Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 09-09-2008, 01:51 AM   #1 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


js/psyme virus aftermath scan from activescan 2.0

Hello, how's everyone doing? Good, I hope. As for me, I'm currently in a sticky situation. My Task Manager is disabled, for one; two, js/psyme keeps downloading a cazillion viruses, which makes me so frustrated. I tried every and any thing except for professional help. I do know that there are other things that I could use, but I have yet to tamper with those programs, such as HijackThis and CWShredder. I have no clue how to use these programs, and that's why I'm here BEGGING FOR YOUR HELP. PLEASE help me. I don't have a Windows XP CD to reinstall. This virus is insanely smart: it deleted all my restore points, and it also changed my desktop background to a blue screen with this statement: "Warning: Spyware threat has been detected on your PC. Your computer has several fatal errors due to spyware activity. It is strongly recommended to install an antispyware to close all security vulnerabilities. Antispyware software helps protect your PC against spyware and other security threats." Then there is a link that says "UPDATE YOUR ANTISPYWARE PROTECTION". It's actually clickable on my screen, but I know better than to even think about clicking it.

Things I have tried:
(1) AVG virus scanner (doesn't work for js/psyme and the Task Manager disable)
(2) Spybot Search & Destroy (doesn't work for js/psyme and the Task Manager disable)
(3) I tried a registry fix for my Task Manager, but that didn't work.
(4) Manually changing the "DisableTaskMgr" value from 1 to "0"; all I got was a never-ending cycle of "screw you, haha, I win, I'm back to 1 again".
Last but not least, the good old System Restore, but that didn't work either. If you guys could somehow pull a rabbit out of this messed-up hat of a computer, I would BE superly awesomely happy and would never forget you guys when I'm famous.
Before I forget, here's a copy of my HijackThis / ActiveScan 2.0 logs. And I apologize for the huge post; I just wanted to get everything out there before I forgot.
ActiveScan 2.0
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-09-08 15:28:14
PROTECTIONS: 0
MALWARE: 48
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\rival\favorites\insurance
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\RivaL\Cookies\rival@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.atdmt.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.247realmedia.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.mediaplex.com/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\RivaL\Cookies\rival@azjmp[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.statcounter.com/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\RivaL\Cookies\rival@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\RivaL\Cookies\rival@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\RivaL\Cookies\rival@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.apmebf.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[server.iad.liveperson.net/hc/56483237]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[server.iad.liveperson.net/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.questionmarket.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.adrevolver.com/]
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.bravenet.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.go.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\RivaL\Cookies\rival@target[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.target.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\RivaL\Cookies\rival@did-it[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.did-it.com/]
00250251 Adware/ISearch Adware No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0290567.exe
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.atwola.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ehg-dig.hitbox.com/]
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\AMIEL\Application Data\Mozilla\Firefox\Profiles\wf6mk85s.default\cookies.txt[.ehg-dig.hitbox.com/]
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\RivaL\Cookies\rival@enhance[2].txt
01271851 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP276\A0292861.DLL
02941684 Trj/WmaDownloader.G Virus/Trojan No 0 Yes No C:\Documents and Settings\RivaL\Incomplete\T-60301-Gigantic Brick House Butts 2.avi
02944473 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291561.exe
03412473 Adware/Zenosearch Adware No 0 Yes No C:\WINDOWS\system32\ncntttdm.exe
03421659 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291688.exe
03485688 Rootkit/Agent.JQL Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP276\A0292891.sys
03508074 Adware/Zenosearch Adware No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291692.exe
03508074 Adware/Zenosearch Adware No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291696.exe
03548696 Adware/SpyShredder Adware No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291691.exe
03548696 Adware/SpyShredder Adware No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291689.exe
03548697 Trj/Clicker.ALY Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291686.dll
03548823 Adware/Zenosearch Adware No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291685.exe
03584928 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP276\A0291705.dll
03586664 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291560.exe
03586803 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291699.exe
03587001 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291698.exe
03591886 Adware/AccesMembre Adware No 0 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291697.exe
03614195 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{EA153135-794A-442D-BB1C-160510ABB975}\RP275\A0291693.dll
03623169 Adware/WebSearch Adware Yes 1 Yes No C:\WINDOWS\System32\uesiuqcr.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\Uninst.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
131654 HIGH MS06-055
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126083 HIGH MS06-042
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
120814 HIGH MS06-021
117384 MEDIUM MS06-018
114666 HIGH MS06-015
114664 HIGH MS06-013
111790 MEDIUM MS06-011
108744 MEDIUM MS06-008
108743 MEDIUM MS06-007
108742 MEDIUM MS06-006
104567 HIGH MS06-002
104237 HIGH MS06-001
101055 HIGH MS05-054
96574 HIGH MS05-053
93396 HIGH MS05-052
93395 HIGH MS05-051
93394 HIGH MS05-050
93454 MEDIUM MS05-049
;===================================================================================================================================================================================

HijackThis scan
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\uesiuqcr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\program files\steam\steam.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RivaL\Desktop\HiJackThis_v2.exe

R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL (file missing)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\uesiuqcr.exe,
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: agadoo browser optimizer - {65a4805e-60ef-7a07-28c7-3d4261929f71} - C:\WINDOWS\System32\zurkxcitpayrms.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\System32\tuvUNedD.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {F145B6CD-5D7C-4FE5-9AD9-C85D8F05DDCD} - C:\WINDOWS\System32\qoMgdbbb.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [{6665cd51-4a02-f719-a93b-6689e1cce919}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\bdaluemeohdmef.dll" DllStub
O4 - HKLM\..\Run: [201009fb] rundll32.exe "C:\WINDOWS\System32\fnpfoyay.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntttdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rmwnw64o.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {17DF9D0D-036E-424B-98D7-A41E4CE783EF} - ms-its:mhtml:file://c:\\nores.mht!http://adxcnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: tuvUNedD - C:\WINDOWS\SYSTEM32\tuvUNedD.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 9062 bytes
Attached Files
File Type: txt ActiveScan.txt (46.7 KB, 0 views)
kewlix is offline  

Old 09-14-2008, 10:18 PM   #2 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Bump Please
kewlix is offline  
Old 09-14-2008, 10:59 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: js/psyme virus aftermath scan from activescan 2.0

Hello kewlix and thank you for your patience. : )


This will require more than one round to properly clean. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 09-18-2008, 01:45 PM   #4 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Thanks, sorry it took me quite some time to find my post, but I will get started on this ASAP. Thanks for taking the time to help me out, I appreciate it. I'll keep you posted.
kewlix is offline  
Old 09-19-2008, 12:34 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Here's my ComboFix log file.

ComboFix 08-09-16.05 - RivaL 2008-09-19 14:26:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1054 [GMT -7:00]
Running from: C:\Documents and Settings\RivaL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RivaL\Desktop\winxpsp1_en_pro_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\RivaL\Application Data\Microsoft\dtsc
C:\Documents and Settings\RivaL\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\RivaL\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\RivaL\Start Menu\Programs\Startup\DW_Start.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM23233a67.txt
C:\WINDOWS\BM23233a67.xml
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
C:\WINDOWS\system32\bbbdgMoq.ini
C:\WINDOWS\system32\bbbdgMoq.ini2
C:\WINDOWS\system32\cquypr.dll
C:\WINDOWS\system32\getsn32.dll
C:\WINDOWS\system32\iaqfobdt.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ncntttdm.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qrgkoeuw.dll
C:\WINDOWS\system32\tuvUNedD.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xxywTKEU.dll
C:\WINDOWS\system32\yayofpnf.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.

2008-09-08 14:46 . 2008-09-08 14:46 <DIR> d-------- C:\Program Files\Panda Security
2008-09-08 14:46 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-07 15:50 . 2008-09-07 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-09-07 15:47 . 2008-09-07 15:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-09-07 15:47 . 2008-09-09 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-09-07 15:27 . 2008-09-07 15:27 <DIR> d-------- C:\Documents and Settings\RivaL\.housecall6.6
2008-09-07 13:44 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-09-07 13:44 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-09-07 13:43 . 2008-09-07 13:43 <DIR> d-------- C:\Program Files\Sygate
2008-09-07 13:43 . 2008-09-07 13:43 <DIR> d-------- C:\Downloads
2008-09-07 13:43 . 2008-09-07 13:48 <DIR> d-------- C:\Documents and Settings\RivaL\Application Data\GetRightToGo
2008-09-07 13:43 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-09-07 12:56 . 2008-09-07 12:56 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-07 12:45 . 2008-09-07 12:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-07 11:52 . 2008-09-07 11:52 335 --a------ C:\WINDOWS\mozregistry.dat
2008-09-07 11:31 . 2008-09-09 11:32 251 --a------ C:\WINDOWS\wininit.ini
2008-09-07 11:11 . 2008-09-07 11:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-07 11:01 . 2008-09-07 11:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-09-07 10:47 . 2008-09-07 10:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-09-07 10:38 . 2008-09-07 10:38 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-07 03:43 . 2008-09-07 03:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 03:43 . 2008-09-07 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 16:25 . 2008-09-07 02:38 <DIR> d-------- C:\Program Files\a-squared Free
2008-09-06 15:33 . 2008-09-06 15:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-06 14:08 . 2008-09-19 14:27 1,962 --a------ C:\WINDOWS\system32\default.htm
2008-09-06 14:05 . 2008-09-06 20:42 <DIR> d-------- C:\WINDOWS\system32\wTR19
2008-09-06 13:53 . 2008-09-06 13:53 <DIR> d-------- C:\Program Files\uTorrent
2008-09-06 13:53 . 2008-09-06 13:53 85,008 --a------ C:\WINDOWS\system32\uesiuqcr.exe
2008-09-06 13:53 . 2008-09-19 14:19 8,704 --a------ C:\WINDOWS\system32\smwin32.dll
2008-09-06 13:22 . 2008-09-06 13:22 <DIR> d-------- C:\WINDOWS\system32\zir2
2008-09-06 13:22 . 2008-09-06 13:22 <DIR> d-------- C:\WINDOWS\system32\Xtmp
2008-09-06 13:22 . 2008-09-06 20:42 <DIR> d-------- C:\WINDOWS\system32\wTR02
2008-09-06 13:22 . 2008-09-06 15:13 <DIR> d-------- C:\WINDOWS\system32\hcp
2008-09-06 13:22 . 2008-09-06 20:42 <DIR> d-------- C:\WINDOWS\system32\enB
2008-09-06 13:22 . 2008-09-06 13:22 <DIR> d-------- C:\Temp\dax41
2008-09-06 13:22 . 2008-09-19 14:27 <DIR> d-------- C:\Temp
2008-09-06 13:22 . 2008-09-06 13:22 153,444 --a------ C:\WINDOWS\system32\g49.exe
2008-09-06 13:22 . 2008-09-06 13:22 71,711 --a------ C:\WINDOWS\system32\fjuffubkbhhkp.exe
2008-09-06 13:22 . 2008-09-06 13:22 64,859 --a------ C:\WINDOWS\system32\tockorppzaevwusj.exe
2008-08-30 07:31 . 2008-08-30 07:31 96 --ah----- C:\WINDOWS\system32\HsInfo.dat
2008-08-30 07:29 . 2008-08-30 07:29 <DIR> d-------- C:\Program Files\alaplaya
2008-08-27 14:03 . 2008-08-27 14:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 21:30 --------- d-----w C:\Program Files\Steam
2008-09-19 21:20 --------- d-----w C:\Documents and Settings\RivaL\Application Data\OpenOffice.org2
2008-09-18 12:42 --------- d-----w C:\Program Files\mIRC
2008-09-18 06:22 --------- d-s---w C:\Program Files\Xfire
2008-09-16 12:35 --------- d-----w C:\Documents and Settings\RivaL\Application Data\Xfire
2008-09-16 07:22 --------- d-----w C:\Program Files\World of Warcraft
2008-09-07 22:45 --------- d-----w C:\Documents and Settings\RivaL\Application Data\AVG7
2008-09-07 22:36 --------- d-----w C:\Program Files\Lavasoft
2008-09-07 22:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-07 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-07 22:24 --------- d-----w C:\Program Files\Java
2008-09-07 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-06 20:25 --------- d-----w C:\Documents and Settings\RivaL\Application Data\LimeWire
2008-09-04 06:05 --------- d-----w C:\Program Files\DivX
2008-09-02 01:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-31 10:45 --------- d-----w C:\Documents and Settings\RivaL\Application Data\DNA
2008-08-31 05:46 --------- d-----w C:\Program Files\DNA
2008-08-19 11:23 --------- d-----w C:\Program Files\Warcraft III
2008-08-16 09:22 --------- d-----w C:\Program Files\WC3Banlist
2008-08-16 09:15 --------- d-----w C:\Program Files\WinPcap
2008-08-15 09:11 --------- d-----w C:\Program Files\Common Files\INCA Shared
2007-08-14 14:19 630,784 ----a-w C:\Documents and Settings\RivaL\GoToAssist_chat2way__317_en.exe
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\wininet.dll
2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\dllcache\wininet.dll

2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\explorer.exe
2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\system32\dllcache\explorer.exe

2002-08-28 19:41 155136 a6b22f62b544cd118677ebbcf6dcc62b C:\WINDOWS\system32\wuauclt.exe
2002-08-28 19:41 155136 a6b22f62b544cd118677ebbcf6dcc62b C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-03-28 1271032]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-02-13 7557120]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-02-13 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"nwiz"="nwiz.exe" [2006-02-13 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 C:\WINDOWS\KHALMNPR.Exe]
"C-Media Mixer"="Mixer.exe" [2002-06-12 C:\WINDOWS\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2001-08-18 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\RivaL\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-03-19 20:10 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-11-01 23:33 67128 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 10:18 3660848 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R0 pavboot;pavboot;C:\WINDOWS\System32\drivers\pavboot.sys [2008-06-19 28544]
R3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\ipfnd51.sys [2005-04-05 26752]
S1 mff;mff;C:\WINDOWS\System32\drivers\mff.sys [ ]
S3 Asushwio;Asushwio;C:\WINDOWS\System32\drivers\Asushwio.sys [2000-03-29 5824]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\System32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-11-06 34064]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{2D9F1530-0B38-4DCB-A90A-CECD559F3514} - C:\WINDOWS\System32\getsn32.dll
BHO-{65a4805e-60ef-7a07-28c7-3d4261929f71} - C:\WINDOWS\System32\zurkxcitpayrms.dll
BHO-{AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\system32\tuvUNedD.dll
BHO-{F145B6CD-5D7C-4FE5-9AD9-C85D8F05DDCD} - C:\WINDOWS\System32\qoMgdbbb.dll
Toolbar-SITEguard - (no file)
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-{6665cd51-4a02-f719-a93b-6689e1cce919} - C:\WINDOWS\System32\bdaluemeohdmef.dll
HKLM-Run-201009fb - C:\WINDOWS\System32\fnpfoyay.dll
ShellExecuteHooks-{AE55C7EC-82F8-46CB-8DC2-57BF42F025FF} - C:\WINDOWS\system32\tuvUNedD.dll
MSConfigStartUp-WinampAgent - C:\Program Files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\RivaL\Application Data\Mozilla\Firefox\Profiles\mnib4gm5.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 14:30:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-19 14:35:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-19 21:35:53

Pre-Run: 13,882,646,528 bytes free
Post-Run: 13,917,503,488 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

248
kewlix is offline  
Old 09-19-2008, 12:35 PM   #6 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Also, here is my HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:39:29 PM, on 9/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\program files\steam\steam.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RivaL\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17DF9D0D-036E-424B-98D7-A41E4CE783EF} - ms-its:mhtml:file://c:\\nores.mht!http://adxcnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7056 bytes
kewlix is offline  
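The HijackThis log above is read by eye for a few telltale entry types: dead entries, ActiveX (O16 DPF) pulled through a non-http protocol handler, an unknown Winlogon Notify package, and an unrecognised Winsock LSP. As an added example (not a tool from this thread or from the HijackThis project), the Python below applies those checks to lines copied from the log; the Winlogon Notify allowlist is an abbreviated assumption, not a complete list.

```python
"""Triage helper for HijackThis log lines (added example, not a tool from
this thread or from Trend Micro). It encodes the checks a log reader applies
by hand: dead entries, ActiveX sourced through non-http protocol handlers,
Winlogon Notify packages that are not standard Windows components, and
unknown Winsock LSPs."""
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {17DF9D0D-036E-424B-98D7-A41E4CE783EF} - ms-its:mhtml:file://c:\\nores.mht!http://adxcnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: tuvUNedD - C:\WINDOWS\SYSTEM32\tuvUNedD.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed allowlist (abbreviated): notify packages Windows XP registers itself.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def looks_generated(name):
    """Vundo-style file names: one run of 8 letters with uppercase letters
    scattered inside the word (e.g. tuvUNedD), unlike real vendor names."""
    stem = name.rsplit(".", 1)[0]
    return (re.fullmatch(r"[A-Za-z]{8}", stem) is not None
            and any(c.isupper() for c in stem[1:])
            and any(c.islower() for c in stem))


def triage_line(line):
    """Return (kind, section, reason) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if "(no file)" in body or "(file missing)" in body:
        return ("orphan", section,
                "registered target no longer exists; dead entry, safe to fix")
    if section == "O16":
        # DPF = Downloaded Program Files: ActiveX installed from a URL. A legitimate
        # source is a plain http(s) URL; chained handlers such as ms-its:/mhtml:
        # load a CHM/MHT container, the loader used by the js/psyme drive-by here.
        source = body.rsplit(" - ", 1)[-1]
        scheme = source.split(":", 1)[0].lower()
        if scheme not in ("http", "https"):
            return ("dpf_protocol_abuse", section,
                    f"ActiveX sourced via '{scheme}:' instead of http(s)")
    elif section == "O20":
        # Winlogon Notify packages load into winlogon.exe at every logon, a
        # prime persistence slot, so anything off the allowlist is a finding.
        dll_name = body.rsplit("\\", 1)[-1]
        if dll_name.lower() not in KNOWN_NOTIFY_DLLS:
            reason = f"{dll_name} is not a standard Windows notify package"
            if looks_generated(dll_name):
                reason += " and has a generated-looking name"
            return ("winlogon_notify_unknown", section, reason)
    elif section == "O10":
        # An LSP sits in every socket call; deleting one blindly breaks
        # networking, so the vendor is verified rather than the entry removed.
        return ("lsp_unknown", section,
                "unrecognised Winsock LSP; verify the vendor before touching it")
    return None


def triage_log(text):
    """Run triage_line over a whole log; each finding carries the raw line."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit + (line.strip(),))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'orphan': 2, ...}."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for kind, section, reason, line in results:
        print(f"[{kind}] {section}: {reason}\n    {line}")
    print(summarize(results))
```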
Old 09-19-2008, 12:38 PM   #7 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Btw, since I got this virus I have been getting these errors upon booting up into my desktop:
Error loading C:\windows\system32\bdaluemeohdmef.dll

Error loading C:\windows\system32\fnpfoyay.dll
kewlix is offline  
Old 09-19-2008, 07:57 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: js/psyme virus aftermath scan from activescan 2.0

Hello kewlix,

Do you still get those error messages after running ComboFix?


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/289973-js-psyme-virus-aftermath-scan-activescan-2-0-a-post1713655.html#post1713655

Collect::
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\g49.exe
C:\WINDOWS\system32\fjuffubkbhhkp.exe
C:\WINDOWS\system32\tockorppzaevwusj.exe

Folder::
C:\WINDOWS\system32\zir2
C:\WINDOWS\system32\Xtmp
C:\WINDOWS\system32\wTR02
C:\WINDOWS\system32\hcp
C:\WINDOWS\system32\enB
C:\Temp\dax41

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

Next, please go to Virus Total
  • Copy paste the following full path into the empty box under 'Upload a file'

    C:\WINDOWS\system32\wininet.dll
  • Click 'Send File'

  • Copy/paste the results into Notepad and save it to your desktop.
Please repeat the above procedure for these files:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe

Please post the results of those scans in your next reply along with the C:\ComboFix.txt
Ried is offline  
Old 09-20-2008, 03:26 AM   #9 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Ok, will do. I'll post it soon.
kewlix is offline  
Old 09-22-2008, 01:13 PM   #11 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Hi Ried, the ComboFix file scan has been uploaded to the specified site.
kewlix is offline  
Old 09-22-2008, 01:14 PM   #12 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Here is my first VirusTotal scan, for C:\WINDOWS\system32\wininet.dll

File size: 632832 bytes
MD5...: f9ea5d5a5b2a5c0db24f7733795ba0c8
SHA1..: 919b857767279b0883d72ff2b73f4ed9789dedf9
SHA256: 4b50f45c44e3ea9e8860c5270c07fadc6c76c912bbb5873a4ab0144e5691289e
SHA512: 4b372087b39617c737932d9b4367625373697ce217e930d37b65c3b0a0aa74752ea0e266b7299e294f2d2de37fc96be092584ee52e7f7d0b7be0a7362b385b78
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (63.0%)
Win32 Executable MS Visual C++ (generic) (27.7%)
Win32 Executable Generic (6.2%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x76201763
timedatestamp.....: 0x3d6dfa1c (Thu Aug 29 10:40:28 2002)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x79184 0x79200 6.68 2fcc2c4a8561c7adbdf48f6475f98cef
.data 0x7b000 0x5e84 0x2a00 1.84 8d0ebadcc19c1038d84670afe5e4dbc8
.rsrc 0x81000 0x19dbe 0x19e00 4.88 d1c209e312afe93a8dd22401c521e1d4
.reloc 0x9b000 0x48b8 0x4a00 6.74 7d76521ec33573ea92c439fcdad269b5

( 7 imports )

( 224 exports )
kewlix is offline  
Old 09-22-2008, 01:15 PM   #13 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Here is my second scan, for C:\WINDOWS\explorer.exe

Additional information
File size: 946176 bytes
MD5...: 30becef60f38197d4921b8785f8897c8
SHA1..: 2488c4376ab7875cacc521e104dff1632aa4a0c4
SHA256: 6aa65e86de710b95e6caee3707edc84ee02874b544769c824bc04caea335a0d9
SHA512: 38a7e4a3bc8c40c5529e277425b8815aaec04c43b0d51a9284e2d5d23c0b8abe5e4cce6c8084e0ff770b83cef5faafb775bee5b4c5a3aa11bcf6d1a1de4dccb6
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10160cc
timedatestamp.....: 0x3d6de1e2 (Thu Aug 29 08:57:06 2002)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3d78d 0x3d800 6.47 224429129ab70cdb49c0236e22786104
.data 0x3f000 0x1cd8 0x1c00 0.96 02facb4867aeeafea7058f9e55938fd9
.rsrc 0x41000 0xa40c7 0xa4200 6.57 9a7fe653d1744378514067e5b62fec0c
.reloc 0xe6000 0x34cc 0x3600 6.75 428919792c2214f0c87c578ed0170d3e

( 13 imports )
kewlix is offline  
Old 09-22-2008, 01:16 PM   #14 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Here is my third and final scan from VirusTotal, for C:\WINDOWS\system32\wuauclt.exe

Additional information
File size: 155136 bytes
MD5...: a6b22f62b544cd118677ebbcf6dcc62b
SHA1..: 59cc9aedb9bb2b4292c1bff82fc833702de12bd8
SHA256: 2ee5d11c8206f6152d2da6df1f97d6a49c96363faad03b1707cb6e9eeb2442c0
SHA512: 2b225984116178cacdffc387dde393e52eb37855246f98266de6ce3e9f75158e6fb7d2b06784222d6b56cb63331bf31ca8a7acae1f426b8d67c3163ccc187090
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100a335
timedatestamp.....: 0x3d6de0e1 (Thu Aug 29 08:52:49 2002)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xe614 0xe800 6.35 23b5784f99d18650ec1cf0bfe8a5c97d
.data 0x10000 0x1098 0x200 1.10 daac5105f85f7bb2e5083204a86c560e
.rsrc 0x12000 0x16f1e 0x17000 4.86 9dd74817de2041d8ec11cf4a8b8cb668

( 13 imports )
kewlix is offline  
Old 09-22-2008, 01:18 PM   #15 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Last but not least, the ComboFix file scan.

ComboFix 08-09-20.05 - RivaL 2008-09-22 14:48:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1056 [GMT -7:00]
Running from: C:\Documents and Settings\RivaL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RivaL\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\dax41
C:\Temp\dax41\A3G.log
C:\WINDOWS\system32\enB
C:\WINDOWS\system32\fjuffubkbhhkp.exe
C:\WINDOWS\system32\g49.exe
C:\WINDOWS\system32\hcp
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\tockorppzaevwusj.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\system32\wTR02
C:\WINDOWS\system32\Xtmp
C:\WINDOWS\system32\zir2
C:\WINDOWS\system32\zir2\KPL21i24.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-08 14:46 . 2008-09-08 14:46 <DIR> d-------- C:\Program Files\Panda Security
2008-09-08 14:46 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-07 15:50 . 2008-09-07 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-09-07 15:47 . 2008-09-07 15:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-09-07 15:47 . 2008-09-09 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-09-07 15:27 . 2008-09-07 15:27 <DIR> d-------- C:\Documents and Settings\RivaL\.housecall6.6
2008-09-07 13:44 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-09-07 13:44 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-09-07 13:44 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-09-07 13:43 . 2008-09-07 13:43 <DIR> d-------- C:\Program Files\Sygate
2008-09-07 13:43 . 2008-09-07 13:43 <DIR> d-------- C:\Downloads
2008-09-07 13:43 . 2008-09-07 13:48 <DIR> d-------- C:\Documents and Settings\RivaL\Application Data\GetRightToGo
2008-09-07 13:43 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-09-07 12:56 . 2008-09-07 12:56 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-07 12:45 . 2008-09-07 12:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-07 11:52 . 2008-09-07 11:52 335 --a------ C:\WINDOWS\mozregistry.dat
2008-09-07 11:31 . 2008-09-09 11:32 251 --a------ C:\WINDOWS\wininit.ini
2008-09-07 11:11 . 2008-09-07 11:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-09-07 11:01 . 2008-09-07 11:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-09-07 10:47 . 2008-09-07 10:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-09-07 10:38 . 2008-09-07 10:38 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-07 03:43 . 2008-09-07 03:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 03:43 . 2008-09-07 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 16:25 . 2008-09-07 02:38 <DIR> d-------- C:\Program Files\a-squared Free
2008-09-06 15:33 . 2008-09-06 15:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-06 14:08 . 2008-09-19 14:27 1,962 --a------ C:\WINDOWS\system32\default.htm
2008-09-06 14:05 . 2008-09-06 20:42 <DIR> d-------- C:\WINDOWS\system32\wTR19
2008-09-06 13:53 . 2008-09-06 13:53 <DIR> d-------- C:\Program Files\uTorrent
2008-09-06 13:22 . 2008-09-22 14:50 <DIR> d-------- C:\Temp
2008-08-30 07:31 . 2008-08-30 07:31 96 --ah----- C:\WINDOWS\system32\HsInfo.dat
2008-08-30 07:29 . 2008-08-30 07:29 <DIR> d-------- C:\Program Files\alaplaya
2008-08-27 14:03 . 2008-08-27 14:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 21:41 --------- d-----w C:\Program Files\Steam
2008-09-22 21:41 --------- d-----w C:\Documents and Settings\RivaL\Application Data\OpenOffice.org2
2008-09-18 12:42 --------- d-----w C:\Program Files\mIRC
2008-09-18 06:22 --------- d-s---w C:\Program Files\Xfire
2008-09-16 12:35 --------- d-----w C:\Documents and Settings\RivaL\Application Data\Xfire
2008-09-16 07:22 --------- d-----w C:\Program Files\World of Warcraft
2008-09-07 22:45 --------- d-----w C:\Documents and Settings\RivaL\Application Data\AVG7
2008-09-07 22:36 --------- d-----w C:\Program Files\Lavasoft
2008-09-07 22:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-07 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-07 22:24 --------- d-----w C:\Program Files\Java
2008-09-07 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-06 20:25 --------- d-----w C:\Documents and Settings\RivaL\Application Data\LimeWire
2008-09-04 06:05 --------- d-----w C:\Program Files\DivX
2008-09-02 01:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-31 10:45 --------- d-----w C:\Documents and Settings\RivaL\Application Data\DNA
2008-08-31 05:46 --------- d-----w C:\Program Files\DNA
2008-08-19 11:23 --------- d-----w C:\Program Files\Warcraft III
2008-08-16 09:22 --------- d-----w C:\Program Files\WC3Banlist
2008-08-16 09:15 --------- d-----w C:\Program Files\WinPcap
2008-08-15 09:11 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-14 14:19 630,784 ----a-w C:\Documents and Settings\RivaL\GoToAssist_chat2way__317_en.exe
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\wininet.dll
2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\dllcache\wininet.dll

2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\explorer.exe
2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\system32\dllcache\explorer.exe

2002-08-28 19:41 155136 a6b22f62b544cd118677ebbcf6dcc62b C:\WINDOWS\system32\wuauclt.exe
2002-08-28 19:41 155136 a6b22f62b544cd118677ebbcf6dcc62b C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-19_14.35.35.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-19 21:30:15 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-22 20:38:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-19 21:30:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-22 20:38:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-19 21:30:15 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-22 20:38:05 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-19 21:25:41 241,664 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-09-22 21:48:17 241,664 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-03-28 1271032]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-02-13 7557120]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-02-13 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"nwiz"="nwiz.exe" [2006-02-13 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 C:\WINDOWS\KHALMNPR.Exe]
"C-Media Mixer"="Mixer.exe" [2002-06-12 C:\WINDOWS\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2001-08-18 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\RivaL\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-03-19 20:10 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-11-01 23:33 67128 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 10:18 3660848 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R0 pavboot;pavboot;C:\WINDOWS\System32\drivers\pavboot.sys [2008-06-19 28544]
R3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\ipfnd51.sys [2005-04-05 26752]
S1 mff;mff;C:\WINDOWS\System32\drivers\mff.sys [ ]
S3 Asushwio;Asushwio;C:\WINDOWS\System32\drivers\Asushwio.sys [2000-03-29 5824]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\System32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-11-06 34064]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 14:50:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-09-22 14:51:34
ComboFix-quarantined-files.txt 2008-09-22 21:51:28
ComboFix2.txt 2008-09-19 21:35:57

Pre-Run: 13,758,386,176 bytes free
Post-Run: 13,775,527,936 bytes free

198
kewlix is offline  
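The log above carries the three things a helper reads first: the Sigcheck block (MD5 of a system file beside its dllcache copy, to spot a patched wininet.dll or explorer.exe), the Reg Loading Points (the Security Center and firewall policy values that malware flips off), and the service list (a driver whose file is gone shows as "[ ]", and vsdatant with an empty ImagePath). The script below is an added example, not ComboFix's own code and not something posted in this thread. It parses a constructed sample modelled on the log above (the wininet.dll hashes are the real matching ones from the log; the second explorer.exe hash is invented so the mismatch rule has something to find) and prints findings; the rule names are mine.

```python
"""Triage a ComboFix-style log for the indicators a helper reads first.

Added example (not ComboFix's own code): it parses the Sigcheck, Reg Loading
Points and service sections as they appear in the log above and flags
(a) a system file whose hash differs from its dllcache copy (patched file),
(b) registry values that weaken defences, (c) services whose file is missing
or whose ImagePath is empty.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the log above. The wininet.dll hashes are the
# ones in the log (they match); the second explorer.exe hash is invented so
# that the mismatch rule has something to find.
SAMPLE_LOG = r"""
------- Sigcheck -------

2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\wininet.dll
2002-08-28 19:41 632832 f9ea5d5a5b2a5c0db24f7733795ba0c8 C:\WINDOWS\system32\dllcache\wininet.dll

2002-08-28 19:41 946176 30becef60f38197d4921b8785f8897c8 C:\WINDOWS\explorer.exe
2002-08-28 19:41 946176 00000000000000000000000000000000 C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;C:\WINDOWS\System32\drivers\pavboot.sys [2008-06-19 28544]
S1 mff;mff;C:\WINDOWS\System32\drivers\mff.sys [ ]

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"=""
"""

# Line shapes as ComboFix prints them (date, time, size, md5, path / [key] / "name"=value / status name;display;path [stamp]).
SIGCHECK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ ([0-9a-fA-F]{32}) (.+?)\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+?) \[(.*)\]\s*$")


def reg_int(raw: str) -> Optional[int]:
    """Decode ComboFix's value renderings ('dword:00000001', '0 (0x0)') to an int, else None."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def _policy_finding(key: str, name: str, raw: str) -> Optional[Tuple[str, str, str]]:
    """Rules for registry values that malware commonly sets to blunt the defences (rule names are mine)."""
    n, val = name.lower(), reg_int(raw)
    if key.endswith(r"policies\system") and n in ("disabletaskmgr", "disableregistrytools") and val == 1:
        return ("policy-lockout", name, "user tool disabled by policy")
    if key.endswith("security center") and n.endswith("disablenotify") and val == 1:
        return ("notify-suppressed", name, "Security Center warning silenced")
    if "firewallpolicy" in key and n == "enablefirewall" and val == 0:
        return ("firewall-off", name, "Windows Firewall disabled for this profile")
    if key.startswith(("hkey_local_machine\\system", "hklm\\system")) and n == "imagepath" and raw.strip('"') == "":
        return ("service-imagepath-empty", key.rsplit("\\", 1)[-1], "service registered with no binary")
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once, collect Sigcheck hashes per file, and emit findings."""
    findings: List[Dict[str, str]] = []
    hashes: Dict[str, Dict[str, str]] = {}  # basename -> {"live": md5, "cache": md5}
    key = ""
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            digest, path = m.group(1).lower(), m.group(2)
            slot = "cache" if "\\dllcache\\" in path.lower() else "live"
            hashes.setdefault(path.rsplit("\\", 1)[-1].lower(), {})[slot] = digest
            continue
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = REG_VAL_RE.match(line)
        if m:
            hit = _policy_finding(key, m.group(1), m.group(2))
            if hit:
                findings.append(dict(zip(("kind", "item", "detail"), hit)))
            continue
        m = SERVICE_RE.match(line)
        if m and not m.group(3).strip():  # "[ ]" means ComboFix could not stat the file
            findings.append({"kind": "service-file-missing", "item": m.group(1),
                             "detail": f"{m.group(2)} not found on disk"})
    for name, h in hashes.items():
        if "live" in h and "cache" in h and h["live"] != h["cache"]:
            findings.append({"kind": "sigcheck-mismatch", "item": name,
                             "detail": "live copy differs from dllcache copy (possible patched file)"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['item']}: {f['detail']}")
```

Run against the real log above it would report only EnableFirewall=0, AntiVirusDisableNotify=1, the mff driver with no file and the empty vsdatant ImagePath; the Sigcheck hashes there all match, which is the point of that section. A matching pair does not prove the file is clean (both copies could be replaced), but a mismatch is almost always a patched system file and is the first thing to chase.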
Old 09-22-2008, 09:29 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: js/psyme virus aftermath scan from activescan 2.0

Hello kewlix,

I appreciate the upload, but what you uploaded was the ComboFix.txt.

Click Start>Run and type the following into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please copy/paste the contents of that report in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 09-23-2008, 01:58 AM   #17 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

2007-04-26 04:30:16 29,184 C:\Qoobox\Quarantine\C\WINDOWS\system32\MSINET.oca.vir
2007-09-24 00:05:16 279,600 C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
2008-07-05 22:56:54 49,375 C:\Qoobox\Quarantine\C\Temp\1cb\syscheck.log.vir
2008-09-06 15:20:00 162,849 C:\Qoobox\Quarantine\C\WINDOWS\system32\zir2\KPL21i24.exe.vir
2008-09-06 20:22:08 34,816 C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvUNedD.dll.vir
2008-09-06 20:22:08 34,816 C:\Qoobox\Quarantine\C\WINDOWS\system32\xxywTKEU.dll.vir
2008-09-06 20:22:19 1,858 C:\Qoobox\Quarantine\C\Temp\dax41\A3G.log.vir
2008-09-06 20:22:19 71,711 C:\Qoobox\Quarantine\C\WINDOWS\system32\fjuffubkbhhkp.exe.vir
2008-09-06 20:22:21 153,444 C:\Qoobox\Quarantine\C\WINDOWS\system32\g49.exe.vir
2008-09-06 20:22:23 64,859 C:\Qoobox\Quarantine\C\WINDOWS\system32\tockorppzaevwusj.exe.vir
2008-09-06 20:22:29 861 C:\Qoobox\Quarantine\C\WINDOWS\system32\winpfz33.sys.vir
2008-09-06 20:30:04 115,200 C:\Qoobox\Quarantine\C\WINDOWS\system32\cquypr.dll.vir
2008-09-06 20:30:04 115,200 C:\Qoobox\Quarantine\C\WINDOWS\system32\iaqfobdt.dll.vir
2008-09-06 20:53:25 85,008 C:\Qoobox\Quarantine\C\WINDOWS\system32\uesiuqcr.exe.vir
2008-09-06 20:53:48 50 C:\Qoobox\Quarantine\C\Documents and Settings\RivaL\Application Data\Microsoft\dtsc\s.vir
2008-09-06 20:55:28 10,240 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\xpreload.ocx.vir
2008-09-06 21:56:22 648 C:\Qoobox\Quarantine\C\Documents and Settings\RivaL\Start Menu\Programs\Startup\DW_Start.lnk.vir
2008-09-06 21:57:13 684 C:\Qoobox\Quarantine\C\Documents and Settings\RivaL\Start Menu\Programs\Startup\Deewoo.lnk.vir
2008-09-06 22:26:58 192,582 C:\Qoobox\Quarantine\C\WINDOWS\system32\ncntttdm.exe.vir
2008-09-06 22:52:16 1,298,874 C:\Qoobox\Quarantine\C\WINDOWS\system32\yayofpnf.ini.vir
2008-09-07 10:04:59 115,200 C:\Qoobox\Quarantine\C\WINDOWS\system32\qrgkoeuw.dll.vir
2008-09-07 10:14:43 7,723 C:\Qoobox\Quarantine\C\WINDOWS\BM23233a67.txt.vir
2008-09-07 10:46:58 111,637 C:\Qoobox\Quarantine\C\WINDOWS\BM23233a67.xml.vir
2008-09-07 22:57:03 876,412 C:\Qoobox\Quarantine\C\WINDOWS\system32\bbbdgMoq.ini2.vir
2008-09-07 22:57:13 876,412 C:\Qoobox\Quarantine\C\WINDOWS\system32\bbbdgMoq.ini.vir
2008-09-19 21:19:44 15,360 C:\Qoobox\Quarantine\C\WINDOWS\system32\getsn32.dll.vir
2008-09-19 21:19:45 8,704 C:\Qoobox\Quarantine\C\WINDOWS\system32\smwin32.dll.vir
2008-09-19 21:35:35 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-09-19 21:35:35 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-09-19 21:35:35 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-09-19 21:35:36 378 C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}.reg.dat
2008-09-19 21:35:36 378 C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{0A94B116-4504-4e26-AB05-E61E474AA38B}.reg.dat
2008-09-19 21:35:37 1,006 C:\Qoobox\Quarantine\Registry_backups\BHO-{2D9F1530-0B38-4DCB-A90A-CECD559F3514}.reg.dat
2008-09-19 21:35:37 157 C:\Qoobox\Quarantine\Registry_backups\BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}.reg.dat
2008-09-19 21:35:37 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{AE55C7EC-82F8-46CB-8DC2-57BF42F025FF}.reg.dat
2008-09-19 21:35:37 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{F145B6CD-5D7C-4FE5-9AD9-C85D8F05DDCD}.reg.dat
2008-09-19 21:35:37 436 C:\Qoobox\Quarantine\Registry_backups\BHO-{65a4805e-60ef-7a07-28c7-3d4261929f71}.reg.dat
2008-09-19 21:35:38 121 C:\Qoobox\Quarantine\Registry_backups\Toolbar-SITEguard.reg.dat
2008-09-19 21:35:38 175 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-updateMgr.reg.dat
2008-09-19 21:35:39 149 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-201009fb.reg.dat
2008-09-19 21:35:39 214 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-{6665cd51-4a02-f719-a93b-6689e1cce919}.reg.dat
2008-09-19 21:35:42 363 C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{AE55C7EC-82F8-46CB-8DC2-57BF42F025FF}.reg.dat
2008-09-19 21:35:43 590 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-WinampAgent.reg.dat
2008-09-22 21:48:34 334,334 C:\Qoobox\Quarantine\[4]-Submit_2008-09-22@14.48.zip
2008-09-22 21:50:15 6,751 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-09-22 21:50:26 108 C:\Qoobox\Quarantine\catchme.log
kewlix is offline  
Old 09-23-2008, 09:00 PM   #18 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

Hi Ried, I have a question. Ever since I got this virus I took the step of getting a firewall to stop it from downloading more viruses; since then I have noticed these files seem to try to connect to the web, so I blocked them. Could this be a virus as well? C:\WINDOWS\ system32\svchost ndins.sys I didn't get the full name of the second, but I will post it another time; once it pops up I'll take a screenshot.
kewlix is offline  
Old 09-23-2008, 09:13 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: js/psyme virus aftermath scan from activescan 2.0

Hello kewlix,

Please visit this site and follow the instructions for uploading the C:\Qoobox\Quarantine\[4]-Submit_2008-09-22@14.48.zip

Quote:
svchost ndins.sys
Are you sure that is the exact file name? It's important that you type it in exactly as Sygate reports.


It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 09-24-2008, 08:32 PM   #20 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 27
OS: windows sp1


Re: js/psyme virus aftermath scan from activescan 2.0

C:\WINDOWS\ system32\svchost.exe is the first one; the other is C:\WINDOWS\ Drivers\ndisuio.sys
kewlix is offline  
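The moderator's insistence on the exact file name is the right instinct: a firewall prompt naming svchost.exe tells you little until you know the path it came from and whether the name is really svchost and not a lookalike. The script below is an added example, not part of this thread and not Sygate's or anyone's product code. It takes a path as a person would type it from a prompt, strips the stray spaces that creep into hand-typed paths (both paths in the post above have one after C:\WINDOWS\), compares the file against the well-known home of a few Windows XP components (a short list I chose; extend it as needed), and uses edit distance to catch names that imitate a system binary (scvhost.exe, svch0st.exe). Note that the second path as typed, C:\WINDOWS\ Drivers\ndisuio.sys, is not where the NDIS user-mode I/O driver lives (C:\WINDOWS\system32\drivers\ndisuio.sys), so the checker reports it as a location mismatch until the exact string from the prompt settles it.

```python
"""Sanity-check a file path reported by a personal firewall prompt.

Added example (not from the thread or any vendor). A "known-location" verdict
is only a first cut: the genuine svchost.exe in system32 hosts service DLLs,
and a malicious service DLL makes its connections under that process name.
On Windows XP, `tasklist /svc` lists which services each svchost.exe instance
is running and is the next thing to look at.
"""
import re
from typing import Dict, Tuple

# Canonical directories for a few Windows XP components (well-known locations;
# this is my own short list for the example, not an exhaustive table).
KNOWN_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "ndisuio.sys": r"c:\windows\system32\drivers",
}

LOOKALIKE_MAX_DISTANCE = 2  # one or two character edits away from a system name


def normalize(reported: str) -> Tuple[str, str]:
    """Lowercase the path and drop whitespace around backslashes (typical of hand-typed alert text)."""
    cleaned = re.sub(r"\s*\\\s*", "\\\\", reported.strip()).lower()
    directory, _, name = cleaned.rpartition("\\")
    return directory, name


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch transposed or swapped letters in short names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(reported: str) -> Dict[str, str]:
    """Classify a reported path: known-location, wrong-location, lookalike, or unknown."""
    directory, name = normalize(reported)
    if name in KNOWN_BINARIES:
        expected = KNOWN_BINARIES[name]
        if directory == expected:
            return {"name": name, "verdict": "known-location",
                    "note": f"lives in {expected}; confirm which services it hosts (tasklist /svc)"}
        return {"name": name, "verdict": "wrong-location",
                "note": f"expected {expected}, reported {directory or '(no directory)'}"}
    close = [k for k in KNOWN_BINARIES if edit_distance(k, name) <= LOOKALIKE_MAX_DISTANCE]
    if close:
        return {"name": name, "verdict": "lookalike",
                "note": f"resembles {close[0]}; treat as hostile until hashed and identified"}
    return {"name": name, "verdict": "unknown",
            "note": "not a tracked system binary; hash it and check it against the vendor"}


if __name__ == "__main__":
    # The two paths as typed in the post above, plus two constructed cases for the other verdicts.
    for p in (r"C:\WINDOWS\ system32\svchost.exe", r"C:\WINDOWS\ Drivers\ndisuio.sys",
              r"C:\WINDOWS\Temp\svchost.exe", r"C:\WINDOWS\system32\scvhost.exe"):
        r = assess(p)
        print(f"{p!r}: {r['verdict']} ({r['note']})")
```

The checker deliberately refuses to call anything "clean": the best it can say is that the name and directory are what Windows would use, after which the process still has to be tied to the service or driver that actually opened the connection.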
All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum