[Unoxis2002]

I'm being hacked. I think my pyscho ex installed a keylogger or something on my computer...Can you see by looking at my HJT log? :mad:


Logfile of HijackThis v1.99.0
Scan saved at 2:07:26 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\alyssa\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Advertisements]

Log looks clean here.

[therock247uk]

Log looks clean here.

[Unoxis2002]

Log looks clean here.

Grr...When I typed in msconfig then run, I found I had these running:

ccEvtMgr.exe
svchost.exe
lsass.exe
winlogon.exe
services.exe
csrss.exe
smss.exe

All of which could be worms...I'm running Norton now... :mad:

[therock247uk]

All of them files are legit windows files.

None of them are bad.

[Unoxis2002]

All of them files are legit windows files.

None of them are bad.

I looked it up on google. It said that they could have worms...?

[therock247uk]

They could of been worms but they are not worms on your PC as they are running from the right dir on your PC.

You have nothing to worry about.

[mpfeif101]

Like the rock247uk said, those files are legit. They can be bad if they are not running from the right location, however they are in the right, legitimate location.

I recommend you get a firewall, either Sygate or Zone Alarm.

[Besttechie]

Also, just want to add a quick thing in here. I do not recommend using MSConfig to disable any services or processes, as it can cause possible memory leaks. Which is a bad thing. If you want to disable any services in XP, go to start, run, type: services.msc That will bring up the services list in XP. To disable processes in Windows, I recommend using the task manager to do that. (Ctrl + Alt + Del)

Want to learn more about XP services look here.

Services Config for XP

Hope that helps.

B

[Unoxis2002]

They could of been worms but they are not worms on your PC as they are running from the right dir on your PC.

You have nothing to worry about.

I have Norton's Firewall. I think I know what happened. Either way I'm uber pissed. My ex is a nutjob, and I can't tell you how many times I've had to change my passwords, screen names, phone numbers etc. I'm constantly paranoid because he knows far more about PCs than me.. :mad:

Thanks for your input

[Unoxis2002]

Also, just want to add a quick thing in here.  I do not recommend using MSConfig to disable any services or processes, as it can cause possible memory leaks.  Which is a bad thing.  If you want to disable any services in XP, go to start, run, type: services.msc  That will bring up the services list in XP.  To disable processes in Windows, I recommend using the task manager to do that.  (Ctrl + Alt + Del)

Want to learn more about XP services look here.

Services Config for XP

Hope that helps. 

B

Ack...Really? That's what my ex always did to disable stuff. What little I know I learned from him

Thanks for the tip B, I will check it out.

[Besttechie]

No problem, glad to help.

That link I posted is full of information about XP services, etc. Make sure you check that out for more info. I'm sure it will be able to help a lot.

Have a great day!

B

Edited by Besttechie, 05 February 2005 - 03:01 PM.

[therock247uk]

No problem

[Unoxis2002]

OK....I've tried to run Norton twice and both times my computer rebooted itself...I don't have the time to sit here and monitor the whole scan. I'm trying again now.

Any guesses as to why Norton is causing my PC to reboot?

[Besttechie]

Ok,

Open Control Panel\System\Advanced tab\startup & recovery box\settings button, and take the check out of Automatically restart box. Then check the Write a system event, and the Admin alert boxes.
This will force a BSOD on the next crash (thats why it restarts...its crashing) that posts the Stop Error Code.

Post that here word-4-word including punctuation and letter case. We can research that.

Also, retick any entries you unticked with msconfig.

B

Edited by Besttechie, 05 February 2005 - 03:47 PM.

[Unoxis2002]

OK...I got the blue screen of death lol. Word for word, this is what it said:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in this Stop message, disable the driver or check with the maunfacturer for driver updates. Try changing the video adapters.

Check with your hardware vendor for and BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe MOde to remove or disable components, restart your computer, press F8 tp se;eved Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x0000008E (0xC0000005, 0x804E411C, 0xF33E5C8C, 0x000000)

Beginning dump of physical memory
Physical memory dump complete
Contact your system administrator or technical support group for further assistance