Hey, today when I got home from school my mum asked, did you somehow log into the computer? I answered no and asked why. She then said she was listening to the radio and then it just cut out. When she went to check, my account was logged on and under her name there were 30 programs running. She then turned off the computer. Now I'm worried that we have been hacked and that it might happen again. Could someone please explain what's happening? Thank you Max
nobody can hack a computer without some "inside" help already on it. updated on windows patches? you have updated Antivirus, anti-malware apps? i suggest an online scan or a second anti-malware app and a hjt log. people have a habit of not replying back in this forum, so let me know if you want to proceed. echoreply
I downloaded Spybot 1.5 today and scanned my comp. It found 9 things. 3 of them were security settings changed. One said that my firewall ports were opened. So I'm worried that my computer is vulnerable. So any help I can get will be greatly appreciated. By the way, I have Norton antivirus 2005. Thank you Max
ok, post a hjt log to help see what's going on:
Download HiJackThis log - Trend Micro HijackThis 2.0.2
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
* Save HJTInstall.exe to your desktop.
* Double-click on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log in next reply.
Hey, here's my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:07 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\vVX3000.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINNT\vVX3000.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\LUKA\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173487526953
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
-- End of file - 6359 bytes
Today I got another problem. When I turned on the computer my Norton Anti-Virus was turned off, and in the bottom right of my screen where the mute and everything is there was a SpyBot icon, and when I ran my mouse over it, it said there were 56271 processes blacklisted. What's that mean? Thank you Max
hi, thanks for the info. hjt log looks ok as far as malware goes. that spybot icon in the tray is part of spybot's real time protection running in the background (tea timer). right click on it for more info or check the help file from the main spybot window. not sure why your norton would be "turned off". it's up to date? how's it looking on your end now?? echoreply
you're welcome. if spybot and your av are coming up clean, good idea to make new restore points. like this:
One of the features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed. To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. (new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.
keep spybot and your av updated.
echoreply
Hey, since I'm very paranoid I re-installed Windows just to be safe. But now I have this process called MU_LLogin.exe, but when I type it in Google no one knows what it is. Any ideas? Thank you Max
It was in Task Manager Process tab, but now it's gone and I have another problem lol. Before I re-installed Windows, I made a backup of all the documents using the backup tool. I backed it up onto my iPod. But now when I go to restore the documents and folders, the icon of that backup file has changed to the icon for when there's no program assigned to it, and there's no backup tool at all. I'm on SP2 and I don't know what to do. Thank you Max
hi, can't help you with the backup/ipod issue. have never used windows backup feature nor an ipod. as for malware; doing a reformat (not a reinstall) will wipe out any malware. you should also get anti-virus and anti-malware apps back on the computer as soon as possible and visit windows update. echoreply
Ok, what I did is: I deleted the partition that was currently being used and made a new one and formatted it with FAT32, and then Windows loaded some files, and then I had to format that new partition again, and then Windows was installed. But then I found out I was supposed to format it with NTFS, so I converted it to NTFS using the cmd. Is that what I was supposed to do? Thank you Max
hi, you have to boot from the original windows install cd, or the recovery cd might work for a reformat, don't know-- i have never used a 'recovery cd'. you do want NTFS file system. i would pay a visit to your PC maker's website and have a look around, most are very good at providing that kind of help. pull off what you want to keep first, as a reformat will wipe your hard drive. echoreply
Hey, yeah, that's what I did. I deleted the partition and made a new one and then formatted it with FAT32 but later converted to NTFS. Thank you for all your help. I was just wondering, if it's not too much trouble, could you teach me how to read those HijackThis logs? Thank you again Max Kreeger
hi, glad to see it's all good now. really all a hjt log does is display certain info in a nice log. it's info you can find yourself on a computer if you spent time looking and know where to look. NOTE: hjt is not a stand-alone cleaning tool. It does not scan the entire system and only certain areas are scanned to help diagnose the presence of undetected malware in some places it might be hiding. never rely on hjt as an indication that your computer is clean without running updated antivirus and antimalware apps. here's some websites that provide info on hjt items: http://www.malwarehelp.org/understanding-and-interpreting-hjt2.html the guy that developed hjt: http://www.spywareinfo.com/~merijn/htlogtutorial.php echoreply
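Added example, not part of the original thread and not HijackThis's own code: a short Python sketch of a first pass over a HijackThis log, grouping entries by section code and listing the ones whose target HijackThis could not resolve. The function names and the section descriptions (the commonly documented meanings of the codes) are assumptions of this example; the sample lines are copied from the log posted earlier in the thread.

```python
import re
from collections import defaultdict

# Commonly documented meanings of the section codes seen in this thread's log (assumed here).
SECTIONS = {
    "R0": "IE start/search page",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart (Run key / Startup folder)",
    "O8": "IE context-menu item",
    "O9": "IE extra button / Tools menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Markers HijackThis prints when it cannot resolve an entry's file or vendor.
MARKERS = ("(no file)", "(file missing)", "Unknown owner")

def parse_hjt(text):
    """Return {code: [detail, ...]} for every 'code - detail' line."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def review_list(groups):
    """Entries worth a manual look: unresolved target or unknown section."""
    out = []
    for code, details in groups.items():
        for d in details:
            hits = [k for k in MARKERS if k in d]
            hits += ["unknown section"] if code not in SECTIONS else []
            if hits:
                out.append((code, d, hits))
    return out

# Sample: lines copied from the log posted earlier in this thread.
SAMPLE = r"""
C:\WINNT\system32\svchost.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

if __name__ == "__main__":
    for code, detail, why in review_list(parse_hjt(SAMPLE)):
        print(f"{code} [{SECTIONS[code] if code in SECTIONS else '?'}] {why}: {detail}")
```

An entry on the review list is only a pointer for a manual look, often an orphaned leftover from an uninstalled program; it is not a verdict, and it does not replace updated antivirus and antimalware scans.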