
Logfile of HijackThis-Bambit's home computer

3 replies to this topic

#1 bambit (Members, 3 posts)

Posted 19 January 2005 - 07:55 AM

I've run Spybot & Sophos, both detecting nothing amiss, but I still have an icky feeling. Am I paranoid?

Logfile of HijackThis v1.98.2
Scan saved at 8:51:06 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Shortcuts\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2F66348-3CAB-4152-BFDC-E4CB1DBF48C8}: NameServer = 203.172.17.202 210.5.68.148
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Edited by bambit, 19 January 2005 - 06:02 PM.

just coz i'm paranoid doesn't mean no one's after me
http://bambit.kusangpalo.com
http://accidentalgeek.wordpress.com
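Reading a HijackThis log by hand means scanning the O-numbered sections for anything that does not belong. As an added example (not code from the original post, HijackThis, or BleepingComputer), the following parser splits a log in the v1.98 format shown above into its running-process list and its O-sections, then pulls out the three things a helper checks first: O4 autostart entries (which program starts, from which hive or startup folder), O17 name servers (a changed DNS resolver is a classic hijack sign), and the CLSIDs of BHOs, toolbars, buttons and DPF controls for lookup against a known-component list. The sample log is a constructed excerpt of the log posted above; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.98 log format: a few lines lifted
# from the log posted above, not the complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 8:51:06 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe -s
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2F66348-3CAB-4152-BFDC-E4CB1DBF48C8}: NameServer = 203.172.17.202 210.5.68.148
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "O4 - <body>"
O4_RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O4_STARTUP_RE = re.compile(r"^Global Startup: (.+?) = (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O17_RE = re.compile(r"NameServer = (.*)$")
CLSID_SECTIONS = ("O2", "O3", "O9", "O16")  # BHOs, toolbars, IE buttons, DPF controls


def parse_hjt_log(text):
    """Split a HijackThis log into header lines, running processes and
    O-numbered entries grouped by section ("O2", "O4", ...)."""
    parsed = {"header": [], "processes": [], "entries": defaultdict(list)}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            parsed["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            parsed["entries"][m.group(1)].append(m.group(2))
        else:
            parsed["header"].append(line)
    return parsed


def autostarts(parsed):
    """(source, name, command) for each O4 entry: Run-key values and Global
    Startup shortcuts are what gets compared against the software you know."""
    out = []
    for body in parsed["entries"].get("O4", []):
        m = O4_RUN_RE.match(body)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = O4_STARTUP_RE.match(body)
        if m:
            out.append(("Global Startup", m.group(1), m.group(2)))
    return out


def nameservers(parsed):
    """DNS servers configured under O17; compare them with what the ISP or
    router hands out, since a changed resolver is a classic hijack sign."""
    ips = []
    for body in parsed["entries"].get("O17", []):
        m = O17_RE.search(body)
        if m:
            ips.extend(m.group(1).split())
    return ips


def clsids_by_section(parsed):
    """CLSIDs referenced in BHO/toolbar/button/DPF entries, keyed by section,
    for lookup against a known-component list."""
    out = {}
    for section in CLSID_SECTIONS:
        found = [c for body in parsed["entries"].get(section, [])
                 for c in CLSID_RE.findall(body)]
        if found:
            out[section] = found
    return out


if __name__ == "__main__":
    p = parse_hjt_log(SAMPLE_LOG)
    print("processes:", len(p["processes"]))
    for src, name, cmd in autostarts(p):
        print(f"O4 [{src}] {name}: {cmd}")
    print("O17 name servers:", nameservers(p))
    print("CLSIDs:", clsids_by_section(p))
```

The parser deliberately makes no "good/bad" verdict: the value of a HijackThis log is that every entry is a named, located artefact, so the review step is matching each autostart command, DNS server and CLSID against what is known to be installed on the machine, exactly as the reply below does by eye.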

#2 bambit (Topic Starter, Members, 3 posts)

Posted 19 January 2005 - 08:18 AM

In addition, I paste here the log from the RESOLVE I downloaded from Sophos (as I am using their anti-virus program). I do hope someone can help clear my mind about these "error opening file" instances, which is what fuels my paranoia.

:thumbsup:

RESOLVE Version 1.06
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Bagle

Data Version 1.11

System scan started at 18:42 on 19 January 2005

Checking for W32/Bagle in memory

Checking for files affected by W32/Bagle

Scanning C:

Error opening file C:\Documents and Settings\Administrator\Cookies\index.dat

Error opening file C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat

Error opening file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012005011920050120\index.dat

Error opening file C:\Documents and Settings\Administrator\Local Settings\Temp\hpotdd282.log

Error opening file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Error opening file C:\Documents and Settings\Administrator\NTUSER.DAT

Error opening file C:\Documents and Settings\Administrator\ntuser.dat.LOG

Error opening file C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

Error opening file C:\Documents and Settings\LocalService\Cookies\index.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Error opening file C:\Documents and Settings\LocalService\NTUSER.DAT

Error opening file C:\Documents and Settings\LocalService\ntuser.dat.LOG

Error opening file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\NetworkService\NTUSER.DAT

Error opening file C:\Documents and Settings\NetworkService\ntuser.dat.LOG

Error opening file C:\Documents and Settings\xp\NTUSER.DAT

Error opening file C:\kodak\Kodak EasyShare software\Catalog\EasyShare.me

Error opening file C:\kodak\Kodak EasyShare software\Catalog\EasyShare.mm

Error opening file C:\pagefile.sys

Error opening file C:\Program Files\HP\hpcoretech\hpcmerr.log

Error opening file C:\Program Files\Sophos SWEEP for NT\INTERCHK.CHK

Error opening file C:\Program Files\Yahoo!\Messenger\ypager.log

Error opening file C:\RECYCLER\S-1-5-21-448539723-1935655697-725345543-1003\Dc6.lnk

Error opening file C:\RECYCLER\S-1-5-21-448539723-1935655697-725345543-1003\Dc7.lnk

Error opening file C:\resolve.log

Error opening file C:\WINDOWS\Debug\PASSWD.LOG

Error opening file C:\WINDOWS\SchedLgU.Txt

Error opening file C:\WINDOWS\SoftwareDistribution\EventCache\{41A6C58A-2FBF-48A5-A152-5BD43F4459E4}.bin

Error opening file C:\WINDOWS\SoftwareDistribution\ReportingEvents.log

Error opening file C:\WINDOWS\Sti_Trace.log

Error opening file C:\WINDOWS\system32\config\AppEvent.Evt

Error opening file C:\WINDOWS\system32\config\default

Error opening file C:\WINDOWS\system32\config\DEFAULT.LOG

Error opening file C:\WINDOWS\system32\config\DriverIn.evt

Error opening file C:\WINDOWS\system32\config\SAM

Error opening file C:\WINDOWS\system32\config\SAM.LOG

Error opening file C:\WINDOWS\system32\config\SecEvent.Evt

Error opening file C:\WINDOWS\system32\config\security

Error opening file C:\WINDOWS\system32\config\SECURITY.LOG

Error opening file C:\WINDOWS\system32\config\software

Error opening file C:\WINDOWS\system32\config\SOFTWARE.LOG

Error opening file C:\WINDOWS\system32\config\SysEvent.Evt

Error opening file C:\WINDOWS\system32\config\system

Error opening file C:\WINDOWS\system32\config\SYSTEM.LOG

Error opening file C:\WINDOWS\system32\h323log.txt

Error opening file C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

Error opening file C:\WINDOWS\wiadebug.log

Error opening file C:\WINDOWS\wiaservc.log

Error opening file C:\WINDOWS\WindowsUpdate.log


Scanning E:


Checking for registry keys affected by W32/Bagle


System scan finished at 18:56 on 19 January 2005

Infected processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 0
Registry keys changed : 0
Infected files found : 0
Infected files deleted : 0


RESOLVE Version 1.06
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Bagle

Data Version 1.11

System scan started at 19:08 on 19 January 2005

Checking for W32/Bagle in memory

Checking for files affected by W32/Bagle

Scanning C:

Error opening file C:\Documents and Settings\Administrator\Cookies\index.dat

Error opening file C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat

Error opening file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012005011920050120\index.dat

Error opening file C:\Documents and Settings\Administrator\Local Settings\Temp\hpotdd282.log

Error opening file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Error opening file C:\Documents and Settings\Administrator\NTUSER.DAT

Error opening file C:\Documents and Settings\Administrator\ntuser.dat.LOG

Error opening file C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

Error opening file C:\Documents and Settings\LocalService\Cookies\index.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Error opening file C:\Documents and Settings\LocalService\NTUSER.DAT

Error opening file C:\Documents and Settings\LocalService\ntuser.dat.LOG

Error opening file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\NetworkService\NTUSER.DAT

Error opening file C:\Documents and Settings\NetworkService\ntuser.dat.LOG

Error opening file C:\Documents and Settings\xp\NTUSER.DAT

Error opening file C:\kodak\Kodak EasyShare software\Catalog\EasyShare.me

Error opening file C:\kodak\Kodak EasyShare software\Catalog\EasyShare.mm

Error opening file C:\pagefile.sys

Error opening file C:\Program Files\HP\hpcoretech\hpcmerr.log

Error opening file C:\Program Files\Sophos SWEEP for NT\INTERCHK.CHK

Error opening file C:\Program Files\Yahoo!\Messenger\ypager.log

Error opening file C:\RECYCLER\S-1-5-21-448539723-1935655697-725345543-1003\Dc6.lnk

Error opening file C:\RECYCLER\S-1-5-21-448539723-1935655697-725345543-1003\Dc7.lnk

Error opening file C:\resolve.log

Error opening file C:\WINDOWS\Debug\PASSWD.LOG

Error opening file C:\WINDOWS\SchedLgU.Txt

Error opening file C:\WINDOWS\SoftwareDistribution\EventCache\{41A6C58A-2FBF-48A5-A152-5BD43F4459E4}.bin

Error opening file C:\WINDOWS\SoftwareDistribution\ReportingEvents.log

Error opening file C:\WINDOWS\Sti_Trace.log

Error opening file C:\WINDOWS\system32\config\AppEvent.Evt

Error opening file C:\WINDOWS\system32\config\default

Error opening file C:\WINDOWS\system32\config\DEFAULT.LOG

Error opening file C:\WINDOWS\system32\config\DriverIn.evt

Error opening file C:\WINDOWS\system32\config\SAM

Error opening file C:\WINDOWS\system32\config\SAM.LOG

Error opening file C:\WINDOWS\system32\config\SecEvent.Evt

Error opening file C:\WINDOWS\system32\config\security

Error opening file C:\WINDOWS\system32\config\SECURITY.LOG

Error opening file C:\WINDOWS\system32\config\software

Error opening file C:\WINDOWS\system32\config\SOFTWARE.LOG

Error opening file C:\WINDOWS\system32\config\SysEvent.Evt

Error opening file C:\WINDOWS\system32\config\system

Error opening file C:\WINDOWS\system32\config\SYSTEM.LOG

Error opening file C:\WINDOWS\system32\h323log.txt

Error opening file C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

Error opening file C:\WINDOWS\wiadebug.log

Error opening file C:\WINDOWS\wiaservc.log

Error opening file C:\WINDOWS\WindowsUpdate.log


Scanning E:


Checking for registry keys affected by W32/Bagle


System scan finished at 19:20 on 19 January 2005

Infected processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 0
Registry keys changed : 0
Infected files found : 0
Infected files deleted : 0

just coz i'm paranoid doesn't mean no one's after me
http://bambit.kusangpalo.com
http://accidentalgeek.wordpress.com
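Almost every "Error opening file" line above names a file that Windows holds open exclusively while it is running: the loaded registry hives (NTUSER.DAT, UsrClass.dat, SAM, SECURITY, SOFTWARE, SYSTEM and their .LOG transaction files), pagefile.sys, the .Evt event logs, the IE index.dat caches, the WMI repository, and log files that their owning program is still writing. A scanner running as an ordinary process cannot read them, reports the error, and moves on; that is why the run still ends with every counter at 0. The following triage script is an added example (not Sophos code, not from the original post) that groups such lines by a constructed set of rules so that only the unexplained paths are left for manual review; the sample log is a trimmed excerpt of the output above plus one constructed path to show the review bucket.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the RESOLVE output posted above,
# plus one made-up path (C:\Example\...) to show the "review" bucket.
SAMPLE_RESOLVE = r"""RESOLVE Version 1.06
System disinfection for W32/Bagle
Scanning C:
Error opening file C:\Documents and Settings\Administrator\NTUSER.DAT
Error opening file C:\Documents and Settings\Administrator\Cookies\index.dat
Error opening file C:\pagefile.sys
Error opening file C:\WINDOWS\system32\config\SAM
Error opening file C:\WINDOWS\system32\config\SysEvent.Evt
Error opening file C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Error opening file C:\Program Files\Yahoo!\Messenger\ypager.log
Error opening file C:\RECYCLER\S-1-5-21-448539723-1935655697-725345543-1003\Dc6.lnk
Error opening file C:\Example\constructed_unknown.dat
Scanning E:
Infected files found : 0
Infected files deleted : 0
"""

ERR_RE = re.compile(r"^Error opening file (.+)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+?) : (\d+)$")

USER_HIVES = {"ntuser.dat", "usrclass.dat"}
SYSTEM_HIVES = {"sam", "security", "software", "system", "default"}
REVIEW = "unexplained by these rules; review manually"


def classify(path):
    """Map one unreadable path to the reason a user-mode scanner normally
    cannot open it. The rules are this example's own heuristics."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    stem = name[:-4] if name.endswith(".log") else name  # NTUSER.DAT.LOG -> ntuser.dat
    if name == "pagefile.sys":
        return "pagefile (opened exclusively by the kernel)"
    if stem in USER_HIVES or ("\\system32\\config\\" in low and stem in SYSTEM_HIVES):
        return "registry hive or hive log (loaded hives are locked)"
    if "\\system32\\config\\" in low and name.endswith(".evt"):
        return "event log (held open by the Event Log service)"
    if name == "index.dat":
        return "IE cache/history/cookies index (held by the shell session)"
    if "\\wbem\\repository\\" in low:
        return "WMI repository (held by the WMI service)"
    if "\\recycler\\" in low:
        return "recycle bin item (deleted file)"
    if name.endswith((".log", ".txt")):
        return "log file (usually held open by the program writing it)"
    return REVIEW


def triage(text):
    """Group every 'Error opening file' line of a RESOLVE log by category."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ERR_RE.match(line.strip())
        if m:
            groups[classify(m.group(1))].append(m.group(1))
    return dict(groups)


def needs_review(text):
    """Only the paths no rule explains; these are what to look at by hand."""
    return triage(text).get(REVIEW, [])


def summary(text):
    """Parse the closing counters, e.g. 'Infected files found : 0'."""
    counts = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_RESOLVE).items():
        print(f"{category}: {len(paths)}")
    print("to review:", needs_review(SAMPLE_RESOLVE))
    print("counters:", summary(SAMPLE_RESOLVE))
```

Run against the full log in the post, the review bucket would still hold a few paths these rules do not cover (the Dr Watson user.dmp, the SoftwareDistribution EventCache .bin, INTERCHK.CHK, the Kodak catalog files); those belong to running programs too, but the honest answer from a rule set is "look it up", not a silent pass. The decisive evidence is the counter block: "Infected files found : 0" across both runs, which is what the reply below relies on.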

#3 Grinler (Lawrence Abrams, Admin, 43,717 posts, Gender: Male, Location: USA)

Posted 19 January 2005 - 07:28 PM

You're paranoid :thumbsup: Rest easy... your log is spotless

#4 bambit (Topic Starter, Members, 3 posts)

Posted 20 January 2005 - 08:52 AM

You're paranoid :thumbsup: Rest easy... your log is spotless

Oh, thank you thank you thank you! :flowers:

just coz i'm paranoid doesn't mean no one's after me
http://bambit.kusangpalo.com
http://accidentalgeek.wordpress.com
