
Firewall question xp

Discussion in 'Virus & Other Malware Removal' started by FrankB, Apr 5, 2004.

Thread Status:
Not open for further replies.
  1. FrankB

    FrankB Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    221
    Hi,
    I've been hacked. I saw my activity light on my dsl modem flashing twice a second for hours when I wasn't online. A new user profile was set up, 30 faxes were waiting to be sent, and they marked file sharing. Not good!! I deleted all cookies, and did a restore back a few days and the light stopped flashing.

    I set up logging on xp's firewall and don't see anyone getting in.

    It's my understanding that every site you go to is assumed safe and added to the list that the firewall looks at. If I went to a site that was a hacker this would allow him to get through the firewall. Where is the list kept in XP, and is there anything else I should check for? I ran Norton and Adaware but didn't find anything.
    thanks!!!!!!!!!!
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Go to http://www.merijn.org/files/HijackThis.exe and download 'Hijack This!'.
    Make sure it is placed into its own folder, not a temporary folder. Then double-click the HijackThis.exe.
    Click the "Scan" button. When the scan is finished the Scan button will become "Save Log"; click that and save the log.
    Go to where you saved the log, click on "Edit > Select All", then click on "Edit > Copy", then paste the log (in the security section).
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    If Merijn.org is still down due to the DDoS attack on it, the alternative download sites for HijackThis are:
    http://www.oneknight.co.uk
    http://www.sherrylynn.us/HijackThis.exe
    http://mjc1.com/mirror/hjt/
    http://www.majorgeeks.com/downloads31.html
    http://www.spywareinfo.com/~merijn/downloads.html
     
  3. FrankB

    FrankB Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    221
    Can I email it to someone?
     
  4. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Yes, it is safe to post on this board. If you have any O17 lines and want to x out the IP address, you can do that before posting your log.
     
  5. FrankB

    FrankB Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    221
    My pc was hacked on 4/1/2004. My modem activity light was blinking twice per second for many hours. I deleted cookies and did a restore back to 3/31/04 and the blinking stopped. I found a new user profile in XP and share files box checked. When I logged in the next day there were 30 faxes of different sizes waiting to be sent. Most were about 130 to 180k. They all vanished before my eyes. I turned on logging on the xp firewall and there doesn't seem to be anyone getting in right now. I am concerned that there is more I haven't seen. I'm attaching my hijackthis file below. I would greatly appreciate any advice. I ran Norton and Adaware. Thanks

    I xxxed out a few items.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:41:23 AM, on 4/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\xxxxxxxxx\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xxxxxxx
    R1 - HKCU\Software\...download.yahoo.com/games/clients/y/pos3_x.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37589.571724537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/SysQuery.cab
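As an added example (not code from the thread or from HijackThis itself): a small Python parser for the log layout shown above that separates the process list from the coded R/O entries, flags executables running out of a Temp folder (the placement mjack547 warns against; the log above shows HijackThis running from one), and masks the IP addresses in O17 lines before a log is posted, as suggested earlier in the thread. The log text inside it is constructed for the demonstration, including the O17 line, its GUID placeholder and its addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.97 log layout (not the thread's log);
# the O17 line, its GUID placeholder and its addresses are made up for this demo.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:41:23 AM, on 4/6/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EXAMPLE-GUID}: NameServer = 203.0.113.5,203.0.113.6
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")   # R0/R1/O16/O17 ...
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TEMP_RE = re.compile(r"\\(?:Temp|Temporary Internet Files)\\", re.IGNORECASE)

def parse_hjt_log(text):
    """Return (process paths, {entry code: [entry bodies]}) from a HijackThis log."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True          # paths follow until the next blank line
            continue
        if not line:
            in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("code")].append(m.group("body"))
        elif in_processes:
            processes.append(line)
    return processes, dict(entries)

def processes_in_temp(processes):
    """Executables running out of a Temp folder, e.g. HijackThis unzipped in place."""
    return [p for p in processes if TEMP_RE.search(p)]

def redact_o17(entries):
    """Mask IPv4 addresses in O17 (NameServer/DNS) entries before a log is shared."""
    return [IPV4_RE.sub("x.x.x.x", body) for body in entries.get("O17", [])]
```

Run it over a saved log with `parse_hjt_log(open("hijackthis.log").read())`; the grouped entries make it easy to review one section (for example every O16 download URL) at a time.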
     
Short URL to this thread: https://techguy.org/217290