Home   News  Product reviews  Website reviews  Forums   Competitions  Subscribe 
Search
You are not logged in.
Login | New user registration 		Main Index | Search | Active Topics | Who's Online | FAQ / HELP

Security >> HijackThis logs help and analysis
Previous thread Previous   View all threads Index   Next thread Next   Flat Mode Flat  

 |  Print Thread
aquilotta
new user


Reg'd: Thu
Posts: 8
Re: HijackThis log (where's the worm?)
      Sun Jun 01 2008 12:03 AM
Reply to this post Reply   Reply to this post Quote  

Hi Bricat! This evening I succeeded in saving it without probs and without changing the name - I suspect that my mistake last night was in trying to "RUN" it instead of "SAVE" it?
At any rate, herewith now the new ComboFix log. The HijackThis one is below it. Thanks again soooo much for all your help, Bricat: really appreciate it. Does this mean that my system is now sparkly clean from EVERYthing potentially nasty??

ComboFix 08-05-29.1 - Owner 2008-06-01 0:30:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT 2:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 01:24 . 2008-05-30 01:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 01:24 . 2008-05-30 01:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-30 01:24 . 2008-05-30 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 01:24 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 01:24 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-27 14:59 . 2008-05-27 14:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 08:20 . 2008-05-27 08:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 22:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\SlipStream
2008-05-27 07:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-15 17:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-09 09:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2001-11-23 04:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A66AA08A-9BF0-4e87-99E6-6972731D6B99}]
2007-10-19 06:49 602112 --a------ C:\Program Files\ONSPEED\Prefetch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"HijackThis startup scan"="C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" [2008-05-27 14:59 396288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"VTTimer"="VTTimer.exe" [2004-10-22 05:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"CAPON"="C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2001-02-05 17:00 22528]
"ISDN Monitor"="Linksts.exe" [2000-12-11 04:23 53248 C:\WINDOWS\system32\linksts.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-05-01 20:30 262401]
"SlipStream"="C:\Program Files\ONSPEED\onspeedcore.exe" [2007-10-19 06:49 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-01-19 11:29 67264]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-21 09:00:00 51984]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Canon LBP-810 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE [2002-09-05 17:00:00 113664]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2006-11-20 00:30:45 73728]
ONSPEED.lnk - C:\Program Files\ONSPEED\onspeedgui.exe [2007-11-01 23:05:41 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 BTMgr;Bluelet Device Manager Service;C:\WINDOWS\system32\Drivers\BTMgr.sys [2002-08-21 23:53]
R0 isdnlink;isdnlink;C:\WINDOWS\system32\DRIVERS\linkisdn.sys [2000-12-11 10:31]
R2 RapidPort;RapidPort;C:\WINDOWS\System32\Drivers\CAPLPTN.SYS [2001-02-05 17:00]
R3 wanlink;wanlink;C:\WINDOWS\system32\DRIVERS\wanlink.sys [2000-12-11 04:43]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 18:18:00 C:\WINDOWS\Tasks\preupd.job"
- C:\Program Files\AntiVir PersonalEdition Classic\preupd.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 00:35:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 0:39:46
ComboFix-quarantined-files.txt 2008-05-31 22:39:41

Pre-Run: 71,740,440,576 bytes free
Post-Run: 72,154,275,840 bytes free

88 --- E O F --- 2008-05-28 20:41:38

***************** **********************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:58:57, on 01/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\Linksts.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ONSPEED\onspeedcore.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\ONSPEED\onspeedgui.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/nature/animals/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
O2 - BHO: Prefetch - {A66AA08A-9BF0-4e87-99E6-6972731D6B99} - C:\Program Files\ONSPEED\Prefetch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ONSPEED\Toolband.dll (file missing)
O3 - Toolbar: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{728E77BE-560F-471A-A948-74A4387FBA27}: NameServer = 192.168.110.254
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

--
End of file - 6793 bytes

Post Extras Print Post   Remind Me!     Notify Moderator
Rate this thread

Jump to


Entire topic
Subject Posted by Posted on
* HijackThis log (where's the worm?) aquilotta Thu May 29 2008 02:49 AM
. * * Re: HijackThis log (where's the worm?) bricatModerator   Thu May 29 2008 06:58 PM
. * * Re: HijackThis log (where's the worm?) aquilotta   Fri May 30 2008 12:44 AM
. * * Re: HijackThis log (where's the worm?) bricatModerator   Fri May 30 2008 08:50 AM
. * * Re: HijackThis log (where's the worm?) aquilotta   Sat May 31 2008 12:17 AM
. * * Re: HijackThis log (where's the worm?) bricatModerator   Sat May 31 2008 01:51 PM
. * * Re: HijackThis log (where's the worm?) aquilotta   Sun Jun 01 2008 12:03 AM
. * * Re: HijackThis log (where's the worm?) bricatModerator   Sun Jun 01 2008 12:15 AM
. * * Re: HijackThis log (where's the worm?) aquilotta   Mon Jun 02 2008 10:54 PM
. * * Re: HijackThis log (where's the worm?) bricatModerator   Tue Jun 03 2008 12:08 AM
. * * Re: HijackThis log (where's the worm?) aquilotta   Mon Jun 09 2008 12:26 AM
. * * Re: HijackThis log (where's the worm?) bricatModerator   Mon Jun 09 2008 08:04 AM
. * * Re: HijackThis log (where's the worm?) aquilotta   Mon Jun 09 2008 11:28 PM
. * * Re: HijackThis log (where's the worm?) bricatModerator   Tue Jun 10 2008 10:24 AM
. * * Re: HijackThis log (where's the worm?) aquilotta   Fri May 30 2008 12:35 AM

Extra information
0 registered and 15 anonymous users are browsing this forum.

Moderator:  putasolutions, greysts, bricat, AndrewC, Joe_London, John_McKenna, Mouse, Hello_There, TheFatControlleR, Nanook, Noviciate 


Print Thread
Forum Permissions
      You cannot start new topics
      You cannot reply to topics
      HTML is disabled
      Mark-up is enabled

Rating:
Thread views: 0

Contact Us | Privacy statement Main website
Hitwise Top 10 Award Winner - Jan-Mar 2005

About us | Contact us | Link to us | Terms & Conditions | Privacy Policy
© Copyright IPC Media Limited, All rights reserved