Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: resolved spyware and popup issues.

Old 01-09-2008, 11:58 AM   #1
Registered User
 
Join Date: Jan 2008
Posts: 7
OS: XP SP2


HijackThis log plus NTRecycler folder too big

Hello all!

I have, in the past 3 days, fixed a dreadful XP laptop laden with viruses of all kinds, added SP2 and cleaned it with AV and antispyware. It works fine except:
1. The firewall settings are greyed out (cannot turn it on or off)
2. There IS a Recycler folder (about 10 kB!) and a NTRecycler folder (about 7,5 GB!!!!).
3. Below is the logfile from HJT. (some letters are in Greek - it's a Greek installation, nevertheless you get the picture)

Before giving it back and before hooking it up on the net to download every MS Windows update out there, I thought I should give you guys a chance to suggest anything more. I really am tired now and I won't look into it any more! :) Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:27 μμ, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe
C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {99B3001C-1D0E-42FC-A16B-9C51780534C2} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" "Crypto SA\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [{6C6CED07-09BB-1032-0530-02020321001e}] "C:\Program Files\Common Files\{6C6CED07-09BB-1032-0530-02020321001e}\Update.exe" mc-110-12-0000229
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm238YYGR
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\
O20 - Winlogon Notify: hggdc - C:\WINDOWS\
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cHJhdGlz\command.exe (file missing)

--
End of file - 4097 bytes
pyanna7
Old 01-09-2008, 11:30 PM   #2
Registered User
 
Join Date: Jan 2008
Posts: 7
OS: XP SP2


Re: HijackThis log plus NTRecycler folder too big

Just an update, I reset the windows firewall by deleting a branch in the registry. Instructions here:
http://windowsxp.mvps.org/resetfwpol.htm
pyanna7
Old 01-09-2008, 11:45 PM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista


Re: HijackThis log plus NTRecycler folder too big

Hello pyanna7,

This system is still quite infected. This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried
Old 01-10-2008, 07:21 AM   #4
Registered User
 
Join Date: Jan 2008
Posts: 7
OS: XP SP2


Re: HijackThis log plus NTRecycler folder too big

ok, here they are:

ComboFix 08-01-10.2 - Administrator 2008-01-10 16:59:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.281 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\C92M5WQ4\www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\{6C6CE~1
C:\Program Files\Common Files\{6C6CE~2
C:\Program Files\Common Files\companion wizard
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\network monitor
C:\WINDOWS\cHJhdGlz\
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\system32\cdggh.bak1
C:\WINDOWS\system32\cdggh.bak2
C:\WINDOWS\system32\cdggh.ini
C:\WINDOWS\system32\cdggh.ini2
C:\WINDOWS\system32\cdggh.tmp
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\p.exe
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_RDRIV
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\cmdService
-------\rdriv


((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 16:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 23:51 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\system32\el-gr
2008-01-09 23:43 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-09 23:16 . 2008-01-09 23:16 <DIR> d-------- C:\Program Files\uTorrent
2008-01-09 23:16 . 2008-01-09 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-01-09 22:44 . 2007-07-09 15:19 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-09 22:21 . 2008-01-10 00:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-09 22:06 . 2008-01-09 22:06 <DIR> d-------- C:\Program Files\SAGEM
2008-01-09 19:46 . 2008-01-09 23:51 3,352 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-09 19:44 . 2004-09-04 06:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-09 19:33 . 2008-01-09 19:33 <DIR> d-------- C:\WINDOWS\provisioning
2008-01-09 19:27 . 2008-01-09 19:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-09 19:18 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002181_.tmp
2008-01-09 19:17 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-09 19:12 . 2008-01-09 19:34 <DIR> d-------- C:\WINDOWS\EHome
2008-01-08 20:04 . 2008-01-08 20:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-08 19:12 . 2008-01-08 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-08 19:12 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-08 19:10 . 2008-01-10 00:15 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-08 19:10 . 2008-01-08 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-08 19:10 . 2008-01-10 00:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-01-08 17:10 . 2007-12-04 15:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-08 17:10 . 2004-01-09 11:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-08 17:10 . 2007-12-04 14:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-08 17:10 . 2007-12-04 16:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-08 17:10 . 2007-12-04 16:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-08 17:10 . 2007-12-04 16:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-08 17:10 . 2007-12-04 16:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-08 17:10 . 2007-12-04 16:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-07 22:58 . 1999-11-07 05:34 40,960 --a------ C:\WINDOWS\_detmp.2
2008-01-07 22:58 . 2006-10-06 16:07 6,823 --a------ C:\WINDOWS\_detmp.1
2008-01-07 22:19 . 2008-01-07 22:19 <DIR> d-------- C:\Program Files\ToniArts
2007-12-21 20:17 . 2007-12-21 20:17 <DIR> d-------- C:\WINDOWS\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 21:03 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 20:07 31 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-01-09 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 19:27 --------- d-----w C:\Program Files\mangeta
2008-01-08 19:27 --------- d-----w C:\Program Files\AtomixMP3
2008-01-08 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Simple Sudoku
2008-01-08 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-01-07 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-01-07 21:05 --------- d-----w C:\Program Files\Canon
2008-01-07 20:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 06:45 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CnxDslTaskBar"="C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" [2004-06-16 07:55 233472]
"avast!"="C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-04 06:45 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{6C6CED07-09BB-1032-0530-02020321001e}"= "C:\Program Files\Common Files\{6C6CED07-09BB-1032-0530-02020321001e}\Update.exe" mc-110-12-0000229

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
C:\Program Files\TClock\tclock_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-03-02 19:25]
S3 CnxEtP;Crypto F200 USB ADSL Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2004-06-16 07:51]
S3 CnxEtU;Crypto F200 USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2004-06-16 07:51]
S3 CnxTgNW;Crypto F200 USB ADSL WAN PPPoA Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgNW.sys [2004-06-16 07:51]
S3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-05-04 18:50]

.
Contents of the 'Scheduled Tasks' folder
"2006-12-06 14:33:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 17:07:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 17:12:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 15:12:15
.
2008-01-09 22:44:10 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:24 μμ, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800\dslmon.exe
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" "Crypto SA\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Policies\Explorer\Run: [{6C6CED07-09BB-1032-0530-02020321001e}] "C:\Program Files\Common Files\{6C6CED07-09BB-1032-0530-02020321001e}\Update.exe" mc-110-12-0000229
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm238YYGR
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O20 - Winlogon Notify: hggdc - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 4771 bytes
pyanna7
Old 01-10-2008, 07:46 AM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista


Re: HijackThis log plus NTRecycler folder too big

Hello pyanna7,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry:

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm238YYGR


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
Folder::
C:\Program Files\Spyware Terminator
C:\Documents and Settings\All Users\Application Data\Spyware Terminator
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{6C6CED07-09BB-1032-0530-02020321001e}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
Ried
Old 01-10-2008, 01:12 PM   #6
Registered User
 
Join Date: Jan 2008
Posts: 7
OS: XP SP2


Re: HijackThis log plus NTRecycler folder too big

haha this is getting bigger and bigger! well... here goes! overall performance is very good right from the start (before posting here) and remains good.

ComboFix 08-01-10.2 - Administrator 2008-01-10 20:42:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.294 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\BIN_RSDATA.SPT
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\info.htm
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\appguard0.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\appguard1.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\appguard2.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\appguard3.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\appguard4.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\bg01.gif
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\bg02.gif
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\bg07.gif
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\clamguard0.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\clamguard1.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\intguard0.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\intguard1.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\intguard2.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\intguard3.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\intguard4.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\intguard5.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\language.changes.txt
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\language.inf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\language.txt
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\language.txt.changes
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\li.gif
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\li2.gif
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\offlinehelp.html
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\scancustom.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\scanfast.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\scanfull.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\sysguard0.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\sysguard1.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\sysguard2.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\sysguard3.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\top.gif
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\util01.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\util02.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\util03.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\LanguageAct\util04.rtf
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\Reports\reports.dat
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\Reports\scan_0001.dat
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\Reports\scan_0002.dat
C:\Documents and Settings\Administrator\Application Data\Spyware Terminator\scanConfig.xml
C:\Documents and Settings\All Users\Application Data\Spyware Terminator
C:\Documents and Settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
C:\Documents and Settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
C:\Program Files\Spyware Terminator
C:\Program Files\Spyware Terminator\BIN_RSCSDA.SPF
C:\Program Files\Spyware Terminator\BIN_STDATA.SPT
C:\Program Files\Spyware Terminator\BIN_STDATA_DIF.SPT
C:\Program Files\Spyware Terminator\BIN_STUIUS.SPT
C:\Program Files\Spyware Terminator\history.txt
C:\Program Files\Spyware Terminator\languages\brazilians.cab
C:\Program Files\Spyware Terminator\languages\brazilians.inf
C:\Program Files\Spyware Terminator\languages\czech.cab
C:\Program Files\Spyware Terminator\languages\czech.inf
C:\Program Files\Spyware Terminator\languages\english.cab
C:\Program Files\Spyware Terminator\languages\english.inf
C:\Program Files\Spyware Terminator\languages\french.cab
C:\Program Files\Spyware Terminator\languages\french.inf
C:\Program Files\Spyware Terminator\languages\german.cab
C:\Program Files\Spyware Terminator\languages\german.inf
C:\Program Files\Spyware Terminator\languages\hungarian.cab
C:\Program Files\Spyware Terminator\languages\hungarian.inf
C:\Program Files\Spyware Terminator\languages\italiano.cab
C:\Program Files\Spyware Terminator\languages\italiano.inf
C:\Program Files\Spyware Terminator\languages\korean.cab
C:\Program Files\Spyware Terminator\languages\korean.inf
C:\Program Files\Spyware Terminator\languages\polish.cab
C:\Program Files\Spyware Terminator\languages\polish.inf
C:\Program Files\Spyware Terminator\languages\portuguese.cab
C:\Program Files\Spyware Terminator\languages\portuguese.inf
C:\Program Files\Spyware Terminator\languages\russian.cab
C:\Program Files\Spyware Terminator\languages\russian.inf
C:\Program Files\Spyware Terminator\languages\serbian.cab
C:\Program Files\Spyware Terminator\languages\serbian.inf
C:\Program Files\Spyware Terminator\languages\spanish.cab
C:\Program Files\Spyware Terminator\languages\spanish.inf
C:\Program Files\Spyware Terminator\languages\swedish.cab
C:\Program Files\Spyware Terminator\languages\swedish.inf
C:\Program Files\Spyware Terminator\languages\turkish.cab
C:\Program Files\Spyware Terminator\languages\turkish.inf
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Terminator\sptcontmenu.dll
C:\Program Files\Spyware Terminator\SpywareTerminator.exe
C:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe
C:\Program Files\Spyware Terminator\STServer.Exe
C:\Program Files\Spyware Terminator\unins000.dat
C:\Program Files\Spyware Terminator\unins000.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RDRIV


((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 16:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 23:51 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\system32\el-gr
2008-01-09 23:43 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-09 23:16 . 2008-01-09 23:16 <DIR> d-------- C:\Program Files\uTorrent
2008-01-09 23:16 . 2008-01-09 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-01-09 22:44 . 2007-07-09 15:19 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-09 22:21 . 2008-01-10 00:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-09 22:06 . 2008-01-09 22:06 <DIR> d-------- C:\Program Files\SAGEM
2008-01-09 19:46 . 2008-01-09 23:51 3,352 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-09 19:44 . 2004-09-04 06:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-09 19:33 . 2008-01-09 19:33 <DIR> d-------- C:\WINDOWS\provisioning
2008-01-09 19:27 . 2008-01-09 19:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-09 19:18 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002181_.tmp
2008-01-09 19:17 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-09 19:12 . 2008-01-09 19:34 <DIR> d-------- C:\WINDOWS\EHome
2008-01-08 20:04 . 2008-01-08 20:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-08 19:12 . 2008-01-08 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-08 19:12 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-08 17:10 . 2007-12-04 15:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-08 17:10 . 2004-01-09 11:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-08 17:10 . 2007-12-04 14:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-08 17:10 . 2007-12-04 16:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-08 17:10 . 2007-12-04 16:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-08 17:10 . 2007-12-04 16:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-08 17:10 . 2007-12-04 16:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-08 17:10 . 2007-12-04 16:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-07 22:58 . 1999-11-07 05:34 40,960 --a------ C:\WINDOWS\_detmp.2
2008-01-07 22:58 . 2006-10-06 16:07 6,823 --a------ C:\WINDOWS\_detmp.1
2008-01-07 22:19 . 2008-01-07 22:19 <DIR> d-------- C:\Program Files\ToniArts
2007-12-21 20:17 . 2007-12-21 20:17 <DIR> d-------- C:\WINDOWS\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 21:03 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 20:07 31 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-01-09 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 19:27 --------- d-----w C:\Program Files\mangeta
2008-01-08 19:27 --------- d-----w C:\Program Files\AtomixMP3
2008-01-08 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Simple Sudoku
2008-01-08 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-01-07 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-01-07 21:05 --------- d-----w C:\Program Files\Canon
2008-01-07 20:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_17.11.51.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 14:59:16 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-10 18:42:14 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 14:59:16 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-10 18:42:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-10 14:59:16 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-10 18:42:14 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-10 14:59:16 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-10 18:42:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-10 14:59:16 4,050,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-10 18:42:15 4,050,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-10 14:59:17 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-10 18:42:15 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-10 18:49:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 06:45 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CnxDslTaskBar"="C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" [2004-06-16 07:55 233472]
"avast!"="C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-04 06:45 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
C:\Program Files\TClock\tclock_install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-03-02 19:25]
S3 CnxEtP;Crypto F200 USB ADSL Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2004-06-16 07:51]
S3 CnxEtU;Crypto F200 USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2004-06-16 07:51]
S3 CnxTgNW;Crypto F200 USB ADSL WAN PPPoA Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgNW.sys [2004-06-16 07:51]
S3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-05-04 18:50]

.
Contents of the 'Scheduled Tasks' folder
"2006-12-06 14:33:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 20:50:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 20:55:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 18:55:54
ComboFix2.txt 2008-01-10 15:12:19
.
2008-01-09 22:44:10 --- E O F ---



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 10, 2008 10:59:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/01/2008
Kaspersky Anti-Virus database records: 506695
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 95000
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:43:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\keyfinder.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\NTRECYCLER\S-1-5-18\DC10359 Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D3E16888-F6EE-40AB-A584-A03E9974056A}\RP2\A0000005.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D3E16888-F6EE-40AB-A584-A03E9974056A}\RP2\A0000006.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D3E16888-F6EE-40AB-A584-A03E9974056A}\RP3\change.log Object is locked skipped
C:\WINDOWS\comsetup.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\FaxSetup.log Object is locked skipped
C:\WINDOWS\iis6.log Object is locked skipped
C:\WINDOWS\ntdtcsetup.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\setupact.log Object is locked skipped
C:\WINDOWS\setuperr.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{206081F2-8ECC-4EA2-924C-6AE1A437A6A3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\spupdsvc.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4e4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:43 μμ, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe
C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" "Crypto SA\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 4714 bytes
Old 01-10-2008, 07:46 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista


Re: HijackThis log plus NTRecycler folder too big

Hi,

Just these left to take care of, then you're good to go.

Delete the following file:

C:\Program Files\MSN Messenger\msimg32.dll <--Careful, from this location only.

-------------------

My apologies, I missed one. Run a scan with HijackThis and fix this entry:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

Click 'Fix Checked' and close HijackThis.

--------------------

Empty the recycle bin.

--------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u



**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
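The reply above does by hand what any analyst does with a Kaspersky Online Scanner report: ignore the "Object is locked" noise, then ask where each real detection lives, because a .vir file in ComboFix's QooBox quarantine or a copy inside a System Restore point is dealt with by "ComboFix /u", an item under NTRECYCLER goes away when the Recycle Bin is emptied, and only a file that is live on disk (here msimg32.dll under MSN Messenger) needs a manual delete. The script below is an added example, not code from the thread, from Kaspersky or from the ComboFix project; the line formats are taken from the report above, the sample lines are a subset of that report, and the location rules (QooBox, _restore, RECYCLER/NTRECYCLER) are assumptions that mirror the helper's steps.

```python
"""Triage helper for Kaspersky Online Scanner 5.x report lines.

Added example, not code from the thread or from Kaspersky/ComboFix.
It separates "Object is locked" noise from real detections and groups
the detections by where they sit, so that only files still live on
disk are flagged for manual action. The location rules are assumptions
that mirror the cleanup steps given in the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Line shapes seen in the report above: "<path> Infected: <name> skipped",
# "<path> Object is locked skipped" and, for a self-extracting archive,
# "<path> RarSFX: infected - <n> skipped". Members of an archive are
# written "<container>/<inner>", so "/" separates the on-disk file from
# its contents (Windows paths never contain "/").
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) \w+SFX: infected - (?P<count>\d+) skipped$")


def on_disk(path):
    """Strip archive-member suffixes; return the file that exists on disk."""
    return path.split("/", 1)[0]


def classify_location(path):
    """Assumed rules: which cleanup step in the thread deals with this file."""
    low = on_disk(path).lower()
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"      # already isolated by ComboFix
    if "\\system volume information\\_restore" in low:
        return "restore_point"   # gone once System Restore is flushed
    if low.startswith(("c:\\ntrecycler\\", "c:\\recycler\\")):
        return "recycle_bin"     # gone once the Recycle Bin is emptied
    return "live"                # still active on disk: manual action


@dataclass(frozen=True)
class Detection:
    path: str
    name: str

    @property
    def location(self):
        return classify_location(self.path)


def parse_report(text):
    """Return (list of Detection, number of locked/skipped objects)."""
    detections, locked = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            locked += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["name"]))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            detections.append(Detection(m["path"], f"container:{m['count']}-infected-members"))
    return detections, locked


def triage(text):
    """Map each location class to the sorted unique on-disk files found there."""
    detections, _ = parse_report(text)
    groups = defaultdict(set)
    for d in detections:
        groups[d.location].add(on_disk(d.path))
    return {loc: sorted(files) for loc, files in groups.items()}


# Sample lines: a subset of the Kaspersky report posted in this thread.
SAMPLE = r"""
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\Επιφάνεια εργασίας\keyfinder.exe RarSFX: infected - 2 skipped
C:\NTRECYCLER\S-1-5-18\DC10359 Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{D3E16888-F6EE-40AB-A584-A03E9974056A}\RP2\A0000005.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

if __name__ == "__main__":
    found, locked = parse_report(SAMPLE)
    print(f"{len(found)} detections, {locked} locked objects ignored")
    for location, files in sorted(triage(SAMPLE).items()):
        print(f"[{location}]")
        for f in files:
            print("   ", f)
```

Run against the sample, the "live" bucket holds exactly the two files the helper singled out for manual attention (the keyfinder SFX on the desktop, which is a password tool rather than malware, and the msimg32.dll under MSN Messenger), while the quarantine, restore-point and recycle-bin buckets map onto the three cleanup steps in the reply. Feed it the full report to see why the "from this location only" caution matters: the same detection name appears in three places, but only one of them is a live file.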
Old 01-10-2008, 11:43 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 7
OS: XP SP2


Re: HijackThis log plus NTRecycler folder too big

Yes, I thought you'd see it by the end of the thread.

A final question: Did ComboFix wipe the Recycler and NTrecycler folders? They are legit folders for system restore, aren't they? Should I watch out for something regarding them? And now that they are gone, is there a problem? Or will they just appear the next time I reboot, keeping a "last known good configuration"?

All clear here, wrap it up! Thanks a ton for the help!

Panos, Piraeus, Greece.
Old 01-12-2008, 10:53 AM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista


Re: HijackThis log plus NTRecycler folder too big

You're welcome.

Those folders are related to the Recycle Bin --> http://support.microsoft.com/kb/171694/en-us

Emptying the Recycle Bin took care of that. ComboFix cleared Temp and Temp internet files (as did dss.exe in its initial run). Uninstalling ComboFix cleared the System Restore and set a new restore point, as well as re-hiding file extensions and hidden files. (Windows default recommended settings)

Take care.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
 


Copyright 2001 - 2009, Tech Support Forum