
Unknown Problem



#1 zeepman

Posted 24 April 2009 - 11:40 PM

Hi,

I am getting a lot of packets coming and going from the internet. Even with my browser closed. I have all automatic updates disabled in my programs.

I have run numerous scanners, local and online, rootkit detectors, etc. And they come up with nothing.

I was blocking traffic with Sunbelt firewall for a while, but something kept closing it down.

There is a Service listed in Services called XFJU. I've never heard of it before and can't find a thing about it doing a Google search. There is no description offered for it. It was set to manual, but I disabled it. (supposedly)
The path to executable is: C:\DOCUME~1\jd\LOCALS~1\Temp\XFJU.exe

I was about to reformat, but thought I'd try here first.

Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:31 PM, on 4/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.musiclinx.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Eat At Joe's Diner!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: GLPNR - Unknown owner - C:\DOCUME~1\jd\LOCALS~1\Temp\GLPNR.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

--
End of file - 3282 bytes

DDS (Ver_09-03-16.01) - NTFSx86
Run by jd at 21:21:08.51 on Fri 04/24/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.153 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\cisvc.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\jd\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uWindow Title = Eat At Joe's Diner!
mStart Page = hxxp://www.musiclinx.com
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
uSearchAssistant =
uCustomizeSearch =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
{a057a204-bacc-4d26-9990-79a187e2698e}
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
{a057a204-bacc-4d26-9990-79a187e2698e}
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {32564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
Notify: igfxcui - igfxsrvc.dll
LSA: Notification Packages =

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jd\applic~1\mozilla\firefox\profiles\twv0gctk.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-4 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-4-19 24336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-4 138680]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-4-19 700152]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-4 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-4 352920]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-12-2 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2003-3-14 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2007-12-2 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-12-2 10368]
S3 GLPNR;GLPNR;c:\docume~1\jd\locals~1\temp\glpnr.exe --> c:\docume~1\jd\locals~1\temp\GLPNR.exe [?]
S3 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-3-26 26488]
S3 XIRLINK;XIRLINK;c:\windows\system32\drivers\c-itnt.sys --> c:\windows\system32\drivers\C-itnt.sys [?]
S4 XFJU;XFJU;c:\docume~1\jd\locals~1\temp\xfju.exe --> c:\docume~1\jd\locals~1\temp\XFJU.exe [?]

=============== Created Last 30 ================

2009-04-23 02:10 <DIR> --d----- c:\program files\Trend Micro
2009-04-19 00:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-04-19 00:46 155,384 a------- c:\windows\system32\guard32.dll
2009-04-19 00:46 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-04-19 00:46 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-04-19 00:45 <DIR> --d----- c:\program files\COMODO
2009-04-14 06:02 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-04-14 06:02 <DIR> --d----- c:\program files\MSECACHE
2009-04-04 16:06 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-03-29 19:36 3,015 ac------ C:\rollback.ini
2009-03-29 17:25 <DIR> --d----- c:\docume~1\jd\applic~1\CheckPoint
2009-03-29 17:13 144 a------- c:\windows\system32\lkfl.dat
2009-03-29 17:13 96 a------- c:\windows\system32\pdfl.dat
2009-03-29 17:13 80 a------- c:\windows\system32\ibfl.dat
2009-03-29 17:13 <DIR> --d----- c:\program files\CheckPoint

==================== Find3M ====================

2009-03-31 14:14 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-06 07:44 283,648 a------- c:\windows\system32\pdh.dll
2009-02-20 01:14 668,160 a------- c:\windows\system32\wininet.dll
2009-02-20 01:14 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 03:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 03:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 03:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 03:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 16:12 90,112 a------- c:\windows\DUMP5da0.tmp
2009-02-06 10:24 2,180,480 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 10:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 09:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 09:49 2,057,728 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 13:08 55,808 a------- c:\windows\system32\secur32.dll
2009-01-28 18:43 410,984 a------- c:\windows\system32\deploytk.dll
2006-11-22 18:35 81,920 a------- c:\docume~1\jd\applic~1\ezpinst.exe
2006-11-22 18:35 47,360 a------- c:\docume~1\jd\applic~1\pcouffin.sys
2003-04-28 19:19 981 ac------ c:\docume~1\jd\applic~1\waver_2.81.dat
2002-07-31 20:55 104 ---sh--- c:\windows\WSYS049.SYS

============= FINISH: 21:22:15.04 ===============
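As an added triage example (not from the post and not part of HijackThis, DDS or any BleepingComputer tool): a small Python parser that reads HijackThis O23/R1/O2 lines and DDS SERVICES / DRIVERS lines in the format shown above and flags the entries a log helper would look at first, namely services whose binary sits in a Temp directory or is missing, a browser proxy pointing at localhost, and BHOs with no file on disk. The sample lines are copied from the logs above (plus two clean lines for contrast); the regexes and the flag wording are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the HijackThis (O23/R1/O2) and DDS
# (SERVICES / DRIVERS) sections of the post above, plus two clean lines for contrast.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: GLPNR - Unknown owner - C:\DOCUME~1\jd\LOCALS~1\Temp\GLPNR.exe (file missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
S4 XFJU;XFJU;c:\docume~1\jd\locals~1\temp\xfju.exe --> c:\docume~1\jd\locals~1\temp\XFJU.exe [?]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-4-19 700152]
"""

# Line formats as they appear in the logs above (HJT = HijackThis, DDS = the DDS report).
HJT_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DDS_SERVICE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+)$")
HJT_PROXY = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)$")
HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)  # matches ...\Temp\... or ...\temp\...


def triage(log_text):
    """Return (reason, entry name) pairs for log lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_SERVICE.match(line) or DDS_SERVICE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            # Legitimate services install under Program Files or System32, not %Temp%.
            if TEMP_DIR.search(path):
                findings.append(("service binary lives in a Temp directory", name))
            # HJT marks a missing binary "(file missing)"; DDS marks an unverifiable one "[?]".
            if path.endswith("(file missing)") or path.endswith("[?]"):
                findings.append(("service binary missing or unverifiable", name))
            continue
        m = HJT_PROXY.search(line)
        # A loopback proxy can be a local filtering product, so this is a question, not a verdict.
        if m and m.group("proxy").startswith("127.0.0.1"):
            findings.append(("browser traffic proxied through localhost", m.group("proxy")))
            continue
        m = HJT_BHO.match(line)
        if m and m.group("path") == "(no file)":
            findings.append(("orphaned BHO entry (no file on disk)", m.group("name")))
    return findings


if __name__ == "__main__":
    for reason, name in triage(SAMPLE_LOG):
        print(f"{reason}: {name}")
```

Run against the sample it reports GLPNR and XFJU twice each (Temp location plus missing binary), the 127.0.0.1:8080 proxy and the nameless BHO, and stays silent on the avast! and COMODO services.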

#2 zeepman

Posted 30 April 2009 - 05:19 PM

It's been a week. Why is no one helping me?

#3 Farbar

Posted 07 May 2009 - 04:30 AM

Hi zeepman,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have done anything since your previous post, or if you have run any other tools. Also tell me the current condition of your computer.

  • To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Set the scan files/folders to 3 Months.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

    Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

    Note 2: The tool takes no more than one minute to scan the system.
You might want to save this page on your favorites, so you can find it again when you return.

#4 Farbar

Posted 09 May 2009 - 05:23 PM

Is there anybody?
I'll wait one more day before closing the topic.

#5 Farbar

Posted 14 May 2009 - 04:15 PM

This thread will now be closed due to inactivity.

If you should have a new issue, please start a new topic.