Hi! I came home one day and I found a new account on the login screen {I use XP and Internet Explorer, btw}:

(My Name)
(My Roommate's Name)
Adminestrator

Somehow, someone hacked into my computer with a new admin account {I do have the default Admin account in Safe Mode, though.} So I assumed my settings MUST have been messed with. Sure enough! These are my computer's current problems:

~ (Almost) NO Internet access. Right now I'm on FastFreeProxy, desperately trying to fix my computer. For some reason I can access obscure sites that I never go to. However, the sites that I go to on a daily basis load to a blank page with "Invalid syntax error" as a header.

~ I can't download ANYTHING. I tried to download Firefox but instead I received this message: "Your current security settings do not allow this file to be downloaded." Not only that, but when I tried downloading Firefox off of LimeWire and opened the .exe, I was blocked from even opening it! So I can use AIM/LimeWire (which saved my life, btw.)

Anyway, my HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 00:47, on 07-04-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\csrss.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cyborgsmoke.angelfire.com/
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

All 17 Replies

You're not going to get very far without Admin privileges. If you have the original setup disc then you have options, which basically means installing over the current setup. Once you have Admin control, delete ALL other accounts. You'll have to reinstall some drivers and apps, but you'll have your system back. Copy wpa.* from system32 to a floppy just in case they get lost somehow.

Hey, thanks for the help. I actually do have Admin controls as I am the only one with those settings. The "Adminestrator" account was deleted because it looked to me like an obvious hacked incident. If you could (and I apologize for my awful formatting skills; for some reason I can't break sentences into paragraphs), could you explain a little better? My security settings and Internet are hacked but I have to reinstall EVERYTHING? Does that mean I have to save all my files, etc.? Thank you!

...for unravelling that log format you owe me a beer. Go into safe mode cos I would like you to check if you still have this file:
C:\Windows\system32\csrss.exe
[Either go Control panel > folder options OR in an explorer window > tools>folder options; then view tab, and
-press Show hidden files and folders]..
If you do have it, and I'm pretty sure you must cos not a lot would happen without it being there so DON'T touch it, then the file:
C:\Windows\csrss.exe - is an imposter. It may be tricky to get rid of, it may not. Since you have hijackthis please start it and press Open the Misc tools Section, and then Delete a file on reboot. In the window that opens paste:
C:\Windows\csrss.exe
and press Open, and Yes.
Your pc will restart.
One more thing - since you have AVG FRE, why not run its email scanner?
Anyway, please post another hijackthis log, but this time with more of an eye to the formatting... :)
[your post is amazing! the script flows right off my page!]
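The check Gerbil is doing by eye above, as an added example that is not part of the thread: read the "Running processes" section of a HijackThis log and flag any core Windows binary that is running from somewhere other than the directory it belongs in. The real csrss.exe lives in C:\WINDOWS\system32; a copy in C:\WINDOWS is the impostor. The log text below is constructed to mirror the first post, and the table of canonical directories assumes a default XP install with Windows in C:\WINDOWS.

```python
# Added example (editor's, not from the thread): parse the 'Running processes'
# section of a HijackThis log and flag core Windows binaries that run from a
# directory other than the one they belong in, which is how the
# C:\WINDOWS\csrss.exe impostor stands out against the real
# C:\WINDOWS\system32\csrss.exe.
import ntpath
import re

# Canonical directories for core XP system binaries. Assumption: default
# install with Windows in C:\WINDOWS; names are compared case-insensitively.
CANONICAL_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample mirroring the log in the first post (not a real capture).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\csrss.exe
C:\Program Files\AIM\aim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cyborgsmoke.angelfire.com/
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

ITEM_LINE = re.compile(r"^[A-Z]\d+\s+-\s")  # R0 -, O4 -, O23 - ...


def parse_running_processes(log_text):
    """Return the image paths listed under 'Running processes:'; the section
    ends at the first HijackThis item line (R0/O4/O23...)."""
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_section = True
            continue
        if not in_section or not line:
            continue
        if ITEM_LINE.match(line):
            break
        paths.append(line)
    return paths


def suspicious_paths(paths):
    """Return [(path, expected_dir)] for core binaries running from elsewhere."""
    flagged = []
    for path in paths:
        directory, name = ntpath.split(path)
        expected = CANONICAL_DIRS.get(name.lower())
        if expected is not None and directory.lower() != expected:
            flagged.append((path, expected))
    return flagged


if __name__ == "__main__":
    for path, expected in suspicious_paths(parse_running_processes(SAMPLE_LOG)):
        print(f"SUSPICIOUS: {path} (expected in {expected})")
```

The comparison is on the directory, not just the file name, because the whole trick of this kind of infection is to reuse a name the user has been told never to touch.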

I tried to format the text. I know it's horrific when I posted it. How DO I format my sentences? As the Enter key doesn't seem to work. =/

Well, the HT log comes up in Notepad. Just click the Format menu and uncheck Word Wrap. Ctrl-A, Ctrl-C, into the post box and Ctrl-V. Ought to work.

I tried to click the icons, but they don't seem to work for me. Go Proxy Server! I'll try and make my HijackThis less bad:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

. . . . .

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

There wasn't any change to my Internet/Download Restrictions. Er. I really don't want to reformat my partition/reboot XP. I would need lottts of DVDs to store my music, programs and plug-ins. Ack!

Check your hosts file for a start; it should look something like this unless you have added sites..... This is mine, and it's the default:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
_______________________________________________

..to see this go c:\windows\system32\drivers\etc. Open a notepad and drag hosts from the right pane into it. If there are entries below the localhost one that you do not recognise or did not put there, then you need to reset the hosts file.
=Please download Hoster: http://www.funkytoad.com/download/hoster.zip and extract it to your Desktop.
=Click the Restore MS Hosts Button and then click OK and exit Hoster.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.

that etc after drivers\ above is real, not me being lazy... :)
Check this too:
Next check some settings.... In Control Panel select Network and Internet Connections, right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
And if it does come to doing a windows REPAIR you won't lose your files...

I tried the "Network Connections"-thing, repaired my connection (selected "Obtain DNS Servers".) The websites you gave me, I can't er....download anything (because of the hack/virus that blocks me from downloading ANY FILE.) I need my security settings fixed first so I can even download a program. Though I do have AVG and will do a scan. :) I don't understand what you mean with the "C:/Windows/System32/Driver" part. There's "Host" that's an iCalendar file but it doesn't open or at least I don't know of the right program to open it with (it was trying to open with Outlook.) I'm a bit 'unsavvy' with computers. =/

There is a special file, hosts [no extension] that provides a shortcut or redirection service for your browser when you enter a URL , you know, the http://daniwe.... Your browser checks the hosts file for entries before it goes on the web [to a DNS server], to get the URL's IP which it then uses to go to the site. The hosts file can thus also be used to block sites by giving the address a local or internal address [internal to your pc], one of which is 127.0.0.1; there are others. So a bug can put google or antispyware sites in the hosts, give them the local address in which case they just don't open, or give them another IP entirely to a site where they want you to go.
So I wish you to check that file.
To show Special MS Files
===Either go Control panel > folder options OR in an explorer window > tools>folder options; then view tab, and
-press Show hidden files and folders, Apply and Ok.
C:\windows\system32\drivers\etc\hosts is it. If you left-click etc in the left pane tree you will see hosts listed in the right pane. Drag hosts into a Notepad. It should be as above in the previous post.
And oops! They've updated Hoster since I last checked; sorry about that! It is now HostsXpert, and it's even better.
If your hosts file is not like the one above then download HostsXpert from http://www.funkytoad.com/content/view/13/31/ to a working PC, unzip the file and save HostsXpert to a floppy. Load that into your bad PC, double-click the exe and when the program window opens press Restore MS hosts file.

As far as browsing goes, one of the messages you gave refers to your browser security settings - they are set too high, perhaps? Open an IE window, go tools, inet options, security tab, and press Default Level. [else instead of Default level go Custom level, and in the next window set to medium and press Reset.]
Then press the Privacy tab [next to security] and move the slider to medium, Apply and Ok.
I think now you should be able to get to Mozilla.com [DON'T get firefox from any other site!!]
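The hosts-file inspection Gerbil asks for, as an added example that is not part of the thread: parse a Windows hosts file and report every mapping other than the default "127.0.0.1 localhost", separating names pointed at loopback or 0.0.0.0 (the site "just doesn't open") from names pointed at some other address (the browser is sent to a host the attacker chose). The hostnames in the sample are ones mentioned in the thread; the file contents and the addresses in it are constructed, not a capture from the poster's machine.

```python
# Added example (editor's, not from the thread): parse a Windows hosts file
# and report every mapping other than the default '127.0.0.1 localhost'.
# Names pointed at loopback or 0.0.0.0 are blocked (the site "just doesn't
# open"); names pointed anywhere else are redirected to a host the attacker
# chose. Hostnames below come from the thread; the addresses and the file
# itself are constructed, not a real capture.
import ipaddress

DEFAULT_MAPPINGS = {("127.0.0.1", "localhost")}

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       www.google.com
0.0.0.0         free.grisoft.com www.f-secure.com
192.0.2.10      www.mozilla.com   # RFC 5737 documentation address, constructed
"""


def parse_hosts(text):
    """Return [(ip, hostname)] for every mapping; '#' starts a comment and one
    address may be followed by several names on the same line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; the resolver ignores it too
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def classify(entries):
    """Split non-default mappings into blocked (loopback/unspecified target)
    and redirected (any other target, including unparsable addresses)."""
    blocked, redirected = [], []
    for ip, host in entries:
        if (ip, host) in DEFAULT_MAPPINGS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            redirected.append((ip, host))
            continue
        if addr.is_loopback or addr.is_unspecified:
            blocked.append((ip, host))
        else:
            redirected.append((ip, host))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = classify(parse_hosts(SAMPLE_HOSTS))
    for ip, host in blocked:
        print(f"BLOCKED    {host:<24} -> {ip}")
    for ip, host in redirected:
        print(f"REDIRECTED {host:<24} -> {ip}")
```

Anything in the "redirected" list deserves more suspicion than a block, since it means a familiar site name will silently land on someone else's server; a restore of the stock file, as described above, clears both kinds.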

Not even that works! I already tried to fix the security settings before. I feel so lost. =\ Do you know of any other alternative means?

First, please check to see if you have any of these files on your sys:
C:\WINDOWS\csrss.exe
C:\int_rem.bat
C:\WINDOWS\9129837.exe
C:\abcdefg.bat
C:\WINDOWS\new_drv.sys
c:\sample.exe

This next requires a download, but at least you can fit it onto a floppy; it's to check for rootkits.
==Download the latest trial version of Blacklight beta from http://www.f-secure.com/blacklight/ [get it from the top, GUI mode button]
Copy the .exe [they change the name occasionally when they update it so I am not giving it here...] into your PC to C:\, double-click it to start, click Run, agree to the terms and Scan. Post the results if positive.
Something is hiding, it would seem. May as well use another rootkit detector; this download will fit onto the same floppy:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -link is at foot of page. Copy the .exe into the same folder as above, double-click the .exe and press Scan. Do NOT use your mouse or keyboard while it runs.

If the rootkit scans were negative please do this to check some MS files, [IE ones are not included in this]... you need an XP install cd, either MS or OEM will do; go Start > run, type:
sfc /scannow -and Enter. Insert the cd, press enter as often as it takes.

Give me the results of those two, and change the name of hijackthis.exe to bunny.exe, and run it, post a new log.
I must warn you that this is shaping up to be a bad [sinister] infection, well hidden it would seem, and probably after your identity. Use another pc and change your banking, email, credit card passwords. I mean it. Better safe than sorry.
Please tell me all steps you take, and their results. eg, i am left guessing as to the hosts file issue...

Hi, Gerbil. As of now, my Internet/Security Settings are no longer a thing to worry about. I CAVED! I reformatted + reinstalled XP with the help of my roommate. I genuinely appreciate your help, though. Seriously. But the whole situation became far too frustrating and I need to make music!

There IS one concern I have. XP is rebooted and works perfectly and now I have rid myself of that horror "IE" and replaced it with FireFox. But! Whenever I try to play a song or sound file/video/anything. I'm prompted with a box explaining "There is no playback driver installed". I'm sure it's a bit more simpler than what I just tried to fix. Do you know how to install audio/video playback drivers?

ARRRGGHHhhhh.... .! Nope. That's fine. I quite understand. Really. Yep, I do. S'okay. True... .... :)
Actually if trojans get into explorer and winlogon you are never really sure if you get them out... a reinstall is the safest, surest option. It was going to be my next suggestion if the stuff in the last post didn't work. Honest... Now, drivers and codecs for sight and sound: from the makers of your mobo there should be a CD with drivers for your video and sound cards [sound is probably on-board the mobo]; you need to load those cos otherwise you have only XP defaults. No CD? Then knowing the make/model of your sound chipset [Run msinfo32, check Components..] go online to the manufacturer and get the latest drivers/codecs and install those. You can check what you actually have by going Run devmgmt.msc and checking for audio and video codecs. Double-click or right-click the audio and video codec entries to expand them; update or check their properties, whether they are available.
Sigh...

Btw, so if you must one day reinstall XP now is the time to partition so that the XP OS lives in its own volume [about 8GB is good for home, give pro 10GB], apps in another, data in a third... Move out from the OS volume into data all the temp files, OE stores, My Docs.... This way the OS can stretch out and get comfortable, relatively undisturbed by additions and deletions. XP rearranges itself so that the bits it uses most are more convenient to access. Creepy. The payoff? Well, if you reinstall XP only the OS and the Apps volumes get broken; your data is undisturbed. Apps away from the OS? yep, cos you are always changing them...
