I'm hijacked?

Forums » Up and Running » Security » Security » I'm hijacked?


Uniqs: 156	Share Topic:	RSS topic:	toggle: flat / full normal / watch	Posting:	Post a:	Post a:

Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal

Extendia RAV update corrupt? »
« Inbound UDP packets (port 67) + Trojan?

squeek

@67.128.x.x

hijackthis.zip 180,933 bytes

Every 13-17 minutes I get a pop-up browser screen with
the following: www.pwned.freehomepage.com/pwn.html, then
a Security Warning Box from Media Tickets.
I have:

DL, ran CWShredder
DL, ran Spybot
Update, ran Ad-Aware
DL, ran TDS-3
DL, ran HJT, attached is log created
by HJT

permalink · 2004-07-03 17:22:01 · Print ·

NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN	Re: I'm hijacked? Your attachment is the HijackThis executable, not the log file. Next time just copy and paste the log contents into your forum post instead of including it as an attachment.
	permalink · 2004-07-03 17:55:42 ·

Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand	You need to read through »Security »I think my computer is infected or hijacked. What should I do? The FAQ explains all the steps leading to posting a HJT log. Please follow them in the order they are given, and make sure to update any utilities you run. It's a long list, but it should help you. -- Security Forum FAQs .. ♥ .. "Raj karega Khalsa!" .. ♥ .. Starfire "5 in 4"
	permalink · 2004-07-03 18:00:51 · Print ·

squeek

@67.128.x.x

Re: I'm hijacked?

Okay, here's the contents of the
HJT Logfile.

I've downloaded and followed exactly
the contents of www.dslreports.clm/faq/8428
"I think my computer is infected or hijacked.
What should I do?"

See original post regarding the AV, AT, AS
programs already DL'd, updated, run.

Thanks for all the suggestions: (sorry
for post length)

Logfile of HijackThis v1.98.0
Scan saved at 1:25:09 PM, on 7/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\EZSP_PX.EXE
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\WINDOWS\System32\smss32.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Spy killer\hijackthis\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] smss32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] smss32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Update] smss32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - »us.dl1.yimg.com/download.yahoo.c···lete.cab

permalink · 2004-07-03 18:27:40 · Print ·

John2g Qui Tacet Consentit Premium join:2001-08-10 England	You didn't use the latest version of HJT. It is here. »HijackThis 1.98.0 - Hotfix Build -- Better to remain silent and be thought a fool, than to speak and remove all doubt.
	permalink · 2004-07-04 04:43:31 ·

paranoidxe Premium join:2002-03-29 Ogden, UT	Re: I'm hijacked? You may or may not be hijacked, but you do have malware on that machine. Download and run Lavasoft Adaware and Spybot..fix what it finds. -- "Its better to look stupid for 5 minutes and ask a question, than to be stupid for the rest of your life."4g63.20m.com (textsource.org)
	permalink · 2004-07-04 04:54:52 ·

John2g Qui Tacet Consentit Premium join:2001-08-10 England	It might pay you to read this »be.trendmicro-europe.com/enterpr···&VSect=T -- Better to remain silent and be thought a fool, than to speak and remove all doubt.
	permalink · 2004-07-04 05:00:37 ·

John2g Qui Tacet Consentit Premium join:2001-08-10 England	I would run this free AV first »www.mwti.net/antivirus/free_utilities.asp Make sure that the resident protection in your current AV (Symantec) is disabled first. -- Better to remain silent and be thought a fool, than to speak and remove all doubt.
	permalink · 2004-07-04 05:03:29 ·

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN

·Vonage

·Cingular Wireless

·AT&T CallVantage

·AT&T Southeast

If you had actually gone to the link I think my computer is infected or hijacked. What should I do? and followed the instructions including going to the link Go to web based AV scanners, the link at the top of the list »housecall.trendmicro.com/ should have told you that 'C:\WINDOWS\System32\smss32.exe' was WORM_SPYBOT.FE as was pointed out by John2g. If you do not follow ALL of the steps, it wastes everyone's time.

permalink · 2004-07-04 14:58:24 · Print ·

your comment..

Forums » Up and Running » Security » Security	Extendia RAV update corrupt? » « Inbound UDP packets (port 67) + Trojan?


Wednesday, 25-Nov 03:34:44	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com.republican-creole page compression OFF