Mischel Internet Security Forum > TrojanHunter > TrojanHunter Scanner
Topic: Port 12346/TCP is open (matches Netbus.160)
KissableKate (Newbie, Posts: 8)
Port 12346/TCP is open (matches Netbus.160)
« on: Dec 18th, 2007, 9:43am »

Port 12346/TCP is open (matches Netbus.170)
 
Can someone please tell me what these mean and how I'm supposed to get rid of them?  The Trojan Hunter just said "no Trojan's found" but found these two errors.
 
I have been having problems with hackers so any help you can give would be most welcome!
 
Thanks,
 
Kate
siliconman01 (Global Moderator, Posts: 5517)
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #1 on: Dec 18th, 2007, 11:29am »

Welcome to the forum Kate
 
Port 12346 being open is quite suspicious in that you could be infected.  Does the port reopen following a reboot of your computer?
 
If so, I recommend that you follow the procedure in the link below to closely examine/scan your computer.
http://www.misec.net/forum/board/FAQ/1170863449
 
Please post back here the requested logs in the procedure above.
 
The link below discusses open ports:
 
http://www.misec.net/forum/board/FAQ/1139255619
 
And the link below discusses port 12346.
 
http://www.auditmypc.com/port/tcp-port-12346.asp
« Last Edit: Dec 18th, 2007, 12:13pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

KissableKate (Newbie, Posts: 8)
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #2 on: Dec 19th, 2007, 6:56am »

Hey Siliconman,
 
Right, I know nothing about this side of computers so I have no idea what I'm doing. However, I've done most of what you've said and here is the log from HijackThis:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:35, on 19/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\lxdacoms.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\APPS\Powercinema\PCMService.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "c:\APPS\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Kate&Jon\LOCALS~1\Temp\AcsUninstall.exe"
O4 - HKLM\..\RunOnce: [2] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Kate&Jon\LOCALS~1\Temp\AcsUninstallRes.dll"
O4 - HKLM\..\RunOnce: [3] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Kate&Jon\LOCALS~1\Temp\shfolder.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - Unknown owner - C:\Program Files\M-Audio\JamLab\JamLabInst.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxda_device -   - C:\WINDOWS\system32\lxdacoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
--
End of file - 9772 bytes
 
The TrojanHunter scanner brought up this:
 
Port 12346/TCP is open (matches Netbus.160)
Port 12346/TCP is open (matches Netbus.170)
Found NTFS alternate data stream: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Thumbs.db:encryptable:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\avg75free_503a1205.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\ccsetup203.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\College work\Psych Cover Sheet 3-12-07.doc:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\HJTInstall.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\LimeWireWin.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\MUSIC\MP3 Drum Songs\audacity-win-1.2.6.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\MUSIC\MP3 Drum Songs\Guitar\KRISTAL_AE_Setup.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\MUSIC\MP3 Drum Songs\JamLab_WDM_5.10.00.5070.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\spyblock.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\spybotsd15.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\SUPERAntiSpyware.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\TrojanHunterSetup.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\WindowsDefender.msi:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\zasuiteSetup_en.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Favorites\TrojanHunter Scanner - Mischel Internet Security Forum.url:favicon:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\My Documents\My Received Files\Guns N' Roses - Madagascar.mp3:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\My Documents\My Received Files\Guns_N__Roses_-_The_Blues.mp3:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\My Documents\My Skype Pictures\free_kgb_keylogger-411.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\My Documents\Photos\Thumbs.db:encryptable:$DATA
Found NTFS alternate data stream: C:\Program Files\LimeWire\.NetworkShare\LimeWireWin4.14.10.exe:Zone.Identifier:$DATA
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_68556f3e\System.Xml.dll
Found NTFS alternate data stream: C:\WINDOWS\Fonts\Gabrielle.ttf:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\WINDOWS\Fonts\renaissance.ttf:Zone.Identifier:$DATA
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\_000006_.tmp.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\_000007_.tmp.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\_000008_.tmp.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\_000009_.tmp.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\_000011_.tmp.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\_000012_.tmp.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\_000013_.tmp.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\_000014_.tmp.dll
Error: Directory not found: D:\
Error: Directory not found: D:\
Error: Directory not found: E:\
Error: Directory not found: E:\
Error: Directory not found: F:\
Error: Directory not found: F:\
Error: Directory not found: G:\
Error: Directory not found: G:\
Error: Directory not found: H:\
Error: Directory not found: H:\
 
I currently have just about EVERYTHING I can think of on this computer.  I have AVG Anti-Virus, SpyBot, Windows Defender, ZoneAlarm, CCleaner, TrojanHunter, HiJackThis and also have used Trend Micro complete scanner (which last week found a Trojan Keylogger but this week found nothing).
 
What else can I do to close these ports?  I am sat here watching my password to my e-mail account change - in the last hour my password has been changed at least 3 times and I have tried changing the security question/password to things as random as I can think of - there must be something getting this information.
 
PLEASE HELP ME!!  I don't know what else to do and the police aren't helpful.
 
(Nothing as yet found by SuperAntiSpyware - will post log if something found).
 
Kate
« Last Edit: Dec 19th, 2007, 6:57am by KissableKate »

siliconman01 (Global Moderator, Posts: 5517)
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #3 on: Dec 19th, 2007, 7:29am »

Hmmm, your Hijackthis log is not showing anything that appears to be harmful.  
 
Please do the following:
 
1.  Download and install program TCPView from the link below.
 
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
 
2.  Run program TCPView.  It will show you what program on your system is using Port 12346.  The port number is under the "Local Address" column.  Once you find it in that column, look in the "Process" column to see the name of the program that is using the port.  
 
Please post back here what you find.
 
I will have another post shortly concerning the TH scan and what to do.
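
An added example (not TrojanHunter's, TCPView's or the forum's code) of the port-to-process lookup the reply above asks for, done over `netstat -ano` text instead of the TCPView window: TCPView shows well-known ports as service names (http, pop3, netbios-ssn), so an unnamed port such as 12346 is easier to spot numerically, and `netstat -ano` prints numeric ports with the owning PID. The sample output is constructed; the 12346 listener and its PID 2212 are placeholders, not something observed on the poster's machine.

```python
"""Map a flagged local port to its owning process from Windows `netstat -ano` output.

Added example for this thread, not code from TrojanHunter or the forum. The
parser works on the text `netstat -ano` prints on Windows XP and later and runs
offline against the constructed sample below.
"""
import re

# Constructed sample in the column layout `netstat -ano` prints on Windows.
# The 139/445 listeners mirror the netbios-ssn/microsoft-ds entries in the posted
# TCPView output; the 12346 listener and PID 2212 are placeholders for illustration.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING       2212
  TCP    192.168.1.10:2244      207.46.1.1:1863        ESTABLISHED     3384
  TCP    192.168.1.10:2423      204.212.170.225:80     CLOSE_WAIT      804
  UDP    0.0.0.0:500            *:*                                    596
  UDP    0.0.0.0:1900           *:*                                    1068
  UDP    192.168.1.10:1900      *:*                                    1068
  UDP    127.0.0.1:123          *:*                                    916
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), pid.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'0.0.0.0:445' -> ('0.0.0.0', 445); '[::]:445' -> ('::', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` text into a list of socket dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign": foreign, "state": state or "", "pid": int(pid)})
    return rows


def find_port_owners(text, port):
    """All sockets whose LOCAL port equals `port`, each with the owning PID."""
    return [r for r in parse_netstat(text) if r["local_port"] == port]


def listening_tcp_ports(text):
    """Sorted TCP ports in LISTENING state, to compare against a scanner's flagged ports."""
    return sorted({r["local_port"] for r in parse_netstat(text)
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"})


def triage_flagged_port(text, port):
    """One-line verdict for a scanner finding such as 'Port 12346/TCP is open'."""
    owners = find_port_owners(text, port)
    if not owners:
        # No user-mode socket on that port right now: the finding may have been
        # transient, or a kernel-level hider may be masking it; rescan after a reboot.
        return (f"port {port}: no local socket found; rescan after reboot and "
                "compare again")
    pids = sorted({r["pid"] for r in owners})
    # tasklist /FI "PID eq <pid>" prints the image name for a PID on XP Pro and later.
    return f"port {port}: owned by PID(s) {pids}; identify with tasklist /FI \"PID eq <pid>\""


if __name__ == "__main__":
    print(listening_tcp_ports(SAMPLE_NETSTAT))
    print(triage_flagged_port(SAMPLE_NETSTAT, 12346))
    print(triage_flagged_port(SAMPLE_NETSTAT, 12345))
```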
KissableKate (Newbie, Posts: 8)
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #4 on: Dec 19th, 2007, 7:36am »

Ok I have just run that TCPView that you recommended and got this report:
 
 
Process               Proto  Local Address                 Remote Address                        State
[System Process]:0    TCP    informationdesk:2454          78-33-6-34.no-dns-yet.enta.net:http   TIME_WAIT
[System Process]:0    TCP    informationdesk:2468          pop3.blueyonder.co.uk:pop3            TIME_WAIT
[System Process]:0    TCP    informationdesk:2466          pop3.blueyonder.co.uk:pop3            TIME_WAIT
[System Process]:0    TCP    informationdesk:2469          pop3.blueyonder.co.uk:pop3            TIME_WAIT
[System Process]:0    TCP    informationdesk:2472          78-33-6-34.no-dns-yet.enta.net:http   TIME_WAIT
CLMLServer.exe:1704   UDP    InformationDesk:1026          *:*
iexplore.exe:3336     UDP    InformationDesk:2413          *:*
lsass.exe:596         UDP    InformationDesk:isakmp        *:*
lsass.exe:596         UDP    InformationDesk:4500          *:*
msmsgs.exe:3384       TCP    informationdesk:2244          by1msg4146008.phx.gbl:1863            ESTABLISHED
msmsgs.exe:3384       UDP    InformationDesk:1067          *:*
OUTLOOK.EXE:804       TCP    informationdesk:2423          204.212.170.225:http                  CLOSE_WAIT
svchost.exe:1068      UDP    InformationDesk:1900          *:*
svchost.exe:1068      UDP    informationdesk:1900          *:*
svchost.exe:916       UDP    InformationDesk:ntp           *:*
svchost.exe:916       UDP    informationdesk:ntp           *:*
System:4              TCP    InformationDesk:microsoft-ds  InformationDesk:0                     LISTENING
System:4              TCP    informationdesk:netbios-ssn   InformationDesk:0                     LISTENING
System:4              UDP    informationdesk:netbios-ns    *:*
System:4              UDP    informationdesk:netbios-dgm   *:*
System:4              UDP    InformationDesk:microsoft-ds  *:*
 
I couldn't find Port 12346 - any suggestions?!
siliconman01 (Global Moderator, Posts: 5517)
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #5 on: Dec 19th, 2007, 8:04am »

You may wish to print out these instructions so that you can close down your browser.
 
Concerning the TrojanHunter scan log, please do the following.
 
1.  Open TrojanHunter scanner (the GUI).
 
2.  Click on View in the top menu bar and select "Advanced Mode" in the drop down menu.  A checkmark should appear next to "Advanced Mode."
 
3.  Click on the "Scan" icon in the left side icon bar.  
 
4.  Checkmark only the disk(s) that is/are active on your system.  It looks like the D, E, F, G, H disks are not active based on your posted TH scan.
 
5.  Be sure you have the latest updates for TrojanHunter.  Whereas you are using the trial version, the LiveUpdate feature does not function.  Therefore go to the link below and download/install the latest rulesets.  
 
http://www.misec.net/trojanhunter/updating/
 
6.  Now run a Trojan Hunter FULL scan of your system.  
 
7.  After the scan is completed, right click on each one of the items that is showing "Found NTFS alternate data stream:".  From the drop down menu, select Delete alternate data stream and let TrojanHunter delete the ADS.  
(Note:  This will take a little time because of the number of these that you have on your system.  However, once the alternate data stream is removed, it will not come back and will not show in subsequent scans.)
 
8.  Then, go to the link below and download ComboFix.exe and save it on your desktop.  Do NOT run it just yet.
 
http://forums.majorgeeks.com/showthread.php?t=134965
 
9.  Deactivate or close down all your security programs except your hardware firewall.  Close your browser and any other unnecessary program showing in your lower right notification tray.  
 
10.  Double click combofix.exe on your desktop & follow the prompts.  
 
Note:  
Do not mouseclick combofix's window while it is running. That may cause it to stall.

 
11.  When combofix.exe is finished, it will produce a log for you. PLEASE post that log back here on this thread.
 
12.  Run another HJT scan and post the log back here.  
 
13.  Run another TrojanHunter scan and post the scan results back here.
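
An added example (not TrojanHunter's or the forum's code) of how an analyst might triage the scan report lines posted in Reply #2 before working through step 7 above: it groups findings by type and marks the stream names Windows itself writes (Zone.Identifier, encryptable, favicon), so routine entries are separated from anything that deserves a closer look. The file paths in the sample come from the posted report; the `notes.txt` entry with its `payload` stream is constructed to exercise the unexplained case.

```python
"""Triage TrojanHunter scan-report lines by finding type.

Added example for this thread, not TrojanHunter's or the forum's code. It parses
the report format shown in the thread and separates alternate data streams (ADS)
that Windows creates routinely from ones that are not explained that way.
"""
import re
from collections import defaultdict

# Stream names Windows writes itself. Zone.Identifier is the "mark of the web"
# Internet Explorer attaches to downloaded files; Explorer keeps an 'encryptable'
# stream on Thumbs.db; Internet Explorer caches a favicon on .url favourites.
KNOWN_ADS = {
    "Zone.Identifier": "download mark-of-the-web written by Internet Explorer",
    "encryptable": "Explorer bookkeeping stream on Thumbs.db",
    "favicon": "Internet Explorer favicon cached on a .url favourite",
}

_PATTERNS = [
    ("port", re.compile(r"^Port (\d+)/(TCP|UDP) is open \(matches (.+)\)$")),
    ("ads", re.compile(r"^Found NTFS alternate data stream: (.+):([^:\\]+):\$DATA$")),
    ("double_ext", re.compile(r"^Warning: Executable file with double extensions found: (.+)$")),
    ("missing_dir", re.compile(r"^Error: Directory not found: (.+)$")),
]


def parse_line(line):
    """Return (kind, details) for one report line, or None if it is not a finding."""
    line = line.strip()
    for kind, rx in _PATTERNS:
        m = rx.match(line)
        if not m:
            continue
        if kind == "port":
            return kind, {"port": int(m.group(1)), "proto": m.group(2), "rule": m.group(3)}
        if kind == "ads":
            stream = m.group(2)
            return kind, {"file": m.group(1), "stream": stream,
                          "explained": KNOWN_ADS.get(stream)}
        return kind, {"path": m.group(1)}
    return None


def triage(report):
    """Group findings by kind; port hits are merged per (port, proto) with all rule names."""
    groups = defaultdict(list)
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed:
            kind, details = parsed
            groups[kind].append(details)
    ports = {}
    for d in groups.pop("port", []):
        ports.setdefault((d["port"], d["proto"]), []).append(d["rule"])
    groups["port"] = [{"port": p, "proto": pr, "rules": rules}
                      for (p, pr), rules in sorted(ports.items())]
    # The scanner reports each missing drive twice; keep one entry per drive.
    groups["missing_dir"] = sorted({d["path"] for d in groups.get("missing_dir", [])})
    return dict(groups)


def unexplained_ads(report):
    """ADS findings whose stream name is not one Windows writes itself: inspect these first."""
    return [d for d in triage(report).get("ads", []) if d["explained"] is None]


# Constructed sample in the format of the posted report. The paths are taken from the
# thread; the notes.txt line with a 'payload' stream is made up for the unexplained case.
SAMPLE_REPORT = r"""
Port 12346/TCP is open (matches Netbus.160)
Port 12346/TCP is open (matches Netbus.170)
Found NTFS alternate data stream: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Thumbs.db:encryptable:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Desktop\HJTInstall.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Favorites\TrojanHunter Scanner - Mischel Internet Security Forum.url:favicon:$DATA
Found NTFS alternate data stream: C:\example\notes.txt:payload:$DATA
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
Error: Directory not found: D:\
Error: Directory not found: D:\
54798 files scanned in 2197 seconds
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REPORT).items():
        print(kind, len(items))
    for d in unexplained_ads(SAMPLE_REPORT):
        print("inspect:", d["file"], "stream:", d["stream"])
```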
siliconman01 (Global Moderator, Posts: 5517)
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #6 on: Dec 19th, 2007, 8:07am »

I looked at TCPView that you posted.  Please do the items I requested in my post above.
siliconman01 (Global Moderator, Posts: 5517)
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #7 on: Dec 19th, 2007, 9:05am »

Are you behind a router and on a network with other computers?
 
Do you use Windows Messenger for live chat, instant messaging, or other purpose?
« Last Edit: Dec 19th, 2007, 9:07am by siliconman01 »

KissableKate (Newbie, Posts: 8)
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #8 on: Dec 19th, 2007, 10:50am »

I am not on another network, I don't use a router and I only occasionally use MSN from this computer.
 
TH Scan Report:
 
Port 12346/TCP is open (matches Netbus.160)
Port 12346/TCP is open (matches Netbus.170)
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Favorites\TrojanHunter Scanner - Mischel Internet Security Forum.url:favicon:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Kate&Jon\Local Settings\Temporary Internet Files\Content.IE5\RA4JGPVW\342108393[1].pdf:Zone.Identifier:$DATA
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_68556f3e\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
 
TH Log:
 
Not scanning password-protected file sbRecovery.reg in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip
Not scanning password-protected file sbRecovery.reg in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip  
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip  
Not scanning file C:\Documents and Settings\Kate&Jon\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt: Read access denied
Not scanning file C:\Documents and Settings\Kate&Jon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat: Read access denied
Not scanning file C:\Documents and Settings\Kate&Jon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG: Read access denied
Not scanning file C:\Documents and Settings\Kate&Jon\Local Settings\Temp\~DF372F.tmp: Read access denied
Not scanning file C:\Documents and Settings\Kate&Jon\Local Settings\Temp\~DF3755.tmp: Read access denied
Not scanning file C:\Documents and Settings\Kate&Jon\NTUSER.DAT: Read access denied
Not scanning file C:\Documents and Settings\Kate&Jon\ntuser.dat.LOG: Read access denied
Not scanning file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat: Read access denied
Not scanning file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG: Read access denied
Not scanning file C:\Documents and Settings\LocalService\NTUSER.DAT: Read access denied
Not scanning file C:\Documents and Settings\LocalService\ntuser.dat.LOG: Read access denied
Not scanning file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat: Read access denied
Not scanning file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG: Read access denied
Not scanning file C:\Documents and Settings\NetworkService\NTUSER.DAT: Read access denied
Not scanning file C:\Documents and Settings\NetworkService\ntuser.dat.LOG: Read access denied
Not scanning file C:\hiberfil.sys: Read access denied
Not scanning file C:\pagefile.sys: Read access denied
Not scanning file C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll: Read access denied
Not scanning file C:\WINDOWS\SoftwareDistribution\EventCache\{EDD76DB8-3440-42D0-83F5-7EB0AB92E9D6}.bin: Read access denied
Not scanning file C:\WINDOWS\system32\config\default: Read access denied
Not scanning file C:\WINDOWS\system32\config\default.LOG: Read access denied
Not scanning file C:\WINDOWS\system32\config\SAM: Read access denied
Not scanning file C:\WINDOWS\system32\config\SAM.LOG: Read access denied
Not scanning file C:\WINDOWS\system32\config\SECURITY: Read access denied
Not scanning file C:\WINDOWS\system32\config\SECURITY.LOG: Read access denied
Not scanning file C:\WINDOWS\system32\config\software: Read access denied
Not scanning file C:\WINDOWS\system32\config\software.LOG: Read access denied
Not scanning file C:\WINDOWS\system32\config\system: Read access denied
Not scanning file C:\WINDOWS\system32\config\system.LOG: Read access denied
Not scanning file C:\WINDOWS\system32\drivers\fidbox.dat: Read access denied
Not scanning file C:\WINDOWS\system32\drivers\fidbox.idx: Read access denied
Not scanning file C:\WINDOWS\Temp\sqlite_M9KyHVGRXD3Shhd: Read access denied
Not scanning file C:\WINDOWS\Temp\ZLT04659.TMP: Read access denied
Not scanning file C:\WINDOWS\Temp\ZLT0465f.TMP: Read access denied
54798 files scanned in 2197 seconds
 
HJT log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:43:10, on 19/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\lxdacoms.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\APPS\Powercinema\PCMService.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "c:\APPS\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - Unknown owner - C:\Program Files\M-Audio\JamLab\JamLabInst.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxda_device -   - C:\WINDOWS\system32\lxdacoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
--
End of file - 8774 bytes
KissableKate
Newbie
Posts: 8
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #9 on: Dec 19th, 2007, 10:52am »

ComboFix.Exe log:
 
ComboFix 07-12-19.2 - Kate&Jon 2007-12-19 15:33:18.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.110 [GMT 0:00]
Running from: C:\Documents and Settings\Kate&Jon\Desktop\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
 
.
(((((((((((((((((((((((((   Files Created from 2007-11-19 to 2007-12-19  )))))))))))))))))))))))))))))))
.
 
2007-12-19 12:04 . 2007-12-19 12:04  <DIR>  d--------  C:\Program Files\SonicWallES
2007-12-19 11:54 . 2007-12-19 11:59  <DIR>  d--------  C:\Program Files\SUPERAntiSpyware
2007-12-19 11:54 . 2007-12-19 11:54  <DIR>  C:\Documents and Settings\Kate&Jon\Application Data\SUPERAntiSpyware.com
2007-12-19 11:54 . 2007-12-19 11:54  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 11:52 . 2007-12-19 11:52  <DIR>  d--------  C:\Program Files\Common Files\Wise Installation Wizard
2007-12-19 11:34 . 2007-12-19 11:34  <DIR>  d--------  C:\Program Files\Trend Micro
2007-12-19 11:33 . 2007-12-19 11:33  <DIR>  C:\Documents and Settings\Kate&Jon\Recent
2007-12-19 11:28 . 2007-12-19 11:28  2  --a------  C:\WINDOWS\msoffice.ini
2007-12-19 11:16 . 2007-12-19 11:16  <DIR>  d--------  C:\Program Files\CCleaner
2007-12-19 10:23 . 2007-12-19 10:23  <DIR>  C:\Documents and Settings\Kate&Jon\Application Data\MailFrontier
2007-12-19 10:20 . 2007-12-19 15:36  964,640  --ahs----  C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-19 10:20 . 2007-12-19 15:27  12,116  --ahs----  C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-19 10:09 . 2007-12-19 10:33  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-19 10:08 . 2007-11-14 16:05  75,248  --a------  C:\WINDOWS\zllsputility.exe
2007-12-19 10:08 . 2004-04-27 04:40  11,264  --a------  C:\WINDOWS\system32\SpOrder.dll
2007-12-19 10:08 . 2007-12-19 15:28  4,212  ---h-----  C:\WINDOWS\system32\zllictbl.dat
2007-12-19 10:03 . 2007-12-19 11:17  <DIR>  d--------  C:\WINDOWS\Internet Logs
2007-12-18 16:09 . 2007-12-18 16:09  <DIR>  C:\Documents and Settings\Kate&Jon\Application Data\TrojanHunter
2007-12-18 14:55 . 2007-12-19 11:43  <DIR>  d--------  C:\Program Files\TrojanHunter 5.0
2007-12-18 14:42 . 2007-10-10 23:55  6,065,664  -----c---  C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-18 14:42 . 2007-07-01 03:31  2,455,488  -----c---  C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-18 14:42 . 2007-07-01 03:36  991,232  -----c---  C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-18 14:42 . 2007-10-10 23:55  459,264  -----c---  C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-18 14:42 . 2007-10-10 23:55  383,488  -----c---  C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-18 14:42 . 2007-10-10 23:55  267,776  -----c---  C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-18 14:42 . 2007-10-10 23:55  63,488  -----c---  C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-18 14:42 . 2007-10-10 23:55  52,224  -----c---  C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-18 14:42 . 2007-10-10 10:59  13,824  -----c---  C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-10 17:06 . 2007-12-10 17:06  <DIR>  d--------  C:\Program Files\Windows Defender
2007-12-10 14:47 . 2007-12-10 14:47  <DIR>  d--------  C:\WINDOWS\Sun
2007-12-10 14:47 . 2007-12-10 14:47  <DIR>  C:\Documents and Settings\Kate&Jon\Application Data\Sun
2007-12-10 14:47 . 2007-12-10 14:47  <DIR>  C:\Documents and Settings\Kate&Jon\.housecall6.6
2007-12-09 10:53 . 2007-12-09 12:29  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 22:47 . 2007-12-03 22:47  <DIR>  C:\Documents and Settings\Kate&Jon\Application Data\Help
2007-12-03 19:46 . 2007-12-03 19:46  13  --a------  C:\WINDOWS\scode8.cfg
2007-12-03 17:42 . 2007-12-03 17:42  <DIR>  d--------  C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-03 17:42 . 2007-12-03 17:42  <DIR>  C:\Documents and Settings\Kate&Jon\Application Data\AVG7
2007-12-03 17:42 . 2007-12-19 15:25  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\avg7
2007-12-03 17:40 . 2007-12-19 15:28  <DIR>  d--------  C:\Program Files\SpyBlocker Software
2007-12-03 17:40 . 2007-12-03 17:40  796,672  --a------  C:\WINDOWS\GPInstall.exe
2007-12-03 17:40 . 2002-07-08 18:09  7,878  --a------  C:\WINDOWS\Eng_UK.gpl
2007-11-26 18:36 . 2007-11-26 18:36  <DIR>  d--------  C:\Program Files\LimeWire
2007-11-26 18:19 . 2007-11-26 18:19  <DIR>  d--h-----  C:\WINDOWS\PIF
2007-11-26 17:45 . 2007-12-10 14:06  <DIR>  d--------  C:\Program Files\Virgin Broadband
2007-11-26 17:45 . 2007-11-26 17:45  <DIR>  C:\Documents and Settings\Kate&Jon\Application Data\Virgin Broadband
2007-11-26 17:45 . 2007-12-10 14:06  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Virgin Broadband
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 11:54  ---------  d-----w  C:\Documents and Settings\Kate&Jon\Application Data\SUPERAntiSpyware.com
2007-12-19 11:28  ---------  d-----w  C:\Program Files\Common Files\AOL
2007-12-19 11:28  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\AOL
2007-12-19 11:26  ---------  d-----w  C:\Documents and Settings\packard bell\Application Data\AOL
2007-12-19 11:26  ---------  d-----w  C:\Documents and Settings\Kate&Jon\Application Data\AOL
2007-12-19 10:33  ---------  d-----w  C:\Documents and Settings\Kate&Jon\Application Data\MailFrontier
2007-12-19 09:48  ---------  d-----w  C:\Documents and Settings\Kate&Jon\Application Data\AVG7
2007-12-18 16:09  ---------  d-----w  C:\Documents and Settings\Kate&Jon\Application Data\TrojanHunter
2007-12-12 11:57  ---------  d-----w  C:\Documents and Settings\Kate&Jon\Application Data\LimeWire
2007-12-12 11:05  ---------  d-sh--w  C:\Program Files\KGB
2007-12-10 14:08  ---------  d-----w  C:\Program Files\InstallShield Installation Information
2007-12-10 14:06  ---------  d-----w  C:\Documents and Settings\Kate&Jon\Application Data\Virgin Broadband
2007-11-26 18:28  ---------  d-----w  C:\Program Files\Common Files\Symantec Shared
2007-11-26 18:28  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 18:15  ---------  d-----w  C:\Program Files\Symantec
2007-11-14 16:05  1,086,952  ----a-w  C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25  20,480  ----a-w  C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:35  1,287,680  ----a-w  C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40  222,720  ----a-w  C:\WINDOWS\system32\wmasf.dll
2007-08-18 13:51  0  ----a-w  C:\Documents and Settings\Kate&Jon\Application Data\wklnhst.dat
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 23:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-05 21:18]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 02:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 03:15 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 22:22 C:\WINDOWS\soundman.exe]
"PCMService"="c:\APPS\Powercinema\PCMService.exe" [2006-02-23 18:08]
"DetectorApp"="C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 12:15]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 22:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 22:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Vade Retro Outlook Express"="C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 19:03]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-04 10:25]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" []
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" [2007-03-15 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 04:00]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42  212992  --a------  C:\WINDOWS\SMINST\RECGUARD.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized
 
R2 lxda_device;lxda_device;C:\WINDOWS\system32\lxdacoms.exe -service []
S2 JamLabInstallerService;JamLab Installer;C:\Program Files\M-Audio\JamLab\JamLabInst.exe []
S3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);C:\WINDOWS\system32\DRIVERS\mausbjl.sys []
 
*Newly Created Service* - CATCHME  
*Newly Created Service* - PROCEXP90  
.
Contents of the 'Scheduled Tasks' folder
"2007-12-19 15:30:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
 
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 15:36:08
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully  
hidden files: 0  
 
**************************************************************************
.
Completion time: 2007-12-19 15:36:55
.
2007-12-19 09:58:08--- E O F ---
siliconman01
Global Moderator
Posts: 5517
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #10 on: Dec 19th, 2007, 11:24am »

Okay, Combofix got rid of some files that I was concerned about.  I think these may have been left over from a previous infection cleaning.    
 
Quote:
C:\WINDOWS\system32\_000006_.tmp.dll  
C:\WINDOWS\system32\_000007_.tmp.dll  
C:\WINDOWS\system32\_000008_.tmp.dll  
C:\WINDOWS\system32\_000009_.tmp.dll  
C:\WINDOWS\system32\_000011_.tmp.dll  
C:\WINDOWS\system32\_000012_.tmp.dll  
C:\WINDOWS\system32\_000013_.tmp.dll  
C:\WINDOWS\system32\_000014_.tmp.dll  
 

 
Plus Combofix detected no rootkits which is great.  
 
HOWEVER, we are still not seeing any indication of a current infection that is opening 12346 or what may be changing your email password.  It may be that something has infected a normally legitimate program.  So, let's call on the big guns of Kaspersky to scan your computer.
 
1.  Disable all your security programs except your software firewall.  Close down programs that are in your lower right notification tray.
 
2.  Please go to the link below and run a REMOTE scan with Kaspersky.  You will need to use IE7 to access the Kaspersky remote scanner.  It needs to download and install an ActiveX component for the remote scan.  Please let it do so.  You may have to add   Http://*.kaspersky.com   to your Trusted Sites in IE7>Internet Options>Security tab>Trusted Sites if the ActiveX will not download.
 
http://www.kaspersky.com/virusscanner
 
-  Be sure to run a FULL computer scan with Kaspersky.  It will not remove an infection but it will tell us what is infected.  
 
-  Please post back here the results of the Kaspersky scan.  
 
 
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
Posts: 5517
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #11 on: Dec 19th, 2007, 11:56am »

Here is what is using port 12346 on your system
 
It's the Cyberlink "Powercinema" software that you have.  It is nothing malicious.  
 
Quote:
Application supplied with TV/DTV card in system
 
POWERCINEMA:
1. TCP to localhost:loopback, port 12346
2. UDP to localhost:loopback (dynamic ports)

 
This does not, however, have anything to do with whatever is changing your OUTLOOK password.
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
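The check behind the answer above, as an added example that is not part of this thread, of TrojanHunter or of CyberLink: a port-number match such as "Netbus.160" only says that something listens on 12346. `netstat -ano` names the owning PID and the bound address, and `tasklist` turns the PID into an image name. Whether the socket is bound to 127.0.0.1 (reachable only from the machine itself, the PowerCinema case) or to 0.0.0.0 (reachable from the network) is the security-relevant difference. The script parses the text both commands print; on Windows it runs them live, elsewhere it falls back to constructed sample output in which the PIDs, the CLMLServer.exe attribution and the other rows are assumptions, not data from the poster's machine.

```python
"""Who owns TCP port 12346, and is it bound to loopback only?

Added example for this thread, not code from TrojanHunter or CyberLink.
Parses the text printed by `netstat -ano` and `tasklist /fo csv`, both
present on Windows XP and later.  The SAMPLE_* strings are constructed:
the PIDs, the CLMLServer.exe attribution and the other rows are assumptions.
"""
import csv
import io
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class Listener:
    proto: str
    local_addr: str
    local_port: int
    pid: int
    image: str           # image name from tasklist, or "<unknown>" if the PID is absent
    loopback_only: bool  # True when bound to 127.x.x.x or ::1


def parse_netstat(text):
    """Yield (proto, addr, port, pid) for every LISTENING TCP row of `netstat -ano`.

    Header lines, ESTABLISHED rows and UDP rows (which have no State column)
    do not have exactly five fields with LISTENING in the fourth, so they are skipped.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            addr, _, port = parts[1].rpartition(":")   # also splits "[::]:135" correctly
            yield parts[0].upper(), addr.strip("[]"), int(port), int(parts[4])


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output (header row included)."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def find_listeners(netstat_text, tasklist_text, port):
    """Join the two outputs and return every listener on `port`."""
    images = parse_tasklist(tasklist_text)
    return [
        Listener(proto, addr, p, pid, images.get(pid, "<unknown>"), is_loopback(addr))
        for proto, addr, p, pid in parse_netstat(netstat_text)
        if p == port
    ]


# Constructed sample output.  Assumption: the PowerCinema media library service
# (CLMLServer.exe) is the owner; the thread only attributes the port to PowerCinema.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1020
  TCP    127.0.0.1:12346        0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1054      64.233.183.99:80       ESTABLISHED     2844
  UDP    127.0.0.1:1025         *:*                                    1532
"""

SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","1020","Console","0","4,612 K"
"CLMLServer.exe","1532","Console","0","5,240 K"
"IEXPLORE.EXE","2844","Console","0","38,120 K"
"""


def report(port=12346):
    """Run the real commands on Windows; use the constructed sample elsewhere."""
    if sys.platform == "win32":
        netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        tasklist = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True).stdout
    else:
        netstat, tasklist = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    found = find_listeners(netstat, tasklist, port)
    if not found:
        print(f"nothing is listening on TCP {port}")
    for l in found:
        scope = ("loopback only (not reachable from the network)" if l.loopback_only
                 else "ALL interfaces (reachable from the network)")
        print(f"TCP {l.local_addr}:{l.local_port}  pid {l.pid}  {l.image}  -> {scope}")
    return found


if __name__ == "__main__":
    report(int(sys.argv[1]) if len(sys.argv) > 1 else 12346)
```

Run with no argument it reports port 12346. A listener on 127.0.0.1 owned by a program you installed is the benign case described in the post; a listener on 0.0.0.0 owned by an image you cannot account for is the one to chase, and the PID it prints is what you pass to `tasklist /svc /fi "PID eq <pid>"` to see which service a shared host process such as svchost.exe is running.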
KissableKate
Newbie
Posts: 8
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #12 on: Dec 19th, 2007, 1:22pm »

Would you recommend getting rid of the PowerCinema so that the port can be closed?  I don't think I've ever used it - it came with the PC!
 
Kaspersky wouldn't let me scan "entire computer" so I picked my computer instead.
 
Log from Kaspersky:
 
-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Wednesday, December 19, 2007 7:19:07 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 19/12/2007
 Kaspersky Anti-Virus database records: 489182
-------------------------------------------------------------------------------
 
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
 
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
 
Scan Statistics:
Total number of scanned objects: 57555
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:31:51
 
Infected Object Name / Virus Name / Last Action
C:\APPS\Powercinema\Kernel\CLML_NTService\CLML_MAIN\CLML.db / Object is locked / skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log / Object is locked / skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck / Object is locked / skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12102007-170656.log / Object is locked / skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-19_Log.ALUSchedulerSvc.LiveUpdate / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\.housecall6.6\Quarantine\kgb_keylogger_spy-411.exe.bac_a00672/file38 / Infected: not-a-virus:Monitor.Win32.KeyLogger.ac / skipped
C:\Documents and Settings\Kate&Jon\.housecall6.6\Quarantine\kgb_keylogger_spy-411.exe.bac_a00672 / Inno: infected - 1 / skipped
C:\Documents and Settings\Kate&Jon\.housecall6.6\Quarantine\kgb_keylogger_spy-411.exe.bac_a00672 / CryptFF.b: infected - 1 / skipped
C:\Documents and Settings\Kate&Jon\Application Data\MailFrontier\ASD.log / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Application Data\MailFrontier\ASD_OT.log / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Application Data\MailFrontier\logger\all\20071219.txt / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Application Data\Microsoft\Outlook\Outlook.srs / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Application Data\Microsoft\Templates\Normal.dot / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Application Data\Virgin Broadband\advisor\client_gateway.log / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Cookies\index.dat / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\History\History.IE5\index.dat / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\History\History.IE5\MSHist012007121920071220\index.dat / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Temp\~DF161D.tmp / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Temp\~DF372F.tmp / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Temp\~DF3755.tmp / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Temp\~DFB204.tmp / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\Local Settings\Temporary Internet Files\Content.IE5\index.dat / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\NTUSER.DAT / Object is locked / skipped
C:\Documents and Settings\Kate&Jon\ntuser.dat.LOG / Object is locked / skipped
C:\Documents and Settings\LocalService\Cookies\index.dat / Object is locked / skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat / Object is locked / skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG / Object is locked / skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat / Object is locked / skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat / Object is locked / skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat / Object is locked / skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat / Object is locked / skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat / Object is locked / skipped
C:\Documents and Settings\LocalService\NTUSER.DAT / Object is locked / skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG / Object is locked / skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat / Object is locked / skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG / Object is locked / skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\MpCmdRun-6-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock / Object is locked / skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\MpCmdRun.log / Object is locked / skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT / Object is locked / skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG / Object is locked / skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll / Object is locked / skipped
C:\System Volume Information\MountPointManagerRemoteDatabase / Object is locked / skipped
C:\System Volume Information\_restore{0504F5F0-DB7C-4B3F-9E77-AFAFC317F8CF}\RP73\change.log / Object is locked / skipped
C:\WINDOWS\Debug\PASSWD.LOG / Object is locked / skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt / Object is locked / skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt / Object is locked / skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB / Object is locked / skipped
C:\WINDOWS\Internet Logs\INFORMATIONDESK.ldb / Object is locked / skipped
C:\WINDOWS\Internet Logs\tvDebug.log / Object is locked / skipped
C:\WINDOWS\SchedLgU.Txt / Object is locked / skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{EDD76DB8-3440-42D0-83F5-7EB0AB92E9D6}.bin / Object is locked / skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log / Object is locked / skipped
C:\WINDOWS\Sti_Trace.log / Object is locked / skipped
C:\WINDOWS\system32\CatRoot2\edb.log / Object is locked / skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb / Object is locked / skipped
C:\WINDOWS\system32\config\AppEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\default / Object is locked / skipped
C:\WINDOWS\system32\config\default.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\Internet.evt / Object is locked / skipped
C:\WINDOWS\system32\config\SAM / Object is locked / skipped
C:\WINDOWS\system32\config\SAM.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\SecEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\SECURITY / Object is locked / skipped
C:\WINDOWS\system32\config\SECURITY.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\software / Object is locked / skipped
C:\WINDOWS\system32\config\software.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\SysEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\system / Object is locked / skipped
C:\WINDOWS\system32\config\system.LOG / Object is locked / skipped
C:\WINDOWS\system32\drivers\fidbox.dat / Object is locked / skipped
C:\WINDOWS\system32\drivers\fidbox.idx / Object is locked / skipped
C:\WINDOWS\system32\h323log.txt / Object is locked / skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP / Object is locked / skipped
C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt / Object is locked / skipped
C:\WINDOWS\Temp\sqlite_M9KyHVGRXD3Shhd / Object is locked / skipped
C:\WINDOWS\Temp\ZLT04659.TMP / Object is locked / skipped
C:\WINDOWS\Temp\ZLT0465f.TMP / Object is locked / skipped
C:\WINDOWS\wiadebug.log / Object is locked / skipped
C:\WINDOWS\wiaservc.log / Object is locked / skipped
C:\WINDOWS\WindowsUpdate.log / Object is locked / skipped
 
Scan process completed.
 
Kate
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5517
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #13 on: Dec 19th, 2007, 2:51pm »

Quote:
Would you recommend getting rid of the PowerCinema so that the port can be closed?  I don't think I've ever used it - it came with the PC

 
Yes, I feel that would be a wise step.  You should be able to remove it through Control Panel>Add/Remove Programs.  
 
It looks like what Kaspersky is detecting as infected are 3 files that are in quarantine from your keylogger bout.  You should be able to empty your Quarantine folder for Trend Micro and get rid of them.  
 
Quote:
C:\Documents and Settings\Kate&Jon\.housecall6.6\Quarantine\kgb_keylogger_spy-411.exe.bac  _a00672/file38    Infected: not-a-virus:Monitor.Win32.KeyLogger.ac    skipped
C:\Documents and Settings\Kate&Jon\.housecall6.6\Quarantine\kgb_keylogger_spy-411.exe.bac  _a00672    Inno: infected - 1    skipped
C:\Documents and Settings\Kate&Jon\.housecall6.6\Quarantine\kgb_keylogger_spy-411.exe.bac  _a00672    CryptFF.b: infected - 1    skipped

 
That's all it is detecting...harmless because they are in Quarantine.  You should delete them, however.  
 
NOTE:  You may need to make all your files and folders visible to find that Quarantine folder.  You can do this by following the procedure in the link below:
 
http://www.misec.net/forum/board/FAQ/1139610900
 
Is your Outlook password still getting changed?  It certainly does not "look" like your system is infected.  
« Last Edit: Dec 19th, 2007, 3:11pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
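The thread's alert ("Port 12346/TCP is open (matches Netbus.160)") is a match on the port number, and the advice above is to uninstall the program believed to own it. The check a practitioner would want before and after that uninstall is which process actually holds the listening socket and where its executable lives. The script below is an added example, not from this forum or from TrojanHunter; it assumes Windows with netstat.exe available and PowerShell 2.0 or later (Get-Process -Id and the .Path property). The default port 12346 is taken from the thread; any other port can be passed as a parameter.

```powershell
# Added example (not from the forum thread or TrojanHunter).
# Find which process owns a listening TCP port so that an "open port" alert
# can be tied to a concrete program rather than to a port-number signature.
# Assumes: Windows, netstat.exe on PATH, PowerShell 2.0+.
param([int]$Port = 12346)

# netstat -ano lists every socket with numeric addresses and the owning PID.
# Keep only TCP rows; the UDP rows have no State column.
$rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }

$hits = foreach ($row in $rows) {
    # Columns: Proto  LocalAddress  ForeignAddress  State  PID
    $f = ($row.Trim() -split '\s+')
    if ($f.Count -lt 5) { continue }

    # Take the port from the last ':'-separated piece so both
    # 0.0.0.0:12346 and [::]:12346 are handled.
    $localPort = [int](($f[1] -split ':')[-1])
    if ($localPort -ne $Port -or $f[3] -ne 'LISTENING') { continue }

    # PID 0 / exited processes make Get-Process fail; report that instead of dying.
    $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        LocalAddress = $f[1]
        PID          = [int]$f[4]
        ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
        # Path may be $null for system processes unless the shell is elevated.
        Path         = if ($proc) { $proc.Path } else { $null }
    }
}

if (-not $hits) {
    "Nothing is listening on TCP $Port."
} else {
    $hits | Format-Table LocalAddress, PID, ProcessName, Path -AutoSize
}
```

Run it once while the alert is present to see the owning process and its path, then again after the uninstall and a reboot: if the port is still listening, the program you removed was not the one holding it, and the process named in the output is the next thing to look at.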
KissableKate
Newbie
*
Posts: 8
Re: Port 12346/TCP is open (matches Netbus.160)
« Reply #14 on: Dec 19th, 2007, 3:19pm »

As of this moment, no, my Outlook password has not been changed since this afternoon (it is now gone 9pm).
 
I will try and find and delete the things you have recommended I get rid of.
 
I want to thank you so much for your help today!  You've taken an awful lot
