
Topic: Is this list clean?


Briguy (Topic Starter)
    Is this list clean?
    « on: July 18, 2008, 06:12:25 PM »
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:11:02 PM, on 7/18/2008
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216423689200
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 3809 bytes
    ComboFix 08-07-14.2 - Owner 2008-07-18 17:01:23.1 - NTFSx86
    Microsoft Windows XP Home Edition  5.1.2600.0.1252.1.1033.18.557 [GMT -7:00]
    Running from: G:\ComboFix-1.exe
     * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\MabryObj.dll

    .
    (((((((((((((((((((((((((   Files Created from 2008-06-19 to 2008-07-19  )))))))))))))))))))))))))))))))
    .

    2008-07-18 16:59 . 2008-07-18 16:59   <DIR>   d--------   C:\WINDOWS\LastGood
    2008-07-18 16:59 . 2001-08-17 14:03   21,760   --a--c---   C:\WINDOWS\system32\dllcache\usbstor.sys
    2008-07-18 16:52 . 2008-07-18 16:52   <DIR>   d--------   C:\537fdaca90ccbb4a92ec3c1c
    2008-07-18 16:06 . 2001-08-17 22:24   57,472   --a------   C:\WINDOWS\system32\drivers\sysaudio.sys
    2008-07-18 16:06 . 2001-08-17 13:59   50,048   --a------   C:\WINDOWS\system32\drivers\DMusic.sys
    2008-07-18 16:06 . 2001-08-17 14:03   24,960   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-07-18 16:06 . 2001-08-17 22:36   19,456   --a------   C:\WINDOWS\system32\hidserv.dll
    2008-07-18 16:06 . 2001-08-17 13:48   13,952   --a------   C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-07-18 16:06 . 2001-08-17 13:48   6,400   --a------   C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2008-07-18 16:06 . 2001-08-17 13:48   5,120   --a------   C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2008-07-18 16:06 . 2001-08-17 13:48   4,608   --a------   C:\WINDOWS\system32\drivers\MSPQM.sys
    2008-07-18 16:06 . 2001-08-17 14:01   2,816   --a------   C:\WINDOWS\system32\drivers\drmkaud.sys
    2008-07-18 16:05 . 2001-08-17 22:24   135,040   --a------   C:\WINDOWS\system32\drivers\portcls.sys
    2008-07-18 16:05 . 2001-08-17 22:37   117,248   --a------   C:\WINDOWS\system32\ksproxy.ax
    2008-07-18 16:05 . 2001-08-17 14:01   57,344   --a------   C:\WINDOWS\system32\drivers\drmk.sys
    2008-07-18 16:05 . 2001-08-17 12:11   34,112   --a------   C:\WINDOWS\system32\drivers\an983.sys
    2008-07-18 16:05 . 2001-08-17 12:12   23,070   --a------   C:\WINDOWS\system32\drivers\RTL8139.sys
    2008-07-18 16:05 . 2001-08-17 14:02   9,728   --a------   C:\WINDOWS\system32\drivers\gameenum.sys
    2008-07-18 16:05 . 2001-08-17 22:36   4,096   --a------   C:\WINDOWS\system32\ksuser.dll
    2008-07-16 10:19 . 2008-07-16 11:22   <DIR>   d--------   C:\WINDOWS\tmp
    2008-07-15 19:20 . 2008-07-15 19:20   <DIR>   d--------   C:\Program Files\RORweb
    2008-07-05 18:13 . 2008-07-15 14:56   <DIR>   d--h-----   C:\$AVG8.VAULT$
    2008-07-02 14:53 . 2008-07-02 14:53   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll.prepare
    2008-06-26 10:48 . 2008-06-26 10:48   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-18 23:11   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
    2008-07-18 23:11   ---------   d-----w   C:\Program Files\Arcsoft
    2008-07-16 02:04   ---------   d-----w   C:\Program Files\Mozilla Thunderbird
    2008-07-15 23:13   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\WholeSecurity
    2008-07-15 20:25   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\StumbleUpon
    2008-07-15 18:20   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-07-06 05:57   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\avg8
    2008-07-02 21:54   76,040   ----a-w   C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-07-02 21:53   96,520   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-06-26 17:48   ---------   d-----w   C:\Program Files\Lavasoft
    2008-06-26 17:48   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-18 13:10   ---------   d-----w   C:\Program Files\Sun
    2008-06-18 13:09   ---------   d-----w   C:\Program Files\Java
    2008-06-16 23:27   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
    2008-06-16 18:21   10,520   ----a-w   C:\WINDOWS\system32\avgrsstx.dll
    2008-06-16 18:21   ---------   d-----w   C:\Program Files\AVG
    2008-06-16 18:19   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-16 18:19   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-06-16 14:38   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\avg8(2)
    2008-06-16 14:35   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\avg8(3)
    2008-06-16 14:33   ---------   d-----w   C:\Program Files\PC Tools AntiVirus
    2008-06-16 14:33   ---------   d-----w   C:\Program Files\MozBackup
    2008-06-16 14:33   ---------   d-----w   C:\Program Files\Google
    2008-06-15 18:01   10,520   ----a-w   C:\WINDOWS\system32\avgrsstx(2)(2).dll
    2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-09 14:06   ---------   d-----w   C:\Program Files\Alwil Software
    2008-05-31 16:37   13   -c-h--w   C:\Documents and Settings\All Users\Application Data\ÐÒÝÃÄ3113›˜.sys
    2008-05-21 00:09   ---------   d-----w   C:\Program Files\Microsoft Silverlight
    2008-05-16 18:58   12,632   ----a-w   C:\WINDOWS\system32\lsdelete.exe
    2008-04-23 04:16   826,368   ----a-w   C:\WINDOWS\system32\wininet(2)(2).dll
    2008-04-23 04:16   267,776   ----a-w   C:\WINDOWS\system32\iertutil(2)(2).dll
    2008-04-23 04:16   105,984   ----a-w   C:\WINDOWS\system32\url(2)(2).dll
    2008-04-23 04:16   1,159,680   ----a-w   C:\WINDOWS\system32\urlmon(2)(2).dll
    2005-11-02 17:46   554   -c--a-w   C:\Documents and Settings\Owner\DMOrganizer.dat
    2004-12-27 02:47   836   -c--a-w   C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
    2004-11-14 21:24   476   -c-ha-w   C:\Documents and Settings\Owner\hpothb07.dat
    2003-01-13 18:20   278,528   -c----w   C:\Program Files\internet explorer\plugins\PanoViewer.dll
    1999-04-30 23:00   98,304   -c----w   C:\Program Files\internet explorer\plugins\UPjpeg.dll
    2005-01-25 21:56   220   -csha-w   C:\WINDOWS\system32\ss.drv
    .

    ------- Sigcheck -------

    2004-08-03 23:00  29056  4448006b6bc60e6c027932cfc38d6855   C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
    2004-08-03 23:00  29056  4448006b6bc60e6c027932cfc38d6855   C:\WINDOWS\system32\dllcache\ip6fw.sys
    2004-08-03 23:00  29056  4448006b6bc60e6c027932cfc38d6855   C:\WINDOWS\system32\drivers\ip6fw.sys
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 14:14 1077277]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
    "CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-17 23:11 69632]
    "KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56 61440]
    "StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 08:01 155648]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-18 23:39 212992]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 03:29 155648]
    "NAV CfgWiz"="c:\PROGRA~1\NORTON~1\Cfgwiz.exe" [2002-02-27 18:28 407160]
    "NAV Agent"="c:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 18:27 75384]

    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
    AutoTBar.exe [2002-05-30 02:58:02 40960]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Secunia PSI (RC1).lnk - C:\Program Files\Secunia\PSI (RC1)\psi.exe [2008-02-05 03:36:24 610304]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 06:00:46 972064]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    NvQTwk [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
    --a------ 2002-06-08 01:20 86016 C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
    --a------ 2002-06-08 01:18 122880 C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a------ 2002-07-16 08:03 106549 C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2002-05-15 03:20 114688 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    --a------ 2002-06-14 16:39 81920 C:\WINDOWS\system32\ps2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2002-05-03 17:06 364544 C:\WINDOWS\system32\nwiz.exe

    R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-08-17 12:11]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-09 21:37:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2002-07-27 03:33:50 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-18 17:06:57
    Windows 5.1.2600  NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-18 17:09:39
    ComboFix-quarantined-files.txt  2008-07-19 00:09:28

    Pre-Run: 12,427,825,152 bytes free
    Post-Run: 12,519,976,960 bytes free


evilfantasy (Malware Removal Specialist, Moderator)
    Re: Is this list clean?
    « Reply #1 on: July 18, 2008, 10:09:03 PM »
    Quote: Is this list clean?

    I don't know what I am looking for.

    Those aren't the steps from here > http://www.computerhope.com/forum/index.php/topic,46313.0.html

    Combofix shouldn't be run unless requested.