# I think I'm being hacked



## Kenneedshelp (Apr 11, 2010)

My reason for thinking I'm being hacked is that I've been having problems with an e-stalker. This person managed to send out a copy of an instant message conversation I had, so he either hacked me or the other person's PC!! I have done a netstat and found a few "not sure abouts"; one is wy-in-f154, and on looking this up some say it's malware/rootkit?????? Below are the results from a netstat. Can someone please help??? I've tried a few anti-rootkits but some won't work with Vista 64.

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Ken>netstat
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.1.2:49168 a88-221-88-51:http CLOSE_WAIT
TCP 192.168.1.2:49169 a88-221-88-51:http CLOSE_WAIT
TCP 192.168.1.2:49289 213.199.164.110:http ESTABLISHED
TCP 192.168.1.2:49291 65.55.149.121:http ESTABLISHED
TCP 192.168.1.2:49292 84.53.134.18:http ESTABLISHED
TCP 192.168.1.2:49293 213.199.141.139:http ESTABLISHED
TCP 192.168.1.2:49294 213.199.141.140:http ESTABLISHED
TCP 192.168.1.2:49296 213.199.141.140:http ESTABLISHED
TCP 192.168.1.2:49298 ww-in-f149:http ESTABLISHED
TCP 192.168.1.2:49302 ww-in-f149:http ESTABLISHED
TCP 192.168.1.2:49305 84.53.134.16:http ESTABLISHED
TCP 192.168.1.2:49309 gv-in-f105:http ESTABLISHED
TCP 192.168.1.2:49310 wy-in-f101:http ESTABLISHED
TCP 192.168.1.2:49311 ww-in-f101:http ESTABLISHED
TCP 192.168.1.2:49312 72.52.248.159:http ESTABLISHED
TCP 192.168.1.2:49313 72.52.248.159:http ESTABLISHED
TCP 192.168.1.2:49314 72.52.248.159:http ESTABLISHED
TCP 192.168.1.2:49315 72.52.248.159:http ESTABLISHED
TCP 192.168.1.2:49316 72.52.248.159:http ESTABLISHED
TCP 192.168.1.2:49317 72.52.248.159:http ESTABLISHED
TCP 192.168.1.2:49319 ww-in-f156:http ESTABLISHED
TCP 192.168.1.2:49320 ww-in-f165:http ESTABLISHED
TCP 192.168.1.2:49321 ww-in-f156:http ESTABLISHED
TCP 192.168.1.2:49323 cdce:http ESTABLISHED
TCP 192.168.1.2:49324 host:http ESTABLISHED
TCP 192.168.1.2:49326 mojofarm:http ESTABLISHED
TCP 192.168.1.2:49327 ww-in-f102:http ESTABLISHED
TCP 192.168.1.2:49328 img:http ESTABLISHED
TCP 192.168.1.2:49329 ww-in-f102:http ESTABLISHED
TCP 192.168.1.2:49331 img:http ESTABLISHED
TCP 192.168.1.2:49332 84.53.134.117:http ESTABLISHED


----------



## Cookiegal (Aug 27, 2003)

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under Attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.


Click on the Log tab.
In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new Window should appear.
Make sure Scan all drives is selected and click on the Start button.
When it is complete a new Window will appear to indicate that the scan is finished.
The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.


----------



## Kenneedshelp (Apr 11, 2010)

Hi, thank you for the reply. Seemingly this program does not work with a 64-bit system?


----------



## Cookiegal (Aug 27, 2003)

Sorry, I thought it did.

Since you seem to know how to run netstat commands, can you run this command and post those results please?

*netstat -o*


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal,

Just tried to run SysProt again; after clicking Create Log I get an error "failed to startstart service. sysprot need to be run with admin privileges!" I did right-click and select Run as administrator!

Your requested netstat -o result:
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Ken>netstat -o
Active Connections
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:49375 Ken-PC:49376 ESTABLISHED 3708
TCP 127.0.0.1:49376 Ken-PC:49375 ESTABLISHED 3708
TCP 192.168.1.2:2869 192.168.1.1:3210 ESTABLISHED 4
TCP 192.168.1.2:49166 a88-221-88-57:http CLOSE_WAIT 4092
TCP 192.168.1.2:49167 a88-221-88-57:http CLOSE_WAIT 4092
TCP 192.168.1.2:49176 spike9246:http CLOSE_WAIT 2856
TCP 192.168.1.2:49372 by2msg4010611:msnp ESTABLISHED 3708
TCP 192.168.1.2:49497 81.23.243.145:http ESTABLISHED 6104
TCP 192.168.1.2:49498 65.55.149.123:http ESTABLISHED 6104
TCP 192.168.1.2:49499 213.199.141.140:http ESTABLISHED 6104
TCP 192.168.1.2:49500 213.199.141.139:http ESTABLISHED 6104
TCP 192.168.1.2:49502 ww-in-f148:http ESTABLISHED 6104
TCP 192.168.1.2:49503 ww-in-f148:http ESTABLISHED 6104
TCP 192.168.1.2:49504 213.199.141.139:http ESTABLISHED 6104
C:\Users\Ken>


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal,
Managed to get SysProt to run; please see the log below:
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Processes found
******************************************************************************************
******************************************************************************************
No Kernel Modules found
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: KEN-PC:49517
Remote Address: LB2.COLLECTIVE-MEDIA.NET:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT
Local Address: KEN-PC:49372
Remote Address: BY2MSG4010611.PHX.GBL:MSNP
Type: TCP
Process: 3708 (PID)
State: ESTABLISHED
Local Address: KEN-PC:49176
Remote Address: SPIKE9246.MALWAREBYTES.ORG:HTTP
Type: TCP
Process: 2856 (PID)
State: CLOSE_WAIT
Local Address: KEN-PC:49167
Remote Address: A88-221-88-57.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: 4092 (PID)
State: CLOSE_WAIT
Local Address: KEN-PC:49166
Remote Address: A88-221-88-57.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: 4092 (PID)
State: CLOSE_WAIT
Local Address: KEN-PC:ICSLAP
Remote Address: 192.168.1.1:3210
Type: TCP
Process: 4 (PID)
State: ESTABLISHED
Local Address: KEN-PC:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING
Local Address: KEN-PC:49376
Remote Address: LOCALHOST:49375
Type: TCP
Process: 3708 (PID)
State: ESTABLISHED
Local Address: KEN-PC:49375
Remote Address: LOCALHOST:49376
Type: TCP
Process: 3708 (PID)
State: ESTABLISHED
Local Address: KEN-PC:49375
Remote Address: 0.0.0.0:0
Type: TCP
Process: 3708 (PID)
State: LISTENING
Local Address: KEN-PC:49158
Remote Address: 0.0.0.0:0
Type: TCP
Process: 488 (PID)
State: LISTENING
Local Address: KEN-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: 504 (PID)
State: LISTENING
Local Address: KEN-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1676 (PID)
State: LISTENING
Local Address: KEN-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1556 (PID)
State: LISTENING
Local Address: KEN-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1516 (PID)
State: LISTENING
Local Address: KEN-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: 960 (PID)
State: LISTENING
Local Address: KEN-PC:10243
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING
Local Address: KEN-PC:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING
Local Address: KEN-PC:ICSLAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING
Local Address: KEN-PC:RTSP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4536 (PID)
State: LISTENING
Local Address: KEN-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING
Local Address: KEN-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1424 (PID)
State: LISTENING
Local Address: KEN-PC:59830
Remote Address: NA
Type: UDP
Process: 1752 (PID)
State: NA
Local Address: KEN-PC:SSDP
Remote Address: NA
Type: UDP
Process: 1752 (PID)
State: NA
Local Address: KEN-PC:138
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA
Local Address: KEN-PC:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA
Local Address: KEN-PC:DISCARD
Remote Address: NA
Type: UDP
Process: 3708 (PID)
State: NA
Local Address: KEN-PC:62143
Remote Address: NA
Type: UDP
Process: 3484 (PID)
State: NA
Local Address: KEN-PC:60821
Remote Address: NA
Type: UDP
Process: 3672 (PID)
State: NA
Local Address: KEN-PC:59831
Remote Address: NA
Type: UDP
Process: 1752 (PID)
State: NA
Local Address: KEN-PC:55951
Remote Address: NA
Type: UDP
Process: 1556 (PID)
State: NA
Local Address: KEN-PC:55200
Remote Address: NA
Type: UDP
Process: 5544 (PID)
State: NA
Local Address: KEN-PC:53435
Remote Address: NA
Type: UDP
Process: 6104 (PID)
State: NA
Local Address: KEN-PC:51930
Remote Address: NA
Type: UDP
Process: 3708 (PID)
State: NA
Local Address: KEN-PC:49475
Remote Address: NA
Type: UDP
Process: 3804 (PID)
State: NA
Local Address: KEN-PC:49286
Remote Address: NA
Type: UDP
Process: 3708 (PID)
State: NA
Local Address: KEN-PC:SSDP
Remote Address: NA
Type: UDP
Process: 1752 (PID)
State: NA
Local Address: KEN-PC:54207
Remote Address: NA
Type: UDP
Process: 1752 (PID)
State: NA
Local Address: KEN-PC:LLMNR
Remote Address: NA
Type: UDP
Process: 1924 (PID)
State: NA
Local Address: KEN-PC:5005
Remote Address: NA
Type: UDP
Process: 4536 (PID)
State: NA
Local Address: KEN-PC:5004
Remote Address: NA
Type: UDP
Process: 4536 (PID)
State: NA
Local Address: KEN-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: 1556 (PID)
State: NA
Local Address: KEN-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: 1752 (PID)
State: NA
Local Address: KEN-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: 1752 (PID)
State: NA
Local Address: KEN-PC:664
Remote Address: NA
Type: UDP
Process: 3352 (PID)
State: NA
Local Address: KEN-PC:623
Remote Address: NA
Type: UDP
Process: 3352 (PID)
State: NA
Local Address: KEN-PC:500
Remote Address: NA
Type: UDP
Process: 1556 (PID)
State: NA
Local Address: KEN-PC:123
Remote Address: NA
Type: UDP
Process: 1752 (PID)
State: NA
******************************************************************************************
******************************************************************************************
No hidden files/folders found


----------



## Cookiegal (Aug 27, 2003)

Please do the following command:

*netstat -an*

And post that log and also do the following please:

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Kenneedshelp (Apr 11, 2010)

netstat -an

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Ken>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:10243 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49375 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49375 127.0.0.1:49376 ESTABLISHED
TCP 127.0.0.1:49376 127.0.0.1:49375 ESTABLISHED
TCP 192.168.1.2:139 0.0.0.0:0 LISTENING
TCP 192.168.1.2:2869 192.168.1.1:3210 ESTABLISHED
TCP 192.168.1.2:49166 88.221.88.57:80 CLOSE_WAIT
TCP 192.168.1.2:49167 88.221.88.57:80 CLOSE_WAIT
TCP 192.168.1.2:49372 207.46.124.58:1863 ESTABLISHED
TCP 192.168.1.2:50022 94.127.75.60:80 CLOSE_WAIT
TCP 192.168.1.2:50231 216.239.59.103:80 CLOSE_WAIT
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:554 [::]:0 LISTENING
TCP [::]:2869 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:10243 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
TCP [::]:49158 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:623 *:*
UDP 0.0.0.0:664 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5004 *:*
UDP 0.0.0.0:5005 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:54207 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:49286 *:*
UDP 127.0.0.1:49475 *:*
UDP 127.0.0.1:51930 *:*
UDP 127.0.0.1:52939 *:*
UDP 127.0.0.1:53435 *:*
UDP 127.0.0.1:55200 *:*
UDP 127.0.0.1:55951 *:*
UDP 127.0.0.1:55972 *:*
UDP 127.0.0.1:57184 *:*
UDP 127.0.0.1:59831 *:*
UDP 127.0.0.1:60821 *:*
UDP 127.0.0.1:62143 *:*
UDP 192.168.1.2:9 *:*
UDP 192.168.1.2:137 *:*
UDP 192.168.1.2:138 *:*
UDP 192.168.1.2:1900 *:*
UDP 192.168.1.2:59830 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:5004 *:*
UDP [::]:5005 *:*
UDP [::]:5355 *:*
UDP [::]:54208 *:*
UDP [::1]:1900 *:*
UDP [::1]:59828 *:*
UDP [fe80::43b:3e3b:3f57:fefd%11]:1900 *:*
UDP [fe80::43b:3e3b:3f57:fefd%11]:59829 *:*
UDP [fe80::7db9:42ad:3a40:b632%10]:546 *:*
UDP [fe80::7db9:42ad:3a40:b632%10]:1900 *:*
UDP [fe80::7db9:42ad:3a40:b632%10]:59827 *:*
UDP [fe80::e5e1:d122:2be7:e442%13]:1900 *:*
UDP [fe80::e5e1:d122:2be7:e442%13]:59826 *:*
C:\Users\Ken>

HJT in a min
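A small triage helper for the kind of netstat output pasted in this thread, added here as an example (it is not code from the thread or from any tool mentioned in it). It parses the text format of Windows `netstat -an` / `netstat -o`, lists the listening ports that are reachable from other hosts rather than bound to loopback only, and groups established connections by owning PID so each remote endpoint can be tied back to a process. The sample lines are copied from the netstat posts above.

```python
"""Triage helper for Windows `netstat -an` / `netstat -o` text output.

Added example, not code from the thread. It separates listening sockets
bound to every interface (0.0.0.0 / [::]) or to the LAN address from
loopback-only ones, and groups ESTABLISHED connections by PID. On the
machine itself `tasklist /FI "PID eq 3708"` shows which executable owns
a PID reported by `netstat -o`.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample lines taken from the thread's `netstat -an` post.
NETSTAT_AN = """\
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49375 0.0.0.0:0 LISTENING
TCP 192.168.1.2:139 0.0.0.0:0 LISTENING
TCP 192.168.1.2:49372 207.46.124.58:1863 ESTABLISHED
TCP [::]:445 [::]:0 LISTENING
UDP 127.0.0.1:49286 *:*
UDP 192.168.1.2:1900 *:*
"""

# Sample lines taken from the thread's `netstat -o` post.
NETSTAT_O = """\
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:49375 Ken-PC:49376 ESTABLISHED 3708
TCP 192.168.1.2:49372 by2msg4010611:msnp ESTABLISHED 3708
TCP 192.168.1.2:49499 213.199.141.140:http ESTABLISHED 6104
TCP 192.168.1.2:49500 213.199.141.139:http ESTABLISHED 6104
"""


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: Optional[str]  # None for UDP rows, which have no state column
    pid: Optional[int]    # only present when netstat was run with -o


def _split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'host:port'; host may be a bracketed IPv6 literal or '*'."""
    if endpoint == "*:*":
        return "*", "*"
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat rows; banner, header and prompt lines are skipped."""
    rows: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        rest = parts[3:]
        state = pid = None
        if rest and not rest[0].isdigit():   # TCP state column
            state = rest.pop(0)
        if rest and rest[0].isdigit():       # PID column from -o
            pid = int(rest[0])
        lh, lp = _split_endpoint(parts[1])
        rh, rp = _split_endpoint(parts[2])
        rows.append(Socket(parts[0], lh, lp, rh, rp, state, pid))
    return rows


def _is_loopback(host: str) -> bool:
    return host.startswith("127.") or host == "[::1]"


def exposed_listeners(rows: List[Socket]) -> List[str]:
    """Return 'proto/port' for sockets other hosts could reach: TCP sockets
    LISTENING on a non-loopback address and UDP sockets bound there."""
    found = set()
    for s in rows:
        if _is_loopback(s.local_host):
            continue
        if s.proto == "TCP" and s.state == "LISTENING":
            found.add(f"tcp/{s.local_port}")
        elif s.proto == "UDP":
            found.add(f"udp/{s.local_port}")
    return sorted(found, key=lambda x: (x[:3], int(x[4:])))


def connections_by_pid(rows: List[Socket]) -> Dict[int, List[str]]:
    """Map each PID to the remote endpoints it holds ESTABLISHED connections
    to, ignoring loopback pairs (a process talking to itself)."""
    by_pid: Dict[int, List[str]] = defaultdict(list)
    for s in rows:
        if s.state != "ESTABLISHED" or s.pid is None:
            continue
        if _is_loopback(s.local_host):
            continue
        by_pid[s.pid].append(f"{s.remote_host}:{s.remote_port}")
    return dict(by_pid)


if __name__ == "__main__":
    print("Exposed listeners:", exposed_listeners(parse_netstat(NETSTAT_AN)))
    for pid, remotes in connections_by_pid(parse_netstat(NETSTAT_O)).items():
        print(f"PID {pid}: {', '.join(remotes)}")
```

A listener on 0.0.0.0 or the LAN address is only reachable from the internet if nothing (a router with no forwarded ports, a host firewall) sits in front of it, which is the point the later replies make.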


----------



## Kenneedshelp (Apr 11, 2010)

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:07:33, on 11/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Windows\vsnp2std.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Windows\FixCamera.exe
C:\Windows\tsnp2std.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\program files (x86)\avira\antivir desktop\avcenter.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files (x86)\Microsoft\Office Live\OfficeLiveSignIn.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [HDAudDeck] "C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files (x86)\Corel\Corel MediaOne\Corel PhotoDownloader.exe" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [FixCamera] C:\Windows\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\Windows\tsnp2std.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [googletalk] "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /nosplash
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O13 - Gopher Prefix: 
O15 - Trusted Zone: http://chat0.swingingheaven.co.uk
O15 - Trusted Zone: http://www.swingingheaven.co.uk
O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader57.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\SysWOW64\IoctlSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 12822 bytes


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## Kenneedshelp (Apr 11, 2010)

As requested, Malwarebytes quick scan results:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
12/04/2010 11:12:52
mbam-log-2010-04-12 (11-12-52).txt
Scan type: Quick scan
Objects scanned: 107695
Time elapsed: 4 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal, I have kept HJT open since sending you the results; is it OK to close it down now?


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal,

I know you are busy people, but how are things going?

Regards

Ken


----------



## TerryNet (Mar 23, 2005)

From the first post: "gv-in-f105". This site says that it "Redirects to Exploit kit." Is that meaningful?


----------



## TerryNet (Mar 23, 2005)

Post #5 shows IP 213.199.141.139, which is on this Offensive IP database.

Also 213.199.141.140.


----------



## Cookiegal (Aug 27, 2003)

Thanks Terry. Something is definitely amiss.

Download *OTS.exe * to your Desktop and double-click on it to extract the files. It will create a folder named *OTS* on your desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Open the *OTS* folder and double-click on *OTS.exe* to start the program.
In *Additional Scans *section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan *button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## Kenneedshelp (Apr 11, 2010)

Thanks Terry, none of what you ask means anything to me, except redirect and exploit can only be bad!

Cookiegal, hi, as requested: ots.txt

Do I need to keep the OTS prog open?


----------



## TerryNet (Mar 23, 2005)

> Thanks Terry, none of what you ask means anything to me, except redirect and exploit can only be bad!


Sorry for my brevity. Cookiegal asked me to take a look at the netstat outputs, and that is what I found. Yeah, redirect and exploit and the "offensive" IPs seem to confirm your suspicions. Now I gotta be quiet and let Cookiegal do her magic.


----------



## Kenneedshelp (Apr 11, 2010)

No need for sorries, Terry, as long as we can get it licked; I'm sure Cookiegal will sort me out.


----------



## Cookiegal (Aug 27, 2003)

I see you have Acronis True Image installed. Do you have a recent backup?

If you do, I would back up anything you need since your last backup and then restore the system from the Acronis image.


----------



## TerryNet (Mar 23, 2005)

Hey, that's *my *way of fixing malware problems!


----------



## Kenneedshelp (Apr 11, 2010)

Hi Cookiegal,

Is it that bad? Is there no way to clean this? I'd rather not use the backup as I'm not sure how long this has been on the PC!! If this can't be cleaned, maybe doing a fresh install would be better; I wouldn't want to restore just to find it's still there.

Regards Ken


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal/Terry,

My main concern is stopping this happening again! Would you have any idea how this got on the machine? I was thinking via my IP someone had managed to get in, or from an email or something? What would you suggest as protection? An IP hiding agent? Working via a proxy?

Ken


----------



## TerryNet (Mar 23, 2005)

I'll give my understanding from a network (not malware) perspective.

If you are being explicitly targeted then every defense, including using a proxy, helps. But generally the bad guys just have programs running that constantly scan all IP addresses and probe for vulnerabilities. They will definitely find you and me and everybody else that way. Those of us with vulnerabilities will suffer. At home I'm always behind my router, with no ports forwarded, so feel pretty safe from that kind of attack. (Secured wireless, of course.) When on a public network (including, say, at a hotel where I'm behind a router but don't know the other folks on the network) I try to remember to have Vista or Windows 7 designate the network "public," which blocks access.

Most danger is from downloading infected files or clicking on "bad" links in email messages.

In short, put up a router or firewall as a shield, and then don't help the bad guys find ways around it.


----------



## Cookiegal (Aug 27, 2003)

I was going to mention a router as well as these wouldn't get through if you had one. There are ports open that shouldn't be.

64-bit machines don't usually get infected that deeply but it's more difficult to clean them as not many tools will run on them.

That's why it would be much easier and more efficient to restore a clean image and install a router to block future attacks. But I understand you aren't sure that will fix the problem since you don't know how far back to go. Then if a reformat is an option, that might be the best solution.

Did you put those sites in the trusted zone intentionally? Those are the entries that show as O15 in the HijackThis log.

I haven't had a chance to go through the entire OTS log yet and won't until sometime tomorrow.

You also seem to be running two anti-virus programs, Avira and AVG. This can cause conflicts and you should uninstall one or the other. Personally, I would opt to keep Avira.


----------



## Kenneedshelp (Apr 11, 2010)

Terry, Cookiegal,

Thank you so much for your help. Yes, I am behind a router, which as you say would help, but they have still managed to get through. The 2 trusted sites I have used since 2005 with no problem. Yes, I have been specifically targeted by an individual who has been trying to do all they could to ruin my life.

I only recently put the 2nd anti-virus on as I was advised to try Avira to see if it would find anything AVG was missing. I have 2 machines running on my network so I think it's going to be a re-install of all of them for safety's sake!

Kind regards

Ken


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal,

You mentioned that there are ports open that shouldn't be! Which ports, and how would I close them?


----------



## Cookiegal (Aug 27, 2003)

A reinstall of the operating system and resetting the router should take care of them.

But you could do a ShieldsUp! test here:

http://www.grc.com/intro.htm
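One way to get a first answer to "which ports are open" from the same kind of `netstat` output already being exchanged in this thread, as an added example that is not from anyone in the thread: it parses `netstat -ano` lines (the sample below is constructed, not Ken's real output), lists listeners bound to anything other than loopback, and groups established sessions by external host, so each PID can then be looked up in Task Manager or Process Explorer.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in `netstat -ano` layout (not the thread's real output).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:5152           0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:1033         0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.2:49289      213.199.164.110:80     ESTABLISHED     2820
  TCP    192.168.1.2:49310      wy-in-f101:80          ESTABLISHED     2820
  TCP    192.168.1.2:1841       192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1156
"""

def split_endpoint(ep):
    """Split 'host:port' or '[v6]:port' into (host, port); '*:*' -> ('*', '*')."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), port

def is_internal(host):
    """True for loopback/private/link-local/unspecified; unresolved names count as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def parse_netstat(text):
    """Turn netstat -ano rows into dicts; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(p[1])
        rhost, rport = split_endpoint(p[2])
        conns.append({"proto": p[0], "lhost": lhost, "lport": lport, "rhost": rhost,
                      "rport": rport, "state": p[3] if p[0] == "TCP" else "", "pid": p[-1]})
    return conns

def triage(conns):
    """Listeners reachable beyond loopback, plus established sessions to external hosts."""
    exposed, external = [], defaultdict(list)
    for c in conns:
        listening = c["state"] == "LISTENING" or c["proto"] == "UDP"
        if listening and not ipaddress.ip_address(c["lhost"]).is_loopback:
            exposed.append((c["proto"], c["lport"], c["pid"]))   # check this PID
        elif c["state"] == "ESTABLISHED" and not is_internal(c["rhost"]):
            external[c["rhost"]].append((c["rport"], c["pid"]))
    return {"exposed_listeners": exposed, "external_established": dict(external)}
```

Ports bound to 0.0.0.0 or :: are what a ShieldsUp! scan would probe from outside; a router with no forwarding hides them, but any PID on that list that you cannot name is still worth investigating.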


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal, I forgot all about ShieldsUp! I'll use it.


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal, I'd like to thank both you and Terry for your help. I'm planning to go back to XP, I think. If it's OK with you I'll leave this open and let you know how things are once I've installed tomorrow and run ShieldsUp, as well as adding a new firewall too.

Regards
Ken


----------



## Kenneedshelp (Apr 11, 2010)

Cookiegal, can I ask one last bit of help? Could you possibly see what you can find about t2compuf-a5ff58? It wasn't on my PC but my girlfriend's; there were 5 connections all established in her netstat. The ports in use were 1032, 1033, 1035, 1841, 1844 and 5152. The reason I'm concerned is that my own web site is compufix.co.uk and I fear this is trying to make it look like I am doing some meddling!!!!


----------



## Cookiegal (Aug 27, 2003)

Can you post her netstat report?

Is there any reason for that computer to connect to your site?


----------



## Kenneedshelp (Apr 11, 2010)

Hi Cookiegal,

No, that computer had no reason and wasn't on my site at the time that the netstat was done! I just connected to my site and the netstat shows the IP 207.46.222.11, which shows Microsoft Corp, who is my host. I did a whois on compufix.co.uk and it gives the IP 207.46.222.11, so this has me more concerned!!!!!! Did you manage to find anything on t2compuf-a5ff58?


----------



## Cookiegal (Aug 27, 2003)

I really don't know. Could t2compuf-a5ff58 be the name of one of the computers?


----------



## Kenneedshelp (Apr 11, 2010)

None of my computers have that name or anything like it, but I get where you're coming from. Is there no way to trace this????


----------



## Cookiegal (Aug 27, 2003)

Some of those ports can be used by malware but also by legitimate connections, but they do certainly look suspicious.

Can you post her netstat logs? Perhaps we should see a HijackThis log from her computer as well.


----------

