HijackThis log

Discussion in 'other firewalls' started by urantiagate, Jan 12, 2004.

Thread Status:
Not open for further replies.
  1. urantiagate

    urantiagate Guest

    Hi!

    I ran SpybotSD.

    I found a number of music files stored on my computer. I think PERHAPS a hijacker also put an IP (for a discussion forum I use) in my Norton Personal Firewall blocked IP list, and possibly some image url file-string fragments (for logos on my website) in my Ad Blocker. I THINK this was done for retaliation for something I said on the forum. Nothing actually malicious was done as far as I know.

    I am still climbing up the learning curve for Norton Internet Security and XP. So, except for the music files the rest MIGHT have been normal functions. No one else has access to my computer.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:24:52 AM, on 1/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\3DTS\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\Peter\Local Settings\Temp\Temporary Directory 1 for hijackthis-1.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37893.5855208333
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{57BEF8EA-5432-4E1E-851A-E86C5D564828}: NameServer = 12.5.48.2 12.5.48.4

    Thanks,

    Peter
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi urantiagate,

    There is nothing malicious in your log.
    Some unnecessary startups that I wouldn't fix with HijackThis (certainly not with HijackThis not unzipped to a folder of its own).

    Since the issue seems to boil down to the question of whether someone has tampered with your NIS settings, I'll move this to the "other firewalls" forum.

    Concerning the forum, I think chances are bigger that your IP was added to the blocklist there, in other words: you were banned.

    But I'll leave that up to the specialists.

    Regards,

    Pieter
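As an added example (not code from the thread or from HijackThis), here is a small Python triage pass over the entry types that appear in the log above: O1 hosts entries, O4 autostarts, O16 ActiveX downloads and O17 name servers. The sample log is constructed and the heuristics are mine; they mark items for a human to look at, they do not decide whether a line is malicious.

```python
import re

# Entry lines in a HijackThis 1.x log look like "O4 - HKLM\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")

# Constructed sample log modelled on the format above (not the poster's log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
O1 - Hosts: 203.0.113.5 www.example.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\diagent.exe" startup
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://download.example.net/shared/tool.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/iuctl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 198.51.100.1 198.51.100.2
"""

def parse_hjt(text):
    """Return (section, detail) for every R*/O* entry line; headers and the process list are skipped."""
    return [(m.group(1), m.group(2)) for m in map(ENTRY_RE.match, text.splitlines()) if m]

def triage(entries):
    """Defender heuristics over parsed entries: (section, detail, note) items worth a human look."""
    findings = []
    for section, detail in entries:
        if section == "O1":
            # "Hosts: <ip> <name>": a non-loopback IP silently redirects that hostname.
            parts = detail.split()
            if len(parts) >= 3 and parts[1] not in ("127.0.0.1", "::1", "0.0.0.0"):
                findings.append((section, detail, "hosts entry redirects a hostname"))
        elif section == "O4":
            # A Run value whose command is a bare filename depends on the search path, not a fixed file.
            m = re.match(r'.*\[[^\]]*\]\s+"?([^"]+)', detail)
            if m and not re.match(r"^[A-Za-z]:\\", m.group(1).strip()):
                findings.append((section, detail, "autostart without absolute path"))
        elif section == "O16":
            # Downloaded Program Files (ActiveX controls): record the hosting domain for review.
            m = re.search(r"https?://([^/]+)/", detail)
            if m and not m.group(1).endswith(".microsoft.com"):
                findings.append((section, detail, f"ActiveX control from {m.group(1)}"))
        elif section == "O17":
            findings.append((section, detail, "DNS server override; confirm it matches your ISP"))
    return findings
```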
  3. urantiagrate

    urantiagrate Guest

    Thanks Pieter!

    I found the website's IP in my Norton Intrusion Detection block list. I wasn't banned. I did nothing but arouse some disagreement. I wasn't flaming or anything and am in good standing there.

    The only way I could have put it there is if it sent a signal to one of my ports which the Firewall interpreted as a threat. Since I am having trouble I put all such IPs on the block list, blocking all access by such IPs.

    I had no password on my Norton protection program. I guess a hijacker could have put it in there with little trouble.

    I also need to know if anything but a trojan could have put the music files on my computer. I am the only person with access.

    Thanks,

    Peter
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Part of this is beyond my area of understanding, but if you found music files on your computer that you did not put there, I would suspect someone put them for others to download.
    This could possibly be done by FTP I think, but this still indicates that your defenses have been bypassed. Have you checked all your firewall configuration to make sure FTP or some other "service" is not allowed free access? Also the issue of someone changing your settings is disturbing.
    I would be sure to update both Nortons and TDS 3 and run full system scans with both. Also, do you have Execution Protection enabled with TDS 3?
    I think there are ways to put files on your computer without a trojan present, possibly FTP, Telnet, ?, but most times a firewall and a good AV prevent this type of stuff.
  5. urantiagate

    urantiagate Registered Member

    Joined:
    Jan 12, 2004
    Posts:
    2
    Hi Root!

    Thanks for the reply.

    All the settings, scans, etc. (except FTP -- I need help with this) you mention I have done. My security is considerably tighter than when I was first having trouble. Except for the music files, everything which happened (that I thought was caused by a trojan) COULD have resulted from my own know-nothing bungling combined with the Norton Internet Security software. I am still not clear how that software operates and/or what its parameters are for blocking stuff.

    That is not to say that I understand HOW my own bungling might have done it.

    As to the music files, they were apparently downloaded on my computer by a program called "MUSICMATCH Jukebox". My computer is fairly new and I really don't know if it was preloaded on it or not. One time, though, when I was having trouble with my Mozilla browser loading a seemingly infinite number of copies of itself, the console for MUSICMATCH popped up on the screen. I had never previously accessed that program -- my speakers were not even hooked up. I had no audio.

    Then it was some while later that I stumbled across the music files. Perhaps you or someone can tell me if MUSICMATCH can be used remotely to download music files, and how someone else might access my computer to get those files to download them.

    I mean, it may not be a trojan but a hijacking of MUSICMATCH.

    I have cut off MUSICMATCH's access to the web (I think). Also, the files are currently put in a new folder, and it is put into the Norton trash. But then, could MM have been put on my computer with a trojan, if it was not part of the software pkg.?

    Peter
  6. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    If you got a Dell, MusicMatch came installed on it probably. I can't imagine someone putting that on your box.
    What was the folder name and what were the names of some of the tunes? Also, what format, like MP3 or wav? Are they large full length files? Trying to figure if they might be preinstalled samples maybe.

    Second thought. If you are not comfortable with knowing how Norton's firewall works by now, please get some help or consider a different firewall. The only really bad firewall is the one that is configured improperly and gives you a false sense of security.
    I don't use Norton, but many around here do.
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Peter

    Just remember with recent versions of NIS/NPF the rules are in three different locations. Each section (Programs, General/System, Trojan) will have to be checked for anything out of the ordinary. We can help you with the FTP rules.

    Make sure security is set to High:
    Personal Firewall -> Configure -> Personal Firewall -> High

    Turn off Automatic Program Control:
    Personal Firewall -> Configure -> Program Control -> Disable (Uncheck) Turn on Automatic Program Control
    This way you will be prompted for applications that NIS/NPF has automatic rules for instead of it just creating them silently for you. You will now be prompted for all rules that need to be created for network access.

    You could have a look at this site for some tips on how NIS/NPF works.

    I don't use the program myself. Some of these programs have options that, if selected (sometimes enabled by default), will track your listening habits. Any chance this is the case and does the program offer samples of downloads based on your preferences?

    Quote from their site: "Personalized Recommendations
    Get daily personalized artist, track and album download recommendations based on your unique tastes in music. Each day you open your Jukebox, Musicmatch displays up to 100 tracks, albums and artists that you're most likely to enjoy in the 'My Matches' folders. The more music you play, the broader your selection of recommended music will be each day. So listen and let the recommendations roll in!"
    Could this be what you are seeing?

    Edit: Also noticed you registered, welcome to Wilders :)

    Regards,

    CrazyM