Transfer in kBs without my knowledge!

Status
Not open for further replies.
here's the log file-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:48:08, on 01-05-2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\USB Safely Remove\USBSRService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ChgService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NetLimiter 2 Monitor\NLClient.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\PersistenceThread.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Documents and Settings\PUSHP MISHRA\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\igfxext.exe

C:\Documents and Settings\PUSHP MISHRA\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\PUSHP MISHRA\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\PUSHP MISHRA\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\USB Safely Remove\USBSafelyRemove.exe

C:\Program Files\NetMeter\NetMeter.exe

C:\Documents and Settings\PUSHP MISHRA\Desktop\icons\ashut21\AutoShutdown\autoshutdown2.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\Documents and Settings\PUSHP MISHRA\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\PUSHP MISHRA\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Documents and Settings\PUSHP MISHRA\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = iGoogle Redirect

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = iGoogle Redirect

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = iGoogle Redirect

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = iGoogle Redirect

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iGoogle Redirect

F2 - REG:system.ini: UserInit=userinit.exe,

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [PersistenceThread] C:\WINDOWS\system32\PersistenceThread.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe

O4 - HKLM\..\Run: [Google Desktop Search] :"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [SunJavaUpdateSched] :"C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [SMART Monitor] C:\Program Files\SMART Monitor\SMART Monitor.exe

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdloader] :"C:\Documents and Settings\PUSHP MISHRA\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [msnmsgr] :"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Messenger (Yahoo!)] :"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [USB Safely Remove] C:\Program Files\USB Safely Remove\USBSafelyRemove.exe /startup

O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] :"C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [AutoShutdown] C:\Documents and Settings\PUSHP MISHRA\Desktop\icons\ashut21\AutoShutdown\autoshutdown2.exe

O4 - Global Startup: Acer VCM.lnk = ?

O4 - Global Startup: ~Disabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - (no file)

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1264845258703

O18 - Protocol: skyline - {3A4F9195-65A8-11D5-85C1-0001023952C1} - C:\Program Files\Bhuvan\TerraExplorerX.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll

O23 - Service: Change Modem Device Service - Unknown owner - C:\WINDOWS\system32\ChgService.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe

O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe

O23 - Service: USB Safely Remove Assistant (USBSafelyRemoveService) - Unknown owner - C:\Program Files\USB Safely Remove\USBSRService.exe

--

End of file - 9267 bytes

Here is what I got when I scanned with COMODO Internet Security-
 

Attachment: virus.JPG (142.1 KB)
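As an added example (not from the thread, not part of HijackThis), here is a small Python triage script for the log format posted above. It parses the R/F/O entry lines and applies a few defender-side review rules that match the advice given later in this thread: BHO entries marked "(no file)", autostart entries whose binary lives under a user-writable profile folder (like the autoshutdown2.exe entry on the Desktop), AppInit_DLLs, and services with an unknown owner. The sample input is a handful of lines copied from the log above; the flagging rules and the folder list are my own assumptions, and a hit means "verify this entry", not "this is malware".

```python
import re

# Constructed sample input: a few lines copied from the HijackThis log posted
# in this thread, in the tool's own "<section> - <body>" line format.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = iGoogle Redirect
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [AutoShutdown] C:\Documents and Settings\PUSHP MISHRA\Desktop\icons\ashut21\AutoShutdown\autoshutdown2.exe
O4 - HKCU\..\Run: [cdloader] :"C:\Documents and Settings\PUSHP MISHRA\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll
O23 - Service: Change Modem Device Service - Unknown owner - C:\WINDOWS\system32\ChgService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
--
End of file - 9267 bytes
"""

# Entry lines look like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe /flag".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter paths ending in .exe/.dll; non-greedy so that two paths on one
# line (AppInit_DLLs) come out as separate matches.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

# Assumption for this example: autostart binaries under these profile folders
# deserve a second look, because any user-level program can write there.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def parse_hjt(text):
    """Return one dict per R/F/O entry: section code, body text, paths found."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            body = m.group("body")
            entries.append({"section": m.group("section"), "body": body,
                            "paths": PATH_RE.findall(body)})
    return entries


def triage(entries):
    """Apply the review rules; each finding is (section, reason, detail)."""
    findings = []
    for e in entries:
        sec, body, paths = e["section"], e["body"], e["paths"]
        if sec == "O2" and body.endswith("(no file)"):
            findings.append((sec, "orphaned BHO entry, no file on disk", body))
        elif sec == "O4":
            for p in paths:
                if any(k in p.lower() for k in USER_WRITABLE):
                    findings.append((sec, "autostart from user-writable folder, confirm it is intended", p))
        elif sec == "O20":
            for p in paths:
                findings.append((sec, "AppInit_DLLs entry is loaded into every process that uses user32.dll, verify publisher", p))
        elif sec == "O23" and "- Unknown owner -" in body:
            findings.append((sec, "service with no recorded vendor, verify the binary", paths[0] if paths else body))
    return findings


def report(text):
    """Human-readable summary, one line per finding."""
    return [f"[{sec}] {reason}: {detail}" for sec, reason, detail in triage(parse_hjt(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a full log by reading the file into `report()`; entries under C:\WINDOWS or C:\Program Files are deliberately left alone so the output stays short enough to check by hand.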
There are no suspicious processes running on your computer according to that log, except the "autoshutdown2.exe". Do you know what it is? If not, delete it, but take a backup of it in case some software doesn't work properly due to its removal.

Other than that, do the packet sniffing to see what data is being transferred over the net. That sniffer can also show the filename of the process doing the transfer even if it is a rootkit. If it is a rootkit, it won't show up in Task Manager or the HijackThis log.
 
autoshutdown2.exe - that's a program I use to shut down the PC automatically in my absence, usually when downloading! ^^

Talking about SmartSniff.. I have no idea how to use it :ashamed:
 
Hmmm.. your machine seems clean, so try this.

1) Leave your machine idle for, say, 30 minutes and check how much data is being transferred. Don't trust any software: after 30 minutes disconnect your internet and check the usage for that session in BSNL's usage-checking portal.

2) What method are you using to connect to the internet? Ethernet or wireless?
 
Actually SmartSniff is not a software for checking viruses, but it can sometimes prove useful to get some clues about the unnecessary internet activity. It's a lengthy process requiring some googling and may or may not be useful. Nevertheless, it's better to give it a try.

You need to make sense of the data sniffed by it and decide whether it is suspicious or not. If it is suspicious, like say the data sniffed shows sending of spam emails by xyz.exe, then it means xyz.exe is the culprit, and since you cannot see it in Task Manager, it is a hidden process (rootkit), and then you need to hunt it down by checking all the startup entries. As you said, svchost.exe was doing the transfer, so if the sniffed data shows suspicious data for it, then it means it is injected with the virus's code. Then you'll have to check the DLLs loaded by it.

Here's how to use SmartSniff:
1) Download it here: (download link at bottom) SmartSniff: Freeware Packet Sniffer - Capture TCP/IP packets on your network adapter
2) Extract and open smsniff.exe
3) From View > Choose Columns tick Process Filename and Process ID.
4) Click the Play button. Select Capture method - Raw socket. Network Adapter - if there's only one, well and good; if more, then select the one having your computer's LAN IP.

Test if it is sniffing the data sent and received over the net properly by going to some site. You should see something like http://www.nirsoft.net/utils/smsniff.gif

Now when you see there is unnecessary transfer taking place when none of your internet-related programs are open, open the sniffer and start sniffing. You should see which process is transferring data. As you said earlier, svchost.exe will probably be there. Check for any more processes which might be rootkits. If you see any, bingo! it's the culprit. Otherwise, check the data sent and received by svchost.exe by clicking on each packet stream. Try to get some clues from the data about which site or IP it was communicating with, and the port number. You can then look up 'whois' information on the net about that IP or site. *Google all the way*

EDIT: forgot to mention... use 'Sysinternals Autoruns' to check for all startup entries on your computer. Google it, first result.
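The sniffing step above boils down to three questions: which process is moving bytes while nothing should be, how much, and to which remote address and port, so that the address can be looked up afterwards. As an added example, not from the post and not part of SmartSniff, here is a Python script that answers those questions over a captured session saved as CSV. The column layout (time, process, remote_ip, remote_port, bytes) is my own assumption and not SmartSniff's export format; the rows are constructed, using documentation IP ranges, to mimic an idle window in which svchost.exe keeps talking; the set of processes expected to phone home while idle and the byte threshold are assumptions you would replace with your own.

```python
import csv
import io
from collections import defaultdict

# Constructed capture of an "idle" window (no browser or chat client open).
# The column layout is assumed for this example, not SmartSniff's own export.
# IPs come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_CAPTURE = """time,process,remote_ip,remote_port,bytes
12:48:10,svchost.exe,203.0.113.10,443,1460
12:48:11,svchost.exe,203.0.113.10,443,1460
12:48:12,cmdagent.exe,198.51.100.5,80,320
12:48:20,svchost.exe,203.0.113.10,443,1460
12:48:25,svchost.exe,198.51.100.77,80,512
12:48:30,jusched.exe,198.51.100.5,80,256
"""

# Assumption: programs the owner knows check for updates on their own.
EXPECTED_IDLE = {"cmdagent.exe", "jusched.exe"}
# Assumption: more than this many bytes from one process during the idle
# window is worth explaining.
IDLE_BYTES_THRESHOLD = 4096


def parse_capture(text):
    """Turn the CSV export into records keyed by an 'ip:port' endpoint."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"time": r["time"], "process": r["process"],
             "endpoint": f'{r["remote_ip"]}:{r["remote_port"]}',
             "bytes": int(r["bytes"])} for r in rows]


def bytes_by_process(records):
    """Total bytes seen per process filename."""
    totals = defaultdict(int)
    for r in records:
        totals[r["process"]] += r["bytes"]
    return dict(totals)


def endpoints_for(records, process):
    """Remote endpoints one process talked to, largest byte count first."""
    per_ep = defaultdict(int)
    for r in records:
        if r["process"] == process:
            per_ep[r["endpoint"]] += r["bytes"]
    return sorted(per_ep.items(), key=lambda kv: (-kv[1], kv[0]))


def flag(records, expected=EXPECTED_IDLE, threshold=IDLE_BYTES_THRESHOLD):
    """Processes that should not be talking, or talk too much, while idle."""
    flagged = []
    for process, total in sorted(bytes_by_process(records).items()):
        reasons = []
        if process not in expected:
            reasons.append("not expected to send data while idle")
        if total > threshold:
            reasons.append(f"{total} bytes exceeds idle threshold {threshold}")
        if reasons:
            flagged.append((process, total, "; ".join(reasons)))
    return flagged


def report(text):
    """Lines a person can act on: suspect process plus the endpoints to look up."""
    records = parse_capture(text)
    lines = []
    for process, total, reason in flag(records):
        lines.append(f"{process}: {total} bytes ({reason})")
        for endpoint, n in endpoints_for(records, process):
            ip = endpoint.split(":")[0]
            lines.append(f"  {endpoint} {n} bytes -> look up whois for {ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

The grouping by endpoint is what makes the whois step practical: a process that spreads a few kilobytes over one address on port 443 reads very differently from one that touches dozens of addresses, and the sorted list shows that at a glance.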
 
1) Leave your machine idle for, say, 30 minutes and check how much data is being transferred. Don't trust any software: after 30 minutes disconnect your internet and check the usage for that session in BSNL's usage-checking portal.

2) What method are you using to connect to the internet? Ethernet or wireless?

1. I use NetMeter to monitor the data transferred, so I don't really have to move around to get accurate measurements.

2. Wireless (from a router + old BSNL modem).


Thanks mate, you guys are awesome... BTW I will sniff it out... and I don't know why svchost.exe is not showing its colours for a few days :S

- downloading Rootkit Revealer! Helpful?

EDIT: when scanning ^^ a blue error came in front of the screen and the system restarted!!!!!!?
 
Try disabling BITS (Background Intelligent Data service). Maybe it's some kind of Windows update causing the data transfer.
 
M@crosoft said:
- downloading Rootkit Revealer! Helpful?
EDIT: when scanning ^^ a blue error came in front of the screen and the system restarted!!!!!!?

The same had happened with me also, using another anti-rootkit software, when I was infected. But now that my system is clean, it doesn't crash. Guess it means you do have a rootkit.
 
MenTaLLyMenTaL said:
The same had happened with me also, using another anti-rootkit software, when I was infected. But now that my system is clean, it doesn't crash. Guess it means you do have a rootkit.

Any straight and easy way of cleaning it? ^o
 
Guys,

the problem has revived!

I get rootkits when I scan with various other anti-rootkits other than RootkitRevealer,

& I get a warning when trying to fix them that it may lead to system failure.
 