Re: hijack this startup - can someone tell me the hack i am experi

From: Pfused_the_Confused (PfusedtheConfused_at_discussions.microsoft.com)
Date: 01/28/05


Date: Thu, 27 Jan 2005 16:31:02 -0800

Hi Carey,

I'm sorry - I am new here. Are the 'Experts' referred to in the title of the
forum employed by Microsoft? I thought it was a user-forum... can you refer
me to a public user-forum please? This hack is driving me insane!

Thanks in advance and my apologies to you and the forum.

"Carey Frisch [MVP]" wrote:

> I don't think anyone has the time to analyse your lengthy
> "Hijack This" log (a non-Microsoft supported program).
> I would suggest you perform the following:
>
> Symantec Security Check
> http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
>
> 3 Simple Steps to Help Ensure the Protection of Your PC
> http://www.microsoft.com/athome/security/protect/default.aspx
>
> Microsoft Windows AntiSpyware
> http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
>
> --
> Carey Frisch
> Microsoft MVP
> Windows XP - Shell/User
>
> Be Smart! Protect Your PC!
> http://www.microsoft.com/athome/security/protect/default.aspx
>
> ----------------------------------------------------------------------------
>
> "Pfused_the_Confused" wrote:
>
> | This is a Hijack This startup log - as you can see, I am being hacked but I
> | don't know how to interpret all the data. I believe they created a hidden
> | partition on my drive, have taken over admin rights and are impersonating the
> | one user (vince) on the machine.
> |
> | Any help would be most appreciated!!!
> |
> | Sorry for posting such a large log file - the remainder is in a second post
> | with the same title.
> |
> | (config = WinXP SP2 all updates - Panasonic Toughbook Elite - broadband
> | access through Shaw internet)
> |
> |
> | StartupList report, 1/27/2005, 3:33:50 PM
> | StartupList version: 1.52.2
> | Started from : C:\Program Files\hijack tmp\HijackThis.EXE
> | Detected: Windows XP SP2 (WinNT 5.01.2600)
> | Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
> | * Using default options
> | * Including empty and uninteresting sections
> | * Showing rarely important sections
> | ==================================================
> |
> | Running processes:
> |
> | C:\WINDOWS\System32\smss.exe
> | C:\WINDOWS\system32\winlogon.exe
> | C:\WINDOWS\system32\services.exe
> | C:\WINDOWS\system32\lsass.exe
> | C:\WINDOWS\system32\svchost.exe
> | C:\WINDOWS\System32\svchost.exe
> | C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
> | C:\WINDOWS\Explorer.EXE
> | C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> | C:\WINDOWS\system32\spoolsv.exe
> | C:\Program Files\Symantec AntiVirus\DefWatch.exe
> | C:\Program Files\Symantec AntiVirus\Rtvscan.exe
> | C:\Program Files\UPHClean\uphclean.exe
> | C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> | C:\PROGRA~1\SYMANT~1\VPTray.exe
> | C:\WINDOWS\system32\igfxtray.exe
> | C:\WINDOWS\system32\hkcmd.exe
> | C:\WINDOWS\system32\hkeyman.exe
> | C:\Program Files\QuickTime\qttask.exe
> | C:\PROGRA~1\Mizotec\xpnsbar.exe
> | C:\Program Files\WinZip\WZQKPICK.EXE
> | C:\WINDOWS\system32\mmc.exe
> | C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
> | C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
> | C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
> | C:\WINDOWS\system32\cmd.exe
> | C:\Program Files\Internet Explorer\iexplore.exe
> | C:\WINDOWS\system32\rundll32.exe
> | C:\Program Files\hijack tmp\HijackThis.exe
> | C:\WINDOWS\system32\NOTEPAD.EXE
> | C:\WINDOWS\system32\taskmgr.exe
> | C:\WINDOWS\notepad.exe
> |
> | --------------------------------------------------
> |
> | Listing of startup folders:
> |
> | Shell folders Startup:
> | [C:\Documents and Settings\Vince\Start Menu\Programs\Startup]
> | *No files*
> |
> | Shell folders AltStartup:
> | *Folder not found*
> |
> | User shell folders Startup:
> | *Folder not found*
> |
> | User shell folders AltStartup:
> | *Folder not found*
> |
> | Shell folders Common Startup:
> | [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
> | Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
> | WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
> |
> | Shell folders Common AltStartup:
> | *Folder not found*
> |
> | User shell folders Common Startup:
> | *Folder not found*
> |
> | User shell folders Alternate Common Startup:
> | *Folder not found*
> |
> | --------------------------------------------------
> |
> | Checking Windows NT UserInit:
> |
> | [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> | UserInit = C:\WINDOWS\system32\userinit.exe,
> |
> | [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
> | *Registry key not found*
> |
> | [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> | *Registry value not found*
> |
> | [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
> | *Registry key not found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> |
> | ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
> | vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe
> | PCTVOICE = pctspk.exe
> | IgfxTray = C:\WINDOWS\system32\igfxtray.exe
> | HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
> | Hotkey = C:\WINDOWS\system32\hkeyman.exe
> | QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
> | Mizo - XP Netstats Bar = C:\PROGRA~1\Mizotec\xpnsbar.exe
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
> |
> | *No values found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
> |
> | *No values found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
> |
> | *Registry key not found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
> |
> | *Registry key not found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKCU\Software\Microsoft\Windows\CurrentVersion\Run
> |
> | *No values found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
> |
> | *Registry key not found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
> |
> | *Registry key not found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
> |
> | *Registry key not found*
> |
> | --------------------------------------------------
> |
> | Autorun entries from Registry:
> | HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
> |
> | *Registry key not found*
> |
> | --------------------------------------------------
> |