Old 12-16-2007, 08:54 AM   #21 (permalink)
john123
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Okay,

here is the next log from combofix.
Thanks


ComboFix 07-12-15.5 - John 2007-12-17 10:36:17.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.524 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\22.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\2291350389.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\22.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\2291350389.dat

.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-16 20:25 . 2007-12-16 20:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-16 18:15 . 2007-12-04 20:31 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-13 21:49 . 2007-12-16 23:40 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-12 19:28 . 2007-12-16 22:52 <DIR> d-------- C:\Program Files\iTunes
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-05 15:32 . 2007-12-05 15:32 <DIR> d-------- C:\Deckard
2007-12-05 15:01 . 2007-12-05 15:01 <DIR> d-------- C:\New Folder (2)
2007-12-04 23:57 . 2007-12-04 23:57 <DIR> d-------- C:\KAV
2007-12-04 20:26 . 2007-12-04 20:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 20:26 . 2007-12-04 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 20:19 . 2007-12-04 20:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-03 22:04 . 2007-12-03 22:10 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-03 21:59 . 2007-12-03 21:59 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-03 19:25 . 2007-12-03 19:25 <DIR> d-------- C:\Program Files\New Folder 1
2007-12-03 19:24 . 2007-12-03 19:24 <DIR> d-------- C:\Documents and Settings\John\Application Data\DivX
2007-12-03 19:23 . 2007-10-19 19:56 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-12-03 19:23 . 2007-10-19 19:56 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-03 19:23 . 2007-10-19 19:56 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-03 19:09 . 2007-12-03 19:09 <DIR> d-------- C:\XRAYS
2007-12-03 19:09 . 1993-05-12 00:00 398,416 --a------ C:\WINDOWS\system\VBRUN300.DLL
2007-12-03 19:09 . 1993-04-28 00:00 7,008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-12-03 18:26 . 2007-12-03 18:26 <DIR> d-------- C:\finalburner
2007-12-03 18:26 . 2007-12-03 18:26 <DIR> d-------- C:\Documents and Settings\John\Application Data\FinalBurner Video DVD
2007-12-03 17:12 . 2007-12-03 17:12 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-03 17:12 . 2007-12-03 17:12 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 17:11 . 2007-12-03 18:53 <DIR> d-------- C:\Program Files\Gabest
2007-12-03 17:07 . 2007-12-03 17:07 <DIR> d-------- C:\New Folder
2007-12-02 12:40 . 2007-12-02 12:40 <DIR> d-------- C:\WINDOWS\ASYM
2007-12-02 12:40 . 2007-12-02 12:40 <DIR> d-------- C:\CLINATLS
2007-12-02 12:40 . 1998-08-24 16:24 109 --a------ C:\WINDOWS\TB50.INI
2007-12-02 12:40 . 2007-12-02 12:40 0 --a------ C:\WINDOWS\asym.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 15:35 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent DNA
2007-12-17 03:54 --------- d-----w C:\Program Files\MSN Messenger
2007-12-17 03:53 --------- d-----w C:\Program Files\ltmoh
2007-12-17 03:50 --------- d-----w C:\Program Files\Google
2007-12-17 03:49 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-17 03:47 --------- d-----w C:\Program Files\Apoint2K
2007-12-17 03:09 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent
2007-12-16 22:00 --------- d-----w C:\Program Files\Eraser
2007-12-16 20:04 --------- d-----w C:\Documents and Settings\John\Application Data\Skype
2007-12-14 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-13 00:28 --------- d-----w C:\Program Files\QuickTime
2007-12-13 00:28 --------- d-----w C:\Program Files\iPod
2007-12-13 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-06 22:40 --------- d-----w C:\Documents and Settings\John\Application Data\AVG7
2007-12-04 00:43 --------- d-----w C:\Program Files\DivX
2007-12-03 21:02 --------- d-----w C:\Program Files\TVU Player
2007-11-14 14:57 --------- d-----w C:\Program Files\PokerStars
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-03 23:35 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-03 18:39 --------- d-----w C:\Program Files\BitTorrent
2007-10-20 00:56 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-08 19:14 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-11-28 02:13 6,440,983 ----a-w C:\Program Files\VideoraiPodConverter_Install.exe
2006-11-21 05:20 2,017,280 ----a-w C:\Program Files\ewpwin264en.exe
2006-10-13 01:32 22,616 ----a-w C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT
2006-02-28 01:15 2,509,704 ----a-w C:\Program Files\fgf171.exe
2006-02-27 23:08 2,417,824 ----a-w C:\Program Files\winzip90sr1.exe
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-16_20.29.55.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 13:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2003-08-01 19:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2007-11-12 14:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2007-11-26 16:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2007-06-04 16:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2007-10-30 15:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
- 2006-08-23 2108 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-11-21 15:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 18:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2007-10-18 14:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 19:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 14:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 16:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 13:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 20:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 13:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 13:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 20:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 16:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 16:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-06-08 14:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 15:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 2007-09-17 14:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 23:46]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2006-08-07 16:07]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-03 13:39]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 15:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 00:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 00:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 00:55]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 02:49 C:\WINDOWS\RTHDCPL.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 09:40]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 19:28]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 14:13]
"NDSTray.exe"="NDSTray.exe" []
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 12:58 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 16:45]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 16:45]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 17:50 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-12-27 19:34 C:\WINDOWS\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 20:16 C:\WINDOWS\system32\TPSMain.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-17 14:37]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 17:29 C:\WINDOWS\agrsmmsg.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 15:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 14:41]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-26 16:30]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2005-12-13 01:18]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-08 22:09]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 16:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-21 21:00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\system32\DRIVERS\DLKRCB.SYS
S4 WMPNetworkSvcaspnet_state;Windows Media Player Network Sharing Service WMPNetworkSvcaspnet_state;C:\WINDOWS\system32\w32drv10.exe srv

.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 20:18:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2006-02-13 13:42:32 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-02-13 13:42:33 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 10:42:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\TDispVol.dll
.
Completion time: 2007-12-17 10:43:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-16 20:30
.
2007-12-14 23:18:26 --- E O F ---