
Firewall & AV programs reporting strange problems

Discussion in 'Malware and Virus Removal Archive' started by deedeekerfinkle, 2004/10/17.

Thread Status:
Not open for further replies.
  1. 2004/10/17
    deedeekerfinkle

    deedeekerfinkle Inactive Thread Starter

    Joined:
    2004/10/17
    Messages:
    2
    Likes Received:
    0
    Your original title, "Wow, I don't know .... " was not informative. I changed it for you but in the future you will need to follow the posting rules and especially the one calling for a meaningful title. Newt

    :) Hello, I have a host of weird things going on. McAfee firewall says I have Kuang2 at my port 17300, but nothing finds it there to remove or fix it. I have tried Norton, eTrust, Panda, Sophos, a2, McAfee antivirus, Symantec Security Response, Trend Sysclean, and Zone Labs, Ad-Aware 6 and Pest Patrol for starters.

    XoftSpy states other infections, of course want more money to remove them...

    Oh, and to top it off, Sophos anti-virus told me I have W95/Sledge-A in my activescan\imscan.dll, but it could not remove or disinfect it... says it was placed in 11/2003... I only bought this computer this past May so how the heck did I get that?...

    I did a scan with TDS-3 and it came up negative.

    Anyhow, here is my hijack this and XoftSpy logs, hopefully someone here can be helpful in correcting these problems, I would be ever so grateful.

    :)
    D


    Logfile of HijackThis v1.98.2
    Scan saved at 4:16:50 PM, on 10/17/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\SYSTEM32\Brmfrmps.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\PRISMSVR.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\msvcmm32.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Washer\washer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
    O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
    O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe /WNDSTART /Tray
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe "
    O4 - Startup: Head.txt
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SmartUI.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.kaplancollege.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4388/mcfscan.cab
    O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx


    XoftSpy Log:

    Starting Scanning (Smart Scan Mode)
    Scanning running processes.
    1) : -
    2) : \SystemRoot\System32\smss.exe
    3) : \??\C:\WINDOWS\system32\csrss.exe
    4) : \??\C:\WINDOWS\system32\winlogon.exe
    5) : C:\WINDOWS\system32\services.exe
    6) : C:\WINDOWS\system32\lsass.exe
    7) : C:\WINDOWS\system32\svchost.exe
    8) : C:\WINDOWS\system32\svchost.exe
    9) : C:\WINDOWS\System32\svchost.exe
    10) : C:\WINDOWS\System32\svchost.exe
    11) : C:\WINDOWS\System32\svchost.exe
    12) : C:\WINDOWS\system32\spoolsv.exe
    13) : C:\WINDOWS\System32\brss01a.exe
    14) : C:\WINDOWS\SYSTEM32\Brmfrmps.exe
    15) : C:\WINDOWS\system32\cisvc.exe
    16) : c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    17) : C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    18) : C:\WINDOWS\System32\nvsvc32.exe
    19) : C:\WINDOWS\System32\svchost.exe
    20) : C:\WINDOWS\system32\wdfmgr.exe
    21) : C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    22) : C:\WINDOWS\system32\BRMFRSMG.EXE
    23) : C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    24) : c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    25) : C:\WINDOWS\System32\alg.exe
    26) : C:\WINDOWS\Explorer.EXE
    27) : C:\WINDOWS\System32\PRISMSVR.EXE
    28) : C:\WINDOWS\system32\dla\tfswctrl.exe
    29) : C:\WINDOWS\System32\DSentry.exe
    30) : C:\Program Files\Dell\Media Experience\PCMService.exe
    31) : C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    32) : C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
    33) : C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    34) : C:\PROGRA~1\PESTPA~1\PPControl.exe
    35) : C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    36) : C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    37) : C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    38) : C:\WINDOWS\System32\msvcmm32.exe
    39) : C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    40) : C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    41) : C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    42) : C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    43) : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    44) : C:\Program Files\Washer\washer.exe
    45) : C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    46) : C:\Program Files\Digital Line Detect\DLG.exe
    47) : c:\progra~1\mcafee.com\vso\mcvsescn.exe
    48) : C:\Program Files\Microsoft Office\Office\OSA.EXE
    49) : C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    50) : C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    51) : C:\WINDOWS\system32\cidaemon.exe
    52) : C:\hijack\HijackThis.exe
    53) : C:\WINDOWS\system32\NOTEPAD.EXE
    54) : C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    55) : C:\Program Files\XoftSpy\XoftSpy.exe
    1) IBIS Toolbar
    Name: Software\wintools
    Type: Registry Key
    2) Troj/AnaFTP-01
    Name: CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    Type: Registry Key
    3) CoolWebSearch
    Name: software\microsoft\windows\currentversion\run\quicktime task
    Type: Registry Value
    4) Marketscore(Netsetter)
    Name: C:\WINDOWS\nsreg.dat
    Type: File
    5) SaveNow
    Name: C:\WINDOWS\system32\VBAR332.DLL
    Type: File
    Scan Finished
     
  2. 2004/10/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Wait for other ideas but I believe that it is possible that problem is that the items are being found in System Restore Files. And/or other types of backups.

    After cleaning a system of a Virus make sure to shut down system restore, AV check again and then restart System Restore.

    The above also applies to the RB00X.cab files in Win98.

    BillyBob
     
    Last edited: 2004/10/17


  4. 2004/10/17
    deedeekerfinkle

    deedeekerfinkle Inactive Thread Starter

    Joined:
    2004/10/17
    Messages:
    2
    Likes Received:
    0
    ?

    Okay, but see the thing is, even though these various programs say I have these items, NONE of the anti-virus or anti-trojan programs detect them, so I cannot remove them (at least I have no clue how to manually do so).

    :)
    D :confused:
     
  5. 2004/10/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Again, please wait for other ideas. But I believe that if the dirty files are in the backup files, virus cleaners WILL NOT remove them.

    I believe you have to shut down System Restore and then run the virus check.

    BillyBob
     
  6. 2004/10/17
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Your firewall could be merely reporting an INCOMING port scan, to a port that is commonly used by Kuang2. This does not mean you are infected, but someone else is on the internet (big surprise!), and is looking for someone else. You are being notified about this; this tells you the firewall is working and doing its job.
    BTW, it is not good to have two firewalls installed and running.
    I see nothing bad in the log.
     
  7. 2004/10/18
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi deedeekerfinkle,

    Test your Firewall(s) at the Gibson site: https://grc.com/x/ne.dll?bh0bkyd2

    As Mark wrote, that looks like a Port Scan. I get them everyday and they are minor annoyances, not a serious problem. The firewall handles them and is just telling you about it.

    Is that McAfee's firewall in addition to ZA? Pick one or the other.

    Regards - Charles
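A defender's check that matches what Mark and Charles describe, added here as an example and not part of the thread: an inbound blocked alert on a port associated with a trojan (Kuang2 on TCP 17300) is only worth investigating if a process on this host is actually listening on that port. The log line format, the listener set and the sample entries are constructed for the example, not McAfee's or ZoneAlarm's real format.

```python
import re
from dataclasses import dataclass

# Ports the thread mentions: Kuang2 is associated with TCP 17300.
TROJAN_PORTS = {17300: "Kuang2"}

# Constructed log format (hypothetical, not McAfee's or ZoneAlarm's real one):
#   <time> <IN|OUT> <BLOCK|ALLOW> <TCP|UDP> <remote_ip>:<remote_port> -> <local_port>
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<dir>IN|OUT) (?P<action>BLOCK|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<rip>[\d.]+):(?P<rport>\d+) -> (?P<lport>\d+)$"
)

@dataclass
class Verdict:
    port: int
    label: str
    severity: str  # "info" (blocked probe, nothing listening) or "investigate"
    remote_ips: set

def parse_alerts(lines):
    """Yield parsed alert dicts; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage(log_lines, listening_ports):
    """One Verdict per trojan-associated port that received inbound alerts.
    listening_ports is the set of local TCP ports with a listener (what
    `netstat -an` shows as LISTENING); only a probed port that is actually
    listening locally is worth investigating."""
    probes = {}
    for a in parse_alerts(log_lines):
        lport = int(a["lport"])
        if a["dir"] != "IN" or lport not in TROJAN_PORTS:
            continue
        probes.setdefault(lport, set()).add(a["rip"])
    verdicts = []
    for port, ips in sorted(probes.items()):
        sev = "investigate" if port in listening_ports else "info"
        verdicts.append(Verdict(port, TROJAN_PORTS[port], sev, ips))
    return verdicts

# Constructed sample: blocked inbound probes to 17300 from two scanners
# (documentation-range addresses) plus one unrelated outbound connection.
SAMPLE_LOG = [
    "2004-10-17T16:01:02 IN BLOCK TCP 203.0.113.7:4412 -> 17300",
    "2004-10-17T16:01:05 IN BLOCK TCP 203.0.113.7:4413 -> 17300",
    "2004-10-17T16:02:11 IN BLOCK TCP 198.51.100.23:1025 -> 17300",
    "2004-10-17T16:03:00 OUT ALLOW TCP 192.0.2.10:80 -> 1432",
]
if __name__ == "__main__":
    for v in triage(SAMPLE_LOG, listening_ports={135, 139, 445}):
        print(f"port {v.port} ({v.label}): {v.severity}, probed from {sorted(v.remote_ips)}")
```

With nothing listening on 17300 the verdict is "info": the firewall did its job and the alert is noise; the same log against a host where 17300 is LISTENING is flagged for investigation.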
     
  8. 2004/10/18
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    OK. I do need to ask ( and maybe learn ) for my own benefit now.

    If this is a case of the problem being a port scan, not an AV. Referring to AV software threw me off.

    And the Firewall is just reporting it ?

    :)*Luckily I have not run into this YET *:)

    BillyBob
     
  9. 2004/10/18
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    BB,

    It's McAfee's firewall: "Hello, I have a host of weird things going on. McAfee firewall says I have Kuang2 at my port 17300"

    Yea, it is confusing, no distinctions made between AVs, ATs, and firewalls.

    Regards - Charles
     