
Discussion Starter · #1 ·
Hi!

I really have a problem with intrusion attempts in my Sygate personal firewall.
Actually, hundreds per minute.

I also have a problem with some driver file ('NDIS User mode I/O Driver', located in '.../WINNT/system32/DRIVERS/ndisuio.sys') that I have now stopped in Services.

However, something is still getting blocked all the time,

though not ndisuio.sys, as the number in "blocked" doesn't rise anymore.

Here are my system specs, just so you know what might be "legit" or not.

Win2K Service Pack 4 + rollup
Norton AntiVirus + Norton Utilities
Audigy soundcard
Lexmark printer
Firefox
both eMule and BOINC are voluntary, so they are legit!
Logitech webcam pro 4000
ATI Radeon SE VGA card!

This is my HijackThis log. (NOTE: THE ONES I HAVE PUT IN BOLD ARE THOSE I'M SUSPICIOUS ABOUT.)
However, if you find something else, you're welcome to bring it to my attention!!!

Logfile of HijackThis v1.99.0
Scan saved at 20:12:24, on 2007-01-13
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\Ati2evxx.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\BOINC\boinc.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINNT\system32\Ati2evxx.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINNT\Explorer.EXE
E:\WINNT\system32\MSTask.exe
E:\Program Files\Speed Disk\nopdb.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\finally\regprot\regprot.exe
E:\WINNT\system32\LVCOMSX.EXE
E:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Lexmark 3300 Series\lxccmon.exe
E:\WINNT\CTHELPER.EXE
E:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
E:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\BoincLogX\boinclogx.exe
E:\Program Files\ATI Multimedia\main\ATIDtct.EXE
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\BOINC\boincmgr.exe
E:\Program Files\OpenOffice.org 2.0\program\soffice.exe
E:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
E:\WINNT\system32\lxcccoms.exe
E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\BOINC\projects\setiathome.berkeley.edu\SaH_5.15_KWSN_SSE2_generic_Ben-Joe_2.0_B.exe
C:\BOINC\projects\setiathome.berkeley.edu\SaH_5.15_KWSN_SSE2_generic_Ben-Joe_2.0_B.exe
E:\finally\hijackthis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hem.bredband.net/b360565/smilies/90/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegProt] e:\finally\regprot\regprot.exe /start
O4 - HKLM\..\Run: [LVCOMSX] E:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [lxccmon.exe] "E:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "E:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BoincLogX] "E:\Program Files\BoincLogX\boinclogx.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] E:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [eMuleAutoStart] E:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: BOINC Manager.lnk = C:\BOINC\boincmgr.exe
O4 - Startup: OpenOffice.org 2.0.lnk = OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office Snabbsökning.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office-autostart.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Office-genvägar.lnk = E:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: &ieSpell Options - res://E:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Blocking access to the document address by AliveProxy - E:\Program Files\AiS AliveProxy Server\aisBlockDocument.html
O8 - Extra context menu item: Blocking access to the image address by AliveProxy - E:\Program Files\AiS AliveProxy Server\aisBlockImage.html
O8 - Extra context menu item: Blocking access to the link address by AliveProxy - E:\Program Files\AiS AliveProxy Server\aisBlockLink.html
O8 - Extra context menu item: Check &Spelling - res://E:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Cut proxy addresses from selected text by AliveProxy - E:\Program Files\AiS AliveProxy Server\aisCutProxyFromSelectedText.html
O8 - Extra context menu item: Download with GetRight Pro - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - E:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - E:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - E:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - E:\Program Files\ieSpell\iespell.dll
O12 - Plugin for .mp3: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124234875937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129158428500
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - E:\WINNT\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\BOINC\boinc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcc_device - Lexmark International, Inc. - E:\WINNT\system32\lxcccoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Sandra Data Service - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: Symantec AVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-------
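A small triage helper for the HijackThis log format shown above, added here as an illustration (it is not part of the thread and not HijackThis's own code): it parses the O4, O16 and O23 line formats and lists the entries a reviewer would look at first, namely Run keys with no absolute path, ActiveX controls installed from a URL, and services whose vendor is "Unknown". The sample lines are copied from the log in this post; a flag means "verify", not "malicious" (cybertech's reply below notes the Citrix and IBM controls are legitimate).

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log in this post (one of each kind
# the parser handles); a flag means "verify", not "malicious".
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O23 - Service: ATI Smart - Unknown - E:\WINNT\system32\ati2sgag.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\BOINC\boinc.exe
""".strip().splitlines()

# O4: autostart entries under HKLM/HKCU ...\Run (Startup-folder O4 lines are left alone).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O16: ActiveX controls installed from a URL (Downloaded Program Files).
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# O23: services written as "name - company - path".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")


def triage(lines):
    """Return (section, name, reason) tuples for entries worth a manual look."""
    findings = []
    for line in lines:
        if m := O4_RE.match(line):
            # A bare file name is resolved through the search path at logon, so
            # it cannot be tied to one file on disk without looking further.
            if not re.match(r'^"?[A-Za-z]:\\', m["cmd"]):
                findings.append(("O4", m["name"], "no absolute path: " + m["cmd"]))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).netloc
            findings.append(("O16", m["name"], "ActiveX control fetched from " + host))
        elif (m := O23_RE.match(line)) and m["company"].strip().lower() == "unknown":
            findings.append(("O23", m["name"], "service vendor unknown: " + m["path"]))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LINES):
        print(f"{section:4} {name:<20} {reason}")
```

Running it on the five sample lines reports CTHelper (bare file name), the Citrix ICA Client control (fetched from a516.g.akamai.net) and the ATI Smart service (vendor Unknown); the ccApp and BOINC lines pass.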
 

Discussion Starter · #3 ·
cybertech said:
Citrix ICA Client and IBM Access Support are legit.

If you want to remove the program that is likely causing problems remove eMule.
No, I don't think it could be eMule; it was inactive/closed at the time this was going on!!!

However, it's not 100% impossible; I had it on earlier today and it could have been old incoming file requests coming in...

What exactly is the Citrix ICA Client?
It seemed to be some remote-control thingy, and I don't think I have installed anything like that on my computer; I have a normal Windows 2000 setup!

And what is this IBM Access Support?
I don't think I have any IBM parts installed; my monitor is a Samtron and nothing else is IBM as far as I can recall.

And this ndisuio.sys?

However, it seems to have cooled down a bit; now I only have a few to five intrusion attempts per minute...