HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:57 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Owner\Desktop\wowclient-downloader.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: dsgkvuai - dsgkvuai.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
--
End of file - 2915 bytes
COMBOFIX: ComboFix 08-04-22.5 - Owner 2008-04-24 17:38:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.300 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.
2008-04-24 17:32 . 2008-04-24 17:34 <DIR> d-------- C:\Program Files\AEVITA Wipe & Delete
2008-04-24 17:32 . 2008-04-24 17:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AEVITA
2008-04-23 19:47 . 2006-05-25 08:43 57,801 --a------ C:\WINDOWS\system32\igfx.hlp
2008-04-23 19:19 . 2008-04-23 19:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 16:52 . 2008-04-23 16:52 <DIR> d-------- C:\VundoFix Backups
2008-04-20 21:14 . 2008-04-20 21:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-20 20:42 . 2008-04-20 20:42 <DIR> d-------- C:\WoW-2.0.0-enUS-Installer
2008-04-19 13:02 . 2008-04-19 13:02 <DIR> d-------- C:\WAN Miniport (PPTP)
2008-04-19 13:00 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-04-19 12:35 . 2008-04-19 18:14 <DIR> d-------- C:\Program Files\Symantec
2008-04-19 12:35 . 2008-04-19 19:09 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-19 12:35 . 2008-04-19 12:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-04-19 12:35 . 2008-04-22 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-19 11:36 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-19 11:36 . 2008-04-19 11:36 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-19 11:35 . 2008-04-19 11:35 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-19 11:35 . 2008-04-19 11:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-19 11:35 . 2008-04-19 11:35 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-19 11:35 . 2008-04-19 11:35 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-19 11:35 . 2008-04-19 11:35 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-04-19 11:32 . 2008-04-19 11:32 <DIR> dr-h----- C:\MSOCache
2008-04-19 03:00 . 2008-04-19 05:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-19 03:00 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-18 18:02 . 2006-05-25 08:43 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-18 18:02 . 2008-04-18 18:02 1,024 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT.LOG
2008-04-18 17:56 . 2004-08-03 18:07 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-18 17:54 . 2008-04-18 17:54 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-18 17:54 . 2008-04-18 17:54 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-18 17:54 . 2008-04-18 17:54 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-18 17:54 . 2008-04-18 17:54 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-18 17:54 . 2008-04-18 17:54 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-18 17:54 . 2008-04-18 17:54 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-18 17:53 . 2004-08-03 18:07 358,912 --a--c--- C:\WINDOWS\system32\dllcache\wmic.exe
2008-04-18 17:53 . 2004-08-03 18:07 92,672 --a--c--- C:\WINDOWS\system32\dllcache\policman.dll
2008-04-18 17:47 . 2004-08-03 18:07 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-04-18 17:47 . 2004-08-03 18:07 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-04-18 17:47 . 2004-08-03 18:07 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-04-18 17:47 . 2004-08-03 18:07 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-04-18 10:40 . 2008-04-18 10:44 <DIR> d-------- C:\WINDOWS\ehome
2008-04-17 12:48 . 2008-04-17 12:48 <DIR> d-------- C:\Program Files\World of Warcraft
2008-04-17 12:48 . 2008-04-17 12:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-16 23:08 . 2008-04-16 23:08 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-16 22:42 . 2008-04-24 07:04 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\NtUser.dat.LOG
2008-04-16 20:54 . 2008-04-20 22:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-16 20:54 . 2003-03-18 12:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-16 20:54 . 2003-03-18 11:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-16 20:54 . 2003-02-20 19:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-16 18:50 . 2008-04-16 18:50 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2008-04-16 18:47 . 2008-04-16 18:47 <DIR> d-------- C:\Program Files\Telstra
2008-04-16 18:33 . 2008-04-16 18:33 <DIR> d-------- C:\drvrtmp
2008-04-16 18:32 . 2003-02-11 09:58 126,976 --a------ C:\WINDOWS\system32\e1000msg.dll
2008-04-16 18:32 . 2003-07-11 10:58 121,856 --a------ C:\WINDOWS\system32\drivers\e1000325.sys
2008-04-16 18:32 . 2003-07-11 12:15 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2008-04-16 18:32 . 2002-12-29 05:00 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2008-04-16 18:32 . 2002-09-03 02:34 2,725 --a------ C:\WINDOWS\system32\e1000325.din
2008-04-16 17:13 . 2008-04-16 17:13 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-16 17:13 . 2008-04-23 19:03 <DIR> d-------- C:\Documents and Settings\Owner
2008-04-16 17:13 . 2008-04-16 17:13 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-04-16 17:13 . 2008-04-24 17:39 159,744 --ah----- C:\Documents and Settings\Owner\ntuser.dat.LOG
2008-04-16 17:13 . 2008-04-24 17:36 1,024 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 23:45 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((( snapshot@2008-04-24_ 7.05.43.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 13:43:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 00:35:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 00:38:29 11,914 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{D24CAD3C-5FC0-4919-A8D6-FBE45039A10A}.bin
+ 2008-04-25 00:35:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:07 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-05-25 08:43 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-05-25 08:43 126976]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 10:37 79224]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dsgkvuai]
dsgkvuai.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\30d8683f]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGES_0001_N122M2603]
c:\documents and settings\owner\application data\setup_en[1].exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\wowclient-downloader.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 10:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 10:35]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 19:36:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 17:39:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-24 17:40:11
ComboFix-quarantined-files.txt 2008-04-25 00:40:07
ComboFix2.txt 2008-04-24 14:05:53
Pre-Run: 244,371,234,816 bytes free
Post-Run: 244,368,564,224 bytes free
130 --- E O F --- 2008-04-24 10:00:14
NOTES: Had to download AEVITA Wipe & Delete to delete the .dll file.
It got kinda tricky, but both of them are gone from c:/windows/system32.
Edited by Zuarfia, 24 April 2008 - 01:44 AM.