Page 1 of 2
Results 1 to 10 of 11

Thread: Invaded

  1. #1 (coldnorth)
    Well once again my computer has been invaded. I'm getting better at knowing what to get rid of and what not to, but I was wondering if someone might take a look at my HJT log and give me their opinion of what to dump. Thanks.

    Logfile of HijackThis v1.98.2
    Scan saved at 1229 PM, on 5/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\appiw.exe
    C:\WINDOWS\ipqk.exe
    C:\DOCUME~1\sd\LOCALS~1\Temp\Rar$EX00.766\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINDOWS\System32\msacmx.dll
    O2 - BHO: Class - {E5A0EFED-3062-8A6A-0BA8-B76566990BAF} - C:\WINDOWS\appvq32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe
    O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Microsoft Networking Agent For SP2] msnac32.exe
    O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [ntee32.exe] C:\WINDOWS\system32\ntee32.exe
    O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
    O4 - HKLM\..\Run: [appiw.exe] C:\WINDOWS\system32\appiw.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [yy5VGCm8] C:\WINDOWS\saqtlcje.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
    O4 - HKLM\..\RunServices: [Microsoft Networking Agent For SP2] msnac32.exe
    O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
    O4 - HKLM\..\RunOnce: [msbl.exe] C:\WINDOWS\system32\msbl.exe
    O4 - HKLM\..\RunOnce: [ipqk.exe] C:\WINDOWS\ipqk.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
    O4 - HKCU\..\Run: [Microsoft Networking Agent For SP2] msnac32.exe
    O4 - HKCU\..\Run: [SNInstall] C:\Documents and Settings\sd\sefe.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
    O4 - HKCU\..\RunServices: [Microsoft Networking Agent For SP2] msnac32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 199.166.31.3,199.5.157.128
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C87EF268-E681-4022-B240-DCA1648CDF79}: NameServer = 199.166.31.3,199.5.157.128
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D125DA-F8B3-4788-853A-991CD73239D0}: NameServer = 199.166.31.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 199.166.31.3,199.5.157.128
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 199.166.31.3,199.5.157.128

  2. #2 (peat moss, Delta B.C. Canada)
    Go to this link and see what you're up against. You have a few nasties.

    http://www.hijackthis.de/

    Here's another someone found.

    http://hjt.iamnotageek.com/
    Last edited by peat moss; 05-27-2005 at 05:15 PM.

  3. #3
    Nice sites. Thanks Peat

  4. #4
    coldnorth,

    That's a CoolWebSearch infection. I've been outta the spyware-killing business for a few months, but that infection can be particularly involved...unless Symantec (or an individual) re-wrote a program to clean the infection...the last I'd heard though, they haven't. I'd post over at www.helponthe.net

    Also...please avoid those automatic HiJackThis "interpretive" sites--They offer many false positives and don't provide a user any real information on infestations.

  5. #5
    Thanks Iron. I have some nasties in there this time. HJT won't remove them. Most are not listed when I start the computer in safe mode. I have made a normal start and found and deleted them but in a very few minutes something has reinstalled them. I'm not sure what to do next. In particular I am having trouble getting rid of winsrv32.dll, desktop.exe, ffsearch.exe, edmond.exe, mfiltis.dll, and msdbhk.dll. Anyone have any ideas? Thanks.

  6. #6 (IronRanger)
    Post at this site: www.helponthe.net

  7. #7 (peat moss, Delta B.C. Canada)
    Quote Originally Posted by IronRanger
    Post at this site: www.helponthe.net


    That site looks like fun too, 1355 (128 members and 1227 guests) online at the moment. Same problem we seem to have.

  8. #8
    Thanks Peat and Iron.

  9. #9 (fkdup74)
    Quote Originally Posted by coldnorth
    Well once again my computer has been invaded. I'm getting better at knowing what to get rid of and what not too but I was wondering if someone might take a look at my HJT log and give me their opinion of what to dump. Thanks.

    Logfile of HijackThis v1.98.2
    Scan saved at 1229 PM, on 5/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    its teh smilie in yer log! ohnoes!

    I think I'd be takin a closer look at some of these:
    (some of them may be legit, but it doesn't hurt to check into it)


    I haven't used Adaware in forever,
    but I don't remember it being put in the "RunOnce" section of the reg
    (I could be wrong about that)

    and all that junk in the Trusted Zone.....well, if you didn't put 'em there....
    and I seem to remember a legit process called "ctfmon" but not "clfmon"
    again, I could be wrong, but again, it doesn't hurt to check it out
    Last edited by FKDUP74; 05-31-2005 at 02:46 AM.
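    The checks made by eye in this thread can be applied mechanically to the log: IronRanger's point that search settings redirected to a res:// page inside a DLL are the CoolWebSearch signature, and fkdup74's points about autorun entries with no path, look-alike names such as clfmon vs ctfmon, and the pile of Trusted Zone entries. The script below is an added example for readers of this thread; it is not code from the thread, from HijackThis or from any of the linked sites. The KNOWN_GOOD process list is an assumed short list for the example, and the sample log lines are copied from the log posted in #1 so the script runs offline.

```python
"""Triage helper for a HijackThis 1.98 log (added example, not from the thread)."""
import re
from collections import Counter

# Sample input: a handful of lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\chlps.dll/sp.html#75034
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [Microsoft Networking Agent For SP2] msnac32.exe
O4 - HKLM\..\RunOnce: [ipqk.exe] C:\WINDOWS\ipqk.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
"""

# Well-known Windows XP process names used to spot look-alikes (assumed list,
# kept short for the example; a real triage would use a fuller list).
KNOWN_GOOD = {"ctfmon.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "smss.exe", "spoolsv.exe"}

R_LINE = re.compile(r"^(R[0-3]) - (.+?)(?: =\s*(.*))?$")
O4_LINE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
O10_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
O15_LINE = re.compile(r"^O15 - Trusted Zone: (.+)$")
FULL_PATH = re.compile(r'^"?[A-Za-z]:\\')


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_name(cmd):
    """Return the lower-cased file name of the program an O4 entry launches."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of {'section', 'reason', 'line'} findings for an HJT log."""
    findings = []
    lsp_files = Counter()

    def flag(section, reason, line):
        findings.append({"section": section, "reason": reason, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            value = m.group(3) or ""
            if value.lower().startswith("res://"):
                flag(m.group(1), "search setting points at a res:// page inside a DLL (browser hijack)", line)
            continue
        m = O4_LINE.match(line)
        if m:
            cmd = m.group(3)
            if not FULL_PATH.match(cmd):
                flag("O4", "autorun entry gives no full path; the file is resolved from the search path", line)
            name = executable_name(cmd)
            if name not in KNOWN_GOOD:
                for good in KNOWN_GOOD:
                    if edit_distance(name, good) == 1:
                        flag("O4", f"{name} is one character away from the legitimate {good}", line)
            continue
        m = O10_LINE.match(line)
        if m:
            lsp_files[m.group(1).lower()] += 1
            continue
        m = O15_LINE.match(line)
        if m:
            flag("O15", f"Trusted Zone entry {m.group(1)} lowers IE security for that site", line)

    # One finding per distinct LSP file: deleting the DLL without repairing the
    # Winsock chain is what leaves a machine unable to reach the internet.
    for path, count in lsp_files.items():
        flag("O10", f"unknown Winsock LSP file {path} appears {count} times; remove it only with an LSP repair", path)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

    Run as-is it reports six findings for the sample lines: the res:// search hijack, two autorun entries with no path, clfmon.exe as a look-alike of ctfmon.exe, the repeated unknown LSP file, and the wildcard Trusted Zone entry. It deliberately does not decide what to delete; it only points a human at the lines worth checking, which is the part of the thread's advice that automatic "interpretive" sites get wrong.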

  10. #10 (peat moss, Delta B.C. Canada)
    Coldnorth, you're probably one of the politest people on this forum. Hope someone can help you. Get rid of the porn, dude. Hey, it must be cold up there. Pay no attention to IronRanger's comment about the helper programs. How else does one learn?


    They do give you an idea about the problems your computer may be having. Have you checked out that site? What a bunch of snots! Hey, if you have to format, c'est la vie. But in all honesty some good advice there. But they don't tell you about removing nasties, and then you can't get on the internet without fixing your LSP. I would rather talk to some poor schmuck like me

    who's been through the trials and errors of computer security, and will take the time to PM you to help. Please don't take this as an insult, IronRanger, as it was not meant to be one.
    Last edited by peat moss; 06-01-2005 at 02:01 AM.

