09-19-2008, 12:34 PM   #5
kewlix
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Here's my ComboFix log file.

ComboFix 08-09-16.05 - RivaL 2008-09-19 14:26:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1054 [GMT -7:00]
Running from: C:\Documents and Settings\RivaL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RivaL\Desktop\winxpsp1_en_pro_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\RivaL\Application Data\Microsoft\dtsc
C:\Documents and Settings\RivaL\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\RivaL\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\RivaL\Start Menu\Programs\Startup\DW_Start.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM23233a67.txt
C:\WINDOWS\BM23233a67.xml
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
C:\WINDOWS\system32\bbbdgMoq.ini
C:\WINDOWS\system32\bbbdgMoq.ini2
C:\WINDOWS\system32\cquypr.dll
C:\WINDOWS\system32\getsn32.dll
C:\WINDOWS\system32\iaqfobdt.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ncntttdm.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qrgkoeuw.dll
C:\WINDOWS\system32\tuvUNedD.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xxywTKEU.dll
C:\WINDOWS\system32\yayofpnf.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.

2008-09-08 14:46 . 2008-09-08 14:46 <DIR> d-------- C:\Program Files\Panda Security
2008-09-08 14:46 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-07 15:50 . 2008-09-07 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-09-07 15:47 . 2008-09-07 15:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-09-07 15:47 . 2008-09-09 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-09-07 15:27 . 2008-09-07 15:27 <DIR> d-------- C:\Documents and Settings\RivaL\.housecall6.6
2008-09-07 13:44 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-09-07 13:44 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-09-07 13:43 . 2008-09-07 13:43 <DIR> d-------- C:\Program Files\Sygate
2008-09-07 13:43 . 2008-09-07 13:43 <DIR> d-------- C:\Downloads
2008-09-07 13:43 . 2008-09-07 13:48 <DIR> d-------- C:\Documents and Settings\RivaL\Application Data\GetRightToGo
2008-09-07 13:43 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-09-07 12:56 . 2008-09-07 12:56 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-07 12:45 . 2008-09-07 12:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-07 11:52 . 2008-09-07 11:52 335 --a------ C:\WINDOWS\mozregistry.dat
2008-09-07 11:31 . 2008-09-09 11:32 251 --a------ C:\WINDOWS\wininit.ini
2008-09-07 11:11 . 2008-09-07 11:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-07 11:01 . 2008-09-07 11:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-09-07 10:47 . 2008-09-07 10:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-09-07 10:38 . 2008-09-07 10:38 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-07 03:43 . 2008-09-07 03:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 03:43 . 2008-09-07 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 16:25 . 2008-09-07 02:38 <DIR> d-------- C:\Program Files\a-squared Free
2008-09-06 15:33 . 2008-09-06 15:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-06 14:08 . 2008-09-19 14:27 1,962 --a------ C:\WINDOWS\system32\default.htm
2008-09-06 14:05 . 2008-09-06 20:42 <DIR> d-------- C:\WINDOWS\system32\wTR19
2008-09-06 13:53 . 2008-09-06 13:53 <DIR> d-------- C:\Program Files\uTorrent
2008-09-06 13:53 . 2008-09-06 13:53 85,008 --a------ C:\WINDOWS\system32\uesiuqcr.exe
2008-09-06 13:53 . 2008-09-19 14:19 8,704 --a------ C:\WINDOWS\system32\smwin32.dll
2008-09-06 13:22 . 2008-09-06 13:22 <DIR> d-------- C:\WINDOWS\system32\zir2
2008-09-06 13:22 . 2008-09-06 13:22 <DIR> d-------- C:\WINDOWS\system32\Xtmp
2008-09-06 13:22 . 2008-09-06 20:42 <DIR> d-------- C:\WINDOWS\system32\wTR02
2008-09-06 13:22 . 2008-09-06 15:13 <DIR> d-------- C:\WINDOWS\system32\hcp
2008-09-06 13:22 . 2008-09-06 20:42 <DIR> d-------- C:\WINDOWS\system32\enB
2008-09-06 13:22 . 2008-09-06 13:22 <DIR> d-------- C:\Temp\dax41
2008-09-06 13:22 . 2008-09-19 14:27 <DIR> d-------- C:\Temp
2008-09-06 13:22 . 2008-09-06 13:22 153,444 --a------ C:\WINDOWS\system32\g49.exe
2008-09-06 13:22 . 2008-09-06 13:22 71,711 --a------ C:\WINDOWS\system32\fjuffubkbhhkp.exe
2008-09-06 13:22 . 2008-09-06 13:22 64,859 --a------ C:\WINDOWS\system32\tockorppzaevwusj.exe
2008-08-30 07:31 . 2008-08-30 07:31 96 --ah----- C:\WINDOWS\system32\HsInfo.dat
2008-08-30 07:29 . 2008-08-30 07:29 <DIR> d-------- C:\Program Files\alaplaya
2008-08-27 14:03 . 2008-08-27 14:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 21:30 --------- d-----w C:\Program Files\Steam
2008-09-19 21:20 --------- d-----w C:\Documents and Settings\RivaL\Application Data\OpenOffice.org2
2008-09-18 12:42 --------- d-----w C:\Program Files\mIRC
2008-09-18 06:22 --------- d-s---w C:\Program Files\Xfire
2008-09-16 12:35 --------- d-----w C:\Documents and Settings\RivaL\Application Data\Xfire
2008-09-16 07:22 --------- d-----w C:\Program Files\World of Warcraft
2008-09-07 22:45 --------- d-----w C:\Documents and Settings\RivaL\Application Data\AVG7
2008-09-07 22:36 --------- d-----w C:\Program Files\Lavasoft
2008-09-07 22:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-07 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-07 22:24 --------- d-----w C:\Program Files\Java
2008-09-07 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-06 20:25 --------- d-----w C:\Documents and Settings\RivaL\Application Data\LimeWire
2008-09-04 06:05 --------- d-----w C:\Program Files\DivX
2008-09-02 01:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-31 10:45 --------- d-----w C:\Documents and Settings\RivaL\Application Data\DNA
2008-08-31 05:46 --------- d-----w C:\Program Files\DNA
2008-08-19 11:23 --------- d-----w C:\Program Files\Warcraft III
2008-08-16 09:22 --------- d-----w C:\Program Files\WC3Banlist
2008-08-16 09:15 --------- d-----w C:\Program Files\WinPcap
2008-08-15 09:11 --------- d-----w C:\Program Files\Common Files\INCA Shared
2007-08-14 14:19 630,784 ----a-w C:\Documents and Settings\RivaL\GoToAssist_chat2way__317_en.exe
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\wininet.dll
2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\dllcache\wininet.dll

2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\explorer.exe
2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\system32\dllcache\explorer.exe

2002-08-28 19:41 155136 a6b22f62b544cd118677ebbcf6dcc62b C:\WINDOWS\system32\wuauclt.exe
2002-08-28 19:41 155136 a6b22f62b544cd118677ebbcf6dcc62b C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-03-28 1271032]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-02-13 7557120]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-02-13 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"nwiz"="nwiz.exe" [2006-02-13 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 C:\WINDOWS\KHALMNPR.Exe]
"C-Media Mixer"="Mixer.exe" [2002-06-12 C:\WINDOWS\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2001-08-18 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\RivaL\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-03-19 20:10 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-11-01 23:33 67128 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 10:18 3660848 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R0 pavboot;pavboot;C:\WINDOWS\System32\drivers\pavboot.sys [2008-06-19 28544]
R3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\ipfnd51.sys [2005-04-05 26752]
S1 mff;mff;C:\WINDOWS\System32\drivers\mff.sys [ ]
S3 Asushwio;Asushwio;C:\WINDOWS\System32\drivers\Asushwio.sys [2000-03-29 5824]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\System32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-11-06 34064]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{2D9F1530-0B38-4DCB-A90A-CECD559F3514} - C:\WINDOWS\System32\getsn32.dll
BHO-{65a4805e-60ef-7a07-28c7-3d4261929f71} - C:\WINDOWS\System32\zurkxcitpayrms.dll
BHO-{AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\system32\tuvUNedD.dll
BHO-{F145B6CD-5D7C-4FE5-9AD9-C85D8F05DDCD} - C:\WINDOWS\System32\qoMgdbbb.dll
Toolbar-SITEguard - (no file)
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-{6665cd51-4a02-f719-a93b-6689e1cce919} - C:\WINDOWS\System32\bdaluemeohdmef.dll
HKLM-Run-201009fb - C:\WINDOWS\System32\fnpfoyay.dll
ShellExecuteHooks-{AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\system32\tuvUNedD.dll
MSConfigStartUp-WinampAgent - C:\Program Files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\RivaL\Application Data\Mozilla\Firefox\Profiles\mnib4gm5.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 14:30:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-19 14:35:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-19 21:35:53

Pre-Run: 13,882,646,528 bytes free
Post-Run: 13,917,503,488 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
