Something rotten afoot...
Posted: June 24th, 2007, 18:36
by Dog Pants
I've been noticing that in my processes I've got two incidents of IEXPLORE.EXE running, both under my profile and taking up 156,472k and 8,552k. Now generally I don't use IE, only when I've logged on to Steam usually, so I'm puzzled as to why it's there and why it's taking up so much memory. Probably related, whenever I open Steam I get popups for poker sites. Now, malware or spyware immediately springs to mind, but I've scanned my entire system with an up-to-date version of McAfee and with Spybot, and apart from a couple of cookies and one virus (that was deleted) it appears to be clean. I've done all this before though so I don't think it was any of those as they didn't show up last time.
So, is this just Windows pissing about, or is it something more sinister? Anybody know?
Posted: June 24th, 2007, 18:42
by Dr. kitteny berk
sounds iffy.
grab a free trial of sophos and any other random any spyware.
also, hijackthis.
Posted: June 24th, 2007, 18:57
by deject
sounds bad to me.
run HijackThis!, a-squared anti-spyware, and SUPERantispyware.
Posted: June 24th, 2007, 19:40
by cheeseandham
HijackThis
run a system-scan and save a log file.
Post said logfile here. (put it in [code] and [/code] tags for readability)
wait
Posted: June 24th, 2007, 19:45
by Dog Pants
This should earn me a few 5perm...
Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:44:08, on 24/06/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Simon Naylor\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.5punk.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Dvd Proc] C:\DOCUME~1\SIMONN~1\APPLIC~1\ROAMME~1\DataDoes.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DATA - Unknown owner - C:\WINDOWS\data.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 6639 bytes
Posted: June 24th, 2007, 19:51
by Dr. kitteny berk
Only thing that really jumps out at me is:
Code:
O4 - HKCU\..\Run: [Dvd Proc] C:\DOCUME~1\SIMONN~1\APPLIC~1\ROAMME~1\DataDoes.exe
O23 - Service: DATA - Unknown owner - C:\WINDOWS\data.exe (file missing)
Posted: June 24th, 2007, 19:59
by buzzmong
Simple something, try renaming the proper IE "C:\Program Files\Internet Explorer\iexplore.exe" to something slightly different.
See what happens.
But I'd agree, with the pop ups it sounds iffy.
Posted: June 24th, 2007, 20:03
by Dog Pants
Well, I've manually deleted the registry entry for that and the files. Fuck knows what they were, but if I need it I can always re-install it.
Posted: June 24th, 2007, 20:07
by cheeseandham
I do this a lot so a quick looksee shows me:-
(you're compromised)
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
http://www.ca.com/us/securityadvisor/pe ... x?id=20983
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
http://www.ca.com/us/securityadvisor/pe ... x?id=20983
O23 - Service: DATA - Unknown owner - C:\WINDOWS\data.exe (file missing)
http://www.symantec.com/security_respon ... 10-3226-99
(note that "file missing" doesn't necessarily mean that)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
http://www.punksbusted.com/forums/index ... opic=35677
O4 - HKCU\..\Run: [Dvd Proc] C:\DOCUME~1\SIMONN~1\APPLIC~1\ROAMME~1\DataDoes.exe
Research shows nothing, so delete it, as the position it is in shows it's trying to hide. Possibly a new trojan.
Go into safe mode and use HijackThis to delete these values.
Then scan with a decent spyware/AV program.
P.S. I recommend NOD32 as an AV over McAfee and Norton any day of the week. It classes spyware as a threat, so there's very little need for spyware programs.
Also it is very resource friendly compared to others.
But don't just take my word for it, research it and don't buy it from us when you've found it's the best
(just so you know it's not self interest I'm saying this)
Posted: June 24th, 2007, 20:14
by cheeseandham
BTW,
Services - either disable or delete from the registry (HKLM/System/CurrentControlSet/Services)
And another point on NOD32: there are others that have better file access times, but check out the Virus Bulletin website for its In The Wild capture rates compared to the others.
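The checks cheeseandham walks through above (an O4 autorun launched from inside a user profile, an O23 service with no recorded owner or a binary reported missing) can be applied mechanically to lines in the HijackThis log format. The script below is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the format of the log posted earlier, and the known_good set is a hypothetical allowlist for service names the reader has already vetted.

```python
import re

# Constructed sample in the HijackThis O4/O23 line format shown in the thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Dvd Proc] C:\DOCUME~1\SIMONN~1\APPLIC~1\ROAMME~1\DataDoes.exe
O23 - Service: DATA - Unknown owner - C:\WINDOWS\data.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# O4 lines: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 lines: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

# Long and 8.3 short forms of the user-profile directories on Windows XP; an
# autorun pointing there is the "position it is in shows it's trying to hide" case.
PROFILE_MARKERS = ("documents and settings", "docume~1", "application data", "applic~1")


def triage(log_text, known_good=frozenset()):
    """Return {line: [reasons]} for O4/O23 entries that deserve a second look.

    known_good holds service names the analyst has already vetted, so an
    'Unknown owner' alone is not reported for them (hypothetical allowlist).
    """
    findings = {}
    for line in log_text.splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            if any(marker in cmd for marker in PROFILE_MARKERS):
                reasons.append("autorun launched from a user profile path")
        m = O23_RE.match(line)
        if m and m.group("name") not in known_good:
            if m.group("owner") == "Unknown owner":
                reasons.append("service with no publisher recorded")
            if m.group("path").endswith("(file missing)"):
                # As noted in the thread, "file missing" is not proof the file is absent.
                reasons.append("service binary reported missing; verify on disk")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG, known_good={"PnkBstrA"}).items():
        print(line, "->", "; ".join(why))
```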
Posted: June 24th, 2007, 21:33
by deject
DO NOT get rid of PnkBstrA.exe, that's a PunkBuster file used by BF2142.
data.exe and DataDoes.exe are definite bad guys, and should be terminated.
unregmp2.exe appears to be Windows Media Player related, but I'm not quite sure about it. I'd say leave it unless the problem persists after dumping the other ones.
Posted: June 24th, 2007, 21:40
by Dog Pants
Cheers guys. Not very impressed with McAfee after this, but I bought it because it was a tenner for MOD employees. I'll check out NOD32, and delete it all manually in a minute.
Posted: June 24th, 2007, 23:19
by Fear
deject wrote: DO NOT get rid of PnkBstrA.exe, that's a PunkBuster file used by BF2142.
I have no idea if it is really a bad guy or not, but wtf is it doing in the windows folder? If legitimate (which I'm not convinced) that is a really stupid place to put it. It certainly shouldn't be running unless a game is. Steam doesn't use it for sure.
In past experience PB sits in with the game folder itself.
Also might be worth looking at the calling process. If it is explorer.exe then I'd kill it, if it is some legitimate application like a game I'd leave it.
Posted: June 24th, 2007, 23:22
by Dr. kitteny berk
Afaik they (PnkBstrA.exe & PnkBstrb.exe) are fine, my machine is totally clean (apart from a nasty 2142 infection) and has them, they do live in system32 too.
Posted: June 25th, 2007, 2:30
by deject
PnkBstrA.exe and PnkBstrB.exe are totally legitimate, as I've been told by PunkBuster support when I was having my problems before. As for why they're in system32, I think it's because they're run as a service. For some reason it's running all the time though. Stupid, but that's how it works.
Posted: June 25th, 2007, 7:22
by Dog Pants
Okies, last night I went through and purged my system. I think I got the culprits but I'll check again tonight, so fingers crossed.
Posted: June 25th, 2007, 7:40
by cheeseandham
deject wrote: As for why they're in system32, I think it's because they're run as a service. For some reason it's running all the time though. Stupid, but that's how it works.
Fair enough if they're legitimate. But....
Services don't need to run from system32, that's just very bad programming on their part.
And an anti-cheat system for a game running all the time consuming my system's resources? Call me old fashioned but that's just shit, and even worse than Steam. I'm glad it's not running on my system.
Posted: June 25th, 2007, 8:23
by Dog Pants
That's Punkbuster though isn't it? It's never been very good. Also, I've just looked at a few independent AV comparisons and they all indicate that NOD32 is the best on the market at the moment. Unless it's stupidly expensive I think I'll be changing over.
EDIT: £46+VAT for three years. I think that's me sold.
Posted: June 25th, 2007, 11:29
by Fear
One day I shall write a real-time virus scanning engine for ClamAV that runs on windows. One for assembler I think tho, and I cba just yet. :-)
Edit: Oooooo looks like the ClamWin team are working on it. Pikey Virus Scanner commeth!
Posted: June 25th, 2007, 12:13
by Dog Pants
Fear wrote: Pikey Virus Scanner commeth!
Doesn't AVG hold that title?