IM OWNED

Discuss security related topics in here (Hacking, Cracking, and Protecting)
Do not post HJT Logs here

Moderator: PCguy


Postby ComputerBOB » Fri May 14, 2004 3:03 am

205.188.146.146:11523 ESTABLISHED
205.188.146.146:11523 ESTABLISHED
152.163.13.205:13784 ESTABLISHED

hmmmm

Can't seem to find out how these 3 people are connecting to my computer.

I ended everything in Processes one by one, still connected.

205.188.146.146 connects to my computer as soon as I sign on and is connected 24/7 (for as much as I know).

There's no trojan in Processes that I can find. I did an online scan with Norton AntiVirus and it said I was clean. But there's someone connecting to my computer from AOL and the other from ADSL.

I just hope I can find it before I get owned even more so. :(
ComputerBOB
Newbie
Posts: 2
Joined: Fri May 14, 2004 1:00 am

Postby Cactus » Fri May 14, 2004 3:24 am

The IP 205.188.146.146 belongs to AOL

Search results for: 205.188.146.146


OrgName: America Online, Inc
OrgID: AMERIC-59
Address: 22080 Pacific Blvd
City: Sterling
StateProv: VA
PostalCode: 20166
Country: US

NetRange: 205.188.0.0 - 205.188.255.255
CIDR: 205.188.0.0/16
NetName: AOL-DTC
NetHandle: NET-205-188-0-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Assignment
NameServer: DNS-01.NS.AOL.COM
NameServer: DNS-02.NS.AOL.COM
Comment:
RegDate: 1998-04-18
Updated: 1998-04-27

TechHandle: AOL-NOC-ARIN
TechName: America Online, Inc.
TechPhone: +1-703-265-4670
TechEmail: domains@aol.net


The IP 152.163.13.205 belongs to AOL

Search results for: 152.163.13.205


OrgName: America Online
OrgID: AOL
Address: 22000 AOL Way
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US

NetRange: 152.163.0.0 - 152.163.255.255
CIDR: 152.163.0.0/16
NetName: AOL-BNET
NetHandle: NET-152-163-0-0-1
Parent: NET-152-0-0-0-0
NetType: Direct Assignment
NameServer: DNS-01.NS.AOL.COM
NameServer: DNS-02.NS.AOL.COM
Comment:
RegDate: 1992-04-01
Updated: 1999-12-02

TechHandle: AOL-NOC-ARIN
TechName: America Online, Inc.
TechPhone: +1-703-265-4670
TechEmail: domains@aol.net

OrgAbuseHandle: AOL382-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-265-4670
OrgAbuseEmail: abuse@aol.net

OrgNOCHandle: AOL236-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-703-265-4670
OrgNOCEmail: noc@aol.net

OrgTechHandle: AOL-NOC-ARIN
OrgTechName: America Online, Inc.
OrgTechPhone: +1-703-265-4670
OrgTechEmail: domains@aol.net
Cactus
Geek Alumni
Posts: 1330
Joined: Sat Nov 30, 2002 1:00 am
Location: Somewhere...

Postby brad » Fri May 14, 2004 3:29 am

Download and install HijackThis. Now run it and post a copy of the log file here.
brad
"Duty is a matter of the mind. Commitment is a matter of the heart".
Geek Alumni
Posts: 2079
Joined: Sat Jul 19, 2003 1:00 am
Location: Charlotte, NC

Postby ComputerBOB » Fri May 14, 2004 4:14 am

Logfile of HijackThis v1.97.7
Scan saved at 10:56:10 PM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Owner\My Documents\p0ned owner tools\P0ned Owner Tool2.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Anti-Virus&Spyware\Anti-Virus&Spyware.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\America Online 8.0\waol.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\AOLMed~1.exe
C:\Documents and Settings\Owner\My Documents\tameclone.exe
C:\Documents and Settings\Owner\My Documents\AimRemix3.0\Aim Remix 3.0\Aim Remix 3.0.exe
C:\Documents and Settings\Owner\My Documents\AimRemix3.0\Aim Remix 3.0\Aim Remix 3.0.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qa63xu2x.slt\prefs.js)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: (no name) - {9ecf7c28-16d8-477d-8471-5fcb207205fe} - (no file)
O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - (no file)
O2 - BHO: (no name) - {C12E8968-4892-42FC-99B9-EF8E90CFA9EA} - C:\WINDOWS\System32\catsrvmps.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {3D19D956-AFC0-4E66-8D2E-06C406FDBE47} - (no file)
O3 - Toolbar: NewtonKnows - {E9407738-A996-421A-A309-5C93C699E10A} - c:\program files\newton knows\ntoolbar.dll (file missing)
O3 - Toolbar: Netster - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - C:\Documents and Settings\Owner\Netster.dll (file missing)
O3 - Toolbar: (no name) - {B4573818-8894-48D2-B89D-7DF37C781C88} - (no file)
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: PowerMenu.lnk = C:\Program Files\WCRobot\PowerMenu.exe
O4 - Startup: PowerMenu.lnk.disabled
O4 - Startup: WinPatrol 6.1.lnk = C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AVG Control Center.lnk = C:\Program Files\Grisoft\AVG6\avgcc32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
ComputerBOB
Newbie
Posts: 2
Joined: Fri May 14, 2004 1:00 am

Postby Restek » Fri May 14, 2004 3:13 pm

If you run 'netstat -o' in a DOS box, it will give you the PID of the process which owns the connection. Use task manager to see which process this is - it may help you track down what's going on :)
Restek
Geek Alumni
Posts: 1002
Joined: Tue Sep 18, 2001 1:00 am
Location: Uk
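Restek's `netstat -o` step and Cactus's whois lookup, mechanised as an added example (this is not code from the thread): it parses a constructed `netstat -ano` listing, joins each ESTABLISHED connection to a constructed PID-to-image table of the kind Task Manager shows, attributes the remote address to the two AOL ranges quoted in the ARIN records above, and lists connections owned by an image running outside the Windows and Program Files trees. Local addresses, PIDs and the 198.51.100.7 peer are made up.

```python
import ipaddress
import re
# Constructed 'netstat -ano' output (-o adds the owning PID column, as
# Restek describes); the local addresses and PIDs are made up.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1082       205.188.146.146:11523  ESTABLISHED     1724
  TCP    192.168.1.5:1083       205.188.146.146:11523  ESTABLISHED     1724
  TCP    192.168.1.5:1090       152.163.13.205:13784   ESTABLISHED     1724
  TCP    192.168.1.5:1101       198.51.100.7:6667      ESTABLISHED     2340
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
"""
# Constructed PID -> image table, as Task Manager would show it.
PROCESSES = {
    1724: r"C:\Program Files\AIM95\aim.exe",
    2340: r"C:\Documents and Settings\Owner\My Documents\tameclone.exe",
}
# Network ranges taken from the ARIN records quoted in the thread.
OWNED_RANGES = {
    "AOL-DTC": ipaddress.ip_network("205.188.0.0/16"),
    "AOL-BNET": ipaddress.ip_network("152.163.0.0/16"),
}
TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local, remote, state, pid) for each TCP line."""
    return [(m.group(1), m.group(2), m.group(3), int(m.group(4)))
            for m in map(TCP_RE.match, text.splitlines()) if m]

def owner_of(ip):
    """Name the registered range an address falls in, else None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in OWNED_RANGES.items() if addr in net), None)

def established_connections(netstat_text, processes):
    """Join each ESTABLISHED connection to its owning image and remote range."""
    return [{"remote": remote, "pid": pid,
             "image": processes.get(pid, "<unknown>"),
             "range": owner_of(remote.rsplit(":", 1)[0])}
            for _, remote, state, pid in parse_netstat(netstat_text)
            if state == "ESTABLISHED"]

def suspicious(conns):
    """Connections owned by an image outside the Windows and Program Files trees."""
    trusted = ("c:\\windows\\", "c:\\program files\\")
    return [c for c in conns if not c["image"].lower().startswith(trusted)]
if __name__ == "__main__":
    for c in suspicious(established_connections(NETSTAT_OUTPUT, PROCESSES)):
        print(c["remote"], "<-", c["pid"], c["image"], c["range"])
```

On the constructed data the three AOL connections resolve to aim.exe, which is the expected owner, while the one peer outside any known range is owned by an executable in My Documents.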

Postby brad » Fri May 14, 2004 11:28 pm

As Cactus stated and Restek told you how to investigate, you've got AIM and AOL running at the same time, for one thing.
Turn off System Restore. (Turn it back on after this is repaired and you've rebooted.) Close all other open windows and have HijackThis fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qa63xu2x.slt\prefs.js)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: (no name) - {9ecf7c28-16d8-477d-8471-5fcb207205fe} - (no file)
O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - (no file)
O2 - BHO: (no name) - {C12E8968-4892-42FC-99B9-EF8E90CFA9EA} - C:\WINDOWS\System32\catsrvmps.dll (file missing)
O3 - Toolbar: (no name) - {3D19D956-AFC0-4E66-8D2E-06C406FDBE47} - (no file)
O3 - Toolbar: NewtonKnows - {E9407738-A996-421A-A309-5C93C699E10A} - c:\program files\newton knows\ntoolbar.dll (file missing)
O3 - Toolbar: Netster - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - C:\Documents and Settings\Owner\Netster.dll (file missing)
O3 - Toolbar: (no name) - {B4573818-8894-48D2-B89D-7DF37C781C88} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now delete these folders or files that are highlighted, then empty your "Recycle Bin" and reboot: (You may have to boot to "Safe Mode" in order to delete some files/folders.)
WINDOWS\System32\catsrvmps.dll
c:\program files\newton knows\ntoolbar.dll
C:\Documents and Settings\Owner\Netster.dll

brad
"Duty is a matter of the mind. Commitment is a matter of the heart".
Geek Alumni
Posts: 2079
Joined: Sat Jul 19, 2003 1:00 am
Location: Charlotte, NC
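A small triage pass over HijackThis entries, added here as an example and not something from the thread or from HijackThis itself: it flags BHO and toolbar entries whose file is missing or that carry no name, DLLs registered from a per-user profile directory, and the O6 policy entry, which are the kinds of lines brad picked out above. The log excerpt is a constructed subset of the poster's log.

```python
import re

# Constructed excerpt in HijackThis log format, modelled on the entries brad
# picked out above; it is not the poster's complete log.
HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: (no name) - {9ecf7c28-16d8-477d-8471-5fcb207205fe} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Netster - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - C:\Documents and Settings\Owner\Netster.dll (file missing)
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
LOADED_CODE = {"O2", "O3"}          # BHOs and toolbars: code IE loads at start
USER_PROFILE = "c:\\documents and settings\\"  # per-user, user-writable tree

def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    return [(m.group(1), m.group(2))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def triage(text):
    """Flag entries worth reviewing, with the reason each was flagged."""
    findings = []
    for section, body in parse_hjt(text):
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("registered file is gone")
        if section in LOADED_CODE and "(no name)" in body:
            reasons.append("unnamed BHO/toolbar")
        if section in LOADED_CODE and USER_PROFILE in body.lower():
            reasons.append("DLL registered from a user profile directory")
        if section == "O6":
            reasons.append("IE control panel policy restriction present")
        if reasons:
            findings.append((section, body, reasons))
    return findings

if __name__ == "__main__":
    for section, body, reasons in triage(HJT_LOG):
        print(section, "|", "; ".join(reasons), "|", body)
```

The R0 start-page and N3 search-engine lines brad also listed are a judgement about the URL, not a missing file, so they are left to the reviewer here.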
