Please help, my computer is being hacked



#1 huyhoangnguyen (Members, 8 posts)

Posted 01 November 2004 - 03:38 PM

Could someone please review the log file below. It seems that every time I connect to the internet there is a program running in the background that constantly tries to send information (I think my computer is seriously being hacked). I have tried running CWShredder and Ad-aware 6.0, but the problem is still the same. I looked on my C drive and see that the following files are generated: wusssnaoo.exe, lkddkkiiahfs.exe, kkasssafs.exe, fs.bat. Even when I delete them, they come back the next time I connect to the internet.

Thanks in advance for your help.



Logfile of HijackThis v1.98.0
Scan saved at 20:26:31, on 01/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\System32\ibmpmsvc.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\WIN\system32\spoolsv.exe
C:\WIN\system32\regsvc.exe
C:\WIN\system32\MSTask.exe
C:\WIN\System32\WBEM\WinMgmt.exe
C:\WIN\system32\svchost.exe
C:\WIN\Explorer.EXE
C:\WIN\system32\tp4mon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\Saga\Super Popup Blocker\popkill.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\WIN\system32\internat.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WIN\system32\wuauclt.exe
C:\WIN\system32\qtask.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WIN\explorer.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Super Popup Blocker - {F1C0FAF2-E52F-4370-BC75-2C828C027B9E} - C:\WIN\System32\popkill.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Compliant] mqlqdm.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [Start Upping] qtask.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKLM\..\RunServices: [Windows Compliant] mqlqdm.exe
O4 - HKLM\..\RunServices: [Start Upping] qtask.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Windows Compliant] mqlqdm.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Start Upping] qtask.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperHeroBugSwat.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperHeroSlapdown.dll
O12 - Plugin for .cfm: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D6DBCF-E600-4EFB-A679-1DC094B4534A}: NameServer = 194.72.9.39 194.74.65.87

#2 Grinler (Lawrence Abrams, Admin, 43,622 posts)

Posted 01 November 2004 - 04:48 PM

You are using an outdated version of HijackThis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log.

#3 huyhoangnguyen (Topic Starter, Members, 8 posts)

Posted 01 November 2004 - 04:53 PM

As requested, please see the new log file.

Logfile of HijackThis v1.98.2
Scan saved at 21:51:21, on 01/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\System32\ibmpmsvc.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\WIN\system32\spoolsv.exe
C:\WIN\system32\regsvc.exe
C:\WIN\system32\MSTask.exe
C:\WIN\System32\WBEM\WinMgmt.exe
C:\WIN\Explorer.EXE
C:\WIN\system32\tp4mon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\Saga\Super Popup Blocker\popkill.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\WIN\system32\internat.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WIN\system32\qtask.exe
C:\WIN\explorer.exe
C:\WIN\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WIN\system32\taskmgr.exe
C:\WIN\System32\svchost.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Super Popup Blocker - {F1C0FAF2-E52F-4370-BC75-2C828C027B9E} - C:\WIN\System32\popkill.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Compliant] mqlqdm.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [Start Upping] qtask.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKLM\..\RunServices: [Windows Compliant] mqlqdm.exe
O4 - HKLM\..\RunServices: [Start Upping] qtask.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Windows Compliant] mqlqdm.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Start Upping] qtask.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperHeroBugSwat.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperHeroSlapdown.dll
O12 - Plugin for .cfm: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D6DBCF-E600-4EFB-A679-1DC094B4534A}: NameServer = 194.72.9.39 194.74.65.87

#4 Grinler (Lawrence Abrams, Admin, 43,622 posts)

Posted 01 November 2004 - 05:45 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Windows Compliant] mqlqdm.exe
O4 - HKLM\..\Run: [Start Upping] qtask.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKLM\..\RunServices: [Windows Compliant] mqlqdm.exe
O4 - HKLM\..\RunServices: [Start Upping] qtask.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Windows Compliant] mqlqdm.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Start Upping] qtask.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):


c:\windows\system32\mqlqdm.exe
c:\windows\system32\qtask.exe
c:\windows\system32\system32.exe


Reboot your computer to go back to normal mode and post a new log.
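The fix list above comes from reading the R, O4, O9 and O16 lines by hand. The script below is an added example for this thread, not a BleepingComputer or HijackThis tool: it runs the same triage over lines copied from the poster's second log and flags an entry for the reasons the fix list implies (one display name registered in several autostart keys, a binary that borrows the name of a Windows system folder, entries pointing at files that no longer exist, a `_bak` copy of the IE start page, and an ActiveX download from a host that is not on a caller-supplied trust list). The function names, the `Finding` type and the decision to treat pestscan.com as trusted (the helper left those two O16 entries alone) are assumptions made here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines copied from the poster's second HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Super Popup Blocker - {F1C0FAF2-E52F-4370-BC75-2C828C027B9E} - C:\WIN\System32\popkill.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Compliant] mqlqdm.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [Start Upping] qtask.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKLM\..\RunServices: [Windows Compliant] mqlqdm.exe
O4 - HKLM\..\RunServices: [Start Upping] qtask.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Windows Compliant] mqlqdm.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Start Upping] qtask.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperHeroBugSwat.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"https?://\S+")
# Binary names that borrow a Windows folder name (system32.exe in this thread).
SYSTEM_DIR_NAMES = {"system32", "system", "windows", "winnt"}


@dataclass
class Finding:
    line: str
    reasons: list


def exe_name(cmd: str) -> str:
    """Return the lower-cased file name of the program an O4 command launches."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def dpf_host(line: str):
    """Hostname of the .cab download in an O16 line, without a leading 'www.'."""
    m = URL_RE.search(line)
    host = urlparse(m.group(0)).hostname if m else None
    if host and host.startswith("www."):
        host = host[4:]
    return host


def triage(log_text: str, trusted_dpf_hosts=frozenset()) -> list:
    """Flag the log lines a helper would put on a fix list, with a reason for each."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    reasons = defaultdict(list)

    # O4: the same display name in HKLM Run, HKLM RunServices and HKCU Run is the
    # redundant persistence seen here for mqlqdm.exe, qtask.exe and system32.exe.
    o4 = [(l, O4_RE.match(l)) for l in lines]
    o4 = [(l, m) for l, m in o4 if m]
    keys_by_name = defaultdict(set)
    for _, m in o4:
        keys_by_name[m["name"]].add(m["key"])
    for line, m in o4:
        n = len(keys_by_name[m["name"]])
        if n >= 2:
            reasons[line].append(f"'{m['name']}' is registered in {n} autostart keys")
        exe = exe_name(m["cmd"])
        if exe.rsplit(".", 1)[0] in SYSTEM_DIR_NAMES:
            reasons[line].append(f"{exe} borrows the name of a Windows system folder")

    for line in lines:
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            reasons[line].append("points at a file that no longer exists")
        if line.startswith("R1 - ") and "_bak" in line.split(" = ")[0]:
            reasons[line].append("backup copy of the IE start page left by a hijacker")
        if line.startswith("O16 - DPF:") and dpf_host(line) not in trusted_dpf_hosts:
            reasons[line].append(f"ActiveX download from untrusted host {dpf_host(line)}")

    return [Finding(line, reasons[line]) for line in lines if line in reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_dpf_hosts={"pestscan.com"}):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

On the sample log the script reproduces the helper's thirteen-line fix list exactly, while leaving the OEM entries (tp4mon.exe, mobsync.exe, internat.exe) and the two pestscan.com scanner controls alone. The "registered in several autostart keys" rule is the one worth keeping: legitimate software rarely writes the same value under Run, RunServices and the per-user Run key at once, which is why those three names stand out even though every command is a bare file name.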



