Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

I've been hit [resolved]

Started by joyfulgirl72 , Feb 11 2005 10:00 PM

This topic is locked

#16
joyfulgirl72

Posted 14 March 2005 - 12:02 PM

Member

Topic Starter
Member
29 posts

Well, it's just not going very well.

I deleted the C:\ Partition, then formatted it and reinstalled XP Pro, installled only my spyware/virus programs and was able to get online to update things for about 1 hour. The connection just crawled, less than 100 bytes (not Kb or Mb, bytes) per second... Now I can't even ping my router or anything...

Most interesting thing though was that I had to do a restart after installing one of the programs and upon the restart, I got a Program not Responding box for something called 'should not see me' I chose End Now (before I really thought about it, dangit, I should have seen if I could see where it was runing from, etc, but nothing I have Not Itty Bitty Process Manager or anything saw anything abnormal running on my machine... So I have a few more tricks I've located to show hidden processes, and port information also, so I will not plug it into my router and try to get online again until I can figure out what's up... :tazz:

#17
Guest_thatman_*

Posted 14 March 2005 - 12:21 PM

Guest

Hi joyfulgirl72

Please post a Hijacklog

Kc :tazz:

#18
joyfulgirl72

Posted 18 March 2005 - 12:03 AM

Member

Topic Starter
Member
29 posts

Logfile of HijackThis v1.99.0
Scan saved at 11:48:39 PM, on 3/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B83929BD-8FA0-4796-8529-137BE79CD62E}: NameServer = 216.165.129.157,134.215.200.126
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

Also I ran the netstat command and these are the open ports, this computer has not been reconnected to the internet at all since reinstall...

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\James>fport
'fport' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\James>cd c:\

C:\>fport
'fport' is not recognized as an internal or external command,
operable program or batch file.

C:\>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*

C:\>

And one more thing I got processfinder fron systeminternals and this is what it shows is currently running...

Process PID CPU Description Company Name
System Idle Process 0 100.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 396 Windows NT Session Manager Microsoft Corporation
csrss.exe 444 Client Server Runtime Process Microsoft Corporation
winlogon.exe 468 Windows NT Logon Application Microsoft Corporation
services.exe 512 Services and Controller app Microsoft Corporation
svchost.exe 680 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 748 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 784 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 828 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 852 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1040 Spooler SubSystem App Microsoft Corporation
avgamsvr.exe 1204 AVG Alert Manager GRISOFT, s.r.o.
avgupsvc.exe 1292 AVG Update Service GRISOFT, s.r.o.
DKService.exe 1328 DKSERVICE.EXE Executive Software International, Inc.
alg.exe 112 Application Layer Gateway Service Microsoft Corporation
lsass.exe 524 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1168 Windows Explorer Microsoft Corporation
avgcc.exe 1488 AVG Control Center GRISOFT, s.r.o.
avgemc.exe 1524 AVG E-Mail Scanner GRISOFT, s.r.o.
SOUNDMAN.EXE 1532 Realtek Sound Manager Realtek Semiconductor Corp.
TeaTimer.exe 1540 System settings protector Safer Networking Limited
SpySweeper.exe 1552 Spy Sweeper Webroot Software, Inc.
procexp.exe 1912 Sysinternals Process Explorer Sysinternals

Process: Procexp Pid: -2

Type Name

My concern is that I again had to shutdown and saw the 'should not see me' program that had the end now window come up, but I did not get an option to look at it closer because windows closed it at shutdown... :tazz:

#19
Guest_thatman_*

Posted 18 March 2005 - 03:24 AM

Guest

Hi joyfulgirl72

Welcome to geekstogo!

You are running an out-of-date version of HijackThis; can you please download a new copy (there is a link in my signature), unzip it, and replace your existing copy with the new version.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:

#20
joyfulgirl72

Posted 18 March 2005 - 07:52 AM

Member

Topic Starter
Member
29 posts

Is there a way to run those scans without getting online? I can download and burn updates, that's how I've been getting my other antivirus/spyware removal tools updated... :tazz:

#21
Guest_thatman_*

Posted 18 March 2005 - 08:09 AM

Guest

Hi joyfulgirl72

Sorry but both the anti-virus scan need to be directly connected to your system.

The panda scan is very good and will give you a lot off information if you save the log.

Kc :tazz:

#22
joyfulgirl72

Posted 01 April 2005 - 06:37 PM

Member

Topic Starter
Member
29 posts

Sorry for taking so long, I finally just had to get an ethernet card and install it to get online. It appears that my onboard ethernet card had driver issues I could not resolve. So I am running the scans as we speak. I believe this machine is now clean, but want to make sure. I ran KillDisk on the partition that was giving me problems and have since run clean scans with AdAware, SpyBot, AVG Free and SpySweeper... Boy, after all this I think I should share what I've learned by becoming a Geek In Training... I feel great having learned so much, however frustrating it was! :tazz:

#23
joyfulgirl72

Posted 01 April 2005 - 07:14 PM

Member

Topic Starter
Member
29 posts

Alrighty!! Got HouseCall and Panda Scans run and both came back clean!!! Whee! So here is my HJT Log for the final OK... Fingers crossed!! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 8:09:11 PM, on 4/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112403248390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27C58115-5112-48AD-9CEA-0BEEEF3392C3}: NameServer = 216.165.129.157,134.215.200.126
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2BE7EEA-9754-42BC-A11C-916787B16684}: NameServer = 216.165.129.157,134.215.200.126
O17 - HKLM\System\CS1\Services\Tcpip\..\{27C58115-5112-48AD-9CEA-0BEEEF3392C3}: NameServer = 216.165.129.157,134.215.200.126
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

#24
joyfulgirl72

Posted 01 April 2005 - 07:16 PM

Member

Topic Starter
Member
29 posts

Oh and as a sidenote, that 'should not see me' program I was seeing upon restart at times is supposedly "Sloppy Microsoft Code" after doing some research about it... Whew, I surely hope that's true!

#25
Guest_thatman_*

Posted 01 April 2005 - 08:17 PM

Guest

Hi joyfulgirl72

Congratulations! Your system is CLEAN :tazz:

Download the Microsoft Antispyware

Download the CCleaner unzip the file to install.
Open CCleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Run the ccleaner

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

Turn of system restore
Disabling or enabling Windows XP System Restore

Turn system restore back on and create a new restore point. Defrag your hard drive

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox user posted image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

After doing all these, your system will be thoroughly protected from future threats.

#26
joyfulgirl72

Posted 01 April 2005 - 09:09 PM

Member

Topic Starter
Member
29 posts

WHOOO HOOOO!!! :tazz:

I followed all your instructions except I hate to say it, but since this is my boyfriend's computer and he is not quite as handy with a computer (hence this nasty infection), I can't switch to Mozilla just yet without showing him a thing or three about it... This has definitely been an experience and I am signing up as we speak to be a Geek In Training so I can help others!!!

Thanks so much thatman, you rock!!!