backdoor?something is downloading..
Original Message
Name: jmer
Date: September 7, 2003 at 07:07:58 Pacific
Subject: backdoor?something is downloading..
OS: XP SP1
CPU/Ram: P3 533/128
Comment: For the past 10 days something on my computer has been downloading. Even when I block all traffic using Norton firewall and block everything from accessing the internet there is still downloading activity. It is always downloading between 2 and 5kbps even though I have a cable connection. When I turn the connection off, every few seconds something still tries to access the internet. I've been updating Norton antivirus daily and scanning but nothing is being detected. I've used many other online scanners with no luck either. If someone could please look at the HijackThis log below and let me know if anything's out of the ordinary it would be much appreciated:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~4\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache1.optusnet.com.au :80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again for any help.
Response Number 1
Name: capt
Date: September 7, 2003 at 07:49:14 Pacific
Reply: Have you checked to see if your NIS is set up and working correctly? Go to http://www.pcflank.com/ and run all their scans to see if your firewall is doing its job. You could also try one of their highly recommended anti-trojan programs on a trial basis to detect and clean your system. If NIS is not set up or doing its job, I would uninstall it and get a free firewall at the PC Flank website that is highly recommended.
Response Number 2
Name: wawadave
Date: September 7, 2003 at 10:35:37 Pacific
Reply: Hello. To help find which process is accessing the net, go to Start, Programs, Accessories, Command Prompt and type: netstat.exe -a 9 then click Enter, and you will be able to see what is actually connecting to the net.
Response Number 3
Name: Abnormal
Date: September 7, 2003 at 13:12:21 Pacific
Reply: Spyware:
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll

Removal: If you have the variant that installs into Program Files, open the 'NewDotNet' folder in Program Files and run the 'uninstall' program. If this folder does not exist, try opening the Control Panel and looking in the 'Add/Remove Programs' list. In the case of older versions where NewDotNet is not in the list, you could try installing a new version and then using the uninstall feature. Spybot S&D and Ad-Aware 6 also remove NewDotNet.
http://www.doxdesk.com/parasite/NewDotNet.html

All I can add.
Response Number 4
Name: suzi
Date: September 8, 2003 at 21:18:20 Pacific
Reply: This one looks suspicious to me:
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

Unless the HijackThis expert here, Tom41, checks your post, you might want to post your log at this forum at cexx.org: http://boards.cexx.org/ Lots of HijackThis experts there.
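As an added example that is not part of this thread or of HijackThis itself: a small Python triage script run over a constructed sample of HijackThis-style lines modelled on jmer's log. It applies, as code, the checks the replies make by eye (the unnamed NewDotNet BHO that Abnormal flags, the "(no file)" toolbar that suzi flags) plus two further heuristics of my own: autostart entries that give no full path and O16 DPF objects with no download URL recorded. The watchlist and the heuristics are assumptions for illustration, not HijackThis's own rules.

```python
import re

# Constructed sample modelled on the entries in this thread's HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Hypothetical watchlist of path fragments; NewDotNet is the parasite named in the thread.
WATCHLIST = ("newdotnet",)

def autostart_target(body):
    # Strip the 'HKLM\..\Run:' or 'Startup:' prefix, the [name] tag and any 'x.lnk = ' prefix.
    target = re.sub(r"^\[[^\]]*\]\s*", "", body.split(":", 1)[1].strip())
    return target.split(" = ", 1)[1] if " = " in target else target

def triage(log_text):
    """Apply review heuristics to HijackThis-style lines; returns (section, reason, line)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not an entry line (e.g. the 'Running processes:' header)
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()
        if sec in ("O2", "O3") and "(no name)" in low:
            findings.append((sec, "unnamed browser extension", line))
        if "(no file)" in low or "(file missing)" in low:
            findings.append((sec, "registry entry points at a missing file", line))
        if any(w in low for w in WATCHLIST):
            findings.append((sec, "path matches watchlist of known unwanted software", line))
        if sec == "O16" and body.rstrip().endswith("-"):
            findings.append((sec, "ActiveX object with no recorded download URL", line))
        if sec == "O4" and not re.match(r'^"?[A-Za-z]:\\', autostart_target(body)):
            findings.append((sec, "autostart entry without a full path", line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {line}")
```

A flagged line is a prompt to look closer (check the CLSID and file against a known-good list), not a verdict; the Norton entries in the sample pass every check while the NewDotNet BHO and the orphaned toolbar each trip two.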