
Is this a security issue ?

Discussion in 'Virus & Other Malware Removal' started by Sooky 47, Sep 9, 2003.

Thread Status:
Not open for further replies.
  1. Sooky 47

    Sooky 47 Gone and dearly missed Thread Starter

    Joined:
    Nov 6, 2001
    Messages:
    7,281
    I am really paranoid now ....
    I shut down my computer at approx 11:00 last night and I'm 99 percent sure it shut down ....
    I got up after 6:20 am this morning and the computer is on .....
    the Windows logon is being displayed and there is ........ six or eight black dots displayed in the password box >>> I did not have a password entered ?
    I had to use the floppy to access the computer again !!!!!
    I am very confused about this =
    I checked the Event Log and found
    the attached report info ?
    These activities started after 12:00 am.

    Spybot , Adaware show nothing ! Clean !

    Any help or suggestions will be appreciated
    Thanks, Lu
     

    Attached Files:

  2. Sooky 47

    Sooky 47 Gone and dearly missed Thread Starter

    Joined:
    Nov 6, 2001
    Messages:
    7,281
    This shows the stopping activity ?
     

    Attached Files:

  3. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    This would get my attention too! I think I would do a trojan scan and antivirus scan. I don't think this is acting like spyware so Spybot and Ad-Aware, while good programs, are not helping now.

    You can get free tools here

    TrendMicro's free virus scan
     
  4. Sooky 47

    Sooky 47 Gone and dearly missed Thread Starter

    Joined:
    Nov 6, 2001
    Messages:
    7,281
    Hi BillC,
    Thank you for taking time to give these suggestions,

    - took a bit to do these scans so here is what I have :


    http://housecall.trendmicro.com/

    TrendMicro's free virus scan showed - " clean "
    ..........................................
    http://www.trojanscan.com/
    Trojan scan :
    Starting scan at 13:16:31:728...
    Scan Memory
    Memory not infected
    Scan folder: 'C:\', recursive
    Unable to scan C:\System Volume Information - Access is denied.
    Scan folder: 'C:\Documents and Settings\All Users\Documents', recursive
    Scan folder: 'C:\Documents and Settings\HOME\My Documents', recursive
    Finished scan at 13:28:14:788
    Total number of files is 29146, number of infected files is 0
    Average files per second is 41, average file size is 67341967
     
  5. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,915
    Sooky47,

    In addition to the links BillC posted, consider downloading a trial copy of an anti-trojan like The Cleaner or Trojan Remover and see if they find anything. What other security tools have you got?

    If you're using XP it does 'phone home' a lot but I don't think even MS go so far as to boot up the computer first! Are you sure that you or someone else with access to the computer haven't set up some automatic routine and that your computer was not 'in hibernation' rather than shut down?

    Have you checked with your 'phone company to see if their records show a four hour call from your number? It would be a good idea to let them know that there may be problems on your machine and you might think about taking it offline (assuming you have an 'always on' connection) until this mystery is cleared up.

    There are nasty programs that go under the general title of 'backdoors' and, if you have one of those, someone else can control your computer remotely and do anything on it that you can do. Let's hope there is a more innocent explanation for this.

    http://www.moosoft.com/index.php

    http://www.simplysup.com/tremover/
     
  6. Sooky 47

    Sooky 47 Gone and dearly missed Thread Starter

    Joined:
    Nov 6, 2001
    Messages:
    7,281
    Thank you Togg,
    I will try this link and post back ... just heading out again .
    I never even thought to call the phone company, but I will !
     
  7. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,915
    If you do decide to try Trojan Remover you should be aware that the 'Scan' option on the first screen you see only triggers a quick scan of the Registry and startup files.

    To be sure, you should probably click on the icon that looks like an electric torch and scan your Program files, if not your whole Hard Drive. This may take some time!!

    Also, if you decide to use either program (or any other trojan 'cleaner') you should be aware that, if they find anything and you allow them to clean or fix it, some files could get renamed or otherwise amended. As a result of that some things might not work and have to be reinstalled. The lesser of two evils I suppose.

    Standard advice here would also be to download and run 'HiJack This'. Details on how to do that are pinned at the top of this Forum in 'Security Help Tools'.
     
  8. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Calling the local phone company and explaining your findings is a good idea. You have the start and end times of the call. They should be able to tell you WHAT number was dialed. And also the charges. Let's hope it wasn't a toll call.

    Sometimes the first level customer service reps you encounter at the local phone company are either not knowledgeable of things like this or are unwilling to help. IF this happens INSIST on talking to the security dept manager.

    In the meantime, here is another security tool you can d/l and run. This looks for trojans that are commonly called 'bots'. These are used to make your computer part of a denial of service attack (DoS, DDoS and RDDoS).

    As with any program of this type, update the definitions before running.

    SWAT IT, a free trojan program with free updates for life. Checks for bots used in DoS attacks. http://lockdowncorp.com/bots/downloadswatit.html
     
  9. Sooky 47

    Sooky 47 Gone and dearly missed Thread Starter

    Joined:
    Nov 6, 2001
    Messages:
    7,281
    Since I am uneducated to such computer issues ....... I am on cable ,
    I called the cable company and they could tell me nothing except it didn't seem like there has been any access usage !

    Since I am on cable and not a phone line modem > Do I still call the phone company ? Telephony, is that actually usage via my computer?

    I have listed the trojan remover question , then I will do another scan.

    thanks Lu
     

    Attached Files:

  10. Sooky 47

    Sooky 47 Gone and dearly missed Thread Starter

    Joined:
    Nov 6, 2001
    Messages:
    7,281
    Hijack this scan:

    Logfile of HijackThis v1.93.0
    Scan saved at 8:12:54 PM, on 9/9/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/search?q=APOD&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search&meta=
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

    I will check back in a little bit.
    Thanks
    Lu
     
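As an added illustration (not part of the thread, and not HijackThis's own code), the following Python triage helper parses log lines of the kind posted above and flags the entries a reviewer would verify first: autoruns with no path, IE policy restrictions, and O16 downloaded ActiveX controls that carry no product name. The "trusted directories" list and the flagging rules are this example's own assumptions; the sample lines are copied from the log above.

```python
import re

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
HJT_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
"""

# HijackThis prefixes every finding with a section label (R0, O2, O4, O16, ...).
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \((?P<name>[^)]+)\))? - (?P<url>\S+)$")
# Assumed "expected" install locations for this example; adjust per machine.
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            entries.append((m["sec"], m["body"]))
    return entries

def triage(entries):
    """Return (section, item, reason) for entries to verify first; a flag is a prompt to check, not a verdict."""
    findings = []
    for sec, body in entries:
        if sec == "O4" and (m := RUN_RE.search(body)):
            cmd = m["cmd"].strip('"').lower()
            # A bare file name is resolved through the search path at logon,
            # so the file actually being launched has to be located on disk.
            if "\\" not in cmd:
                findings.append((sec, m["name"], "autorun has no path; locate the file"))
            elif not cmd.startswith(TRUSTED_DIRS):
                findings.append((sec, m["name"], "autorun outside Program Files/Windows"))
        elif sec == "O6":
            findings.append((sec, body, "IE policy restriction present; confirm it was set on purpose"))
        elif sec == "O16" and (m := DPF_RE.search(body)) and not m["name"]:
            # No product name: the control can only be identified by CLSID and download URL.
            findings.append((sec, m["clsid"], "unnamed ActiveX control from " + m["url"]))
    return findings
```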
  11. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    IF you have no phone line connected to the PC, then forget calling the phone company. It's just that from what you pasted into your post it said, "The telephony service" started and stopped at the times indicated. Is there a phone line attached to the PC?
     
  12. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Looking at your HJT log I don't see anything to be concerned about.

    I would still d/l and run SWAT IT from the link I gave you above.
     
  13. Sooky 47

    Sooky 47 Gone and dearly missed Thread Starter

    Joined:
    Nov 6, 2001
    Messages:
    7,281
    NiteHawk thanks for responding ....... I am green at this , and no there is no phone line connected to the computer ...... I am trying to figure out the strange activity that occurred today .....
    The event viewer showed this activity between 12:44am - 4:22 am ....
    just trying to figure out why ! since there is no phone line to the computer = why would this show?
    Is there file sharing going on ?

    LU

    ps . I will d/l and run Swat It now

    thanks again:)
     
  14. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    At this point, I really don't know :(

    Let's see what all the scans produce.
    As good as HJT is, it doesn't show all. That's why we also use other scans.
     
  15. Sooky 47

    Sooky 47 Gone and dearly missed Thread Starter

    Joined:
    Nov 6, 2001
    Messages:
    7,281
    I'm Back ....... Swat it scan
    Thanks for all your info NiteHawk much appreciated.
     

    Attached Files:

Short URL to this thread: https://techguy.org/163431
