Possible hacker attempt

OK, I did a scan with Avast and AVG and found nothing, but ZoneAlarm picked this up:

^X^A^L^CŽ1^D is trying to connect to the Internet or your local network

with a destination IP

said the application was ↑r♀└Ž1┘

So I did a search for the application… and found none. What's going on?

Download HijackThis: http://www.merijn.org/files/hijackthis.zip
Click “do a system scan and save a logfile”, then copy & paste it here.
Anyway, I always claimed there is no good free AV.

OK, here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 9:16:18 AM, on 8/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\MATCO\DirmsService\DirmsService.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - (no file)
O4 - HKLM…\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM…\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM…\Run: [HPHUPD05] c:\Program Files\HP{45B6180B-DCAB-4093-8EE8-6164457517F0}
O4 - HKLM…\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM…\Run: [VTTimer] VTTimer.exe
O4 - HKLM…\Run: [ccApp] “c:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM…\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM…\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM…\Run: [ccRegVfy] “c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”
O4 - HKLM…\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM…\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT
O4 - HKLM…\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM…\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM…\Run: [MMTray] “C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe”
O4 - HKLM…\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM…\Run: [UpdateManager] “C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe”
O4 - HKLM…\Run: [TkBellExe] "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM…\Run: [tgcmd] “C:\Program Files\Support.com\BellSouth\hcenter.exe” /starthidden
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM…\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM…\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM…\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU…\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU…\Run: [Kvmpjkoa] C:\WINDOWS\system32??anregw.exe
O4 - HKCU…\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU…\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU…\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program
O9 - Extra ‘Tools’ menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program
ewdotnet6_38.dll’ missing
O15 - Trusted Zone: http://groups.msn.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Program
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. -

You've got 3 adwares and possibly another one too.

Download LSPFix: http://www.cexx.org/lspfix.htm
Start Windows in safe mode, run LSPFix and remove newdotnet6_38.dll.
Run HijackThis, click “do a system scan only”, check these items, then click “fix checked” and “yes” (do it while Internet Explorer is closed, as some items are related to it):

R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - (no file)
O4 - HKCU…\Run: [Kvmpjkoa] C:\WINDOWS\system32??anregw.exe
O4 - HKCU…\Run: [Notn] C:\Program Files\apsi\wtta.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

Do you recognize this: C:\Program Files\MATCO\DirmsService\DirmsService.exe ? Google only had 1 result for that file; it might also be adware/spyware. Check this item too if you don't recognize it:
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Program Files\MATCO\DirmsService\DirmsService.exe

When all done with HijackThis, search for & delete ??anregw.exe.
Also go to C:\Program Files and delete the folder “apsi”, and maybe also “MATCO” if you don't recognize it. When done, restart, make a new HijackThis log and copy & paste it.
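A small triage script, added here as an example and not code from the thread or from HijackThis itself, that applies the cleanup rules in the post above to lines in HijackThis log format: orphaned "(no file)" CLSIDs, buttons pointing at a missing file, the broken O10 LSP entry that needs LSPFix rather than HJT, and autoruns from folders not on an analyst's allowlist. The sample log, the allowlist and the two placeholder paths are constructed for the example.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the thread's
# log; the anregw.exe and LSP paths are placeholders, not the original values.
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [Kvmpjkoa] C:\\WINDOWS\\system32\\anregw.exe
O4 - HKCU\\..\\Run: [Notn] C:\\Program Files\\apsi\\wtta.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\\Program Files\\Ebates\\scri350a.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\\program files\\placeholder\\newdotnet6_38.dll' missing
"""

# Analyst allowlist of vendor folder fragments for autorun (O4) entries;
# constructed for this example, so extend it for the machine under review.
KNOWN_AUTORUN_DIRS = ("alwils~1", "alwil software", "symantec shared",
                      "zone labs", "jre1.5", "itunes", "icqlite")

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

def parse_line(line):
    """Split one HJT line into its section code (R3, O4, ...) and body."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text):
    """Apply the thread's cleanup rules; returns (section, advice, line) tuples."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        low = body.lower()
        if section == "R3" and "missing" in low:
            findings.append((section, "fix in HJT: default URLSearchHook missing", raw))
        elif section in ("O2", "O3") and "(no file)" in low:
            findings.append((section, "fix in HJT: orphaned CLSID, DLL no longer on disk", raw))
        elif section == "O9" and "(file missing)" in low:
            findings.append((section, "fix in HJT: button points at a missing file", raw))
        elif section == "O10" and "missing" in low:
            findings.append((section, "do NOT fix in HJT: run LSPFix in safe mode", raw))
        elif section == "O4":
            path = body.split("] ", 1)[-1].lower()  # text after the [name]
            if not any(d in path for d in KNOWN_AUTORUN_DIRS):
                findings.append((section, "review: autorun from unrecognised folder", raw))
    return findings

if __name__ == "__main__":
    for sec, why, line in triage(SAMPLE_LOG):
        print(f"{sec}: {why}\n    {line}")
```

Entries the script flags "review" still need a human to look up the file, as the poster did for DirmsService.exe; the allowlist only suppresses the autoruns already known to be legitimate.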

You may also want to remove the Realtek monitoring app:
Realtek -
O4 - HKLM…\Run: [AlcxMonitor] ALCXMNTR.EXE

“Realtek AC97 Audio - Event Monitor. “Spyware” file used to surreptitiously monitor one’s actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers”

And also the RealPlayer nonsense:
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe” -osboot

Still using your Winmodem for anything? (Even though I have cable internet, I still use my USR 3Com PCI Winmodem for faxing and as an answering system - perhaps Skype is still using your modem?)

Perhaps HP’s Deskjet is reaching out for an update,
or it’s an AIM / MSN Messenger exploit, since those related ports are open.

Have you disabled the Windows Messenger Service?

BTW - those are some funky mathematical font characters you posted - I don’t know how you could search your HDD for those easily.

I never like the idea of having multiple resident antivirus scanners loaded and running at the same time, as you seem to have – but using HouseCall or online scanners is OK as a supplement… Avert Stinger http://vil.nai.com/vil/averttools.asp is another one that comes to mind (standalone app, downloadable, then run).

Check your IE Internet Options | Security Tab | Trusted Zones, and make sure AOL (or others) haven’t added their sites in there - e.g. free.aol.com.

Are you using the ZA free personal version?
And how many PCs on your LAN?

Good point about ALCXMNTR.EXE, I missed that. At the LIUtilities process library it appeared as a legitimate file; I guess I'll check a few other sites next time.

BTW, I noticed you're using GIANT AntiSpyware. That is old and no longer being developed; not sure, but maybe it's not even getting updates as well. I suggest you uninstall it and get CounterSpy or Microsoft AntiSpyware instead. They are both based on GIANT and both get definition updates from Microsoft; however, CounterSpy also has its own definitions, so you have extra protection with it, but it's not free like Microsoft AntiSpyware. Anyway, here's some more info about it: http://www.sunbelt-software.com/CounterSpy-FAQ.cfm

I think you did fine in your earlier post :wink:

What I hate most about deciphering HJT logs is you really need to keep current on everyone else’s software (sometimes real weird stuff) that you may not have even heard of before - let alone ever used. Also the related manufacturer device update/monitoring apps… ugh! :a :eek:

…so - I use This to help speed up the process and minimize my headaches :smiley:

Also note my edits in my previous post.

OK, I do have Windows Messenger disabled.
Yes, I am using the personal version of ZoneAlarm.
I have 1 PC on my LAN.
And I still get updates from Giant…

Here's the newest log:

And if you used BellSouth’s setup CD for ADSL, it has some weird programs installed as well.
You might try Blacklight’s rootkit detection program; it is free until October.
F-Secure Blacklight

"What is a rootkit?

The term rootkit is very old and dates back to the days when UNIX ruled the world. Rootkits for the UNIX operating system were typically used to elevate the privileges of a user to the root level (=administrator). This explains the name of this category of tools.

Rootkits for Windows work in a different way and are typically used to hide malicious software from for example an antivirus scanner. Rootkits are typically not malicious by themselves but are used for malicious purposes by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what was known as full stealth viruses in the MS-DOS environment.

How dangerous is a rootkit?

The rootkit itself typically does not cause deliberate damage. Its purpose is to hide software. But rootkits are used to hide malicious code. A virus, worm, backdoor or spyware program could remain active and undetected in a system for a long time if it uses a rootkit.

The malware may remain undetected even if the computer is protected with state-of-the-art antivirus. And the antivirus can’t remove something that it can’t see. The threat from modern malware combined with rootkits is very similar to full stealth viruses that caused a lot of headache during the MS-DOS era. All this makes rootkits a significant threat.

How common is the problem?

There are currently several spyware programs and viruses that use rootkits to hide. There are also a couple of publicly reported intrusions where rootkits have been used (for example the theft of the Half-Life 2 source code).

Rootkits are already quite common in spyware programs but not as common in viruses. There is clear evidence that rootkits are a technique that works in practice. But the actual threat is still small compared to the potential of this technique.

What malware uses rootkit techniques?

First of all, “real” rootkits such as Hacker Defender and FU, of course. Then some spyware/adware programs such as EliteToolbar, ProAgent, and Probot SE. Some Trojans such as Berbew/Padodor and Feutel/Hupigon, and also some worms e.g. Myfip.h and the Maslan-family."

Nothing like making sure.

The log is clean.

Here's the screen shot with all those mathematical and Latin figures… http://img284.imageshack.us/my.php?image=attackscreen20tj.jpg

Thanks a bunch Phil… I greatly appreciate it.

All I can say is get a few programs from Foundstone.
They are the best in anti-hack, because the tools they have are for the home user to be just a bit more safe, because everyone over time knows that firewalls can only do so much; then it is up to the user.
And just to add a little more: the firewalls you are using are good, but just a little behind the times. http://www.agnitum.com/ They are very hard to get used to, because let's just say you wanted to look at your emails; then Outpost will tell you that the email client is trying to get on the net, but it will also tell you about the hidden program that most firewalls won't. Most firewalls say "blocked IP:352.678.87.7" and won't say what they blocked; Outpost will. If someone has a keylogger on you that you didn't even know about, it will tell you that IP:232.323.2.32 tried to open vegeta. As it is your computer, you should know what files you have installed and what ones you haven't. Even if you don't know if you have or haven't, you can just Google it and find out what it is and where it came from.

P.S. Hope this helps.

I’m still not sure what’s going on, but from your screen shot I can presume/surmise this perhaps:

  • it’s a Domain Name Server (… are you using a router as well? With 1 PC, you can easily disable many addresses / close off any other subnets entirely, and use its built-in firewall (if it has SPI capabilities).

In ZA’s control panel, click Security Tab, then Advanced - post a screenie.

  • the ^X^A type letters may be/are indicative of CMD (command prompt) type CTRL key characters - try Start | Run CMD (a command prompt window opens), now type CTRL+X and you’ll see what I mean – what exactly that tells us…? I’m not sure yet.

  • the mathematical characters may be indicative of an application that normally has access to and uses those types of fonts (any CAD or 3D drawing app, etc.)

  • it doesn’t seem necessary for you to have/use xxx.xxx.1.254 for anything, except perhaps your DSL(?) modem may have that address assigned automatically – many cable/DSL modems use xxx.xxx.1.100 or .1.101 or other similar for their reserved base address, for accessing their configuration options and status (web interface to config)
    (type it into your address bar)

And if your router is acting as the DHCP server for your 1 PC LAN, then it’s obtaining the DNS servers from your ISP.

Start | Run CMD, then netstat -a and/or ipconfig /all for some general network connection info (forgive me, but you’ll need to look up the specific 2K/XP commands, as I’m not using those OSes).

PLZ - empty your entire Java cache and disable it:
Control Panel | Java Plug-in | Cache Tab
click Clear, then untick “Enable Cache”

Running CrapCleaner (www.ccleaner.com) will delete all those stupid Windows caches / history / index.dat / recent / cookies nonsense.

Post back and keep us informed after this, and let us know what steps you’ve taken and naturally if it’s still occurring.