Computer Forums

Closed Thread

HELP: Infected System

Post #1, 12-14-2007, 10:32 AM, by script.kiddie (Newb Techie)

Hi,

I have XP Professional with Service Pack 2 installed. For the 5-6 months since I installed Windows, the Windows Firewall that comes with SP2 has always been on, and I am using the NOD32 anti-virus system, which is always up to date.

I have been assured on BleepingComputer's forum (the official forum of the software HijackThis) that the log file of my system saved by a HijackThis scan, which I posted on their forum, shows nothing suspicious and is clean. As written in their steps, I scanned my PC with the latest NOD32 anti-virus system, the latest AVG Anti-Spyware, BitDefender Online Scanner, Spyware Doctor, HijackThis and Registry Mechanic, and nothing was found. Still, my gut feeling says that some data is being logged and sent to a remote computer (maybe an undetectable trojan).

Also, I am NOT experiencing any type of problem with my system.

How should I confirm that my system is free of any spyware/virus/worm/trojan?

Thanks

Last edited by script.kiddie; 12-14-2007 at 10:39 AM.

Post #2, 12-14-2007, 12:30 PM, by Osiris (Kentucky)

Re: HELP: Infected System

Post a log and I will take a look.

Post #3, 12-14-2007, 12:44 PM, by script.kiddie (Newb Techie)

Re: HELP: Infected System

This log file is about 10 days old, but never mind, I haven't installed anything or downloaded anything after that date until now.

Log file of processes by HijackThis:

Process list saved on 10:13:43 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
572 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
672 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
716 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
728 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
884 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1052 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1088 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1440 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1820 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.1.36 GRISOFT s.r.o.
1872 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1900 C:\Program Files\Eset\nod32krn.exe 2.70.32.0 Eset
1988 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
172 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1120 C:\WINDOWS\Explorer.EXE 6.0.2900.3156 Microsoft Corporation
1612 C:\Program Files\Eset\nod32kui.exe 2.70.32.0 Eset
4076 C:\Program Files\Yahoo!\Messenger\YPager.exe 7.0.2.120
3260 C:\Program Files\Google\Google Talk\googletalk.exe 1.0.0.104 Google
3796 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20071.12718 Mozilla Corporation
240 C:\WINDOWS\system32\taskmgr.exe 5.1.2600.2180 Microsoft Corporation
3432 C:\PROGRA~1\WINZIP\winzip32.exe 18.0.6224.0 WinZip Computing, Inc.
3640 C:\Documents and Settings\Akshay\Local Settings\Temp\HijackThis.exe 2.0.0.2 Trend Micro Inc.
2684 C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.2180 Microsoft Corporation


DLLs loaded by process C:\WINDOWS\system32\svchost.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.3159 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.3139 Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.3157 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 5.82.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\rpcss.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\WS2_32.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\Secur32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.258 Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 Microsoft Corporation
c:\windows\system32\termsrv.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ICAAPI.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\AUTHZ.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\mstlsapi.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ACTIVEDS.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\adsldpc.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
C:\WINDOWS\system32\REGAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 Microsoft Corporation
C:\WINDOWS\system32\Apphelp.dll 5.1.2600.2180 Microsoft Corporation



and here is the log file of general scan done using HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:08 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Akshay\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D453ED8-EEDF-4FE8-80AA-6B8EBF8980D3}: NameServer = 61.1.96.71,61.1.64.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{A82F9EC1-05B6-43AD-979D-19079AC12C8C}: NameServer = 218.248.240.208 218.248.255.193
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

Post #4, 12-14-2007, 01:32 PM, by Osiris (Kentucky)

Re: HELP: Infected System

The only thing I see that might be an issue is this:

O17 - HKLM\System\CCS\Services\Tcpip\..\{6D453ED8-EEDF-4FE8-80AA-6B8EBF8980D3}: NameServer = 61.1.96.71,61.1.64.65

O17 - HKLM\System\CCS\Services\Tcpip\..\{A82F9EC1-05B6-43AD-979D-19079AC12C8C}: NameServer = 218.248.240.208 218.248.255.193

Do you have a static IP address?

If you remove these and you don't have an internet connection afterwards, you will need to reinstall your network card.

But if you're not getting any popups, it's safe to say that you are clean.
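An added example (not from this thread, and not HijackThis code) of checking O17 entries the way the reply above does by eye: it parses the O17 NameServer lines in both separator styles the log shows and flags any resolver outside an allowlist of the ISP's expected DNS ranges. The allowlist 61.1.0.0/16 is an assumption standing in for whatever ranges the user's own ISP actually publishes.

```python
import ipaddress
import re

# Constructed sample: the two O17 lines quoted in the thread, plus one
# unrelated R0 entry to show that other HijackThis sections are ignored.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6D453ED8-EEDF-4FE8-80AA-6B8EBF8980D3}: NameServer = 61.1.96.71,61.1.64.65
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A82F9EC1-05B6-43AD-979D-19079AC12C8C}: NameServer = 218.248.240.208 218.248.255.193
"""

# An O17 line names one network interface (by GUID) and its DNS servers;
# HijackThis separates the servers with a comma or a space, so accept both.
O17_RE = re.compile(r"^O17 - .*?\{([0-9A-Fa-f-]+)\}: NameServer = (.+)$")

def parse_o17(log_text):
    """Return {interface_guid: [nameserver, ...]} for every O17 line."""
    entries = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        guid, servers = m.group(1), m.group(2)
        entries[guid] = [s for s in re.split(r"[,\s]+", servers) if s]
    return entries

def check_nameservers(entries, expected_networks):
    """Flag every nameserver that lies outside the expected DNS networks.

    expected_networks is an assumption supplied by the defender: the
    resolver ranges their ISP (or their own router) is known to use.
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for guid, servers in entries.items():
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                findings.append((guid, s, "not an IP address"))
                continue
            if not any(addr in n for n in nets):
                findings.append((guid, s, "outside expected DNS ranges"))
    return findings

if __name__ == "__main__":
    # Hypothetical allowlist that covers only the first interface's resolvers.
    for f in check_nameservers(parse_o17(SAMPLE_LOG), ["61.1.0.0/16"]):
        print(f)
```

A resolver that is neither the ISP's nor the router's own address is the thing worth asking the ISP about; a stale second interface (an old dial-up or VPN adapter, as the "do you have a static IP" question is probing) is the common benign explanation.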
Post #5, 12-14-2007, 10:22 PM, by qk232 (Newb Techie)

Re: HELP: Infected System

I don't think you mentioned it in your post, but try the same scans from safe mode. I've had a couple of machines at work that were not quite right and would come up clean until I scanned with various programs in safe mode.

Post #6, 12-15-2007, 01:11 AM, by script.kiddie (Newb Techie)

Re: HELP: Infected System

Quote (Originally Posted by Osiris):
    The only thing I see that might be an issue is this:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6D453ED8-EEDF-4FE8-80AA-6B8EBF8980D3}: NameServer = 61.1.96.71,61.1.64.65

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A82F9EC1-05B6-43AD-979D-19079AC12C8C}: NameServer = 218.248.240.208 218.248.255.193

    But if you're not getting any popups, it's safe to say that you are clean.

These addresses above are DNS, and I don't get any pop-ups.

Quote (Originally Posted by Osiris):
    Do you have a static IP address?

No, I have a dynamic IP address and I am behind an ADSL router!!

Scanning so many times in safe mode and normal mode, can this result in crashing the hard drive?? I mean, it's a general question, just for my knowledge.

Last edited by script.kiddie; 12-15-2007 at 12:19 PM.

Post #7, 12-15-2007, 01:54 PM, by Osiris (Kentucky)

Re: HELP: Infected System

Anything is a possibility.