General Question Regarding Hijacking

Status
Not open for further replies.

nwyllie

I'm seeing some odd errors/warnings in my event logs and am wondering if they can be related to someone trying to hack my computer.

I'm seeing a lot of MRxSmb 3019 warnings, and periodic System Error 1003's. I'm running a number of protection programs (Windows firewall, Norton Protect, and Previx1) and none have come up with anything unusual, although I did discover recently backdoor.sdbot on the PC (not detected during any scans) and have removed the three programs (winupsrv.exe, winsrvup.exe, and one other) that were associated with it and scanned my registry and removed anything that referenced these programs. I've also seen Remote Desktop to this computer freeze up quite often (the most recent showing the MRxSmb 3019 errors).

So, does anyone think these things can add up to a hacker attack of some sort?
 
Hello and welcome to Techspot.

I think it's entirely possible that your system is infected with something nasty.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard


This thread is for the use of nwyllie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks, I'll try to get that done tonight. One thing, "Trojan Pakes and other nasties preliminary removal instructions" says to boot in safe mode to my user, not the administrator user. Does it matter that I'm in the administrator group?

Thanks for your suggestion.
 
That's the second time today someone has queried that.

You should boot into safe mode under your usual username. This is so you have access to your normal programmes etc.

Regards Howard :)

 
Will probably not get the logs posted tonight. The scans are taking a very long time (lots of data). Hope to post them tomorrow evening. Am doing two other computers at the same time just to be safe.
 
Ok mate, no problem.

Regards Howard :)

 
Your HJT log appears to be clean.

You can delete all files in AVG Antispyware quarantine.

How's your system running and are you still having any problems?

Regards Howard :)

 
I had none of the restart problems during this whole process. I just now had problems bringing up web pages so I'm rebooting. I was checking in Windows XP Inside-Out to see if there was any security advantage to hiding the system files (I usually don't) and saw where they should not be compressed. I uncompressed the folder and at the end of the process I was informed that the versions of some files were not recognized and wanted the install CD (which I gave it). Not sure what that was about or what was changed (might have been my tcpip.sys since I'd patched it for uTorrent to handle 50 rather than 10 connections). So I'll leave it up today and see if there are any more restarts.

As I mentioned I'm running the same cleanup process on two other computers and will post their logs here when done.

Thanks for your help.
 