Hi!
I'm running Windows XP, SP3 with all updates.
I think I have some kind of bot on my system, but can't find it to get rid
of it. I have tried Norton Internet Security, Adaware, Spybot, MAW and other
tools without being able to find it. I've checked the usual suspects (run
registry keys) and what shows loading in MSCONFIG without seeing anything
unusual.
When I first log into the computer and it connects to the network, my
computer connects to a computer in China via a system process with no process
ID.
This is what netstat -b -v shows:
TCP car:1090 61.58.41.104:ftp TIME_WAIT 0
Additionally TCPView shows the above was started by process "system:0."
If it successfully connects, it starts making new connections to other
servers, so this appears to be some kind of botnet software that made it on
my computer.
Norton Internet Security is not asking me to authorize the connection,
probably because this is running as a system process.
My router shows the intrusion as well:
[LAN access from remote] from 61.58.41.104:20 to 192.168.1.52:1091
I have remote access disabled on the router.
I keep disabling terminal services in Windows XP, but after a restart, it
always flips itself back to "manual" and starts, not sure if this is
bot-related or another great Microsoft "working as designed" feature from SP3
(I read other posts that stated that terminal services kept enabling for them
after SP3).
Below is the output of a "Hijack This," I'm not seeing anything unusual.
Any and all help/suggestions are appreciated.
Thanks!
Christian
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:10 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Documents and Settings\christian_roth\Local Settings\Application
Data\Google\Update\GoogleUpdate.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Utilities\TCPView\Tcpview.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: DeviceVM Url Search Hook -
{0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F}
- C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention -
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet
Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java Plug-In 2 SSV Helper -
{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program
Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -
C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic
Edition\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks Basic
Edition\NswUiTray.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton
Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage
Manager\iaanotif.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI
Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GBTUpd] C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe
O4 - HKLM\..\Run: [EasyTuneVI] C:\Program Files\GIGABYTE\ET6\ETcall.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and
Settings\christian_roth\Local Settings\Application
Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [TranscodingService] "C:\Program
Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TivoNotify] "C:\Program
Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program
Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run: [Google
Update] "C:\Documents and Settings\christian_roth\Local Settings\Application
Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run: [Steam]
"c:\program files\steam\steam.exe" -silent (User '?')
O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run:
[TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe"
/auto (User '?')
O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run: [SpybotSD
TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run:
[TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service
/registry /auto:TivoNotify (User '?')
O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run:
[TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service
/registry (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49}
- C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56}
- C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup -
{5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks
Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) -
http://download.giga...bject/Dldrv.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.mi...b?1234924197937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros...b?1234924297453
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) -
https://transfers.ds...ransferCtrl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program
Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs -
C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative
Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel
Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel
32\IDriverT.exe
O23 - Service: JBEJRAPXP - Sysinternals - www.sysinternals.com -
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\JBEJRAPXP.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program
Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program
Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton
Ghost\Agent\VProSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program
Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec
Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program
Files\Softex\OmniPass\Omniserv.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common
Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton
Ghost\Shared\Drivers\SymSnapService.exe
--
End of file - 10929 bytes
How to find and remove bot
#2 Christian R
Posted 22 Apr 2009 - 07:18 PM
More information:
Correction, TCPView shows:
[System Process]:0 TCP car:1090 61.58.41.104: ftp
I have also run "ShieldsUp" and have it scan my ports and it found no open
ports, so in order for someone to connect back to my computer, my computer
has to have opened an outbound port through a connection.
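Two things in the thread so far lend themselves to a concrete check, so here is an added example (not code from the thread or from any of the tools named in it). First, a socket that netstat and TCPView attribute to PID 0 / "[System Process]" in TIME_WAIT is one whose owner has already closed it; the owning process is only visible while the connection is SYN_SENT or ESTABLISHED, which is why a single `netstat` run after logon misses it. Second, the router line "from 61.58.41.104:20 to 192.168.1.52:1091" has the shape of an active-mode FTP data channel: the client opens the control connection to port 21, sends a PORT command, and the server connects back from its port 20 to the advertised port, which on XP (sequential ephemeral ports) is usually the control port plus one. The script below parses `netstat -ano` captures (the `-o` column is the PID; the thread's `netstat -b -v` prints host names such as "car" instead of addresses), keeps the first non-zero PID seen per connection across successive captures, and classifies a router event against the live TCP table. The two captures and the PID 1776 are constructed for the example; the router line is the one quoted in the thread. A match labels the inbound hit as solicited by our own FTP session; it says nothing about whether that FTP session itself is wanted.

```python
"""Find who owned a connection that netstat now shows as PID 0, and tell a
solicited active-mode FTP data channel apart from an unsolicited inbound hit.

Added example for this thread, not the poster's or any vendor's code. The two
netstat captures and the process ID 1776 are constructed; the router line is
the one quoted in the thread.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state pid")

# A TCP row of `netstat -ano` on Windows XP, e.g.
#   TCP    192.168.1.52:1090      61.58.41.104:21        ESTABLISHED     1776
_TCP_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$"
)


def parse_netstat(text):
    """Return the TCP rows of one netstat capture; headers and UDP are skipped."""
    rows = []
    for line in text.splitlines():
        m = _TCP_ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            rows.append(Conn(lip, int(lport), rip, int(rport), state, int(pid)))
    return rows


def attribute_owner(snapshots, remote_ip):
    """Map (local_port, remote_port) -> PID for every connection to remote_ip.

    A socket in TIME_WAIT has already been closed by its owner, so netstat
    reports PID 0 and TCPView shows "[System Process]:0"; the owner is only
    visible while the socket is SYN_SENT or ESTABLISHED. Feed in captures
    taken every second from logon (`netstat -ano 1 > netstat.log`) and keep
    the first non-zero PID seen per connection.
    """
    owners = {}
    for snap in snapshots:
        for c in parse_netstat(snap):
            key = (c.local_port, c.remote_port)
            if c.remote_ip == remote_ip and c.pid != 0 and key not in owners:
                owners[key] = c.pid
    return owners


FTP_CONTROL_PORT, FTP_DATA_PORT = 21, 20

_ROUTER_EVENT = re.compile(
    r"\[LAN access from remote\] from (\S+):(\d+) to (\S+):(\d+)"
)


def parse_router_event(line):
    """(src_ip, src_port, dst_ip, dst_port) from a router 'LAN access' line."""
    m = _ROUTER_EVENT.search(line)
    return (m.group(1), int(m.group(2)), m.group(3), int(m.group(4))) if m else None


def classify_inbound(event, conns):
    """Decide whether an inbound connection was solicited by an FTP session.

    In active-mode FTP (RFC 959) the client opens the control connection to
    server port 21, sends PORT with a port it is listening on, and the server
    connects back from its port 20 to that port. A NAT router logs that as an
    inbound hit even though the client asked for it. Returns a label and
    whether the data port is the control port + 1, which is what XP's
    sequential ephemeral-port allocation usually produces.
    """
    src_ip, src_port, _dst_ip, dst_port = event
    control = [c for c in conns
               if c.remote_ip == src_ip and c.remote_port == FTP_CONTROL_PORT]
    if src_port == FTP_DATA_PORT and control:
        adjacent = any(c.local_port + 1 == dst_port for c in control)
        return ("active-ftp-data", adjacent)
    return ("unsolicited", False)


# Constructed captures: first while the FTP session is live, then after both
# sockets have been closed and sit in TIME_WAIT with no owner.
SNAP_LIVE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.52:1090      61.58.41.104:21        ESTABLISHED     1776
  TCP    192.168.1.52:1091      61.58.41.104:20        ESTABLISHED     1776
"""
SNAP_CLOSED = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.52:1090      61.58.41.104:21        TIME_WAIT       0
  TCP    192.168.1.52:1091      61.58.41.104:20        TIME_WAIT       0
"""
ROUTER_LINE = "[LAN access from remote] from 61.58.41.104:20 to 192.168.1.52:1091"

if __name__ == "__main__":
    print(attribute_owner([SNAP_LIVE, SNAP_CLOSED], "61.58.41.104"))
    print(classify_inbound(parse_router_event(ROUTER_LINE), parse_netstat(SNAP_LIVE)))
```

To use this on the machine in question, start `netstat -ano 1 > netstat.log` before the connection happens (a scheduled task at logon, or a shortcut in the Startup folder), let it run through the first minute of network activity, then feed the captures to `attribute_owner`. Once you have a PID, `tasklist /svc /fi "PID eq 1776"` names the image and, for svchost, the services it hosts; a PID of 0 from a single run only tells you the socket was already closed, and Windows keeps it in TIME_WAIT for a few minutes afterwards.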
#3 sgopus
Posted 22 Apr 2009 - 07:37 PM
This is not the proper area for postings of HijackThis logs; please find the
proper area, as they have experts in reading the logs. This area is for
Windows XP general questions, although we do seem to have experts in many
themes here.
"Christian R" wrote:
> More information:
>
> Correction, TCPView shows:
> [System Process]:0 TCP car:1090 61.58.41.104: ftp
>
> I have also run "ShieldsUp" and have it scan my ports and it found no open
> ports, so in order for someone to connect back to my computer, my computer
> has to have opened an outbound port through a connection.
>
#4 John John - MVP
Posted 22 Apr 2009 - 08:04 PM
It's a Gigabyte server, and I see that you have a Gigabyte utility
running: C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe. It's probably the
one calling home.
John
Christian R wrote:
> Hi!
>
> I'm running Windows XP, SP3 with all updates.
>
> I think I have some kind of bot on my system, but can't find it to get rid
> of it. I have tried Norton Internet Security, Adaware, Spybot, MAW and other
> tools without being able to find it. I've checked the usual suspects (run
> registry keys) and what shows loading in MSCONFIG without seeing anything
> unusual.
>
> When I first log into the computer and it connects to the network, my
> computer connects to a computer in China via a system process with no process
> ID.
>
> This is what netstat -b -v shows:
> TCP car:1090 61.58.41.104:ftp TIME_WAIT 0
>
> Additionally TCPView shows the above was started by process "system:0."
>
> If it successfully connects, it starts making new connections to other
> servers, so this appears to be some kind of botnet software that made it on
> my computer.
>
> Norton Internet Security is not asking me to authorize the connection,
> probably because this is running as a system process.
>
> My router shows the intrusion as well:
>
> [LAN access from remote] from 61.58.41.104:20 to 192.168.1.52:1091
>
> I have remote access disabled on the router.
>
> I keep disabling terminal services in Windows XP, but after a restart, it
> always flips itself back to "manual" and starts, not sure if this is
> bot-related or another great Microsoft "working as designed" feature from SP3
> (I read other posts that stated that terminal services kept enabling for them
> after SP3).
>
> Below is the output of a "Hijack This," I'm not seeing anything unusual.
>
> Any and all help/suggestions are appreciated.
>
> Thanks!
>
> Christian
> O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run: [Google
> Update] "C:\Documents and Settings\christian_roth\Local Settings\Application
> Data\Google\Update\GoogleUpdate.exe" /c (User '?')
> O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run: [Steam]
> "c:\program files\steam\steam.exe" -silent (User '?')
> O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run:
> [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe"
> /auto (User '?')
> O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run: [SpybotSD
> TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
> O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run:
> [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service
> /registry /auto:TivoNotify (User '?')
> O4 - HKUS\S-1-5-21-1004336348-1957994488-1417001333-1003\..\Run:
> [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service
> /registry (User '?')
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
> O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49}
> - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
> O9 - Extra 'Tools' menuitem: S&end to OneNote -
> {2670000A-7350-4f3c-8081-5663EE0C6C49} -
> C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
> O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56}
> - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
> O9 - Extra 'Tools' menuitem: Express Cleanup -
> {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks
> Basic Edition\Norton Cleanup\WCQuick.lnk
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
> C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
> O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
> C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
> {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
> O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
> {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
> Diagnostic\xpnetdiag.exe
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
> C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) -
> http://download.giga...bject/Dldrv.ocx
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
> http://www.update.mi...b?1234924197937
> O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
> http://update.micros...b?1234924297453
> O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) -
> https://transfers.ds...ransferCtrl.cab
> O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
> C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
> O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program
> Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
> O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
> C:\WINDOWS\system32\Ati2evxx.exe
> O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
> O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -
> C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
> O23 - Service: Creative Audio Engine Licensing Service - Creative Labs -
> C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
> O23 - Service: Creative Audio Service (CTAudSvcService) - Creative
> Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
> O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel
> Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
> O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
> Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel
> 32\IDriverT.exe
> O23 - Service: JBEJRAPXP - Sysinternals - www.sysinternals.com -
> C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\JBEJRAPXP.exe
> O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program
> Files\Lavasoft\Ad-Aware\AAWService.exe
> O23 - Service: LiveUpdate - Symantec Corporation - C:\Program
> Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
> O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton
> Ghost\Agent\VProSvc.exe
> O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program
> Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
> O23 - Service: Norton UnErase Protection (NProtectService) - Symantec
> Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
> O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program
> Files\Softex\OmniPass\Omniserv.exe
> O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common
> Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
> O23 - Service: Speed Disk service - Symantec Corporation -
> C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
> O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton
> Ghost\Shared\Drivers\SymSnapService.exe
>
> --
> End of file - 10929 bytes
>
#5 John Wunderlich
Posted 23 Apr 2009 - 01:27 PM
Christian R wrote in news:49CD69E0-E9D2-40AD-90D7-2E75A244D091@microsoft.com:
> More information:
>
> Correction, TCPView shows:
> [System Process]:0 TCP car:1090 61.58.41.104: ftp
>
> I have also run "ShieldsUp" and have it scan my ports and it found
> no open ports, so in order for someone to connect back to my
> computer, my computer has to have opened an outbound port through
> a connection.
>
Submit your HijackThis log to:
You have a suspicious service running out of your temp directory
that this site labels "Nasty":
O23 - Service: JBEJRAPXP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\JBEJRAPXP.exe
HTH,
John
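An added example (not code from the thread, from HijackThis or from Sysinternals) that applies John's check mechanically: it parses O23 lines in the format the log above uses and flags any service whose image sits in a temp directory, in long or 8.3 short form, or whose name is an uppercase random-looking string. The JBEJRAPXP hit, which both the log's vendor field and Christian's follow-up attribute to the Sysinternals rootkit detector, shows why a hit is a lead to verify (file signature, whether a scanner was running at the time) rather than a verdict: RootkitRevealer deliberately starts its scan service under a random name from %TEMP% so that a rootkit cannot target it by name. The sample lines are constructed from the log, and the reason strings are this example's own.

```python
"""Triage HijackThis O23 (service) lines: flag services whose image lives in a
temp directory and/or has a random-looking name.

Added example for this thread; not code from the page or from HijackThis.
"""
import re
from dataclasses import dataclass, field

# HijackThis O23 format: "O23 - Service: <name> - <vendor> - <image path>".
# The vendor field itself may contain " - " (see the Sysinternals line), so the
# path is anchored on the drive letter rather than on the separator count.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*) - (?P<path>[A-Za-z]:\\.*)$"
)

# Service names made of 8-12 capital letters and nothing else. Sysinternals'
# RootkitRevealer deliberately starts its scan service under such a random name
# from %TEMP%, so this heuristic is a lead to verify, not a verdict.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,12}$")

# Constructed sample in the log's own format: the Temp-resident service the
# thread discusses plus two ordinary vendor services for contrast.
SAMPLE_O23 = r"""
O23 - Service: JBEJRAPXP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\JBEJRAPXP.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""


@dataclass
class ServiceEntry:
    name: str
    vendor: str
    path: str
    reasons: list = field(default_factory=list)  # empty list == nothing suspicious


def in_temp_dir(path: str) -> bool:
    r"""True if any directory segment is a temp folder; matches both the long
    form (Local Settings\Temp) and the 8.3 short form (LOCALS~1\Temp)."""
    segments = path.split("\\")[:-1]  # drop the file name itself
    return any(seg.lower() in {"temp", "tmp"} for seg in segments)


def triage_o23(log_text: str) -> list:
    """Parse every O23 line and attach the reasons it deserves a closer look."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        entry = ServiceEntry(m["name"], m["vendor"], m["path"])
        if in_temp_dir(entry.path):
            entry.reasons.append("image-in-temp-dir")
        if RANDOM_NAME_RE.match(entry.name):
            entry.reasons.append("random-looking-name")
        entries.append(entry)
    return entries


def flagged(log_text: str) -> list:
    """Only the entries that carry at least one reason."""
    return [e for e in triage_o23(log_text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_O23):
        print(f"{e.name}: {', '.join(e.reasons)} -> {e.path}  (vendor: {e.vendor})")
```

Paste a full HijackThis log into `triage_o23` and only the O23 lines are considered; everything a hit tells you is where to look next, so check the flagged file's publisher signature and creation time against the tools you ran before deleting anything.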
#6 Christian R
Posted 23 Apr 2009 - 07:53 PM
John John,
you hit the nail on the head.
After smacking my forehead numerous times for panicking instead of
remembering that Gigabyte's main office is in Taiwan, I killed the program
since it creates a security risk and haven't had any "LAN access from remote"
logs in the router or strange remote connections.
Oh well, guess I should be happy it wasn't a real bot and appreciate all the
wonderful security utilities I got to learn about while trying to fix my
"bot" issue. ;-)
John Wunderlich,
JBEJRAPXP.exe is actually the executable that Microsoft's rootkit detection
utility created. There is probably some malware out there using the same
name, but this one is actually the real McCoy...
Thanks for letting me know where I need to go in the future with Hijack logs
since sgopus told me this forum was not it (sorry, sgopus, Microsoft's
website got me here...).
Thanks again to everyone!
Christian
"John John - MVP" wrote:
> It's a Gigabyte server, and I see that you have a Gigabyte utility
> running: C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe; it's probably the
> one calling home.
>
> John
#7 John John - MVP
Posted 24 Apr 2009 - 07:37 AM
Christian R wrote:
> John John,
>
> you hit the nail on the head.
It wasn't hard to hit, I just punched in 61.58.41.104 in my browser
address bar and it took me to the Gigabyte server. You have shown good
investigating skills, you found tools to help you and you did a very
good sleuthing job!
John
> After smacking my forehead numerous times for panicking instead of
> remembering that Gigabyte's main office is in Taiwan, I killed the program
> since it creates a security risk and haven't had any "LAN access from remote"
> logs in the router or strange remote connections.
>
> Oh well, guess I should be happy it wasn't a real bot and appreciate all the
> wonderful security utilities I got to learn about while trying to fix my
> "bot" issue. ;-)
>
>
> John Wunderlich,
>
> JBEJRAPXP.exe is actually the executable that Microsoft's rootkit detection
> utility created. There is probably some malware out there using the same
> name, but this one is actually the real McCoy...
>
> Thanks for letting me know where I need to go in the future with Hijack logs
> since sgopus told me this forum was not it (sorry, sgopus, Microsoft's
> website got me here...).
>
>
> Thanks again to everyone!
>
> Christian
>
>
> "John John - MVP" wrote:
>
>> It's a Gigabyte server, and I see that you have a Gigabyte utility
>> running: C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe; it's probably the
>> one calling home.
>>
>> John
>
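Two details in this thread are worth a mechanical check, and the script below (an added example, not code from the thread) does both against constructed netstat and router lines shaped like the ones Christian posted. First, the pair of events has the shape of an active-mode FTP session: the PC opened car:1090 to 61.58.41.104 port 21 (ftp), and the router then logged the server connecting back from port 20 to the PC's port 1091, which is the data channel a client invites with its PORT command; a consumer router's FTP helper typically lets that connection through, which is why it shows up as "LAN access from remote" even with remote management disabled and no ports open to ShieldsUp. Second, a socket that TCPView or `netstat -ano` attributes to `[System Process]` / PID 0 in TIME_WAIT is one whose owning process had already closed it and exited; the stack holds the entry for a while afterwards, so the owner has to be caught in an earlier snapshot, by polling netstat during logon or using TCPView with a short refresh. The addresses and PIDs in the sample are constructed, and the classification strings are this example's own.

```python
"""Triage a Windows netstat -ano snapshot together with a router
"LAN access from remote" event.

Added example for this thread; not code from the page. Sample data below is
constructed to mirror the addresses the thread reports.
"""
import re
from dataclasses import dataclass

FTP_CONTROL_PORT = 21
FTP_ACTIVE_DATA_PORT = 20  # active-mode server connects *from* 20 to the client

# netstat -ano on XP: "  Proto  Local Address  Foreign Address  State  PID".
# Only TCP rows carry a state; UDP rows are ignored here.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<lip>\S+):(?P<lport>\d+)\s+(?P<rip>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)
ROUTER_RE = re.compile(r"from (?P<sip>\S+):(?P<sport>\d+) to (?P<dip>\S+):(?P<dport>\d+)")

# Constructed snapshot: the control connection already closed (PID 0, TIME_WAIT),
# the data channel still open, a normal listener, and an unrelated web session.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.52:1090      61.58.41.104:21        TIME_WAIT       0
  TCP    192.168.1.52:1091      61.58.41.104:20        ESTABLISHED     1844
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.52:1102      74.125.19.99:80        ESTABLISHED     2240
"""
SAMPLE_ROUTER = "[LAN access from remote] from 61.58.41.104:20 to 192.168.1.52:1091"


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def parse_netstat(text: str) -> list:
    """Turn netstat -ano text into Conn records (TCP rows only)."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.append(Conn(m["lip"], int(m["lport"]), m["rip"], int(m["rport"]),
                              m["state"], int(m["pid"])))
    return conns


def orphaned_time_wait(conns: list) -> list:
    """Sockets shown under PID 0: the owner has already exited and the stack is
    just holding the connection in TIME_WAIT, so the owner must be caught in an
    earlier snapshot (poll netstat during logon or use TCPView's short refresh)."""
    return [c for c in conns if c.pid == 0 and c.state == "TIME_WAIT"]


def explain_inbound(router_line: str, conns: list) -> str:
    """Classify a router 'from remote' event against the host's own sockets."""
    m = ROUTER_RE.search(router_line)
    if not m:
        return "unparsed"
    sip, sport, dport = m["sip"], int(m["sport"]), int(m["dport"])
    # Evidence of an FTP control session to the same server, in any state.
    had_control = any(c.remote_ip == sip and c.remote_port == FTP_CONTROL_PORT
                      for c in conns)
    # The host itself sees the data connection the router reported.
    data_matches = any(c.remote_ip == sip and c.remote_port == sport
                       and c.local_port == dport for c in conns)
    if sport == FTP_ACTIVE_DATA_PORT and had_control and data_matches:
        # The host's own PORT command on the :21 session invited this connection.
        return "active-ftp-data"
    if any(c.local_port == dport and c.state == "LISTENING" for c in conns):
        return "inbound-to-listener"
    return "unexplained-inbound"


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in orphaned_time_wait(conns):
        print(f"owner gone: {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}")
    print(SAMPLE_ROUTER, "=>", explain_inbound(SAMPLE_ROUTER, conns))
```

Feed it the real `netstat -ano` output taken while the connection is still ESTABLISHED and the PID column names the process to inspect (here it would be the Gigabyte updater); an "unexplained-inbound" result, meaning no matching control session and no listener on the target port, is the case that deserves the bot investigation this thread started with.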