Discussion Starter · #1 ·
My computer is going really slow and I do not have any anti-virus protection, so I ran a HijackThis thing and this is what came up.

Logfile of HijackThis v1.97.7
Scan saved at 4:57:11 PM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37613.3968287037
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx

Is there anything wrong with it, and is there anything there that I do not need? I don't know if I have any keyloggers, viruses, or trojans, so can anyone help me? Thanks. :up:
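A defender reading a HijackThis log usually wants three things pulled out of it: what is running, what is set to auto-start (the O4 Run entries), and which downloaded ActiveX controls (the O16 DPF entries) no longer have a recorded source URL and so have to be identified by CLSID. The Python below is an added example, not code from this thread or from HijackThis itself. It parses a subset of the v1.97.7 log posted above (copied verbatim as the sample input) with regular expressions written for that line format; the "trusted directory" list used to flag processes is a heuristic assumption of this example, not a rule HijackThis applies.

```python
import re
from dataclasses import dataclass

# Sample input: a subset of the HijackThis v1.97.7 log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 4:57:11 PM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


@dataclass
class Entry:
    code: str  # section code such as "R0", "O2", "O4", "O16"
    body: str  # everything after "<code> - "


# "O4 - <body>", "R3 - <body>", ...
SECTION_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 body: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# O16 body: DPF: {CLSID} (optional name) - optional source URL
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? -\s*(.*)$")

# Heuristic assumption of this example: image paths outside these trees get a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, section entries)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = SECTION_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def autostart_entries(entries):
    """(hive, key, name, command) for every O4 Run entry."""
    out = []
    for e in entries:
        if e.code == "O4":
            m = O4_RE.match(e.body)
            if m:
                out.append(m.groups())
    return out


def dpf_without_source(entries):
    """CLSIDs of O16 entries whose source URL is blank (the log shows just ' -')."""
    out = []
    for e in entries:
        if e.code == "O16":
            m = O16_RE.match(e.body)
            if m and not m.group(3):
                out.append(m.group(1))
    return out


def processes_outside_trusted_dirs(processes):
    """Running images not under the Windows or Program Files trees (a first-look heuristic)."""
    return [p for p in processes if not p.lower().startswith(TRUSTED_ROOTS)]


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for hive, key, name, cmd in autostart_entries(ents):
        print(f"autostart {hive}\\{key} [{name}] -> {cmd}")
    for clsid in dpf_without_source(ents):
        print(f"O16 control with no source URL, identify by CLSID: {clsid}")
    for p in processes_outside_trusted_dirs(procs):
        print(f"process outside trusted dirs: {p}")
```

The O16 entry with no source URL in this log is the Java Runtime Environment control; the point of the check is not that such an entry is malicious, but that it cannot be judged by where it came from and has to be looked up by CLSID instead. The only process outside the trusted trees here is HijackThis itself, run from the unzip folder.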
 
Discussion Starter · #4 ·
How come no one is replying? :(

Anyways I did an online Trojan Test and it said:
Trojan 5000 OPEN Bubbel, Back Door Setup, Sockets de Troie

Can anyone tell me what that is? Thanks.
 
Discussion Starter · #6 ·
Ok thanks. Here is some other info. Thanks for the help.

Service - Ports - Status. Additional Information
FTP DATA - 20 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
FTP - 21 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
SSH - 22 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
TELNET - 23 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
SMTP - 25 - BLOCKED . This port has not responded to any of our probes. It appears to be completely stealthed.
DNS - 53 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
DCC - 59 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
FINGER - 79 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
WEB - 80 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
POP3 - 110 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
IDENT - 113 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Location Service - 135 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
NetBIOS - 139 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
HTTPS - 443 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
Server Message Block - 445 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
SOCKS PROXY - 1080 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
UPnP - 5000 - OPEN. This is the port used by Universal Plug and Play (UPnP). If this port is open anyone on the Internet may be able to use your computer and run any malicious code on your computer.
WEB PROXY - 8080 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

Service Ports Status Possible Trojans
Trojan - 1243 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Trojan - 1999 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Trojan - 6776 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Trojan - 7789 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Trojan - 12345 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Trojan - 31337 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Trojan - 54320 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Trojan - 54321 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

Protocol Type Status Additional Information
ICMP - 8 - BLOCKED. An ICMP ping request is usually used to test Internet access. However, an attacker can use it to determine if your computer is available and what OS you are running. This gives him valuable information when he is determining what type of attack to use against you.

Service Ports Status Additional Information
FTP DATA - 20 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
FTP - 21 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
SSH - 22 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
TELNET - 23 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
SMTP - 25 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
DNS 53 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
DCC 59 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
FINGER - 79 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
WEB 80 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
POP3 110 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
IDENT 113 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
NetBIOS - 139 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
HTTPS - 443 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
Server Message Block - 445 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
SOCKS PROXY - 1080 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
SOURCE PORT - 1888 - CLOSED. This is the port you are using to communicate to our Web Server. A firewall that uses Stateful Packet Inspection will show a 'BLOCKED' result for this port.
WEB PROXY - 8080 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.

DNS - 53 - OPEN. Domain Name Services are used to resolve host names to IP addresses.
Location Service - 135 - OPEN. Microsoft relies upon DCE Locator service (RPC) to remotely manage services like DHCP server, DNS server and WINS server.
NetBIOS-NS - 137 - OPEN. Windows/Samba file and print sharing.
NetBIOS-DGM - 138 - OPEN. Windows/Samba file and print sharing.
NetBIOS - 139 - OPEN. NetBios is used to share files through your Network Neighborhood. If you are connected to the internet with this open, you could be sharing your whole hard drive with the world! This is a very dangerous port to have open.
Server Message Block - 445 - OPEN. In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT.
UPnP - 1900 - OPEN. This is the port used by Universal Plug and Play (UPnP). If this port is open anyone on the Internet may be able to

Umm... :confused: :down:
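The scan report above repeats the meaning of each status on every line: OPEN means a service accepted the probe, CLOSED means the host answered but nothing was listening on that port, and BLOCKED means the probe got no answer at all (the firewall dropped it, which the report calls "stealthed"). The Python below is an added example, not part of this thread or of the scanning service. It parses a handful of the lines above (copied as sample input, deliberately including the inconsistently punctuated ones) into a per-status summary and a short findings list, and sets the SOURCE PORT line aside because the report itself says that line describes the scanner's own connection rather than a service on the scanned machine. The regular expression and the "fully stealthed" rule are this example's own assumptions about the report format.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the port scan report posted above.
SAMPLE_REPORT = """\
FTP DATA - 20 - CLOSED. This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
FTP - 21 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
SMTP - 25 - BLOCKED . This port has not responded to any of our probes. It appears to be completely stealthed.
DNS 53 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
NetBIOS - 139 - BLOCKED. This port has not responded to any of our probes. It appears to be completely stealthed.
UPnP - 5000 - OPEN. This is the port used by Universal Plug and Play (UPnP).
Trojan - 1243 - CLOSED. This port has responded to our probes.
SOURCE PORT - 1888 - CLOSED. This is the port you are using to communicate to our Web Server.
"""

# Tolerates "NAME - PORT - STATUS." as well as "NAME PORT - STATUS." and "STATUS ."
LINE_RE = re.compile(
    r"^(?P<service>.+?)\s+(?:-\s+)?(?P<port>\d+)\s+-\s+"
    r"(?P<status>OPEN|CLOSED|BLOCKED)\s*\.\s*(?P<info>.*)$"
)


@dataclass
class Probe:
    service: str
    port: int
    status: str  # OPEN, CLOSED or BLOCKED
    info: str


def parse_report(text):
    """Parse report lines into Probe records; lines that do not match are skipped."""
    probes = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            probes.append(Probe(m["service"], int(m["port"]), m["status"], m["info"]))
    return probes


def summarize(probes):
    """Ports grouped by status, in report order."""
    by_status = {"OPEN": [], "CLOSED": [], "BLOCKED": []}
    for p in probes:
        by_status[p.status].append(p.port)
    return by_status


def is_scanner_return_path(p):
    # The report explains this line is the client's own connection to the scan server.
    return p.service == "SOURCE PORT"


def fully_stealthed(probes):
    """True when every probed service port was BLOCKED (no host response at all)."""
    return all(p.status == "BLOCKED" for p in probes if not is_scanner_return_path(p))


def findings(probes):
    """Plain-language notes a reviewer would want from the report."""
    notes = []
    for p in probes:
        if is_scanner_return_path(p):
            continue
        if p.status == "OPEN":
            notes.append(f"port {p.port} ({p.service}): a service accepted the probe; "
                         "confirm it is meant to be reachable from the Internet")
        elif p.status == "CLOSED":
            notes.append(f"port {p.port} ({p.service}): no listener, but the host answered, "
                         "so the firewall is not dropping traffic to this port")
    return notes


if __name__ == "__main__":
    probes = parse_report(SAMPLE_REPORT)
    print(summarize(probes))
    print("fully stealthed:", fully_stealthed(probes))
    for note in findings(probes):
        print("-", note)
```

On this sample the only OPEN result is port 5000, which both scans in the thread flag (the earlier one by trojan name, this one as UPnP); the parser records the status, not the cause, which is why the finding is phrased as "confirm it is meant to be reachable" rather than as a verdict. The mix of CLOSED and BLOCKED results also shows the host is not fully stealthed: the firewall is dropping some probes but answering others.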
 
Run these on-line scans:
http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Checkmark the auto-clean boxes.

GET SOME Anti-virus protection!

http://www.grisoft.com/us/us_dwnl_free.php

AVG's the most recommended on this forum for free anti-virus.

Also get a firewall. ZoneAlarm's free.

http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

It says "ZoneAlarm"... that's the one to download. Not the other two... they're pay versions. Not that there's anything wrong with that, but you need some protection.
 