#1
Registered User
Join Date: Oct 2007
Posts: 17
OS: vista ultimate 32 sp1
Suspect hacker problem
Hi, for the last 7 months I have been having computer problems. It started in March 07 when I opened Yahoo Messenger, then checked netstat -no and noticed 100 connections to Yahoo on 203.59.140.xxx; this was unusual. Then my computer crashed and after reboot there was no internet connectivity, so I did a restore point; still no internet connectivity, so I did a format. After the reinstallation of XP I was updating XP and I noticed it coming down from 203.59.140.xxx, but the net worked. Then I noticed that my antivirus (BitDefender) was updating through 203.59.140.xxx. All was fine for a time, except that some of my web pages were routing through 203.59.140.xxx. Then, after an antivirus update, the computer crashed and I had to reformat again; during Windows Update, traffic was routing through 203.59.140.xxx, as well as antivirus and some web pages. If I block this address my pages won't open and updates won't work. After the second format I installed Windows Defender, and sometimes after an antivirus update (through 203.59.140.xxx) error messages would pop up, about 10 of them, saying something about an application already being in use or something; it's been a while since that error, but I think it was Windows Defender protecting my system. Also, at random, my Steam game Team Fortress sometimes loses connectivity; to fix it I retrain my Comodo firewall and game connectivity resumes as normal, and whenever I open Steam (game client) my ports get scanned. The port scans have been going on since the first crash. Before this problem my Windows Update would come down via a 207.xx.xx.xx address. I now use AVG and it also updates through 203.59.140.xxx. Recently when I open the www.theaustralian.com.au web page it routes through 203.59.140.xx as usual, but there is about a 30 delay before the page opens. My instinct is this is an automated attack problem.
During today's Windows Update, 2 updates continue not to update: .NET Framework 1 and Core Services 4 security update. I am sorry, I did save their exact names but lost it. All other .NET Framework updates installed with no problems; just 1 continues not to update. It installs, but for some reason Windows Update continues to say that it needs to be done. Here is the Panda scan first, followed by Deckard's System Scanner:
"Incident Status Location
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Gary\Cookies\gary@888[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Gary\Cookies\gary@adultfriendfinder[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gary\Cookies\gary@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gary\Cookies\gary@bs.serving-sys[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Gary\Cookies\gary@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gary\Cookies\gary@doubleclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Gary\Cookies\gary@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Gary\Cookies\gary@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Gary\Cookies\gary@perf.overture[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gary\Cookies\gary@serving-sys[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Gary\Cookies\gary@toplist[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Gary\Cookies\gary@www3.addfreestats[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Gary\Cookies\gary@zedo[1].txt"

Deckard's as follows:

***************************************************
Deckard's System Scanner v20070905.67
Run by Gary on 2007-10-08 23:16:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
33: 2007-10-08 15:16:06 UTC - RP125 - Deckard's System Scanner Restore Point
32: 2007-10-08 14:59:47 UTC - RP124 - Software Distribution Service 3.0
31: 2007-10-08 10:17:38 UTC - RP123 - Software Distribution Service 3.0
30: 2007-10-07 18:53:08 UTC - RP122 - Configured AVG 7.5
29: 2007-10-07 12:27:10 UTC - RP121 - System Checkpoint

-- First Restore Point --
1: 2007-09-16 09:11:52 UTC - RP93 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.35 GiB (less than 15%) free.

-- HijackThis (run as Gary.exe) ------------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-08 23:18:35
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\soundman.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Documents and Settings\Gary\Desktop\dss.exe
D:\programs of dvd\Gary.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKEY_LOCAL_MACHINE\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKEY_LOCAL_MACHINE\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\Program Files\Bonjour\mdnsNSP.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187976327562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - "C:\Program Files\Bonjour\mDNSResponder.exe"

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S1 bdpredir - c:\program files\softwin\bitdefender10\bdpredir.sys (file missing)
S3 bdfdll - c:\program files\softwin\bitdefender10\bdfdll.sys (file missing)
S3 Profos - c:\program files\softwin\bitdefender10\profos.sys (file missing)
S3 Trufos - c:\program files\softwin\bitdefender10\trufos.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-10-08 19:54:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-10-08 14:38:46 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

-- Files created between 2007-09-08 and 2007-10-08 -----------------------------

2007-10-08 22:41:36 0 d-------- C:\ie-spyad_zo
2007-10-08 03:05:50 0 d-------- C:\Program Files\SpywareGuard
2007-10-08 02:49:24 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-10-08 02:49:23 0 d-------- C:\Program Files\SpywareBlaster
2007-10-06 02:02:53 0 d-------- C:\Program Files\PeerGuardian2
2007-09-19 16:15:23 0 d-------- C:\Program Files\uTorrent
2007-09-19 16:15:17 0 d-------- C:\Documents and Settings\Gary\Application Data\uTorrent
2007-09-15 22:25:30 0 d-------- C:\Downloads

-- Find3M Report ---------------------------------------------------------------

2007-10-08 21:58:03 0 d-------- C:\Program Files\Windows Defender
2007-10-08 21:39:55 0 d-------- C:\Program Files\Bonjour
2007-10-08 20:49:24 0 d-------- C:\Program Files\Steam
2007-10-08 20:33:19 0 d-------- C:\Program Files\mIRC
2007-10-08 14:47:12 0 d-------- C:\Documents and Settings\Gary\Application Data\AVG7
2007-10-07 01:46:40 0 d-------- C:\Documents and Settings\Gary\Application Data\Vso
2007-10-06 18:27:28 0 d-------- C:\Program Files\Windows Live Safety Center
2007-09-30 21:07:56 0 d-------- C:\Program Files\America's Army
2007-09-17 23:28:55 0 d-------- C:\Program Files\Microchip
2007-09-17 22:48:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-07 21:59:24 0 d-------- C:\Program Files\QuickSFV
2007-09-03 19:55:05 0 d-------- C:\Program Files\Safari
2007-08-22 01:11:15 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-08-13 16:21:26 0 d-------- C:\Program Files\BitComet
2007-07-23 22:03:03 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-18 03:51:00 34 --a------ C:\Documents and Settings\Gary\Application Data\pcouffin.log
2007-07-18 03:50:53 47360 --a------ C:\Documents and Settings\Gary\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-07-18 03:50:53 1144 --a------ C:\Documents and Settings\Gary\Application Data\pcouffin.inf
2007-07-18 03:50:53 7176 --a------ C:\Documents and Settings\Gary\Application Data\pcouffin.cat
2007-07-18 03:50:53 81920 --a------ C:\Documents and Settings\Gary\Application Data\ezpinst.exe
2007-07-17 21:45:32 13308 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-07-15 01:52:57 62 --ahs---- C:\Documents and Settings\Gary\Application Data\desktop.ini
2007-07-14 18:07:40 0 -rahs---- C:\MSDOS.SYS
2007-07-14 18:07:40 0 -rahs---- C:\IO.SYS
2007-07-14 18:07:40 0 --a------ C:\CONFIG.SYS
2007-07-14 18:07:40 0 --a------ C:\AUTOEXEC.BAT
2007-07-14 18:02:51 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [21/06/2006 05:42 AM C:\WINDOWS\soundman.exe]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [12/07/2002 06:15 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [25/06/2003 03:30 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [14/07/2007 07:18 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [02/01/2006 04:41 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/06/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe" [15/01/2005 12:24 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/10/2007 02:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

C:\Documents and Settings\Gary\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 7:05:35 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- Hosts -----------------------------------------------------------------------

127.0.0.1 update.bitdefender.com

-- End of Deckard's System Scanner: finished at 2007-10-08 23:23:08 ------------
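Two things in the post above are worth checking mechanically before drawing any conclusion: the `netstat -no` listing (how many connections go to one remote network, and which process IDs own them) and the Hosts section of the scanner log (a vendor update hostname mapped to 127.0.0.1 silently prevents that product from updating). The script below is an added example written for this thread, not code from the poster or from any of the tools named; the netstat listing and hosts file it parses are constructed samples, with only the update.bitdefender.com loopback entry mirroring the log. It assumes the Windows `netstat -no` column layout (Proto, Local Address, Foreign Address, State, PID) and the Python 3 standard library.

```python
"""Triage helpers for a Windows `netstat -no` listing and a hosts file.
Added example for the thread above; all sample data is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample of `netstat -no` output (not the poster's real listing).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.2:1034       203.59.140.17:80       ESTABLISHED     1488
  TCP    192.168.0.2:1035       203.59.140.17:80       ESTABLISHED     1488
  TCP    192.168.0.2:1036       203.59.140.22:80       ESTABLISHED     1488
  TCP    192.168.0.2:1040       207.46.130.9:80        TIME_WAIT       0
  TCP    192.168.0.2:1041       203.59.140.17:5050     ESTABLISHED     2204
  UDP    0.0.0.0:5353           *:*                                    1876
"""

# Constructed hosts file. The update.bitdefender.com line mirrors the finding
# in the Deckard's log; the other entries are made up.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.bitdefender.com
0.0.0.0         ads.example.test   # ad-blocking entry, harmless
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state, PID.
# UDP rows have no State column, hence the optional group.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, _lport, raddr, rport, state, pid = m.groups()
        rows.append({"proto": proto, "local": laddr, "remote": raddr,
                     "rport": rport, "state": state or "", "pid": int(pid)})
    return rows


def connections_by_network(rows, prefix=24):
    """Count TCP rows per remote network of the given prefix length.
    A '*' or otherwise unparsable foreign address is skipped."""
    counts = Counter()
    for r in rows:
        if r["proto"] != "TCP":
            continue
        try:
            addr = ipaddress.ip_address(r["remote"])
        except ValueError:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def pids_for_network(rows, network):
    """Which local PIDs hold connections into `network` (e.g. '203.59.140.0/24').
    This is the first thing to look at before deciding what the traffic is."""
    net = ipaddress.ip_network(network)
    pids = Counter()
    for r in rows:
        try:
            if ipaddress.ip_address(r["remote"]) in net:
                pids[r["pid"]] += 1
        except ValueError:
            continue
    return pids


def loopback_hosts_entries(text):
    """Return (hostname, address) pairs that the hosts file sends to a loopback
    or unspecified address, excluding the localhost names themselves.
    A security vendor's update host pointed at 127.0.0.1 blocks its updates."""
    flagged = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in parts[1:]:
            if name.lower() not in ("localhost", "localhost.localdomain"):
                flagged.append((name, str(addr)))
    return flagged


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for net, n in connections_by_network(rows).most_common():
        print(f"{net}: {n} TCP connection(s), PIDs {dict(pids_for_network(rows, net))}")
    for name, addr in loopback_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file sends {name} to {addr}")
```

On a live machine, redirect `netstat -no` to a file and pass its contents to `parse_netstat`, and read `%SystemRoot%\system32\drivers\etc\hosts` into `loopback_hosts_entries`. The per-PID breakdown is the useful part: a hundred connections to one /24 means something different when they all belong to the browser or the update service than when they belong to a process you cannot account for in the running-process list.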
#2
Registered User
Join Date: Oct 2007
Posts: 17
OS: vista ultimate 32 sp1
Re: Suspect hacker problem
Here are the exact names of the Windows updates that didn't update:
"Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181)
Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)"
I can make some Wireshark logs if this can help diagnose my problem. Thanks