Hijacked???

Thread: Hijacked???

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    95

    Hijacked???

    Hello Everyone,
    I'm having a strange problem... I'm on dial-up, running Windows XP. I have Norton Virus scan and I keep my definitions constantly updated... Yet I noticed something a little strange today. Whenever I turn my computer on, it automatically tries to dial to the net... And it looks like a VB app that is trying to access the net. Also, whenever I connect to the net, I get on average 2 pop-ups every time I open a new internet window.. or whenever the net is open for longer than approximately 10 mins :S I just did a Symantec online virus scan and it found nothing... I also ran the freeware version of AdAware, and it found nothing but the usual cookies. I'm a little nervous about this problem now... Am I being hijacked??? Or is it just spyware? I've included a screen shot to show exactly what happens when I boot up my computer... I hope this helps to solve the problem.
    Please help! I need a solution fast

    Thanks, your input is much appreciated

  2. #2
    You forgot the screenshot, and post a "hijack this!" log for us to check out.

  3. #3
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    It's late, I should be in bed. So rather than go through the try this, try that routine, I'm just going to say read this thread.
    http://www.antionline.com/showthread...hreadid=257183
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #4
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Turmoil, I would suggest following Soda's advice and downloading HiJack This and posting the results, as many people here are quite adept at translating all that garble into English.
    If you want to learn more about what HiJack entries mean, you can read over the HiJack Tutorial

    In addition to that, I would maybe recommend finding some freeware here or here that monitors your network traffic (an IDS and/or Firewall) and log it. This would help because you could see what ports and protocols this potentially malicious program is using.

    Lastly, I noticed you made no mention of a Trojan Scan. I would also recommend getting a trojan scanner like The Cleaner and performing a trojan scan. This product is only a trial version for 30 days, but you can at least get an idea if you have a trojan or not.

    Hopefully one of these can help you narrow down exactly what's going on.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #5
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Whenever I turn my computer on, it automatically tries to dial to the net...
    You have a program or application that is trying to access the internet. This could be the work of a virus, trojan, or just an application that you use regularly.
    Do you have an IM like AIM, Yahoo, or Windows Messenger that starts when you open Windows? Do you have an antivirus program that is set to auto update?
    Anything that you have set to automatically update or run when you open Windows could be the cause.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  6. #6
    Junior Member
    Join Date
    May 2004
    Posts
    7
    Run a scan with "SpyBot: Search and Destroy" (http://security.kolla.de/)

    What AdAware doesn't pick up, SpyBot will, and vice versa... however, uninstall AdAware before installing SpyBot, as they don't like each other :P, and I'm assuming that you have the latest AdAware reference file?

    If that doesn't do anything, check the "Add/Remove Programs" section in the control panel, and check for anything unusual that you didn't install on the system. Does anyone else use the system? If so, check if anyone has sent them programs through MSN, or any other chat client... remembering that whilst you're transferring a file over any IM program, you're directly connected to someone, so they can get your IP (if you're not running through a proxy of some sort, or a firewall)..

    Oh yeah, also install a firewall (SyGate is a good all rounder).. if you're getting any incoming or outgoing connections that don't look sus (anything apart from the Internet, don't allow MSN or anything else AS YET), find the program, and get a copy of Norton System Works, and run the "Norton Uninstall" utility that comes with it.

    If that fails, resort to the simplest method... go to Start->Run->*type in* "msconfig", and wait for a window to open. Then click on the "Startup" tab, and click the button "Disable All". If you install Norton, remember to re-check "ccApp" after clicking "Disable All", as "ccApp" is Norton Auto-Protect.

    Albeit, if you still have the problem after doing all of that, and it's not killing your system or lagging you to unbearable consequences, you have 2 choices.

    a. Format your PC - A drastic, but 99.9% guaranteed way to kill the problem
    b. Leave it be - If it's not dangerous, and you're not getting abnormal connections through your firewall, don't worry about it.

    -Kez

  7. #7
    Member
    Join Date
    Feb 2003
    Posts
    95

    Thanks

    Thanks soo much for the ideas guys! I've just downloaded HijackThis, and I'm finishing Spy Bot S&D. It's taking an awful long time on dial-up though.

    I'll post my results from HiJackThis as soon as I get them!
    Why does AdAware malfunction when SpyBotS&D is running as well? I find that kinda odd...
    Oh well, I hope this helps


    Thanks again!
    ----------------------EDIT------------------------------------------------------------
    Ok, I just finished scanning with HiJackThis... and whoever said that you needed an interpreter to understand the logs was correct. As far as I can see... all these are services running in the background, but I'm not sure if any of them are bad.

    //May 18/04 Log//
    Logfile of HijackThis v1.97.7
    Scan saved at 10:13:36 PM, on 5/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\pxroutei.exe
    C:\WINDOWS\System32\gmtapim.exe
    C:\WINDOWS\System32\pphelpa.exe
    C:\WINDOWS\System32\api32t.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Dee Bartens\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem216.dll
    O2 - BHO: (no name) - {FBED6A02-71FB-11D8-86B0-0002441A9695} - C:\WINDOWS\5_0_1browserhelper5.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [pxroutei] C:\WINDOWS\System32\pxroutei.exe
    O4 - HKLM\..\Run: [gmtapim] C:\WINDOWS\System32\gmtapim.exe
    O4 - HKLM\..\Run: [pphelpa] C:\WINDOWS\System32\pphelpa.exe
    O4 - HKLM\..\Run: [api32t] C:\WINDOWS\System32\api32t.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...930.5707175926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C9B26521-D693-4B2E-A9CF-11F297BADC5D}: NameServer = 216.113.192.3 216.113.192.4

    Thanks again!
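
A small triage pass over a HijackThis log like the one posted above, added here as an example and not part of the original thread. The function names and the review heuristics are illustrative assumptions, not HijackThis's own logic; they only pick out entries for a manual look (missing target file, unnamed browser helper object, autorun started through rundll32, DNS servers set in the registry).

```python
import re

# Subset of lines from the log posted above, in HijackThis's "code - text" layout.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\svchost.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9B26521-D693-4B2E-A9CF-11F297BADC5D}: NameServer = 216.113.192.3 216.113.192.4
"""

# A section-coded entry starts with a letter, one or two digits, then " - ".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<text>.+)$")

def parse_entries(log):
    """Return (code, text) pairs; the header and process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("text")))
    return entries

def review_reasons(code, text):
    """Hypothetical heuristics: reasons an entry deserves a manual look."""
    reasons = []
    if "(no file)" in text:
        reasons.append("target file is missing")
    if code == "O2" and text.startswith("BHO: (no name)"):
        reasons.append("unnamed browser helper object")
    if code == "O4" and re.search(r'\]\s*"?rundll32(\.exe)?\b', text, re.I):
        reasons.append("autorun loads a DLL through rundll32")
    if code == "O17":
        reasons.append("DNS servers set in registry; confirm they are the ISP's")
    return reasons

def triage(log):
    """Map each entry that needs review to the list of reasons it was picked."""
    flagged = {}
    for code, text in parse_entries(log):
        reasons = review_reasons(code, text)
        if reasons:
            flagged[f"{code} - {text}"] = reasons
    return flagged

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```
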

  8. #8
    Senior Member
    Join Date
    May 2002
    Posts
    143
    Turmoil -
    I just wanted to add a quick note on the advice Kez posted regarding uninstalling AdAware before running SpyBot . . . IT IS NOT NECESSARY! Run the programs in Safe Mode - you should have no problem. If you activate the ActiveX and IE download blocker 'extra settings' for SpyBot, AdAware picks them up as "problems". If you choose to "ignore them" in AdAware - they no longer show up as current 'problem items' - but 'ignored items', which is what you want. Check out the threads for hijacking, hacked, start page, etc. and you will find even more great advice (especially posts by nihil). Good luck and pleasant hunting.

    V.
    All truths are easy to understand once they are discovered; the point is to discover them. What lies behind us and what lies before us are tiny matters compared to what lies within us.

  9. #9
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Originally posted here by moxnix
    You have a program or application that is trying to access the internet. This could be the work of a virus, trojan, or just an application that you use regularly.
    Do you have an IM like AIM, Yahoo, or Windows Messenger that starts when you open Windows? Do you have an antivirus program that is set to auto update?
    Anything that you have set to automatically update or run when you open Windows could be the cause.
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    Do you have an IM like AIM, Yahoo, or Windows Messenger that starts when you open Windows?
    And your original question --
    Yet I noticed something a little strange today. Whenever I turn my computer on, it automatically tries to dial to the net...
    Does that answer your question?

    Edit> You don't run AdAware and Spy bot S&D at the same time. You run them one after the other.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  10. #10
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Most obvious thing is it looks like your HP printer is trying to check for updated software.............HPWuschd2.

    I would let it have a go then go into your printer management software and turn it off. Updates for that sort of thing are not frequent, use resources and do not contribute to system stability.

    cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
