Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 4 of 4 Posts

· Registered
Joined
·
17 Posts
Discussion Starter · #1 ·
i can generate a list of my ports and what has access to them as it stands now, but i am not sure if it would help. programs i guess assorted with various ports on my system.

it does have some suspicous looking things on, at least they look that way to me.

any idea what and how to get rid of?

thnks for any help.

Common Name

Master Paradise

DeepThroat

Dmsetup

FC Infector

RASmin

Stealth Spy

Bla, Attack FTP

Dark Shadow

DeepThroat

Silencer

Doly

Doly

Doly

Doly

Netspy

Unused Windows Services Block

Unused Windows Services Block

Unused Windows Services Block

Unused Windows Services Block

Unused Windows Services Block

Unused Windows Services Block

Bla

RASmin

Extreme

Ultor's

Backdoor/SubSeven

FTP99CMP

Shiva Burka

Spy Sender

ShockRave

Backdoor/SubSeven, TransScout

TransScout, Remote Explorer

TransScout, Trojan Cow

TransScout

TransScout

TransScout

TransScout

Trojan Ripper

Bugs

DeepThroat

Striker

WinCrash

Backdoor/SubSeven

SubSeven 2.1/2.2

Phinneas Phucker

WinCrash

Master Paradise

DeepThroat

Portal of Doom

WinCrash

SubSeven 2.1/2.2

Filenail

Sokets de Trois v1.

Sokets de Trois v1.

FireHotcker

Blade Runner

Blade Runner

Blade Runner

SERV-Me

BO-Facil

BO-Facil

Robo-Hack

WinCrash

'The Thing'

DeepThroat

DeepThroat

Backdoor/SubSeven

Indoctrination

GateCrasher, Priority

GateCrasher

Remote Grab

Backdoor/SubSeven

NetMonitor

NetMonitor

NetMonitor

NetMonitor

NetMonitor

QaZ

ICKiller

Portal of Doom

Portal of Doom

Portal of Doom

Portal of Doom

iNi Killer

Portal of Doom

Portal of Doom

Acid Shivers

COMA

Senna Spy

Progenic

GJammer

Keylogger

NetBus

NetBus

Whack-a-Mole

Whack-a-Mole

Whack-a-Mole

WhackJob

Senna Spy

SubSeven DEFCON8 2.1

NetBus

GirlFriend

Proziack

EvilFTP, UglyFTP

Donald Dick

Donald Dick

Delta Source

SubSeven 2.1/2.2

NetSphere

NetSphere

NetSphere

Back Orifice 2000

Hack 'A' Tack

Hack 'A' Tack

Hack 'A' Tack

Hack 'A' Tack

Hack 'A' Tack

Hack 'A' Tack

Master Paradise

Master Paradise

Master Paradise

Master Paradise

Master Paradise

Backdoor/SubSeven

Back Orifice 2000

Back Orifice 2000

DeepThroat
 

· Registered
Joined
·
9,520 Posts
http://forums.techguy.org/t110854.html

Post your HijackThis log.

Do this:
go to http://www.lurkhere.com/~nicefiles/ , and download 'Hijack This!'.....
Unzip it to its own folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post.

;)
 

· Registered
Joined
·
17 Posts
Discussion Starter · #4 ·
My HijackThis log is nice and purty clean like,at least for the most part, the things i listed above are somehow attached to my ports, i was wondering how i might find out where and what they are, i also have the port number to which each is attached.

some of them don't look to nice by the name, and if i could find out what, where, and how to get rid of it might be nice, or they might be harmless, since i have cleaned for spyware and adware and such.

just to put fears about my HijackThis log to rest here it is.

Logfile of HijackThis v1.97.7
Scan saved at 10:36:00 AM, on 4/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\AdSubtract\adsub.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Kazaa Lite Resurrection\kazaalite.kpp
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mark Johnson\Desktop\anti crap\HighjackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\copied\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.6413310185
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
 
1 - 4 of 4 Posts
Status
Not open for further replies.
Top