help with hijack log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

chellemays

Thread Starter
Joined
Sep 9, 2003
Messages
16
Can someone help interpret this? I'm trying to figure out if I've got a virus, or an intruder, or what.

Logfile of HijackThis v1.96.4
Scan saved at 10:07:17 PM, on 9/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\Smtray.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~3\NORTON~1\navw32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Michelle Mays\My Documents\vr.exe
C:\WINDOWS\System32\jview.exe
C:\Documents and Settings\Michelle Mays\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by ICTC
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fastaccess.org
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7870.9099652778
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AD60A64-CACE-4037-900A-61D97296E8AB}: NameServer = 216.176.95.129 216.176.95.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AD60A64-CACE-4037-900A-61D97296E8AB}: NameServer = 216.176.95.129 216.176.95.161
 

chellemays

Thread Starter
Joined
Sep 9, 2003
Messages
16
Also, I'm not sure if this is where my problem is or not; someone suggested we start here first, since it appears someone is using my PC as a launchpad in the evening.
 
Joined
Mar 20, 2003
Messages
4,823
There doesn't appear to be anything amiss.

"it appears someone is using my pc as a launchpad in the evening", what makes you believe this?
 
Joined
Dec 9, 2000
Messages
45,855
Would you know what vr.exe is?

C:\Documents and Settings\Michelle Mays\My Documents\vr.exe
C:\WINDOWS\System32\jview.exe

There does not appear to be any startup location for it, so it is either starting as a "service" or something you started manually.

Also jview.exe would not normally be a running task unless it was called through a program using a java applet.

And are these "start" pages associated with your ISP?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
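The cross-check the reply above does by eye (which running processes have a matching O4 autostart entry) can be scripted. The Python below is an added example, not code from the thread or from HijackThis; it parses a constructed excerpt written in the same log format, treats boot-chain processes as expected, and reports everything else as having no Run-key entry. As the reply notes, a log from this HijackThis version cannot tell a service from a manually started program, and a process launched by another autostart program (BttnServ.exe in the sample) will also show up, so the output is a checklist to investigate, not a verdict.

```python
"""Cross-check a HijackThis-style log: running processes vs. O4 autostart entries.

Added example. SAMPLE_LOG is a constructed excerpt in HijackThis 1.x format,
not the log posted in the thread.
"""
import ntpath
import re

# Processes created by the Windows boot chain or the service controller rather
# than by a Run key. HijackThis 1.x has no section for services, so these are
# expected under "Running processes" without any O4 line.
BOOT_CHAIN = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# Constructed sample in the same layout as a real log (assumption: typical entries).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.96.4
Scan saved at 10:07:17 PM, on 9/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Smtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Documents and Settings\User\My Documents\vr.exe
C:\WINDOWS\System32\jview.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.net/
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

# O4 lines carry "[name] command"; .lnk entries with an unresolved "= ?" target
# have no bracketed name and are skipped.
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# First thing ending in .exe, optionally quoted; tolerates unquoted paths with spaces.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)


def parse_log(text):
    """Return (running_process_paths, o4_commands) from a HijackThis log."""
    running, autostart = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line closes the process list
                in_processes = False
                continue
            running.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            autostart.append(m.group("command"))
    return running, autostart


def exe_basename(command):
    """Lower-cased file name of the executable an O4 command launches, or None."""
    m = EXE_RE.match(command.strip())
    if not m:
        return None
    # Basename comparison also bridges 8.3 short paths (PROGRA~1) and long paths.
    return ntpath.basename(m.group("path")).lower()


def find_unexplained(text):
    """Running processes with neither a boot-chain role nor an O4 Run-key entry."""
    running, autostart = parse_log(text)
    started_by_run_key = {exe_basename(c) for c in autostart} - {None}
    unexplained = []
    for path in running:
        name = ntpath.basename(path)
        if name.lower() in BOOT_CHAIN or name.lower() in started_by_run_key:
            continue
        unexplained.append(name)
    return unexplained


if __name__ == "__main__":
    for name in find_unexplained(SAMPLE_LOG):
        print(f"{name}: no O4 entry (service, child of another program, or started by hand)")
```

Running the script lists BttnServ.exe, vr.exe and jview.exe for the sample; the first is a child of an autostart program, which is exactly the kind of entry a human follow-up resolves.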
 
Joined
Mar 20, 2003
Messages
4,823
vr.exe is VisualRoute, or at least it is on my computer, an internet tracker. I usually use it for checking up on bottlenecks, but that's me, incwedibly sad :D
 

chellemays

Thread Starter
Joined
Sep 9, 2003
Messages
16
The start pages that are listed are my ISP's, and the IT tech at my ISP is the one who stated someone is possibly using my PC as a launchpad. Every night for the last 6 months I get kicked off on dial-up starting at 8:30pm Central time; I can stay on all day long with no problems. We've done all the typical checks and nothing has worked. I've switched ISPs 3 times with no success and reformatted with no success. In the evening when I'm on, my firewall will warn me that a remote system is trying to access my computer, and shortly after that I will get kicked off. This continues till about 6 am, then I am fine.
 
Joined
Dec 9, 2000
Messages
45,855
Thanks Putasolution, I'm sure that accounts for jview as well.

I doubt whether the firewall warning has any relevance, as inbound attempts to connect are quite common. If it were an outbound attempt to connect to the internet -- then you'd have it.

My suspicion is that there is something going on with the phone line at that hour causing you to lose your internet connection.

However, have you checked the IP and port number of the attempted remote connect? The firewall report should indicate that.

Knowing both the port it is trying to connect to, and where it is coming from can be instructive.
 
Joined
Mar 20, 2003
Messages
4,823
I concur, something like a significant amount of noise on the line may cause your modem to give up the ghost, or drop the connection. Corroded telephone wires and antiquated relays & switches can also be a contributory factor.

Does it give any IP address for the incoming pings?
 

chellemays

Thread Starter
Joined
Sep 9, 2003
Messages
16
Well, we checked with the phone company and checked for line noise, and neither showed up anything. The reason they don't think it's the phone line is because when I use my laptop I can stay connected; only when I'm on my personal PC do I get kicked off. So I guess I'm back to square one here. I just hate to pay someone to come out and try to figure it out, then have them say the same thing, that they have no idea what is causing it. The IP address that comes up when Norton advises a remote access is trying to connect is different every time; it's never the same address, and each time I choose to block, which seems to get me nowhere. Last night I ran the spyware and had it complete the fixes, but I was still having the problem last night after doing that.
 

chellemays

Thread Starter
Joined
Sep 9, 2003
Messages
16
No, haven't tried that yet, but I didn't call Compaq regarding the modem; it's a HSP56 micromodem, and they advised it wasn't a problem with the modem.
 

chellemays

Thread Starter
Joined
Sep 9, 2003
Messages
16
OK, I'm still having my nightly disconnect problem after 8:30. I made all the changes suggested, and last night and tonight I have received OVER 300 high risk TCP inbound UDP attempts warnings from Norton. All the remote addresses are different, but the local addresses are the same; they are only from 2 different IP numbers. Could this have anything to do with my problem? I changed my alert level and now I am seeing all these requests? I removed all of what was suggested and no help, still disconnected every few minutes after 8:30.
 

chellemays

Thread Starter
Joined
Sep 9, 2003
Messages
16
I've changed the password and that didn't help. So it's normal to get that many inbound attempts; I got so many it locked me up, close to 300 the night before last and last night, and I'm assuming I'll have the same problem tonight. Why are all of them from different remote addresses, but the local address is the same on all of them? They are all listed as high risk. I've tried everything to figure out the reason for the nightly disconnects and no one can figure it out. I would think it was the phone line, but when I use my laptop it doesn't disconnect me. Also, I've listened for line noise; it's clear as a bell, and my neighbor has no problems at all. I tried the Control Panel thing to change my modem to put in extra settings, and I don't see where to put that in on Windows XP. Does anyone have any idea who I can contact to troubleshoot this problem? I use my computer for work in the evening at home, and with this problem I can't do anything.
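The remote-address question in the last two posts, together with the earlier advice to look at the IP and port of each attempt, lends itself to a small triage script. The Python below is an added example, not code from the thread or from Norton; the alert lines are constructed in a generic shape (timestamp, protocol, remote -> local, action) rather than Norton's own report format, and the addresses come from documentation ranges. The local address in an inbound alert is the machine's own dial-up address, so it is expected to be identical across alerts. What separates broad automated scanning from a source singling the machine out is the spread of distinct remotes against one local port versus one remote walking through several ports, and the per-hour tally shows whether the alerts actually fall inside the disconnect window.

```python
"""Triage inbound firewall alerts: broad scanning noise or a source probing this host?

Added example. SAMPLE_ALERTS is constructed in a generic layout and is not
Norton's report format; remote addresses are RFC 5737 documentation ranges and
198.51.100.7 stands in for the dial-up host's own address.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_ALERTS = """
2003-09-12 20:31:05 UDP 203.0.113.14:1040 -> 198.51.100.7:1434 blocked
2003-09-12 20:31:09 UDP 203.0.113.77:1040 -> 198.51.100.7:1434 blocked
2003-09-12 20:32:44 TCP 192.0.2.201:3398 -> 198.51.100.7:135 blocked
2003-09-12 20:35:12 UDP 203.0.113.250:1040 -> 198.51.100.7:1434 blocked
2003-09-12 20:40:00 TCP 192.0.2.9:4021 -> 198.51.100.7:135 blocked
2003-09-12 21:02:31 TCP 192.0.2.9:4022 -> 198.51.100.7:139 blocked
2003-09-12 21:02:33 TCP 192.0.2.9:4023 -> 198.51.100.7:445 blocked
2003-09-12 21:02:35 TCP 192.0.2.9:4024 -> 198.51.100.7:1025 blocked
2003-09-12 21:15:08 UDP 203.0.113.3:1040 -> 198.51.100.7:1434 blocked
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<rip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+) -> "
    r"(?P<lip>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+) (?P<action>\w+)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; blank or unrecognised lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        alerts.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "remote_ip": d["rip"],
            "local_ip": d["lip"],
            "local_port": int(d["lport"]),
            "action": d["action"],
        })
    return alerts


def local_addresses(alerts):
    """Distinct local addresses; for a single dial-up host this is one value."""
    return sorted({a["local_ip"] for a in alerts})


def port_summary(alerts):
    """Per (proto, local port): (total hits, number of distinct remote sources).

    Many distinct sources against one port is the signature of untargeted,
    automated scanning; it says nothing about this particular machine."""
    hits = Counter()
    sources = defaultdict(set)
    for a in alerts:
        key = (a["proto"], a["local_port"])
        hits[key] += 1
        sources[key].add(a["remote_ip"])
    return {k: (hits[k], len(sources[k])) for k in hits}


def multi_port_sources(alerts, min_ports=3):
    """Remote addresses that touched at least min_ports distinct local ports.

    One source walking through several ports is the pattern worth a closer look."""
    ports = defaultdict(set)
    for a in alerts:
        ports[a["remote_ip"]].add(a["local_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def hourly_counts(alerts):
    """Alerts per hour of day, to compare against the reported disconnect window."""
    return Counter(a["ts"].hour for a in alerts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("local address(es):", local_addresses(alerts))
    for (proto, port), (n, distinct) in sorted(port_summary(alerts).items()):
        print(f"{proto}/{port}: {n} hits from {distinct} distinct sources")
    for ip, ports in multi_port_sources(alerts).items():
        print(f"{ip} probed several ports: {ports}")
    print("alerts per hour:", dict(sorted(hourly_counts(alerts).items())))
```

On the sample, UDP/1434 is hit by four different sources, which reads as background scanning, while 192.0.2.9 touches four ports in sequence and is the one address worth looking up and noting the time of; the hourly tally is what to compare against the 8:30pm disconnects.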
 