appalachianwino Posted June 18, 2008

I lurked and read and used SDFix, which found 2 dozen files that came in virtually at once when someone borrowed the computer to check her e-mail. At any rate - how clean does this look to you guys? Thanks in advance. HijackThis log first, then SDFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:15 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tasting Room\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [siteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{067B17DC-BB9A-4AD3-A1DF-A1524EEC3F00}: NameServer = 66.37.69.241,66.37.69.242
O23 - Service: McAfee Application Installer Cleanup (0313131213795957) (0313131213795957mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP31313~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7618 bytes

****

SDFix: Version 1.194
Run by Tasting Room on Wed 06/18/2008 at 01:53 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :
C:\WINDOWS\winself.exe service

MsSecurity1.209.4 - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\iftuyszv.exe - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 14:09:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PVSW\\bin\\w3dbsmgr.exe"="C:\\PVSW\\bin\\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 21 Jan 2008 195,403,816 A..H. --- "C:\RECYCLER\S-1-5-21-2000478354-413027322-839522115-1003\Dc18.bak"
Mon 16 Jun 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Mon 16 Jun 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Wed 29 Sep 2004 15,360 A..HR --- "C:\WINDOWS\system32\drivers\NetMotCM.sys"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT4.tmp"
Thu 23 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cd41db5c2bdd95605f53e6da96f2b182\BIT44.tmp"
Sun 9 Sep 2007 295,812 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download80070f6461c8001578e5e4cd4bb024b\download\BIT13.tmp"
Fri 11 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Fri 11 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Fri 11 Apr 2008 8 A..H. --- "C:\Documents and Settings\Tasting Room\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 11 Apr 2008 8 A..H. --- "C:\Documents and Settings\Tasting Room\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"

Finished!
rmurphy Posted June 29, 2008

Sorry for the delay in getting to your post. If you still require assistance, please post a new HijackThis log.

-Ryan