  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
| reply to squeek Re: I'm hijacked?
If you had actually gone to the link "I think my computer is infected or hijacked. What should I do?" and followed the instructions, including going to the link "Go to web based AV scanners", the link at the top of the list »housecall.trendmicro.com/ should have told you that 'C:\WINDOWS\System32\smss32.exe' was WORM_SPYBOT.FE as was pointed out by John2g. If you do not follow ALL of the steps, it wastes everyone's time. |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to squeek I would run this free AV first »www.mwti.net/antivirus/free_utilities.asp
Make sure that the resident protection in your current AV (Symantec) is disabled first. -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to squeek It might pay you to read this
»be.trendmicro-europe.com/enterpr···&VSect=T -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
  paranoidxe Premium join:2002-03-29 Ogden, UT
| reply to John2g You may or may not be hijacked, but you do have malware on that machine. Download and run Lavasoft Adaware and Spybot... fix what it finds. -- "It's better to look stupid for 5 minutes and ask a question, than to be stupid for the rest of your life." 4g63.20m.com (textsource.org) |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to squeek You didn't use the latest version of HJT. It is here. »HijackThis 1.98.0 - Hotfix Build -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
  squeek
@67.128.x.x
| reply to Sparrow Okay, here's the contents of the HJT Logfile.
I've downloaded and followed exactly the contents of www.dslreports.clm/faq/8428 "I think my computer is infected or hijacked. What should I do?"
See original post regarding the AV, AT, AS programs already DL'd, updated, run.
Thanks for all the suggestions: (sorry for post length)
Logfile of HijackThis v1.98.0
Scan saved at 1:25:09 PM, on 7/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\EZSP_PX.EXE
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\WINDOWS\System32\smss32.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Spy killer\hijackthis\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] smss32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] smss32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Update] smss32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - »us.dl1.yimg.com/download.yahoo.c···lete.cab |
|
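Added example, not part of the original thread and not HijackThis's own code: a small Python triage of O4 autorun lines from the log above, showing why the smss32.exe entry identified in the replies stands out. The list of system process names and the two heuristics (a name that imitates a core process, and the same program registered under several autorun keys) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# O4 (autorun) lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] smss32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] smss32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Update] smss32.exe
"""

# Assumption: a short, illustrative list of core Windows process names.
SYSTEM_NAMES = {"smss", "csrss", "lsass", "svchost", "winlogon", "services", "explorer"}
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'([^\\"]+?)\.exe', re.IGNORECASE)  # file name without path or ".exe"

def parse_o4(log):
    """Yield (registry key, value name, lower-cased executable stem) per O4 line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.search(m["cmd"]) if m else None
        if exe:
            yield m["key"], m["name"], exe.group(1).lower()

def triage(log):
    """Return {executable stem: [reasons]} for autoruns worth a closer look."""
    keys_by_exe = defaultdict(set)
    for key, _name, exe in parse_o4(log):
        keys_by_exe[exe].add(key)
    findings = {}
    for exe, keys in keys_by_exe.items():
        reasons = []
        base = exe.rstrip("0123456789")  # smss32 -> smss
        if base != exe and base in SYSTEM_NAMES:
            reasons.append(f"name imitates {base}.exe")
        if len(keys) > 1:
            reasons.append(f"registered in {len(keys)} autorun keys")
        if reasons:
            findings[exe] = reasons
    return findings

if __name__ == "__main__":
    for exe, reasons in triage(SAMPLE_LOG).items():
        print(f"{exe}.exe: " + "; ".join(reasons))
```

A hit from this kind of triage is only a lead; the identification in this thread came from the online AV scan, not from the file name alone.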
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
| reply to squeek You need to read through »Security »I think my computer is infected or hijacked. What should I do?
The FAQ explains all the steps leading to posting a HJT log. Please follow them in the order they are given, and make sure to update any utilities you run. It's a long list, but it should help you.  -- Security Forum FAQs .. ♥ .. "Raj karega Khalsa!" .. ♥ .. Starfire "5 in 4" |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN | reply to squeek Your attachment is the HijackThis executable, not the log file. Next time just copy and paste the log contents into your forum post instead of including it as an attachment. |
|
  squeek
@67.128.x.x
| Every 13-17 minutes I get a pop-up browser screen with the following: www.pwned.freehomepage.com/pwn.html, then a Security Warning Box from Media Tickets. I have:
DL, ran CWShredder
DL, ran Spybot
Update, ran Ad-Aware
DL, ran TDS-3
DL, ran HJT, attached is log created by HJT |
|