posted 17 July 2008 - 05:29 AM

Hi Guys

This PC eats up my bandwidth. By just being connected to my Firewall/Router it will "exchange" more than 1 Gigabyte of data per week with some mysterious third/fourth/fifth party.

It started in June.

My ISP logs for March, April and May show total usage of 1 Gigabyte for each month - in June it jumped to over 5 Gigabytes!

All this PC is used for is e-mail and on-line banking. E-mails hardly amount to anything at all.

The lights on the Router never stop flashing, showing constant activity, and the Packets in the Local Area Connection Status just keep on ticking over.

This is driving me insane. I’m aware that this may not be an infection issue, but I do need to make sure.

All help will be appreciated.

Regards

Marcellus

Below is the contents of the two reports:

Deckard's System Scanner v20071014.68
Run by Sam's PC on 2008-07-17 11:59:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
82: 2008-07-17 10:00:15 UTC - RP113 - Deckard's System Scanner Restore Point
81: 2008-07-16 07:58:27 UTC - RP112 - System Checkpoint
80: 2008-07-15 07:43:29 UTC - RP111 - System Checkpoint
79: 2008-07-14 06:33:19 UTC - RP110 - System Checkpoint
78: 2008-07-12 16:55:48 UTC - RP109 - System Checkpoint


-- First Restore Point --
1: 2008-04-18 10:56:41 UTC - RP32 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Sam's PC.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:10 PM, on 2008/07/17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Everyday Auto Backup\AutoBackup.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Documents and Settings\Sam's PC\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sam's PC.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Everyday Auto Backup] C:\Program Files\Everyday Auto Backup\AutoBackup.exe /1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205263386328
O20 - Winlogon Notify: artm_newreg - C:\WINDOWS
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

--
End of file - 2485 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups) -----------

backup-20080311-174353-171 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
backup-20080701-124244-264 O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
backup-20080701-124244-422 O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
backup-20080701-124244-533 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080701-124244-659 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080701-124244-885 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 Fallback - c:\windows\system32\drivers\hsf_fall.sys <Not Verified; Conexant; SoftK56>
R2 Fsks - c:\windows\system32\drivers\hsf_fsks.sys <Not Verified; Conexant; SoftK56>
R2 K56 - c:\windows\system32\drivers\hsf_k56k.sys <Not Verified; Conexant; SoftK56>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R2 SoftFax - c:\windows\system32\drivers\hsf_faxx.sys <Not Verified; Conexant; SoftK56>
R2 Tones - c:\windows\system32\drivers\hsf_tone.sys <Not Verified; Conexant; SoftK56>
R2 V124 - c:\windows\system32\drivers\hsf_v124.sys <Not Verified; Conexant; SoftK56>
R3 HSF_DP - c:\windows\system32\drivers\hsfdpsp2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfbs2s2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT®>
R3 winachsf - c:\windows\system32\drivers\hsfcxts2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S2 ntio256 (Input and output operations) - c:\windows\system32\ntio256.sys (file missing)
S3 basic2 - c:\windows\system32\drivers\hsf_bsc2.sys <Not Verified; Conexant; SoftK56>
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 hsf_msft - c:\windows\system32\drivers\hsf_msft.sys <Not Verified; Conexant; SoftK56>
S3 Rksample - c:\windows\system32\drivers\hsf_samp.sys <Not Verified; Conexant; SoftK56>
S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing)


pe386 driver present

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-01 12:52:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-01 11:01:34 0 d-------- C:\Program Files\Everyday Auto Backup


-- Find3M Report ---------------------------------------------------------------

2008-07-16 14:25:17 290912 --a------ C:\WINDOWS\xcopy.bin
2008-07-01 13:23:41 0 d-------- C:\Program Files\TrustSoft AntiSpyware
2008-07-01 11:32:23 191597 --a------ C:\logfile
2008-06-03 08:22:15 0 d-------- C:\Documents and Settings\Sam's PC\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008/04/17 08:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Everyday Auto Backup"="C:\Program Files\Everyday Auto Backup\AutoBackup.exe" [2007/11/28 11:55 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\bin\w3dbsmgr.exe [2007/04/15 01:43:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\artm_newreg]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BestPopUpKiller]
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HistoryKill]
C:\Program Files\HistoryKill\histkill.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0\bin\jusched.exe"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 v5windowsupdate.microsoft.nsatc.net
127.0.0.1 windowsupdate.com
127.0.0.1 www.bitdefender.com
127.0.0.1 www.ravantivirus.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com

8764 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-17 12:03:48 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.80GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 503.48 MiB / 219.86 MiB
Pagefile Memory (total/avail): 1227.46 MiB / 1007.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1951.23 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 38.28 GiB total, 25.13 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6E040L0 - 38.29 GiB - 1 partition
PARTITION0 (bootable) - Installable File System - 38.28 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sam's PC\Application Data
CLASSPATH=C:\PVSW\bin\pvjdbc2x.jar;C:\PVSW\bin\pvjdbc2.jar;C:\PVSW\bin\jpscs.jar;.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SAM1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sam's PC
LOGONSERVER=\\SAM1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PVSW\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SAM'SP~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SAM'SP~1\LOCALS~1\Temp
USERDOMAIN=SAM1
USERNAME=Sam's PC
USERPROFILE=C:\Documents and Settings\Sam's PC
VSL=C:\PVSW\bin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sam's PC (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Canon PhotoRecord --> MsiExec.exe /X{D958FAC4-BAE0-4B1D-A42E-DE9BFDE7DDEE}
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\WINDOWS\BJPSUNST.EXE
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
Everyday Auto Backup 1.12 --> "C:\Program Files\Everyday Auto Backup\unins000.exe"
fflink --> MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall
HP Extended Capabilities 5.3 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
ImageMixer VCD2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F8C6BABF-0837-4EA0-AD6C-8E5A392A7538}\setup.exe" -l0x9 UNINSTALL
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_a017064\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Microsoft Bootvis --> MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Pastel File Manager --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Uninst.isu
Pastel Partner Version 5.2 --> C:\WINDOWS\IsUninst.exe -fC:\PAS52\Pas52.isu
Pastel Xpress 2007 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{077E0FF9-CC35-435C-B946-DEA4009439FA}
Pervasive System Analyzer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Common Files\Pervasive Software Shared\PSA\psa.isu"
Pervasive.SQL 9.60 Workgroup for Windows --> MsiExec.exe /X{D8C0330E-C815-4C6F-9BFD-0FD570155790}
Picture Package --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
skin0001 --> MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\setup.exe" UNINSTALL
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2054 / Error
Event Submitted/Written: 07/17/2008 10:18:18 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application services.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x00c700a5.
Processing media-specific event for [services.exe!ws!]

Event Record #/Type2051 / Error
Event Submitted/Written: 07/17/2008 10:02:03 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application services.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x00c700a5.
Processing media-specific event for [services.exe!ws!]

Event Record #/Type2048 / Error
Event Submitted/Written: 07/17/2008 08:25:54 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application services.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x00c700a5.
Processing media-specific event for [services.exe!ws!]

Event Record #/Type2042 / Error
Event Submitted/Written: 07/16/2008 04:01:15 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application services.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x00c300a5.
Processing media-specific event for [services.exe!ws!]

Event Record #/Type2039 / Error
Event Submitted/Written: 07/16/2008 03:50:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application services.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x00c700a5.
Processing media-specific event for [services.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2037 / Warning
Event Submitted/Written: 07/17/2008 11:27:00 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00110975A5E3. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2034 / Error
Event Submitted/Written: 07/17/2008 11:13:39 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type2018 / Error
Event Submitted/Written: 07/17/2008 11:08:49 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Input and output operations service failed to start due to the following error:
%%2

Event Record #/Type2012 / Error
Event Submitted/Written: 07/17/2008 11:01:44 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type1995 / Error
Event Submitted/Written: 07/17/2008 10:56:53 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Input and output operations service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-17 12:03:48 ------------

Hi, Just a quick update:
I ran Mbam and it picked up two infections:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntio256 (Rootkit.Agent) -> Quarantined

Files Infected:
C:\WINDOWS\system32:lzx32.sys (Rootkit.ADS) -> Quarantined and deleted successfully.

Traffic seems to have ground to a halt.

Merged posts. ~ OB

Edited by Orange Blossom, 20 July 2008 - 12:46 AM.
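Two things in the logs above explain the symptom better than the running-process list does: the hosts file sinkholes Windows Update and several antivirus vendors to 127.0.0.1 (so the machine can no longer update or fetch AV signatures), and an auto-start driver service (ntio256, start type 2) points at a file the scanner reports as missing, which Malwarebytes later found hidden in an alternate data stream (C:\WINDOWS\system32:lzx32.sys). The script below is an added triage example, not part of this thread and not code from Deckard's System Scanner, HijackThis or Malwarebytes; it pulls exactly those three indicator types out of DSS-style log text. The protected-domain list is an assumption chosen for the example, and the sample log is a trimmed excerpt constructed in the shape of the posted logs with the path backslashes intact.

```python
"""Added triage helper for DSS / HijackThis-style text logs (example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Update/AV domains whose redirection to localhost is a classic hosts-file hijack.
# This list is an assumption chosen for the example, not a DSS or HijackThis setting.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "windowsupdate.microsoft.com", "microsoft.nsatc.net",
    "kaspersky-labs.com", "bitdefender.com", "ravantivirus.com",
)
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

SECTION_RE = re.compile(r"^-- (.+?) -{3,}\s*$")        # "-- Hosts ------" style headers
DRIVER_RE = re.compile(r"^([RS])([0-4])\s+(\S+)")      # "S2 ntio256 ..." driver rows
ADS_RE = re.compile(r"\b[A-Za-z]:\\[^\s:]+:[^\s:]+")   # drive path with a :stream suffix

# Constructed sample: a trimmed excerpt in the shape of the DSS log and the Mbam note.
SAMPLE_LOG = r"""
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
S2 ntio256 (Input and output operations) - c:\windows\system32\ntio256.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing)

pe386 driver present

-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 v5windowsupdate.microsoft.nsatc.net
127.0.0.1 windowsupdate.com
127.0.0.1 www.bitdefender.com
127.0.0.1 www.ravantivirus.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 www.007guard.com

8764 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-07-17 12:03:48 ------------

Files Infected:
C:\WINDOWS\system32:lzx32.sys (Rootkit.ADS) -> Quarantined and deleted successfully.
"""


@dataclass
class Findings:
    sinkholed_hosts: list = field(default_factory=list)   # (ip, hostname)
    missing_drivers: list = field(default_factory=list)   # (start_type, name, path)
    ads_paths: list = field(default_factory=list)         # "file:stream" strings


def split_sections(text):
    """Map each '-- Title ----' header to the lines that follow it."""
    sections, current = {}, "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections.setdefault(current, []).append(line)
    return sections


def check_hosts(lines):
    """Hosts entries that point a protected update/AV domain at a sinkhole address."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SINKHOLE_ADDRS:
            continue
        host = parts[1].lower()
        if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
            out.append((parts[0], host))
    return out


def check_drivers(lines):
    """Driver rows whose image is reported missing. Start types 0-2 load without user
    action, so a missing (or hidden) file there deserves the closest look."""
    out = []
    for line in lines:
        m = DRIVER_RE.match(line)
        parts = line.split(" - ", 1)
        if not m or len(parts) < 2 or "(file missing)" not in line:
            continue
        path = parts[1].split(" (file missing)")[0].strip()
        out.append((int(m.group(2)), m.group(3), path))
    return out


def find_ads(text):
    """Paths carrying an NTFS alternate data stream, e.g. C:\\dir\\file:stream."""
    return ADS_RE.findall(text)


def triage(text):
    findings = Findings()
    for title, lines in split_sections(text).items():
        if title.startswith("Hosts"):
            findings.sinkholed_hosts += check_hosts(lines)
        elif title.startswith("Drivers"):
            findings.missing_drivers += check_drivers(lines)
    findings.ads_paths = find_ads(text)
    return findings


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for ip, host in f.sinkholed_hosts:
        print(f"hosts hijack: {host} -> {ip}")
    for start, name, path in f.missing_drivers:
        print(f"missing driver image (start type {start}): {name} = {path}")
    for stream in f.ads_paths:
        print(f"alternate data stream: {stream}")
```

Run it on a saved main.txt (with the Mbam output appended) by passing the file contents to triage() instead of SAMPLE_LOG. Entries like www.007guard.com are left unflagged on purpose: a bloated hosts file is normal for Spybot's immunization, and the signal is which domains are blocked, not how many.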



#2 don77


Posted 06 August 2008 - 07:26 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 don77


Posted 10 August 2008 - 09:05 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



