Thread: What's happening?

  1. #1
    The kids visited a game site over the weekend and something is not right. I suspect I have a virus, among all the scumware they brought in, and something odd is happening with HijackThis. There are a couple of items I see in the Task Manager that I do not recognize and it will not let me turn them off. They are mocih.exe, rundll32.exe, and dllhost.exe. When I scan with HijackThis I do not for the life of me see them in it, but when I make the log there they are. What's going on? Thanks

    Here is a current HJT log

    Logfile of HijackThis v1.98.2
    Scan saved at 5:45:24 PM, on 4/12/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\mocih.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\vlrrvk.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\DOCUME~1\sd\LOCALS~1\Temp\Rar$EX01.265\HijackThis.exe
    C:\WINDOWS\system32\aun_0099.EXE
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ie.search.msn.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vlrrvk.exe
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C87EF268-E681-4022-B240-DCA1648CDF79}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D125DA-F8B3-4788-853A-991CD73239D0}: NameServer = 69.50.188.180 195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1B72A702-CF0B-4ACB-80D5-67AC95C0520D}: NameServer = 69.50.188.180,195.225.176.31

  2. #2 - erRor67
    I would recommend using an automated remover such as SpywareBlaster and Ad-Aware. Then scan for viruses with something such as NOD32.

    HijackThis only displays IE plugins. So it's basically only going to help if IE is screwed up.

    Well, it does show startup programs but they seem to be ok to me.
    blah blah blah... whatever...



  3. #3 - peat moss
    Don't know why you have all the Winsock LSP entries? But they should be fixed. You may have run a spyware remover and something went kicking and screaming before it was removed.


    http://www.cexx.org/lspfix.htm

  4. #4 - Mïcrösöül°V³
    do what i do when someone other than you is going to use the pc... max out all the security settings, active x filters, etc. just set everything on the highest level. it seems to work pretty well. if you really wanna discourage them from using your pc, install windows server 2003, then you can't surf anywhere unless you add the sites to your trusted domains, then you can just tell them "oh well, it looks like the site you want isn't working, lol". it works, i have a 9 year old, and i am very familiar with their "click everything you see on the screen, and select yes" habits. but definitely run a few spyware scanners and check your add/remove programs section to see if they installed some weird shit. when kids are looking for game cheats and game related stuff, they think clicking "yes" on all the pop-ups is related to what they are looking for.
    Last edited by Mïcrösöül°V³; 04-13-2005 at 01:06 AM.

  5. #5 - tesco
    Fix these:

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    R3 - Default URLSearchHook is missing

    and do the regular virus, spyware and trojan scans.
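    A small triage script for the log format in post #1, added here as an illustration and not a tool from the thread: it splits a HijackThis log into its sections and flags the entry types the replies single out (the same unknown O10 LSP DLL listed repeatedly, O17 NameServer values outside a list you expect, an O16 DPF entry with no name or download URL, and the missing R3 hook). The sample log and the 192.0.2.x DNS addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.98 log format, modelled on the log in
# post #1 (the DNS servers here are documentation addresses, not the real ones).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\mocih.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vlrrvk.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.0.2.10 192.0.2.11
R3 - Default URLSearchHook is missing
"""

ENTRY_RE = re.compile(r"^(R[0-3]|F\d|O\d+)\s+-\s+(.*)$")

def parse_hjt(text):
    """Split a log into (running processes, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:              # blank line ends the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries

def triage(text, expected_dns=()):
    """Flag the entry types this thread singled out; returns a list of strings."""
    _, entries = parse_hjt(text)
    findings = []
    # O10: the same unknown LSP DLL listed several times points at a damaged Winsock chain
    for dll, n in Counter(b for c, b in entries if c == "O10").items():
        findings.append(f"O10 unknown LSP {dll.split(': ')[-1]} listed {n}x")
    for code, body in entries:
        if code == "O17":  # NameServer values may be comma- or space-separated
            servers = re.split(r"[,\s]+", body.split("=", 1)[1].strip())
            rogue = [s for s in servers if s not in expected_dns]
            if rogue:
                findings.append("O17 unexpected NameServer " + ",".join(rogue))
        elif code == "O16" and body.endswith(" -"):
            findings.append("O16 DPF with no name or download URL: " + body)
        elif code == "R3" and "missing" in body:
            findings.append("R3 default URLSearchHook missing")
    return findings
```

    Pass the DNS servers your ISP or router actually hands out as `expected_dns`; anything else in an O17 line is worth a look.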

  6. Software & Hardware   -   #6
    Thanks everyone

  7. #7 - fkdup74
    Quote Originally Posted by Bishtawiman
    I would recommend using an automated remover such as spywareblaster
    I really wish people could reconcile themselves to the fact that....
    spywareblaster does not remove anything

    it sets a kill bit in the registry, so said activex files will not run
    but it has no removal/deletion capabilities, whatsoever

  8. #8 - Izagaia
    Quote Originally Posted by FKDUP74
    I really wish people could reconcile themselves to the fact that....
    spywareblaster does not remove anything

    it sets a kill bit in the registry, so said activex files will not run
    but it has no removal/deletion capabilities, whatsoever
    I agree.

    It was great during its time, however times have changed and malicious wares have become even more dominant. Spybot S&D is good. Yet it relies on someone updating a spyware database to run efficiently. Even then I have heard mixed stories so far as the results the application actually yields. Mind you, these are freeware alternatives so someone devoting 24/7 support is not exactly something that could be expected realistically.

    My own personal recommendation however, is the use of Microsoft's Windows AntiSpyware application. Which is in a beta stage until July, yet it utilizes the exact same technology as the popular anti-spyware applications CounterSpy from Sunbelt and Giant AntiSpyware. Essentially, they are pretty much all the same program, even down to the GUI. Of course it's freeware and benefits from Microsoft's known spy/adware database for updates. That being a good thing.

    Then there are the issues of some saying that they cannot or will not run certain antispyware applications because it is too draining on their system resources. Well... IMO, those that I have rattled off above are not too bad in that department. At least I do not believe they are, so take it for whatever it is worth. I just so happen to subscribe to the thought that if people are avoiding applications such as those because they claim they do not have the system resources or that they are too consuming, in their own opinions, then they deserve to be hit with whatever they so happen to run across in their surfing habits. Add a little memory or just update to a more powerful system. Because these days, not using a half-way decent application to combat malware is the same as, say, not using an anti-virus/firewall solution... it is just plain stupidity, IMO, not to. And definitely worth committing a few system resources to, or a few $$$, or whatever it takes to keep your personal information/investment/system safe and private.


    But that is just my two-cents.
    Last edited by Izagaia; 04-14-2005 at 01:16 AM.

  9. #9 - fkdup74
    Quote Originally Posted by Izagaia
    But that is just my two-cents.
    hehe, i'll pitch in another two cents
    i'll be honest, i was wary at first of M$ anti-spyware
    but after a little looking through it, i really like it now
    plus, i THINK it will end up free for "legitimate" windows users
    *fkdup crosses fingers
    i know that's a lot of program to offer for free,
    but seeing as how M$ is always being bashed for its security holes,
    maybe they will "do the right thing"

    and nah, it isn't too bad on resources
    CPU usage is next to nil in real time protection (haven't checked during a scan)
    this on a sempron 2200
    and memory usage is only 20 MB for me

    -edit-
    and this praise is coming from a guy who was used to:
    a 2 GHz Athlon XP and 1.25 GB RAM

    so if i can DOWNgrade to a 1.5 GHz sempron and 512 MB RAM
    and not bitch about resources....well.....no one should

    that was a good point to bring up Iz
    Last edited by FKDUP74; 04-14-2005 at 03:46 AM.

  10. #10 - Izagaia
    Quote Originally Posted by FKDUP74
    hehe, i'll pitch in another two cents
    i'll be honest, i was wary at first of M$ anti-spyware
    but after a little looking through it, i really like it now
    plus, i THINK it will end up free for "legitimate" windows users
    *fkdup crosses fingers
    i know that's a lot of program to offer for free,
    but seeing as how M$ is always being bashed for its security holes,
    maybe they will "do the right thing"

    and nah, it isn't too bad on resources
    CPU usage is next to nil in real time protection (haven't checked during a scan)
    this on a sempron 2200
    and memory usage is only 20 MB for me

    -edit-
    and this praise is coming from a guy who was used to:
    a 2 GHz Athlon XP and 1.25 GB RAM

    so if i can DOWNgrade to a 1.5 GHz sempron and 512 MB RAM
    and not bitch about resources....well.....no one should

    that was a good point to bring up Iz
    A 2.2GHz AthlonXP (3200 series) and a gig of ram are what I am using now. My previous setup was a P4@ 1.7GHz and 256ram. I feel fortunate that I was in a position at the time I was in to actually afford my upgraded system.


    Man, that P4 just out-right sucked.



    I probably came off sounding like an asshole in my post. Sorry about that if anyone thought that way.

    I just really believe that in general, the internet is a dangerous place considering the risks of identity theft and all the "what-nots" associated with it. Users just really need to be educated on what is out there and be ready to commit a few personal sacrifices in terms of money, altering surfing habits or whatever. The alternatives are scary to consider.
