Hoping someone can provide some assistance here... I need my system analyzed. I have compiled logs & data for troubleshooting...
Windows XP Home v 2002, SP 3
Intel Celeron 2.4 GHz
2.39 GHz , 256 MB RAM
Hard wired to : Arris Modem #TM502G---->Buffalo High Power AirStation A&G: (NAT enabled & PNP disabled, Intrusion detector enabled, etc... MAC filtered, not broadcasting SSID, etc...) ---->Motorola VT1005 (set statically)---->PC (Broadcom 440x 10/100 Integrated Controller w/TCP/IP set statically, and NetBios disabled)
Agnitum Outpost Firewall Pro ver. 4.0.971.7030 (584): (Stealthed as much as I could without sacrificing connectivity)
Avast! v. 4.8 Home Edition, Build Dec. '08 (4.8.1296): (Stealthed)
ProtoWall : (need to update lists, there are a few certain sites I have to disable ProtoWall to visit...)
Wondering if all my PC issues aren't due to my system being compromised. I have been running extensive scans. Are you familiar with analyzing any of the following logs: DrWeb, FPort, HijackThis, RootkitRevealer, StartDreck, SpyBot S&D?
A strange thing occurred, though: right after I started noticing these issues, I received an email from my web host provider stating that one of my websites had been compromised and my web page had been changed. Here is what they said:
"Recently, we noticed that your username and password for your ftp account hosting has been used by someone to alter your main index.html (or index.htm, index.php) file for your website. Their purpose in doing so was to re-direct your traffic to a host of spam related websites. We have determined that they obtained your username/password from software installed on your client machine - likely some malware that can capture typed information. We have restored your original index file so that your site is back to normal. In order to prevent this issue from happening again, we have deleted your affected ftp accounts. You will need to recreate new ones. You should NOT use the same username and password as before. Use a strong password that does not match your account password. We also recommend updating your virus scanner software and running a full system scan. If you have any further questions or concerns please contact our support department. We will be in touch again shortly."
Funny, for the first time in a LONG time, I had just recently used FTP to upload/manage web pages.
A couple of strange occurrences took place around this time. I had a DOS screen open and had toggled to another application... when I toggled back to the DOS screen, this was typed on screen (I don't remember it specifically, but it was close to this): limewire.com. Now, even if I had been typing in the other application and it had somehow gotten entered into the DOS screen accidentally, nowhere did I ever type limewire.com, and if it had been accidentally keyed, it couldn't have been perfect in spelling, etc., as this was. This really spooked me, as I was currently researching different things to determine what was going on with my system, so it was like someone there was watching me search my issues, files, etc., and gave me a "clue/hint". FREAKY!
Also, amongst all of this, lots of start-up and system-dragging issues, etc....
So I went ahead and ran Personal AntiSpy, which indicates there are no keyloggers on my system.
The DrWeb scan indicated some issues. I've resolved them all: to resolve the 2 trojans found in System Restore files, I created a new restore point & deleted all previous restore points. The ipscan entry has been deleted. The FPort.20's have been deleted as well, as the real file/application name for FPort is FPort 2.0.
FPort had at times been revealing around 10++ open local ports, in around the 2000-4000 range. Not sure if this is normal, and I was not able to recreate it for the log. I haven't really seen them at all lately now, though. 2 nights ago, when I went to my Buffalo router page, the page kept loading & reloading and wouldn't load properly. I've never had an issue accessing it before. So I made some adjustments to the firewall settings, and all is OK and accessible now, and I have been on there and made sure all of my settings were correct, stealthed, etc...
I have HijackThis logs for 12-2-08 & 12-4-08. 12-2-08 is from before any system revisions in attempting to resolve the issues. 12-4-08 is current. (I didn't compare them to see if they contained the same info or not...) I am also including the results of a HijackThis ADS Spy scan.
Can anyone shed some light or help me out? I really appreciate any assistance that can be provided! I have a lot more in depth logs & documentation I could provide... such as :
* DrWeb Scan 12-02-08.csv (614 Bytes)
* fport open ports 12-4-08.txt (1.8 KB)
* hijackthis 12-02-08.txt (5.9 KB)
* hijackthis log 12-4-08.txt (6.2 KB)
* hijackthis ads spy log 12-4-08.txt (174 Bytes)
* Outpost Firewall Open Port List 12-4-08.html (670 Bytes)
* Services Settings 12-4-08.html (1.1 KB)
* RootkitReveal 12-4-08.txt (12.1 KB)
* ODQHCCWT PopUp 12-4-08.html (869 Bytes)
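As an added worked example (not part of the original post, and not run against the poster's actual logs): the question of whether roughly ten TCP listeners in the 2000-4000 range are "normal" is easier to answer once FPort's process-to-port mapping is triaged by the owning image rather than by port number alone. On Windows XP the default dynamic (ephemeral) port range is 1025-5000, so ports there are routinely bound by svchost and other Windows components; what matters is which executable owns each socket and where it lives on disk. The script below parses a constructed sample in the tabular layout FPort 2.0 prints (the exact column layout is assumed from that tool's output) and flags rows worth a closer look: images outside the Windows and Program Files trees, images running from a Temp directory, user-mode processes whose image path FPort could not resolve, and dynamic-range TCP listeners not owned by a Windows component. All process names, PIDs and paths in the sample are invented for illustration.

```python
import re

# Assumed FPort 2.0 row layout: "Pid   Process   ->  Port  Proto Path".
# Path is empty for sockets owned by the kernel (process "System").
FPORT_ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)

# Constructed sample output; not the poster's log. Every entry is invented.
SAMPLE_FPORT = """\
FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
4     System         ->  139   TCP
4     System         ->  445   TCP
1040  svchost        ->  135   TCP   C:\\WINDOWS\\system32\\svchost.exe
1040  svchost        ->  1025  TCP   C:\\WINDOWS\\system32\\svchost.exe
1812  outpost        ->  3068  TCP   C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe
2284  updater        ->  3127  TCP   C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\updater.exe
3312  sys32          ->  2987  TCP
1040  svchost        ->  123   UDP   C:\\WINDOWS\\system32\\svchost.exe
"""

XP_DYNAMIC_PORTS = range(1025, 5001)  # default dynamic port range on Windows XP
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_fport(text):
    """Return one dict per socket row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def triage(rows):
    """Apply simple ownership heuristics; returns (pid, proc, port, proto, reasons)."""
    findings = []
    for r in rows:
        path = r["path"].lower()
        reasons = []
        if path and not path.startswith(TRUSTED_PREFIXES):
            reasons.append("image outside Windows / Program Files")
        if "\\temp\\" in path:
            reasons.append("image runs from a Temp directory")
        if not path and r["proc"] != "System":
            reasons.append("user-mode process with unresolved image path")
        if (r["port"] in XP_DYNAMIC_PORTS and r["proto"] == "TCP"
                and not path.startswith("c:\\windows\\")):
            reasons.append("TCP listener in the XP dynamic range (1025-5000) "
                           "not owned by a Windows component")
        if reasons:
            findings.append((r["pid"], r["proc"], r["port"], r["proto"], reasons))
    return findings


if __name__ == "__main__":
    for pid, proc, port, proto, reasons in triage(parse_fport(SAMPLE_FPORT)):
        print(f"PID {pid:<5} {proc:<10} {proto}/{port:<5} -> " + "; ".join(reasons))
```

In the sample, svchost on 1025 is not reported because it is a Windows-owned listener in the dynamic range, whereas the Temp-directory "updater" and the "sys32" process with no resolvable path are the rows a responder would pull first. A third-party firewall listening in the dynamic range is reported too, only so that it gets a look; these are triage heuristics, not verdicts.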