my pc is hacked!!

Status
Not open for further replies.
Guest
i'm getting a new problem now..
in this my dialup connection is changed every time i log in. it is changed to dial some ISD number.. every time i have to change it.. and during the connection sent bits are more than received bits even if nothing is being uploaded!!! help me with this fast plz
 

siriusb

Cyborg Agent
There's more probability of u having spyware/malware/a dialler in ur comp than an external perpetrator. Sweep ur system for such wares before assuming that u have hacking activity. Check for viral infection as well.
 

Vishal Gupta

Microsoft MVP
Instead of changing the phone no. every time in the Dialer, u can change the phone no. to be dialled in the Connection's Properties.
Check whether it works or not.
 
Guest (OP)
i have created a new connection as well..
i have now used HijackThis and deleted some suspicious entries.. now the log file is as follows
Code:
Logfile of HijackThis v1.99.1
Scan saved at 2:14:47 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost32.exe
C:\WINDOWS\system32\usbn.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\slrundll.exe
C:\PROGRA~1\NORTON~1\NORTON~3\navw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\nik\My Documents\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_6_2_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemClock] C:\WINDOWS\System32\SysClock.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Automatic32Updater] svchost32.exe
O4 - HKLM\..\RunServices: [Windows Automatic32Updater] svchost32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
hi nik. i can surely tell u that it is some kind of malware or spyware. even i had the same problem with my dialup. i used to change the number but while dialing it changed automatically to some crappy number. i even made new connections but of no use. i tried antiviruses like Norton, AVG, McAfee and antispywares like Spybot, Lavasoft Ad-Aware. but none of them helped. eventually i had to format my c: drive.
 
Guest (OP)
ya there were adware and a dialer.. i deleted them using Ad-Aware and Norton.. but net speed is very slow now. as i told earlier, sent is very much more than received data!!! i suspect this is some problem?? is it?
 

siriusb

Cyborg Agent
Do a "netstat -abv" in the DOS prompt to see if any suspicious exe is running on a local port.
Or better yet, get a prog that will monitor ports and give you real-time feedback.
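As an added example (not code from this thread), a small Python parser for the two-line layout `netstat -b` prints on Windows XP, pairing each connection row with the program that owns it and reporting any owner that is not in a baseline of programs you expect to be on the network. The sample output is constructed (only the remote host and port named later in this thread are real), and the baseline list is an assumption drawn from the running processes in the posted log.

```python
import re

# Constructed sample in the two-line layout netstat -b prints on Windows XP:
# a connection row, then the owning image name in brackets. Apart from the
# remote host named in this thread, hosts, PIDs and local names are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address           State           PID
  TCP    nik-pc:1033            ziv04.plus.sbg.ac:7000    ESTABLISHED     1492
  [svchost32.exe]

  TCP    nik-pc:1040            www.example.com:http      ESTABLISHED     1788
  [IEXPLORE.EXE]

  UDP    nik-pc:1044            *:*                                       1612
  [ypager.exe]
"""

# Assumed baseline: programs this user expects to be talking to the network
# (taken from the running-process list in the HijackThis log posted above).
EXPECTED = {"iexplore.exe", "ypager.exe", "msmsgs.exe", "winamp.exe"}

# TCP rows carry a State column, UDP rows do not, so State is optional.
CONN_RE = re.compile(r"^\s+(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s+\[(.+)\]\s*$")

def parse_netstat(text: str) -> list[dict]:
    """Pair each connection row with the [image name] row that follows it."""
    conns, pending = [], None
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            proto, local, remote, state, pid = m.groups()
            pending = {"proto": proto, "local": local, "remote": remote,
                       "state": state or "", "pid": int(pid)}
        elif (m := OWNER_RE.match(line)) and pending:
            pending["owner"] = m.group(1)
            conns.append(pending)
            pending = None
    return conns

def unexpected_owners(conns: list[dict], baseline=EXPECTED) -> list[dict]:
    """Connections whose owning program is not in the baseline; each deserves a look."""
    return [c for c in conns if c["owner"].lower() not in baseline]

if __name__ == "__main__":
    for c in unexpected_owners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{c['owner']} (pid {c['pid']}) -> {c['remote']} {c['state']}")
```

On the sample, only the svchost32.exe connection to port 7000 is reported, the same thing the TCPView screenshot later in this thread shows.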
 

Biplav

In the zone
well u can use Symantec Client Security:
it comes with Symantec AntiVirus Corporate and a firewall;
i use that and i must say it is pretty much easier for a newbie to understand the ports on this.
 

digen

Youngling
Till someone analyses that HijackThis log file, get TCPView from Sysinternals: *www.sysinternals.com/Utilities/TcpView.html

And no, continuous sending & receiving isn't a modem problem most of the time now. It is malware or a RAT [Remote Access Tool] phoning home, giving a backdoor.
Post a screenshot of the TCPView open ports.

Btw, from when did this problem start?

EDIT: I just saw your HJT log again & from what it says,

Code:
Platform: Windows XP SP1 (WinNT 5.01.2600) 
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

I would suggest you update the OS with the latest patches once this problem of yours has been sorted out. The rest is up to you.
 

anandk

Distinguished Member
a related suggestion: DAP is said to have spyware. suggest u switch to GetRight or any other one.
 

alib_i

Cyborg Agent
you have quite a few trojans in your comp!

delete the following entries ->
Code:
C:\WINDOWS\system32\usbn.exe
Adult content dialer, recognized by Kaspersky antivirus as Trojan-Downloader.Win32.Small.afa | More Info
Delete the file "usbn.exe" and remove it from startup
To remove from startup, either use any standard registry editor, or type "msconfig" in Run box, go to startup tab and uncheck its entry.

Code:
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
It's
Trojan-Clicker.Win32.Agent.ac | More Info
Delete the following files
c:\ied_s7m.cab
c:\ex.cab (if present)
C:\WINDOWS\System32\vbsys2.dll
You may have to unregister vbsys2.dll too .. look at the link I gave above.

The rest I think is clean...
Just one thing.. you have IIS running on your computer.. i.e. you have a web server running on your computer.
C:\WINDOWS\System32\inetsrv\inetinfo.exe
you can switch it off if you don't need it.. it's not spyware, just unnecessary.
Remove it by "Add/Remove Programs" -> Add/Remove Windows Components -> Uncheck IIS -> OK


hope my time was spent on something useful for you

-----
alibi
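As an added example (not code from this thread), a Python triage script that applies the kind of checks alib_i made by hand to the O4/O21/O23 lines of a HijackThis log: a Run entry whose program name mimics a Windows process (svchost32.exe next to the real svchost.exe), use of the RunServices key, bare file names without a path, SSODL entries, and services with an empty company field. The sample lines are copied from the log posted above; the severity labels and the list of system process names are my own assumptions.

```python
import re

# Constructed sample: autostart lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Windows Automatic32Updater] svchost32.exe
O4 - HKLM\\..\\RunServices: [Windows Automatic32Updater] svchost32.exe
O4 - HKCU\\..\\Run: [Yahoo! Pager] "C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\ypager.exe" -quiet
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\\WINDOWS\\System32\\vbsys2.dll
O23 - Service: SmartLinkService (SLService) -   - C:\\WINDOWS\\SYSTEM32\\slserv.exe
"""

# Assumed list of genuine Windows process names that malware imitates by appending digits or letters.
SYSTEM_NAMES = {"svchost", "lsass", "winlogon", "services", "explorer", "smss", "csrss", "spoolsv"}
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")

def image_name(cmd: str) -> str:
    """File name of the program an O4 command line launches (quotes and arguments dropped)."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return path.rsplit("\\", 1)[-1]

def mimics_system_name(exe: str) -> bool:
    """True for names such as svchost32.exe that extend a real system binary's name."""
    stem = exe.lower().rsplit(".", 1)[0]
    return stem not in SYSTEM_NAMES and any(stem.startswith(s) for s in SYSTEM_NAMES)

def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, reason, line) for each autostart entry that deserves a human look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = image_name(m["cmd"])
            if mimics_system_name(exe):
                findings.append(("high", f"{exe} mimics a Windows system process name", line))
            if m["key"].lower() == "runservices":
                findings.append(("medium", "RunServices is a Win9x-era key rarely used by XP software", line))
            if "\\" not in m["cmd"]:
                findings.append(("low", f"bare file name {exe} is resolved via the search path", line))
        elif line.startswith("O21 - SSODL:"):
            findings.append(("medium", "ShellServiceObjectDelayLoad entry; few legitimate programs use it", line))
        elif line.startswith("O23 - Service:") and " -   - " in line:
            findings.append(("low", "service with an empty company field", line))
    return findings

if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {reason}\n    {line}")
```

The two svchost32.exe entries come out as the only high-severity findings; the SOUNDMAN.EXE bare-name hit is a low-severity reminder that legitimate vendors register things the same careless way, so a human still has to read the list.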
 
Guest (OP)
i deleted usbn.exe and am downloading TCPView now. i found vbsys2.dll, but how to deregister it?
 
Guest (OP)
it gives an error like "vbsys2.dll was loaded but the dllunregisterserver entry point was not found this file can not be register"
 
Guest (OP)
i tried TCPView and found this. in this my pc is connected to ziv04.plus.sbg.ac at 7000 by svchost32.exe?? is it suspicious??
*img.photobucket.com/albums/v188/nikunj/untitled2.jpg
 
Guest (OP)
and when i stopped this process from TCPView the problem is solved, means normal sending and receiving..

now how can i fix this problem? means each time i have to stop this, as it starts automatically each time
 

digen

Youngling
Oh yeah !
Svchost32.exe is a WORM !
Code:
W32.Mimail.J@mm is a mass-mailing worm that attempts to steal personal information. This worm displays a series of forms that ask users to enter their credit card information. (See the "Technical Details" for illustrations.) This information is saved and later emailed to several predetermined email addresses.

Read more about it here: *securityresponse.symantec.com/avcenter/venc/data/w32.mimail.j@mm.html

Read the removal instructions & tool here : *securityresponse.symantec.com/avcenter/venc/data/w32.mimail.removal.tool.html
Follow the instructions carefully & carry it out accordingly. I hope at least for the time being you install a firewall, enable it & block that process. If you have any difficulty removing it then reply here.

More info about the worm: *www.pchell.com/virus/mimaili.shtml
 

digen

Youngling
huh? Sorry, but don't get me wrong, I said SVCHOST32.EXE is a WORM & not SVCHOST.EXE, which is a Windows process.
Though the latter can be infected & you will never know, don't confuse the two.
 