blender Site Admin

Joined: 19 Jan 2004 Last Visit: 03 Mar 2011 Posts: 10886 Location: Ontario
Posted: Wed Apr 06, 2005 8:05 pm

Quote: Badass. Nothing found on IRoffer and ServU
Excellent!...That is what we wanted.
You can delete that folder you created for that reg file and vbs file. It did its job.
One more item in HijackThis to fix up. Have HijackThis fix the following:
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
Everything running good now?
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009
If we have helped you please consider a donation. Thank you.
RexatorBirdo Junior Member
Joined: 12 Mar 2005 Last Visit: 17 May 2006 Posts: 39
Posted: Thu Apr 07, 2005 7:47 am
Yep. Thanks for all your help, I would've never realized those FTP servers were on my computer. But, one last thing. When AVG is scanning it always pauses on one file, sometimes it never finishes because of it:
ntoskrnl.exe, is it just huge or something?
blender Site Admin

Posted: Thu Apr 07, 2005 6:33 pm
Hi
ntoskrnl.exe... It should only be about 2 MB in size.
Trying to find info about the scanner freezing up on that file... no luck yet. Let me ask a few of the others here.
Go to C:\Windows\system32\ntoskrnl.exe
Right click | properties
Let me know what you find in there...
Date created, date modified.
Under version tab....
file version, anything else you find.
I would like to see new hijack log too....this line looks odd...:
In your running processes..
C:\Documents and Settings\Johnathan Cruz\Desktop\Installers\MSPAINT.EXE
Thanks!
RexatorBirdo Junior Member
Posted: Thu Apr 07, 2005 6:52 pm
Oh, don't worry about that hijack line, I have MSPaint open often cause I take screenshots of a lot of stuff. It's under that "Installers" folder cause that was my own dumb move. I was cleaning up my desktop, moving installers into there just to make it neater, and put MSPaint in there by accident.
ntoskrnl
Type: Application
Description: NT Kernel & System
Location: C:\WINDOWS\SYSTEM32
Size: 2.07 MB (2,180,992 bytes)
Size on disk: 2.08 MB (2,183,168 bytes)
Created: Tuesday, January 01, 1980, 2:00:00 AM (I don't understand this line, again, I don't think I've had this computer for two years yet.)
Modified: Wednesday, August 04, 2004, 2:19:59 AM
Accessed: Today, April 07, 2005, 10:47:49 PM
Version: 5.1.2600.2180
Description: [same as above]
Copyright: Microsoft Corporation. All rights reserved.
Should I go on?
Logfile of HijackThis v1.99.1
Scan saved at 12:54:53 AM, on 4/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Johnathan Cruz\Desktop\HijackThis\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
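A way to triage a HijackThis log like the one above programmatically, added here as an example; it is not part of the original thread and not code from HijackThis itself. It groups the Oxx lines by section, then applies three of the checks the helpers in this thread do by eye: O1 hosts entries that send a name to a public address (the www.dcsresearch.com line above), O16 downloaded ActiveX controls that carry no friendly name (the pattern of the ouchvideo entry blender had fixed in the previous post), and O23 services whose binary lives outside the usual install roots. The sample lines are copied from the log posted above except for the last O23 line, which is constructed to show a positive hit; the "trusted roots" list and the other thresholds are the example's own heuristics, not HijackThis rules.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: lines copied from the HijackThis log posted above, plus one
# made-up O23 service running from a temp directory so the service check fires.
SAMPLE_LOG = "\n".join([
    r"Logfile of HijackThis v1.99.1",
    r"Platform: Windows XP SP2 (WinNT 5.01.2600)",
    r"O1 - Hosts: 64.91.255.87 www.dcsresearch.com",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab",
    r"O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe",
    r"O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe",
    r"O23 - Service: Example Updater (ExUpd) - Unknown - C:\Documents and Settings\user\Local Settings\Temp\upd.exe",
])

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")
SERVICE_RE = re.compile(r"^Service: (.*?) \((\w+)\) - (.*?) - (.+)$")

# Where a service binary is expected to live on an XP box (8.3 short names included).
# This is the example's own heuristic, not a HijackThis rule.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def parse(log_text):
    """Group HijackThis entries by section id (O1, O4, O16, O23, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def is_local(ip_text):
    """Loopback, unspecified and RFC 1918 targets are the normal contents of a hosts file."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_unspecified


def hosts_findings(entries):
    """O1: a hosts entry that sends a name to a public address is a redirect worth explaining."""
    out = []
    for entry in entries:
        m = HOSTS_RE.match(entry)
        if m and not is_local(m.group(1)):
            out.append(f"O1 redirects {m.group(2)} to public address {m.group(1)}")
    return out


def dpf_findings(entries):
    """O16: a downloaded ActiveX control with no friendly name in parentheses."""
    out = []
    for entry in entries:
        m = DPF_RE.match(entry)
        if m and not m.group(2):
            out.append(f"O16 unnamed ActiveX control {m.group(1)} from {m.group(3)}")
    return out


def service_findings(entries):
    """O23: a service whose binary lives outside the usual install roots."""
    out = []
    for entry in entries:
        m = SERVICE_RE.match(entry)
        if not m:
            continue
        path = m.group(4).strip().strip('"').lower()
        if not path.startswith(TRUSTED_ROOTS):
            out.append(f"O23 service {m.group(2)} runs from {m.group(4)}")
    return out


def triage(log_text):
    sections = parse(log_text)
    return (hosts_findings(sections["O1"])
            + dpf_findings(sections["O16"])
            + service_findings(sections["O23"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the O4 Run entries are parsed too but left for a human, since "known good" there is a judgement call rather than a pattern.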
blender Site Admin

Posted: Fri Apr 08, 2005 12:55 am
Hi
That date created line is kind of odd....Mine says:
Thursday, August 29, 2002, 4:03:30 AM
Let's check and see to make sure you haven't got a rootkit installed.
download rootkitrevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder
Double click rootkitrevealer.exe
Click "scan" and wait for it to finish.
Once done..
Click "file"
Click save
Save it somewhere you will find it and post its results.
Not everything it finds necessarily means a rootkit.
Thanks!
RexatorBirdo Junior Member
Posted: Fri Apr 08, 2005 9:08 am
I got this error when trying to browse into my desktop while saving the log.
http://img.photobucket.com/albums/v131/RexatorBirdo/Error.bmp
Errr, sorry about the small print. Photobucket resizes things automatically. -_-
HKLM\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341\ProductName 7/22/2004 7:47 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}\DisplayName 7/22/2004 7:47 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\d346prt\Cfg\0Jf40 9/26/2004 4:15 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d346prt\Cfg\0Jf41 8/22/2004 1:49 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d346prt\Cfg\0Jf42 8/22/2004 1:49 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d346prt\Cfg\0Jf43 8/8/2004 9:50 AM 0 bytes Hidden from Windows API.
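An added example, not part of the thread and not RootkitRevealer's own code, showing how to summarise a RootkitRevealer report like the one above instead of reading it line by line: each discrepancy is split into path, timestamp, size and description, classified as "hidden" or "mismatch", and the hidden ones are grouped by the service key they sit under, so that a cluster under one driver you can account for stands apart from scattered hidden keys. The sample lines are the six posted above; `known_services` is the analyst's own allowlist, and the only entry in it here, d346prt, is the key blender attributes to Daemon Tools in the next post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the discrepancy lines posted above, as RootkitRevealer printed them.
SAMPLE_RKR = [
    r"HKLM\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341\ProductName 7/22/2004 7:47 PM 26 bytes Data mismatch between Windows API and raw hive data.",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}\DisplayName 7/22/2004 7:47 PM 26 bytes Data mismatch between Windows API and raw hive data.",
    r"HKLM\SYSTEM\ControlSet001\Services\d346prt\Cfg\0Jf40 9/26/2004 4:15 AM 0 bytes Hidden from Windows API.",
    r"HKLM\SYSTEM\ControlSet001\Services\d346prt\Cfg\0Jf41 8/22/2004 1:49 PM 0 bytes Hidden from Windows API.",
    r"HKLM\SYSTEM\ControlSet001\Services\d346prt\Cfg\0Jf42 8/22/2004 1:49 PM 0 bytes Hidden from Windows API.",
    r"HKLM\SYSTEM\ControlSet001\Services\d346prt\Cfg\0Jf43 8/8/2004 9:50 AM 0 bytes Hidden from Windows API.",
]

# <registry path> <m/d/yyyy h:mm AM|PM> <n> bytes <description>
LINE_RE = re.compile(
    r"^(?P<path>\S+) (?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+) bytes (?P<desc>.+)$")
# Pull the driver/service name out of ...\Services\<name>\... paths.
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)\\", re.IGNORECASE)


def classify(desc):
    """Collapse RootkitRevealer's descriptions to the two kinds seen in practice."""
    d = desc.lower()
    if d.startswith("hidden from windows api"):
        return "hidden"
    if "mismatch" in d:
        return "mismatch"
    return "other"


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    svc = SERVICE_KEY_RE.search(m["path"])
    return {
        "path": m["path"],
        "when": datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M %p"),
        "size": int(m["size"]),
        "kind": classify(m["desc"]),
        "service": svc.group(1) if svc else None,
    }


def summarize(lines):
    """Counts per kind and per service key, plus the earliest timestamp (the timeline question)."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "by_kind": dict(Counter(r["kind"] for r in recs)),
        "by_service": dict(Counter(r["service"] for r in recs if r["service"])),
        "first_seen": min(r["when"] for r in recs).date().isoformat() if recs else None,
    }


def unexplained(lines, known_services):
    """Hidden entries that are not under a service key the analyst can account for."""
    return [r["path"] for r in map(parse_line, lines)
            if r and r["kind"] == "hidden" and r["service"] not in known_services]


if __name__ == "__main__":
    print(summarize(SAMPLE_RKR))
    print("unexplained:", unexplained(SAMPLE_RKR, known_services={"d346prt"}))
```

Feed it the saved report with `summarize(open("rkr.txt").read().splitlines())`; once every hidden key is accounted for by `unexplained()` returning an empty list, what is left is the "data mismatch" noise, which RootkitRevealer also produces for ordinary installer keys.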
blender Site Admin

Posted: Fri Apr 08, 2005 3:18 pm
Hi
I should have told you not to save to the desktop either... I get the same error but can save to the desktop if I navigate through the tree the save box shows ya.
Small print is ok...I have eyes like a hawk.
Those items all look to be related to Daemon Tools which I saw you had installed. Timeline about right?
Also going to get one of the other members here to pop in for a looksee. If anyone can figure out why date is screwy with ntoskrnl.exe she will.
Give her till tomorrow sometime.
Thanks.
Mosaic1 SWW Distinguished Expert
Joined: 29 Jun 2004 Last Visit: 11 Aug 2011 Posts: 2174
Posted: Fri Apr 08, 2005 10:37 pm
Hi,
Yes. That date is odd.
Here is the information on the file from the MS dll Database.
Quote:
File Name: ntoskrnl.exe
File Version: 5.1.2600.2180
File Description: NT Kernel & System
This file belongs to below software package(s)
Name                                 File Size  File Date  Package       File Path
Microsoft Windows XP Service Pack 2  2180992    8/4/2004   SP2.CAB       \I386
Microsoft Windows XP Service Pack 2  2180992    8/4/2004   NTOSKRNL.EX_  \I386
Microsoft Windows XP Service Pack 2  2180992    8/3/2004   SP2.CAB       \I386
Microsoft Windows XP Service Pack 2  2180992    8/3/2004   NTOSKRNL.EX_  \I386
See that date? That is the date MS created or modified the file.
8/4/2004 It will show as Date Modified on your system and does in fact, match. So does the size.
On your system the date created for the file would be the date it was installed on your system.
Have a look at some of your other major SP2 files and see what they show as Date Created. I wonder if you had a time and date glitch. In fact, you can arrange the files by date and have a look around. This is a first step.
RexatorBirdo Junior Member
Posted: Sat Apr 09, 2005 1:52 pm
Quote: Timeline about right?
??? Is that sarcasm?... *Can't tell.*
Quote: Have a look at some of your other major SP2 files and see what they show as Date Created. I wonder if you had a time and date glitch. In fact, you can arrange the files by date and have a look around. This is a first step.
Ok... What are the other major SP2 files?
blender Site Admin

Posted: Sun Apr 10, 2005 5:00 am
Hi Rex
No, that is not sarcasm... I meant, was that about the time you installed Daemon Tools? (July 2004)
A few files you can check... all in the system32 folder:
Don't need to check all of them but do check a few.
alg.exe
svchost.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
userinit.exe
See if the date created is the same as your ntoskrnl.exe.
I wouldn't have both antivirus programs running either... just keep either AV Personal or AVG running all the time.
Having both running, especially while doing a scan, will freeze things up.
While running a scan with, say, AVG, AV Personal is also checking each file as AVG accesses it.
Let me know what you find on those other files.
Thanks.
blender Site Admin

Posted: Sun Apr 10, 2005 6:42 am
Hi
Also check ntoskrnl.exe in this folder:
c:\Windows\ServicePackFiles\i386\ntoskrnl.exe
RexatorBirdo Junior Member
Posted: Sun Apr 10, 2005 9:37 pm
Quote: No, that is not sarcasm... I meant, was that about the time you installed Daemon Tools? (July 2004)
Ok. Then yes, I would think so. I downloaded it quite a long time ago.
Quote: I wouldn't have both antivirus programs running either... just keep either AV Personal or AVG running all the time. Having both running, especially while doing a scan, will freeze things up. While running a scan with, say, AVG, AV Personal is also checking each file as AVG accesses it.
No wonder. Thanks for letting me know, I'll continue to run AVG all the time, I turned AV off from startup now.
---
ntoskrnl - Tuesday, January 01, 1980, 2:00:00 AM
alg - Saturday, March 19, 2005, 5:19:23 PM (Remember, I deleted this one, and copied it back from the I386 folder.)
svchost - Thursday, August 29, 2002, 7:00:00 AM
services - Thursday, August 29, 2002, 7:00:00 AM
winlogon - Thursday, August 29, 2002, 7:00:00 AM
csrss - Thursday, August 29, 2002, 7:00:00 AM
smss - Thursday, August 29, 2002, 7:00:00 AM
userinit - Thursday, August 29, 2002, 7:00:00 AM
ntoskrnl (from I386) - Wednesday, August 04, 2004, 2:19:59 AM
blender Site Admin

Posted: Mon Apr 11, 2005 4:49 am
Hi
Ok... let's scan that ntoskrnl.exe file from your system32 folder here:
http://virusscan.jotti.org/
Once on the site, hit the 'browse' button, navigate to system32, highlight ntoskrnl.exe, hit "open", then submit.
It will take a few minutes because it's a 2 MB file and 13 scanners are looking at it.
Post the results here please.
Do tell me if it shows any packers detected info.
Don't delete the file if it says anything about it or you won't get the computer restarted.
Thanks!
RexatorBirdo Junior Member
Posted: Mon Apr 11, 2005 1:16 pm
None of the scanners found anything.
File: ntoskrnl.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: -
Scanner results:
AntiVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
mks_vir: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
VBA32: Found nothing
blender Site Admin

Posted: Mon Apr 11, 2005 6:45 pm
Ok...couple more questions...
You know anything about this program? (accessdiver)
c:\program files\accessdiver\ad4.170.exe
Did you at one point use a program to change your boot screen?
Does this program do that?
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Thanks!
RexatorBirdo Junior Member
Posted: Tue Apr 12, 2005 7:23 am
That program (Accessdiver) is used to test the security of websites. But I never changed my boot screen.
Also, should I have six svchost.exes running at once? Three are from system, two are from network service, one is from local service.
blender Site Admin

Posted: Fri Apr 15, 2005 12:28 am
Hi Rex
Sorry for the delay... getting buried in logs... lol
Yes it is normal to have several svchost.exe running.
Each one runs several services.
Don't try killing the task on any of them or it will likely crash the machine.
Can I get you to send me a copy of ntoskrnl.exe from your system32 folder?
I'd prefer it if you zip it up please.
You can click the email button at the bottom of my post for my email address.
Thanks!
RexatorBirdo Junior Member
Posted: Sat Apr 16, 2005 2:51 am
Ok, sorry for such a late response, but I sent the exe. You should get an email from a McDaReskcator.
blender Site Admin

Posted: Mon Apr 18, 2005 4:00 am
Hi Rex
Can you try emailing that file again please?... I never received even an email from you.
Thanks.
RexatorBirdo Junior Member
Posted: Tue Apr 19, 2005 2:05 am
Ok, resent.