Is this a security issue ?

[Sooky 47]

I am really parinoide now ....
I shut down my computer at approx 11:00 last night and I'm 99 percent sure it shut down ....
I got up after 6:20 am this morning and the computer is on .....
the Windows logon is being displayed and there is ........ six or eight black dots displayed in the password box >>> I did not have a password entered ?
I had to use the floppy to access the computer again !!!!!
I am very confused about this =
I checked the Event Log and found
the attatched report info ?
These activities started after 12:00 am.

Spybot , Adaware show nothing ! Clean !

Any help or suggestions will be appreciated
Thanks, Lu

 

[Sooky 47]

this shows th e stopping activity ?

 

[BillC]

This would get my attention too! I think I would do a trojan scan and antivirus scan. I don't think this is acting like spyware so Spybot and Ad-Aware, while good programs, are not helping now.

You can get free tools here

TrendMicro's free virus scan

 

[Sooky 47]

Hi BillC,
Thank - you for takeing time to give these suggestions,

- took a bit to do these scans so here is what i have :


http://housecall.trendmicro.com/

TrendMicro's free virus scan showed - " clean "
..........................................
http://www.trojanscan.com/
Trojen scan :
Starting scan at 13:16:31:728...
Scan Memory
Memory not infected
Scan folder: 'C:\', recursive
Unable to scan C:\System Volume Information - Access is denied.
Scan folder: 'C:\Documents and Settings\All Users\Documents', recursive
Scan folder: 'C:\Documents and Settings\HOME\My Documents', recursive
Finished scan at 13:28:14:788
Total number of files is 29146, number of infected files is 0
Average files per second is 41, average file size is 67341967http://housecall.

trendmicro.com/

 

[TOGG]

Sooky47,

In addition to the links BillC posted, consider downloading a trial copy of an anti trojan like The Cleaner or Trojan Remover and see if they find anything. What other security tools have you got?.

If you're using XP it does 'phone home' a lot but I don't think even MS go so far as to boot up the computer first! Are you sure that you or someone else with access to the computer haven't set up some automatic routine and that your computer was not 'in hibernation' rather than shut down?

Have you checked with your 'phone company to see if their records show a four hour call from your number? It would be a good idea to let them know that there may be problems on your machine and you might think about taking it offline (assuming you have an 'always on' connection) until this mystery is cleared up.

There are nasty programs that go under the general title of 'backdoors' and, if you have one of those, someone else can control your computer remotely and do anything on it that you can do. Let's hope there is a more innocent explanation for this.

http://www.moosoft.com/index.php

http://www.simplysup.com/tremover/

 

[Sooky 47]

Thank=you Togg,
I will try this link and post back ... just heading out again .
I never even thought to call the phone company, but I will !

 

[TOGG]

If you do decide to try Trojan Remover you should be aware that the 'Scan' option on the first screen you see only triggers a quick scan of the Registry and startup files.

To be sure, you should probably click on the icon that looks like an electric torch and scan your Program files, if not your whole Hard Drive. This may take some time!!

Also, if you decide to use either program (or any other trojan 'cleaner') you should be aware that, if they find anything and you allow them to clean or fix it, some files could get renamed or otherwise amended. As a result of that some things might not work and have to be reinstalled. The lesser of two evils I suppose.

Standard advice here would also be to download and run 'HiJack This'. Details on how to do that are pinned at the top of this Forum in 'Security Help Tools'.

 

[NiteHawk]

Calling the local phone company and explaining your findings is a good idea. You have the start and end times of the call. They should be able to tell you WHAT number was dialed. And also the charges. Let's hope it wasn't a toll call.

Sometimes the first level customer service reps you encounter at the local phone company are either not knowledgeable of things like this or are unwilling to help. IF this happens INSIST on talking to the security dept manager.

In the mean time, here is another security tool you can d/l and run. This look for trojans that are commonly called 'bots'. These are used for using your computer as part of a denial of service attack (Dos, DDoS and RDDoS).

As with any program of this type, update the definitions before running.

SWAT IT a free trojan program and free updates for life. Checks for bots used in DoS attacks. http://lockdowncorp.com/bots/downloadswatit.html

 

[Sooky 47]

Since I am uneducated to such computer issues ....... I am on cable ,
I called the cable company and they could tell me nothing accept it didn't seem like there has been any access usage !

Since I am on cable and not a phone line modem > Do I still call the phone company ? Telephony is that actually usage via my computer?

I have listed the trojan remover question , then I will do another scan.

thanks Lu

 

[Sooky 47]

Hijack this scan:

Logfile of HijackThis v1.93.0
Scan saved at 8:12:54 PM, on 9/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/search?q=APOD&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search&meta=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

I will check back in alittle bit.
Thanks
Lu

 

[NiteHawk]

IF you have no phone line connected to the PC, then forget calling the phone company. It's just that from what you pasted into your post it said, "The telephony service" started and stopped at the times indicated. Is there a phone line attached to the PC?

 

[NiteHawk]

Looking at your HJT log I don't see anything to be concerned about.

I would still d/l and run SWAT IT from the link I gave you above.

 

[Sooky 47]

NiteHawk thanks for responding ....... I am green at this , and no there is no phone line connected to the computer ...... I am trying to figure out the strange activity that occured today .....
The event viewer showed this activity between 12:44am - 4:22 am ....
just trying to figure out why ! since there is no phone line to the computer = why would this show?
Is there file sharing going on ?

LU

ps . I will d/l and run Swat It now

thanks again

 

[NiteHawk]

At this point, I really don't know

Let's see what all the scans produce.
As good as HJT is, it doean't show all. That's why we also use other scans.

 

[Sooky 47]

I'm Back ....... Swat it scan
Thanks for all your into NiteHawk much appreciated.