[Resolved]Keylogged?


8 replies to this topic

#1 toed (New Member, 4 posts)

Posted 29 July 2007 - 07:20 AM

I was visiting some WoW forum and I visited a link posted on it. Then there were people detecting a pop-up trojan attempt (KKvr.sigsign32.dll - malicious data entry unit) when opening the link. However, I didn't pick up on anything. I don't have the best protection so I wouldn't know, and I'd like to be safe. Here's my log and I'd appreciate any help I can get.

Logfile of HijackThis v1.99.1
Scan saved at 9:10:32 AM, on 7/29/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)



#2 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 29 July 2007 - 11:49 PM

Hi toed,

Can't see anything bad in your HijackThis log, but we'll do a couple of checks to make sure your machine is clean.

When you visited the link, did anything occur - like a UAC prompt? If so, tell me whether you approved the prompt and any other information you think might be relevant.

You have restrictions on your Internet Explorer control panel settings. These are often put in place by protection programs but can also be done by malware. Let me know whether you think these restrictions should be in place, and if you wish to remove them.

Download Dr.WEB CureIt to your desktop from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Right-click cureit.exe and choose Run as administrator to start the program. Allow the UAC prompt.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and remove the check mark from Heuristic analysis
  • Choose the Actions tab and next to Infected objects select Move, then press OK to close the settings box.
  • Select all hard drives to be scanned by clicking on them - choose all drives - a red dot confirms they will be scanned
  • Click the green arrow on the right to start the scan
  • Click Yes to all if it asks if you want to move a file
  • Click File-> Save report list and save the report to your desktop
  • Close Dr.Web Cureit and reboot your computer (this is important as files may be moved/deleted during reboot)
Download Deckard's System Scanner (DSS)
  • Close all applications and windows.
  • Right-click on dss.exe and select Run as administrator to start the program, then follow the prompts.
  • When the scan is complete, two text files will open - main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply
Once complete, please post the Dr Web log and both DSS logs; you won't need to produce a new HijackThis log as DSS produces one for you.
ASAP & UNITE Member
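The by-eye pass silver describes over the HijackThis log, written out as rules, as an added Python example that is neither from the thread nor from HijackThis: it parses the Rn/On entry format and flags what a helper would ask about (the O6 policy restriction, the unrecognised LSP, services with no owner or an unresolved path). The sample lines are taken from the log posted above; the trusted-host allowlist and the path heuristics are assumptions.

```python
"""Rule-based triage of HijackThis 1.99.1 log entries (added example, not code
from the thread or from HijackThis; allowlists and path heuristics are assumptions)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the thread (the forum
# software had already shortened the URLs to "..." in the original post).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")  # "O23 - Service: ..."
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
SUSPECT_PATH_RE = re.compile(r"\\(appdata|temp|local settings)\\", re.I)  # assumed heuristic
LOOPBACK = {"127.0.0.1", "::1"}
TRUSTED_URL_HOSTS = ("go.microsoft.",)  # IE defaults seen in the posted log (assumed allowlist)

@dataclass(frozen=True)
class Finding:
    code: str    # section code such as "O23"
    body: str    # text after "Onn - "
    reason: str  # why a helper should look closer

def parse_entries(log_text):
    """Return (code, body) pairs for the Rn/On lines; headers and process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def run_target(body):
    """Executable path from an O4 body: '[name] "path with spaces" args' or '[name] path args'."""
    rest = body.split("]", 1)[1].strip() if "]" in body else ""
    if rest.startswith('"'):
        return rest.split('"')[1]
    return rest.split()[0] if rest else ""

def triage_entry(code, body):
    """Return a reason to look closer, or None when the entry looks routine."""
    low = body.lower()
    if code.startswith("R"):
        # "key,value = URL": an empty value is a default; a foreign host is worth a look.
        m = URL_HOST_RE.search(body.split("=", 1)[1] if "=" in body else "")
        if m and not m.group(1).lower().startswith(TRUSTED_URL_HOSTS):
            return "IE start/search page points at an unexpected host"
    elif code == "O1":
        # "Hosts: <ip> <name>": anything except loopback -> localhost is a redirect.
        parts = body.split(":", 1)[1].split() if ":" in body else []
        if len(parts) >= 2 and not (parts[0] in LOOPBACK and parts[1].lower() == "localhost"):
            return "hosts file maps a name away from its normal address"
    elif code == "O4":
        if SUSPECT_PATH_RE.search(run_target(body)):
            return "autostart binary runs from a profile or temp folder"
    elif code == "O6":
        # The thread's case: restrictions may come from a protection program or from malware.
        return "IE policy restriction present; confirm who set it"
    elif code == "O10" and low.startswith("unknown file in winsock lsp"):
        return "unrecognised Winsock LSP; verify the DLL is a signed OS component"
    elif code == "O23":
        reasons = []
        if "unknown owner" in low:
            reasons.append("no vendor information")
        if "(file missing)" in low:
            reasons.append("binary path could not be resolved")
        if reasons:
            return "service: " + ", ".join(reasons)
    return None

def triage(log_text):
    """Run every entry through the rules; findings come back in log order."""
    findings = []
    for code, body in parse_entries(log_text):
        reason = triage_entry(code, body)
        if reason:
            findings.append(Finding(code, body, reason))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:>4}  {f.reason}\n      {f.body}")
```

A flag is a question for the helper, not a verdict: the posted log reports "Platform: Unknown Windows", and the services it marks "(file missing)" sit behind unexpanded %windir% paths, which is why silver still judged the log clean.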

#3 toed (New Member, 4 posts)

Posted 30 July 2007 - 10:49 AM

Hello _silver_,

First off, I'd like to thank you for the assistance. When I visited the link, I do not recall getting any popups or any kind of prompt with Firefox. I used DrWeb's Cureit and everything came up clean.

Here's the DSS log.

Deckard's System Scanner v20070729.57
Run by Guolin Wang on 2007-07-30 at 12:40:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
16: 2007-07-29 03:36:04 UTC - RP147 - Removed Halo 2 for Windows Vista
15: 2007-07-29 03:18:10 UTC - RP146 - Removed LIVE gaming on Windows Runtime Version 1.0.6027
14: 2007-07-29 03:11:11 UTC - RP145 - Restore Operation
13: 2007-07-28 11:45:39 UTC - RP144 - Removed ATLAS Translation Double Pack V13.0 Trial Version
12: 2007-07-28 11:21:06 UTC - RP143 - Removed Microsoft AppLocale


-- First Restore Point --
1: 2007-07-28 05:42:14 UTC - RP128 - ???????? PRODUCT_NAME


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-07-30 12:41:24
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Windows\System32\mobsync.exe
C:\Users\Guolin Wang\Desktop\utorrent.exe
C:\Windows\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Guolin Wang\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKEY_LOCAL_MACHINE\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\system32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 AvgWFP (AVG7 Firewall Driver x86) - c:\windows\system32\drivers\avgwfp.sys
R3 pgfilter - \??\c:\program files\peerguardian2\pgfilter.sys

S3 ENTECH - \??\c:\windows\system32\drivers\entech.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-07-30 06:05:33 430 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{E76537CB-C56F-4DFE-9E6F-166AF3A2B80A}.job


-- Files created between 2007-06-30 and 2007-07-30 -----------------------------

2007-07-30 11:11:33 0 d-------- C:\Users\Guolin Wang\DoctorWeb
2007-07-29 20:49:34 2379 --a------ C:\Windows\mozver.dat
2007-07-28 22:12:22 0 d-------- C:\Users\Guolin Wang\.housecall6.6
2007-07-25 15:21:01 0 d-------- C:\Windows\Internet Logs
2007-07-24 03:59:00 0 d-------- C:\Users\All Users\Microsoft Games


-- Find3M Report ---------------------------------------------------------------

2007-07-30 12:41:33 0 d-------- C:\Program Files\PeerGuardian2
2007-07-30 12:41:32 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\uTorrent
2007-07-30 11:04:33 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\AVG7
2007-07-30 08:56:00 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\LimeWire
2007-07-29 22:59:30 0 d-------- C:\Program Files\Warcraft III
2007-07-28 23:37:26 0 d-------- C:\Program Files\Microsoft Games
2007-07-28 23:13:20 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\Winamp
2007-07-28 23:13:20 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\Ventrilo
2007-07-28 02:53:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-28 01:42:06 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-27 22:59:08 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\Microsoft Game Studios
2007-07-23 15:12:54 0 d-------- C:\Program Files\World of Warcraft
2007-07-23 15:12:30 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\WowAceUpdater
2007-07-23 02:19:46 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-07-22 07:45:40 24227 --a------ C:\Users\Guolin Wang\AppData\Roaming\UserTile.png
2007-07-16 18:11:18 0 d-------- C:\Program Files\WC3Banlist
2007-07-11 11:54:45 0 d-------- C:\Program Files\Windows Mail
2007-07-09 21:33:02 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\WinRAR
2007-07-04 00:04:17 0 d-------- C:\Program Files\DivX
2007-06-29 14:53:59 0 d-------- C:\Program Files\Analog Devices
2007-06-15 03:08:23 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\Sun
2007-06-11 16:26:10 0 d-------- C:\Program Files\LimeWire
2007-06-11 16:26:03 0 d-------- C:\Program Files\Java
2007-06-11 16:24:53 0 d-------- C:\Program Files\Common Files
2007-06-11 16:24:53 0 d-------- C:\Program Files\Common Files\Java
2007-06-11 16:17:36 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\Sony
2007-06-11 16:08:39 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\Publish Providers
2007-06-11 15:29:08 0 d-------- C:\Program Files\Vstplugins
2007-06-11 15:28:47 0 d-------- C:\Program Files\Sony
2007-06-11 15:27:13 0 d-------- C:\Program Files\Sony Setup
2007-06-09 16:47:35 0 d-------- C:\Users\Guolin Wang\AppData\Roaming\Apple Computer
2007-06-09 16:45:42 0 d-------- C:\Program Files\QuickTime
2007-06-07 21:15:56 530 --a------ C:\Windows\eReg.dat
2007-06-05 18:40:14 0 d-------- C:\Program Files\Common Files\Invictus
2007-06-05 18:37:30 0 d-------- C:\Program Files\DAEMON Tools
2007-05-31 09:28:26 0 d-------- C:\Program Files\Starcraft
2007-05-30 18:16:42 33926 --a------ C:\Windows\scunin.dat
2007-05-30 18:16:41 967 --a------ C:\Windows\ScUnin.pif
2007-05-30 18:16:41 70656 --a------ C:\Windows\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-05-21 16:34:51 76604 --a------ C:\Windows\War3Unin.dat
2007-05-21 16:30:57 2829 --a------ C:\Windows\War3Unin.pif
2007-05-21 16:30:57 139264 --a------ C:\Windows\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-05-21 15:37:31 335 --a------ C:\Windows\nsreg.dat
2007-05-15 17:40:07 0 -rahs---- C:\MSDOS.SYS
2007-05-15 17:40:07 0 -rahs---- C:\IO.SYS
2007-05-14 20:09:00 262144 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-05-14 20:09:00 86016 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [05/14/2007 03:25 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [05/23/2007 10:09 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [04/26/2007 04:17 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [04/26/2007 04:17 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [04/26/2007 04:17 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 09:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 05/23/2007 10:10 AM 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b11ec4a-024e-11dc-9d18-806e6f6e6963}]
AutoRun\command- D:\autoplay.exe

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2007-07-30 at 12:41:59 ---------

#4 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 30 July 2007 - 07:17 PM

Hi,

Please also post the DSS extra.txt log

You should find the original extra.txt located in this folder or a subfolder under it named with the date and time of the scan:
C:\Deckard\System Scanner

If required, you can produce another one as follows:
  • Make sure DSS.exe is on your Desktop
  • Press the Start orb and copy/paste the following command into the search box and press enter:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear, click the Check All button then press Scan!
  • The extra report will be minimized so please look for its window on the taskbar

Edited by _silver_, 30 July 2007 - 07:20 PM.

ASAP & UNITE Member

#5 toed (New Member, 4 posts)

Posted 30 July 2007 - 10:03 PM

Sorry about that. Couldn't find the extra.txt at first.

Here it is.
Deckard's System Scanner v20070729.57
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Basic (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 2045.94 MiB / 847.72 MiB
Pagefile Memory (total/avail): 4312.9 MiB / 3293.69 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1945.05 MiB

C: is Fixed (NTFS) - 465.77 GiB total, 363.38 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.476 v7.5.476 (GRISOFT)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Groove Games\\LASR\\LASR.exe"="C:\\Program Files\\Groove Games\\LASR\\LASR.exe:*:Enabled:LASR"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Guolin Wang\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GUOLINWANG-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Guolin Wang
LOCALAPPDATA=C:\Users\Guolin Wang\AppData\Local
LOGONSERVER=\\GUOLINWANG-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\GUOLIN~1\AppData\Local\Temp
TMP=C:\Users\GUOLIN~1\AppData\Local\Temp
USERDOMAIN=GuolinWang-PC
USERNAME=Guolin Wang
USERPROFILE=C:\Users\Guolin Wang
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Guolin Wang (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Quake\ezuninstall.exe"
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins001.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
InterVideo WinDVD 5 --> "C:\Program Files\InstallShield Installation Information\{1B399A41-C1D0-40A2-9E4F-095868EFAF01}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
LimeWire PRO 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.5) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Sony Media Manager 2.2 --> MsiExec.exe /X{878D2EB2-2D55-42A9-955E-1E08F28529FD}
Sony Vegas 7.0 --> MsiExec.exe /X{DFB951D6-4270-42D8-B4B7-AA4B01911DC3}
SoundMAX --> C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe -runfromtemp -l0x0009 -removeonly
Starcraft --> C:\Windows\SCunin.exe C:\Windows\SCunin.dat
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Warcraft III --> C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Warcraft III: All Products --> C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
WC3Banlist --> "C:\Program Files\WC3Banlist\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinPcap 4.0 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe


-- End of Deckard's System Scanner: finished at 2007-07-30 at 12:41:59 ---------

#6 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 30 July 2007 - 10:15 PM

Hi toed,

Some uninstalls to consider; you can remove all these by opening Start orb->Programs and Features:

Your Java is outdated and is now a security risk
Please uninstall J2SE Runtime Environment 5.0 Update 3
Download and install the newest version of Java Runtime Environment (JRE) (version 6 update 2), from here:
http://java.sun.com/...loads/index.jsp

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Player or Media Player Classic.

You have LimeWire, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove it, but of course the choice is yours.

There is no sign of malware on your system so I think your machine is clean :)

Here are some tips to help you keep it that way:

Please check your antivirus program is up to date. From your log it looks like you have AVG Antivirus installed; this is a good program but it is only as good as its last update. Please check that it is set to automatically update virus definitions.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Spywareblaster is a free program which prevents the download and installation of Internet Explorer ActiveX based malware by immunizing your system against it. You can download Spywareblaster from here and a tutorial to help you get started is available here.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Find out more about how to prevent infection in the future:
http://forum.malware...pic.php?p=33687

Please post back to let me know you have read this, and if there are any further issues.
ASAP & UNITE Member

#7 toed (New Member, 4 posts)

Posted 31 July 2007 - 03:18 PM

Thanks _silver. I appreciate it. Take care!

#8 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 31 July 2007 - 07:18 PM

You're very welcome and best of luck!
ASAP & UNITE Member

#9 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 31 July 2007 - 07:18 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
ASAP & UNITE Member
