Thread ID: 81619 2007-08-02 00:13:00 Arrghhh - Network computer problem Obelix (752) Press F1
Post ID Timestamp Content User
575382 2007-08-02 00:13:00 Okay,

We have had our domain blacklisted at work, and I have been struggling for the last couple of days trying to find out which machine has possibly caused the problem. I have isolated the machine and run HijackThis and Spybot on it, and nothing sticks out like a sore thumb.

The computer in question has Windows XP Pro loaded, and we run Symantec AntiVirus Corporate Edition.

My SonicWall firewall's bandwidth-per-IP-address report is showing this machine sending out approximately 2MB of data every 5 minutes to the net.

What I am thinking is that I do not know where to look next. I was thinking of maybe installing a packet sniffer and having a look at the inbound/outbound packets from this computer, but I'm not sure what packet sniffer to use.

Has anyone got any other suggestions/ideas of things to look at before I need to reformat and start again?

Thanks in advance
Obelix (752)
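A way to pull the same signal out of a per-IP bandwidth log without the SonicWall GUI, as an added example that is not part of the original thread. It assumes a constructed, simplified firewall log format ("<ISO timestamp> <src ip> <dst ip> <bytes out>", one line per flow) and that the site LAN is 192.168.0.0/16; the sample lines are made up. It flags hosts whose Internet-bound transfers recur at a nearly fixed interval with a nearly fixed size, which is the "2MB every 5 minutes" pattern the OP describes and is typical of an infected host checking in or pushing traffic out on a timer.

```python
"""Flag hosts whose Internet-bound transfers recur at a near-constant
interval with a near-constant size (beacon-like traffic).

Added example; not from the thread.  Assumptions: a simplified firewall
log of '<ISO timestamp> <src ip> <dst ip> <bytes out>' per flow, and a
site LAN of 192.168.0.0/16.  SAMPLE_LOG is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed site LAN plus loopback; anything else counts as "the net".
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

# Constructed sample: 192.168.1.57 pushes ~2 MB to one outside host every
# five minutes; 192.168.1.23 shows ordinary bursty browsing plus a large
# copy to an internal server, which must not count as Internet traffic.
SAMPLE_LOG = """\
2007-08-02T09:00:12 192.168.1.57 203.0.113.10 2097152
2007-08-02T09:00:40 192.168.1.23 198.51.100.5 14000
2007-08-02T09:05:11 192.168.1.57 203.0.113.10 2100000
2007-08-02T09:07:02 192.168.1.23 198.51.100.7 230000
2007-08-02T09:10:13 192.168.1.57 203.0.113.10 2090000
2007-08-02T09:12:45 192.168.1.23 192.168.1.5 5000000
2007-08-02T09:15:12 192.168.1.57 203.0.113.10 2105000
2007-08-02T09:20:12 192.168.1.57 203.0.113.10 2098000
2007-08-02T09:21:30 192.168.1.23 198.51.100.9 9000
"""


def is_internal(addr):
    """True for addresses inside the site LAN or loopback."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        ts, src, dst, nbytes = parts
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(text, min_events=4, max_jitter=0.10):
    """Return {src: summary} for sources whose Internet-bound transfers
    recur at near-constant intervals with near-constant size.

    max_jitter is the allowed coefficient of variation (stddev / mean)
    for both the gap between events and the bytes per event.
    """
    events = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        if is_internal(dst):
            continue  # LAN traffic (e.g. to the Accpac server) is not the concern
        events[src].append((ts, nbytes))

    beacons = {}
    for src, evs in events.items():
        if len(evs) < min_events:
            continue
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        sizes = [n for _, n in evs]
        if mean(gaps) == 0 or mean(sizes) == 0:
            continue
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_jitter and size_cv <= max_jitter:
            beacons[src] = {
                "events": len(evs),
                "interval_s": round(mean(gaps)),
                "bytes_per_event": round(mean(sizes)),
                "total_bytes": sum(sizes),
            }
    return beacons


if __name__ == "__main__":
    for host, info in find_beacons(SAMPLE_LOG).items():
        print(host, info)
```

The regularity test is what separates a beacon from a busy user: 192.168.1.23 moves more bytes in total, but its gaps and sizes are all over the place and it never reaches the event threshold, while 192.168.1.57 is reported with a 300-second interval. Tune `max_jitter` upward if the firewall aggregates flows into coarse buckets.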
575383 2007-08-02 00:22:00 Well, post the HJT log here; we'll see if you missed something. Speedy Gonzales (78)
575384 2007-08-02 00:28:00 Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:25 a.m., on 02/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Documents and Settings\bronwynw\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///H:/homepage.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {038EE88B-DA99-45FA-9580-3539A7BCC0AF} (AccpacIC1630.AccpacIC1630UICtrl) - ubsterm
O16 - DPF: {17116C1D-24CD-4C05-A789-EA645C767507} (AccpacPO5530.AccpacPO5530UICtrl) - ubsterm
O16 - DPF: {1B67F724-093E-4936-8602-FA1E781983B8} (AccpacIC1640.AccpacIC1640UICtrl) - ubsterm
O16 - DPF: {2AB120B4-B628-422B-9347-5F6202BB87ED} (AccpacIC1130.AccpacIC1130UICtrl) - ubsterm
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - ubsterm
O16 - DPF: {31C7E2CB-BD7A-4A6E-8FEC-6D73F0FEDF21} (AccpacPO3030.AccpacPO3030UICtrl) - ubsterm
O16 - DPF: {33FB2540-4519-4839-A5B8-F9AB31D10454} (AccpacOE1300.AccpacOE1300UICtrl) - ubsterm
O16 - DPF: {367729B2-A324-4D57-94A7-21DDACE10175} (AccpacAP1200.ACCPACAP1200UICtrl) - ubsterm
O16 - DPF: {3AE81EA8-4262-4E06-95D7-D09CBB764CFF} (AccpacIC6500.AccpacIC6500UICtrl) - ubsterm
O16 - DPF: {3E237CAF-8714-4CFA-8867-EFAA80248D91} (AccpacPO5510.AccpacPO5510UICtrl) - ubsterm
O16 - DPF: {43886B4C-9D8C-46A1-AE8E-3AA9B1B41D82} (AccpacCS5000.AccpacCS5000UICtrl) - ubsterm
O16 - DPF: {4B8AC888-9599-49F0-A45C-434CF0E4F91C} (AccpacPO3010.AccpacPO3010UICtrl) - ubsterm
O16 - DPF: {51E46FC6-C6C7-4157-AEFB-96B0ACF1C252} (AccpacAP1100.ACCPACAP1100UICtrl) - ubsterm
O16 - DPF: {5B8C35BB-08AD-4C9A-8869-1BDEC0837B29} (AccpacPO1320.AccpacPO1320UICtrl) - ubsterm
O16 - DPF: {5ECCAB1F-DCB9-49D7-BAB4-609C32B2E985} (AccpacPO3020.AccpacPO3020UICtrl) - ubsterm
O16 - DPF: {6032A120-515E-4B47-A244-377F70CC806E} (AccpacAP7108.ACCPACAP7108UICtrl) - ubsterm
O16 - DPF: {62A9081E-161A-4BD7-93D2-3515084992A2} (AccpacOE1200.AccpacOE1200UICtrl) - ubsterm
O16 - DPF: {6CB2AB21-299E-4D46-BBC1-A91A9B8BEAE3} (AccpacOE1150.AccpacOE1150UICtrl) - ubsterm
O16 - DPF: {6D8454CC-7D87-4286-9C1F-665672DE4A41} (AccpacIC1120.AccpacIC1120UICtrl) - ubsterm
O16 - DPF: {73131FAC-9190-4EF2-B221-59F066295D95} (AccpacIC3310.AccpacIC3310UICtrl) - ubsterm
O16 - DPF: {78FE0EA0-052C-4DD5-9F60-7F0E9AE3B6E4} (AccpacPO1310.AccpacPO1310UICtrl) - ubsterm
O16 - DPF: {7D0E9463-D0F4-4A3D-AEEB-58FE1D9D20ED} (AccpacPO1210.AccpacPO1210UICtrl) - ubsterm
O16 - DPF: {814CF7F1-D7A2-4485-AD9D-9C787158DD86} (AccpacPO3040.AccpacPO3040UICtrl) - ubsterm
O16 - DPF: {846C0AB0-0A09-4DCF-8C42-2737EFF47CF4} (AccpacAS3000.ACCPACAS3000UICtrl) - ubsterm
O16 - DPF: {8783E243-5A1A-4201-AC4D-403DC3808550} (AccpacPO1400.AccpacPO1400UICtrl) - ubsterm
O16 - DPF: {8A176BFE-5C07-4633-8F3D-FA414A01DD95} (AccpacOE1400.AccpacOE1400UICtrl) - ubsterm
O16 - DPF: {97A76000-2EAA-4E22-BC3F-135D45358600} (AccpacOE2400.AccpacOE2400UICtrl) - ubsterm
O16 - DPF: {B6B35894-DD6F-11D3-84AC-00C04F0E1B46} (ACCPAC Signon Manager) - ubsterm
O16 - DPF: {C01A9713-D81C-4366-9948-D5C79448EED4} (AccpacAS2000.AccpacAS2000UICtrl) - ubsterm
O16 - DPF: {C24738D6-77AA-487A-B71A-EAC6604DA494} (AccpacIC1110.AccpacIC1110UICtrl) - ubsterm
O16 - DPF: {C6CBF710-F301-4BA0-A71E-04AFC450F6FA} (AccpacOE2200.AccpacOE2200UICtrl) - ubsterm
O16 - DPF: {CC5F6562-BF64-436C-898F-97BEBB5521DD} (AccpacIC1140.AccpacIC1140UICtrl) - ubsterm
O16 - DPF: {D2B9B6AE-5BA4-413E-8C69-8F2A1C942B2A} (AccpacOE1600.AccpacOE1600UICtrl) - ubsterm
O16 - DPF: {D44555E4-2447-41C4-9B66-ED4653EC925D} (ACCPAC Web Session Manager) - ubsterm
O16 - DPF: {E79A4447-2ABB-4231-AE97-BD809D53FCC8} (AccpacIC1620.AccpacIC1620UICtrl) - ubsterm
O16 - DPF: {EBBA3D12-2AD8-4872-9B85-16ED0A48D91A} (AccpacOE1900.AccpacOE1900UICtrl) - ubsterm
O16 - DPF: {F370E47D-1A45-4DB9-8A3C-A19B384D3EA9} (AccpacOE3110.AccpacOE3110UICtrl) - ubsterm
O16 - DPF: {F3E6B2AA-3670-4CA5-97C1-5F3EA9FCEB1D} (AccpacIC6600.AccpacIC6600UICtrl) - ubsterm
O16 - DPF: {F6B6C55A-7183-4FD4-9E8D-3D0834CDC4B2} (AccpacOE1100.AccpacOE1100UICtrl) - ubsterm
O16 - DPF: {FBB13A0F-5A97-48A6-BDCD-F7BD3AE7B785} (AccpacPO1110.AccpacPO1110UICtrl) - ubsterm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = UBS.local
O17 - HKLM\Software\..\Telephony: DomainName = UBS.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = UBS.local
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8241 bytes
Obelix (752)
575385 2007-08-02 00:54:00 Do you know what these entries belong to?

Are they part of the network?

O16 - DPF: {038EE88B-DA99-45FA-9580-3539A7BCC0AF} (AccpacIC1630.AccpacIC1630UICtrl)

You don't need this; it's safe.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

I would use MSN Messenger. Windows Messenger is too buggy.

It's most probably Windows Messenger sending out crap.

I would also uninstall ALL versions of Sun Java; yours is out of date.

Link is in my sig.
Speedy Gonzales (78)
575386 2007-08-02 00:57:00 The Accpac entries are all valid, and part of our internal network.

I will do as you suggest, but that still does not explain why this machine has sent out 29MB of data in 60 minutes.
Obelix (752)
575387 2007-08-02 02:43:00 How about blocking all Internet access through your firewall, and then seeing exactly what program/file etc. is asking for access when it can't get through automatically? Could work. beeswax34 (63)
575388 2007-08-02 02:47:00 At a command prompt, try:

netstat -b
or
netstat -a

It will give you a list of connections.
snoopy (74)
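Going one step past `netstat -a`, as an added example that is not part of the thread: join `netstat -ano` (which prints the owning PID on every row; `-b` prints the binary name instead but needs administrator rights) with `tasklist /fo csv`, keep only TCP connections whose far end is outside the LAN, and name the process behind each. Both captures below are constructed, and the LAN is assumed to be 192.168.0.0/16. The output to watch for is a socket owned by a PID that tasklist does not list at all: the TCP table knows the process but the process API does not, which is the kind of cross-view gap a rootkit like the one found later in this thread creates, and the cue to reach for RootkitRevealer rather than another HijackThis pass.

```python
"""Attribute Internet-bound TCP connections to processes by joining the
output of 'netstat -ano' with 'tasklist /fo csv'.

Added example; not from the thread.  The two captures below are
constructed, and the site LAN is assumed to be 192.168.0.0/16.
"""
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site LAN plus loopback; anything else counts as "the net".
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

# Constructed 'netstat -ano' capture.  PID 1340 holds two outbound SMTP
# connections and, deliberately, does not appear in the tasklist capture.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    192.168.1.57:1045      192.168.1.5:80         ESTABLISHED     1788
  TCP    192.168.1.57:1102      203.0.113.10:25        ESTABLISHED     1340
  TCP    192.168.1.57:1103      198.51.100.7:25        SYN_SENT        1340
  TCP    192.168.1.57:1110      198.51.100.20:80       ESTABLISHED     1788
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed 'tasklist /fo csv' capture taken at the same moment.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","896","Console","0","4,912 K"
"iexplore.exe","1788","Console","0","31,004 K"
"""


def is_internal(addr):
    """True for addresses inside the site LAN or loopback."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist /fo csv' output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each TCP/UDP row.
    UDP rows have no State column, so the PID is read from the end."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        pid = int(parts[-1])
        state = parts[3] if proto == "TCP" else ""
        yield proto, local, remote, state, pid


def external_connections(netstat_text, tasklist_text):
    """TCP connections (not listeners) whose remote end is outside the LAN,
    each tagged with the owning process name, or a marker if tasklist
    has no entry for that PID."""
    names = parse_tasklist(tasklist_text)
    out = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state == "LISTENING":
            continue
        host, _, port = remote.rpartition(":")
        if is_internal(host):
            continue
        out.append({
            "process": names.get(pid, "<unknown pid %d>" % pid),
            "pid": pid,
            "remote": remote,
            "port": int(port),
            "state": state,
        })
    return out


def smtp_talkers(netstat_text, tasklist_text):
    """Processes talking to port 25 outside the LAN.  A workstation doing
    this is the first suspect when the company's domain gets blacklisted."""
    return sorted({c["process"] for c in external_connections(netstat_text, tasklist_text)
                   if c["port"] == 25})


def unattributed_pids(netstat_text, tasklist_text):
    """PIDs that own sockets but are absent from tasklist: the TCP table
    sees a process the process API does not, a classic rootkit symptom."""
    names = parse_tasklist(tasklist_text)
    return sorted({pid for _, _, _, _, pid in parse_netstat(netstat_text)
                   if pid not in names})


if __name__ == "__main__":
    for c in external_connections(NETSTAT_ANO, TASKLIST_CSV):
        print(c)
    print("talking SMTP:", smtp_talkers(NETSTAT_ANO, TASKLIST_CSV))
    print("hidden PIDs:", unattributed_pids(NETSTAT_ANO, TASKLIST_CSV))
```

Caveat: a rootkit that hooks the process list can hook the TCP table too, in which case netstat on the box lies as well. The firewall's per-IP counters sit outside the host, which is exactly why the SonicWall report in this thread caught what HijackThis did not; treat the host's own output as a lead, and the network's as the ground truth.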
575389 2007-08-02 02:59:00 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Why does a business machine need this sort of rubbish? Especially the Yahoo stuff.
Yahoo is almost soyware itself.

Also, Norton isn't an antivirus; it doesn't check for spyware.

I'd run some anti-spyware programs over this too.
pctek (84)
575390 2007-08-02 03:22:00 Problem resolved.

It turns out that the person using the computer had opened one of the new e-card emails that I am sure are doing the rounds to most people out there.

The problem wasn't found by any of the usual apps, as it installed a rootkit by the name of spooldr.exe.

Rootkit found using RootkitRevealer.

Rootkit removed with RegRun.

Thanks all
Obelix (752)
575391 2007-08-02 03:23:00 "Yahoo is almost soyware itself."

"Also, Norton isn't an antivirus"

Freudian slips? :lol:
snoopy (74)