# big problem with hacker, pls help me



## vanesa (Aug 27, 2005)

hi,
I am new here and I have a big problem with one hacker, who has embarrassed me for almost a whole year.
I don't know what can be done.
Can anybody help me hide myself and my PC from this hacker?
He does many things to me on my PC.
He can stop my chat when I use Yahoo Messenger, he can change my settings, etc.
I formatted my hard disk 3 times and in the end I changed my net provider, but nothing. He is here and does bad things with my PC. He has embarrassed me too much. Please, if anybody knows how I can clean my PC of him, please help me.
My hard disk is separated into two parts and I always formatted only C. Maybe he put a trojan gen on the D part, because there is one folder there with access denied for me: System Volume Information.
I really need your help.
Thanks

netstat -an
This is what it shows me when I am connected to the net:

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3003 0.0.0.0:0 LISTENING

This is when I am disconnected from the net:

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:58581 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3003 0.0.0.0:0 LISTENING
thanks
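
An added example, not part of the original post: a small Python script that diffs the two `netstat -an` captures above and reports which listening ports appear or disappear between them. The captures are retyped from the post in standard netstat layout, and the function names are illustrative.

```python
import re

# Captures retyped from the post above in standard `netstat -an` layout.
ONLINE = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3003 0.0.0.0:0 LISTENING
"""
OFFLINE = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:58581 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3003 0.0.0.0:0 LISTENING
"""

# proto, local address, local port, foreign address, LISTENING state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.I)

def listeners(text):
    """Return the set of (proto, local_addr, port) for every LISTENING row."""
    found = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            found.add((m.group(1).upper(), m.group(2), int(m.group(3))))
    return found

def diff_listeners(before, after):
    """Compare two captures: which listeners opened, closed, or stayed."""
    a, b = listeners(before), listeners(after)
    return {"opened": sorted(b - a), "closed": sorted(a - b), "unchanged": sorted(a & b)}

def all_interfaces(rows):
    """Listeners bound to every interface, reachable unless a firewall blocks them."""
    return [r for r in rows if r[1] in ("0.0.0.0", "[::]")]

if __name__ == "__main__":
    d = diff_listeners(ONLINE, OFFLINE)
    print("opened:", d["opened"])
    print("closed:", d["closed"])
    print("bound to all interfaces:", len(all_interfaces(d["unchanged"])))
```

The PID column of `netstat -ano` identifies the owning process for any port reported under `opened`.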


----------



## Terrister (Apr 18, 2005)

What have you done to try to remove this?

Run the Trend Online scan below. Also run Spybot and Ad-aware scans. Let's see what these find.


----------



## vanesa (Aug 27, 2005)

This is the first result of the scan with Trend Micro:
http://housecall60.trendmicro.com/housecall/en/actionresult.htm


----------



## tetonbob (Jan 10, 2005)

vanesa -

Your link results in a blank page, for me at least. IE and FF. Can you copy and paste the results from the scan here, please?

Another effective online scan is Panda:

Perform an online scan with Internet Explorer with *Panda ActiveScan* - requires Internet Explorer

1. Click on the *Scan your PC* button & a 'pop up' window shall appear. (Ensure that your pop up blocker doesn't block it.)
2. Click on 'Scan Now'.
3. Enter your e-mail address & click 'Scan Now' ... this begins downloading Panda's ActiveX controls - 8MB.
4. Begin the scan by selecting *My Computer*. (You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.)
5. If it finds any malware, it will offer you a report. Click on *see report*.
6. Then click *Save report*.
7. Post the contents of the report in your next reply.

Turn off the real time scanner of any existing antivirus program while performing the online scan.


----------



## SirNtwrk (Aug 30, 2005)

*Hacker troubles*

Hey Vanesa, do you have any kind of firewall enabled? Either software (XP SP2, Norton) or some kind of hardware firewall?

Is this your home machine or a machine on an office network?

I would personally start from scratch again and reinstall XP with service pack 2. Next, rename your local admin account to something other than Administrator and give it a complex password, 8 characters at least, upper and lower case with numbers, and make it something pretty random. Next, disable Guest accounts.

Make sure that your firewall does not allow ANYTHING through. That should keep you safe unless the hacker has had physical access to your computer or is sniffing your network directly. I would make sure that you log off or lock your machine whenever you are away from it, even if it is your home address. 

Are you on a wireless network? If so, make sure that you have disabled the broadcast SSID of your network, turn on WEP encryption and MAC filtering.

You may want to increase your physical security if the hacker has managed to get into your machine even AFTER a complete reformat. Look for anything attached between the keyboard and computer; some devices can log any keystroke and allow a hacker to get your personal information.

Please let me know if any of this helps and what you currently have in place in terms of network (wireless/DSL/cable/dialup/office LAN).


----------



## vanesa (Aug 27, 2005)

*Thanks*

Hi,
Thanks for the answer.
I will try to attach the file.
I scanned with Panda but it says the PC is clear.
And I really have a problem with this hacker guy.
Big thanks


----------



## vanesa (Aug 27, 2005)

This is the result of the second scan with Panda.
Thanks

| Incident | Status | Location |
|---|---|---|
| Dialer:dialer.bjp | No disinfected | HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET |
| Dialer:dialer.akd | No disinfected | HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ |
| Spyware:Spyware/Cydoor | No disinfected | C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll |


----------



## tetonbob (Jan 10, 2005)

From looking over your Trend log, it would appear you are operating an unpatched system. I would highly suggest you visit *Microsoft's Windows Update Page* and install *ALL Critical Updates* for your system *(except service pack 2 [SP2])*. *SP2* should *only* be installed on a fully disinfected system. At the minimum install at least *SP1a* for both *XP* and *IE6*. Without these updates your system is wide open to re-infection.

Then, please download HijackThis http://www.greyknight17.com/spy/HijackThis.exe - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.


----------



## vanesa (Aug 27, 2005)

Hi,
Thanks again

While I was waiting for your reply I saw this link *http://www.greyknight17.com/spyware.htm#adaware* and started to follow its instructions, and at the end of it, it is written that we must send the log to the forum. I sent my HJT log to this HijackThis Log Help forum because I thought that I must send it there.
I am so ashamed that I wrote in 2 forums about my problem, but this happened by chance, really.
I beg big excuse for this,
and big thanks (so sorry that my English is so bad and I don't know the right words to express my gratitude).
Now I have updated my Windows and scanned the PC again with all these programs and made a new HJT log, and I paste it here:

Logfile of HijackThis v1.99.1
Scan saved at 1:06:21 PM, on 9/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
D:\install\Messenger\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\dictionary\Diction.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Servant Salamander 2.0\salamand.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\install\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - 
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4566/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE732B92-E0DA-4862-B9AA-B3141B5CE3B9}: NameServer = 195.149.255.86 195.149.248.177
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc. - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

I also attach 3 files; one of them is the new Trend scan.
Big thanks
I am really so grateful for your help


----------



## tetonbob (Jan 10, 2005)

Hi vanesa -

It appears you are receiving help from MicroBell in another thread, here:

http://www.techsupportforum.com/showthread.php?t=67575

Please keep all replies to your current issue in that thread, so that our efforts to assist you are not duplicated.

To help you find that thread again, you may wish to bookmark it (add it to your Favorites). Also, you may wish to subscribe to it via the Thread Tools submenu on the page. This will give you instant email notification when there has been a reply to your thread.

I am closing this thread to avoid any further duplication.


----------

