Help! I've been hacked! (I think.)


This topic is locked
15 replies to this topic

#1 noonewouldlisten

noonewouldlisten

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 06 June 2005 - 11:34 PM

Hi,

I've always been apprehensive about posting a Hijackthis log, but it has come to a point of desperation. Someone recently hacked me and stole some great domain name ideas. I saw the ideas registered online last night, and this really upset me.

OK if I post my Hijackthis log here? Also have followed all the basics like enabling hidden files, scanning with Adaware, Spybot, CW Shredder, using CCleaner. Used the same advice "Oldtimer" gave someone, but got no results.

Also have Spystopper, SpywareBlaster, Microsoft Antispyware Beta, and NOD32 anti-virus.

Really in a quandary.


#2 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 06 June 2005 - 11:57 PM

Forgot to mention, I use Zone Alarm free version and MSN Firewall, but the MSN gets shut off frequently. Just checked and my cookies had been set to the highest risk (no protection at all.) I've actually watched as my Spystopper and ZoneAlarm blinked off right before my eyes. Also wondering if there's a way to disable networking, or if that might be the source of security problem.

Edited by noonewouldlisten, 06 June 2005 - 11:59 PM.


#3 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 07 June 2005 - 03:12 AM

14 views, no replies...Ok, here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 2:07:44 AM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpyStopper\spystopper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:03:24 AM

Posted 07 June 2005 - 08:21 PM

Hello noonewouldlisten and welcome to BleepingComputer.

I see no indication of any backdoors or keyloggers or such on your machine. There is a little bit of fixing that needs to be done though.


Configure Windows to enable viewing of Hidden and System files.

Boot into Safe Mode.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Reboot normally and post a new HJT log please.
Derfram
~~~~~~

#5 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 08 June 2005 - 01:12 AM

ddeerrff,
Thanks for your response.
OK,
I did it. I've tried this many times. No success, not even in safe mode.
Interestingly, when I boot up as Administrator instead of Owner, #15 doesn't appear in the HijackThis log. (have XP) But I can't switch user to Administrator unless I'm in safe mode.


Logfile of HijackThis v1.99.1
Scan saved at 12:03:10 AM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpyStopper\spystopper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} -
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:03:24 AM

Posted 08 June 2005 - 10:19 AM

Let's try this while staying in your account in normal mode. We will need to disable Teatimer first:

You have Spybot's Teatimer running. While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Open Notepad (Start button, click on Run, type in Notepad, and click OK), then copy & paste the following block of text into Notepad.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as fix.reg. Close Notepad.

Then double-click on the fix.reg file saved to the desktop.
- When it prompts to add or merge, say yes.


Reboot and post a fresh log.
Derfram
~~~~~~
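To make the O15 check concrete, here is an added Python example (it is not code from BleepingComputer, HijackThis or either poster): it parses REGEDIT4 text for the ProtocolDefaults keys, simulates merging the fix.reg above over a broken state, and emits HijackThis-style O15 lines for any protocol whose zone differs from the expected default. The expected zone numbers are the ones in the fix.reg above; the zone names are the standard Internet Explorer zone ids (0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted); the "broken" starting state is constructed to match what the logs above reported.

```python
import re
import textwrap

# Standard Internet Explorer URL security zone ids.
ZONE_NAMES = {
    0: "My Computer Zone",
    1: "Intranet Zone",
    2: "Trusted Zone",
    3: "Internet Zone",
    4: "Restricted Zone",
}

# Expected zone per protocol, taken from the fix.reg posted above.
EXPECTED = {"http": 3, "https": 3, "ftp": 3, "file": 3, "@ivt": 1, "shell": 0}

PROTOCOL_DEFAULTS_SUFFIX = r"\internet settings\zonemap\protocoldefaults"

_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)(\\[^\]]*)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_protocol_defaults(reg_text):
    """Return {hive: {protocol: zone}} for each ProtocolDefaults key in REGEDIT4 text.

    A key header starting with '-' deletes the key (as regedit does when the
    file is merged); values under a later header for the same hive rebuild it.
    """
    zones = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            delete, hive, path = key.groups()
            current = None
            if path.lower().endswith(PROTOCOL_DEFAULTS_SUFFIX):
                if delete:
                    zones.pop(hive, None)
                else:
                    current = zones.setdefault(hive, {})
            continue
        value = _DWORD_RE.match(line)
        if value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return zones


def o15_findings(protocol_zones):
    """HijackThis-style O15 lines for protocols that are not in their expected zone."""
    findings = []
    for proto in sorted(EXPECTED):  # sorted order matches the log: '@ivt', 'file', 'ftp', ...
        actual = protocol_zones.get(proto)
        if actual is None or actual == EXPECTED[proto]:
            continue
        findings.append(
            "O15 - ProtocolDefaults: '%s' protocol is in %s, should be %s"
            % (proto, ZONE_NAMES.get(actual, "zone %d" % actual), ZONE_NAMES[EXPECTED[proto]])
        )
    return findings


# Constructed sample: the broken state the logs above showed (everything in zone 0).
BROKEN_REG = textwrap.dedent(r"""
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    "http"=dword:00000000
    "https"=dword:00000000
    "ftp"=dword:00000000
    "file"=dword:00000000
    "@ivt"=dword:00000000
""")

# The fix.reg from the post above: deletes and recreates both keys.
FIX_REG = textwrap.dedent(r"""
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    @=""
    "http"=dword:00000003
    "https"=dword:00000003
    "ftp"=dword:00000003
    "file"=dword:00000003
    "@ivt"=dword:00000001
    "shell"=dword:00000000

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    @=""
    "http"=dword:00000003
    "https"=dword:00000003
    "ftp"=dword:00000003
    "file"=dword:00000003
    "@ivt"=dword:00000001
""")


def check_after_merge(before_reg, fix_reg, hive="HKEY_CURRENT_USER"):
    """Simulate merging fix_reg over the current state; return (before, after) O15 findings."""
    before = parse_protocol_defaults(before_reg)
    after = parse_protocol_defaults(before_reg + fix_reg)
    return o15_findings(before.get(hive, {})), o15_findings(after.get(hive, {}))


if __name__ == "__main__":
    before, after = check_after_merge(BROKEN_REG, FIX_REG)
    print("\n".join(before) or "no O15 findings")
    print("after merge:", after or "clean")
```

The point the fix.reg relies on is the leading '-' header: it deletes the whole key first, so stale values that are not listed in the file cannot survive the merge. The parser models that by dropping the hive's entry when it sees the delete header, which is why the "after" result is clean even though the broken file never mentioned "shell".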

#7 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 09 June 2005 - 01:11 PM

Sorry for the delayed response. Have been very busy. Looks like we got rid of the problem! Thank you! Here's my HJT log. Is there anything else that looks suspicious? By the way, I installed a couple of things a while back that might have caused the problem. Not really that computer savvy so I wouldn't know.
One is Page Defrag v. 3.2 and the other is Anonymous Browsing Toolbar. Never completely got rid of either one, although I uninstalled both and looked for remainders.



Logfile of HijackThis v1.99.1
Scan saved at 11:58:50 AM, on 6/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpyStopper\spystopper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} -
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 09 June 2005 - 02:14 PM

Hi again,
I just ran Spybot and found Mysoft. This has happened on numerous occasions. When I Google Mysoft I find many forum posts saying it's a false positive, but I'm not convinced. Mysoft comes and goes, and it wasn't present when I started this thread. I think these guys have found a way to make it look like it's a false positive without it actually being one. Just a hunch.

By the way, I asked earlier if there's a way to disable networking. Is that possible? I connect through a wireless ISP and I have sharing disabled but I see that Symantec has shared files on my computer. When I click on Task Manager, it shows that networking is happening. Can this leave me open to hackers? Are sharing and networking related? Sorry if that's a stupid question.

#9 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:03:24 AM

Posted 09 June 2005 - 03:34 PM

The HJT log looks clean.

I'm finding very little info on MySoft, other than it might be related to a 'HOSTS' entry. We can try rebuilding your HOSTS file:

Download Hoster.zip.
- Unzip hoster.zip into its own folder.

Navigate to and run Hoster.
- Press 'Restore Original Hosts' and press 'OK'
- Exit Program.


There is another scanner we can try. I usually hesitate to recommend this one because it finds almost *everything*, and most of what it finds are harmless remnants. Keep that in mind when you see the results.

Download MWAV.exe from MicroWorld, then:

- Double-click the mwav.exe icon to run it (it'll self extract).
- When it opens, check the following:
  Memory
  Registry
  Startup Folders
  System Folders
  Services
  Drive
  All local drives
  Scan all files
- Then click on SCAN

When it completes, post back the results (copy and paste) from the 'Virus log information' pane. Do NOT copy and paste the entire mwav log, only the text from the lower pane!

We'll see if we can find any indication of MySoft, Page Defrag, or Anonymous Browsing Toolbar in that.


Networking...

By "connect through a wireless ISP" do you mean you have a direct wireless connection to the ISP or you connect through a wireless router? What exactly is the entry in TaskManager?

You can disable sharing within your local LAN by disabling Netbios over TCP/IP.
- Open Control Panel, and click on 'Networking', then right click on your active connection and select 'Properties'.
- Highlight Internet Protocol (TCP/IP) and select 'Properties', then click on 'Advanced'.
- Under the 'WINS' tab, select "Disable NetBios over TCP/IP".

Edited by ddeerrff, 09 June 2005 - 03:35 PM.

Derfram
~~~~~~

#10 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 10 June 2005 - 12:05 AM

ddeerrff,
Thanks again for all the help. Just got back from work and will try all you told me.
Will post the results soon.

#11 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 10 June 2005 - 02:08 AM

Network settings were fine.
I have a direct wireless connection to the ISP (Ricochet.com).
Under Networking, Task Manager shows:
Adapter Name: Ricochet Network Utilization: graph shows use (goes up and down from 0-5% like a cardiograph). Link Speed: 460kbps State: Connected. Below it says, Processes: 25 CPU usages: 70-100% (while running MWAV).

As I'm watching, I see lots of instances of ocx (saw that earlier on my system somewhere). Even finds it on drive D, where I keep a Norton 2002 Disk most of the time, for Clean Sweep, Disk Doctor, and Win Doctor. (Used to have Norton installed, but it took too many resources. Now I just use the disk for cleanup and disk checks.) Wonder if the disk got corrupted somehow, from leaving it in there all the time, or if I'm getting false positives for ocx, whatever that is.

Mysoft showed a re-direct to Alta Vista or something and another one to (?) can't recall. ocx, perhaps. Didn't keep a Spybot log. Very sorry. Will enable Spybot's logging in the future. Still wonder why Windows Firewall keeps shutting off. Same thing happens on my parents' computer which also has XP. Every time I visit them, I try to tweak their system to make it faster and safer. I read about Kaspersky MWAV. Looks pretty good. Could use an all-in-one type of application, instead of 10 things at once, but I've read that there's no magic bullet, you need 2 or 3 things at least. Wouldn't give up Spystopper to save my life. Stops stuff that nothing else does, like scripts, bugs, scanners, ads, style sheets, cookies, websites, and worms. But obviously it can't stop everything. Stops the Blaster Worm and the Code Red Worm, which is nice. Also, couldn't live without Roxio's GoBack. Has restored me from several crashes, even the Blue Screen of Death!
(Sorry to go on and on, but I'm waiting for the scan to finish. You’re the first person I've ever talked to online about any of this stuff, so I'm kind of getting it all off my chest at once. )
Anyway, any recommendations?

#12 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 10 June 2005 - 06:01 PM

Wow, that was sloooowwww!

Great software though, evidently. Found 6 viruses. Took 3 hours, and had to re-scan so it took 6 hours altogether, but the good news is, it found a lot of garbage. Can't copy and paste the info (can't even copy) from MSWV, so I wrote it all down, which took another hour. They probably want me to buy it, I'm guessing, but not without your recommendation.

My scanner is down, so I may have to either type it all in, or borrow a scanner, or send the whole log.

Here's the basics, to start:
ocx is part of bitdefender, which I don't recall installing.
Re-ran Spybot, and it found Mysoft again. Saved the log this time. Will send on request, or email it to you. Said there were 2 redirected hosts. Altavista 127.0.0.1 and auto.search.msn.com Also 127.0.0.1.

Ran Adaware earlier and it found and deleted something, but I used Goback to try to recover the MWAV log and went back several hours, re-ran Adaware and it froze up on the deep scan of C-drive. May have to run it again. This happens a lot.

Here are the logged MWAV items. Hope I don't make any typos..

Object "Altnet Spyware/Adware" found in file system!

The following dlls all begin with:
HKLM\Software\Microsoft\Windows\\CurrentVersion\ModuleUsage refers to invalid object

DASAcf.dll
DAShp.dll
amp43.dll
avsniff.dll
bitdefender.ocx
bvnetio.dll
iSetup.dll
navpi32.dll
navpi32.vxd
atachk.dll
rufsi.dll
mssecadv.dll
UHDID.dll


D:\Program\32\mci.ocx{HKCR\CLSID\1EFD6A40-3999-11CF-9150-00AA0059F70D}REFERS TO AN INVALID OBJECT: bitdefender.ocx (downloaded Program)

D:\Program\32\mci.ocx{3375D2E0-7C5D-11CF-899E-899E-00AA00688B10}
REFERS TO AN INVALID OBJECT: bitdefender.ocx (downloaded Program)

HCKR\CLSID\{C1A8AF25-1257-101B-8FBO-OO2OAFO39CA3}
REFERS TO AN INVALID OBJECT:
Program Files\Eset\nodshex.dll HKCR D:\Program\mci32.ocx

HCKR\CLSID\{BO89FE88-FB52-11d3-BDF1-005DA34150D}
REFERS TO AN INVALID OBJECT: C:Program Files\eset\nodshex.dll

File C:\CoffeeZip20.exe
C:\LXKX63\scan\setup.LXKX63 (LEXMARK)
C:\LXKX63\scan\setup.x63PART2
C:\LXKX83\scan\setup.x83PART2.EXE
C:\Program Files\Coffee Cup Software\FreeZip\reassoc.exe


Please let me know if I got anything wrong in manually transferring this info.

#13 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:03:24 AM

Posted 10 June 2005 - 08:48 PM

Under Networking, Task Manager shows:
Adapter Name: Ricochet Network Utilization: graph shows use (goes up and down from 0-5% like a cardiograph). Link Speed: 460kbps State: Connected. Below it says, Processes: 25 CPU usages: 70-100% (while running MWAV).

That sounds reasonable. In this case, I think 'Networking' is a normal and required process.

Can't copy and paste the info (can't even copy) from MSWV, so I wrote it all down, which took another hour

Never had reports of that problem before. Sorry 'bout that.

Re-ran Spybot, and it found Mysoft again. Saved the log this time. Will send on request, or email it to you. Said there were 2 redirected hosts. Altavista 127.0.0.1 and auto.search.msn.com Also 127.0.0.1.

Did you run Hoster? That should have cleared any HOSTS file redirect entries. If you did and Spybot is still seeing Mysoft, I think you will just need to recognize it as a false positive.

Object "Altnet Spyware/Adware" found in file system!

The following dlls all begin with:
HKLM\Software\Microsoft\Windows\\CurrentVersion\ModuleUsage refers to invalid object

DASAcf.dll
DAShp.dll
amp43.dll
avsniff.dll
bitdefender.ocx
bvnetio.dll
iSetup.dll
navpi32.dll
navpi32.vxd
atachk.dll
rufsi.dll
mssecadv.dll
UHDID.dll

Remember I told you MWAV finds everything, most being harmless. These would be orphaned registry entries. They are harmless and we don't usually recommend unnecessary editing or 'cleaning' of the registry. Doing so commonly causes more harm than good.

D:\Program\32\mci.ocx{HKCR\CLSID\1EFD6A40-3999-11CF-9150-00AA0059F70D}REFERS TO AN INVALID OBJECT: bitdefender.ocx (downloaded Program)

D:\Program\32\mci.ocx{3375D2E0-7C5D-11CF-899E-899E-00AA00688B10}
REFERS TO AN INVALID OBJECT: bitdefender.ocx (downloaded Program)

HCKR\CLSID\{C1A8AF25-1257-101B-8FBO-OO2OAFO39CA3}
REFERS TO AN INVALID OBJECT:
Program Files\Eset\nodshex.dll HKCR D:\Program\mci32.ocx

These look like registry entries related to that disk you have in drive D:\

Really see nothing there that needs to be fixed.

Are you running an Anti-Virus program? I see reference to Nod32 in your log, but it doesn't look like it's installed any resident protection. If you are looking for an AV program, AVG by Grisoft is well respected and free for personal use.

As for the firewall turning itself off - I really have no idea on that, it's a bit outside my area of knowledge. You might try posting that problem in the WindowsXP/NT/2000/2003 or the Networking forum.

Please post one more HJT log to be sure nothing new has slipped in while we weren't watching...
Derfram
~~~~~~
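The HOSTS-file thread running through posts #9, #12 and #13 (Spybot reporting two names redirected to 127.0.0.1, and Hoster's "Restore Original Hosts" as the fix) is easy to reproduce offline. The following is an added Python example, not code from BleepingComputer, Spybot or Hoster: it parses HOSTS text, reports every non-local name that is pointed at loopback or at some other address, and rebuilds the file to the single stock entry, which is what a restore amounts to (Hoster's own internals are not reproduced). The sample file is constructed; the two loopback entries use the names Spybot reported in post #12, with "altavista.com" assumed as the full hostname, and the third entry is an invented non-loopback override to show the other case a checker should flag.

```python
import ipaddress

# Names that legitimately map to loopback in a stock Windows HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

STOCK_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; not a usable entry
        for name in parts[1:]:  # one address may carry several aliases
            entries.append((ip, name.lower()))
    return entries


def hosts_findings(text):
    """Spybot-style findings: non-local names sent to loopback/0.0.0.0, or overridden elsewhere."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            # A name mapped to loopback is blocked: the browser never reaches the real host.
            findings.append("redirected host: %s -> %s (blocked)" % (name, ip))
        else:
            # A name mapped to some other address is silently answered by that address.
            findings.append("redirected host: %s -> %s (non-loopback override)" % (name, ip))
    return findings


def rebuild_hosts(text):
    """Return a rebuilt HOSTS file: the stock localhost line plus any other local-name loopback lines."""
    kept = [STOCK_HOSTS.rstrip("\n")]
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and name != "localhost" and ip.is_loopback:
            kept.append("%s       %s" % (ip, name))
    return "\n".join(kept) + "\n"


# Constructed sample HOSTS file (not the poster's actual file).
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed)
127.0.0.1       localhost
127.0.0.1       altavista.com          # reported by Spybot in the thread
127.0.0.1       auto.search.msn.com    # reported by Spybot in the thread
10.0.0.5        update.example.test    # invented override to a non-loopback address
"""


if __name__ == "__main__":
    for finding in hosts_findings(SAMPLE_HOSTS):
        print(finding)
    print("rebuilt file:\n" + rebuild_hosts(SAMPLE_HOSTS), end="")
    print("findings after rebuild:", hosts_findings(rebuild_hosts(SAMPLE_HOSTS)))
```

Two loopback redirects like the ones in post #12 block the named sites rather than intercepting them, which is why such entries are as often left behind by a blocklist tool as by malware; a name mapped to a routable address is the case that deserves a closer look, since whatever answers at that address is trusted as the real site.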

#14 noonewouldlisten

noonewouldlisten
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:24 AM

Posted 10 June 2005 - 09:30 PM

:thumbsup:

Uninstalled NOD32 earlier. Took too many resources and wouldn't disable in Task Mgr when I asked it to.

Will try the one you recommended.

Thanks again for everything.

It's good to know I haven't been hacked after all.

I can only guess that the registrar (see my original post) of the domains stole the ideas after I entered them. ( buyer beware. )

One more HJT log per your request...

Logfile of HijackThis v1.99.1
Scan saved at 8:18:54 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\SpyStopper\SpyStopper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D5B24A4-C94C-45A9-AA0E-DE5D9859AFB2}: NameServer = 168.253.8.17 168.253.8.18
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#15 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:03:24 AM

Posted 10 June 2005 - 09:53 PM

The log is still clean.

Now that you are clean, please follow these steps in order to keep your computer safe and secure:

How did I get infected?, With steps so it does not happen again!
Simple and easy ways to keep your computer safe and secure on the Internet
Derfram
~~~~~~
