
Thread: Hi, Please kindly analyze this HIJACKTHIS log

  1. #1 Junior Member (Join Date: Nov 2005, Posts: 6)

    Hi, Please kindly analyze this HIJACKTHIS log

    Hi, first I need to be clear about my situation:

    I am using NPF 2006, NOD32, Ad-aware, Spybot... NOT on any LAN or network connection.
    Did all the online scans but nothing found...

    1. In the last few days I noticed something weird in my Norton Personal Firewall's log, which stated:

    Local IP address: local host
    Local Service Port: backdoor**(forgot name but it start with backdoor)
    Remote IP address: Local Host
    Remote Service Port: *forgot which number

    Can you please tell me what's the meaning of the log?

    2. Under "Computer Management" > "Security"
    there are a few weird logs too...

    Policy Change:

    a. A port was listed as an exception when the Windows Firewall started.
    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: Remote Desktop
    Port number: 3389
    Protocol: TCP
    State: Disabled
    Scope: All subnets

    b. A port was listed as an exception when the Windows Firewall started.
    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: UPnP Framework over TCP
    Port number: 2869
    Protocol: TCP
    State: Disabled
    Scope: Local subnet only

    c. A port was listed as an exception when the Windows Firewall started.
    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: NetBIOS Session Service
    Port number: 139
    Protocol: TCP
    State: Disabled
    Scope: Local subnet only

    d. An application was listed as an exception when the Windows Firewall started.
    Policy origin: Local Policy
    Profile used: Standard
    Name: Remote Assistance
    Path: C:\WINDOWS\system32\sessmgr.exe
    State: Disabled
    Scope: All subnets

    and so on... I DID NOT CHANGE any of the settings at all...
    Sorry about the long post, but I just want to be clear...

    Alright, so this is my HIJACKTHIS log...

    Logfile of HijackThis v1.99.1
    Scan saved at 6:05:25 AM, on 11/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\mmc.exe
    C:\AntiSpyWare\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.flowerpod.com.sg/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.flowerpod.com.sg/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Norton Personal Firewall 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton Personal Firewall 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e3\Disk_Monitor.exe
    O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...30/mcfscan.cab
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Please comment... thanks in advance!
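An added example (not from the thread or from HijackThis itself) showing the kind of first-pass triage a log reviewer does on entries like the ones above: it splits the log into section codes (R0, O4, O16, O23, ...) and buckets the entries that deserve a second look. The sample lines are copied from the poster's log; the flag names are this example's own labels.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the HijackThis log in the post.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.flowerpod.com.sg/
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\\Program Files\\Common Files\\Adobe Systems Shared\\Service\\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
"""

# HijackThis entries start with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.*)$")

def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one record per entry: its section code and the rest of the line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def triage(entries: List[Dict[str, str]]):
    """Bucket the entries a reviewer reads first. These are review prompts, not verdicts:
    'Unknown owner' only means HijackThis found no company name for the service, and the
    thread's expert judged this log clean."""
    flags = []
    for e in entries:
        t, body = e["type"], e["body"]
        if "(file missing)" in body:                 # leftover reference to a deleted file
            flags.append(("stale_reference", t, body))
        if t == "O23" and "Unknown owner" in body:   # service with no vendor string
            flags.append(("unknown_service_owner", t, body))
        if t == "O16":                               # downloaded ActiveX control; note its host
            host = re.search(r"https?://([^/]+)/", body)
            flags.append(("activex_download", t, host.group(1) if host else body))
        if t in ("R0", "R1") and "http" in body:     # browser start/default page settings
            flags.append(("browser_start_page", t, body.split("=", 1)[1].strip()))
    return flags
```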

  2. #2 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi mimijo
    Since you use Norton's firewall, the Windows built-in firewall should be disabled:
    http://www.utmem.edu/helpdesk/sp2/sp2firewall.htm

    Since you use NOD32, I suggest disabling all of Norton's various options except its firewall.
    j2re1.4.2_01 < update the Java plugin
    Sun Java V1.5.0_04 is available
    http://java.com/en/index.jsp

  3. #3 Junior Member (Join Date: Nov 2005, Posts: 6)

    Hi LonnyRJones,

    As for the Windows Firewall issue, yes, I know that I need to turn off the Windows Firewall since I am using Norton... and it's off by default, but I am just feeling weird because I didn't even ALLOW all those ports in Windows Firewall before....
    And why is it that it's stated as "Exception"? Could it be possible that someone hacked into my computer and adjusted the settings in Windows Firewall?

    As for the Java, well, I am using Firefox with Java turned off...
    so I don't intend to update it...

    BTW, can someone please kindly check my HiJACKTHIS log?
    I am feeling very insecure since I saw the log entry in NPF regarding the "Backdoor***.... : (

    Thanks!
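An added example (not from the thread) that reads Security-log entries of the kind quoted in post #1 and reports only the exceptions whose State is Enabled, which is the field that decides whether a listed exception actually opens anything. The sample text is constructed: two entries copied from the poster's log plus one made-up Enabled entry, since every real one there is Disabled.

```python
import re

# Constructed sample: two "Policy Change" entries quoted in the post, plus one constructed
# entry with State: Enabled so the check has something to report.
SAMPLE_EVENTS = """\
A port was listed as an exception when the Windows Firewall started.
Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Remote Desktop
Port number: 3389
Protocol: TCP
State: Disabled
Scope: All subnets

An application was listed as an exception when the Windows Firewall started.
Policy origin: Local Policy
Profile used: Standard
Name: Remote Assistance
Path: C:\\WINDOWS\\system32\\sessmgr.exe
State: Disabled
Scope: All subnets

A port was listed as an exception when the Windows Firewall started.
Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Constructed Test Listener
Port number: 8080
Protocol: TCP
State: Enabled
Scope: All subnets
"""

def parse_exception_events(text):
    """Split the dump on blank lines; each block becomes a dict of its 'Key: Value' fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        event = {"kind": "port" if lines[0].startswith("A port") else "application"}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # first colon only, so Windows paths survive
            event[key.strip().lower().replace(" ", "_")] = value.strip()
        events.append(event)
    return events

def active_exceptions(events):
    """Only Enabled exceptions open anything; Disabled ones are merely listed in the policy."""
    return [e for e in events if e.get("state", "").lower() == "enabled"]
```

Run on the poster's own entries, the Enabled list comes back empty, which is the check behind the question of whether those exceptions were ever allowed.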

  4. #4 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi

    Your log looks fine.

    As for what Norton reported, try another opinion, ShieldsUP:
    https://www.grc.com/x/ne.dll?bh0bkyd2

  5. #5 Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,491)

    As the problem appears to be resolved this topic will be archived.
    If you need the topic reopened please pm me.
