HackerDefenderChecker



#1 zxladie (Member, 8 posts)

Posted 19 June 2004 - 11:19 PM

I was just about through cleaning up an extreme amount of spyware, adware, etc for a friend's 4 home-networked computers. None of them had a firewall or any protection except NAV2002 and one son was running Kazaa 24/7. While I was finishing up the dad's system, something pinged the modem, very quickly and then was gone. I went in and looked at the modem log and saw that it had answered the ping and was set to 'Waiting for a call'. This guy's network is wireless DSL. I downloaded the Hacker Defender Checker from here and ran it twice but it doesn't create a log, and runs so fast then terminates before I can see what it saw. I only saw one line item in red that was tracing a path then it terminates the program. I asked 'Dad' if he'd noticed the modem stuff before and he said yes but it sounded like a fax machine dialed in by accident so he ignored it.

The other thing that bothers me is that the task scheduler log had entries for 1:45am, and the computer had been turned off 3 hours before that and 'Dad' was in bed asleep. The only task listed is Symantec NetDetect, which got there after I installed the firewall. For additional info, the stuff Spybot S&D took out was 2020Search with manual regsvr on the dlls, ShopNav Srng, ClockSync & Wild Tangent. CWS Shredder also took out stuff. I still have to run LSPfix before I could post anything because his files seem to be toast. Any help anybody has would be much appreciated. Thanks.

#2 Budfred (Malware Hound, Administrators, 21,305 posts)

Posted 19 June 2004 - 11:39 PM

Unless you know what you are doing, running LSPfix can cause more problems than it solves... What do you mean that the files are toast so that you would need LSPfix??
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#3 zxladie (Member, 8 posts)

Posted 20 June 2004 - 01:02 AM

Thanks for telling me that. I thought this was because of the CWS that was removed, so I figured that would be the thing I might have to do but I'm not knowledgeable enough to do it without posting here first and was told to. The problem is that when I try to launch online, IE opens but it doesn't go any further than that. I don't get any message that anything isn't working correctly, either. It's like it hit lobotomy mode and just stops. The RJ45 is tight, but network connection icon to the 2Wire in the system tray is grayed out. The 2Wire passed all the diagnostic tests I ran on it and the other PCs are connecting fine. I ran IPconfig and it pinged right to the ISP, the properties for TCP/IP, Client for MS Network, etc are all set to default and show to be working correctly, the PC is 6-mos old but I'm fairly certain that it's not a hardware issue or the icon wouldn't be grayed out I wouldn't think. I removed and re-installed both the hardware and drivers from the Network in Control panel. And am still right where I started. I don't know if there's a virus in the machine because I just put on NIS2K4 and I can't get online to update the definitions. I ran the scan anyway but the defs are out of date and it came up clean. I didn't manually delete any files during the spyware cleanup, I just used CWS Shredder and Spybot to do the cleanup. So I'm at a loss.

#4 zxladie (Member, 8 posts)

Posted 20 June 2004 - 01:08 AM

Okay, add to this issue, I just opened the Network Connections in the PC's Control Panel and for the first time there is an 'Incoming Connections' icon in the control panel. I have never seen that before, and it was not in there until now. When I look at the properties, it shows the modem, and under the Users tab there are line items for HelpAssistant Remote Desktop, Owner, Support Microsoft and Support Hewlett Packard. Then there is a line item called Guest, which is the user name, no full name and the passwords are asterisked in there, with do not allow callback. Ever seen this? Could the Hacker Defender Checker have repaired something that would cause this icon?

Edited by zxladie, 20 June 2004 - 01:20 AM.


#5 Budfred (Malware Hound, Administrators, 21,305 posts)

Posted 20 June 2004 - 09:51 AM

If you want help with this, you are going to need to run HJT and post a log... I have no idea why you think you may have HackerDefender or what else is going on.... There are a number of reasons that internet connections might be blocked and not all of them are malware....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#6 cnm (Mother Lion of SWI, Administrators, 25,317 posts)

Posted 20 June 2004 - 10:57 AM

Moving this to public forum so you get maximum visibility.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#7 zxladie (Member, 8 posts)

Posted 20 June 2004 - 03:24 PM

I think I've found the problems. I was running McAfee Uninstaller removal and cleanup to take out Backweb and the scan also came up with Desaware Spyworks. I let McAfee remove it and removed remnants of Incredifind, NewDotNet and the 2020 leftovers, then went into Add & Remove Windows Components and uninstalled Management & Network Monitoring components, Simple TCP/IP, reset the Internet Connection then reset the browser to default. Then I ran the Microsoft Security CD which installed the Rollup patch. The machine is at Windows Update right now. Here's the log I just ran if you could check it for me. Thanks in advance.


Logfile of HijackThis v1.97.7
Scan saved at 1:21:43 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\SETUPS INSTALLS\_anti-spyware\__SPYWARE KILLERS\Hijack This!\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083634973093
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7562.5538194444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
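An added example, not part of the thread and not code from HijackThis: a small Python parser for the HijackThis v1.97 entry format shown in the log above. It splits each `Rn`/`On` line into its section and fields (O4 autostarts and O16 ActiveX downloads are broken down further) and applies two checks a log reviewer does by hand: O4 commands that name an executable without a full path, and O16 entries whose CAB was not fetched over HTTP. The sample lines are a constructed subset copied from the posted log.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis v1.97 log posted above.
SAMPLE_LOG = r"""
Running processes:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")                        # "O4 - <rest>"
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")    # O4 autostart entries
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \(([^)]*)\) - (.*)$")  # O16 ActiveX downloads

def parse_hjt(text):
    """Turn HJT entry lines into dicts; header and process-list lines are skipped."""
    entries = []
    for m in filter(None, (ENTRY_RE.match(l.strip()) for l in text.splitlines())):
        section, rest = m.groups()
        entry = {"section": section, "raw": rest}
        if section == "O4" and (m4 := RUN_RE.match(rest)):
            entry.update(hive=m4[1], name=m4[2], command=m4[3])
        elif section == "O16" and (m16 := DPF_RE.match(rest)):
            entry.update(clsid=m16[1], name=m16[2], source=m16[3])
        entries.append(entry)
    return entries

def section_counts(entries):
    return dict(Counter(e["section"] for e in entries))

def run_entries_without_full_path(entries):
    """O4 commands with no drive or directory: Windows resolves the executable via the
    search path, so the reviewer must locate the file before judging the entry."""
    found = []
    for e in (x for x in entries if x["section"] == "O4" and "command" in x):
        cmd = e["command"]
        # Quoted paths may contain spaces; for unquoted ones the first token is enough
        # to tell whether a drive/directory was given at all.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if ":\\" not in exe and not exe.startswith("\\"):
            found.append(e)
    return found

def non_http_dpf_entries(entries):
    """O16 entries not fetched over http(s), e.g. a CAB installed from a local CD."""
    return [e for e in entries if e["section"] == "O16"
            and not e.get("source", "").lower().startswith(("http://", "https://"))]
```

In the posted log the one local-CAB O16 entry matches the Microsoft Security CD the poster ran, so a flagged entry is a prompt to verify, not a verdict.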



