Firewall question xp

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

FrankB

Thread Starter
Joined
Mar 19, 2001
Messages
221
Hi,
I've been hacked. I saw my activity light on my dsl modem flashing twice a second for hours when I wasn't online. A new user profile was set up, 30 faxes were waiting to be sent, and they marked file sharing. Not good!! I deleted all cookies, and did a restore back a few days and the light stopped flashing.

I set up logging on xp's firewall and don't see anyone getting in.

It's my understanding that every site you go to is assumed safe and added to the list that the firewall looks at. If I went to a site that was a hacker this would allow him to get through the firewall. Where is the list kept in XP and is there anything else I should check for? I ran Norton and Adaware but didn't find anything.
thanks!!!!!!!!!!
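One way to read the XP firewall log the poster turned on, added here as an example (it is not from the thread and not a Microsoft tool): it parses the pfirewall.log layout, whose columns are named by the "#Fields:" header line, and splits the question "is anyone getting in?" into three answers: what was dropped, whether any inbound connection was accepted, and which outbound connections the machine itself opened. The sample log is constructed, with documentation-range addresses and 192.168.1.2 standing in for the XP host; the column names in its header are from memory of the format, which is why the parser reads them from the header instead of hard-coding them. Caveat a practitioner would want: XP's firewall has two separate logging checkboxes, dropped packets and successful connections, and it does not filter outbound traffic at all. With only drops logged, sessions that a program on the machine opens outward (the blinking-modem case) never appear, so an empty log is weak evidence.

```python
from collections import Counter

# Constructed sample in the layout of an XP Internet Connection Firewall
# pfirewall.log: '#' header lines, a '#Fields:' line naming the columns,
# then space-separated records with '-' for an empty column. Column names
# are from memory of that format; the parser takes them from the header.
# 203.0.113.x / 198.51.100.x are documentation ranges; 192.168.1.2 is the
# XP host.
SAMPLE_FWLOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-04-01 02:13:07 DROP TCP 203.0.113.7 192.168.1.2 3112 135 48 S 1843029847 0 65535 - - -
2004-04-01 02:13:09 DROP TCP 203.0.113.7 192.168.1.2 3113 445 48 S 1843029990 0 65535 - - -
2004-04-01 02:13:42 DROP UDP 203.0.113.9 192.168.1.2 1030 137 78 - - - - - - -
2004-04-01 02:14:10 OPEN TCP 192.168.1.2 198.51.100.25 1045 80 - - - - - - - -
2004-04-01 02:14:11 OPEN TCP 192.168.1.2 198.51.100.25 1046 80 - - - - - - - -
2004-04-01 02:14:30 OPEN TCP 192.168.1.2 198.51.100.40 1047 25 - - - - - - - -
2004-04-01 02:15:05 CLOSE TCP 192.168.1.2 198.51.100.25 1045 80 - - - - - - - -
"""


def parse_icf_log(text):
    """Return one dict per record, keyed by the names in the #Fields line.

    Values stay as strings; '-' becomes None. Lines whose column count
    does not match the header are skipped rather than misaligned.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, parts)})
    return records


def summarize(records, local_ip):
    """Split 'is anyone getting in?' into what this log can actually show."""
    # Inbound traffic the firewall refused, keyed by source and target port.
    dropped = Counter((r["src-ip"], r["dst-port"])
                      for r in records if r["action"] == "DROP")
    # Inbound connections that were accepted (only present if 'log
    # successful connections' is on); an empty list is the hoped-for case.
    inbound_opens = [r for r in records
                     if r["action"] == "OPEN" and r["dst-ip"] == local_ip]
    # Connections the machine itself opened: the only place a process
    # talking outward shows up, and then only with connection logging on.
    outbound_opens = Counter((r["dst-ip"], r["dst-port"])
                             for r in records
                             if r["action"] == "OPEN" and r["src-ip"] == local_ip)
    return {"dropped": dropped, "inbound_opens": inbound_opens,
            "outbound_opens": outbound_opens}


if __name__ == "__main__":
    s = summarize(parse_icf_log(SAMPLE_FWLOG), "192.168.1.2")
    for (src, port), n in s["dropped"].most_common():
        print(f"dropped {n:3d} from {src} to port {port}")
    print("accepted inbound connections:", len(s["inbound_opens"]))
    for (dst, port), n in s["outbound_opens"].most_common():
        print(f"outbound {n:3d} to {dst}:{port}")
```

Run against a real pfirewall.log, the outbound counter is the thing to read first: a host that is quiet inbound but repeatedly opening connections to one remote address and port while nobody is using it is exactly the pattern the poster describes.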
 

mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
Go to http://www.merijn.org/files/HijackThis.exe and download 'Hijack This!'.
Make sure it is placed into its own folder, not a temporary folder. Then double-click HijackThis.exe.
Click the "Scan" button; when the scan is finished the Scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log (in the security section)
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If Merijn.org is still down due to the DDoS attack on it, the alternative download sites for HijackThis are:
http://www.oneknight.co.uk
http://www.sherrylynn.us/HijackThis.exe
http://mjc1.com/mirror/hjt/
http://www.majorgeeks.com/downloads31.html
http://www.spywareinfo.com/~merijn/downloads.html
 

mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
Yes, it is safe to post on this board. If you have any O17 lines and want to x out the IP address, you can do that before posting your log.
 

FrankB

Thread Starter
Joined
Mar 19, 2001
Messages
221
My pc was hacked on 4/1/2004. My modem activity light was blinking twice per second for many hours. I deleted cookies and did a restore back to 3/31/04 and the blinking stopped. I found a new user profile in XP and share files box checked. When I logged in the next day there were 30 faxes of different sizes waiting to be sent. Most were about 130 to 180k. They all vanished before my eyes. I turned on logging on the xp firewall and there doesn't seem to be anyone getting in right now. I am concerned that there is more I haven't seen. I'm attaching my hijackthis file below. I would greatly appreciate any advice. I ran Norton and Adaware. Thanks

I xxxed out a few items.

Logfile of HijackThis v1.97.7
Scan saved at 11:41:23 AM, on 4/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\xxxxxxxxx\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xxxxxxx
R1 - HKCU\Software\...download.yahoo.com/games/clients/y/pos3_x.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37589.571724537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/SysQuery.cab
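A parser for the log format above, added here as an example and not part of the thread or of HijackThis: it turns R0/R1 registry lines, O16 DPF (ActiveX) lines and the "Running processes" paths into records, groups the O16 controls by the host they were downloaded from, and flags any process running out of Local Settings/Temp, which is why the reply earlier asked for HijackThis to be put in its own folder. The regexes are my own reading of the three line shapes in this log; the sample is a subset of the posted log with the poster's x'ed-out user name kept as posted; the "known hosts" list handed to unlisted_o16 is an operator-supplied assumption, and a host not on it means "look at this entry", not "malicious".

```python
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis 1.97.7 log posted in this thread; the
# poster's x'ed-out user name is kept exactly as posted.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:41:23 AM, on 4/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\xxxxxxxxx\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37589.571724537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/SysQuery.cab
"""

# My reading of the three line shapes in the log above (not HijackThis's own grammar).
R_LINE = re.compile(r"^(?P<section>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
O16_LINE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
PROC_LINE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def parse_hjt(text):
    """Turn a HijackThis log into a list of dicts, each with a 'section' key."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = O16_LINE.match(line)
        if m:
            rec = {"section": "O16", **m.groupdict()}
            # Host the .cab was fetched from; the query string on the
            # windowsupdate line is dropped by urlsplit.
            rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
            records.append(rec)
            continue
        m = R_LINE.match(line)
        if m:
            records.append(m.groupdict())
            continue
        if PROC_LINE.match(line):
            records.append({"section": "process", "path": line})
    return records


def o16_hosts(records):
    """Map each download host to the descriptions of the controls pulled from it."""
    hosts = {}
    for r in records:
        if r["section"] == "O16":
            hosts.setdefault(r["host"], []).append(r["desc"])
    return hosts


def processes_from_temp(records):
    """Running executables located under Local Settings/Temp."""
    marker = "\\local settings\\temp\\"
    return [r["path"] for r in records
            if r["section"] == "process" and marker in r["path"].lower()]


def unlisted_o16(records, known_suffixes):
    """O16 entries whose host is not under one of the operator-supplied domains.

    The domain list is an assumption of this example; an unlisted host is a
    prompt to check that entry by hand, not a verdict on it.
    """
    def known(host):
        return any(host == s or host.endswith("." + s) for s in known_suffixes)
    return [r for r in records if r["section"] == "O16" and not known(r["host"])]


if __name__ == "__main__":
    recs = parse_hjt(SAMPLE_LOG)
    for host, descs in sorted(o16_hosts(recs).items()):
        print(f"O16 {host}: {', '.join(descs)}")
    for path in processes_from_temp(recs):
        print("running from Temp:", path)
    for r in unlisted_o16(recs, ("microsoft.com", "macromedia.com")):
        print("review O16:", r["host"], "-", r["desc"])
```

On the posted log the only process under Temp is HijackThis itself, unpacked straight from the zip, and with microsoft.com and macromedia.com on the list the one O16 entry left to look at is the HP support control, which the poster can account for from the machine's vendor.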
 