|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help. |
 |
|
|
Thread Tools |
09-07-2007, 09:41 PM
|
#1 (permalink) |
|
Registered User
Join Date: Sep 2007
Posts: 1
OS: XP
|
Possible worm?
I've a hunch im being hacked... heres my hijackthis file.
Logfile of HijackThis v1.99.1 Scan saved at 11:40:53 PM, on 9/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\D-Link\Air Utility\AirCFG.exe C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\MySpace\IM\MySpaceIM.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\notepad.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe ____________________________________ Heres the other required scan Deckard's System Scanner v20070905.67 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Home Edition (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz Percentage of Memory in Use: 43% Physical Memory (total/avail): 1023.48 MiB / 580.55 MiB Pagefile Memory (total/avail): 2462.35 MiB / 1986.23 MiB Virtual Memory (total/avail): 2047.88 MiB / 1972.43 MiB A: is Removable (No Media) C: is Fixed (NTFS) - 114.48 GiB total, 84.32 GiB free. D: is CDROM (No Media) E: is CDROM (No Media) \\.\PHYSICALDRIVE0 - Maxtor 6Y120P0 - 114.49 GiB - 1 partition \PARTITION0 (bootable) - Installable File System - 114.48 GiB - C: -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is disabled. AntiVirusDisableNotify is set. FirewallDisableNotify is set. FW: ZoneAlarm Firewall v7.0.337.000 (Check Point, LTD.) Disabled [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Owner\Application Data CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=DASMACHINE ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Owner LOGONSERVER=\\DASMACHINE NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\Program Files\Mozilla Firefox;C:\Program Files\Windows Media Player;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier" PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0209 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp tvdumpflags=8 USERDOMAIN=DASMACHINE USERNAME=Owner USERPROFILE=C:\Documents and Settings\Owner windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Owner (admin) Admin (admin) fff (new local, admin) fd (new local, admin) Das (new local, admin) Dddsa (new local, admin) Administrator.DASMACHINE.001 (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747} Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003} ADRIFT --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ADRIFT\ST6UNST.LOG" AIM 6.0 --> C:\Program Files\AIM6\uninst.exe Air Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{67BB93E2-60DD-49F5-97CB-3187BAE9D4E6} America's Army --> MsiExec.exe /I{EF434C52-D882-43DB-8777-EC7B10D8943C} ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe" ANIWZCS Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74FCFEA6-7447-4BDB-BFEC-FF195AA62A13}\Setup.exe" AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM= ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe" C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe C-Media WDM Audio Driver --> C:\WINDOWS\system32\cmirmdrv.exe Earthsim --> "C:\Documents and Settings\All Users\Application Data\Earthsim\Channel\esuninst.exe" Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F} HijackThis 1.99.1 --> C:\Documents and Settings\Owner\Desktop\HijackThis.exe /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020} Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Mozilla Firefox (2.0.0.5) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan PC Alert 4 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MSI\PC Alert 4\Uninst.isu" RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly Security Task Manager 1.7e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager" Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3} TADS 3 Author's Kit --> "C:\WINDOWS\TADSUINS.EXE" C:\Program Files\TADS 3\UnInst28BA.inf TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe" The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe The Sims 2 University --> C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F} Wal-Mart Digital Photo Manager --> MsiExec.exe /X{5ABB5D02-BBAA-41D4-BDED-A52DB89A2D2F} Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe -- Application Event Log ------------------------------------------------------- Event Record #/Type903 / Error Event Submitted/Written: 09/04/2007 04:32:28 PM Event ID/Source: 1002 / Application Hang Event Description: Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Event Record #/Type880 / Error Event Submitted/Written: 08/30/2007 10:23:54 PM Event ID/Source: 1000 / Application Error Event Description: Faulting application aim.exe, version 5.9.6089.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f. Processing media-specific event for [aim.exe!ws!] Event Record #/Type834 / Error Event Submitted/Written: 08/23/2007 10:22:05 PM Event ID/Source: 1000 / Application Error Event Description: Faulting application aim.exe, version 5.9.6089.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f. Processing media-specific event for [aim.exe!ws!] -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type8470 / Error Event Submitted/Written: 09/07/2007 11:07:31 PM Event ID/Source: 12294 / ati2mtag Event Description: CRT invalid display type Event Record #/Type8469 / Error Event Submitted/Written: 09/07/2007 11:07:29 PM Event ID/Source: 12294 / ati2mtag Event Description: CRT invalid display type Event Record #/Type8468 / Error Event Submitted/Written: 09/07/2007 11:07:28 PM Event ID/Source: 12294 / ati2mtag Event Description: CRT invalid display type Event Record #/Type8467 / Error Event Submitted/Written: 09/07/2007 11:05:39 PM Event ID/Source: 12294 / ati2mtag Event Description: CRT invalid display type Event Record #/Type8466 / Error Event Submitted/Written: 09/07/2007 11:05:29 PM Event ID/Source: 12294 / ati2mtag Event Description: CRT invalid display type -- End of Deckard's System Scanner: finished at 2007-09-07 23:39:20 ------------ If you can help me out, is there a place to donate? |
|
     
|
|
09-13-2007, 08:41 AM
|
#2 (permalink) |
|
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,341
OS: xp
|
Re: Possible worm?
HI
"I've a hunch im being hacked" explain please Why dont we see an active antivirus program running ? Post a report from one or better yet both of these free online scans Kaspersky Lab - Free Online scan: http://www.kaspersky.com/virusscanner Click scan settings and place a check next to use [x]extended this database etc etc. Click ok. Then choose: my computer: scan all your hard drives and mapped disks. when finished click save as text and post that in your reply. Panda ActiveScan-Free online scanner, http://www.pandasoftware.com/products/activescan.htm Pess "scan your PC now" allow the active x to install (if prompted) Do a full scan > Click the my computer button After the scan click see report then Save the report and post it back here please. If you have problems read the FAQ http://www.pandasoftware.com/actives...q.asp?IdLang=2 |
|
|
|
|
| Thread Tools | |
|
|
