
help with hijack log

Discussion in 'Virus & Other Malware Removal' started by chellemays, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. chellemays

    chellemays Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    16
    Can someone help interpret this? I'm trying to figure out if I've got a virus, or an intruder, or what?

    Logfile of HijackThis v1.96.4
    Scan saved at 10:07:17 PM, on 9/9/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\WINDOWS\System32\Smtray.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQInet.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\HPHipm09.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\PROGRA~1\NORTON~3\NORTON~1\navw32.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Michelle Mays\My Documents\vr.exe
    C:\WINDOWS\System32\jview.exe
    C:\Documents and Settings\Michelle Mays\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by ICTC
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Smapp] Smtray.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.fastaccess.org
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7870.9099652778
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1AD60A64-CACE-4037-900A-61D97296E8AB}: NameServer = 216.176.95.129 216.176.95.161
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1AD60A64-CACE-4037-900A-61D97296E8AB}: NameServer = 216.176.95.129 216.176.95.161
     
  2. chellemays

    chellemays Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    16
    Also, I'm not sure if this is where my problem is or not; someone suggested we start here first, since it appears someone is using my PC as a launchpad in the evening.
     
  3. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    There doesn't appear to be anything amiss.

    "it appears someone is using my pc as a launchpad in the evening", what makes you believe this?
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Would you know what vr.exe is?

    C:\Documents and Settings\Michelle Mays\My Documents\vr.exe
    C:\WINDOWS\System32\jview.exe

    There does not appear to be any startup location for it, so it is either starting as a "service" or something you started manually.

    Also jview.exe would not normally be a running task unless it was called through a program using a java applet.

    And are these "start" pages associated with your ISP?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
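
    As an added example (not code from anyone in this thread), the cross-check made in the reply above can be done mechanically: read the "Running processes" list and the O4 autostart entries out of a HijackThis log, report every running executable that has no autostart entry (so it was started by hand or runs as a service), and pull the hostnames out of the R0/R1 start-page entries so they can be compared with the ISP's addresses. The log embedded below is a constructed, abridged sample in the same layout as the one posted; the function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an abridged log in the same layout as a HijackThis 1.96
# log (process list, blank line, then R/O entries). Paths are illustrative.
SAMPLE_LOG = r"""Logfile of HijackThis v1.96.4
Scan saved at 10:07:17 PM, on 9/9/2003

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Documents and Settings\User\My Documents\vr.exe
C:\WINDOWS\System32\jview.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by ICTC
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

# An entry line is "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [Label] prog.exe"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def parse_hijackthis(text):
    """Return (running_processes, [(kind, body), ...]) from a log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def basename(path):
    """Lower-cased file name of a Windows path (or bare file name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def startup_names(entries):
    """Executable names referenced by O4 (autostart) entries."""
    names = set()
    for kind, body in entries:
        if kind != "O4":
            continue
        _, _, cmd = body.partition(": ")                 # drop "HKLM\..\Run"
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", cmd)         # drop the [Label]
        m = re.search(r'"?([^"]*?\.exe)"?', cmd, re.IGNORECASE)
        if m:                                            # .lnk entries are skipped
            names.add(basename(m.group(1)))
    return names


def processes_without_startup_entry(text):
    """Running processes whose executable appears in no O4 entry: these were
    started by hand or run as a service, so they deserve a second look."""
    processes, entries = parse_hijackthis(text)
    known = startup_names(entries)
    return [p for p in processes if basename(p) not in known]


def start_page_hosts(entries):
    """Hostnames set by R0/R1 entries, to compare with the ISP's addresses."""
    hosts = set()
    for kind, body in entries:
        if kind in ("R0", "R1"):
            _, _, value = body.partition(" = ")
            host = urlparse(value.strip()).netloc      # empty for non-URL values
            if host:
                hosts.add(host.lower())
    return hosts


if __name__ == "__main__":
    _, ents = parse_hijackthis(SAMPLE_LOG)
    print("No autostart entry:", processes_without_startup_entry(SAMPLE_LOG))
    print("Start-page hosts:", sorted(start_page_hosts(ents)))
```

    Core Windows processes (smss.exe and the like) will always show up in the "no autostart entry" list, since they are started by the system rather than from a Run key; the point of the list is to draw the eye to anything else in it.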
     
  5. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    vr.exe is VisualRoute, or at least it is on my computer, an internet tracker. I usually use it for checking up on bottlenecks, but that's me, incwedibly sad :D
     
  6. chellemays

    chellemays Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    16
    The start pages that are listed are my ISP, and the IT tech at my ISP is the one who stated someone is possibly using my PC as a launchpad. Every night for the last 6 months I get kicked off on dial-up starting at 8:30pm Central time; I can stay on all day long with no problems. We've done all the typical checks and nothing has worked. I've switched ISPs 3 times with no success and reformatted with no success. In the evening when I'm on, my firewall will warn me that a remote system is trying to access my computer and shortly after that I will get kicked off. This continues till about 6 am, then I am fine.
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Thanks Putasolution, I'm sure that accounts for jview as well.

    I doubt whether the firewall warning has any relevance, as inbound attempts to connect are quite common. If it were an outbound attempt to connect to the internet -- then you'd have it.

    My suspicion is that there is something going on with the phone line at that hour causing you to lose your internet connection.

    However, have you checked the IP and port number of the attempted remote connect? The firewall report should indicate that.

    Knowing both the port it is trying to connect to, and where it is coming from can be instructive.
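
    An added example (not code from anyone in this thread) of what to do with that information once the firewall's alerts are exported to a text file: the script groups inbound attempts by the local port they aimed at and counts how many distinct remote addresses hit each one (many different remotes on the same port is the ordinary background noise described above), and lists outbound attempts separately, because those are initiated by a program on the PC itself. The alert layout and the addresses are constructed for the example; the real Norton log format is not shown in this thread, so ALERT_RE would need adapting to it.

```python
import re
from collections import defaultdict

# Constructed sample alerts in a simplified made-up layout
# (time, direction, protocol, source -> destination). This is NOT Norton's
# real export format. Addresses are from the RFC 5737 documentation ranges;
# 192.0.2.10 plays the local PC.
SAMPLE_ALERTS = """\
2003-09-12 20:31:04 inbound TCP 203.0.113.7:3411 -> 192.0.2.10:135
2003-09-12 20:31:09 inbound UDP 198.51.100.23:1026 -> 192.0.2.10:137
2003-09-12 20:32:15 inbound TCP 203.0.113.88:4120 -> 192.0.2.10:135
2003-09-12 20:33:40 inbound TCP 198.51.100.5:2210 -> 192.0.2.10:445
2003-09-12 20:35:02 outbound TCP 192.0.2.10:1044 -> 203.0.113.200:80
this line is not an alert and is skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<direction>inbound|outbound) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_alerts(text):
    """Turn alert lines into dicts normalised to remote address / local port."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue                      # ignore anything that is not an alert
        d = m.groupdict()
        if d["direction"] == "inbound":   # remote is the source, local is the target
            remote, rport, lport = d["src"], d["sport"], d["dport"]
        else:                             # remote is the destination, local is the source
            remote, rport, lport = d["dst"], d["dport"], d["sport"]
        alerts.append({"ts": d["ts"], "direction": d["direction"], "proto": d["proto"],
                       "remote": remote, "remote_port": int(rport), "local_port": int(lport)})
    return alerts


def triage(alerts):
    """Inbound hits grouped by (proto, local port) with hit and distinct-remote
    counts; outbound attempts returned individually for investigation."""
    inbound = defaultdict(lambda: {"hits": 0, "remotes": set()})
    outbound = []
    for a in alerts:
        if a["direction"] == "inbound":
            bucket = inbound[(a["proto"], a["local_port"])]
            bucket["hits"] += 1
            bucket["remotes"].add(a["remote"])
        else:
            outbound.append(a)
    summary = {key: {"hits": b["hits"], "distinct_remotes": len(b["remotes"])}
               for key, b in inbound.items()}
    return summary, outbound


def report(text):
    """Human-readable summary, busiest local port first."""
    summary, outbound = triage(parse_alerts(text))
    lines = ["Inbound attempts by local port (proto port): hits / distinct remote IPs"]
    for (proto, port), b in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(f"  {proto} {port}: {b['hits']} / {b['distinct_remotes']}")
    lines.append(f"Outbound attempts to investigate: {len(outbound)}")
    for a in outbound:
        lines.append(f"  {a['ts']} {a['proto']} local port {a['local_port']} "
                     f"-> {a['remote']}:{a['remote_port']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

    A port that collects hits from many unrelated remote addresses is being scanned at random and says nothing about this particular PC; a single outbound entry, by contrast, names a local program that tried to reach out and is worth tracing back to its process.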
     
  8. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    I concur; something like a significant amount of noise on the line may cause your modem to give up the ghost, or drop the connection. Corroded telephone wires and antiquated relays & switches can also be a contributory factor.

    Does it give any IP address for the incoming pings?
     
  9. chellemays

    chellemays Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    16
    Well, we checked with the phone company and checked for line noise, and neither showed up anything. The reason they don't think it's the phone line is because when I use my laptop I can stay connected; only when I'm on my personal PC do I get kicked off. So I guess I'm back to square one here. I just hate to pay someone to come out and try to figure it out, then have them say the same thing, that they have no idea what is causing it. The IP address that comes up when Norton advises a remote access is trying to connect is different every time; it's never the same address, and each time I choose to block, which seems to get me nowhere. Last night I ran the spyware and had it complete the fixes, but I was still having the problem last night after doing that.
     
  10. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Have you tried another modem?
     
  11. chellemays

    chellemays Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    16
    No, haven't tried that yet, but I didn't call Compaq regarding the modem. It's a HSP56 micromodem, and they advised it wasn't a problem with the modem.
     
  12. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
  13. chellemays

    chellemays Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    16
    OK, I'm still having my nightly disconnect problem after 8:30. I made all the changes suggested, and last night and tonight I have received OVER 300 high-risk TCP inbound / UDP attempt warnings from Norton. All the remote addresses are different but the local addresses are the same; they are only from 2 different IP numbers. Could this have anything to do with my problem? I changed my alert level and now I am seeing all these requests. I removed all of what was suggested and no help, still disconnected every few minutes after 8:30.
     
  14. chellemays

    chellemays Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    16
    I've changed the password and that didn't help. So it's normal to get that many inbound attempts; I got so many it locked me up, close to 300 the night before last and last night, and I'm assuming I'll have the same problem tonight. Why are all of them from different remote addresses, but the local address is the same on all of them? They are all listed as high risk. I've tried everything to figure out the reason for the nightly disconnects and no-one can figure it out. I would think it was the phone line, but when I use my laptop it doesn't disconnect me. Also I've listened for line noise; it's clear as a bell and my neighbor has no problems at all. I tried the control panel thing to change my modem to put in extra settings and I don't see where to put that in on Windows XP. Does anyone have any idea who I can contact to troubleshoot this problem? I use my computer for work in the evening at home and with this problem I can't do anything.
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
Short URL to this thread: https://techguy.org/163684