Win32:vapsup-hb [adw] / Vbs:malware-gen Infection


  • This topic is locked
2 replies to this topic

#1 jmmwv

jmmwv

  • Members
  • 1 posts

Posted 28 June 2008 - 11:33 PM

This incident began with an alert from Avast followed very shortly by a BSOD and automatic reboot. The display was partially corrupted by artifacts of the Avast alert during and after this reboot, and when another BSOD / reboot was triggered, I powered the machine off and back on. When XP loaded, the desktop had been replaced; the new desktop was a blue background with a box in the center stating that a virus had been detected. The machine then went into another BSOD / reboot with graphical corruption, so I powered down and booted into safe mode.

In safe mode, I used XP's built-in event viewer to check for errors. I found the following in the antivirus section:

Sign of "Win32:Vapsup-GR [Adw]" has been found in "C:\DOCUME~1\PREINS~1\LOCALS~1\Temp\ac8zt2\tovafrnm.exe" file.

Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\PreInstalledUsr\Local Settings\Temp\.tt297D.tmp.vbs" file.

Sign of "Win32:Vapsup-HB [Adw]" has been found in "C:\DOCUME~1\PREINS~1\LOCALS~1\Temp\ac8zt2\qegbdmwf.dll" file.

Sign of "Win32:Vapsup-HB [Adw]" has been found in "C:\DOCUME~1\PREINS~1\LOCALS~1\Temp\ac8zt2\qegbdmwf.dll" file.

Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\PreInstalledUsr\Local Settings\Temp\.tt1.tmp.vbs" file.

I deleted the files referenced in these alerts and then ran msconfig. In the startup section, I found and disabled the following:

lphc15nj0e199 | C:\WINDOWS\system32\lphc15nj0e199.exe | SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rhc55nj0e199 | C:\Program Files\rhc55nj0e\rhc55nj0e199.exe | SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In addition to disabling these two items, I deleted the associated files as well, including the entire folder placed in Program Files. I discovered that a group named "AntivirusXP 2008" (or maybe "Antivirus 2008XP") had been added to the Start menu, and shortcuts to the files within pinned to the Start menu. I deleted all of these, as well as the corresponding entry I found in Add / Remove Programs.

I rebooted and attempted to run Microsoft's online scanner, but that resulted in another BSOD. I rebooted into Safe Mode with Networking and downloaded Microsoft's Malicious Software Removal Tool. I ran that in the Administrator account I was on and then rebooted into XP and ran the tool on the normal user account. I then downloaded and ran SDFix and Combofix, in that order, and then DSS.

The system shows no signs of being infected now, but I wanted to post the DSS log in case there are further steps I should take. I do know I should remove the registry entries corresponding to the startup items I mentioned above, but I would greatly appreciate any advice as to what else should be done, particularly regarding the application errors in the logs. Thank you in advance.



Deckard's System Scanner v20071014.68
Run by PreInstalledUsr on 2008-06-28 23:37:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x0000000F


-- Last 5 Restore Point(s) --
84: 2008-06-29 03:37:29 UTC - RP708 - Deckard's System Scanner Restore Point
83: 2008-06-29 03:17:16 UTC - RP707 - ComboFix created restore point
82: 2008-06-27 20:21:33 UTC - RP706 - System Checkpoint
81: 2008-06-26 19:24:47 UTC - RP705 - System Checkpoint
80: 2008-06-25 18:13:23 UTC - RP704 - System Checkpoint


-- First Restore Point --
1: 2008-04-17 12:13:19 UTC - RP625 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as PreInstalledUsr.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:24 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\WEBSHOTS\webshots.scr
C:\PROGRA~1\WEBSHOTS\webshots.scr
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\PreInstalledUsr\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\PreInstalledUsr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\SYSTEM32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [\\FAMILY\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "\\FAMILY\EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on LAPTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P45 "Auto EPSON Stylus Photo R200 Series on LAPTOP" /O17 "\\LAPTOP\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto Auto EPSON Stylus Photo R200 Series on FAMILY on LAPTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P60 "Auto Auto EPSON Stylus Photo R200 Series on FAMILY on LAPTOP" /O17 "\\LAPTOP\AutoEPSO" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on USER-87E86E9047] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P54 "Auto EPSON Stylus Photo R200 Series on USER-87E86E9047" /O23 "\\USER-87E86E9047\Epson" /M "Stylus Photo R200"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [\\FAMILY\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "\\FAMILY\EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [Auto EPSON Stylus Photo R200 Series on USER-87E86E9047] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P54 "Auto EPSON Stylus Photo R200 Series on USER-87E86E9047" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Startup: EverNote.lnk = C:\Program Files\EverNote\EverNote\EverNote.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuweather.com/tnpl_awda/cli...LDownloader.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/Data...6-6D5536C585C9}
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164599583194
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://74.62.226.77:6001/activex/AMC.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://200.33.20.193:2000/activex/AxisCamControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://209.20.250.7/activex/AMC.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7643 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\system32\migicons.exe,9
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\system32\migicons.exe,8


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R4 catchme - c:\combofix\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-28 22:16:19 376 --a------ C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job
2008-06-15 01:00:01 508 --a------ C:\WINDOWS\Tasks\Maintenance-Defragment programs.job
2008-06-07 23:00:00 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job
2008-06-01 00:30:00 546 --a------ C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job


-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-06-28 23:39:09 0 d-------- C:\Program Files\Trend Micro
2008-06-28 23:17:46 0 d-------- C:\cmdcons
2008-06-28 23:16:40 68096 --a------ C:\WINDOWS\zip.exe
2008-06-28 23:16:40 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-28 23:16:40 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-28 23:16:40 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-28 23:16:40 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-28 23:16:40 98816 --a------ C:\WINDOWS\sed.exe
2008-06-28 23:16:40 80412 --a------ C:\WINDOWS\grep.exe
2008-06-28 23:16:40 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-28 22:46:18 0 d-------- C:\WINDOWS\ERUNT
2008-06-28 22:25:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-28 22:25:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-28 22:08:50 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-28 21:45:34 0 d-------- C:\WINDOWS\pss
2008-06-28 21:24:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webshots
2008-06-28 21:16:46 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 21:16:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 21:16:46 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 21:16:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 21:16:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 21:16:45 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 21:16:45 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 21:16:45 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 21:16:45 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 21:16:45 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 21:16:45 1310720 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-06-28 21:16:45 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 21:16:45 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 21:16:45 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 21:10:09 94208 --a------ C:\WINDOWS\system32\pphc15nj0e199.exe
2008-06-28 21:10:09 0 d-------- C:\Documents and Settings\PreInstalledUsr\Application Data\rhc55nj0e199
2008-06-28 21:09:17 60928 --a------ C:\WINDOWS\system32\blphc15nj0e199.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-06-17 11:54:03 0 d-------- C:\Documents and Settings\PreInstalledUsr\Application Data\USPS
2008-06-16 12:32:40 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-06-16 12:32:23 0 d-------- C:\Program Files\MSECACHE
2008-06-16 11:53:10 0 d-------- C:\Documents and Settings\PreInstalledUsr\Application Data\Adobe
2008-06-16 11:35:22 0 d-------- C:\Program Files\Foxit Software


-- Find3M Report ---------------------------------------------------------------

2008-06-28 23:26:51 0 d-------- C:\Program Files\Google
2008-06-17 11:57:05 0 d-------- C:\Documents and Settings\PreInstalledUsr\Application Data\ShippingAssistant
2008-06-05 17:10:50 0 d-------- C:\Program Files\The Weather Channel FW
2008-06-05 17:10:50 0 d-------- C:\Documents and Settings\PreInstalledUsr\Application Data\The Weather Channel
2008-05-19 14:00:33 4 --a------ C:\WINDOWS\system32\132DEA
2008-04-29 14:22:19 0 d-------- C:\Program Files\Usability Sciences


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\FAMILY\EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [07/08/2003 04:00 AM]
"Auto EPSON Stylus Photo R200 Series on LAPTOP"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [07/08/2003 04:00 AM]
"Auto Auto EPSON Stylus Photo R200 Series on FAMILY on LAPTOP"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [07/08/2003 04:00 AM]
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" [04/12/2006 08:37 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 07:19 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" []
"Auto EPSON Stylus Photo R200 Series on USER-87E86E9047"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [07/08/2003 04:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 01:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/22/2007 06:43 PM]
"\\FAMILY\EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [07/08/2003 04:00 AM]
"Auto EPSON Stylus Photo R200 Series on USER-87E86E9047"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [07/08/2003 04:00 AM]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [06/10/2008 04:18 PM]

C:\Documents and Settings\PreInstalledUsr\Start Menu\Programs\Startup\
EverNote.lnk - C:\Program Files\EverNote\EverNote\EverNote.exe [3/22/2008 12:05:53 AM]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [12/12/2005 10:31:11 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [8/22/2007 6:43:23 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 9:05:56 PM]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [12/12/2005 10:31:11 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc15nj0e199]
C:\WINDOWS\system32\lphc15nj0e199.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhc55nj0e199]
C:\Program Files\rhc55nj0e199\rhc55nj0e199.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"PRPCMonitor"=PRPCUI.exe
"ATIPOLAB"=ati2evxx.exe
"AtiPTA"=Atiptaxx.exe
"Ati2cwxx"=Ati2cwxx.exe
"Hidserv"=Hidserv.exe run
"ICSDCLT"=C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\ICSDCLT.DLL,ICSClient
"LoadQM"=loadqm.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-06-28 23:41:34 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 511.47 MiB / 275.84 MiB
Pagefile Memory (total/avail): 1250.27 MiB / 1044.13 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.48 MiB

C: is Fixed (NTFS) - 37.31 GiB total, 29.64 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MERIT021MP0402H - 37.31 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.31 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.8.1201 [VPS 080629-0] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\PreInstalledUsr\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LIBBY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\PreInstalledUsr
LOGONSERVER=\\LIBBY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\PREINS~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\PREINS~1\LOCALS~1\Temp
USERDOMAIN=LIBBY
USERNAME=PreInstalledUsr
USERPROFILE=C:\Documents and Settings\PreInstalledUsr
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

PreInstalledUsr (admin)
Visitor
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /UNINSTALL /PROMPT
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AXIS Media Control --> rundll32 "C:\Program Files\Axis Communications\AXIS Media Control\AxisMediaControl.dll",UninstallMe
AXIS Media Control Embedded --> rundll32 "C:\Program Files\Axis Communications\AXIS Media Control Embedded\AxisMediaControlEmb.dll",UninstallMe
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Data Lifeguard Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
Dell Dock Quick Install for Windows --> C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\Quick Install\Uninst.isu"
East Side Story 1.0 --> C:\Program Files\East Side Story\uninst.exe
EverNote --> C:\Program Files\InstallShield Installation Information\{00C297B1-02F3-4BEE-8B57-7BCA695A41DA}\setup.exe -runfromtemp -l0x0009 -removeonly
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel SpeedStep technology Applet --> C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\SYSTEM\Intel® SpeedStep™ technology Applet.isu"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2000 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\PreInstalledUsr\Application Data\Move Networks\ie_bin\Uninst.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shipping Assistant 3.4 --> MsiExec.exe /X{15C77FC3-8137-4A5E-8F81-F559045DD6B0}
The Weather Channel Desktop 6 --> C:\Program Files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
The Weather Channel Toolbar --> C:\PROGRA~1\THEWEA~2\UNWISE.EXE C:\PROGRA~1\THEWEA~2\twcINSTALL.LOG
Ultra WinCleaner One Click! Version 8.0 --> "C:\Program Files\blcorp\UWCSuite\UWC\unins000.exe"
Verizon Rhapsody --> C:\PROGRA~1\VERIZO~1\UNWISE32.EXE /A C:\PROGRA~1\VERIZO~1\install.log
Weather Services --> C:\WINDOWS\system32\control.exe C:\PROGRA~1\THEWEA~1\Framework\wxfw.cpl,4
WebIQ Technology Engine --> C:\WINDOWS\system32\WebIQEngineSetup.exe u
Webshots Desktop --> C:\PROGRA~1\WEBSHOTS\UNWISE.EXE C:\PROGRA~1\WEBSHOTS\INSTALL.LOG
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1282 / Error
Event Submitted/Written: 06/28/2008 10:34:57 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 127254195.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type1281 / Error
Event Submitted/Written: 06/28/2008 10:34:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rstrui.exe, version 5.1.2600.2180, faulting module srrstr.dll, version 5.1.2600.2180, fault address 0x00009826.
Processing media-specific event for [rstrui.exe!ws!]

Event Record #/Type1278 / Error
Event Submitted/Written: 06/28/2008 10:31:40 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 127254195.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type1277 / Error
Event Submitted/Written: 06/28/2008 10:31:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rstrui.exe, version 5.1.2600.2180, faulting module srrstr.dll, version 5.1.2600.2180, fault address 0x00009826.
Processing media-specific event for [rstrui.exe!ws!]

Event Record #/Type1276 / Error
Event Submitted/Written: 06/28/2008 10:24:44 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rstrui.exe, version 5.1.2600.2180, faulting module srrstr.dll, version 5.1.2600.2180, fault address 0x00009826.
Processing media-specific event for [rstrui.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15864 / Error
Event Submitted/Written: 06/28/2008 10:47:00 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswSP
aswTdi
Fips
IPSec
MRxSmb
NetBIOS
NetBT
P3
RasAcd
Rdbss
Tcpip

Event Record #/Type15863 / Error
Event Submitted/Written: 06/28/2008 10:47:00 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type15862 / Error
Event Submitted/Written: 06/28/2008 10:47:00 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Event Record #/Type15861 / Error
Event Submitted/Written: 06/28/2008 10:47:00 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Event Record #/Type15860 / Error
Event Submitted/Written: 06/28/2008 10:47:00 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-06-28 23:41:34 ------------
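The first post works from two kinds of log lines: the avast Event Viewer entries that name a detection and a file path, and the Run-key autorun entries that msconfig and HijackThis (O4 lines) list. The script below is an added example, not part of this thread and not code from avast, HijackThis, DSS or any other tool mentioned here. It parses both record shapes and applies three triage checks a responder would want before deciding what to delete: a file launched from a user Temp directory, a double extension such as .tmp.vbs, and a file stem matching the naming pattern shared by every rogue file in the posted DSS log (lphc15nj0e199.exe, rhc55nj0e199.exe, pphc15nj0e199.exe, blphc15nj0e199.scr). The sample lines are constructed from the shapes on this page; the two O4 lines for the rogue entries are reconstructed, because the posted HijackThis log was captured after they had already been disabled, and the naming pattern is specific to this one incident rather than a general signature.

```python
import re

# Constructed sample input, modelled on the avast Event Viewer lines and the
# Run-key autorun entries quoted in the first post.  The two rogue O4 lines are
# reconstructed: the posted HijackThis log was taken after they were disabled.
AVAST_EVENTS = [
    r'Sign of "Win32:Vapsup-GR [Adw]" has been found in "C:\DOCUME~1\PREINS~1\LOCALS~1\Temp\ac8zt2\tovafrnm.exe" file.',
    r'Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\PreInstalledUsr\Local Settings\Temp\.tt297D.tmp.vbs" file.',
    r'Sign of "Win32:Vapsup-HB [Adw]" has been found in "C:\DOCUME~1\PREINS~1\LOCALS~1\Temp\ac8zt2\qegbdmwf.dll" file.',
]
HJT_O4_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe',
    r'O4 - HKLM\..\Run: [lphc15nj0e199] C:\WINDOWS\system32\lphc15nj0e199.exe',
    r'O4 - HKLM\..\Run: [SMrhc55nj0e199] C:\Program Files\rhc55nj0e199\rhc55nj0e199.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

AVAST_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
# Only the Run-key form of O4 is handled; "O4 - Startup:" / "Global Startup:" lines return None.
HJT_O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First drive-letter path ending in an executable extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.(?:exe|scr|dll|com|bat|cmd|vbs))"?', re.IGNORECASE)
# Stem shared by every rogue file in the posted DSS log: lphc15nj0e199.exe,
# rhc55nj0e199.exe, pphc15nj0e199.exe, blphc15nj0e199.scr.  Derived from this
# one incident only; it is not a general signature for the family.
ROGUE_STEM_RE = re.compile(r'^[a-z]{1,3}hc\d{2}[a-z]{2}\d[a-z]\d{3}$')


def parse_avast_event(line):
    """Return {'signature', 'path'} for an avast 'Sign of ... has been found' line, else None."""
    m = AVAST_RE.search(line)
    return {'signature': m['sig'], 'path': m['path']} if m else None


def parse_hjt_o4(line):
    """Return {'hive', 'name', 'exe', 'cmd'} for a HijackThis O4 Run-key line, else None."""
    m = HJT_O4_RE.match(line)
    if not m:
        return None
    e = EXE_RE.match(m['cmd'])
    return {'hive': m['hive'], 'name': m['name'], 'exe': e['exe'] if e else None, 'cmd': m['cmd']}


def triage(path):
    """Reasons a file path deserves a closer look; an empty list means nothing odd was seen."""
    parts = path.split('\\')
    name = parts[-1].lstrip('.').lower()        # '.tt297D.tmp.vbs' -> 'tt297d.tmp.vbs'
    stem, *exts = name.split('.')               # 'tt297d', ['tmp', 'vbs']
    reasons = []
    if any(p.lower() == 'temp' for p in parts[:-1]):
        reasons.append('runs from a Temp directory')
    if len(exts) > 1:
        reasons.append('double extension ' + '.'.join(exts))
    if ROGUE_STEM_RE.match(stem):
        reasons.append('matches the rogue naming pattern from this log')
    return reasons


def suspicious_autoruns(hjt_lines):
    """Map autorun entry name -> triage reasons, for Run-key entries that raised any."""
    flagged = {}
    for line in hjt_lines:
        rec = parse_hjt_o4(line)
        if rec and rec['exe']:
            reasons = triage(rec['exe'])
            if reasons:
                flagged[rec['name']] = reasons
    return flagged


def suspicious_detections(event_lines):
    """List (signature, path, reasons) for each avast detection line, in log order."""
    rows = []
    for line in event_lines:
        rec = parse_avast_event(line)
        if rec:
            rows.append((rec['signature'], rec['path'], triage(rec['path'])))
    return rows


if __name__ == '__main__':
    for sig, path, reasons in suspicious_detections(AVAST_EVENTS):
        print(f'{sig:<25} {path}\n{"":25} {"; ".join(reasons) or "-"}')
    for name, reasons in suspicious_autoruns(HJT_O4_LINES).items():
        print(f'autorun [{name}]: {"; ".join(reasons)}')
```

Run stand-alone it prints the three detections with their reasons and the two rogue autorun entries; the Epson, avast and ctfmon entries pass untouched. One caveat worth keeping in mind when reading this thread: the DSS file listing reports the version information of blphc15nj0e199.scr as "Sysinternals Blue Screen", a screensaver that paints a blue screen, so a reported "BSOD" next to a rogue antivirus installation does not by itself prove a kernel fault occurred.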



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 June 2008 - 11:03 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\pphc15nj0e199.exe
    C:\Documents and Settings\PreInstalledUsr\Application Data\rhc55nj0e199
    C:\WINDOWS\system32\blphc15nj0e199.scr
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 20 July 2008 - 09:38 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================



