Last but not least, the ComboFix file scan:
ComboFix 08-09-20.05 - RivaL 2008-09-22 14:48:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1056 [GMT -7:00]
Running from: C:\Documents and Settings\RivaL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RivaL\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\dax41
C:\Temp\dax41\A3G.log
C:\WINDOWS\system32\enB
C:\WINDOWS\system32\fjuffubkbhhkp.exe
C:\WINDOWS\system32\g49.exe
C:\WINDOWS\system32\hcp
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\tockorppzaevwusj.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\system32\wTR02
C:\WINDOWS\system32\Xtmp
C:\WINDOWS\system32\zir2
C:\WINDOWS\system32\zir2\KPL21i24.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.
2008-09-08 14:46 . 2008-09-08 14:46 <DIR> d-------- C:\Program Files\Panda Security
2008-09-08 14:46 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-07 15:50 . 2008-09-07 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-09-07 15:47 . 2008-09-07 15:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-09-07 15:47 . 2008-09-09 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-09-07 15:27 . 2008-09-07 15:27 <DIR> d-------- C:\Documents and Settings\RivaL\.housecall6.6
2008-09-07 13:44 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-09-07 13:44 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-09-07 13:43 . 2008-09-07 13:43 <DIR> d-------- C:\Program Files\Sygate
2008-09-07 13:43 . 2008-09-07 13:43 <DIR> d-------- C:\Downloads
2008-09-07 13:43 . 2008-09-07 13:48 <DIR> d-------- C:\Documents and Settings\RivaL\Application Data\GetRightToGo
2008-09-07 13:43 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-09-07 12:56 . 2008-09-07 12:56 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-07 12:45 . 2008-09-07 12:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-07 11:52 . 2008-09-07 11:52 335 --a------ C:\WINDOWS\mozregistry.dat
2008-09-07 11:31 . 2008-09-09 11:32 251 --a------ C:\WINDOWS\wininit.ini
2008-09-07 11:11 . 2008-09-07 11:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-07 11:01 . 2008-09-07 11:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-09-07 10:47 . 2008-09-07 10:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-09-07 10:38 . 2008-09-07 10:38 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-07 03:43 . 2008-09-07 03:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 03:43 . 2008-09-07 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 16:25 . 2008-09-07 02:38 <DIR> d-------- C:\Program Files\a-squared Free
2008-09-06 15:33 . 2008-09-06 15:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-06 14:08 . 2008-09-19 14:27 1,962 --a------ C:\WINDOWS\system32\default.htm
2008-09-06 14:05 . 2008-09-06 20:42 <DIR> d-------- C:\WINDOWS\system32\wTR19
2008-09-06 13:53 . 2008-09-06 13:53 <DIR> d-------- C:\Program Files\uTorrent
2008-09-06 13:22 . 2008-09-22 14:50 <DIR> d-------- C:\Temp
2008-08-30 07:31 . 2008-08-30 07:31 96 --ah----- C:\WINDOWS\system32\HsInfo.dat
2008-08-30 07:29 . 2008-08-30 07:29 <DIR> d-------- C:\Program Files\alaplaya
2008-08-27 14:03 . 2008-08-27 14:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 21:41 --------- d-----w C:\Program Files\Steam
2008-09-22 21:41 --------- d-----w C:\Documents and Settings\RivaL\Application Data\OpenOffice.org2
2008-09-18 12:42 --------- d-----w C:\Program Files\mIRC
2008-09-18 06:22 --------- d-s---w C:\Program Files\Xfire
2008-09-16 12:35 --------- d-----w C:\Documents and Settings\RivaL\Application Data\Xfire
2008-09-16 07:22 --------- d-----w C:\Program Files\World of Warcraft
2008-09-07 22:45 --------- d-----w C:\Documents and Settings\RivaL\Application Data\AVG7
2008-09-07 22:36 --------- d-----w C:\Program Files\Lavasoft
2008-09-07 22:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-07 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-07 22:24 --------- d-----w C:\Program Files\Java
2008-09-07 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-06 20:25 --------- d-----w C:\Documents and Settings\RivaL\Application Data\LimeWire
2008-09-04 06:05 --------- d-----w C:\Program Files\DivX
2008-09-02 01:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-31 10:45 --------- d-----w C:\Documents and Settings\RivaL\Application Data\DNA
2008-08-31 05:46 --------- d-----w C:\Program Files\DNA
2008-08-19 11:23 --------- d-----w C:\Program Files\Warcraft III
2008-08-16 09:22 --------- d-----w C:\Program Files\WC3Banlist
2008-08-16 09:15 --------- d-----w C:\Program Files\WinPcap
2008-08-15 09:11 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-14 14:19 630,784 ----a-w C:\Documents and Settings\RivaL\GoToAssist_chat2way__317_en.exe
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
------- Sigcheck -------
2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\wininet.dll
2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\dllcache\wininet.dll
2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\explorer.exe
2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\system32\dllcache\explorer.exe
2002-08-28 19:41 155136 a6b22f62b544cd118677ebbcf6dcc62b C:\WINDOWS\system32\wuauclt.exe
2002-08-28 19:41 155136 a6b22f62b544cd118677ebbcf6dcc62b C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-19_14.35.35.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-19 21:30:15 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-22 20:38:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-19 21:30:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-22 20:38:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-19 21:30:15 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-22 20:38:05 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-19 21:25:41 241,664 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-09-22 21:48:17 241,664 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-03-28 1271032]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-02-13 7557120]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-02-13 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"nwiz"="nwiz.exe" [2006-02-13 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 C:\WINDOWS\KHALMNPR.Exe]
"C-Media Mixer"="Mixer.exe" [2002-06-12 C:\WINDOWS\mixer.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 219136]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2001-08-18 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\RivaL\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 180224]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-03-19 20:10 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-11-01 23:33 67128 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 10:18 3660848 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
R0 pavboot;pavboot;C:\WINDOWS\System32\drivers\pavboot.sys [2008-06-19 28544]
R3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\ipfnd51.sys [2005-04-05 26752]
S1 mff;mff;C:\WINDOWS\System32\drivers\mff.sys [ ]
S3 Asushwio;Asushwio;C:\WINDOWS\System32\drivers\Asushwio.sys [2000-03-29 5824]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\System32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-11-06 34064]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-09-22 14:50:31
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-09-22 14:51:34
ComboFix-quarantined-files.txt 2008-09-22 21:51:28
ComboFix2.txt 2008-09-19 21:35:57
Pre-Run: 13,758,386,176 bytes free
Post-Run: 13,775,527,936 bytes free
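The "Reg Loading Points" and driver sections of a ComboFix log are where the security-relevant findings usually hide, and in this log they are easy to miss among the benign entries: the Windows Firewall policy key has `"EnableFirewall"= 0`, the Security Center key has `"AntiVirusDisableNotify"=dword:00000001`, the `mff` driver entry carries an empty `[ ]` file stamp (no file found on disk), and the `vsdatant` service has an empty `ImagePath`. The following is an added example, not part of the original post or of ComboFix itself: a small Python parser for those line formats that runs a few triage rules over a constructed sample made of lines copied from the log above. The rule set and severities are assumptions chosen for illustration, not ComboFix's own logic.

```python
import re

# Constructed sample: registry-value and driver/service lines copied from the
# ComboFix log in this post (the lines a responder would want flagged, plus a
# few benign ones so the no-finding path is exercised).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 pavboot;pavboot;C:\WINDOWS\System32\drivers\pavboot.sys [2008-06-19 28544]
S1 mff;mff;C:\WINDOWS\System32\drivers\mff.sys [ ]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-11-06 34064]
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"=""
"""

# [key]            -> registry key header (ComboFix's REGEDIT4-style dump)
# "name"=value     -> registry value under the current key
# S1 name;disp;path [stamp] -> driver/service line; empty stamp = file not found
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DRIVER_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*)\]$')


def parse_value(raw):
    """Normalise the value forms ComboFix prints: dword:XXXXXXXX, 'N (0xN)', or a quoted string."""
    raw = raw.strip()
    m = re.match(r'dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    if m:
        return int(m.group(1))
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def scan_combofix(text):
    """Return a list of (severity, message) findings for the assumed triage rules."""
    findings = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, value = m.group(1), parse_value(m.group(2))
            if "firewallpolicy" in key and name == "EnableFirewall" and value == 0:
                findings.append(("high", "Windows Firewall disabled in %s" % key))
            elif "security center" in key and name == "AntiVirusDisableNotify" and value == 1:
                findings.append(("medium", "Security Center antivirus alerts suppressed"))
            elif "\\services\\" in key and name == "ImagePath" and value == "":
                svc = key.rsplit("\\", 1)[-1]
                findings.append(("medium", "service %s has an empty ImagePath" % svc))
            continue
        m = DRIVER_RE.match(line)
        if m:
            start, name, path, stamp = m.group(1), m.group(2), m.group(4), m.group(5)
            if not stamp.strip():
                findings.append(("medium", "driver %s (%s) registered at %s but no file found"
                                 % (name, start, path)))
    return findings


if __name__ == "__main__":
    for severity, message in scan_combofix(SAMPLE_LOG):
        print("[%s] %s" % (severity.upper(), message))
```

Run against the sample it reports four findings and ignores the benign `EnableTaskMgr`, `pavboot` and `NPF` entries. An empty file stamp on a driver line and an empty `ImagePath` are both worth a look on their own: they are often leftovers of a removed product (here `vsdatant` is consistent with an old ZoneAlarm install), but a still-registered driver whose file was deleted is also what a half-cleaned infection looks like, so the path should be confirmed against the quarantine list before the entry is dismissed.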