Webhancer And Virtumonde


  • This topic is locked
2 replies to this topic

#1 Swimboy

  • Members
  • 1 posts

Posted 12 May 2008 - 05:32 PM

Running Ad-aware and Spybot Search and Destroy identified and attempted to remove both WebHancer and Virtumonde. However, it appears that they have been unsuccessful. Every time I reboot and rescan, one or both reappear.

Spybot blocks attempts to re-infect (every second or two), but internet access is flaky nonetheless. I noticed during Ad-aware's scan that it is scanning multiple entries in the hosts file (not the 127.0.0.1 entries that Spybot inoculation puts there, but what appear to be phishing entries; i.e. comerica.com, firstusabank.com).

My hosts file is clean, and the registry entry still points to c:\windows\system32\drivers\etc; but it looks like somewhere, something is redirecting DNS lookups to some other hosts file.

Here are my logs:

Deckard's System Scanner v20071014.68
Run by mark on 2008-05-12 17:52:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
93: 2008-05-12 21:52:15 UTC - RP124 - Deckard's System Scanner Restore Point
92: 2008-05-11 19:49:27 UTC - RP123 - System Checkpoint
91: 2008-05-10 19:02:44 UTC - RP122 - System Checkpoint
90: 2008-05-09 18:10:02 UTC - RP121 - System Checkpoint
89: 2008-05-08 16:25:43 UTC - RP120 - System Checkpoint


-- First Restore Point --
1: 2008-05-04 17:20:12 UTC - RP32 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as mark.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:12 PM, on 05/12/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Active-Charge\Active-Charge.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\dss.exe
C:\HJT\mark.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {0AB866DF-7D65-4FEE-ACAB-AC1211803335} - C:\WINDOWS\system32\tuvVlJYR.dll
O2 - BHO: {137773f3-5b07-018a-4b34-01b026ff0e74} - {47e0ff62-0b10-43b4-a810-70b53f377731} - C:\WINDOWS\system32\fvpkysfx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56949BD2-15CC-40F4-8F29-EB2C1F498D04} - C:\WINDOWS\system32\jkkHXNhI.dll (file missing)
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\system32\jkkLFurs.dll (file missing)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\yayvtsrP.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [2c3b76ef] rundll32.exe "C:\WINDOWS\system32\oxyrcaxi.dll",b
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: DigiWin.lnk = C:\Program Files\DigiGate\DigiWin.exe
O4 - Startup: PCCharge Payment Server.lnk = C:\Program Files\Active-Charge\Active-Charge.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.penskerentalagent.com
O15 - Trusted Zone: *.pensketruckleasing.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} (LogMeIn Rescue Applet Downloader) - https://secure.logmeinrescue.com/Customer/x...eDownloader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} (CLoader Object) - http://www.winifixer.net/tools/malwareremover.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rowpm.local
O17 - HKLM\Software\..\Telephony: DomainName = rowpm.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rowpm.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rowpm.local
O20 - Winlogon Notify: jkkLFurs - C:\WINDOWS\
O20 - Winlogon Notify: yayvtsrP - C:\WINDOWS\SYSTEM32\yayvtsrP.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 6961 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 AW_HOST - c:\windows\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere>
R3 HypSerPort (Hypercom Serial port driver for L4100) - c:\windows\system32\drivers\hypserport.sys
R3 RS232ToUsb (RS232ToUsb.Sys Hypercom RS232 to USB driver) - c:\windows\system32\drivers\rs232tousb.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 MagEpNt - c:\windows\system32\drivers\magepnt.sys <Not Verified; MagTek; MagEpNt Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe <Not Verified; Symantec Corporation; pcAnywhere>
R2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-12 and 2008-05-12 -----------------------------

2008-05-12 17:39:43 0 d-------- C:\HJT
2008-05-12 16:49:22 2656 --ahs---- C:\WINDOWS\system32\RYJlVvut.ini2
2008-05-12 16:49:15 314480 --a------ C:\WINDOWS\system32\tuvVlJYR.dll
2008-05-12 15:27:52 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 15:19:57 1710 --ahs---- C:\WINDOWS\system32\ccKjkUtv.ini2
2008-05-11 13:34:00 98912 --a------ C:\WINDOWS\system32\fvpkysfx.dll
2008-05-11 13:31:00 83024 --a------ C:\WINDOWS\system32\jvhmirlw.dll
2008-05-11 13:28:56 90208 --a------ C:\WINDOWS\system32\ctrkbyhi.dll
2008-05-11 13:28:00 1037072 --ahs---- C:\WINDOWS\system32\fLmlTvut.ini2
2008-05-11 11:51:23 1035720 --ahs---- C:\WINDOWS\system32\xFPWwGgh.ini2
2008-05-11 10:52:55 98912 --a------ C:\WINDOWS\system32\lxjqcgij.dll
2008-05-11 10:52:46 90208 --a------ C:\WINDOWS\system32\byclhwax.dll
2008-05-11 10:52:01 1036069 --ahs---- C:\WINDOWS\system32\AHQBaccf.ini2
2008-05-11 10:47:07 32768 --a------ C:\WINDOWS\system32\sockins32.dll <Not Verified; ThinkPad; ThinkPad repl>
2008-05-11 10:47:02 0 d-------- C:\Program Files\QdrPack
2008-05-11 10:46:52 25728 --a------ C:\WINDOWS\system32\yayvtsrP.dll
2008-05-11 10:46:51 0 d-------- C:\Program Files\QdrModule
2008-05-11 10:46:51 0 d-------- C:\Program Files\QdrDrive
2008-05-11 10:46:51 0 d-------- C:\Program Files\ISM
2008-05-11 10:46:49 0 d-------- C:\WINDOWS\system32\dFrnx06
2008-05-06 12:02:10 0 d-------- C:\WINDOWS\system32\Dell
2008-05-06 12:02:10 0 d-------- C:\Program Files\Dell
2008-05-05 14:37:29 0 d-------- C:\Program Files\Lavasoft
2008-05-05 14:37:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 14:36:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 13:50:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-04 13:23:53 0 d-------- C:\Program Files\SpyMaxx
2008-05-04 13:22:21 25344 --a------ C:\WINDOWS\voiceip.dll
2008-05-04 13:22:20 24576 --a------ C:\WINDOWS\swin32.dll
2008-05-04 13:22:20 30208 --a------ C:\WINDOWS\mssvr.exe
2008-05-04 13:22:20 18944 --a------ C:\WINDOWS\mspphe.dll
2008-05-04 13:22:20 8704 --a------ C:\WINDOWS\bokja.exe
2008-05-04 13:22:20 31488 --a------ C:\WINDOWS\bjam.dll
2008-05-04 13:22:14 18432 --a------ C:\WINDOWS\saiemod.dll
2008-05-04 13:22:13 25088 --a------ C:\WINDOWS\msapasrc.dll
2008-05-04 13:22:13 29440 --a------ C:\WINDOWS\msa64chk.dll
2008-05-04 13:22:12 11264 --a------ C:\WINDOWS\shdocpl.dll
2008-05-04 13:22:11 28928 --a------ C:\WINDOWS\winsb.dll
2008-05-04 13:22:11 24576 --a------ C:\WINDOWS\shdocpe.dll
2008-05-04 13:22:11 20736 --a------ C:\WINDOWS\ntnut.exe
2008-05-04 13:22:10 17920 --a------ C:\WINDOWS\browserad.dll
2008-05-04 13:22:10 32256 --a------ C:\WINDOWS\aviwrap32.dll
2008-05-04 13:22:10 16896 --a------ C:\WINDOWS\avisynthex32.dll
2008-05-04 13:22:09 14080 --a------ C:\WINDOWS\avifile32.dll
2008-05-04 13:22:09 19712 --a------ C:\WINDOWS\autodisc32.dll
2008-05-04 13:22:09 24320 --a------ C:\WINDOWS\audiosrv32.dll
2008-05-04 13:22:09 30720 --a------ C:\WINDOWS\ati2dvag32.dll
2008-05-04 13:22:09 12032 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-05-04 13:22:09 17152 --a------ C:\WINDOWS\athprxy32.dll
2008-05-04 13:22:09 19456 --a------ C:\WINDOWS\asycfilt32.dll
2008-05-04 13:22:08 12544 --a------ C:\WINDOWS\changeurl_30.dll
2008-05-04 13:22:08 17664 --a------ C:\WINDOWS\asferror32.dll
2008-05-04 13:22:08 13824 --a------ C:\WINDOWS\apphelp32.dll
2008-05-04 13:08:30 541300 --ahs---- C:\WINDOWS\system32\IhNXHkkj.ini2
2008-05-04 13:03:24 0 dr-h----- C:\$VAULT$.AVG
2008-05-04 13:02:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-04 13:02:45 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-04 13:02:43 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-04 13:02:42 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-05-03 12:48:00 270709 --a------ C:\WINDOWS\system32\000060.exe
2008-04-14 11:48:25 0 d-------- C:\Documents and Settings\mark\Application Data\Move Networks


-- Find3M Report ---------------------------------------------------------------

2008-05-12 17:51:03 0 d-------- C:\Program Files\DigiGate
2008-05-12 17:50:50 0 d-------- C:\Program Files\Active-Charge
2008-05-12 15:12:15 0 d-------- C:\Program Files\Space Control Next Generation
2008-05-12 09:46:58 0 d-------- C:\Documents and Settings\mark\Application Data\AVG7
2008-05-12 08:18:04 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-05 14:36:43 0 d-------- C:\Program Files\Common Files
2008-04-09 15:36:27 0 d-------- C:\Documents and Settings\mark\Application Data\Talkback
2008-03-20 11:12:17 0 d-------- C:\Program Files\UltraVNC
2008-03-18 11:53:29 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-14 13:10:18 0 d-------- C:\Program Files\Hypercom
2008-03-12 16:37:34 0 d-------- C:\Documents and Settings\mark\Application Data\Adobe
2008-03-12 12:15:49 144 --a------ C:\sc.bat
2008-02-12 15:58:44 13147 --a------ C:\WINDOWS\hpbins01.dat
2008-02-12 15:18:45 140 --a------ C:\WINDOWS\system32\'


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AB866DF-7D65-4FEE-ACAB-AC1211803335}]
05/12/08 04:49 PM 314480 --a------ C:\WINDOWS\system32\tuvVlJYR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47e0ff62-0b10-43b4-a810-70b53f377731}]
05/11/08 01:34 PM 98912 --a------ C:\WINDOWS\system32\fvpkysfx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56949BD2-15CC-40F4-8F29-EB2C1F498D04}]
C:\WINDOWS\system32\jkkHXNhI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]
C:\WINDOWS\system32\jkkLFurs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
05/11/08 10:46 AM 25728 --a------ C:\WINDOWS\system32\yayvtsrP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [07/01/04 03:02 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [07/01/04 02:58 PM]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [06/18/06 04:56 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/08 08:03 AM]
"2c3b76ef"="C:\WINDOWS\system32\oxyrcaxi.dll" []
"webHancer Agent"="C:\Program Files\webHancer\Programs\whagent.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/04 12:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/04 08:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

C:\Documents and Settings\mark\Start Menu\Programs\Startup\
DigiWin.lnk - C:\Program Files\DigiGate\DigiWin.exe [03/10/08 11:32:53 AM]
PCCharge Payment Server.lnk - C:\Program Files\Active-Charge\Active-Charge.exe [03/11/08 3:45:40 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [09/23/05 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=01000000
"SpaceControlSaveSettings"=01000000
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\yayvtsrP.dll [05/11/08 10:46 AM 25728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLFurs]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 05/29/03 12:00 PM 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvtsrP]
yayvtsrP.dll 05/11/08 10:46 AM 25728 C:\WINDOWS\system32\yayvtsrP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\tuvVlJYR

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\bootcd\wintools\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0538e7da-987f-11dc-9760-806d6172696f}]
AutoRun\command- D:\bootcd\wintools\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8373 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-12 17:55:07 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 1526.98 MiB / 1061.77 MiB
Pagefile Memory (total/avail): 2136.49 MiB / 1791.22 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.91 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.27 GiB total, 29.49 GiB free.
D: is CDROM (CDFS)
O: is Network (Unformatted)
P: is Network (NTFS)
S: is Network (NTFS)
X: is Network (NTFS)
Z: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - WDC WD400BB-23DEA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe:*:Enabled:pcAnywhere Main Program"
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe:*:Enabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\WINDOWS\\LMI8D0.tmp\\lmi_rescue.exe"="C:\\WINDOWS\\LMI8D0.tmp\\lmi_rescue.exe:*:Enabled:LogMeIn Rescue"
"C:\\WINDOWS\\LMID8.tmp\\lmi_rescue.exe"="C:\\WINDOWS\\LMID8.tmp\\lmi_rescue.exe:*:Enabled:LogMeIn Rescue"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mark\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CERULEAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mark
HOMESHARE=\\hol\home$
LOGONSERVER=\\HOL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Symantec\pcAnywhere\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mark\LOCALS~1\Temp
TMP=C:\DOCUME~1\mark\LOCALS~1\Temp
USERDNSDOMAIN=ROWPM.LOCAL
USERDOMAIN=ROWPM
USERNAME=mark
USERPROFILE=C:\Documents and Settings\mark
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

winuser (admin)
WSUSUpdateAdmin (new local, admin)
mark (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Crystal 9 Runtime --> MsiExec.exe /I{E40EA05C-F83F-4FA9-8136-AD4CF646E821}
DigiGate for Windows --> C:\WINDOWS\uninst.exe -f"C:\Program Files\DigiGate\DeIsL1.isu" -c"C:\Program Files\DigiGate\_ISREG32.DLL"
HijackThis 2.0.2 --> "C:\DOCUME~1\mark\LOCALS~1\Temp\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp LaserJet-all-in-one --> C:\Program Files\hp\Digital Imaging\{1B4B2D13-BA87-4c7c-8B67-0EE7CE698415}\setup\hpzscr01.exe -datfile hpbscr01.dat
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
Hypercom FPE Interface Services --> C:\PROGRA~1\Hypercom\FPEINT~1\UNWISE.EXE C:\PROGRA~1\Hypercom\FPEINT~1\INSTALL.LOG
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Connections Drivers --> Prounstl.exe
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
LaserAIO --> MsiExec.exe /I{DD23CAA4-8872-4B95-B263-EA46FD82CF19}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\mark\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PCCharge Payment Server --> C:\PROGRA~1\ACTIVE~1\UNWISE.EXE C:\PROGRA~1\ACTIVE~1\INSTALL.LOG
RS232ToUSB --> MsiExec.exe /I{3491630E-88B0-4DC3-B6BA-26DE5D7D710C}
Space Control Next Generation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Space Control Next Generation\SpaceControl.isu"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec pcAnywhere --> MsiExec.exe /I{E05E8183-866A-11D3-97DF-0000F8D8F2E9}
UltraVNC v1.0.2 --> "C:\Program Files\UltraVNC\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type10711 / Error
Event Submitted/Written: 05/12/2008 05:50:10 PM
Event ID/Source: 1053 / Userenv
Event Description:
Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type10709 / Error
Event Submitted/Written: 05/12/2008 05:45:57 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type10708 / Error
Event Submitted/Written: 05/12/2008 05:44:56 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type10707 / Error
Event Submitted/Written: 05/12/2008 05:44:41 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type10703 / Error
Event Submitted/Written: 05/12/2008 05:17:18 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5591 / Error
Event Submitted/Written: 05/12/2008 05:44:45 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type5590 / Warning
Event Submitted/Written: 05/12/2008 05:44:45 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type5589 / Error
Event Submitted/Written: 05/12/2008 05:44:29 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type5588 / Warning
Event Submitted/Written: 05/12/2008 05:44:29 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type5587 / Error
Event Submitted/Written: 05/12/2008 05:44:26 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain ROWPM due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.



-- End of Deckard's System Scanner: finished at 2008-05-12 17:55:07 ------------

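The HijackThis section of the log above carries the persistence points that keep re-appearing after each reboot: a second executable appended to the Winlogon `Userinit` value (F2), Browser Helper Objects registered without a name or pointing at files that are already gone (O2), a `Run` value with a random hex name that loads a DLL through `rundll32` (O4), and a Winlogon Notify package with a random name (O20). The following triage script is an added example, not code from the poster or from BleepingComputer: it parses HijackThis-style lines and flags those patterns. The sample lines are copied from the posted log; the allowlist of Winlogon Notify packages is an assumption for stock Windows XP and has to be extended for legitimate third-party packages such as the pcAnywhere `PCANotify` entry further down in the same log.

```python
"""Triage a HijackThis log for the persistence mechanisms shown in this thread."""
import re
from pathlib import PureWindowsPath

# Sample input copied from the HijackThis log posted above (a subset of lines).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {0AB866DF-7D65-4FEE-ACAB-AC1211803335} - C:\WINDOWS\system32\tuvVlJYR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56949BD2-15CC-40F4-8F29-EB2C1F498D04} - C:\WINDOWS\system32\jkkHXNhI.dll (file missing)
O4 - HKLM\..\Run: [2c3b76ef] rundll32.exe "C:\WINDOWS\system32\oxyrcaxi.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: yayvtsrP - C:\WINDOWS\SYSTEM32\yayvtsrP.dll
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

# Assumed allowlist of stock Windows XP Winlogon Notify packages (lower-cased).
# Not from the page; add legitimate third-party packages for your environment.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# Run values named with eight lower-case hex digits, as in "[2c3b76ef]".
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")


def _basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return PureWindowsPath(path.strip().strip('"')).name.lower()


def triage(log_text):
    """Return (section, reason, line) tuples for every suspicious HijackThis entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        tag, _, rest = line.partition(" - ")

        if tag == "F2" and "UserInit=" in rest:
            # Userinit should list userinit.exe only; anything else runs at every logon.
            value = rest.split("UserInit=", 1)[1]
            extra = [p for p in value.split(",") if p.strip() and _basename(p) != "userinit.exe"]
            if extra:
                names = ", ".join(_basename(p) for p in extra)
                findings.append(("F2", f"extra Userinit executable(s): {names}", line))

        elif tag == "O2":
            if "(no name)" in rest:
                findings.append(("O2", "BHO registered without a name", line))
            if rest.endswith("(file missing)"):
                findings.append(("O2", "BHO points at a missing file (orphaned registration)", line))

        elif tag == "O4":
            m = re.search(r"\[(.+?)\]\s*(.*)", rest)
            if m:
                name, cmd = m.group(1), m.group(2)
                if HEX_NAME.match(name):
                    findings.append(("O4", f"Run value named with random hex '{name}'", line))
                if cmd.lower().startswith("rundll32") and ".dll" in cmd.lower():
                    findings.append(("O4", "rundll32 used to load a DLL at logon", line))

        elif tag == "O20":
            m = re.match(r"Winlogon Notify:\s*(\S+)\s*-\s*(.*)", rest)
            if m and m.group(1).lower() not in KNOWN_NOTIFY:
                findings.append(("O20", f"unrecognised Winlogon Notify package '{m.group(1)}'", line))

    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample, the script reports seven findings and leaves the Spybot BHO, the AVG Run value and the VNC service alone. The checks are deliberately structural (which registry location, what shape of name, whether the file exists) rather than name-based, because the DLL names in this log change with every re-infection while the registration points do not.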

#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 May 2008 - 12:10 PM

Hello Swimboy,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 13 May 2008 - 12:11 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 May 2008 - 09:03 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.