my yahoo messenger is hacked!


32 Replies - 2205 Views - Last Post: 14 January 2009 - 09:58 AM

#16 Nykc

Posted 13 January 2009 - 12:45 PM

Run a HijackThis and post it here.

Trend Micro - Hijack This

What did your AV claim it removed?

#17 dan_ram

Posted 13 January 2009 - 12:48 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:57 AM, on 1/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com...ts/reader/8to9/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1229601539390
O17 - HKLM\System\CCS\Services\Tcpip\..\{50FC13C1-8CC0-42B0-9FF9-4A3FEA2DC465}: NameServer = 203.187.244.66 203.187.244.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FE5CCAC-5826-4061-ACEC-5E5C28B5BD1E}: NameServer = 202.54.6.60,202.54.29.5
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4175 bytes

#18 skyhawk133

Posted 13 January 2009 - 12:50 PM

I'm going to move this thread to Computer Support.

That HijackThis log looks clean. I'll let others take a gander as well.

#19 Nykc

Posted 13 January 2009 - 12:57 PM

I don't see anything unusual either.

I personally am not a fan of Yahoo Toolbar though.

#20 dan_ram

Posted 13 January 2009 - 01:00 PM

Hmm....
Come to think of it, I don't remember downloading it... and it's not there in my browser!!

Ohkk.. Yahoo Toolbar is for IE, which "I" rarely open.. others use it (dunno why) when there's Firefox!!

This post has been edited by dan_ram: 13 January 2009 - 01:01 PM

#21 homemade-jam

Posted 13 January 2009 - 01:00 PM

What are these... pretty nondescript:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

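Added example (not part of the original posts): a small Python triage pass over the O4 autorun lines of the log above. It lists the entries whose program is named without a drive or UNC path, which is why they read as nondescript: the log line alone does not say which file on disk is launched. The function names and the flagging rule are assumptions of this example.

```python
import re

# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
"""

# Line shape: "O4 - <key>: [<value name>] <command>"
O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# Command that starts with a drive-letter or UNC path, optionally quoted.
ABSOLUTE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\)')


def parse_o4(log_text):
    """Return (key, value name, command) for each non-empty O4 autorun entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m and m.group("name"):  # "[]" marks an empty RunOnce key
            entries.append((m.group("key"), m.group("name"), m.group("cmd").strip()))
    return entries


def unqualified_autoruns(log_text):
    """Return (key, value name, program) for autoruns given without a full path."""
    flagged = []
    for key, name, cmd in parse_o4(log_text):
        if not ABSOLUTE.match(cmd):
            program = cmd.split()[0] if cmd else ""
            flagged.append((key, name, program))
    return flagged


if __name__ == "__main__":
    for key, name, program in unqualified_autoruns(SAMPLE_LOG):
        print(f"{key} [{name}] -> {program}: confirm which file on disk this resolves to")
```
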

#22 Nykc

Posted 13 January 2009 - 01:05 PM

@homemade-jam

nwiz.exe description

rthdcpl.exe info

alcmtr.exe

#23 homemade-jam

Posted 13 January 2009 - 01:08 PM

Thanks, was too lazy to google - how should come with a description like the others.

#24 Nykc

Posted 13 January 2009 - 01:09 PM

Yeah I know.

I was leery of the nwiz one myself at first.

#25 KYA

Posted 13 January 2009 - 01:17 PM

AV doesn't always get rid of ad/spy/malware. OP

#26 Nykc

Posted 13 January 2009 - 01:22 PM

Would be good to look into using Ad Aware on top of AV.

#27 ValPaliy

Posted 13 January 2009 - 01:34 PM

I'd advise googling for a similar software, using it on him... that should make him stop. After that - change your password.

#28 no2pencil

Posted 13 January 2009 - 07:30 PM

dan_ram, on 13 Jan, 2009 - 01:11 PM, said:

he does not have ill intentions but he seems to be reading all my chat messages with everyone whom I chat while he's online.

Is he on your network (subnet) or is this over the internet?

If he is on the same network (like a 192.168.x.x home subnet) then he's probably using ARP poisoning to intercept non-encrypted data on your network.

If you are using wireless, then set up encryption & don't let him know the key.

#29 lanec42

Posted 13 January 2009 - 07:54 PM

After detailed analysis of the hijack this log and deep meditation about your problem, I have come to the conclusion that your friend (?!) was looking over your shoulder when you typed in the password. (or something similar: packet sniffing, keylogging) If you're looking for a good AV, avast! Antivirus is the best thing that's happened to my comp. (As far as my Winblows partition goes.)

#30 no2pencil

Posted 13 January 2009 - 08:43 PM

All of the antivirus, good passwords, & hijackthis logs that the world has to offer will not protect this poster from ARP poisoning.

& if his friend is copy & pasting chat text... I'm willing to bet is what's happening.
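Added example (not part of the original posts): a Python check for the ARP poisoning scenario raised in posts #28 and #30. It parses Windows `arp -a` output and reports any hardware address that answers for more than one IP. The sample table is constructed, and the function names and `gateway` parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (all addresses are made up).
SAMPLE_ARP = """
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.35          00-1A-2B-3C-4D-5E     dynamic
  192.168.1.40          00-22-33-44-55-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, MAC with "-" or ":" separators, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+(\w+)"
)


def parse_arp_table(text):
    """Map each unicast MAC (lower case, '-' separated) to the IPs resolving to it."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace(":", "-")
        # The low bit of the first octet marks broadcast/multicast: skip those.
        if int(mac[:2], 16) & 1:
            continue
        by_mac[mac].add(ip)
    return by_mac


def shared_macs(text, gateway=None):
    """Return {mac: sorted IPs} for MACs that answer for more than one IP.

    If gateway is given, report only MACs whose IP set includes it.
    """
    def ip_key(ip):
        return tuple(int(part) for part in ip.split("."))

    result = {}
    for mac, ips in parse_arp_table(text).items():
        if len(ips) > 1 and (gateway is None or gateway in ips):
            result[mac] = sorted(ips, key=ip_key)
    return result


if __name__ == "__main__":
    print(shared_macs(SAMPLE_ARP, gateway="192.168.1.1"))
```

A shared MAC is an indicator, not proof: some routers legitimately answer for several addresses, so compare the result against the gateway's known hardware address.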
