Something rotten afoot...
I've been noticing that in my processes I've got two incidents of IEXPLORE.EXE running, both under my profile and taking up 156,472k and 8,552k. Now generally I don't use IE, only when I've logged on to Steam usually, so I'm puzzled as to why it's there and why it's taking up so much memory. Probably related, whenever I open Steam I get popups for poker sites. Now, malware or spyware immediately springs to mind, but I've scanned my entire system with an up-to-date version of McAfee and with Spybot, and apart from a couple of cookies and one virus (that was deleted) it appears to be clean. I've done all this before though so I don't think it was any of those as they didn't show up last time.
So, is this just Windows pissing about, or is it something more sinister? Anybody know?
- Morbo
- Posts: 19676
- Joined: December 10th, 2004, 21:53
- Shambler In Drag
- Posts: 780
- Joined: March 16th, 2007, 20:22
- Location: on the sofa
This should earn me a few 5perm...
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:44:08, on 24/06/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Simon Naylor\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.5punk.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Dvd Proc] C:\DOCUME~1\SIMONN~1\APPLIC~1\ROAMME~1\DataDoes.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DATA - Unknown owner - C:\WINDOWS\data.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 6639 bytes
- Morbo
- Posts: 19676
- Joined: December 10th, 2004, 21:53
Only thing that really jumps out at me is:
O4 - HKCU\..\Run: [Dvd Proc] C:\DOCUME~1\SIMONN~1\APPLIC~1\ROAMME~1\DataDoes.exe
O23 - Service: DATA - Unknown owner - C:\WINDOWS\data.exe (file missing)
- Shambler In Drag
- Posts: 780
- Joined: March 16th, 2007, 20:22
- Location: on the sofa
I do this a lot so a quick looksee shows me:-
(you're compromised)
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
http://www.ca.com/us/securityadvisor/pe ... x?id=20983
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
http://www.ca.com/us/securityadvisor/pe ... x?id=20983
O23 - Service: DATA - Unknown owner - C:\WINDOWS\data.exe (file missing)
http://www.symantec.com/security_respon ... 10-3226-99
(note that "file missing" doesn't necessarily mean that)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
http://www.punksbusted.com/forums/index ... opic=35677
O4 - HKCU\..\Run: [Dvd Proc] C:\DOCUME~1\SIMONN~1\APPLIC~1\ROAMME~1\DataDoes.exe
Research shows nothing, so delete it; the position it is in shows it's trying to hide. Possibly a new trojan.
Go into safe mode and use HijackThis to delete these values.
Then scan with a decent spyware/av program
P.S. I recommend NOD32 as an AV over McAfee and Norton any day of the week. It classes spyware as a threat, so very little need for spyware programs.
Also is very resource friendly compared to others.
But don't just take my word for it, research it and don't buy it from us when you've found it's the best (just so you know it's not self interest I'm saying this)
- Shambler In Drag
- Posts: 780
- Joined: March 16th, 2007, 20:22
- Location: on the sofa
BTW,
Services - either disable or delete from the registry (HKLM/System/CurrentControlSet/Services)
and another point on NOD32, there are others that have better file access times, but check out the Virus Bulletin website for its In The Wild capture rates compared to the others.
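The eyeballing in the analysis post above (an autorun living under the user's profile with a name that doesn't match its image, a service with "Unknown owner" and "file missing", a binary dropped straight into C:\WINDOWS) can be written down as a scoring pass over the O4 and O23 lines of a HijackThis log. This is an added Python example, not code from the thread or from HijackThis itself; the sample lines are constructed to mirror the log posted earlier, and the weights and FLAG_THRESHOLD are my own assumptions. Run against that sample it flags DataDoes.exe and the DATA service and merely notes PnkBstrA, which is where the thread ends up.

```python
"""Score HijackThis O4 (autorun) and O23 (service) lines with the heuristics the thread applies by eye."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines modelled on the log in the thread; not the original dump.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Dvd Proc] C:\DOCUME~1\SIMONN~1\APPLIC~1\ROAMME~1\DataDoes.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: DATA - Unknown owner - C:\WINDOWS\data.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")
PROFILE_DIRS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\", "\\applic~1\\", "\\application data\\")
FLAG_THRESHOLD = 3  # assumed weights below are my own choice; tune to taste


@dataclass
class Finding:
    line: str
    kind: str                # "O4" or "O23"
    image: str               # the file the entry actually launches
    reasons: List[str] = field(default_factory=list)
    score: int = 0

    def add(self, weight: int, why: str) -> None:
        self.score += weight
        self.reasons.append(why)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def normalise(text: str) -> str:
    return re.sub(r"[^a-z0-9]", "", text.lower())


def image_from_command(cmd: str) -> str:
    """Extract the launched image from an O4 command: quoted path, RUNDLL32 target DLL, or first token."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    if len(parts) > 1 and parts[0].lower() in ("rundll32.exe", "rundll32"):
        return parts[1].split(",", 1)[0]  # RUNDLL32 X.dll,Entry: the DLL is what runs
    return parts[0] if parts else ""


def triage_line(line: str) -> Optional[Finding]:
    m = O4_RE.match(line)
    if m:
        image = image_from_command(m.group("cmd"))
        basename = image.rsplit("\\", 1)[-1]
        f = Finding(line, "O4", image)
        if any(d in image.lower() for d in PROFILE_DIRS):
            f.add(3, "autorun image lives under a user profile / Application Data, not Program Files or System32")
        entry, img = normalise(m.group("name")), normalise(basename.rsplit(".", 1)[0])
        if entry and img and entry not in img and img not in entry:
            f.add(1, f"entry name [{m.group('name')}] does not resemble the image name {basename}")
        if m.group("key").lower() == "runonce":
            f.add(1, "RunOnce entry: runs once at next logon and is then removed, so it is easy to miss")
        return f
    m = O23_RE.match(line)
    if m:
        path = m.group("path")
        f = Finding(line, "O23", path)
        if m.group("owner").strip().lower() == "unknown owner":
            f.add(1, "service binary carries no publisher information")
        if m.group("missing"):
            f.add(2, "HijackThis reports the service image missing (deleted, hidden, or mis-pathed)")
        if WINDOWS_ROOT_RE.match(path.lower()):
            f.add(1, "image sits directly in the Windows directory rather than System32 or Program Files")
        return f
    return None


def triage(log_text: str) -> List[Finding]:
    findings = (triage_line(raw.rstrip()) for raw in log_text.splitlines())
    return [f for f in findings if f is not None]


def flagged_images(log_text: str) -> List[str]:
    return [f.image for f in triage(log_text) if f.flagged]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "FLAG" if f.flagged else ("note" if f.reasons else "ok  ")
        print(f"{tag} [{f.kind}] {f.image}")
        for why in f.reasons:
            print(f"         - {why}")
```

To run it over a saved log, pass the file contents to `triage()`. The "file missing" signal is deliberately not a flag on its own, for the reason the post gives: HijackThis says "missing" when it cannot see the file, which is not the same as the file being gone. Entries that score below the threshold but have reasons are printed as notes, so PnkBstrA and the unregmp2 RunOnce lines stay visible for a human to decide.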
- Berk
- Posts: 10353
- Joined: December 7th, 2004, 17:02
- Location: Oklahoma City, OK, USA
DO NOT get rid of PnkBstrA.exe, that's a PunkBuster file used by BF2142.
data.exe and DataDoes.exe are definite bad guys, and should be terminated.
unregmp2.exe appears to be Windows Media Player related, but I'm not quite sure about it. I'd say leave it unless the problem persists after dumping the other ones.
deject wrote:
DO NOT get rid of PnkBstrA.exe, that's a PunkBuster file used by BF2142.
I have no idea if it is really a bad guy or not, but wtf is it doing in the windows folder? If legitimate (which I'm not convinced of) that is a really stupid place to put it. It certainly shouldn't be running unless a game is. Steam doesn't use it for sure.
In past experience PB sits in with the game folder itself.
Also might be worth looking at the calling process. If it is explorer.exe then I'd kill it; if it is some legitimate application like a game, I'd leave it.
- Morbo
- Posts: 19676
- Joined: December 10th, 2004, 21:53
- Shambler In Drag
- Posts: 780
- Joined: March 16th, 2007, 20:22
- Location: on the sofa
deject wrote:
As for why they're in system32, I think it's because they're run as a service. For some reason it's running all the time though. Stupid, but that's how it works.
Fair enough if they're legitimate. But....
Services don't need to run from system32, that's just very bad programming on their part.
And an anti-cheat system for a game running all the time consuming my system's resources? Call me old fashioned but that's just shit, and even worse than Steam. I'm glad it's not running on my system.
That's Punkbuster though isn't it? It's never been very good. Also, I've just looked at a few independent AV comparisons and they all indicate that NOD32 is the best on the market at the moment. Unless it's stupidly expensive I think I'll be changing over.
EDIT: £46+VAT for three years. I think that's me sold.