July 5th, 2004 01:00

When will it ever end? - Picture

I think it was last week I posted this message - http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=17620 - and I had a Trojan that Trend detected as "Stilen", and Texruss helped me remove it...

Problems are back, and this time, it's even worse...
I went and installed SP1 and all of the updates last night. Took about 6 hours... I knew that after that, there was no way that I could be hacked, trojaned, or any of that stuff. Someone proved me wrong. I think I may have just been hacked, and someone dropped a trojan that NAV actually caught. Bloodhound.Exploit.6 is what NAV told me it was. But right before, I was looking up reviews for a game I was thinking of purchasing, and from nowhere, I got a message which I will link from my host below... Right after I got this message, NAV told me I had a virus. I checked my logs for Zone Alarm, and within a 30-minute period, ZA had blocked 38 access attempts.

Advice... Anyone? I'm going to call my ISP tomorrow and see if there is some way that they can change my IP address so this psycho won't find me again.

Thanks for any help.
Jason

Message Edited by ResonantEngineering on 07-04-2004 09:37 PM

July 5th, 2004 02:00

BTW - Here is my HJT log... I'm almost positive it's clean, but if you'd double check for me, I'd appreciate it.

Logfile of HijackThis v1.97.7
Scan saved at 10:29:19 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38142.7219907407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F6E741B-5840-4F30-B770-29DB3EFC8EDD}: NameServer = 216.41.128.73 216.41.128.200

Thanks
Jason
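An added triage helper for logs in this HijackThis format (example code written for this page, not part of the thread or of HijackThis itself): it groups the O-entries by section, lists the O4 autorun commands, the hosts that O16 ActiveX controls were downloaded from and the O17 nameservers, and flags any autorun whose executable lives outside an assumed set of install roots. The sample log, its Temp-folder entry and TRUSTED_ROOTS are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis format (not the poster's log); the
# Temp-folder autorun is a made-up entry that exercises the triage check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F6E741B-5840-4F30-B770-29DB3EFC8EDD}: NameServer = 216.41.128.73 216.41.128.200
"""

ENTRY_RE = re.compile(r"^O(\d+)\s+-\s+(.*)$")                              # "O4 - ..."
RUN_RE = re.compile(r"^(HK[LC][MU])\\\.\.\\(\w+):\s+\[([^\]]*)\]\s*(.*)$")  # O4 body
DPF_RE = re.compile(r"^.*?\s+-\s+(https?://([^/\s]+)\S*)$")                # O16 body: url, host
# Assumed install roots; anything launched from elsewhere is flagged for review.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

def parse_hjt(text):
    """Group O-entries by section number, skipping the header and process list."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[int(m.group(1))].append(m.group(2))
    return entries

def autoruns(entries):
    """O4 entries as (hive, key, name, command) tuples."""
    return [m.groups() for m in map(RUN_RE.match, entries.get(4, [])) if m]

def dpf_hosts(entries):
    """Hosts that O16 ActiveX .cab files were fetched from."""
    return sorted({m.group(2).lower() for m in map(DPF_RE.match, entries.get(16, [])) if m})

def nameservers(entries):
    """DNS servers from O17 lines; a server the ISP did not assign is a hijack indicator."""
    return [ip for rest in entries.get(17, []) if "NameServer =" in rest
            for ip in rest.split("NameServer =", 1)[1].split()]

def exe_path(command):
    """Executable part of an autorun command: the quoted string or the first token."""
    return command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]

def suspicious_autoruns(entries):
    """Heuristic: O4 programs whose path is outside TRUSTED_ROOTS."""
    return [(name, cmd) for _, _, name, cmd in autoruns(entries)
            if not exe_path(cmd).lower().startswith(TRUSTED_ROOTS)]
```

Run the functions over parse_hjt(SAMPLE_LOG) to see the three autoruns, the two download hosts, the two nameservers and the single flagged Temp-folder entry.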

July 5th, 2004 02:00

@Texruss wrote:

Don't panic...I can make Norton false alarm for Bloodhound by clicking on a text file I create...

See... That's not what happened. I was sitting at google.com, right after hitting the search button. I watched the screen load completely, then all activity ceased. I got up and went across the room for a tissue, came back, and all that stuff was on my screen. My only explanation for all of it is that someone bypassed everything (Windows XP Firewall, ZA Firewall, SP1 Updates, and all Critical Updates), dropped a trojan, and was unsuccessful because of NAV catching it... I'm sure it'll happen again, but when, I don't know.

Do you think that if I changed my IP addy, that would solve my problem?

Thanks
Jason


July 5th, 2004 02:00

Don't panic...I can make Norton false alarm for Bloodhound by clicking on a text file I create...it's not the greatest discriminator for that generic threat. Post a HJT log if you're concerned.

Texruss


July 5th, 2004 02:00

Looks fine. I wouldn't worry so much about alerts of Bloodhound or even attacks detected by your firewall. It happens to me all the time and I'm still clean. *;-)

Texruss
