Your Ad Here Your Ad Here
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Invaded

  1. #1
    Well once again my computer has been invaded. I'm getting better at knowing what to get rid of and what not too but I was wondering if someone might take a look at my HJT log and give me their opinion of what to dump. Thanks.

    Logfile of HijackThis v1.98.2
    Scan saved at 1229 PM, on 5/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\appiw.exe
    C:\WINDOWS\ipqk.exe
    C:\DOCUME~1\sd\LOCALS~1\Temp\Rar$EX00.766\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINDOWS\System32\msacmx.dll
    O2 - BHO: Class - {E5A0EFED-3062-8A6A-0BA8-B76566990BAF} - C:\WINDOWS\appvq32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe
    O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Microsoft Networking Agent For SP2] msnac32.exe
    O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [ntee32.exe] C:\WINDOWS\system32\ntee32.exe
    O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
    O4 - HKLM\..\Run: [appiw.exe] C:\WINDOWS\system32\appiw.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [yy5VGCm8] C:\WINDOWS\saqtlcje.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
    O4 - HKLM\..\RunServices: [Microsoft Networking Agent For SP2] msnac32.exe
    O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
    O4 - HKLM\..\RunOnce: [msbl.exe] C:\WINDOWS\system32\msbl.exe
    O4 - HKLM\..\RunOnce: [ipqk.exe] C:\WINDOWS\ipqk.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
    O4 - HKCU\..\Run: [Microsoft Networking Agent For SP2] msnac32.exe
    O4 - HKCU\..\Run: [SNInstall] C:\Documents and Settings\sd\sefe.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
    O4 - HKCU\..\RunServices: [Microsoft Networking Agent For SP2] msnac32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 199.166.31.3,199.5.157.128
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C87EF268-E681-4022-B240-DCA1648CDF79}: NameServer = 199.166.31.3,199.5.157.128
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D125DA-F8B3-4788-853A-991CD73239D0}: NameServer = 199.166.31.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 199.166.31.3,199.5.157.128
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 199.166.31.3,199.5.157.128

  2. Software & Hardware   -   #2
    peat moss's Avatar Software Farmer BT Rep: +15BT Rep +15BT Rep +15
    Join Date
    May 2003
    Location
    Delta B.C. Canada
    Posts
    10,816
    Go to this link and see what your up against. You have a few nasties.



    http://www.hijackthis.de/


    Here's anouther some one found .

    http://hjt.iamnotageek.com/
    Last edited by peat moss; 05-27-2005 at 05:15 PM.

  3. Software & Hardware   -   #3
    Nice sites. Thanks Peat

  4. Software & Hardware   -   #4
    coldnorth,

    That's a CoolWebSearch infection. I've been outta the spyware-killing business for a few months, but that infection can be particularly involved...unless Symantec (or an individual) re-wrote a program to clean the infection...the last I'd heard though, they haven't. I'd post over at www.helponthe.net

    Also...please avoid those automatic HiJackThis "interpretive" sites--They offer many false positives and don't provide a user any real information on infestations.

  5. Software & Hardware   -   #5
    Thanks Iron. I have some nasties in there this time. HJT won't remove them. Most are not listed when I start the computer in safe mode. I have made a normal start and found and deleted them but in a very few minutes something has reinstalled them. I'm not sure what to do next. In particular I am having trouble getting rid of winsrv32.dll, desktop.exe, ffsearch.exe, edmond.exe, mfiltis.dll, and msdbhk.dll. Anyone have any ideas? Thanks.

  6. Software & Hardware   -   #6
    Post at this site: www.helponthe.net

  7. Software & Hardware   -   #7
    peat moss's Avatar Software Farmer BT Rep: +15BT Rep +15BT Rep +15
    Join Date
    May 2003
    Location
    Delta B.C. Canada
    Posts
    10,816
    Quote Originally Posted by IronRanger
    Post at this site: www.helponthe.net


    That site looks like fun too, 1355 (128 members and 1227 guests) online at the moment . Same problem we seem to have.

  8. Software & Hardware   -   #8
    Thanks Peat and Iron.

  9. Software & Hardware   -   #9
    fkdup74's Avatar Pneuberator.
    Join Date
    Sep 2003
    Posts
    3,616
    Quote Originally Posted by coldnorth
    Well once again my computer has been invaded. I'm getting better at knowing what to get rid of and what not too but I was wondering if someone might take a look at my HJT log and give me their opinion of what to dump. Thanks.

    Logfile of HijackThis v1.98.2
    Scan saved at 1229 PM, on 5/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    its teh smilie in yer log! ohnoes!

    I think I'd be takin a closer look at some of these:
    (some of them may be legit, but it doesn't hurt to check into it)
    Spoiler: Show


    I haven't used Adaware in forever,
    but I dont remember it being put in the "RunOnce" section of the reg
    (I could be wrong about that)

    and all that junk in the Trusted Zone.....well, if you didn't put em there....
    and I seem to remember a legit process called "ctfmon" but not "clfmon"
    again, I could be wrong, but again, it doesnt hurt to check it out
    Last edited by FKDUP74; 05-31-2005 at 02:46 AM.

  10. Software & Hardware   -   #10
    peat moss's Avatar Software Farmer BT Rep: +15BT Rep +15BT Rep +15
    Join Date
    May 2003
    Location
    Delta B.C. Canada
    Posts
    10,816
    Goldnorth you proabably one of the politest people on this forum . Hope someone can help you. Get rid of of the porn dude . Hey it must be cold up there. Pay no attention to IronRanger's comment about the helper programs. How else does one learn ?


    They do give you an idea, about the problems your computer may be having. Have you checked out that site ? What a bunch of snots ! Hey if you have to format se la vie . But in all honesty some good advice there. But they don't tell you about removing nasty's and then you can't get on the internet with out fixing your Lsp. I would rather talk to some poor smuck like me .


    Who' s been thru the trials and errors of computer security. And will take the time to PM you to help. Please don't take this as an insult Ironranger as it was not ment to be one.
    Last edited by peat moss; 06-01-2005 at 02:01 AM.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •