Help requested

  1. #1 ficochm, Newbie


    Hi all,
    First of all, thanks in advance for any help I can get from you guys, and second, congrats on this service you're providing... it's good to know there's someone willing to help people like me who are not much into this stuff...

    Ok, here I go: I don't know if I'm paranoid or something, but there's a lot of traffic (inbound and outbound) that I can see going on through my Internet connection, even when I'm not doing anything in the browser and no activity is apparently being performed by any other process.

    I also need to mention that Norton detected the virus PWSteal.Bank.B two times, first in a dll + a sys file and then in an exe. The first time (the dll), Norton was not able to remove the virus, so I made changes in my registry manually and removed the file myself. This happened this last weekend. Earlier last week I myself removed two other exe files: WinFixIds.exe and systemc32.exe. These two were constantly trying to access certain odd URLs which I didn't know, but I was aware of them because I blocked them in the Personal Firewall. My anti-spyware (Spysweeper) didn't alert me about these last two...

    My PC's current configuration:
    Win XP SP1
    IE 6.0 SP1
    AV: McAfee VirusScan 7.1.0, virus definition 4382 (July 28). I just installed this today (I had Norton until earlier today). I have already fully scanned my computer twice today and neither Norton nor McAfee found anything.
    PF: Sygate Personal Firewall 5.5
    Access to the Internet through a DSL connection.
    AntiSpyware: Spysweeper.

    I've already blocked in Sygate:
    NTOSKRNL.EXE
    SVCHOST.EXE
    LSASS.EXE
    But even when SVCHOST is blocked, some incoming and outgoing transmissions are allowed.

    Sometimes, a message alerting that "EXPLORER.EXE is trying to access Internet 200.0.0.24" is also generated by the PF. (I always say no to this event.)

    So... what do you suggest I do? Or what else can I do to stop these transmissions? I'm afraid something is going on with my computer and it really frustrates me not knowing what it is, or even worse, if it's some kind of virus or spyware that somehow the antivirus is not detecting...

    Thx again. I look forward to any kind of help regarding this.
    Fico
    Lima - Perú.

    PS - Sorry if my English is not that clear... whatever clarification you might need, please ask me.

    PS2 - The HijackThis log follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 09:07:15 p.m., on 02/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
    C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    C:\Archivos de programa\Arescom\NDS1060USB ADSL Adapter\dslmon.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    D:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [Microsoft Updates Resources] WinFixIDs.exe
    O4 - HKCU\..\Run: [Microsoft Updates] systemc32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: DSLMON.lnk = ?
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: Referencia (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{95458564-062B-4404-8884-AE5AB1B96085}: NameServer = 200.48.225.130 200.48.225.146


  2. #2 Nirvana, Elite Member
    Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

    O4 - HKCU\..\Run: [Microsoft Updates Resources] WinFixIDs.exe
    O4 - HKCU\..\Run: [Microsoft Updates] systemc32.exe


    Make sure you have set Windows to show hidden files & folders, then reboot into safe mode, then run a search for and delete:

    WinFixIDs.exe and systemc32.exe

    Reboot, then post another log and let us know how things are running.
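    The two entries Nirvana picked out share one tell: the Run value is a bare file name with no directory, so the file could be anywhere on the search path. As an added example (not from the thread and not part of HijackThis), here is a small Python parser for O4 lines that flags exactly that pattern; the sample lines are constructed after the log posted above.

```python
import re

# Constructed sample: O4 (Run-key) lines modelled on the log posted in this
# thread, including the two entries Nirvana told the poster to fix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [Microsoft Updates Resources] WinFixIDs.exe
O4 - HKCU\..\Run: [Microsoft Updates] systemc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = ?
"""

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_o4(log: str):
    """Yield (hive, value name, executable) for every O4 Run-key line."""
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            yield m.group(1), m.group(2), executable_of(m.group(3))


def suspicious_o4(log: str):
    """Flag Run entries whose program carries no directory at all.

    A bare file name is resolved through the search path at logon, so the entry
    says nothing about where the file lives; installers almost always write a
    full path. Entries starting with an %ENVVAR% prefix are left alone."""
    return [(hive, name, exe) for hive, name, exe in parse_o4(log)
            if "\\" not in exe and not exe.startswith("%")]


if __name__ == "__main__":
    for hive, name, exe in suspicious_o4(SAMPLE_LOG):
        print(f"{hive} [{name}] -> {exe}: no path; check where it really runs from")
```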

  3. #3 ficochm, Newbie
    Hi Nirvana,
    I followed the steps you requested. You may not have noticed it, but I said that I had already manually removed these 2 files (winfixids and systemc32) and their registry entries last week.

    Please find attached the new HijackThis log: entries for those 2 files are not showing anymore... but the odd transmission behavior persists.
    When I checked Sygate Personal Firewall, svchost seems to be sending and receiving something (although I set it to "blocked", some packets are still allowed); however, the incoming and outgoing traffic does not match the bytes that you can see in the connection properties. It's not that much, but I still would like to know what's going on with my PC...


    Logfile of HijackThis v1.97.7
    Scan saved at 01:18:37 a.m., on 04/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
    C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
    C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
    C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    C:\Archivos de programa\Arescom\NDS1060USB ADSL Adapter\dslmon.exe
    D:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: DSLMON.lnk = ?
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: Referencia (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{95458564-062B-4404-8884-AE5AB1B96085}: NameServer = 200.48.225.130 200.48.225.146

  4. #4 owen, D-A-L Team Member (UK)
    Can't see anything wrong with that log now.

  5. #5 ficochm, Newbie
    Yes Owen, me neither, but then again what's with the transmission activity when there's not even a browser window or any other program running? I would really appreciate any clues as to what could be happening with svchost.exe... Or should I assume it's only natural in Win XP to see some bytes of unknown information coming and going from my PC through the DSL connection? Maybe I just need to learn to live with it...
    Thx again, Fico

  6. #6 owen, D-A-L Team Member (UK)
    Your svchost will do lots of jobs like synchronizing time, etc., and a variety of other jobs. It's expected to receive and send some packets. Even though it is blocked, there are different svchost modules and each one does a different job. Your internet connection will be dependent on some modules, so they are automatically allowed access. Nothing to worry about, I can assure you.
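    Owen's point is that one svchost.exe PID hosts several services at once, so a per-image firewall rule cannot say which service a packet belongs to. The check that answers the poster's question is to join the service-to-PID map with the connection-to-PID map. Added example, not from the thread: Python that parses constructed `tasklist /svc` and `netstat -ano` output (both standard Windows commands) and attributes each connection to its PID, image and hosted services, handling the wrapped Services column and UDP rows that have no State field.

```python
import re

# Constructed `tasklist /svc` sample; a long Services column wraps onto indented lines.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    948 Dhcp, Dnscache, W32Time, wuauserv,
                                   EventSystem, Netman
explorer.exe                  1256 N/A
"""

# Constructed `netstat -ano` sample (UDP rows carry no State column); 200.0.0.24
# is the address the poster's firewall reported for EXPLORER.EXE.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1044      192.0.2.10:80          ESTABLISHED     948
  UDP    192.168.1.10:123       *:*                                    948
  TCP    192.168.1.10:1050      200.0.0.24:80          SYN_SENT        1256
"""

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, services


def _names(field):
    return [s.strip() for s in field.split(",") if s.strip()]


def services_by_pid(text):
    """Map PID -> (image name, [hosted services]), joining wrapped lines."""
    result, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(2))
            result[current] = (m.group(1), _names(m.group(3).replace("N/A", "")))
        elif line.startswith(" ") and current is not None:
            result[current][1].extend(_names(line))  # wrapped Services text
    return result


def connections_by_pid(text):
    """Map PID -> [(proto, remote endpoint, state)] from netstat -ano rows."""
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header / banner lines
        state = parts[3] if parts[0] == "TCP" else ""  # UDP has no State column
        conns.setdefault(int(parts[-1]), []).append((parts[0], parts[2], state))
    return conns


def attribute(tasklist_text, netstat_text):
    """For each PID with traffic: (image, hosted services, connections)."""
    svcs = services_by_pid(tasklist_text)
    return {pid: svcs.get(pid, ("?", [])) + (c,) for pid, c in connections_by_pid(netstat_text).items()}
```

    On a live machine, feed the real command output in (for example via `subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout`); a svchost PID whose connection does not fit any of its hosted services is the one worth a closer look.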
