
Need help with a hijackthis log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2005/06/11.

Thread Status:
Not open for further replies.
  1. 2005/06/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I think I have picked up some kind of malware, but can't seem to find out what it is. For the last two days when I boot up, ZoneAlarm pops up a message saying Svchost.exe is trying to access the internet, and provides an IP of 0.0.0.0 with these ports 135, 1025, and 5000. It also has popped up a message saying Svchost.exe is trying to establish a server and shows this address "63.240.76.4: DNS ". I've scanned with Spybot and it found something called popupper.com and removed it. Adaware scans clean as does AVG. I've also run an online scan with RAV which came up clean. I'm attaching an HJT log hoping someone will see something I haven't. I didn't see anything obvious. I have been telling ZA to deny the requests but I would like to find out what this is and delete it.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:44:27 PM, on 6/11/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\Program Files\Microsoft Office\Office\Msoffice.exe
    C:\Program Files\Linksys\LogViewer\LogViewer.exe
    C:\Quickenw\Qwdlls.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Software\Spyware_Firewall_Antivirus stuff\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.ce1.attbb.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: LogViewer.lnk = C:\Program Files\Linksys\LogViewer\LogViewer.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
    O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
     
  2. 2005/06/11
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    The Welchia worm variations disguise themselves as that service host process. Go here and download this free Symantec Welchia worm removal tool and run it, just to be sure that this is or isn't the cause of any issues:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

    The IP address 63.240.76.4 is an attbi.com address.

    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE is suspicious because there are a number of keyloggers & worms that use that name. Use Start menu/Search and do a search for SysTray.ExE and see where all copies of that file are located on your system. The legit systray.exe should be in c/windows/system32 and c/windows/system32/dllcache
     


  4. 2005/06/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    TonyT,

    Thanks for the quick response. The only Systray.exe entries I found were in C:\windows\system32 and C:\windows\system32\dllcache and one file in the Prefetch folder called SYSTRACE.EXE-013C30DF.pf. I've downloaded the welchia tool but I have to go offline to run it. Will report back with the results.
     
  5. 2005/06/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    TonyT,

    Welchia tool reports no welchia infection found.
     
  6. 2005/06/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Are you using XP Home or Pro? Zone Alarm > Program Control > Programs tab should show svchost in the list. Click it and look at the file path below in entry details to verify its origin.

    The address 63.240.76.4 appears to belong to AT&T in San Diego. Is that valid?
     
  7. 2005/06/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Dave,

    I'm using XP Pro, the Svchost showed up in ZA programs list as Generic Host Process and the path was c:\windows\system32\svchost.exe.

    I'm not sure what's going on here. This just started Thursday, I've been denying the access with ZA. I'm not sure if that IP is legit. It's certainly not something that I have sought out, so I can't figure what's on my pc that would be trying to get to it.

    Bill
     
  8. 2005/06/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy the command below, open a command window and paste this in, then hit enter. Open C:\services.txt and post the contents.

    tasklist /svc > c:\services.txt
     
  9. 2005/06/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Here ya go Dave;

    Image Name PID Services
    ========================= ====== =============================================
    System Idle Process 0 N/A
    System 4 N/A
    SMSS.EXE 416 N/A
    CSRSS.EXE 464 N/A
    WINLOGON.EXE 492 N/A
    SERVICES.EXE 536 Eventlog, PlugPlay
    LSASS.EXE 548 PolicyAgent, ProtectedStorage, SamSs
    SVCHOST.EXE 700 RpcSs
    SVCHOST.EXE 724 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
    ERSvc, EventSystem,
    FastUserSwitchingCompatibility, helpsvc,
    lanmanserver, lanmanworkstation, Messenger,
    Netman, Nla, Schedule, seclogon, SENS,
    ShellHWDetection, srservice, TapiSrv,
    TermService, Themes, TrkWks, uploadmgr,
    W32Time, winmgmt, wuauserv, WZCSVC
    SVCHOST.EXE 896 Dnscache
    SVCHOST.EXE 912 LmHosts, RemoteRegistry, SSDPSRV, WebClient
    SPOOLSV.EXE 1012 Spooler
    AVGAMSVR.EXE 1148 Avg7Alrt
    AVGUPSVC.EXE 1160 Avg7UpdSvc
    CTSVCCDA.EXE 1172 Creative Service for CDROM Access
    NVSVC32.EXE 1212 NVSvc
    SVCHOST.EXE 1320 stisvc
    WDFMGR.EXE 1380 UMWdf
    VSMON.EXE 1444 vsmon
    MsPMSPSv.exe 1468 WMDM PMSP Service
    FXSSVC.EXE 1488 Fax
    EXPLORER.EXE 2004 N/A
    Directcd.exe 432 N/A
    HPGS2WND.EXE 460 N/A
    HpqCmon.exe 456 N/A
    AVGCC.EXE 396 N/A
    AVGEMC.EXE 648 N/A
    ZLCLIENT.EXE 764 N/A
    CTNotify.exe 788 N/A
    CTHELPER.EXE 860 N/A
    HPGS2WNF.EXE 796 N/A
    RUNDLL32.EXE 1100 N/A
    OSA.EXE 868 N/A
    MSOFFICE.EXE 1316 N/A
    LogViewer.exe 1208 N/A
    QWDLLS.EXE 1560 N/A
    HPOTDD01.EXE 1636 N/A
    HPOBNZ08.EXE 1672 N/A
    Mediadet.exe 1760 N/A
    HPOEVM08.EXE 2100 N/A
    HPOSTS08.EXE 2244 N/A
    iexplore.exe 2480 N/A
    CMD.EXE 4068 N/A
    tasklist.exe 4076 N/A
    wmiprvse.exe 148 N/A
     
  10. 2005/06/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    The plot thickens....

    Dave,

    I mentioned the problem to my wife and she said the same thing is happening on her PC and it started about the same time as mine. I checked and sure enough it looks the same. Using ZA to deny it there too.
     
  11. 2005/06/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    There are plenty of things running that might cause svchost to want access, and they all appear valid. My first guess is that an updater of some sort is what's trying to get to that addy, and you may have to catch it in the act. Rename that services.txt file so it doesn't get overwritten and the next time ZA pops up asking to allow svchost, before answering, run that command again, then compare the logs to see if there's anything different.

    Did you install any new software on both machines? Update/upgrade anything?
     
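    The comparison noahdfear describes, as an added example that is not part of the thread: it parses two `tasklist /svc` snapshots (including the wrapped svchost service rows) and reports what differs while ignoring the PIDs, which change on every boot. The two snapshots are constructed samples in tasklist's own layout, not Bill's logs.

```python
"""Diff two `tasklist /svc` snapshots, ignoring PIDs (they change every boot)."""
import re

# A row is: image name, PID, comma-separated services; long lists wrap onto indented lines.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

# Constructed sample snapshots in tasklist's own fixed-width layout (not Bill's logs).
SNAP_BEFORE = """\
Image Name                     PID Services
========================= ====== =============================================
SVCHOST.EXE                    700 RpcSs
SVCHOST.EXE                    724 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, wuauserv, WZCSVC
SVCHOST.EXE                    896 Dnscache
"""
SNAP_AFTER = """\
Image Name                     PID Services
========================= ====== =============================================
SVCHOST.EXE                    696 RpcSs
SVCHOST.EXE                    720 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, wuauserv, WZCSVC, Dnscache
SVCHOST.EXE                   2008 stisvc
NOTEPAD.EXE                   2408 N/A
"""

def _services(text):
    return [s.strip().lower() for s in text.split(",") if s.strip() and s.strip() != "N/A"]

def parse_tasklist_svc(text):
    """Return [(IMAGE_NAME, [services])] in snapshot order; N/A becomes an empty list."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = ROW.match(line)  # anchored on a non-space first char, so indented lines never match
        if m:
            image, _pid, services = m.groups()
            groups.append((image.strip().upper(), _services(services)))
        elif groups:  # wrapped continuation of the previous row's service list
            groups[-1][1].extend(_services(line))
    return groups

def diff_snapshots(before_text, after_text):
    """Services that appeared, vanished or changed host image, plus host processes (image +
    exact service set) that are new or gone, which catches a service moving between svchosts."""
    b, a = parse_tasklist_svc(before_text), parse_tasklist_svc(after_text)
    b_host = {s: img for img, svcs in b for s in svcs}
    a_host = {s: img for img, svcs in a for s in svcs}
    b_sets = {(img, frozenset(svcs)) for img, svcs in b if svcs}
    a_sets = {(img, frozenset(svcs)) for img, svcs in a if svcs}
    return {
        "added_services": sorted(set(a_host) - set(b_host)),
        "removed_services": sorted(set(b_host) - set(a_host)),
        "rehosted": sorted(s for s in set(a_host) & set(b_host) if a_host[s] != b_host[s]),
        "new_hosts": sorted((img, sorted(svcs)) for img, svcs in a_sets - b_sets),
        "gone_hosts": sorted((img, sorted(svcs)) for img, svcs in b_sets - a_sets),
        "new_images": sorted({img for img, _ in a} - {img for img, _ in b}),
    }
```

    Save the two `c:\services.txt` captures under different names and feed their contents to `diff_snapshots`; an empty result for every key means the service layout did not change between the quiet moment and the ZA prompt.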
  12. 2005/06/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    The only recent update on both machines is the new release of Adaware, but that's been a week ago. I'll try your suggestion with the services list and see if I can catch it.
     
  13. 2005/06/11
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Here's the services log from the time it was happening. I don't see any difference.

    Image Name PID Services
    ========================= ====== =============================================
    System Idle Process 0 N/A
    System 4 N/A
    SMSS.EXE 416 N/A
    CSRSS.EXE 464 N/A
    WINLOGON.EXE 488 N/A
    SERVICES.EXE 532 Eventlog, PlugPlay
    LSASS.EXE 544 PolicyAgent, ProtectedStorage, SamSs
    SVCHOST.EXE 696 RpcSs
    SVCHOST.EXE 720 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
    ERSvc, EventSystem,
    FastUserSwitchingCompatibility, helpsvc,
    lanmanserver, lanmanworkstation, Messenger,
    Netman, Nla, Schedule, seclogon, SENS,
    ShellHWDetection, srservice, TapiSrv,
    TermService, Themes, TrkWks, uploadmgr,
    W32Time, winmgmt, wuauserv, WZCSVC
    SVCHOST.EXE 844 Dnscache
    SVCHOST.EXE 880 LmHosts, RemoteRegistry, SSDPSRV, WebClient
    SPOOLSV.EXE 1016 Spooler
    EXPLORER.EXE 1280 N/A
    Directcd.exe 1424 N/A
    HPGS2WND.EXE 1440 N/A
    HpqCmon.exe 1448 N/A
    AVGCC.EXE 1456 N/A
    AVGEMC.EXE 1464 N/A
    ZLCLIENT.EXE 1472 N/A
    CTNotify.exe 1488 N/A
    HPGS2WNF.EXE 1524 N/A
    CTHELPER.EXE 1532 N/A
    RUNDLL32.EXE 1556 N/A
    OSA.EXE 1592 N/A
    MSOFFICE.EXE 1600 N/A
    LogViewer.exe 1616 N/A
    QWDLLS.EXE 1624 N/A
    HPOTDD01.EXE 1632 N/A
    HPOBNZ08.EXE 1640 N/A
    reader_sl.exe 1648 N/A
    AVGAMSVR.EXE 1760 Avg7Alrt
    HPOEVM08.EXE 1764 N/A
    Mediadet.exe 1804 N/A
    AVGUPSVC.EXE 1824 Avg7UpdSvc
    CTSVCCDA.EXE 1844 Creative Service for CDROM Access
    NVSVC32.EXE 1944 NVSvc
    SVCHOST.EXE 2008 stisvc
    WDFMGR.EXE 856 UMWdf
    VSMON.EXE 1128 vsmon
    MsPMSPSv.exe 1212 WMDM PMSP Service
    FXSSVC.EXE 1248 Fax
    HPOSTS08.EXE 2240 N/A
    NOTEPAD.EXE 2408 N/A
    NOTEPAD.EXE 2420 N/A
    CMD.EXE 2500 N/A
    NOTEPAD.EXE 2616 N/A
    tasklist.exe 2632 N/A
    wmiprvse.exe 2660 N/A
     
  14. 2005/06/12
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Ok, a couple of things:

    1. You should upgrade to XPSP2, you have SP1.
    2. What version of zone alarm do you have?

    Zone Alarm apparently had a bug whereby it was erroneously blocking svchost.exe, per their user forums. There are also configurations in ZA and svchost.exe that should be done according to their user forums:
    http://forum.zonelabs.org/zonelabs/search?board_id=access&q=Svchost.exe
     
  15. 2005/06/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open ZA, go to the Program Control > Programs tab, scroll down and look for Generic Host Process for Win32. Right click on it and choose remove, answer yes, then reboot. Then allow it access to the internet and to the trusted zone (click remember) but do not allow it Server Rights (click remember). Generic Host Process is the SVCHOST.EXE process and it may ask for access more than once, even after remembering. SERVER rights to the trusted zone is OK; it's the SERVER request for the Internet you should deny.
     
  16. 2005/06/12
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    TonyT,

    I know I should update to SP2, I can't seem to find the time to read up on 'things to do before applying' it. I know the PC should be clean and problem free before updating, but I'm sure there are more "should do's" out there to ensure a successful update.

    I'm running the latest version of ZA Pro that's available. Just put on an update about a month or so ago. I'll go read through the postings in the forum link you provided.

    Dave,

    I followed your suggestion about removing the Generic Host Process in ZA and letting it rediscover it. It seems to have fixed the problem for now. Hopefully the ZA forum will provide some clue as to what may have precipitated the warnings all of a sudden.

    Thanks for the help guys, as usual it has been superb.
     
  17. 2005/06/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to help Bill. :)

    RE:SP2.........make sure you have a good restore point (as well as backups) and update, update, update :D
     
  18. 2005/06/12
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Also, it's best to just download the whole 256 MB SP2 install and then run it after the download is complete. After the download gets unpacked you will be prompted if you want to back up existing files and you should choose "yes"; that way, if you encounter SP2 issues, you will be able to uninstall it.
     
  19. 2005/06/12
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Thanks for the advice guys, I have the SP2 download, now I just need to find the time to apply it across all my PCs.
     