Marili asked:
Hacker Is Alive and Well AFTER Reformat, New Firewall, Etc....

I'm back. So is the hacker. Never left, actually. A month ago I wrote in about these people - one calls the other Sneely. (I've been out of commission, hence the delay in solving this problem.) I have followed your advice to reformat (system recovery) on Windows XP Home. It has not been successful. They are still there, in System32, and have again taken over my system boot-up password, Norton, CD-RW drive, scandisk, and the printer (probably the floppy drive, too, didn't check). I was able to get some data on CD before they found out, and printed one file. Not sure if any of it could help catch them. This all started quite a while ago, and I was the perfect victim who knew nothing.

So, before going online, I installed Zone Alarm Pro4 Firewall, Spy Subtract (this program is excellent!). Norton's firewall seems to be worthless. All my programs are up-to-date.  I am NOT on wireless, my PC is stand alone now (no roommate PC linkage for DSL), I moved my residence and now have ComCast cable (was SBC DSL at last reformat).  I was on my PC a few hours only, mainly searching through the System files, trying to get info about these people.  When I found out they were operating in System 32, that's when everything came to a halt.  

So, I learned that system recovery reformat did nothing, as all the hacker's files and programs were still there on boot up. There are a couple hundred files including notepad notes to each other about what to do.  I believe they are bootlegging software on my PC.  Found a certificate program that creates a digitally signed certificate with a date valid from 5/13/04 to 7/13/05 (I bought the PC on 8/25/03).  There is everything in there for making all kinds of programs. They have installed lots of programs I didn't buy with the PC or since:  Photo Shop, Python, Wild Tanget, Softex, FunWeb, tons of Active X's, Java, PS2,  Don't really understand why they can't do this on their own PCs - could you explain?

Why did recovery not work???  I got the usual alerts (3 times) that all data would be lost.  Not so.  I have still not re-installed any of my document files since the LAST recovery a month ago.

I have literally watched a file name change to another one while I just sat there!  This is all with NO CONNECTION TO THE INTERNET.  

I already had Adaware, Norton anti virus, Hijack This, and Spy Bot  on my PC, still there after reformat.  Why?

What I did, before going online: system recovery. Installed Zone Alarm and configured it. Installed SpySubtract and configured it. Ran Adaware, Spy Bot, HijackThis. Disabled almost every single service. They use ctfmon. Connected to the internet and proceeded to update Norton AntiVirus - it had problems doing this, probably because the hackers' pre-set programs were trying to stop it.

I found out that they change a file's name in order to make it look like a SpySubtract or other good program's component - and fooled me into accepting an active network that I can't delete with the IP address of 169.254.0.0./255.255.0.0. This was through SpySubtract, through which I was refusing access to everything I thought was bad. These people have set up programs that run themselves and anticipate and stop anything I do. They are using Remote Procedure Call and Remote Access Connection Manager, which I was unable to disable in Services.

Also, back on 7/20/04, I wrote down something that may be important:  
There were 6 logon process names:
RASMAN
K Sec DD
Winlogon\MSGina
Winlogon
LAN Manager Workstation Service
CHAP

And, received a message:
"a notification package has been loaded by the Security Account Mgr.  This package will be notified of any account or password changes.  Not. Pak Name:  scecli"
"a trusted logon process has registered with the local security authority.  Logon Processname:  Winlogon\MsGina"
"authentication package loaded - name: c:\WINDOWS\SYSTEM32\MSV1_0.dll:MICROSOFT AUTHENTICATION PACKAGE_v1_0"
Plus, 6 more additional ones were sent that I didn't write down....  (printer disabled)

What can I do now? Reformat does nothing. How can I get my PC back? I am afraid to contact the company with my service agreement because I am suspicious that they might have installed this on the PC before I even got it home. I had problems soon after purchase and I was (mostly still am) totally unknowledgeable about this stuff. Thought Norton firewall and virus and a spam program was all one needed. Ha! BestBuy sold me the PC and, dumb me, I let them install and set up the system for a mere $20. Never again. Could one of their employees be doing this???

A few possible identifying things to help find these people (all found on my PC):
The Terminator (software made by Matt Gerrans of Key Concepts, Inc)
Sleep (also by Gerrans)      DOES ANYONE KNOW OF HIM?
The URL:  http://us8.hpwis.com  (they redirected my IE to that)
RASMAN is now the administrator of my PC  (probably means nothing, just a code)
Sneely gets notebook files sent to him.
Another IP:  24.7.91.0/255.255.255./28
And another:  169.254.0.0./255.255.0.0
redirected home page:  www.microsoft.com/isapi/redir.dll?prd=ie8clcid=0x0409&pver=6.0&ar=home

I have 100 or so files saved on a CD. No idea what, I was saving as fast as I could anything I could.  I can look later when don't have to PAY to be online at Kinkos.  

I have one 36-page file called ims, saved on CD and printed out.  Here is a sample of this file:
"the list of shared files to uninstall in the event of remove all or uninstalling the last component..."
"Sneely, uninstall obsolete files"
"this is a section containing all the destination directories" (with list following)
"[k2.  iis_smtp_k2_files_mail_docs], with long list of gif and html files such as: xmo_10.gif, moc04_31.htm, refwelcm.htm, smtpcfg.hlp"
"This is a section containing all the registry to metabase operations. The format of the parameters are as follows: (with long list following this)"
"This section contains a list of all controls that have to be registered.....files like:
%_INETSRV%\smtpadm.dll"

"sneely: changed to add media strings here.  Note that [strings] must be the last section in this file
cdname = "windows XP Home Edition CD-ROM"
productname = "Windows XP Home Edition"
bootname1 = "Windows XP Home Edition SP1 Setup Boot Disk"
etc...etc...

I could print out some of the other files I have on CD.  Should I do this?  Any possible hope of getting these people?  I am so pissed.  There must be a way!

Sorry for the very long message - was trying to give as much info as possible and also perhaps some will learn something from this mess.  I want my PC back.  What do you recommend?

P.S.  SpySubtract kicks butt.  I highly recommend it.  Sorry, folks, but Adaware didn't help me too much.  And Zone Alarm firewall appears to leave Norton in the dust.

Thanks once again for all that you can do to help.  
Li
SOLUTION by rossfingal (only available to Experts Exchange members)
kenfcamp
> This is all with NO CONNECTION TO THE INTERNET.  

Does this mean you were not on a website, or that your computer was not connected, period?

What type of connection do you have?

If broadband/DSL is there a phone line plugged into your modem?

When this happens, and "IF" there is a phone line connected to your PC , plug the line into a phone and do a *66 and see if you can get a number. But only "after" it happens, or is happening.
Additionally, I'd also run netstat to grab any connection information available.
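As an added example (not part of kenfcamp's reply, and not code from any tool named in this thread), this Python script does the netstat step offline: it parses constructed `netstat -ano` output (the `-o` column is the owning PID), joins each PID to a hypothetical process-name mapping, separates peers that cannot be a remote party (0.0.0.0, loopback, the 169.254.0.0/16 link-local range Windows assigns itself when no DHCP server answers, and the RFC 1918 private ranges) from genuinely public ones, and lists the sockets that accept traffic from the network. The sample rows, addresses, PIDs and process names are invented for the example.

```python
import ipaddress

# Constructed sample of "netstat -ano" output in the Windows XP format (the last column
# is the owning PID). Addresses and PIDs are invented for this example, not from the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:1034         127.0.0.1:1035         ESTABLISHED     1580
  TCP    169.254.23.7:139       0.0.0.0:0              LISTENING       4
  TCP    172.16.5.20:1056       203.0.113.45:80        ESTABLISHED     2240
  TCP    172.16.5.20:1071       198.51.100.9:6667      ESTABLISHED     3104
  UDP    0.0.0.0:445            *:*                                    4
  UDP    172.16.5.20:1072       *:*                                    3104
"""

# Hypothetical PID -> image name mapping, as Task Manager's PID column would show it
# at the same moment the netstat output was taken.
SAMPLE_TASKLIST = {4: "System", 932: "svchost.exe", 1580: "localproxy.exe",
                   2240: "iexplore.exe", 3104: "updsvc32.exe"}

# Address ranges that never identify a remote party. 169.254.0.0/16 is the APIPA
# link-local range (RFC 3927) that Windows assigns itself when no DHCP server answers.
LOCAL_RANGES = [
    ("unspecified", ipaddress.ip_network("0.0.0.0/32")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
]


def classify_host(host):
    """Label an IP literal as local-only or public; '*' and '' mean there is no peer."""
    if host in ("*", ""):
        return "none"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "unknown"
    for label, net in LOCAL_RANGES:
        if addr in net:
            return label
    return "public"


def split_endpoint(endpoint):
    """'203.0.113.45:80' -> ('203.0.113.45', '80'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({
            "proto": parts[0],
            "local": parts[1],
            "foreign": parts[2],
            "state": parts[3] if len(parts) == 5 else "",  # UDP rows carry no state column
            "pid": int(parts[-1]),
        })
    return rows


def remote_connections(text, tasklist):
    """Rows whose peer is a public address, joined to the owning process name."""
    findings = []
    for row in parse_netstat(text):
        host, port = split_endpoint(row["foreign"])
        if classify_host(host) == "public":
            findings.append({**row, "peer_host": host, "peer_port": port,
                             "image": tasklist.get(row["pid"], "<pid not in tasklist>")})
    return findings


def listening_sockets(text, tasklist):
    """Sockets reachable from the network: TCP LISTENING or any UDP bind not on loopback."""
    result = []
    for row in parse_netstat(text):
        host, _ = split_endpoint(row["local"])
        accepts = row["state"] == "LISTENING" or row["proto"] == "UDP"
        if accepts and classify_host(host) != "loopback":
            result.append((row["proto"], row["local"],
                           tasklist.get(row["pid"], "<pid not in tasklist>")))
    return result


if __name__ == "__main__":
    for f in remote_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{f['proto']} {f['local']} -> {f['foreign']} {f['state']} pid={f['pid']} {f['image']}")
    for proto, local, image in listening_sockets(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"listening: {proto} {local} ({image})")
```

On the XP box itself the input would come from `netstat -ano > netstat.txt` run while the disk light is busy, and the PID column can be matched to a process in Task Manager (View > Select Columns > PID). Anything that lands in the public list is worth writing down with its PID and image path before rebooting, because the mapping is gone once the process exits.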
SOLUTION (only available to Experts Exchange members)
Alien3

I would suggest you do a real format from the boot disk and do not ever connect to the internet till you have applied all patches and a firewall.
 

I think you were infected by some worms or viruses.  

Marili (ASKER)

Thank you, first of all, for the compassion. I appreciate it very much. It helps dry up a few of the tears. I feel so helpless at this point, I have tried everything and I don't understand why this is happening when everyone I talk to seems to think it is impossible. However, now I get a white screen, I can right click on it to do a few measly things, both CD drives are totally dysfunctional, was able to load only one CD - Zone Alarm, before they disabled everything, worse than before. They have control of Zone Alarm - the buttons are "lightened" and unclickable.

I was and still am 100% guaranteed disconnected from the internet - the electrical connection and the other one into the modem - both unhooked, lying on the floor. My service is with ComCast cable. No DSL, no dialup, I don't even have a phone line into my place! I reformatted using the 6 CDs I made after I bought the PC (it didn't come with any). It took about an hour to do this. All my stuff was gone. But not these guys, they have preprogrammed programs HIDING somewhere on my PC.

COULD THEY BE IN DRIVE D?  

They then proceeded to disable my RW drive so I can't install any other spy programs, nor can I install my internet provider CD - so I can't even go online if I wanted to.  

What I don't get is....they can't go online either....right? .... so they are doing "all this stuff" on my PC, waiting for me to go online, so they can download it - even if they have to wait for months, or forever.  It makes no sense to me either.  But believe me, I am not imagining what is happening.  

Is it possible for them to get their stuff from my PC remotely, without internet?  This is what seems to be the case.

rossfingal, I have no idea how to do the low level format idea, I'm sure to mess that up badly.  Scares me.  

QUESTION: Even though I was blocked from doing this, if I could have, how am I supposed to apply the patches and virus updates WITHOUT GOING ONLINE?? The minute I do, even if a miracle occurs to lose these guys, won't they just be right back? Doesn't Microsoft have to be on your computer to figure out what updates you need?

QUESTION:  Can I reformat Drive D?  Also, could my PC have been infected from the place I bought it?

QUESTION:  Would it be cheaper to buy a new harddrive?  Do I have to buy two?  One for C and one for D?  Would this get rid of them for sure?  Except that I wouldn't have an operating system, right?  It seems like my computer is just garbage...

Thanks for your help.  

Li
 



SOLUTION (only available to Experts Exchange members)

SOLUTION (only available to Experts Exchange members)

ASKER CERTIFIED SOLUTION (only available to Experts Exchange members)
Has this worked? Did this solution fix your problem?
Do you need any more help on this? Did my solution work for you? Were any of the apps infected?
Marili (ASKER)

Scorp888, this is an excellently-written, detailed plan.  I'm so sorry to be so long in responding, please don't think I'm a total flake.  I had to move twice in 2 months (is that absurd or what?) my father is dying and have to help my mom.  And been waiting for 4 weeks for new CDs from HP that NEVER ARRIVED, still haven't.

Finally found out the problem - my restore CDs were corrupt - I made them 3 days after bought the PC.  The trojans got in fast. Had Norton virus and firewall loaded AT THE STORE where I bought it.  Grrr!  

Recently a trusted source gave me a pirated CD, and at this point, what the h--l else am I to do? I completely reformatted drives C and D and then installed it on C. It was nice and clean and wonderful - for a few days.

I might still have to use your instructions because this stupid virus/trojan/hacker is back!  I think I might really be insane now.

The way I know, but want to be sure and check with you, is that the light is flashing like crazy ALL THE TIME, when I'm doing nothing.  Some flashes are really bright, and also makes the noises that you hear when telling PC to do something.  That is not normal, right??

I printed Hijack This and the Faber Toys reports below.
What I did:  formatted C and D; installed Windows XP with SP2.  Looked at the Program, System, and System 32 files to see what was there and hopefully NOT there.  Was way less stuff than before and seemed clean.  Installed Zone Alarm Firewall; Norton firewall and virus; Adaware; Spy Subtract; PC Powerwash.
Configured to max security on all and ran them all.  Hooked up printer and installed MS Word.  Installed horrible AOL via free CD to get online, installed Norton virus updates(lots) and Microsoft updates(few)  Ordered DSL service (will be hooked up Oct 6)
Checked Windows firewall, it works fine.  Seems to be no problem with 2 firewalls.  Someone told me they have 2 with no prob.  Downloaded Hijack this and Faber Toys.  Heard IE was bad, so downloaded Opera, but haven't been able to get it to work.  Cleaned up services a lot via run/services.msc (per blackviper.com's XP configurations for happier computer user).  I have not loaded any documents or CDs that I burned, only purchased CDs except the XP.  I think that's it.  Been going online with AOL dialup.  Not using IE.

Do you think I need to reformat and re-install again?   What is hphmon04.exe? It's always on with a bright green light icon.  Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 2:47:08 PM, on 10/2/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PCPOWE~1\PopUpKiller.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\PCPOWE~1\PopUp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\PCPOWE~1\PopUpKiller.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D368B08F-13EF-414A-88B9-E86496AD44CD}: NameServer = 198.81.17.4
....

File generated by FABER TOYS (Version 2.6 - Build 50)
Date: Saturday, October 02, 2004 - 1:24:49 PM
Program created by Faber
--------------------------------------------------------------------------------
Dependencies of winlogon.exe - Memory: 10.69 MB - Priority: High
Windows NT Logon Application
Version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
(C:\WINDOWS\system32\winlogon.exe)
--------------------------------------------------------------------------------

69 Modules loaded by winlogon.exe
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name                                                                                                               Date      Size      ActiveX  Version                                     Description
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
C:\WINDOWS\system32\ADVAPI32.dll                                                                                   8/3/2004  602.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Advanced Windows 32 Base API
C:\WINDOWS\system32\Apphelp.dll                                                                                    8/3/2004  124 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Application Compatibility Client Library
C:\WINDOWS\system32\AUTHZ.dll                                                                                      8/3/2004  55.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Authorization Framework
C:\WINDOWS\system32\Cabinet.dll                                                                                    8/3/2004  58.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft® Cabinet File API
C:\WINDOWS\system32\CLBCATQ.DLL                                                                                    8/3/2004  489.5 KB  Yes      2001.12.4414.258                            
C:\WINDOWS\system32\COMCTL32.dll                                                                                   8/3/2004  597 KB    No       5.82 (xpsp_sp2_rtm.040803-2158)             Common Controls Library
C:\WINDOWS\system32\comdlg32.dll                                                                                   8/3/2004  270.5 KB  No       6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Common Dialogs DLL
C:\WINDOWS\system32\COMRes.dll                                                                                     8/3/2004  773.5 KB  No       2001.12.4414.258                            
C:\WINDOWS\system32\CRYPT32.dll                                                                                    8/3/2004  583.5 KB  No       5.131.2600.2180 (xpsp_sp2_rtm.040803-2158)  Crypto API32
C:\WINDOWS\system32\cscdll.dll                                                                                     8/3/2004  99.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Offline Network Agent
C:\WINDOWS\system32\cscui.dll                                                                                      8/3/2004  319 KB    Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Client Side Caching UI
C:\WINDOWS\system32\DNSAPI.dll                                                                                     8/3/2004  145 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    DNS Client API DLL
C:\WINDOWS\system32\GDI32.dll                                                                                      8/3/2004  271.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    GDI Client DLL
C:\WINDOWS\system32\IMAGEHLP.dll                                                                                   8/3/2004  141 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT Image Helper
C:\WINDOWS\system32\iphlpapi.dll                                                                                   8/3/2004  92.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    IP Helper API
C:\WINDOWS\system32\kernel32.dll                                                                                   8/3/2004  960.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT BASE API Client DLL
C:\WINDOWS\system32\MPR.dll                                                                                        8/3/2004  58.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Multiple Provider Router DLL
C:\WINDOWS\system32\MSASN1.dll                                                                                     8/3/2004  56 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    ASN.1 Runtime APIs
C:\WINDOWS\system32\MSGINA.dll                                                                                     8/3/2004  971 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT Logon GINA DLL
C:\WINDOWS\system32\msv1_0.dll                                                                                     8/3/2004  126.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft Authentication Package v1.0
C:\WINDOWS\system32\MSVCP60.dll                                                                                    8/3/2004  404 KB    No       6.02.3104.0                                 Microsoft (R) C++ Runtime Library
C:\WINDOWS\system32\msvcrt.dll                                                                                     8/3/2004  335 KB    No       7.0.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT CRT DLL
C:\WINDOWS\system32\NDdeApi.dll                                                                                    8/3/2004  17.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Network DDE Share Management APIs
C:\WINDOWS\system32\NETAPI32.dll                                                                                   8/3/2004  324.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Net Win32 API DLL
C:\WINDOWS\system32\ntdll.dll                                                                                      8/3/2004  691.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    NT Layer DLL
C:\WINDOWS\system32\NTDSAPI.dll                                                                                    8/3/2004  65.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    NT5DS
C:\WINDOWS\system32\NTMARTA.DLL                                                                                    8/3/2004  116 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT MARTA provider
C:\WINDOWS\system32\ODBC32.dll                                                                                     8/3/2004  244 KB    No       3.525.1117.0 (xpsp_sp2_rtm.040803-2158)     Microsoft Data Access - ODBC Driver Manager
C:\WINDOWS\system32\odbcint.dll                                                                                    8/3/2004  92 KB     No       3.525.1117.0 (xpsp_sp2_rtm.040803-2158)     Microsoft Data Access - ODBC Resources
C:\WINDOWS\system32\ole32.dll                                                                                      8/3/2004  1.2 MB    Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft OLE for Windows
C:\WINDOWS\system32\OLEAUT32.dll                                                                                   8/3/2004  540.5 KB  Yes      5.1.2600.2180                              
C:\WINDOWS\system32\PROFMAP.dll                                                                                    8/3/2004  27 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Userenv
C:\WINDOWS\system32\PSAPI.DLL                                                                                      8/3/2004  22.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Process Status Helper
C:\WINDOWS\system32\RASAPI32.dll                                                                                   8/3/2004  231 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Remote Access API
C:\WINDOWS\system32\rasman.dll                                                                                     8/3/2004  60 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Remote Access Connection Manager
C:\WINDOWS\system32\REGAPI.dll                                                                                     8/3/2004  48.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Registry Configuration APIs
C:\WINDOWS\system32\RPCRT4.dll                                                                                     8/3/2004  567.5 KB  Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Remote Procedure Call Runtime
C:\WINDOWS\system32\rsaenh.dll                                                                                     8/3/2004  149 KB    Yes      5.1.2600.2161 (xpsp.040706-1629)            Microsoft Enhanced Cryptographic Provider
C:\WINDOWS\system32\rtutils.dll                                                                                    8/3/2004  43 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Routing Utilities
C:\WINDOWS\system32\SAMLIB.dll                                                                                     8/3/2004  62.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    SAM Library DLL
C:\WINDOWS\system32\Secur32.dll                                                                                    8/3/2004  54.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Security Support Provider Interface
C:\WINDOWS\system32\SETUPAPI.dll                                                                                   8/3/2004  960.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Setup API
C:\WINDOWS\system32\sfc.dll                                                                                        8/3/2004  5 KB      No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows File Protection
C:\WINDOWS\system32\sfc_os.dll                                                                                     8/3/2004  137 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows File Protection
C:\WINDOWS\system32\SHELL32.dll                                                                                    8/3/2004  8.0 MB    Yes      6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Windows Shell Common Dll
C:\WINDOWS\system32\SHLWAPI.dll                                                                                    8/3/2004  462.5 KB  No       6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Shell Light-weight Utility Library
C:\WINDOWS\system32\SHSVCS.dll                                                                                     8/3/2004  131.5 KB  Yes      6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Windows Shell Services Dll
C:\WINDOWS\system32\sxs.dll                                                                                        8/3/2004  696.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Fusion 2.5
C:\WINDOWS\system32\TAPI32.dll                                                                                     8/3/2004  177.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft® Windows(TM) Telephony API Client DLL
C:\WINDOWS\system32\USER32.dll                                                                                     8/3/2004  563.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows XP USER API Client DLL
C:\WINDOWS\system32\USERENV.dll                                                                                    8/3/2004  706.5 KB  Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Userenv
C:\WINDOWS\system32\uxtheme.dll                                                                                    8/3/2004  213.5 KB  No       6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Microsoft UxTheme Library
C:\WINDOWS\system32\VERSION.dll                                                                                    8/3/2004  18.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Version Checking and File Installation Libraries
C:\WINDOWS\system32\wbem\fastprox.dll                                                                              8/3/2004  461 KB    Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    WMI
C:\WINDOWS\system32\wbem\wbemcomn.dll                                                                              8/3/2004  209.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    WMI
C:\WINDOWS\system32\wbem\wbemprox.dll                                                                              8/3/2004  18.5 KB   Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    WMI
C:\WINDOWS\system32\wbem\wbemsvc.dll                                                                               8/3/2004  42.5 KB   Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    WMI
C:\WINDOWS\system32\WINMM.dll                                                                                      8/3/2004  172 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    MCI API DLL
C:\WINDOWS\system32\WINSCARD.DLL                                                                                   8/3/2004  97 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft Smart Card API
C:\WINDOWS\system32\WINSPOOL.DRV                                                                                   8/3/2004  143 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Spooler Driver
C:\WINDOWS\system32\WINSTA.dll                                                                                     8/3/2004  52.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Winstation Library
C:\WINDOWS\system32\WINTRUST.dll                                                                                   8/3/2004  172.5 KB  Yes      5.131.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Trust Verification APIs
C:\WINDOWS\system32\wldap32.dll                                                                                    8/3/2004  168 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Win32 LDAP API DLL
C:\WINDOWS\system32\WlNotify.dll                                                                                   8/3/2004  90.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Common DLL to receive Winlogon notifications
C:\WINDOWS\system32\WS2_32.dll                                                                                     8/3/2004  81 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Socket 2.0 32-Bit DLL
C:\WINDOWS\system32\WS2HELP.dll                                                                                    8/3/2004  19.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Socket 2.0 Helper for Windows NT
C:\WINDOWS\system32\WTSAPI32.dll                                                                                   8/3/2004  18 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Terminal Server SDK APIs
C:\WINDOWS\system32\xpsp2res.dll                                                                                   8/3/2004  2.8 MB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Service Pack 2 Messages
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll  8/3/2004  1.0 MB    No       6.0 (xpsp_sp2_rtm.040803-2158)              User Experience Controls Library


MODULES NOT LISTED ABOVE
--------------------------------------------------------------------------------
C:\WINDOWS\system32\winlogon.exe

Hi! Marili

Sorry to hear about your father - been through that.
What can I say?!?

This line shows that you've got Msconfig going under what's called "Selective Startup" -
run Msconfig and choose "Normal" startup, reboot then -
post a new HJT log  
This line  ->  O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
So we can see what's really going on (hopefully!)
Any questions - just ask.

Regards..
RF
Oops - that might be "Diagnostic Startup"??!!
Marili (asker):

Here is my Hijack This run after changing startup.  The light on the PC runs ALL THE TIME, when I am doing nothing.  I didn't request Java, Quicktime qt task, messenger, spool\drivers\hpztsbo7, hphmon04 to run.  Towards the end is extra button CD67F990-D8E9.  What is THAT?  I thought I turned messenger off.

Logfile of HijackThis v1.98.2
Scan saved at 6:39:17 PM, on 10/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\PCPOWE~1\PopUpKiller.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\PCPOWE~1\PopUp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\PCPOWE~1\PopUpKiller.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D368B08F-13EF-414A-88B9-E86496AD44CD}: NameServer = 198.81.17.4
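
As an added triage example (not code from this thread or from HijackThis itself), a small Python parser over the line shapes in the log above: it pulls out the O4 Run-key autoruns, flags the MSConfig /auto entry that RF's reply describes as the sign of a non-Normal (Selective/Diagnostic) startup, and lists O9 buttons whose target is "(no file)" plus any O17 NameServer override; the sample lines are constructed copies of lines from the log, and the `triage`/`exe_path` helpers are assumptions of this example.

```python
"""Triage a HijackThis log. Added example, not part of the thread or of HijackThis:
it lists O4 Run-key autoruns, flags the MSConfig /auto entry that means a non-Normal
(Selective/Diagnostic) startup, and reports O9 '(no file)' buttons and O17 NameServers."""
import re

# Constructed sample: lines in the same shape as the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D368B08F-13EF-414A-88B9-E86496AD44CD}: NameServer = 198.81.17.4
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O9_EXTRA = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.+?) - "
                      r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<ns>[\d.,]+)$")


def exe_path(cmd):
    """Return just the executable from a Run-key command (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Bare path: cut at the first ' /' or ' -' switch, if there is one.
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def triage(log):
    """Return a dict of findings for one HijackThis log text."""
    findings = {"selective_startup": False, "autoruns": [], "dangling": [], "nameservers": []}
    for line in log.splitlines():
        if m := O4_RUN.match(line):
            findings["autoruns"].append((m["hive"], m["name"], exe_path(m["cmd"])))
            # Per RF's reply above: this entry appears only under Selective/Diagnostic Startup.
            if m["name"].lower() == "msconfig" and "/auto" in m["cmd"]:
                findings["selective_startup"] = True
        elif m := O9_EXTRA.match(line):
            if m["target"] == "(no file)":  # HijackThis's own marker for a missing target
                findings["dangling"].append((m["name"], m["clsid"]))
        elif m := O17_DNS.match(line):
            findings["nameservers"].extend(m["ns"].split(","))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against a saved HijackThis log (`triage(open("hijackthis.log").read())`) to get the same summary for the full file; the dangling-button CLSIDs are what to look up, not something to delete blindly.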

Good to hear you're back online, sorry to hear about your problems.

Ok, it sounds like you've done the first part of my suggestion.

Have you done a system restore (save) so you can go back to that if things don't work out? That would be my next suggestion.

Also when you say flashing light, what exactly do you mean, on your screen, or a light on the pc?
Marili (asker):

Hi again, and thanks.  I was thinking, this is getting very long and drawn out, should I start a new question so I can give you the points?

Haven't done system save, I will try to do that.  The partitions got changed, not sure if I know how to now.  The light is on the PC (it's orange) not the screen.  The light that indicates the PC is "doing something."

What did you think of the HijackThis file?

I'm barely online - actually not really.  The AOL is giving me major problems and almost never will go to the website I want.  I'm losing my time at the library...bye
Ok.

If the problems are not related to your original question, or are fairly specific, then I'd ask them as separate questions.

If you feel that they are still under your original question, then ask away here.