Windows XP I think I've been hacked...

Hello,

Before explaining my situation, my system information is in my profile, except for this: Antivirus - AVG Internet Security; Internet Connection - 5 Gbps DSL

For the past several weeks, my system has been running very slowly. I have run several complete scans - AVG, ESET, Trend Micro, Spybot Search & Destroy and F-Prot - with nothing more than tracking cookies found. I have cleaned temporary folders using CCleaner, scanned the hard drive for errors and updated all my drivers. Still, the problem persists. I decided to use Process Monitor to see if I could find anything running that was unfamiliar to me. While viewing processes during startup, I noticed that regedit began to run beneath bcmwltry.exe, as if bcmwltry was calling on regedit. I used bcmwltry (a Broadcom utility) to monitor my home wireless LAN (since I have a Broadcom wireless adapter). Because of this activity, even after multiple scans, I decided to simply do a visual scan of files and folders on my C drive to see if I could locate anything unusual. The only thing I noticed was a folder in my Documents and Settings folder called "Misc" which I could not access. This was rather odd because I have folders and files set so that I can view everything. When I checked the properties of the folder, I learned that the folder was owned by S-1-5-21-343818398-573735546-725345543-1003 with inherited security traits from "System." After taking ownership of the folder, I found 3 copies of my Microsoft Money file, and files with suspicious names like "databasemigration.log", "PC Tools.txt" (which contained only my username and software id for PC Tools Internet Security), "SetNet.txt" (containing 3 short lines of info about my Broadcom adapter), 2 PDF manuals for my computer, and "Settings File 01_06.OPS" (with cryptic characters, but I could make out some Microsoft software information).

When I opened regedit to find "S-1-5-21-343818398-573735546-725345543-1003", it was listed under HKEY_USERS. There was no "Login User Name" associated with the entry. Under the key, I found two entries (01 & 02) with information referencing Vista. I run XP Pro, SP 3.
"D:\vista_5536.16385.060821-1900_vista_rc1_x86fre_client-lr1cfre_en_dvd.iso"

My questions are:
Am I being paranoid?
Are there valid reasons for the existence of "Misc" and its subfolders and files?
If I have been hacked, what are my next steps? I have already changed my login information for my bank and credit card accounts. I have also stopped using bcmwltry.exe and switched back to the Windows wireless LAN tool.

I am including my HijackThis results; they will follow this message.

Thank you very much in advance. I look forward to your responses.

Regards,
Diffie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:34 AM, on 10/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\tcpsvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
C:\Program Files\Global Graphics\PDF Suite\Jaws PDF Creator\PDFClient.exe
C:\WINDOWS\system32\PDFCreatorMessages.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Plaxo\3.23.0.5\PlaxoHelper_en.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\PROGRA~1\hpq\Shared\HpqToaster.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Lon\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\regedit.exe
C:\Program Files\ZipGenius 6\zipgenius.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Edit* Post was too long... I had to put the rest of the HijackThis information in a following post.
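The central question in the post above is what the unfamiliar SID that owns the "Misc" folder and appears under HKEY_USERS actually belongs to. The following PowerShell script is an added triage example written for this thread; it is not code from the original post or from any of the tools it mentions. It assumes PowerShell 2.0 to 5.1 on the affected machine (it uses Get-WmiObject, which later versions removed), takes the SID from the post, and treats the folder path as an assumed location. It asks the local security authority to translate the SID to an account, looks the SID up in the ProfileList key that Windows maintains for every profile it has loaded, checks whether the hive is currently mounted under HKEY_USERS, and compares the SID's prefix with the machine's own SID, since a user-created local account shares the machine prefix while a profile copied from another computer does not. Findings that deserve a closer look are an SID that resolves to nothing, a loaded hive with no ProfileList entry, or a prefix that is not this machine's.

```powershell
# Added example for this thread, not the poster's or any tool's code.
# Assumes PowerShell 2.0-5.1; paths marked "assumed" were not given in the post.

$Sid        = 'S-1-5-21-343818398-573735546-725345543-1003'   # SID quoted in the post
$FolderPath = 'C:\Documents and Settings\Misc'                # assumed location of "Misc"

function Resolve-SidToAccount {
    param([string]$SidString)
    # Translate the SID through the local SAM/LSA. An orphaned SID (account deleted,
    # or a profile copied in from another machine) cannot be translated and yields $null.
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

function Get-ProfileListPath {
    param([string]$SidString)
    # Windows records each profile it has loaded under ProfileList, keyed by SID.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$SidString"
    if (Test-Path -Path $key) {
        return (Get-ItemProperty -Path $key).ProfileImagePath
    }
    return $null
}

function Get-LoadedUserHives {
    # SIDs currently mounted under HKEY_USERS, excluding the *_Classes shadow keys
    # and the well-known service SIDs (S-1-5-18/19/20), which are not S-1-5-21-*.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' }
}

function Get-MachineSidPrefix {
    # Every local account SID is <machine SID>-<RID>; strip the RID from any one of them.
    $first = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object -First 1 -ExpandProperty SID
    if ($first) { return ($first -replace '-\d+$', '') }
    return $null
}

function Test-UnfamiliarSid {
    param([string]$SidString)
    $account       = Resolve-SidToAccount -SidString $SidString
    $profilePath   = Get-ProfileListPath -SidString $SidString
    $hiveLoaded    = @(Get-LoadedUserHives) -contains $SidString
    $machinePrefix = Get-MachineSidPrefix

    $findings = @()
    if (-not $account) {
        $findings += 'SID does not resolve to any account (orphaned or from another machine)'
    }
    if ($hiveLoaded -and -not $profilePath) {
        $findings += 'Hive is loaded under HKEY_USERS but has no ProfileList entry'
    }
    if ($profilePath -and -not (Test-Path -Path $profilePath)) {
        $findings += "ProfileImagePath points to a missing folder: $profilePath"
    }
    if ($machinePrefix -and ($SidString -notlike "$machinePrefix-*")) {
        $findings += "SID prefix is not this machine's SID ($machinePrefix)"
    }
    if ($findings.Count -eq 0) {
        $findings += 'SID resolves to a local account with a consistent profile entry'
    }

    New-Object PSObject -Property @{
        Sid         = $SidString
        Account     = $account
        ProfilePath = $profilePath
        HiveLoaded  = $hiveLoaded
        Findings    = ($findings -join '; ')
    }
}

# Run the checks for the SID from the post and show who the ACL says owns the folder.
Test-UnfamiliarSid -SidString $Sid | Format-List Sid, Account, ProfilePath, HiveLoaded, Findings
if (Test-Path -Path $FolderPath) {
    try {
        "Owner of $FolderPath according to its ACL: " + (Get-Acl -Path $FolderPath).Owner
    } catch {
        "Could not read the ACL of $FolderPath (access denied?)"
    }
}
```

Read the output alongside the ProfileImagePath: a profile whose path sits under Documents and Settings and resolves to a named local account is ordinary, even when the account is one you did not create yourself (installers sometimes add service accounts). An SID that no longer resolves but whose hive is still loaded, or whose prefix belongs to a different machine, is the case worth preserving (export the hive and copy the folder before changing anything) rather than deleting, so that whoever helps with the follow-up can still see it.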
 