Was Darksma / Vav2008... Am I Clean Now?


13 replies to this topic

#1 andyhof

andyhof

  • Members
  • 8 posts

Posted 01 August 2008 - 10:58 PM

Massive infestation...

Roge.AntiSpywareExpert
Trojan.Vundo-Variant/Small-V2
darksma
VAV.exe
TrojanDownloader_NewJuan/VM
FadeAlert.BD

and others were found over the course of the last 36 hours.

I've cleaned up following the instructions in these forums.

Running Windows XP SP2 on a rather old P4.

Here are the reports as per forum guidelines. Can you tell me if I'm clean now?
It seems like I could be running a bit quicker.

Attached Files




#2 andyhof

andyhof
  • Topic Starter

  • Members
  • 8 posts

Posted 04 August 2008 - 10:23 PM

Posted a few days ago about a massive infestation:


Roge.AntiSpywareExpert
Trojan.Vundo-Variant/Small-V2
darksma
VAV.exe
TrojanDownloader_NewJuan/VM
FadeAlert.BD

and others were found over the course of the last 36 hours.

I've cleaned up following the instructions in these forums.

Running Windows XP SP2 on a rather old P4.

Here are the reports as per forum guidelines.

Can someone tell me if I'm clean now?



Deckard's System Scanner v20071014.68
Run by 13 madison on 2008-08-01 23:46:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-08-02 03:46:43 UTC - RP198 - Deckard's System Scanner Restore Point
3: 2008-08-02 03:37:56 UTC - RP197 - Installed Java™ 6 Update 7
2: 2008-08-01 21:34:13 UTC - RP196 - Software Distribution Service 3.0
1: 2008-08-01 02:11:26 UTC - RP195 - Installed SUPERAntiSpyware Free Edition


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as 13 madison.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:48:05, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\13 madison\Desktop\dss.exe
G:\ANTIVI~1\13 madison.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - {39E03C49-BADC-4DE7-9FA3-356FD74107B1} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {a5aebe2b-fecc-c78a-3f54-66e30057906d} - {d6097500-3e66-45f3-a87c-ccefb2ebea5a} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {8DF3C332-F00E-4E3B-A990-51BF8372CEC4} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1200590081043
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://download.dinerdash.com/play/game/di...tg.1.0.0.32.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4806 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Pivot - c:\windows\system32\drivers\pivot.sys <Not Verified; Portrait Displays, Inc.; Windows ® 2000 DDK driver>
R3 pivotmou (Pivot Mouse/Pointers Filter Driver) - c:\windows\system32\drivers\pivotmou.sys <Not Verified; Portrait Displays, Inc.; Pivot ® Software ®>

S3 pdiddcci (DDC/CI monitor) - c:\windows\system32\drivers\pdiddcci.sys <Not Verified; Portrait Displays, Inc.; Portrait Displays DDC/CI Monitor Device Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 DTSRVC (Portrait Displays Display Tune Service) - c:\program files\common files\portrait displays\shared\dtsrvc.exe
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&163C0F35&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&163C0F35&0
Service: i8042prt


-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 23:38:06 0 d-------- C:\Program Files\Java
2008-08-01 23:38:02 0 d-------- C:\Program Files\Common Files\Java
2008-08-01 23:35:01 0 d-------- C:\Documents and Settings\13 madison\Application Data\Sun
2008-08-01 22:23:12 0 dr-h----- C:\Documents and Settings\13 madison\Recent
2008-08-01 17:06:04 2002 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-31 23:02:37 1152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-31 23:00:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-31 22:54:07 0 d--h----- C:\$AVG8.VAULT$
2008-07-31 20:30:51 0 d-------- C:\Program Files\CCleaner
2008-07-31 20:29:27 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-31 20:29:03 0 d-------- C:\Program Files\AVG
2008-07-31 20:29:03 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-31 16:54:47 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-31 16:54:21 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-31 16:54:21 0 d-------- C:\Documents and Settings\13 madison\Application Data\SUPERAntiSpyware.com
2008-07-30 22:31:17 0 d-------- C:\WINDOWS\pss
2008-07-30 19:36:28 99712 --a------ C:\WINDOWS\system32\asurssts.dll
2008-07-30 19:32:18 235852 --ahs---- C:\WINDOWS\system32\JknTEfhk.ini2
2008-07-30 19:21:21 0 d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-07-30 19:20:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 13:52:51 0 d-------- C:\Program Files\Common Files\AOL
2008-07-24 00:21:23 0 d-------- C:\Documents and Settings\13 madison\Application Data\Apple Computer
2008-07-24 00:18:54 0 d-------- C:\Program Files\QuickTime
2008-07-24 00:18:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-24 00:18:02 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-07-13 17:39:30 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-13 17:39:30 0 d-------- C:\Documents and Settings\13 madison\Application Data\PlayFirst
2008-07-13 17:38:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-07-13 17:34:04 0 d-------- C:\Program Files\Diner Dash Flo on the Go
2008-07-13 17:34:04 0 d-------- C:\Program Files\BFG
2008-07-13 17:28:58 0 d-------- C:\Documents and Settings\13 madison\Application Data\WinRAR
2008-07-09 22:43:45 0 d-------- C:\Program Files\Microsoft Picture It! 10


-- Find3M Report ---------------------------------------------------------------

2008-08-01 23:38:02 0 d-------- C:\Program Files\Common Files
2008-07-30 22:42:01 0 d-------- C:\Program Files\FLAC
2008-07-24 01:18:04 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-09 22:36:49 0 d-------- C:\Program Files\Common Files\Ahead
2008-06-26 13:52:32 16 --a------ C:\WINDOWS\popcinfot.dat
2008-06-26 13:34:53 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-25 00:55:20 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-18 18:57:39 0 d-------- C:\Documents and Settings\13 madison\Application Data\Real
2008-06-18 18:54:29 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-18 18:54:22 0 d-------- C:\Program Files\Common Files\Real
2008-06-16 23:47:20 62009 --a------ C:\WINDOWS\system32\wpfb_nv4_disp.dll <Not Verified; Portrait Displays, Inc.; Pivot Sofware>
2008-06-16 23:35:58 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-16 23:17:49 0 d-------- C:\Documents and Settings\13 madison\Application Data\DisplayTune
2008-06-16 23:14:18 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-16 23:13:59 0 d-------- C:\Program Files\Common Files\Portrait Displays
2008-06-16 23:13:47 0 d-------- C:\Program Files\Portrait Displays
2008-06-16 23:12:56 0 d-------- C:\Program Files\Acer Display
2008-06-16 23:12:03 0 d-------- C:\Program Files\Common Files\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39E03C49-BADC-4DE7-9FA3-356FD74107B1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d6097500-3e66-45f3-a87c-ccefb2ebea5a}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [08/15/2001 17:50]
"Smapp"="Smtray.exe" [05/31/2001 22:32 C:\WINDOWS\system32\SMTray.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 23:16]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/31/2008 20:29]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfETnkJ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT ACR]
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe -startup_folder

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PivotSoftware]
"C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys1.exe]
C:\Windows\Sys1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Pctspk"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"ITMRTSVC"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"DTSRVC"=2 (0x2)
"CaCCProvSP"=3 (0x3)
"Bonjour Service"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-08-01 23:49:16 ------------

Merged topics. ~ OB

Edited by Orange Blossom, 05 August 2008 - 06:35 PM.


#3 andyhof

andyhof
  • Topic Starter

  • Members
  • 8 posts

Posted 06 August 2008 - 05:56 PM

Title was: Lost Desktop...just Blue. Need Help ~ OB

Please help me tell what's wrong here.
Running WinXP SP2

I keep having trojan.downloader found... but AVG can't remove it.

Can someone help me?

Edited by Orange Blossom, 06 August 2008 - 09:18 PM.
Merged topics. ~ OB


#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts

Posted 10 August 2008 - 11:02 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.


DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; fresh scans and logs are still necessary.

Click on Start, then click on Run.
Copy and paste the following in bold into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad: main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards

Edited by SNOWHITE, 14 August 2008 - 12:27 AM.


#5 andyhof

andyhof
  • Topic Starter

  • Members
  • 8 posts

Posted 13 August 2008 - 10:00 PM

Running scans now. Kaspersky is taking its time.
Will post results. Thanks for getting back to me.

#6 andyhof

andyhof
  • Topic Starter

  • Members
  • 8 posts

Posted 14 August 2008 - 11:19 PM

scan results attached below.

Attached Files


Edited by andyhof, 15 August 2008 - 07:11 PM.


#7 andyhof

andyhof
  • Topic Starter

  • Members
  • 8 posts

Posted 15 August 2008 - 05:57 PM

Attached Files:
  • kaspersky_report.html (2.61KB, 30 downloads)
  • extra.txt (12.75KB, 29 downloads)
  • main.txt (18.04KB, 33 downloads)

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,722 posts

Posted 17 August 2008 - 06:15 AM

Hi andyhof,

I am farbar. I am going to assist you with your problem. Please give me some time to look it over and I will get back to you as soon as possible. A quick look at your log shows no apparent sign of infection.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,722 posts

Posted 19 August 2008 - 11:58 AM

Hi again,

Please copy and paste the logs into your reply instead of attaching them. That would be easier to read. Thanks.
  • Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program now.
    Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist:

    Viewpoint Media Player.

    Also remove the folder in bold: C:\Program Files\Viewpoint

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows
    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the file in bold:

    C:\WINDOWS\system32\JknTEfhk.ini2

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {39E03C49-BADC-4DE7-9FA3-356FD74107B1} - (no file)
    O2 - BHO: {a5aebe2b-fecc-c78a-3f54-66e30057906d} - {d6097500-3e66-45f3-a87c-ccefb2ebea5a} - (no file)


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • We need to repair the broken file associations
    • Click Start and then Run to bring up the Run box.
    • Copy and paste the contents of this quote box into the run box:

      "%userprofile%\desktop\dss.exe" /daft

    • Click OK.
    • Click OK to the prompt from Deckard's System Scanner.
    • Click Scan.
    • Place a tick next to the following entries (if they are present):
      .reg
      .scr
    • Click Fix
  • Please run the F-Secure Online Scanner
    Note: This Scanner is for Internet Explorer Only!
    Follow the Instruction here for installation.
    Accept the License Agreement.
    Once the ActiveX installs, click Full System Scan.
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.
    Click the Show Report button and copy and paste the entire report in your next reply.

In your next reply:
  • The scan results of F-Secure.
  • A fresh DSS log. DSS creates just one log this time.
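As an added illustration of the HijackThis log triage walked through in the reply above (this is example code written for this page, not code from the thread, from HijackThis or from DSS), the following Python parses the O2/O4/O16/O20 line formats and applies the same kind of checks a helper applies by eye: BHO registrations that point at no file (the two entries fixed above), ActiveX controls listed without a class name, and each DLL in AppInit_DLLs. The sample lines are copied from the logs posted in this thread; the triage rules are the editor's own heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis logs
# posted in this thread, enough to exercise each parser branch.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {39E03C49-BADC-4DE7-9FA3-356FD74107B1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {a5aebe2b-fecc-c78a-3f54-66e30057906d} - {d6097500-3e66-45f3-a87c-ccefb2ebea5a} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1200590081043
O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll,
"""

# Every HijackThis line starts with a section code (R1, F2, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Entry:
    section: str        # HijackThis section code, e.g. "O2", "O20"
    raw: str            # the original line
    name: str = ""      # readable name / class description, if any
    clsid: str = ""     # CLSID for O2/O16 entries
    target: str = ""    # file path, URL, or the raw AppInit_DLLs list


def parse_line(line: str):
    """Parse one HijackThis line into an Entry; None for blank or unknown lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section=section, raw=line)
    if section == "O2" and body.startswith("BHO: "):
        # "BHO: <name> - {CLSID} - <path>"; the name itself may be a bare CLSID,
        # so split from the right to keep the last two fields intact.
        parts = body[5:].rsplit(" - ", 2)
        if len(parts) == 3:
            e.name, e.clsid, e.target = parts
    elif section == "O16" and body.startswith("DPF: "):
        # "DPF: {CLSID} (Description) - <url>"; the description is optional.
        head, _, url = body[5:].rpartition(" - ")
        e.clsid, _, desc = head.partition(" ")
        e.name = desc.strip("()")
        e.target = url
    elif section == "O4":
        # "HKLM\..\Run: [Value name] <command line>"
        m4 = re.match(r"\S+: \[([^\]]*)\] (.*)$", body)
        if m4:
            e.name, e.target = m4.groups()
    elif section == "O20" and body.startswith("AppInit_DLLs: "):
        e.target = body[len("AppInit_DLLs: "):]
    return e


def triage(log_text: str):
    """Return (item, note) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.section == "O2":
            if e.target == "(no file)":
                # Registration points at a DLL that no longer exists: the kind
                # of leftover the helper had fixed with HijackThis above.
                findings.append((e.clsid, "orphaned BHO registration (no file on disk); remove"))
            elif GUID_RE.match(e.name):
                findings.append((e.clsid, "BHO registered under a bare CLSID rather than a readable name; review"))
        elif e.section == "O16" and not e.name:
            findings.append((e.clsid, f"ActiveX control with no class name, loaded from {e.target}; review"))
        elif e.section == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll,
            # so each entry should be tied to known installed software.
            for dll in (d.strip() for d in e.target.split(",")):
                if dll:
                    findings.append((dll, "loaded into every GUI process via AppInit_DLLs; confirm its owner"))
    return findings


if __name__ == "__main__":
    for item, note in triage(SAMPLE_LOG):
        print(f"{item}: {note}")
```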


#10 andyhof

andyhof
  • Topic Starter

  • Members
  • 8 posts

Posted 19 August 2008 - 09:27 PM

F-Secure Online Scanner / Scanning Report
Tuesday, August 19, 2008 17:29:15 - 22:18:24
Computer name: YOUR-KKXX5RXWD9
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ H:\


--------------------------------------------------------------------------------

Result: 1 malware found
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 44907
System: 3233
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{62211434-9BA2-4841-8FC7-B97F1D39A3A3}.BIN
C:\DOCUMENTS AND SETTINGS\13 MADISON\LOCAL SETTINGS\TEMP\HSPERFDATA_13 MADISON\480

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-08-19
F-Secure AVP: 7.0.171, 2008-08-19
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

___________________



Deckard's System Scanner v20071014.68
Run by 13 madison on 2008-08-19 22:22:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 83% (more than 75%).


-- HijackThis (run as 13 madison.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:43, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Smtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\13MADI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\13MADI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\13 madison\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\13MADI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe -startup_folder
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {8DF3C332-F00E-4E3B-A990-51BF8372CEC4} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1200590081043
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - http://download.dinerdash.com/play/game/di...tg.1.0.0.32.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 6570 bytes

-- Files created between 2008-07-19 and 2008-08-19 -----------------------------

2008-08-19 17:26:23 0 d-------- C:\fsaua.data
2008-08-14 23:48:39 0 dr-h----- C:\Documents and Settings\13 madison\Recent
2008-08-13 22:36:46 0 d-------- C:\WINDOWS\Sun
2008-08-13 22:27:30 0 d-------- C:\Program Files\Trend Micro
2008-08-04 23:32:10 0 d-------- C:\Documents and Settings\13 madison\Application Data\Malwarebytes
2008-08-04 23:32:04 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 23:32:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 19:07:14 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 12:57:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 23:38:06 0 d-------- C:\Program Files\Java
2008-08-01 23:38:02 0 d-------- C:\Program Files\Common Files\Java
2008-08-01 23:35:01 0 d-------- C:\Documents and Settings\13 madison\Application Data\Sun
2008-08-01 17:06:04 2002 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-31 23:02:37 1152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-31 23:00:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-31 22:54:07 0 d--h----- C:\$AVG8.VAULT$
2008-07-31 20:30:51 0 d-------- C:\Program Files\CCleaner
2008-07-31 20:29:27 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-31 20:29:03 0 d-------- C:\Program Files\AVG
2008-07-31 20:29:03 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-31 16:54:47 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-31 16:54:21 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-31 16:54:21 0 d-------- C:\Documents and Settings\13 madison\Application Data\SUPERAntiSpyware.com
2008-07-30 22:31:17 0 d-------- C:\WINDOWS\pss
2008-07-30 19:32:18 235852 --ahs---- C:\WINDOWS\system32\JknTEfhk.ini2
2008-07-30 19:20:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 13:52:51 0 d-------- C:\Program Files\Common Files\AOL
2008-07-24 00:21:23 0 d-------- C:\Documents and Settings\13 madison\Application Data\Apple Computer
2008-07-24 00:18:54 0 d-------- C:\Program Files\QuickTime
2008-07-24 00:18:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-24 00:18:02 0 d------c- C:\WINDOWS\system32\DRVSTORE


-- Find3M Report ---------------------------------------------------------------

2008-08-14 23:45:31 0 d-------- C:\Program Files\NCH Swift Sound
2008-08-14 03:06:46 0 d-------- C:\Program Files\Messenger
2008-08-01 23:38:02 0 d-------- C:\Program Files\Common Files
2008-07-30 22:42:01 0 d-------- C:\Program Files\FLAC
2008-07-24 01:18:04 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-13 17:39:30 0 d-------- C:\Documents and Settings\13 madison\Application Data\PlayFirst
2008-07-13 17:34:04 0 d-------- C:\Program Files\BFG
2008-07-13 17:28:58 0 d-------- C:\Documents and Settings\13 madison\Application Data\WinRAR
2008-07-11 22:57:21 0 d-------- C:\Program Files\Microsoft Picture It! 10
2008-07-09 22:36:49 0 d-------- C:\Program Files\Common Files\Ahead
2008-06-26 13:52:32 16 --a------ C:\WINDOWS\popcinfot.dat
2008-06-26 13:34:53 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-25 00:55:20 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-16 23:47:20 62009 --a------ C:\WINDOWS\system32\wpfb_nv4_disp.dll <Not Verified; Portrait Displays, Inc.; Pivot Sofware>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [08/15/2001 17:50]
"Smapp"="Smtray.exe" [05/31/2001 22:32 C:\WINDOWS\system32\SMTray.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 23:16]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/31/2008 20:29]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/18/2008 18:53]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [07/24/2001 17:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [02/09/2007 12:17]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 16:57]
"DT ACR"="C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe" [09/20/2007 11:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL,avgrsstx.dll,

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfETnkJ

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"iPod Service"=3 (0x3)
"CaCCProvSP"=3 (0x3)
"Bonjour Service"=2 (0x2)

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER



-- End of Deckard's System Scanner: finished at 2008-08-19 22:24:21 ------------

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,722 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 August 2008 - 09:39 AM

The F-Secure didn't find anything, but taking a deeper look into your log shows the traces of one or more backdoor trojans with rootkit capability.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojans might have been removed, because of their backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to search and if found clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to go on with checking and removing the infection please move on to the following steps.


Removal Instructions
  • I can't see the following files on the log but the log is recent and we don't know for sure how long the infection was there. So to make sure using Windows Explorer and Windows search please make sure the following files are deleted. Please make sure that you can view all system and hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

    C:\WINDOWS\system32\khfETnkJ.dll
    C:\Windows\Sys1.exe

  • We are going to repair the default Authentication Packages and the SafeBoot registry keys altered by the malware. Open a notepad, make sure the wordwrap under format menu is not selected.
    Copy and paste the text in code box into it.

    REGEDIT4 
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc28.sys]

    Save the file to the desktop as regfix.reg
    Make sure the Save as typefield says All files.
    Locate regfix.reg on the Desktop and double-click on it and confirm.

    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  • I see from your log you have disabled some startup items by using System Configuration Utility. I know many people use and advise use of System Configuration Utility to disable startup items. But the utility is designed to be used for diagnostic purposes. There is good free software to use for this purpose.

    The log we made shows that you have disabled a malware startup item. The item does no harm at the moment, but in case you or somebody else again enables the item the malware might become active again. To make sure this is not going to happen we are going to remove the entries with Hijackthis.

    Go to Start > Run
    • In the run box type: msconfig to open up System Configuration Utility.
    • Click on startup tab.
    • Find Sys1.exe
    • Check the box next to it.
    • Press Apply and Close .
    • A window pops up; select "Exit Without Reboot".
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O4 - HKLM\..\Run: [Sys1.exe] C:\Windows\Sys1.exe

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

    Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Scan with DrWeb-CureIt as follows:
    • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
    • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the "Scan tab" and UNcheck "Heuristic analysis"
    • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
    • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
    • When done, a message will be displayed at the bottom advising if any viruses were found.
    • Click "Yes to all" if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
      (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
    • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    • Save the DrWeb.csv report to your desktop.
    • Exit Dr.Web Cureit when done.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
  • Download gmer.zip and save to your desktop.
    alternate download site 1
    alternate download site 2
    • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
    • When you have done this, disconnect from the Internet and close all running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double-click on Gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    • Click on "Settings", then check the first five settings:
      *System Protection and Tracing
      *Processes
      *Save created processes to the log
      *Drivers
      *Save loaded drivers to the log
    • You will be prompted to restart your computer. Please do so.
    Run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Click on the "Scan" and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
    • Note: If you have any problems, try running GMER in SAFE MODE.
    Important! Please do not select the "Show all" checkbox during the scan.

  • Download Find File Information (scroll down the page) and save it to your desktop.
    • Double-click on FileInfo.vbs to start and follow the prompts.
    • When you see a prompt like this "Enter drive letter to search (letter only)", enter an asterisk (*) and click OK.
    • In the next window, enter: clbdriver
      File name only (without extension)
    • Click OK. A text file named searched.txt will open and automatically be saved in the root of your C:\ directory.
    • Please copy/paste the information from searched.txt in your next reply if it contains a report. If it is empty it means the file was not found. In that case just report that the searched.txt was empty.
    • After you copied the searched.txt repeat the procedure this time enter: Winuc28
    Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this script, you can click to allow it to execute.

  • Please make a fresh DSS log and copy and paste it into your reply. DSS makes this time just one log (main.txt).
In your next reply:
  • The log of DrWeb.
  • The log of GMER.
  • The findings of File Find Information.
  • A fresh DSS log.

Edited by farbar, 20 August 2008 - 04:44 PM.

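As an added example (not code from this thread, from Farbar, or from any of the tools named above), the Python script below applies the same two checks Farbar made by eye on the DSS registry dump: it flags any LSA "Authentication Packages" entry beside msv1_0, flags SafeBoot\Minimal entries outside a known-good set, and decodes the hex(7) REG_MULTI_SZ value in regfix.reg to confirm the fix writes exactly "msv1_0" and deletes exactly the suspect SafeBoot keys. The sample dumps are excerpts copied from the 19 and 21 August logs in this thread; the SafeBoot allowlist is constructed from the clean 21 August log only and is not a full list of Windows XP defaults.

```python
"""
Audit checks over a Deckard's System Scanner (DSS) registry dump: an extra
LSA Authentication Package beside msv1_0, and driver keys added under the
SafeBoot Minimal key so they also load in Safe Mode. Also decodes the hex(7)
value from regfix.reg to confirm what it writes. Sample dumps are excerpts
copied from the logs in this thread.
"""
import re

# Excerpt of the registry dump from the 2008-08-19 DSS log posted above.
DUMP_BEFORE_FIX = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfETnkJ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
"""

# Excerpt of the 2008-08-21 DSS log, taken after regfix.reg had been applied.
DUMP_AFTER_FIX = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
"""

# The regfix.reg text from Farbar's post, verbatim.
REGFIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc28.sys]
"""

# Known-good SafeBoot leaves. Constructed from the clean log in this thread
# only; a real Windows XP install has many more default entries.
SAFEBOOT_ALLOWLIST = {"vds", "{533C5B84-EC70-11D2-9505-00C04F79DEAF}"}

KEY_RE = re.compile(r"^\[(.+)\]$")
SAFEBOOT_PREFIX = "\\control\\safeboot\\minimal\\"


def parse_registry_dump(text):
    """Return {key path: [value lines]} from DSS or .reg style text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def _auth_packages_data(values):
    """Data part of an 'Authentication Packages' value line, or None if absent."""
    for v in values:
        name, _, data = v.partition("=")
        if name.strip().strip('"').lower() == "authentication packages":
            return data.strip()
    return None


def lsa_auth_package_anomalies(keys):
    """Any LSA authentication package besides msv1_0 is suspect on a home XP box."""
    suspect = []
    for key, values in keys.items():
        if key.lower().endswith("\\control\\lsa"):
            data = _auth_packages_data(values) or ""
            suspect += [t for t in data.split() if t.lower() != "msv1_0"]
    return suspect


def safeboot_anomalies(keys, allowlist=SAFEBOOT_ALLOWLIST):
    """SafeBoot leaves outside the allowlist: these are loaded even in Safe Mode."""
    found = []
    for key in keys:
        idx = key.lower().find(SAFEBOOT_PREFIX)
        if idx != -1:
            leaf = key[idx + len(SAFEBOOT_PREFIX):]
            if leaf not in allowlist:
                found.append(leaf)
    return found


def decode_reg_multi_sz(data):
    """Decode a REGEDIT4 hex(7) value: ANSI bytes, NUL-separated, double-NUL terminated."""
    if not data.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    raw = bytes(int(b, 16) for b in data[len("hex(7):"):].split(","))
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def check_regfix(regfix_text, keys_before):
    """True if the .reg restores msv1_0 alone and deletes exactly the suspect SafeBoot leaves."""
    fix = parse_registry_dump(regfix_text)
    restored, deleted = [], set()
    for key, values in fix.items():
        if key.startswith("-"):                      # [-KEY] deletes the key
            deleted.add(key.rsplit("\\", 1)[1])
        elif key.lower().endswith("\\control\\lsa"):
            data = _auth_packages_data(values)
            if data:
                restored = decode_reg_multi_sz(data)
    return restored == ["msv1_0"] and deleted == set(safeboot_anomalies(keys_before))


if __name__ == "__main__":
    before = parse_registry_dump(DUMP_BEFORE_FIX)
    after = parse_registry_dump(DUMP_AFTER_FIX)
    print("LSA anomalies before:", lsa_auth_package_anomalies(before))
    print("SafeBoot anomalies before:", safeboot_anomalies(before))
    print("regfix.reg restores defaults:", check_regfix(REGFIX, before))
    print("anomalies after:", lsa_auth_package_anomalies(after), safeboot_anomalies(after))
```

The hex(7) decoding is the part worth checking by hand when someone hands you a .reg file: REGEDIT4 files store REG_MULTI_SZ as ANSI bytes, so 6d,73,76,31,5f,30,00,00 is "msv1_0" followed by the string terminator and the list terminator, i.e. the default single entry. A "Windows Registry Editor Version 5.00" file would instead carry UTF-16LE bytes, which this decoder does not handle.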

#12 andyhof

andyhof
  • Topic Starter

  • Members
  • 8 posts

Posted 21 August 2008 - 10:36 PM

Never found:
C:\WINDOWS\system32\khfETnkJ.dll
C:\Windows\Sys1.exe

Never found:
O4 - HKLM\..\Run: [Sys1.exe] C:\Windows\Sys1.exe
using Hijack This.



• The log of DrWeb:
A0047520.exe;C:\System Volume Information\_restore{B9E2BB15-B458-4D49-B6D4-8E74CDCA04F2}\RP211;Tool.Prockill;Incurable.Moved.;
A0047522.exe;C:\System Volume Information\_restore{B9E2BB15-B458-4D49-B6D4-8E74CDCA04F2}\RP211;Tool.ShutDown.11;Incurable.Moved.;


• The log of GMER:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-21 23:11:37
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF4901F20]
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.14 ----


• The findings of File Find Information:
nothing found

• A fresh DSS log:
Deckard's System Scanner v20071014.68
Run by 13 madison on 2008-08-21 23:20:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as 13 madison.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:20:53, on 8/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\13 madison\Desktop\dss.exe
C:\DOCUME~1\13MADI~1\Desktop\13 madison.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe -startup_folder
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {8DF3C332-F00E-4E3B-A990-51BF8372CEC4} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1200590081043
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - http://download.dinerdash.com/play/game/di...tg.1.0.0.32.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 6227 bytes

-- Files created between 2008-07-21 and 2008-08-21 -----------------------------

2008-08-20 23:38:43 0 d-------- C:\Documents and Settings\13 madison\DoctorWeb
2008-08-20 22:38:43 0 dr-h----- C:\Documents and Settings\13 madison\Recent
2008-08-19 17:26:23 0 d-------- C:\fsaua.data
2008-08-13 22:36:46 0 d-------- C:\WINDOWS\Sun
2008-08-13 22:27:30 0 d-------- C:\Program Files\Trend Micro
2008-08-04 23:32:10 0 d-------- C:\Documents and Settings\13 madison\Application Data\Malwarebytes
2008-08-04 23:32:04 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 23:32:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 19:07:14 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 12:57:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 23:38:06 0 d-------- C:\Program Files\Java
2008-08-01 23:38:02 0 d-------- C:\Program Files\Common Files\Java
2008-08-01 23:35:01 0 d-------- C:\Documents and Settings\13 madison\Application Data\Sun
2008-08-01 17:06:04 2002 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-31 23:02:37 1152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-31 23:00:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-31 22:54:07 0 d--h----- C:\$AVG8.VAULT$
2008-07-31 20:30:51 0 d-------- C:\Program Files\CCleaner
2008-07-31 20:29:27 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-31 20:29:03 0 d-------- C:\Program Files\AVG
2008-07-31 20:29:03 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-31 16:54:47 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-31 16:54:21 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-31 16:54:21 0 d-------- C:\Documents and Settings\13 madison\Application Data\SUPERAntiSpyware.com
2008-07-30 22:31:17 0 d-------- C:\WINDOWS\pss
2008-07-30 19:32:18 235852 --ahs---- C:\WINDOWS\system32\JknTEfhk.ini2
2008-07-30 19:20:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 13:52:51 0 d-------- C:\Program Files\Common Files\AOL
2008-07-24 00:21:23 0 d-------- C:\Documents and Settings\13 madison\Application Data\Apple Computer
2008-07-24 00:18:54 0 d-------- C:\Program Files\QuickTime
2008-07-24 00:18:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-24 00:18:02 0 d------c- C:\WINDOWS\system32\DRVSTORE


-- Find3M Report ---------------------------------------------------------------

2008-08-14 23:45:31 0 d-------- C:\Program Files\NCH Swift Sound
2008-08-14 03:06:46 0 d-------- C:\Program Files\Messenger
2008-08-01 23:38:02 0 d-------- C:\Program Files\Common Files
2008-07-30 22:42:01 0 d-------- C:\Program Files\FLAC
2008-07-24 01:18:04 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-13 17:39:30 0 d-------- C:\Documents and Settings\13 madison\Application Data\PlayFirst
2008-07-13 17:34:04 0 d-------- C:\Program Files\BFG
2008-07-13 17:28:58 0 d-------- C:\Documents and Settings\13 madison\Application Data\WinRAR
2008-07-11 22:57:21 0 d-------- C:\Program Files\Microsoft Picture It! 10
2008-07-09 22:36:49 0 d-------- C:\Program Files\Common Files\Ahead
2008-06-26 13:52:32 16 --a------ C:\WINDOWS\popcinfot.dat
2008-06-26 13:34:53 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-25 00:55:20 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-16 23:47:20 62009 --a------ C:\WINDOWS\system32\wpfb_nv4_disp.dll <Not Verified; Portrait Displays, Inc.; Pivot Sofware>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [08/15/2001 17:50]
"Smapp"="Smtray.exe" [05/31/2001 22:32 C:\WINDOWS\system32\SMTray.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 23:16]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/31/2008 20:29]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/18/2008 18:53]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [07/24/2001 17:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [02/09/2007 12:17]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 16:57]
"DT ACR"="C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe" [09/20/2007 11:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL,avgrsstx.dll,

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ITMRTSVC"=2 (0x2)
"iPod Service"=3 (0x3)
"CaCCProvSP"=3 (0x3)
"Bonjour Service"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-08-21 23:21:24 ------------

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,722 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 August 2008 - 01:35 AM

Everything looks good.

Please remove dss.exe from your computer.

Your log looks clean. But your computer is still very much susceptible, in particular to hacking and intrusion from outside. I strongly advise you to install a firewall before surfing. The Windows firewall is not good enough. The Windows firewall provides protection from outside threats as long as the malware is not on your system. When the malware gets to your computer the Windows firewall is no longer effective. You will find more information on firewalls below.


In order to reduce the possible infection in the future, you may follow the following steps:
  • First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.
  • Change the folder options back to default if they had to be changed in order to show the hidden files and folders during the fixes we made.

  • Sometimes the Privacy, Security and Web settings are altered by the malware. Check and if needed reset them to default:
    • Open Internet explorer > Tools menu > Internet options.
    • Under privacy tab press default.
    • Under security tab press default.
  • Update your antivirus and antispyware software definitions and run the programs on a regular basis.

  • Use a firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    Click for more information on: Understanding and Using Firewalls


    There are several good free programs available like:
    Sunbelt-Kerio
    Comodo Firewall Pro
    Online Armor Free edition

  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has recently released Service Pack 3, which has more features and is more secure than Service Pack 2. You may update your Windows via Windows Update.

    You can update by going to Start > All Programs > Windows Update > click on the Custom button.

  • Install Javacools© SpywareBlaster -
    SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs. You can find more information and a download link here.

Enjoy surfing!

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,722 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:48 PM

Posted 22 August 2008 - 10:29 PM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
