Thread: HELP: Infected System
View Single Post
Old 12-14-2007, 12:44 PM   #3 (permalink)
script.kiddie
 
Newb Techie

Join Date: Dec 2007

Posts: 10

script.kiddie is on a distinguished road
Question Re: HELP: Infected System
This log file is about 10 days old by never mind I hav'nt installed anything or downloaded anything after that date till now.

Log file of processes by HijackThis:

Process list saved on 10:13:43 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
572 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
672 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
716 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
728 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
884 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1052 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1088 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1440 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1820 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.1.36 GRISOFT s.r.o.
1872 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1900 C:\Program Files\Eset\nod32krn.exe 2.70.32.0 Eset
1988 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
172 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1120 C:\WINDOWS\Explorer.EXE 6.0.2900.3156 Microsoft Corporation
1612 C:\Program Files\Eset\nod32kui.exe 2.70.32.0 Eset
4076 C:\Program Files\Yahoo!\Messenger\YPager.exe 7.0.2.120
3260 C:\Program Files\Google\Google Talk\googletalk.exe 1.0.0.104 Google
3796 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20071.12718 Mozilla Corporation
240 C:\WINDOWS\system32\taskmgr.exe 5.1.2600.2180 Microsoft Corporation
3432 C:\PROGRA~1\WINZIP\winzip32.exe 18.0.6224.0 WinZip Computing, Inc.
3640 C:\Documents and Settings\Akshay\Local Settings\Temp\HijackThis.exe 2.0.0.2 Trend Micro Inc.
2684 C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.2180 Microsoft Corporation


DLLs loaded by process C:\WINDOWS\system32\svchost.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.3159 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.3139 Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.3157 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 5.82.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\rpcss.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\WS2_32.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\Secur32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.258 Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 Microsoft Corporation
c:\windows\system32\termsrv.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ICAAPI.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\AUTHZ.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\mstlsapi.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ACTIVEDS.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\adsldpc.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
C:\WINDOWS\system32\REGAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 Microsoft Corporation
C:\WINDOWS\system32\Apphelp.dll 5.1.2600.2180 Microsoft Corporation



and here is the log file of general scan done using HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:08 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Akshay\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D453ED8-EEDF-4FE8-80AA-6B8EBF8980D3}: NameServer = 61.1.96.71,61.1.64.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{A82F9EC1-05B6-43AD-979D-19079AC12C8C}: NameServer = 218.248.240.208 218.248.255.193
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
script.kiddie is offline