Solved: firewall port questions, possible new infection?


fourspdtom
Member with 71 posts.
Join Date: Oct 2007
02-Feb-2008, 01:39 AM #1
hi again

windows xp, webroot spy sweeper, trend micro antivirus-spyware, recently webroot desktop firewall, spybot s&d, etc etc

i had some problems a couple months ago, cookie gal helped me out quite well. everything has been fine, recently installed spybot [which seems to conflict with webroot a bit] and the webroot desktop firewall. a couple days ago the pc started locking up during restart, lots of cpu usage, wife said it started after a game download, the game installed but wouldn't run, she uninstalled and restarted, problems started.

i disconnected from the net, turned off the webroot firewall from startup [that seemed to be where the pc locked at first], got it restarted [barely], ran atf cleaner, all three scans, trend micro did show a win 32 dialer something in spyware quarantine as well as adware memwatcher [which is from spybot's immunize ?]. while disconnected, and webroot spysweeper and firewall off, i noticed spysweeper and a couple svchost processes using cpu off and on, one svchost spiking occasionally. it seemed to subside as i got everything turned back on and reconnected.

once all the scans were run, atf run, reconnected, webroot firewall on [didn't know xp firewall was off at the time], things seem ok now, hjt log shows same as usual. a couple svchost processes are using cpu sometimes but not like it was.

to the firewall port questions,,, i noticed tonight the xp firewall was turned off, and a new exception listed and checked, dcom (135),, ok or not? i turned xp firewall on and unchecked it for now. also while looking through the webroot firewall log i saw some incoming packets from odd ports and i don't know much [at all] about that stuff other than google listings, some of which didn't look good. are those just incoming tries or how do i know which to worry about? probably a dozen or more numbers if you need me to list them. also i see multiple svchost entries in the port tracking section, four to as many as ten at a time,, should there be that many? is it possible we got infected or am i seeing normal activity?

any advice or direction is very much appreciated
wk2000
Senior Member with 283 posts.
Join Date: Sep 2007
Experience: Intermediate
02-Feb-2008, 03:03 PM #2
If you're using webroot firewall, then XP's own firewall should be turned off. Svchost entries listed in a firewall should be fine, but Svchost is a service which multiple programs can attach to and use for sending / receiving. So you need to know which programs are using the svchost to communicate in order to be really sure that all is ok. I think HJT's startup list can list those out.
fourspdtom
Member with 71 posts.
Join Date: Oct 2007
02-Feb-2008, 05:08 PM #3
thanx for the reply wk2000

from what i understood the webroot firewall ran along with or over the xp firewall. to be honest before yesterday i hadn't checked to see if xp firewall was running while the webroot firewall was running. i also noticed after a restart earlier today,, the xp firewall off again and the DCOM (135) rechecked in the exceptions. could that be from the webroot firewall?

also about all the different ports showing incoming packets,, sometimes i see quite a few in ascending order,, are those failed attempts ? a lot of odd numbers at times. the only outgoing packets are 137 and 138. are these anything to worry about??
TOGG
Distinguished Member with 4,192 posts.
Join Date: Apr 2002
Location: Birmingham, England
02-Feb-2008, 07:45 PM #4
Have a look at the IANA port numbers list; http://www.iana.org/assignments/port-numbers to see what processes ports 135, 137 and 138 are officially assigned to. Wikipedia provides this information about NetBIOS; http://en.wikipedia.org/wiki/NetBIOS (note that there is something with the same name that wasn't much used after Win 2K).

The bad news is that malware can be set up to use just about any port number it wants so, if the affected computer is not on a network, you may need to run a new HJT scan and get this thread transferred to the Malware Removal Forum.
__________________
Nothing matters very much, and few things matter at all.

Lord Balfour 1848-1930
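
An added example, not part of any post in this thread: a small Python log reader that labels the ports discussed above (135, 137, 138) with their IANA service names and flags any source whose blocked packets hit consecutive destination ports, the ascending pattern described in post #3. The log lines are constructed, and the field order (date, time, action, protocol, source IP, destination IP, source port, destination port) is an assumption modelled on the Windows Firewall log; the Webroot log format is not shown in the thread.

```python
from collections import defaultdict

# IANA service names for the three ports named in the thread
IANA = {135: "epmap (DCE endpoint resolution)", 137: "netbios-ns", 138: "netbios-dgm"}

# Constructed sample lines (documentation-range addresses), not the poster's log
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2008-02-02 01:10:01 DROP TCP 203.0.113.7 192.168.1.10 4411 1024
2008-02-02 01:10:01 DROP TCP 203.0.113.7 192.168.1.10 4412 1025
2008-02-02 01:10:02 DROP TCP 203.0.113.7 192.168.1.10 4413 1026
2008-02-02 01:10:02 DROP TCP 203.0.113.7 192.168.1.10 4414 1027
2008-02-02 01:11:40 DROP TCP 198.51.100.23 192.168.1.10 3310 135
2008-02-02 01:12:05 OPEN UDP 192.168.1.10 192.168.1.255 137 137
2008-02-02 01:12:06 OPEN UDP 192.168.1.10 192.168.1.255 138 138
"""

def parse(log_text):
    """Yield (action, proto, src_ip, dst_ip, dst_port) for each data line."""
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 8 or not parts[7].isdigit():
            continue  # skip headers and malformed lines
        yield parts[2], parts[3], parts[4], parts[5], int(parts[7])

def summarize(log_text, local_ip, min_run=4):
    """Return (labelled well-known-port hits, sources probing consecutive ports)."""
    labelled, dropped = [], defaultdict(set)
    for action, proto, src, dst, port in parse(log_text):
        direction = "out" if src == local_ip else "in"
        if port in IANA:
            labelled.append((direction, action, proto, port, IANA[port]))
        if direction == "in" and action == "DROP":
            dropped[src].add(port)
    sweeps = {}
    for src, ports in dropped.items():
        ordered, run, best = sorted(ports), 1, 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1  # length of current ascending run
            best = max(best, run)
        if best >= min_run:
            sweeps[src] = (ordered[0], ordered[-1], best)
    return labelled, sweeps

if __name__ == "__main__":
    hits, sweeps = summarize(SAMPLE_LOG, "192.168.1.10")
    for hit in hits:
        print(*hit)
    for src, (lo, hi, n) in sweeps.items():
        print(f"{src}: {n} consecutive blocked ports in {lo}-{hi}")
```

Blocked inbound packets walking up consecutive ports from one address are dropped probes, while outbound 137/138 broadcasts are ordinary NetBIOS name and datagram traffic from a Windows machine.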
fourspdtom
Member with 71 posts.
Join Date: Oct 2007
03-Feb-2008, 09:47 PM #5
thanx togg

i'm beginning to think i do have an infection again. the dcom (135) keeps getting rechecked, going to maybe set webroot firewall to not start at restart, see if xp firewall does same thing again. the last couple games the wife downloaded caused problems, seem to each have 3 or 4 process and app entries in webroot firewall, sometimes an app or process shows up again after removal.

i noticed windows hasn't updated since 1-9-08, took couple tries to get updates installed. now i have a .net runtime optimization service? from latest updates? also just saw windows messenger in programs list? neither i nor the wife installed it, doesn't show uninstall in list nor does it even show up in add remove programs.

sooooooo,,, do i close this thread, start another in malware, explaining the current symptoms and such,, or can someone move this one there , maybe cookiegal can walk me thru this one too?

thanx once again guys
TOGG
Distinguished Member with 4,192 posts.
Join Date: Apr 2002
Location: Birmingham, England
04-Feb-2008, 12:32 PM #6
Click on the red triangle at top right of your post and ask a Moderator to transfer this to Malware Removal.
fourspdtom
Member with 71 posts.
Join Date: Oct 2007
04-Feb-2008, 07:31 PM #7
will do togg

i want to look into a couple things first, make sure the xp firewall setting and the dcom135 exception don't have to do with webroot firewall, see if the .net item and the windows messenger didn't come with that last update, etc. the info on the .net framework update said it may eat cpu usage "while it compiles frameworks" or something, would be ok after done and restart, which it has.

on the other hand. wife said she had a problem with i.e. yesterday, and looking at the O16 entries in hjt, some are associated with games we've used and uninstalled, in the dpf file they show the dependency files as "damaged"? might be causing problems? few other little things.

anyway, let me get my ducks in a row and i'll have this moved

thanx for your help
fourspdtom
Member with 71 posts.
Join Date: Oct 2007
10-Feb-2008, 02:14 PM #8
just to let ya know what's up,,,

asked a mod to move this to malware removal. still not sure that's source of problem though. last couple restarts were locking up, and turns out the webroot spysweeper and desktop firewall were going nuts, the ssu.exe of spysweeper showing 10+ times in processes. did a restore point to 1 week ago, set spysweeper and desktop firewall to not load at startup. everything seems smooth now. i do have trendmicro anti-virus/spyware running for protection.

little research found webroot has some issues with the latest vista update [i have xp], says there is a fix from microsoft, and latest spysweeper download should fix it also. did say that WDF does turn off xp firewall, and turns it back on if shutdown. still don't know about the dcom(135) exception though. just noticed also,, since the restore point, that windows messenger is gone, but the latest windows update .net framework whatever 2.0 and 3.0 are still there [thought maybe the windows messenger came from one?]

thanx once again
fourspdtom
Member with 71 posts.
Join Date: Oct 2007
15-Jun-2008, 02:31 PM #9
hi again,

sorry i've not closed or finished the thread. i have uninstalled the webroot firewall and done a clean install of the webroot spysweeper. the dcom135 exception in xp firewall no longer gets rechecked, must have been connected. i have trend micro and windows defender set to load at startup, and spysweeper i start after,, startups seem to be smooth and normal now.

other than a couple alternate data streams that show up occasionally and my usual worries,, things are running normally

thanx,, marking closed