
Thread: Need help!


  1. #1 (Join Date: May 2007, Posts: 6)

    Need help!

    Hi everyone, I am new here. In the past weeks I have had unusual internet activity.
    My computer needs the internet connection more than before.
    I tried NOD32, Spybot, Ad-Aware, Spyware Doctor and some other programs, but nothing important was found.
    Then I came here and tried the HJ auto-analyzer. It came back with a few red-flagged signatures. I'm now not sure whether I should delete those and how to do that (with HJ maybe??). Please help. One more thing: at irregular time intervals I clearly see
    that my computer is downloading about 100-200 bytes. This happens a few (7-8) times per hour, on a daily basis, and this worries me. A "lot" of info comes and goes and I know nothing about where and what for. A few weeks earlier this problem didn't exist. Obviously I picked bad web sites.
    When a transaction happens, the only application that is active (I can see this on my new Comodo firewall) is svchost.exe or Firefox, or both!
    Please can someone analyze my log for me. (Sorry for my English.)

    O4 ctfmon.exe -- what is this??

    My log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 7:13:34 PM, on 5/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Dassault Systemes\B10\intel_a\code\bin\CATSysDemon.exe
    D:\Program Files\Comodo\Firewall\cmdagent.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Eset\nod32krn.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\wdfmgr.exe
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\WINDOWS\SYSTEM32\USRmlnkA.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\SYSTEM32\USRshutA.exe
    D:\WINDOWS\SYSTEM32\USRmlnkA.exe
    D:\WINDOWS\system32\devldr32.exe
    D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\hjthis\analyze.exe
    D:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [USRpdA] D:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Girder3.lnk = D:\Program Files\girder\Girder.exe
    O4 - Global Startup: DSLMON.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\MDT6\AcDcToday.ocx
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\MDT6\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\Program Files\MDT6\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\MDT6\AcPreview.ocx
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - D:\Program Files\Dassault Systemes\B10\intel_a\code\bin\CATSysDemon.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - D:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 5483 bytes
    Last edited by jabi; 05-25-2007 at 01:00 PM.
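Rather than trusting an auto-analyzer's red flags, a practitioner would first pull each O4 autostart and O23 service entry out of the log and ask a few concrete questions about it. The Python below is an added example, not part of the thread or of HijackThis: it parses constructed lines in the same format as the log above (plus one made-up temp-folder entry) and lists the reasons an entry deserves a second look, leaving the verdict to a human.

```python
import re

# Constructed sample in HijackThis line format (same layout as the log above, plus one
# made-up O4 entry pointing into a temp folder so the review path is exercised).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updater] D:\DOCUME~1\user\LOCALS~1\Temp\upd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
"""

# First drive-letter path ending in a loadable module; copes with quoted paths and RUNDLL32 "dll,entry" forms.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|ocx)', re.IGNORECASE)
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]")                          # autostart value name in brackets
O23_RE = re.compile(r"\((?P<name>[^)]+)\) - (?P<publisher>.+?) - ")  # "(ShortName) - Publisher - path"
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")   # autostart/service binaries rarely belong in a temp folder

def parse_entry(line: str) -> dict:
    """Split one HijackThis line into section code, entry name, publisher and binary path."""
    section, _, body = line.partition(" - ")
    entry = {"section": section, "name": "", "publisher": "", "path": ""}
    if m := PATH_RE.search(body):
        entry["path"] = m.group(0)
    if section == "O4":
        n = O4_RE.search(body)
        entry["name"] = n.group("name") if n else body
    elif section == "O23":
        if n := O23_RE.search(body):
            entry["name"], entry["publisher"] = n.group("name"), n.group("publisher")
    else:
        entry["name"] = body.split(" - ")[0]
    return entry

def review_reasons(entry: dict) -> list:
    """Defender-side heuristics: which entries deserve a second look before anything is 'fixed'."""
    reasons = []
    if entry["section"] == "O23" and entry["publisher"].lower() == "unknown owner":
        reasons.append("service binary carries no publisher information")
    if entry["path"] and any(t in entry["path"].lower() for t in TEMP_MARKERS):
        reasons.append("binary lives in a temp folder, unusual for an autostart item")
    if entry["section"] == "O4" and not entry["path"]:
        reasons.append("autostart command has no absolute path (resolved via PATH at logon)")
    return reasons

def triage(log_text: str) -> list:
    """Return every R/O-section entry with its review reasons (an empty list means nothing stood out)."""
    results = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if re.match(r"^[OR]\d+ - ", line):
            entry = parse_entry(line)
            entry["reasons"] = review_reasons(entry)
            results.append(entry)
    return results

def flagged_names(log_text: str) -> list:
    """Names of the entries that picked up at least one review reason."""
    return [e["name"] for e in triage(log_text) if e["reasons"]]
```

On the thread's own log the "no absolute path" rule would also trip on entries such as nwiz.exe and Narrator.exe, which is a prompt to confirm where the binary resolves, not a verdict.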

  2. #2 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Ctfmon.exe is part of Microsoft Office and runs in the background; it monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. It is fine.
    May I recommend that you go to this link
    Follow the steps given there and then post back here with the AVG Anti-spy log and a new HiJackThis log.

    Also don't use the analyzer, it does occasionally red flag some programs that are perfectly fine.

  3. #3 (Join Date: May 2007, Posts: 6)
    OK, here are the logs that you requested!

    I followed the procedure from the link above. The antivirus scans didn't find anything, and neither did Spybot. Nothing suspicious when I look in the Add/Remove Programs tab; everything there is familiar to me.

    I am surprised with the search result that AVG came up with. I find it hard to believe that it marked that file (you can see which one from the log file) from the Dassault Systemes CATIA program as a trojan. After fixing my problem, the unusual activity when I'm connected to the internet continues, so we (you) must check my HJ log file to solve this problem.

    At the end, please note that I'm running my XP from the D: drive of my hard disk. Because of that I put HJ in the Program Files folder on the D: drive instead of the recommended C:.
    Last edited by jabi; 05-25-2007 at 11:36 PM.

  4. #4 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    I honestly don't see anything in your HJT log that is bad. The file found by AVG is noted on several other sites as Trojan.Runner.i.
    This doesn't mean the whole program is bad, just that one file within the program. Have you had this installed for a long time?
    You say this internet activity you see has just begun recently, have you installed something new just prior to this? If you say that something is installing without your permission then I would question the firewall, I wouldn't think it should be allowing this access. But you also say it seems to be Firefox, is it possible that this is just pages refreshing?

  5. #5 (Join Date: May 2007, Posts: 6)
    Yes, I installed that program (Dassault...) maybe 1 year ago.
    I installed a few programs like AnyDVD, Ultimate Defragmenter, Google Earth, Spyware Doctor, Comodo (my new firewall, instead of my old version of ZoneAlarm) a few days ago, and now AVG, HJ, ATF Cleaner and CWShredder. Maybe sometimes Mozilla refreshes pages, but I'm pretty sure that there is something else, because this continues when Mozilla is turned off.

    I noted one small thing now. When I was connecting to the internet today and started Mozilla, I checked the IMON (internet monitor) protection module of my NOD32 antivirus (with new definitions and set to max) and it was processing data from the site:
    http://fxfeeds.mozilla.com/rss20.xml
    and then from the sites:
    http://newsrss.bbc.co.uk/rss/newsonl...t_page/sps.xml and http://akamaifree.ewido.net/3777.dat
    (I hope that I didn't make typing errors in these links.) Note: my Mozilla is still on a blank page and I have not clicked on anything yet.
    There is no data in the Mozilla history about this, and I don't remember ever visiting these web sites in my life (no one else uses this computer).
    The second thing that I noted, when the monitors in my tray start to blink, is that svchost.exe tries to go on the net (UDP out protocol, destination 255.255.255.255::bootp(67)). This destination has something to do with the local network that my ADSL provider has in my neighbourhood, I think, and I'm of course connected to that. Only that network is not operational yet.
    Something else that my firewall blocks regularly is some packets which try to access from 83.53.178.55 to 88.150.130.50 (protocol ICMP, incoming), but this doesn't go through svchost.exe. Something else with the network, I think.
    The application that is active sometimes when I connect is also "System".
    Is there a chance that this activity has something to do with network refreshing (maybe the computer tries to access the network which is not operational yet, and then retries again; this comes from my not so powerful "computer" side of the brain, so keep that in mind)?

    Those few things that I noted are active and I think that's where the problem must be found.
    Last edited by jabi; 05-26-2007 at 08:39 AM.

  6. #6 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    I am really somewhat puzzled by your question. How do you KNOW that your computer is actually DOWNLOADING about 100-200 bytes 7 to 8 times per hour?
    You are on DSL, correct? This means the computer actually is ALWAYS online when it is turned on; you don't have to have a browser open.
    It is very possible that you have a number of programs set to auto-update. If this is the case then those programs will check to see if updates are available and may do so a number of times a day, and many programs have updates several times a day...especially anti-virus programs and some anti-spy programs. So it will send out "are there any updates?" and the answer will come back...yes or no. If the answer is yes, whatever program it is will then download the auto update.

    You can configure Firefox to actually SHOW a box when a download is taking place; this way you will know what is being downloaded. See my attached. My anti-virus program is the only one I have set to auto update; all the other programs I do manually. There are some days I may get 4 or 5 updates to my anti-virus program AND my Firefox shows this when it happens with a download box.

    The sites you note in your post are perfectly legitimate sites:
    The first two are RSS feeds from Firefox. An RSS feed is actually something Firefox calls Live Bookmarks. Go to this page for an explanation. They are not actually downloading anything to the computer.
    The last one you note is definitely associated with the AVG Anti-Spy program and probably an update. Note ewido.net: this is the address for the AVG Anti-Spy program, so it was probably checking for updates and probably receiving one.

    This you note
    udp out protocol,destination 255.255.255.255
    is also perfectly legitimate. Read this link.

    Now as far as your firewall blocking something regularly, this is what it is SUPPOSED to do. This doesn't mean you have ever been to these sites; it just means these sites are trying to access the computer...in other words these sites, which your firewall blocks, are sites which sort of use automatic dialers...sort of like automatic telephone dialers which just dial up random sets of telephone numbers in hopes of hitting a legitimate telephone number so that they can sell you something. Many businesses use this in their advertising, just as many websites do the same thing. The firewall is doing its job.
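The UDP broadcast to 255.255.255.255:67 that the thread keeps coming back to is a DHCP client asking for or renewing a lease, which is why it is expected on a dynamic-address link. The Python below is an added example, not from the thread or from any of the tools named in it: it builds a constructed DHCPDISCOVER (made-up transaction id and MAC), decodes the BOOTP header and options, and labels a firewall event as expected only when the payload really is a client DHCP request.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie at offset 236, right after the BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE"}

def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed sample: a minimal DHCPDISCOVER as a client broadcasts it from
    0.0.0.0:68 to 255.255.255.255:67 (op=1 BOOTREQUEST, broadcast flag set)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,                    # op, htype=ethernet, hlen, hops, xid, secs, flags
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,    # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = bytes([53, 1, 1]) + bytes([55, 3, 1, 3, 6]) + b"\xff"    # type=DISCOVER, param request list, end
    return header + MAGIC + options

def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV option area; ValueError if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("too short or magic cookie missing")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                           # 0 = pad byte, carries no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_code = options.get(53, b"\0")[0]
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "client_mac": payload[28:28 + hlen].hex(":"),
            "type": MSG_TYPES.get(msg_code, f"unknown({msg_code})")}

def classify_outbound_udp(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Label a blocked outbound UDP event: a client broadcast to 255.255.255.255:67 whose
    payload really is a DHCP request is expected on a dynamic-address link; anything
    else aimed at that port deserves a closer look rather than a reflex 'allow'."""
    if dst_ip != "255.255.255.255" or dst_port != 67:
        return "review: not a DHCP client broadcast"
    try:
        msg = parse_dhcp(payload)
    except ValueError as exc:
        return f"review: sent to the DHCP server port but not DHCP ({exc})"
    if msg["op"] == 1 and msg["type"] in ("DISCOVER", "REQUEST"):
        return f"expected: DHCP {msg['type']} from client {msg['client_mac']} (address lease)"
    return f"review: unexpected DHCP {msg['type']} sent by a client"

if __name__ == "__main__":
    pkt = build_discover(0x3903F326, bytes.fromhex("001122334455"))   # constructed xid and MAC
    print(parse_dhcp(pkt))
    print(classify_outbound_udp("255.255.255.255", 67, pkt))
```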

  7. #7 (Join Date: May 2007, Posts: 6)
    I'm on ADSL! I'm connected only when I click on the Connect button from my connection shortcut (from Control Panel).

    And I'm assigned a dynamic IP address. Now I perfectly understand why svchost.exe tries to access 255.255.255.255 (thanks to your link), but why does my firewall block that every time by itself and give me no option to allow or deny? It was the same with ZoneAlarm and now with the Comodo firewall. I know how to work with these programs, but in this case it's their free will only.
    Should I allow that interaction when I learn how? I think I must allow the server to check my IP. Please confirm this to me?

    About the Firefox "activity", everything is clear now in my mind.

    How do I know that my computer is downloading??
    -- Actually I saw frequent blinking of the two monitors in the tray, and after every blink I check the sum of received and sent bytes. Then I go to the firewall options and see that svchost.exe or the System application is/are active on the internet and bytes come and go.
    Sometimes it just tries to access 255.255.255.255 and that seems OK now, but sometimes it is something different (like the System application).
    The frequency of "blinking" is much higher now than before and that makes me suspicious.
    I have to say that 80% of the "blinking" (sent data) is caused by svchost.exe sending info to 255.255.... Maybe if I find the way to allow my firewall to let the "back info" from the server (about the IP check) reach my computer... maybe this can help, hmm?

    And I forgot to say that I allow only NOD32 to update automatically. Everything else that I'm aware of I'm updating manually. I think I know how to recognize when my NOD is updating by simply looking at its update status, and that's not what made me suspicious in the first place.

    Thank you very much for the links.
    Last edited by jabi; 05-26-2007 at 06:35 PM.

  8. #8 (Join Date: May 2007, Posts: 6)
    Apparently in my country this works in a different way. I must enter a username and password to proceed. I tried your way a few minutes ago and it didn't work.

    Anyway:

    Quote Originally Posted by jabi:
    And I'm assigned a dynamic IP address. Now I perfectly understand why svchost.exe tries to access 255.255.255.255 (thanks to your link), but why does my firewall block that every time by itself and give me no option to allow or deny? It was the same with ZoneAlarm and now with the Comodo firewall. I know how to work with these programs, but in this case it's their free will only.
    Should I allow that interaction when I learn how? I think I must allow the server to check my IP. Please confirm this to me?
    Can you confirm this to me please?? Am I right??
    Last edited by jabi; 05-26-2007 at 06:37 PM.

  9. #9 (Join Date: Aug 2006, Location: 255.255.255.666, Posts: 2,056)
    Quote Originally Posted by jabi:
    I'm on ADSL! I'm connected only when I click on the Connect button from my connection shortcut (from Control Panel).

    And I'm assigned a dynamic IP address. Now I perfectly understand why svchost.exe tries to access 255.255.255.255 (thanks to your link), but why does my firewall block that every time by itself and give me no option to allow or deny? It was the same with ZoneAlarm and now with the Comodo firewall. I know how to work with these programs, but in this case it's their free will only.
    Should I allow that interaction when I learn how? I think I must allow the server to check my IP. Please confirm this to me?

    About the Firefox "activity", everything is clear now in my mind.

    How do I know that my computer is downloading??
    -- Actually I saw frequent blinking of the two monitors in the tray, and after every blink I check the sum of received and sent bytes. Then I go to the firewall options and see that svchost.exe or the System application is/are active on the internet and bytes come and go.
    Sometimes it just tries to access 255.255.255.255 and that seems OK now, but sometimes it is something different (like the System application).
    The frequency of "blinking" is much higher now than before and that makes me suspicious.
    I have to say that 80% of the "blinking" (sent data) is caused by svchost.exe sending info to 255.255.... Maybe if I find the way to allow my firewall to let the "back info" from the server (about the IP check) reach my computer... maybe this can help, hmm?

    And I forgot to say that I allow only NOD32 to update automatically. Everything else that I'm aware of I'm updating manually. I think I know how to recognize when my NOD is updating by simply looking at its update status, and that's not what made me suspicious in the first place.

    Thank you very much for the links.
    All of the above activities are normal; this happens on all Windows platforms but more so on XP and Vista! These two "phone home" at regular intervals at the very least! Also if you have Automatic Updates enabled, that will be another reason for almost regular, minimal background network activity with occasional file downloads during the times when it is receiving the available/applicable updates.

    Your firewall utilities are either configured incorrectly (during setup or later by you) or simply not working right for some reason (program corruption or a conflict with the system or even another program).

    Of course all these are only possibilities that I can suggest; since your logs looked clean per Jholland, there is not much to say other than:

    A) Please provide a log file showing all network activity during one of those "odd times" using a security program or your firewall's own internal monitoring.

    or

    B) Reformat the system if you can't give us anything to go on yet you are confident something is wrong.

    or

    C) If none of the other logs indicate a problem, continue using the system as is till some identifiable issue occurs.

    It is really odd that your so-called always-on ADSL connection is requiring you to enter a username/password every time you want to surf the net. Are you getting billed by the time you spend online or per connection/day? What icon do you click on in Control Panel?

    Curious...

    ~TL

  10. #10 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Quote Originally Posted by jabi:
    I'm on ADSL! I'm connected only when I click on the Connect button from my connection shortcut (from Control Panel).
    You shouldn't have to do this...just open a browser and you will see you ARE online.
