|
|
|||||||
| Spyware Cleaning Section Closed!! |
| Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services. |
|
|
Thread Tools | Search this Thread |
|
#1
May 12th, 2004, 10:13 PM
|
||||
|
||||
Hijacked?, help me please.
I use Norton Antivirus and Firewall, the Firewall keeps telling me that the netbios file sharing and print sharing is tring to send outbound to another computer. I have file sharing shut off. I am the only one who uses the computer. So I also have the firewall that comes with windows xp also turned on, Since recently someone had attempted to setup a msn passport using my email account that is connected to my other email. I don't publicize that one, so it had to found from within my computer including my password, so I changed passwords etc, and blocked the netbios warning that the firewall was telling me to let through. I have ran free microtrend virus check and it says that there is no viruses also. So I just downloaded your HijackThis and I am pasting my txt file that I have saved. I normally run Pest Patrol and Adaware and neither one is picking anything up.
Thank You Donna Logfile of HijackThis v1.97.7 Scan saved at 10:02:47 PM, on 12/05/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\WINDOWS\System32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Paltalk\pnetaware.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\Documents and Settings\Donna\Local Settings\Temp\Temporary Directory 2 for hijackthis1977.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnwl.igs.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Donna\LOCALS~1\Temp\200432116379_mcinfo.exe /insfin O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [Rosary Reminder] C:\Program Files\Virtual Rosary\reminder.exe O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe O4 - Global Startup: WinTasks.lnk = C:\Program Files\LIUtilities\WinTasks\wintasks.exe O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: TREND MICRO HouseCall (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1276113f...p/RdxIE601.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7...ll/xscan53.cab O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file...CallButton.CAB O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...942.8291898148 O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab Last edited by donna68ca : May 12th, 2004 at 11:10 PM. |
|
#2
May 15th, 2004, 05:21 AM
|
||||
|
||||
Re: I am sure I have been hijacked, help me please.
Hi donna68ca,
This is the only entry that looks a bit odd: O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Donna\LOCALS~1\Temp\200432116379_mcinfo.exe /insfin It looks like a McAfee related item,but I only see Norton processes on your computer. Regards, Pieter
__________________
Regards, Pieter It´s nice to be important, but it´s more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#3
May 28th, 2004, 12:16 AM
|
||||
|
||||
|
Re: I am sure I have been hijacked, help me please.
Well as it turned out, there was something strange going on in my computer, that I noticed later. There were logs that were logs that were never on my computer before. Originally when I installed Norton I would see something similar ( only once and that was it). But, this " thing" was changing files in my computer, and changing Norton files. The files were being logged as the following: just an example- Norton Anti Virus 2004051818h32m45secs. When you would open this up, you could see all the changes that happened. It was giving itself a new execution name each time (whole bunch of numbers and letters within {}.exe. Thought it was just Norton updating, so I sut down computer, restarted, and checked again. New file created.
So I copied that file to a CD. Copied one of the logs to a floppy disk, then gave up and reformated the hard drive since I had 32 of the logs and over a couple of hundred changes to the computer. No virus detection was picking anything up, since it was more or less blocking the accurasy I guess. I do not have the logs showing anymore, so I know now it was not my Norton, and have followed the advice here for protection on IE, and downloading some of the protection programs that you suggest in this forum. Have not scanned the floppy or the CD since I am to worried on getting the sucker back on my computer. Donna |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
