Discussion Starter #1
Deckard's System Scanner v20071014.68
Run by Blakus on 2007-12-03 16:26:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
69: 2007-12-03 05:26:59 UTC - RP87 - Deckard's System Scanner Restore Point
68: 2007-12-02 23:13:57 UTC - RP86 - Installed ESET NOD32 Antivirus
67: 2007-12-02 04:18:13 UTC - RP85 - Installed Guitar Hero III.
66: 2007-12-02 04:16:11 UTC - RP84 - Installed Windows Installer KB893803v2.
65: 2007-12-01 20:29:33 UTC - RP83 - System Checkpoint


-- First Restore Point --
1: 2007-09-04 09:04:52 UTC - RP19 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Blakus.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:58 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Blakus\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Blakus.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: MSVPS System - {5EF40AC5-1BBE-4436-A9E3-F129C0D605D8} - C:\WINDOWS\vipextoxn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: The voipwet - {D4170A6E-8CE3-444B-ACA4-B3A0AF12C55C} - C:\WINDOWS\voipwet.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3D7C3EF-4BF0-4CA9-B62E-0056D52251A6}: NameServer = 203.24.100.125,203.123.69.15
O21 - SSODL: jetctrl - {EBB15BD4-7805-40BB-8F34-7B368493556F} - C:\WINDOWS\jetctrl.dll
O21 - SSODL: kopmet - {0654A338-36EE-4ADC-AEE7-C0C05792E4B5} - C:\WINDOWS\kopmet.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 2907 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 videX32 - c:\windows\system32\drivers\videx32.sys (file missing)
S3 U81xbus (LGE U8XXX driver (WDM)) - c:\windows\system32\drivers\u81xbus.sys <Not Verified; MCCI; LG Electronics U8110>
S3 U81xmdfl (LGE U8XXX USB WMC Modem Filter) - c:\windows\system32\drivers\u81xmdfl.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem Filter Driver>
S3 U81xmdm (LGE U8XXX USB WMC Modem Driver) - c:\windows\system32\drivers\u81xmdm.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem>
S3 U81xmgmt (LGE U8XXX USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\u81xmgmt.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Device Management>
S3 U81xobex (LGE U8XXX USB WMC OBEX Interface) - c:\windows\system32\drivers\u81xobex.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC OBEX Interface>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aspnet_admin (ASP.NET Admin Service) - c:\windows\microsoft.net\framework\v2.0.40607\aspnet_admin.exe <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: System Interrupt Controller
Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Manufacturer:
Name: System Interrupt Controller
PNP Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: ADMtek AN983 10/100 PCI Adapter
Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_12161113&REV_11\4&71586A9&0&2899
Manufacturer: ADMtek Incorporated
Name: ADMtek AN983 10/100 PCI Adapter
PNP Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_12161113&REV_11\4&71586A9&0&2899
Service: AN983


-- Scheduled Tasks -------------------------------------------------------------

2007-12-03 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2007-12-03 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2007-12-03 10:01:38 350 --a------ C:\WINDOWS\Tasks\At11.job
2007-12-03 08:01:41 350 --a------ C:\WINDOWS\Tasks\At9.job
2007-12-02 20:01:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2007-12-02 19:01:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2007-12-02 18:01:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2007-12-02 17:01:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2007-12-02 07:01:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2007-12-02 06:01:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2007-12-02 05:01:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2007-12-02 04:01:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2007-12-02 03:01:01 350 --a------ C:\WINDOWS\Tasks\At4.job
2007-12-02 02:01:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2007-12-02 01:01:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2007-12-02 00:01:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2007-12-01 23:01:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2007-12-01 22:01:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2007-12-01 21:01:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2007-11-30 11:01:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2007-11-30 09:01:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2007-11-29 14:01:43 350 --a------ C:\WINDOWS\Tasks\At15.job
2007-11-28 13:01:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2007-11-28 12:01:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2007-11-25 04:08:15 280 --a------ C:\WINDOWS\Tasks\LifeChatTask.job


-- Files created between 2007-11-03 and 2007-12-03 -----------------------------

2007-12-03 16:27:52 0 d-------- C:\Program Files\Trend Micro
2007-12-03 16:21:56 0 d-------- C:\ie-spyad_zo
2007-12-03 16:19:02 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-12-03 16:18:53 0 d-------- C:\Program Files\SpywareBlaster
2007-12-03 10:13:59 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-12-03 09:43:01 0 d-------- C:\WINDOWS\privacy_danger
2007-12-03 09:41:53 0 d-------- C:\Program Files\EsetOnlineScanner
2007-12-02 18:43:36 192512 --a------ C:\WINDOWS\voipwet.dll <Not Verified; ; voipwet Module>
2007-12-02 18:43:36 307200 --a------ C:\WINDOWS\vipextoxn.dll <Not Verified; ; vipextoxn>
2007-12-02 18:43:36 147456 --a------ C:\WINDOWS\nretcip.exe
2007-12-02 18:43:36 311296 --a------ C:\WINDOWS\kopmet.dll
2007-12-02 18:43:36 258048 --a------ C:\WINDOWS\jetctrl.dll <Not Verified; ; jetctrl>
2007-12-02 18:37:49 0 d-------- C:\Program Files\RichVideoCodec
2007-12-02 18:22:26 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-02 18:22:24 0 d-------- C:\Fraps
2007-12-02 15:32:07 0 dr-h----- C:\Documents and Settings\Blakus\Application Data\SecuROM
2007-12-02 15:18:29 0 d-------- C:\Program Files\Aspyr
2007-11-29 18:31:23 0 d-------- C:\Program Files\Yahoo!
2007-11-25 00:42:00 0 d-------- C:\Program Files\Microsoft LifeChat
2007-11-15 17:23:11 0 d-------- C:\Program Files\Ventrilo
2007-11-15 17:23:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 11:11:49 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2007-11-11 11:10:42 0 dr------- C:\Documents and Settings\NetworkService\Favorites


-- Find3M Report ---------------------------------------------------------------

2007-11-24 10:32:51 0 d-------- C:\Documents and Settings\Blakus\Application Data\teamspeak2
2007-11-20 12:50:20 0 d-------- C:\Program Files\Steam
2007-11-15 17:23:00 0 d-------- C:\Program Files\Common Files
2007-11-13 09:15:51 0 d-------- C:\Program Files\VIA
2007-11-13 09:13:44 0 d-------- C:\Program Files\Common Files\AOL
2007-11-01 16:44:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-01 16:44:41 0 d-------- C:\Program Files\LG PC Suite
2007-11-01 16:40:45 0 d-------- C:\Documents and Settings\Blakus\Application Data\LG Electronics
2007-10-29 16:03:40 0 d-------- C:\Program Files\Warcraft III
2007-10-27 19:07:25 75518 --a------ C:\WINDOWS\War3Unin.dat
2007-10-27 19:00:30 2829 --a------ C:\WINDOWS\War3Unin.pif
2007-10-27 19:00:30 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-10-26 20:56:50 0 d-------- C:\Documents and Settings\Blakus\Application Data\WinRAR
2007-10-24 22:51:30 0 d-------- C:\Program Files\Microsoft Games
2007-10-24 17:10:38 0 d-------- C:\Program Files\Starcraft
2007-10-24 15:47:03 35382 --a------ C:\WINDOWS\scunin.dat
2007-10-24 15:47:02 967 --a------ C:\WINDOWS\ScUnin.pif
2007-10-24 15:47:02 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-10-12 22:09:55 0 d-------- C:\Documents and Settings\Blakus\Application Data\Viewpoint
2007-10-12 21:20:38 0 d-------- C:\Program Files\Viewpoint
2007-10-03 06:30:51 0 d-------- C:\Documents and Settings\Blakus\Application Data\vlc
2007-10-03 04:38:24 0 d-------- C:\Program Files\VideoLAN
2007-09-30 02:12:26 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EF40AC5-1BBE-4436-A9E3-F129C0D605D8}]
12/02/2007 02:05 AM 307200 --a------ C:\WINDOWS\vipextoxn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 09:43 AM]
"nwiz"="nwiz.exe" [06/29/2007 09:43 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/29/2007 09:43 AM]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [11/22/2006 02:50 PM]
"LifeChat"="C:\Program Files\Microsoft LifeChat\LifeChat.exe" [01/26/2007 02:31 PM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [11/14/2007 03:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 09:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"jetctrl"= {EBB15BD4-7805-40BB-8F34-7B368493556F} - C:\WINDOWS\jetctrl.dll [12/02/2007 02:05 AM 258048]
"kopmet"= {0654A338-36EE-4ADC-AEE7-C0C05792E4B5} - C:\WINDOWS\kopmet.dll [12/02/2007 02:05 AM 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
"C:\Program Files\Creative\Shared Files\CamTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
"C:\Program Files\Microsoft LifeChat\LifeChat.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent




-- End of Deckard's System Scanner: finished at 2007-12-03 16:28:37 ------------
 

Security Team (ret.)
Download SDFix and save it to your desktop.


Please then reboot your computer in Safe Mode by doing the following:
Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.

It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
Press any Key and it will restart the PC.

Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.


=========================================

This will help to identify any malware on your system.
Please download Combofix from any of these locations:

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/Beta/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/Beta/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Caution... Never run ComboFix without being supervised by a security analyst.
 