ok, here they are:
ComboFix 08-01-10.2 - Administrator 2008-01-10 16:59:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.281 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\C92M5WQ4\www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\{6C6CE~1
C:\Program Files\Common Files\{6C6CE~2
C:\Program Files\Common Files\companion wizard
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\network monitor
C:\WINDOWS\cHJhdGlz\
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\system32\cdggh.bak1
C:\WINDOWS\system32\cdggh.bak2
C:\WINDOWS\system32\cdggh.ini
C:\WINDOWS\system32\cdggh.ini2
C:\WINDOWS\system32\cdggh.tmp
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\p.exe
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_RDRIV
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\cmdService
-------\rdriv
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.
2008-01-10 16:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 23:51 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\system32\el-gr
2008-01-09 23:43 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-09 23:16 . 2008-01-09 23:16 <DIR> d-------- C:\Program Files\uTorrent
2008-01-09 23:16 . 2008-01-09 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-01-09 22:44 . 2007-07-09 15:19 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-09 22:21 . 2008-01-10 00:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-09 22:06 . 2008-01-09 22:06 <DIR> d-------- C:\Program Files\SAGEM
2008-01-09 19:46 . 2008-01-09 23:51 3,352 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-09 19:44 . 2004-09-04 06:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-09 19:33 . 2008-01-09 19:33 <DIR> d-------- C:\WINDOWS\provisioning
2008-01-09 19:27 . 2008-01-09 19:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-09 19:18 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002181_.tmp
2008-01-09 19:17 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-09 19:12 . 2008-01-09 19:34 <DIR> d-------- C:\WINDOWS\EHome
2008-01-08 20:04 . 2008-01-08 20:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-08 19:12 . 2008-01-08 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-08 19:12 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-08 19:10 . 2008-01-10 00:15 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-08 19:10 . 2008-01-08 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-08 19:10 . 2008-01-10 00:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-01-08 17:10 . 2007-12-04 15:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-08 17:10 . 2004-01-09 11:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-08 17:10 . 2007-12-04 14:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-08 17:10 . 2007-12-04 16:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-08 17:10 . 2007-12-04 16:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-08 17:10 . 2007-12-04 16:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-08 17:10 . 2007-12-04 16:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-08 17:10 . 2007-12-04 16:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-07 22:58 . 1999-11-07 05:34 40,960 --a------ C:\WINDOWS\_detmp.2
2008-01-07 22:58 . 2006-10-06 16:07 6,823 --a------ C:\WINDOWS\_detmp.1
2008-01-07 22:19 . 2008-01-07 22:19 <DIR> d-------- C:\Program Files\ToniArts
2007-12-21 20:17 . 2007-12-21 20:17 <DIR> d-------- C:\WINDOWS\LogFiles
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 21:03 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 20:07 31 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-01-09 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 19:27 --------- d-----w C:\Program Files\mangeta
2008-01-08 19:27 --------- d-----w C:\Program Files\AtomixMP3
2008-01-08 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Simple Sudoku
2008-01-08 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-01-07 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-01-07 21:05 --------- d-----w C:\Program Files\Canon
2008-01-07 20:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 06:45 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CnxDslTaskBar"="C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" [2004-06-16 07:55 233472]
"avast!"="C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-04 06:45 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{6C6CED07-09BB-1032-0530-02020321001e}"= "C:\Program Files\Common Files\{6C6CED07-09BB-1032-0530-02020321001e}\Update.exe" mc-110-12-0000229
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
C:\Program Files\TClock\tclock_install.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-03-02 19:25]
S3 CnxEtP;Crypto F200 USB ADSL Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2004-06-16 07:51]
S3 CnxEtU;Crypto F200 USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2004-06-16 07:51]
S3 CnxTgNW;Crypto F200 USB ADSL WAN PPPoA Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgNW.sys [2004-06-16 07:51]
S3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-05-04 18:50]
.
Contents of the 'Scheduled Tasks' folder
"2006-12-06 14:33:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-10 17:07:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-10 17:12:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 15:12:15
.
2008-01-09 22:44:10 --- E O F ---









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:24 μμ, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800\dslmon.exe
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" "Crypto SA\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Policies\Explorer\Run: [{6C6CED07-09BB-1032-0530-02020321001e}] "C:\Program Files\Common Files\{6C6CED07-09BB-1032-0530-02020321001e}\Update.exe" mc-110-12-0000229
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm238YYGR
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O20 - Winlogon Notify: hggdc - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
--
End of file - 4771 bytes