#1
Registered User
Join Date: Jul 2008
Posts: 9
OS: XP

HijackThis Logfile
I am having some trouble with a trojan - the trojan is Trojan horse generic2.atn, trojanhorsegeneric2.avs, trojanhorsedownloader.generic2.avs, please see my logfile below. Any info is much appreciated. Thanks

```
Logfile of HijackThis v1.99.1
Scan saved at 18:35:19, on 30/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Cathy McBride\Local Settings\Temporary Internet Files\Content.IE5\YZEJYTAJ\hijackthis_sfx[1].exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.virgin.com:8080;http=http://www-cache.virgin.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
```

Last edited by smokey10; 07-30-2008 at 10:56 AM.
#2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3

Re: HijackThis Logfile
Hello and welcome to TSF.
You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.

Next, download HijackThis to your desktop (Alternate link).
Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Do not post that log, instead, do this next:

---------------------------------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
__________________
My services are free. However, you can donate to TSF to help keep it running. Member of ASAP since 2005. Member of UNITE since 2006.
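The post above asks for a fresh HijackThis log, and the thread ends up with two scans of the same machine in the same line-oriented format ("R0 - ...", "O4 - ...", "O23 - ..."). As an added example (not code from this thread, the forum or HijackThis itself), the Python below parses that format, diffs two scans so that only what changed between them needs attention, and lists the autostart entries a helper would look up first. The two sample scans, the `example.invalid` names and the one-entry allowlist are constructed assumptions, not the thread's real data.

```python
"""Parse HijackThis-style log lines and compare two scans.

Added example for this thread; not code from the forum posts or from
HijackThis itself.  It assumes the line format seen in the logs above:
"<code> - <detail>" with codes such as R0, R1, O2, O4 and O23.
"""
import re
from typing import List, NamedTuple, Optional, Set, Tuple

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<detail>.+)$")
# O4 - HKLM\..\Run: [Name] C:\path\prog.exe /switch   (hive may be HKUS\<sid>)
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Windows binaries that legitimately autostart from the system directory.
# Constructed allowlist for the sample; extend it from your own baseline.
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon.exe"}


class Entry(NamedTuple):
    code: str
    detail: str


class Autostart(NamedTuple):
    hive: str
    name: str
    image: str


def parse_log(text: str) -> List[Entry]:
    """Keep only the R*/O* lines; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("detail")))
    return entries


def image_path(cmd: str) -> str:
    """Extract the executable from a Run value, quoted or not."""
    cmd = re.sub(r" \(User '[^']*'\)$", "", cmd.strip())  # drop HKUS annotation
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    cut = cmd.find(" /")  # unquoted path followed by a command-line switch
    return cmd if cut < 0 else cmd[:cut]


def parse_o4(entry: Entry) -> Optional[Autostart]:
    """Structured view of an O4 (Run key) entry; None for anything else."""
    m = O4_RE.match(entry.detail)
    if entry.code != "O4" or not m:
        return None
    return Autostart(m.group("hive"), m.group("name"), image_path(m.group("cmd")))


def diff_logs(old: str, new: str) -> Tuple[Set[Entry], Set[Entry]]:
    """(added, removed) entries between two scans of the same machine."""
    before, after = set(parse_log(old)), set(parse_log(new))
    return after - before, before - after


def review_candidates(text: str) -> List[Autostart]:
    """Autostarts whose image sits under C:\\WINDOWS but is not a known
    Windows autostart.  A triage heuristic (what to look up first), not a
    verdict: signed third-party tools also install there."""
    found = []
    for entry in parse_log(text):
        auto = parse_o4(entry)
        if auto is None:
            continue
        low = auto.image.lower()
        fname = low.rsplit("\\", 1)[-1]
        if low.startswith("c:\\windows\\") and fname not in KNOWN_SYSTEM_AUTOSTARTS:
            found.append(auto)
    return found


# Constructed sample scans in HijackThis format (not the thread's logs).
SCAN_1 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.invalid/
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\updater.exe" /background
O4 - HKLM\..\Run: [svchelper] C:\WINDOWS\system32\svchelper.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Updater (exupd) - Example Ltd - C:\Program Files\Example\exupd.exe
"""
SCAN_2 = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Firewall Client] "C:\Program Files\ExampleFW\fwclient.exe"
O23 - Service: Example Updater (exupd) - Example Ltd - C:\Program Files\Example\exupd.exe
"""
```

Running `diff_logs(SCAN_1, SCAN_2)` reports one added entry (the firewall client) and two removed ones (the start page and the `svchelper` autostart); `review_candidates(SCAN_1)` returns only `svchelper`, because `ctfmon.exe` is on the allowlist and the updater lives under Program Files. The diff is the useful part when a helper asks for a second log: entries that are identical in both scans have already been looked at, so the reviewer's time goes to what changed.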
#3
Registered User
Join Date: Jul 2008
Posts: 9
OS: XP

Re: HijackThis Logfile
Hi amateur and many thanks
```
Deckard's System Scanner v20071014.68
Run by Cathy McBride on 2008-08-04 18:41:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
19: 2008-08-04 17:41:27 UTC - RP61 - Deckard's System Scanner Restore Point
18: 2008-08-03 09:52:51 UTC - RP60 - System Checkpoint
17: 2008-08-01 18:18:47 UTC - RP59 - Installed Google Toolbar for Internet Explorer
16: 2008-08-01 18:13:58 UTC - RP58 - Installed Java(TM) 6 Update 7
15: 2008-07-30 22:21:35 UTC - RP57 - System Checkpoint

-- First Restore Point --
1: 2008-06-28 16:37:19 UTC - RP43 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Cathy McBride.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:51, on 04/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Cathy McBride\Local Settings\Temporary Internet Files\Content.IE5\JEQYS64V\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cathy McBride.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.virgin.com:8080;http=http://www-cache.virgin.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6320 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 18:37:32        0 d-------- C:\Program Files\Trend Micro
2008-08-01 19:21:30        0 d-------- C:\Documents and Settings\Cathy McBride\Application Data\Google
2008-08-01 19:18:55        0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-08-01 19:18:50        0 d-------- C:\Program Files\Google
2008-07-30 22:36:28   587808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-30 22:34:35        0 d-------- C:\Program Files\ZoneAlarmSB
2008-07-30 22:32:58        0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-30 22:32:19     4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-30 22:31:44    11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2008-07-30 22:30:20        0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-30 22:28:52        0 d-------- C:\WINDOWS\Internet Logs
2008-07-26 13:37:14        0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

-- Find3M Report ---------------------------------------------------------------

2008-08-01 19:18:08        0 d-------- C:\Program Files\Java
2008-06-28 23:11:47        0 d-------- C:\Documents and Settings\Cathy McBride\Application Data\Adobe
2008-06-28 23:10:10        0 d-------- C:\Program Files\Common Files\Adobe
2008-06-28 23:09:50        0 d-------- C:\Program Files\Common Files
2008-06-28 19:44:54        0 d-------- C:\Documents and Settings\Cathy McBride\Application Data\AVGTOOLBAR
2008-06-28 19:39:09        0 d-------- C:\Program Files\AVG

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
18/07/2008 16:25 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
30/07/2008 22:34 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [18/07/2008 16:25 2055960]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [30/07/2008 22:34 262144]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]
[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
"gwiz"="C:\WINDOWS\system32\ntsystem.exe" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [18/07/2008 16:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/07/2008 09:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/08/2008 19:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [18/02/1999 04:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"NoActiveDesktop"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoFolderOptions"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8910 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-08-04 18:45:15 ------------
```
#4
Registered User
Join Date: Jul 2008
Posts: 9
OS: XP

Re: HijackThis Logfile
```
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 510.48 MiB / 208.02 MiB
Pagefile Memory (total/avail): 865.36 MiB / 535.1 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.76 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 38.28 GiB total, 33.54 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6E040L0 - 38.29 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 38.28 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.483.000 (Check Point, LTD.)
AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Cathy McBride\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=UU-C9219EB3F829
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Cathy McBride
LOGONSERVER=\\UU-C9219EB3F829
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CATHYM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CATHYM~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=UU-C9219EB3F829
USERNAME=Cathy McBride
USERPROFILE=C:\Documents and Settings\Cathy McBride
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Cathy McBride (admin)

-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
FinePixViewer Ver.4.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB835221 -->
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Lexmark Photo Center --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{523BD5B6-E904-493C-B902-1BC9B7D44DF4} /l1033
Lexmark Z700-P700 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBLUN5C.EXE -dLexmark Z700-P700 Series
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O

-- Application Event Log -------------------------------------------------------

Event Record #/Type336 / Error
Event Submitted/Written: 07/18/2008 05:37:21 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type335 / Error
Event Submitted/Written: 07/18/2008 05:37:21 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

No Errors/Warnings found.

-- End of Deckard's System Scanner: finished at 2008-08-04 18:45:15 ------------
```
#5
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3

Re: HijackThis Logfile
Hi,

Please download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

Do not mouseclick combofix's window while it's running. That may cause it to stall.
#6
Registered User
Join Date: Jul 2008
Posts: 9
OS: XP

Re: Combofix log and new hijackthis log
```
ComboFix 08-08-04.08 - Cathy McBride 2008-08-05 23:01:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.245 [GMT 1:00]
Running from: C:\Documents and Settings\Cathy McBride\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cathy McBride\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Cathy McBride\Application Data\Install.dat
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-04 18:40 . 2008-08-04 18:40 <DIR> d-------- C:\Deckard
2008-08-04 18:37 . 2008-08-04 18:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 19:18 . 2008-08-03 10:13 <DIR> d-------- C:\Program Files\Google
2008-08-01 19:18 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-30 22:36 . 2008-08-05 23:05 700,448 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-30 22:36 . 2008-08-04 23:00 8,348 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-30 22:34 . 2008-07-30 22:34 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-07-30 22:32 . 2008-07-30 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-30 22:32 . 2008-07-30 22:34 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-30 22:31 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-30 22:31 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-07-30 22:30 . 2008-07-30 22:30 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-30 22:28 . 2008-08-05 22:47 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-26 13:37 . 2008-07-26 13:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-26 13:37 . 2008-08-05 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 18:18 --------- d-----w C:\Program Files\Java
2008-07-18 15:25 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-18 15:25 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-18 15:25 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-09 08:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-06-28 22:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-28 18:44 --------- d-----w C:\Documents and Settings\Cathy McBride\Application Data\AVGTOOLBAR
2008-06-28 18:39 --------- d-----w C:\Program Files\AVG
2008-06-28 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-01 19:21 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-18 16:25 1232152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-18 16:25]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-18 16:25]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 16:25]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-18 16:25]
S3 ADM851x;ADMtek ADM8513 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851x.SYS [2002-04-04 04:14]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.co.uk/
R1 -: HKCU-Internet Settings,ProxyServer = ftp=hxxp://www-cache.virgin.com:8080;http=http://www-cache.virgin.com:8080
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a}

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 23:05:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
```
scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-08-05 23:07:41 ComboFix-quarantined-files.txt 2008-08-05 22:07:35 Pre-Run: 35,891,269,632 bytes free Post-Run: 35,919,704,064 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 144 --- E O F --- 2008-07-26 16:44:49 Hijackthis log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:14:05, on 05/08/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.virgin.com:8080;http=http://www-cache.virgin.com:8080 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone 
Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/ O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: 
avgrsstx.dll O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5992 bytes |
#7
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: HijackThis Logfile
Hi,
It's looking good. How is the computer running?
Code:
SkipFix::
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
=======================
Let's run an online scanner for any remnants. It can take some time, so please be patient and allow it to run its full course:
Using Internet Explorer, visit http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
**Note** To optimize scanning time and produce a more sensible report for review:
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
Last edited by amateur; 08-06-2008 at 12:16 PM.
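A defender-side check for the registry value that the CFScript in this post rewrites, added here as an example and not code from the thread, ComboFix or HijackThis: it parses a SecurityProviders line in either the bare form ComboFix prints under "Reg Loading Points" or the REGEDIT4 form the script uses, and flags any DLL outside the four-entry baseline the script restores. The baseline and both sample excerpts are taken from this thread; the extra ntoskrnl.dll entry in the first ComboFix log is what the script removes, and the check reports exactly that.

```python
"""Compare a SecurityProviders registry value against a known-good baseline.

Added example (not part of the forum thread).  The DLLs named in
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders are loaded as
Security Support Providers at startup, so an entry that is not one of the
defaults is worth a closer look, and it is the entry the CFScript in this
thread removes.
"""
import re

# Known-good list for Windows XP SP2: the value the thread's CFScript writes back.
BASELINE = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# REGEDIT4 form, as used in the CFScript:  "SecurityProviders"="a.dll, b.dll"
_REGEDIT4 = re.compile(r'^"SecurityProviders"\s*=\s*"(.*)"\s*$', re.IGNORECASE)
# Bare form, as ComboFix prints it under Reg Loading Points:  SecurityProviders a.dll, b.dll
_BARE = re.compile(r"^SecurityProviders\s+(\S.*)$", re.IGNORECASE)


def parse_security_providers(text: str) -> list[str]:
    """Return the DLL names from the first SecurityProviders line in `text`.

    Names are lower-cased and returned in registry order; an empty list means
    no SecurityProviders line was found.
    """
    for raw in text.splitlines():
        line = raw.strip()
        match = _REGEDIT4.match(line) or _BARE.match(line)
        if match:
            return [p.strip().lower() for p in match.group(1).split(",") if p.strip()]
    return []


def unexpected_providers(providers: list[str], baseline=BASELINE) -> list[str]:
    """DLLs present in `providers` that are not in `baseline` (case-insensitive)."""
    known = {b.lower() for b in baseline}
    return [p for p in providers if p.lower() not in known]


def cfscript_fix(baseline=BASELINE) -> str:
    """Build the Registry:: block that restores `baseline`, in the same shape as
    the CFScript posted in this thread."""
    return (
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]\n"
        f'"SecurityProviders"="{", ".join(baseline)}"\n'
    )


# Excerpt of the "Reg Loading Points" section from the first ComboFix log in
# this thread: five DLLs, the last of which is not a default provider.
COMBOFIX_EXCERPT = (
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]\n"
    "SecurityProviders\tmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll\n"
)

# The same key as the CFScript writes it (REGEDIT4 form).
CFSCRIPT_EXCERPT = (
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]\n"
    '"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"\n'
)


if __name__ == "__main__":
    for label, excerpt in (("ComboFix log", COMBOFIX_EXCERPT), ("CFScript", CFSCRIPT_EXCERPT)):
        found = parse_security_providers(excerpt)
        extra = unexpected_providers(found)
        print(f"{label}: {found}")
        print(f"  unexpected: {extra or 'none'}")
        if extra:
            print("  fix block:\n" + cfscript_fix())
```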
#8
Registered User
Join Date: Jul 2008
Posts: 9
OS: XP
Re: HijackThis Logfile
Hi Amateur,
Greetings from a very cold, wet Ireland - well it is supposed to be summer... Thanks again for your help - the computer is running ok - a little slow but nothing major. See the log below..
Cathy

ComboFix 08-08-04.08 - Cathy McBride 2008-08-06 19:39:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.243 [GMT 1:00]
Running from: C:\Documents and Settings\Cathy McBride\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cathy McBride\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-08-04 18:40 . 2008-08-04 18:40 <DIR> d-------- C:\Deckard
2008-08-04 18:37 . 2008-08-04 18:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 19:18 . 2008-08-03 10:13 <DIR> d-------- C:\Program Files\Google
2008-08-01 19:18 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-30 22:36 . 2008-08-06 19:40 792,608 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-30 22:36 . 2008-08-05 23:41 9,956 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-30 22:34 . 2008-07-30 22:34 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-07-30 22:32 . 2008-07-30 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-30 22:32 . 2008-07-30 22:34 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-30 22:31 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-30 22:31 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-07-30 22:30 . 2008-07-30 22:30 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-30 22:28 . 2008-08-06 19:33 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-26 13:37 . 2008-07-26 13:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-26 13:37 . 2008-08-05 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 18:18 --------- d-----w C:\Program Files\Java
2008-07-18 15:25 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-18 15:25 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-18 15:25 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-09 08:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-06-28 22:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-28 18:44 --------- d-----w C:\Documents and Settings\Cathy McBride\Application Data\AVGTOOLBAR
2008-06-28 18:39 --------- d-----w C:\Program Files\AVG
2008-06-28 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-01 19:21 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-18 16:25 1232152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-18 16:25]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-18 16:25]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 16:25]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-18 16:25]
S3 ADM851x;ADMtek ADM8513 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851x.SYS [2002-04-04 04:14]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 19:40:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-06 19:44:08
ComboFix-quarantined-files.txt 2008-08-06 18:43:56
ComboFix2.txt 2008-08-05 22:07:44

Pre-Run: 35,896,758,272 bytes free
Post-Run: 35,898,761,216 bytes free

127 --- E O F --- 2008-07-26 16:44:49
#9
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: HijackThis Logfile
Hi,
Hope it gets warmer soon. May I have the Kaspersky report too please?
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#10
Registered User
Join Date: Jul 2008
Posts: 9
OS: XP
Re: HijackThis Logfile
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 06, 2008 8:58:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/08/2008
Kaspersky Anti-Virus database records: 1062741
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 23352
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:49:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Cathy McBride\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cathy McBride\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cathy McBride\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cathy McBride\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cathy McBride\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Cathy McBride\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cathy McBride\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Cathy McBride\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B1697485-9F0A-4531-AC10-CA5FD7C066C2}\RP48\A0087318.exe Infected: Trojan-Downloader.Win32.Small.cpg skipped
C:\System Volume Information\_restore{B1697485-9F0A-4531-AC10-CA5FD7C066C2}\RP48\A0087319.exe Infected: Trojan-Downloader.Win32.Small.cpg skipped
C:\System Volume Information\_restore{B1697485-9F0A-4531-AC10-CA5FD7C066C2}\RP48\A0087320.exe Infected: Trojan-Downloader.Win32.Small.cpg skipped
C:\System Volume Information\_restore{B1697485-9F0A-4531-AC10-CA5FD7C066C2}\RP63\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\UU-C9219EB3F829.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F2207A03-4DB5-4F41-97FE-1E649380BB59}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT052e7.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT052ea.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
#11
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: HijackThis Logfile
Hi,
Would you mind repeating this please:
Code:
SkipFix::
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you. Post that log in your next reply.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#12
Registered User
Join Date: Jul 2008
Posts: 9
OS: XP
Re: HijackThis Logfile
ComboFix 08-08-06.04 - Cathy McBride 2008-08-07 18:28:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239 [GMT 1:00]
Running from: C:\Documents and Settings\Cathy McBride\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cathy McBride\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-06 19:55 . 2008-08-06 19:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-08-06 19:55 . 2008-08-06 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-04 18:40 . 2008-08-04 18:40 <DIR> d-------- C:\Deckard
2008-08-04 18:37 . 2008-08-04 18:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 19:18 . 2008-08-03 10:13 <DIR> d-------- C:\Program Files\Google
2008-08-01 19:18 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-30 22:36 . 2008-08-07 18:30 989,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-30 22:36 . 2008-08-06 22:24 12,116 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-30 22:34 . 2008-07-30 22:34 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-07-30 22:32 . 2008-07-30 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-30 22:32 . 2008-07-30 22:34 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-30 22:31 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-30 22:31 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-07-30 22:30 . 2008-07-30 22:30 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-30 22:28 . 2008-08-07 18:23 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-26 13:37 . 2008-07-26 13:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-26 13:37 . 2008-08-05 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 18:18 --------- d-----w C:\Program Files\Java
2008-07-18 15:25 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-18 15:25 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-18 15:25 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-09 08:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-06-28 22:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-28 18:44 --------- d-----w C:\Documents and Settings\Cathy McBride\Application Data\AVGTOOLBAR
2008-06-28 18:39 --------- d-----w C:\Program Files\AVG
2008-06-28 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
((((((((((((((((((((((((((((( snapshot@2008-08-05_23.06.41.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-01 19:21 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-18 16:25 1232152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-18 16:25]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-18 16:25]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 16:25]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-18 16:25]
S3 ADM851x;ADMtek ADM8513 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851x.SYS [2002-04-04 04:14]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 18:29:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 18:32:41
ComboFix-quarantined-files.txt 2008-08-07 17:32:28
ComboFix2.txt 2008-08-06 18:44:11
ComboFix3.txt 2008-08-05 22:07:44

Pre-Run: 35,764,781,056 bytes free
Post-Run: 35,755,073,536 bytes free

136 --- E O F --- 2008-07-26 16:44:49
#14
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: HijackThis Logfile
Hi,
All is looking good. Let me know if you still receive notification from AVG after this next step.
Have a look at the excellent information and tips on the prevention of malware here by a colleague of ours.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#16
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: HijackThis Logfile
Hi Cathy,
You're welcome. Take care and surf safely!