[Tripredacus]

I have recently decided that it would be interesting to see just how well off my computer is at home. This computer is called 'Infocore' (as mentioned above) and has never had any anti-virus on it. Back in 2002, it used to have Zone Alarm and Adaware, but it has been anti-virus clean for at least 5 years. So I am going to try running some apps to see if it actually has anything on it!

Here is some history. This PC was built in 2001 and had Windows XP Pro RTM installed on it. It stayed that way until a couple of months ago when I replaced the motherboard and had to do a repair install. It is now at SP2. The following are facts:

1. There is no anti-virus installed
2. There are no anti-spyware programs installed
3. It has never encountered a BSOD*
4. It has no firewall installed, but Windows ICF is enabled. There is a hardware firewall.
5. The system drive has never been reformatted and had Windows reinstalled. If you ignore the repair install, Windows is on its first install.
6. No Windows updates are installed on it except for what came with SP1 and/or the SP2 repair install.
7. Default browser is IE6, but only to launch HTML files. Used browser is Firefox with NoScript plugin.
8. CCleaner has been run twice ever, but those 2 times were both within the past 3 months, when I started using the program
9. System restore is disabled

*BSOD was encountered once during a write operation to a failing storage hard drive.

When I get home I will post a process list to start out. I will then run some apps. Those apps include:

- gmer
- rootkit revealer
- hijackthis
- malwarebytes antimalware app
- Symantec Conflicker removal tool*

Any other things I should test as well? And don't say PCMark, as I ran that after the repair install and it pulled a measely 800 marks, but it can play Crysis so

*added per DigeratiPrime.

Also wanted to add the other programs I used besides the ones listed in this thread:
- UltraEdit
- PE Explorer
- Fireworks for the screenshots

[DigeratiPrime]

I'll bet nothing but I will point out that Conficker for example would punch right through that

[Tripredacus]

First up, TASK Manager. I opened it up when I got home, but I did close a few things first. The things I closed were LeetchFTP and Trillian, which were shrunk to the systemtray, and also the PunkBuster client which is opened by Quake 3 but doesn't get closed when you exit it. So I have these:



22 total, - the Epson service (I have a scanner), 2x ATi and taskmgr and we are at 18. I've tried running without the Epson software but when I try to use the printer it gives me errors so I just leave it there. Also I haven't gotten around to doing the driver-only install for ATI but it also doesn't cause me any problems.

Oh and how about that uptime?

First up, HiJackThis. Now of course, some of the info is different because I am also running these with Firefox open. The following log is edited to remove the trusted sites for IE.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:01 PM, on 6/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tripredacus.net/wiki/Main_Page
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\RunOnce: [Delete USB Error Key] "C:\Program Files\Samsung\Samsung PC Studio 3\USB Drivers\SPS3_USB_Driver_Setup.exe"
O4 - HKCU\..\Run: [EPSON Stylus NX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE /FU "C:\WINDOWS\TEMP\E_S932.tmp" /EF "HKCU"
O4 - HKCU\..\Policies\Explorer\Run: [{E423C74E-069E-1033-0801-011008010001}] "C:\Program Files\Common Files\{E423C74E-069E-1033-0801-011008010001}\Update.exe" mc-110-12-0000272
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zones **** REMOVED FROM LIST
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A592CA-9194-48CD-AA23-4B7527E1FB01}: NameServer = x.x.x.x
O20 - AppInit_DLLs: NVDESK32.DLL,wbsys.dll
O20 - Winlogon Notify: ljhhg - C:\WINDOWS\System32\ljhhg.dll (file missing)
O20 - Winlogon Notify: winilb32 - C:\WINDOWS\
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5165 bytes

Rootkit Revealer up next

Quote

I'll bet nothing but I will point out that Conficker for example would punch right through that

Ummm.... what is this: O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

[gamehead200]

Run Ad-Aware and Spybot and see if anything comes up.

[Tripredacus]

Tripredacus, on Jun 15 2009, 05:31 PM, said:

Quote

I'll bet nothing but I will point out that Conficker for example would punch right through that

Ummm.... what is this: O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

Oh don't get yer hopes up yet, that file is simply "Client Service for NetWare Provider and Authentication Package DLL"...

Rootkit Revealer came back with 12 discrepancies. They are all the "Key name contains embedded nulls" and one "Data mismatch between Windows API and raw hive data", which under most circumstances means absolutely nothing is wrong.

But its funny that Conflicker was brought up. Its appearance was the number one reason why I had this thread idea going around in my head. When Conflicker came out, I was still on SP1 with no updates, other than my hacked USB 2.0 functionality. I am on SP2 now (as noted) but even a repair install wouldn't have removed it on me.

Alas since the last test passed as far as I am concerned, I'll move onto the FixDownAdUp.exe from Symantec. And while I was waiting, I've been playing Solitaire, because being productive is key amongst us business types. I am playin 1 card vegas and sitting at a healthy score of -$26.

[cluberti]

Tripredacus, on Jun 15 2009, 05:31 PM, said:

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)

http://www.ca.com/us/securityadvisor/pest/...px?id=453100212 - trojan downloader. That's 1

Tripredacus, on Jun 15 2009, 05:31 PM, said:

O4 - HKCU\..\Policies\Explorer\Run: [{E423C74E-069E-1033-0801-011008010001}] "C:\Program Files\Common Files\{E423C74E-069E-1033-0801-011008010001}\Update.exe" mc-110-12-0000272

IEAK - you ever installed IE via an IEAK package on this box? If not, this is *suspicious* - that's 1.5

Tripredacus, on Jun 15 2009, 05:31 PM, said:

O20 - Winlogon Notify: ljhhg - C:\WINDOWS\System32\ljhhg.dll (file missing)
O20 - Winlogon Notify: winilb32 - C:\WINDOWS\

http://www.spywareterminator.com/es/item/4...onde298048.html - looks like you may have a malware infection with this one - that's 2.5

Tripredacus, on Jun 15 2009, 05:31 PM, said:

O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)

http://threatinfo.trendmicro.com/vinfo/gra...KE%5FRENOS%2EDS - Spyware. That's 3.5

I voted cookies, but now I realize I should've voted most infected machine Trip probably owns .

[Tarun]

Voted spyware. Cookies don't count imho.

Trip, you should use my AMT to get your tools.

[Tripredacus]

Why is that spam Tarun?

The Conflicker scan took forever! Here's the results, along with the solitaire update:



Next I'll run Malwarebytes.

However I will garauntee that it will find cookies. I don't clean those often enough.

[Tripredacus]

I figured that Malwarebytes would find something. I must confess however. A long time ago I had purposely infected my PC with an AIM trojan so that I could learn how to remove it. I did this because a friend of mine had gotten it, but I didn't use AIM. Of course it did nothing on my PC but perhaps one of these are its remnants:



Mirar
Adware.Mirar attempts to find Web pages that are related to the Web page currently being viewed. It also displays advertisements based on the URLs and search terms used while navigating the Internet. It will also attempt to download and install the Mirar toolbar from a predetermined Web site. This toolbar is also detected as Adware.Mirar.

My current settings block all domains unless I say so, especially scripts. This being present doesn't cause a security breach for me. You may have noticed I have IE as my default browser, however, I only use it to display local files and my website, nothing else.

Netmon.exe
netmon.exe is a process which is registered mass-mailing worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has it's own SMTP mailing engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. This process is a security risk and should be removed from your system.

With exception to the Microsoft tools of the same name (sneaky they are eh) but I have not installed netmon on this computer. Alas, STMP port is blocked by the hardware firewall, and even so, I have no default Email client anyways. But from its own log, you can see it hasn't run in a while:

 
06-09-28 11.23.13: *** WAITING 240 SECS ***
06-09-28 11.27.13: *** FETCHING ***
06-09-28 11.27.14: *** SKIPPING POST ***
06-09-28 11.27.14: *** WAITING 240 SECS ***
06-09-28 11.31.14: *** FETCHING ***
06-09-28 11.31.14: *** SKIPPING POST ***
06-09-28 11.31.14: *** WAITING 240 SECS ***
06-09-28 11.35.14: *** FETCHING ***
06-09-28 11.35.15: *** SKIPPING POST ***
06-09-28 11.35.15: *** WAITING 240 SECS ***
06-09-28 11.39.15: *** FETCHING ***
06-09-28 11.39.15: *** SKIPPING POST ***
06-09-28 11.39.15: *** WAITING 240 SECS ***
06-09-28 11.43.15: *** FETCHING ***
06-09-28 11.43.16: *** SKIPPING POST ***
06-09-28 11.43.16: *** WAITING 240 SECS ***
06-09-28 11.47.16: *** FETCHING ***
06-09-28 11.47.16: *** SKIPPING POST ***
06-09-28 11.47.16: *** WAITING 240 SECS ***
06-09-28 11.51.16: *** FETCHING ***
06-09-28 11.51.17: *** SKIPPING POST ***
06-09-28 11.51.17: *** WAITING 240 SECS ***
06-09-28 11.55.17: *** FETCHING ***
06-09-28 11.55.18: *** SKIPPING POST ***
06-09-28 11.55.18: *** WAITING 240 SECS ***
06-09-28 11.59.18: *** FETCHING ***
06-09-28 11.59.19: *** SKIPPING POST ***
06-09-28 11.59.19: *** WAITING 240 SECS ***
06-09-28 12.03.19: *** FETCHING ***
06-09-28 12.03.20: *** SKIPPING POST ***
06-09-28 12.03.20: *** WAITING 240 SECS ***
06-09-28 12.07.20: *** FETCHING ***
06-09-28 12.07.21: *** SKIPPING POST ***
06-09-28 12.07.21: *** WAITING 240 SECS ***
06-09-28 12.11.21: *** FETCHING ***
06-09-28 12.11.21: *** SKIPPING POST ***
06-09-28 12.11.21: *** WAITING 240 SECS *** 

This makes sense, if you ever look in your spam folder. You get a lot of emails with the wrong year on them. Probably coming from trojans like this. Too bad they are still out there. Only makes sense for Tbird, and OE/Outlook clients, perhaps others. Webmail clients (as I exclusively use besides at work) automatically sort these incorrect year emails into the spam/bulk folder. Pretty stupid for the worm to log that info tho.

atmtd.dll
cmdService, also known as Command Service, is adware that displays commercial advertisements and opens annoying pop-ups. The parasite is usually installed through drive-by downloads. Its makers are able to partially control the compromised system by disabling or removing any other advertising-supported programs installed. cmdService runs a service on every Windows startup.

This malware also appears to be non-functional.

idt0.dll
This is a "Quake" variant! HA I think I'll keep it.

MShosts.exe
Looks bad, I think I'll remove it.
http://www.bleepingcomputer.com/startups/m....exe-23825.html

Unist1.htm and Uninst2.htm
Source

 
<html>
<title>SearchB</title>
<body bgcolor='#eeeeee'>
<font size=+2><b>Search The Web</b></font>
<form method=post action='http://www.openforum.com/search.php'>
<input name=searchTerms value=''> <input type=submit value='Search'>
</form>
<br>
<br>
Type The Letters Below To Verify You Wish To Uninstall
<table bgcolor=#FFFFFF><tr><td><font size=+3>X475Q</font></td></tr></table>
<form action=Uninst2.htm Method=GET>
<input type=text name=verifyText>
<input type=submit value='uninstall'>
</form> 

Source

 
<html>
<title>SearchB</title>
<body bgcolor='#eeeeee'>
<center>
<table width=60% border=0>
<tr>
<td  colspan=3><font size=+1>Do you want to continue to enhance your internet?</font>
</td>
</tr>
<tr>
<td>
<form method=Get action='java script:window.close();'>
<input type=submit value='YES'>
</form>
</td>
<td width=100%>&nbsp;</td>

<td>
<form method=Get action="uni_eh.exe">
<input type=submit value='no'>
</form>
</td>
</table>
</center>
</body>
</html> 

I think I'll remove this also.

... oh noes Vundo...

Last few things from Security Center, those are my doing.

All in all, it isn't as bad as I thought. But that is all for tonight, I make decide to try more things tomorrow night if you are interested.

[Tarun]

Tripredacus, on Jun 15 2009, 06:43 PM, said:

Why is that spam Tarun?

Huh?

----

Definitely scan with more than MBAM. I can guarantee you SuperAntiSpyware will find more than MBAM missed. Malwarebytes doesn't see a purpose in finding older malware, sadly.

So here's my canned speech.
Please download my Anti-Malware Toolkit and get the package that matches your Operating System. Then follow the directions in the PC Cleanup guide. After that, please post a HijackThis log.

[Tripredacus]

I'll check it out. I've actually seen a lot of mention of PCcleanUp before on other forums. I only use MBAM because I found it could find rootkits.

Oh and I knew I said I would run GMER but I don't have it on my keys, so I'll have to copy it tomorrow.

[Dude112]

Well whatever the outcome that computer IS IN GOOD HANDS!!

You will have her happy again in no time

Good luck bud!

[Tripredacus]

It was actually running fine anyways. I just decided to see if it had anything.

[Dude112]

Ah i see

[DigeratiPrime]

So what have we learned?
That even if your pc is seemingly running fine, there may still be a ghost in the machine.

Some other handy programs include:
Process Explorer http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx
Process Hacker http://processhacker...e.net/index.php
YAPM http://yaprocmon.sou...ge.net/faq.html

[cluberti]

Well, considering the mark of a good rogue app is that the user doesn't know it's there, I'd say any machine seeing the internet (or even other networked machines) should be scanned at least once in a while to make sure it's actually as clean as it feels .

[Tripredacus]

I agree. From now on, I will scan for viruses at least twice a decade.