Please help. Computer Acting Funny. Log Inside.


4 replies to this topic

#1 LoXeN

    Member

  • Full Member
  • 10 posts

Posted 06 June 2004 - 05:08 PM

Ran Ad-ware and Spy-ware. Virus programs and trojan programs ran.

My mouse will be fine, then start moving around faster than I can see, clicking and moving. Then it will stop altogether, then start working again.

Please help if you can.


Thanks!



Logfile of HijackThis v1.97.7
Scan saved at 5:44:55 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator\Desktop\Hijack this\HijackThis.exe

O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Soto] C:\Documents and Settings\Administrator\Application Data\cuhu.exe
O4 - Global Startup: Loadout Manager.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewizzle.com/installfiles/popblocker.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.7475
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Also this scan
Starting a² Online-Check for IP xx.x.xxx.xx on 6/7/2004 12:11:03 AM

Portscan:
Your computer is now scanned for open ports.

6711: closed
4711: closed
2140: closed
5000: open!
5001: closed
456: closed
12346: closed
6000: closed
8080: closed
6666: closed
443: closed
2115: closed
9999: closed
20034: closed
11000: closed
2583: closed
8989: closed
6667: closed
666: closed
421: closed
4000: closed
170: closed
2080: closed
1047: closed
9000: closed
2002: closed
12345: closed
389: closed
2001: closed
143: closed
146: closed
1033: closed
1100: closed
1099: closed
4444: closed
1090: closed
133: closed
3000: closed
445: closed
1243: closed
1081: closed
1080: closed
123: closed
121: closed
119: closed
118: closed
113: closed
111: closed
110: closed
54321: closed
54320: closed
99: closed
1050: closed
2005: closed
2004: closed
2003: closed
1524: closed
139: closed
1045: closed
135: closed
2000: closed
1042: closed
80: closed
79: closed
555: closed
1025: open!
315: closed
6767: closed
1029: closed
2023: closed
59: closed
1024: closed
58: closed
2208: closed
53: closed
50: closed
1000: closed
48: closed
999: closed
1234: closed
37: closed
514: closed
41: closed
27374: closed
40421: closed
31337: closed
31: closed
25: closed
21: closed
22: closed
23: closed
3129: closed
3128: closed
19: closed
17: closed
13: closed
7000: closed
7: closed
5742: closed
2: closed

The following ports were identified as open on your PC:


Port 5000

These programs or services use this port by default:
Windows ME, XP and 2003 Network Plug & Play

These Trojans or Malware files use this port by default:
Bubbel, Back Door Setup, Blazer 5, Socket 23, Sockets de Troie


Port 1025

These programs or services use this port by default:
Windows RPC, Scheduled Tasks

These Trojans or Malware files use this port by default:
NetSpy, Maverick's Matrix, RemoteStorm



Security-Test:
Publicly available information about your PC or your network is collected.

Your IP address: xxx.xx.xxx.xx
Your operating system: Windows XP
Your browser: MS Internet Explorer
Full browser identification: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {3DA; .NET CLR 1.1.4322)
Browser languages: en-us

You did run the Online-Check 2 times before.

Public information for your IP address from the whois server:


Your PC or your network is now contacted and public information is collected.
Note: This check may take up to a minute.

No public information about your PC or your network could be determined.


Exploit-Test:
Your browser is now checked for installed ActiveX components of dialers and similar programs.

IEAccess2 not found.
BCVoicePlugin not found.
TSCPlugin not found.
MoneyTreeDialer not found.
D9Dialer not found.
CABDialer not found.
SunInfoConnect.snConnect not found.
eConnect.eConn not found.
VLoading not found.
WebInstall not found.
Uloader not found.
ActiveInstall not found.
ActiveXDownload not found.
NTools.ActiveInstaller not found.
MaConnect not found.
xDiver not found.
WebPlugin_Class not found.
WebUpdate not found.
WSD not found.
IELoader not found.
Acceler8or not found.

No harmful ActiveX components were detected. 


Browser-Check:
Your browser configuration will be checked for risks now.

Visual Basic Script (VBScript) Test: VBScript is activated!
VBScript is not dangerous in general, but worm authors use it to embed harmful code in HTML e-mails. Make sure the latest security updates for your browser are installed to stay protected against harmful VBScript.

Secure ActiveX Test: Invocation of secure ActiveX controls is activated.
ActiveX controls are browser extension components, much like the Flash plugin. Whether an ActiveX control is classified as safe is decided by the control's developer, so a control marked safe can still contain insecure code. Note that online Windows Update does not work without ActiveX controls.

Insecure ActiveX Test: Invocation of insecure ActiveX controls is deactivated.
Insecure ActiveX controls may contain harmful code, so they should be disabled or set to prompt the user before running, which blocks dialer controls and the like.

Internet Explorer distinguishes between signed and unsigned ActiveX controls. Always check controls with invalid signatures before you accept them and allow them to install on your computer.
a² Online-Check finished on 6/7/2004 12:13:12 AM

Edited by LoXeN, 06 June 2004 - 05:11 PM.


#2 Nemesis6

    Member

  • Full Member
  • 51 posts

Posted 06 June 2004 - 05:09 PM

Nothing wrong with a bit of humor ;-)

Anyway, looking at your log now.

Alright, one thing at a time - NewDotNet first. Go here - http://www.newdotnet.com/

Now, follow procedure 4. After that, post a new HijackThis log.

Edited by Nemesis6, 06 June 2004 - 05:22 PM.


#3 LoXeN

    Member

  • Full Member
  • 10 posts

Posted 07 June 2004 - 10:13 AM

Logfile of HijackThis v1.97.7
Scan saved at 11:13:15 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\Hijack this\HijackThis.exe

O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - Global Startup: Loadout Manager.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by LoXeN, 07 June 2004 - 10:15 AM.
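The two logs in this thread are a before/after pair: the second one no longer shows IETie.dll, the cuhu.exe autorun, or the popblocker and MediaTickets O16 downloads, while the QuickSearch BHO and toolbar are still there. The following is an added example, not code from the forum posts or from HijackThis itself, that parses pasted HijackThis 1.97-style O-lines, flags the kinds of entries a log reader looks at first, and diffs two logs. The sample entries are copied from the two logs above; the trusted vendor path fragments, trusted download domains and profile-directory patterns are this example's own assumptions, not an official rule set.

```python
"""Triage HijackThis 1.97-style log entries and diff a before/after pair.

Added example for this thread; not code from the forum posts or from
HijackThis. The sample entries are copied from the two logs posted above.
The vendor path fragments, trusted download domains and profile-directory
patterns are this example's own assumptions, not an official rule set.
"""
import re
from dataclasses import dataclass

# Assumed allowlists (illustrative, not authoritative).
TRUSTED_VENDOR_PATHS = ("\\norton antivirus\\", "\\google\\")
TRUSTED_DPF_DOMAINS = ("microsoft.com", "macromedia.com")
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2", "O4", "O16"
    body: str     # everything after "Oxx - "


def parse_log(text):
    """Return the Oxx entries of a pasted HijackThis log, in order."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def _host(body):
    m = URL_RE.search(body)
    return m.group(1).lower() if m else ""


def flag(entry):
    """Return a reason string if the entry deserves a closer look, else None."""
    low = entry.body.lower()
    if entry.section in ("O2", "O3"):
        # BHOs/toolbars: trust only DLLs under a known vendor directory.
        if not any(v in low for v in TRUSTED_VENDOR_PATHS):
            return "browser extension DLL outside a known vendor directory"
    elif entry.section == "O4":
        # Autoruns launched from the user profile are rarely legitimate software.
        if any(d in low for d in USER_WRITABLE_DIRS):
            return "autorun executable in a user-writable profile directory"
    elif entry.section == "O16":
        host = _host(entry.body)
        if "..." in host:
            # The forum software shortened the URL; this line cannot be judged.
            return "download URL truncated in pasted log; ask for the full line"
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
            return f"ActiveX download from untrusted host {host or '<none>'}"
    return None


def triage(text):
    """List (entry, reason) pairs for every flagged entry in a log."""
    pairs = ((e, flag(e)) for e in parse_log(text))
    return [(e, r) for e, r in pairs if r]


def _key(entry):
    # Key COM entries by CLSID so a re-pasted log with a shortened path or
    # URL still matches; key everything else by its full text.
    m = CLSID_RE.search(entry.body)
    return (entry.section, m.group(0).upper()) if m else (entry.section, entry.body)


def diff_logs(before, after):
    """Return (removed, added) entries between two pasted logs."""
    old = {_key(e): e for e in parse_log(before)}
    new = {_key(e): e for e in parse_log(after)}
    removed = [e for k, e in old.items() if k not in new]
    added = [e for k, e in new.items() if k not in old]
    return removed, added


# Subset of the entries from the first log in the thread (6 June).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Soto] C:\Documents and Settings\Administrator\Application Data\cuhu.exe
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewizzle.com/installfiles/popblocker.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.7475
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Subset of the second log (7 June), including its forum-truncated O16 URL.
LOG_AFTER = r"""
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""
```

`triage(LOG_BEFORE)` flags six entries (the two QuickSearch lines, IETie.dll, the cuhu.exe autorun, and the two non-vendor O16 downloads) and leaves the Google, Norton, Windows Update and Macromedia lines alone. `diff_logs(LOG_BEFORE, LOG_AFTER)` reports five removals and no additions; because COM entries are keyed by CLSID, the Flash control still matches even though the forum shortened its URL in the second paste, and `triage(LOG_AFTER)` separately reports that shortened line as unjudgeable rather than treating "download.macr...ash" as a hostile host.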


#4 LoXeN

    Member

  • Full Member
  • 10 posts

Posted 08 June 2004 - 01:24 PM

Did you give up on me?

#5 Nemesis6

    Member

  • Full Member
  • 51 posts

Posted 08 June 2004 - 06:18 PM

I'm sorry, I had some issues with the forum regulations. You are almost clean. I will get back to you soon.

Edited by Nemesis6, 08 June 2004 - 06:20 PM.




