cleaning up a bit

Troncoso

Okay, you guys on here helped me out really well when I had virus problems. Now the family computer seems to be infected (or so my mom says; I'm not sure what's going on with it). So I was just wondering if a couple of educated persons could look at this HijackThis log and ComboFix log and see if anything is up:
 
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:16:48 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ASC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm011YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O15 - Trusted Zone: http://www.adobe.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1010030484687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161117336468
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup163.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

ComboFix:

ComboFix 08-05-29.1 - ASC 2008-05-29 16:19:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -4:00]
Running from: C:\Documents and Settings\ASC\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 23:46 . 2008-05-28 23:46 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-28 23:46 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-28 21:56 . 2008-05-28 21:56 <DIR> d-------- C:\Program Files\IObit
2008-05-28 21:56 . 2008-05-28 21:56 <DIR> d-------- C:\Program Files\CCleaner
2008-05-28 21:35 . 2008-05-28 21:38 <DIR> d-------- C:\Program Files\Universal Extractor
2008-05-28 16:23 . 2008-05-28 16:23 <DIR> d-------- C:\Program Files\Ventrilo
2008-05-18 21:02 . 2008-05-18 21:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-18 21:02 . 2008-05-18 21:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-17 12:51 . 2008-05-22 18:53 <DIR> d-------- C:\Program Files\World of Warcraft
2008-05-04 08:22 . 2008-05-15 07:27 1,524 --a------ C:\WINDOWS\system32\CTSTATUS.FCS
2008-05-03 08:59 . 2008-05-03 08:59 <DIR> d-------- C:\Program Files\PureSight Technologies Ltd
2008-05-03 08:59 . 2006-10-15 15:26 10,870,784 --a------ C:\WINDOWS\cfgmng32.exe
2008-05-03 08:59 . 2008-05-03 08:59 2,064,384 --a------ C:\WINDOWS\system32\win32cpr.dll
2008-05-03 08:59 . 2006-10-15 14:48 1,822,720 --a------ C:\WINDOWS\system32\winsflte.dll
2008-05-03 08:59 . 2008-05-03 08:59 1,294,422 --a------ C:\WINDOWS\system32\winsflt.dll
2008-05-03 08:59 . 2006-10-15 15:08 1,032,192 --a------ C:\WINDOWS\system32\mdmcls32.exe
2008-05-03 08:58 . 2008-05-03 09:13 <DIR> d-------- C:\WINDOWS\rnapxs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 04:03 --------- d-----w C:\Program Files\QuickTime
2008-05-29 03:46 --------- d-----w C:\Program Files\Java
2008-05-29 01:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 01:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 01:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 17:22 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-05-16 03:21 --------- d-----w C:\Program Files\VentSrv
2008-05-16 03:13 --------- d-----w C:\Program Files\Shockwave.com
2008-05-09 21:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-03 12:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 03:25 --------- d-----w C:\Program Files\Coupons
2008-04-20 16:52 --------- d-----w C:\Program Files\Motorola
2008-04-20 16:45 24,192 -c--a-w C:\Documents and Settings\ASC\usbsermptxp.sys
2008-04-20 16:45 22,768 -c--a-w C:\Documents and Settings\ASC\usbsermpt.sys
2008-04-20 16:45 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2008-04-20 16:24 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-20 16:24 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-04-20 16:13 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2006-11-23 03:03 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-04-01 02:17 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_16.15.10.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 20:07:39 6,852,608 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
+ 2008-05-29 20:17:15 6,860,800 ----a-w C:\WINDOWS\rnapxs\CSDK\urlcache\urlCacheDb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"dvHighMem"="C:\WINDOWS\cfgmng32.exe" [2006-10-15 15:26 10870784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.SP54"= SP5X_32.DLL
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Abacast\\Abaclient.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Documents and Settings\\All Users\\Documents\\World of Warcraft\\Repair.exe"=
"C:\\Documents and Settings\\ASC\\Desktop\\WoW-BurningCrusade-Trial-enUS-Installer-downloader.exe"=
"C:\\Documents and Settings\\ASC\\Desktop\\WoW-BurningCrusade-enUS-Installer-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-04 01:00]
R2 WinSock Extention Manager;WinSock Extention Manager;C:\WINDOWS\system32\mdmcls32.exe [2006-10-15 15:08]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 16:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\go.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 15:18:02 C:\WINDOWS\Tasks\Ad-Aware 2007.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\AD-AWA~1.EXE
"2008-02-08 03:17:53 C:\WINDOWS\Tasks\Ad-Aware Update Manager.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\LSUPDA~1.EXE
"2008-05-26 16:18:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-05 19:04:34 C:\WINDOWS\Tasks\monthly back up.job"
- C:\WINDOWS\system32\ntbackup.exeLbackup
"2008-02-08 03:15:48 C:\WINDOWS\Tasks\Symantec AntiVirus Client.job"
- C:\PROGRA~1\SYMANT~1\SYMANT~1\vpc32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 16:20:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-29 16:21:44
ComboFix-quarantined-files.txt 2008-05-29 20:21:35
ComboFix2.txt 2008-05-29 20:15:42

Pre-Run: 21,009,448,960 bytes free
Post-Run: 20,992,266,240 bytes free

124 --- E O F --- 2008-05-28 22:45:28
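Before the replies below, here is an added example (not code from HijackThis, ComboFix or anyone in this thread) showing how a reviewer can run a first pass over logs like the two above. The rules are the editor's own review heuristics, not anything the tools define: they only surface entries for a human to look at (a binary launched from the bare C:\WINDOWS root, a service with no vendor string, an LSP entry, a Winlogon Notify entry with no DLL name, orphaned "(no file)" entries, a Security Center override, a globally open firewall port, a drive AutoRun command). The sample lines are copied from the logs in this post; the 3389/TCP = Remote Desktop note is a standard port assignment, not something from the page.

```python
"""Heuristic first-pass triage of HijackThis and ComboFix log lines.

Added example for this thread; the rules are the editor's own assumptions
about what deserves a second look, not a verdict on what is malicious.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section code ("O4", "O23", ...) or "CF" for ComboFix
    reason: str
    line: str


SECTION_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# First Windows path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r'"?([a-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|cpl|ocx))"?', re.I)
PORT_RE = re.compile(r'^"(\d+):(tcp|udp)"=')

WIN_ROOT = "c:\\windows\\"
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\windows\\temp\\")


def extract_path(text):
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def bare_windows_root(path):
    """True when the file sits directly in C:\\WINDOWS rather than in a subfolder."""
    p = path.lower()
    return p.startswith(WIN_ROOT) and "\\" not in p[len(WIN_ROOT):]


def classify_hjt(section, body):
    """Return a review reason for one HijackThis entry, or None if it looks routine."""
    low = body.lower()
    path = extract_path(body)
    if "(no file)" in low:
        return "orphaned entry, target file missing; cleanup candidate"
    if section == "O10":
        return "Winsock LSP entry; a broken LSP chain breaks networking, repair with an LSP-aware tool rather than deleting"
    if section == "O20" and body.rstrip().endswith("\\"):
        return "Winlogon Notify entry names a directory but no DLL"
    if section in ("O4", "O23"):
        if "unknown owner" in low:
            return "service binary carries no vendor string"
        if path and bare_windows_root(path):
            return "auto-start binary placed directly in the C:\\WINDOWS root"
        if path and path.lower().startswith(USER_WRITABLE):
            return "auto-start binary in a user-writable location"
    if section == "O8":
        target = body.split(" - ", 1)[-1].lower()
        if not path and not target.startswith(("http", "res://", "file:")):
            return "context-menu item with a malformed or relative target"
    if section == "O16" and "file://" in low:
        return "ActiveX control registered from a local file:// source"
    if section == "O15":
        return "site added to the Trusted Zone; confirm the user meant it"
    return None


def classify_combofix(line):
    """Substring checks for a few ComboFix 'Reg Loading Points' lines."""
    low = line.lower()
    if '"antivirusoverride"=dword:00000001' in low:
        return "Security Center told to stop reporting antivirus state"
    m = PORT_RE.match(low)
    if m:
        note = " (Remote Desktop)" if m.group(1) == "3389" else ""
        return f"firewall exception opens inbound {m.group(1)}/{m.group(2).upper()}{note}"
    if "\\shell\\autorun\\command" in low:
        return "AutoRun command registered for a mounted drive"
    return None


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, reason = m.group(1), classify_hjt(m.group(1), m.group(2))
        else:
            section, reason = "CF", classify_combofix(line)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


# Sample input: lines copied from the HijackThis and ComboFix logs in this post.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O8 - Extra context menu item: &Search - ?p=ZKxdm011YYUS
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O15 - Trusted Zone: http://www.adobe.com
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AntiVirusOverride"=dword:00000001
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
\Shell\AutoRun\command - D:\go.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Everything this flags still needs a human decision: the O10 line, for instance, is flagged precisely because deleting an LSP entry blindly can leave the machine with no network, which is why the script reports it instead of proposing a fix.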
 
I am going to point out a few things for others to look into!

O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


I also recommend that you dump Norton. Norton does not pick up much and is a system hog. I recommend AVG or NOD32.
 
CCleaner??? Run it and then post a fresh HijackThis log.

P.S. - Don't do what g25racer says; wait for punk or gamemaster or a moderator to post something.
 
^^ When did I say to fix those? I told someone else to look over them! Stop being so stuck up. Running CCleaner will do NOTHING!! Stop spamming CCleaner!!
 
CCleaner??? Run it and then post a fresh HijackThis log.

P.S. - Don't do what g25racer says; wait for punk or gamemaster or a moderator to post something.


So if I should wait for them... does that mean I shouldn't listen to you either?
 
I was just pointing out some things for other people to look at. Wait for Gamemaster or a mod to look over it. Just be patient.
 
CCleaner will do a clean....

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to re-enter your passwords at all sites where a cookie is used to recognize you when you visit.)
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced." Deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
 
Can you please describe the problems you're having? There's nothing obviously wrong in either of those logs, just a couple of leftover entries that can be removed.

To do so, please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:

  • R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
  • O8 - Extra context menu item: &Search - ?p=ZKxdm011YYUS

Please close all open windows except for HijackThis and choose Fix checked.
 