trojan? remote access??
Tuesday, December 2, 2003 at 6:40 am
Windows Me Annoyances Discussion Forum
Posted by allegro (2 messages posted)


This sucks. I think I'm being hacked/accessed. Here's my hijackthis log:

StartupList report, 12/2/2003, 6:41:44 AM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS1.9.7.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\THUNT\THGUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\WINHLP32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\THUNT\TOOLS\AUTOSTART EXPLORER\AUTOSTARTEXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\THUNT\TROJANHUNTER.EXE
C:\PROGRAM FILES\THUNT\TOOLS\PROCESS VIEWER\PROCESSVIEWER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1.9.7.EXE
C:\WINDOWS\NOTEPAD.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
Delay = C:\WINDOWS\delayrun.exe
THGuard = "C:\PROGRAM FILES\THUNT\THGUARD.EXE"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 26/11/2003, 18:6:40)

[rename]
C:\WINDOWS\SYSTEM\ssdpapi.dll=C:\WINDOWS\SYSTEM\ssdpapi.001
C:\WINDOWS\SYSTEM\ssdpsrv.exe=C:\WINDOWS\SYSTEM\ssdpsrv.001
C:\WINDOWS\SYSTEM\upnp.dll=C:\WINDOWS\SYSTEM\upnp.001

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

mscdex.exe /d:IDECD000 /L:M

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL

--------------------------------------------------
End of report, 5,906 bytes
Report generated in 0.046 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


