Firewall question xp

Hi,
I've been hacked. I saw my activity light on my dsl modem flashing twice a second for hours when I wasn't online. A new user profile was set up, 30 faxes were waiting to be sent, and they marked file sharing. Not good!! I deleted all cookies, and did a restore back a few days and the light stopped flashing.

I set up logging on xp's firewall and don't see anyone getting in.

It's my understanding that every site you go to is assumed safe and added to the list that the fire wall looks at. If I went to a site that was a hacker this would allow him to get through the firewall. Where is the list kept in XP and is there anything else I should check for. I ran Norton and Adaware but didn't find anything.
thanks!!!!!!!!!!

 

Go to http://www.merijn.org/files/HijackThis.exe and download 'Hijack This!'.
make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log (in the security section)
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If Merijn.org is still down due to the DDOS attack on it, the alternative download sites for Hijackthis are:
http://www.oneknight.co.uk
http://www.sherrylynn.us/HijackThis.exe
http://mjc1.com/mirror/hjt/
http://www.majorgeeks.com/downloads31.html
http://www.spywareinfo.com/~merijn/downloads.html

 

Can I email it to someone?

 

Yes it is safe to post on this board. If you have any 017 lines and want to x out the IP address you can do that before posting your log

 

My pc was hacked on 4/1/2004. My modem activity light was blinking twice per second for many hours. I deleted cookies and did a restore back to 3/31/04 and the blinking stopped. I found a new user profile in XP and share files box checked. When I logged in the next day there were 30 faxes of different sizes waiting to be sent. Most were about 130 to 180k. They all vanished before my eyes. I turned on logging on the xp firewall and there doesn't seem to be anyone getting in right now. I am concerned that there is more I haven't seen. I'm attaching my hijackthis file below. I would greatly appreciate any advice. I ran Norton and Adaware. Thanks

I xxxed out a few items.

Logfile of HijackThis v1.97.7
Scan saved at 11:41:23 AM, on 4/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\xxxxxxxxx\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xxxxxxx R1 - HKCU\Software\...download.yahoo.com/games/clients/y/pos3_x.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37589.571724537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/SysQuery.cab