VX2 Finder Log


17 replies to this topic

#1 Crimson_World (Members, 17 posts)

Posted 01 January 2005 - 02:08 AM

Please review my log file from the program of HiJackThis. If there is anything wrong or suspicious said in the log, please help me fix the issue. All your help is greatly appreciated. And also wish you all a Happy New Year.

Logfile of HijackThis v1.99.0
Scan saved at 1:59:53 AM, on 1/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4AE2DE7-C109-4962-A8EA-83A2BF2B35C4}: NameServer = 216.194.28.33 216.194.28.69
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

There is one more thing I would like to point out: as can probably be seen from the log, I am lacking Windows Updates. I would like to say I choose not to update for several reasons and wish never to update, because of too many bugs from patches, the waste of space and time, and also much useless material that I don't need. Once again, thank you to all those who can help me with my log.


#2 Grinler (Lawrence Abrams, Admin, 43,614 posts, USA)

Posted 01 January 2005 - 06:44 PM

Clean log... nice and tight.

#3 Crimson_World (Topic Starter)

Posted 01 January 2005 - 11:24 PM

Thank you, Grinler, for seeing this log. Although I'm suspicious of one of the results from the scan, could you explain this one?

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4AE2DE7-C109-4962-A8EA-83A2BF2B35C4}: NameServer = 216.194.28.33 216.194.28.69

#4 Grinler (Lawrence Abrams, Admin, 43,614 posts, USA)

Posted 01 January 2005 - 11:47 PM

Is your ISP Metconnect?

#5 Crimson_World (Topic Starter)

Posted 04 January 2005 - 07:39 PM

Yes, I use Metconnect as my ISP. How come you ask?

#6 Grinler (Lawrence Abrams, Admin, 43,614 posts, USA)

Posted 05 January 2005 - 12:49 AM

Because that ISP is what:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4AE2DE7-C109-4962-A8EA-83A2BF2B35C4}: NameServer = 216.194.28.33 216.194.28.69

refers to. Nothing wrong with the log. Good job!
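The O17 check Grinler did by hand (does the NameServer entry point at the user's own ISP?) can be automated for a whole HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses O17 lines and flags any resolver outside a trusted network list. The trusted 216.194.28.0/24 range and the second, hijacked-looking O17 line in the sample are constructed assumptions for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log: the real O17 line from the thread plus one made-up
# entry whose nameserver does not belong to the ISP (203.0.113.5 is a
# documentation address, used here purely as a stand-in).
SAMPLE_LOG = """\
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\\Program Files\\DAP\\DAPBHO.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B4AE2DE7-C109-4962-A8EA-83A2BF2B35C4}: NameServer = 216.194.28.33 216.194.28.69
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.5
"""

# Assumption: the ISP's resolvers live in this /24 (derived from the thread's
# two addresses). In practice, take the range from the ISP's published list.
TRUSTED_RESOLVERS = [ip_network("216.194.28.0/24")]

# O17 lines look like: "O17 - <registry key>: NameServer = <ip> [<ip> ...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d. ,]+)$")


def parse_o17(log_text):
    """Return a list of (registry_key, [nameserver_ip, ...]) for each O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple servers with spaces or commas.
        servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), servers))
    return entries


def untrusted_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """Return every O17 nameserver IP that falls outside the trusted networks.

    A non-empty result is a cue to ask the user who their ISP is (as Grinler
    did) before deciding whether the entry is a DNS hijack or just the ISP.
    """
    flagged = []
    for _key, servers in parse_o17(log_text):
        for s in servers:
            ip = ip_address(s)
            if not any(ip in net for net in trusted):
                flagged.append(s)
    return flagged


if __name__ == "__main__":
    for key, servers in parse_o17(SAMPLE_LOG):
        print(key, "->", servers)
    print("outside trusted ranges:", untrusted_nameservers(SAMPLE_LOG))
```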

#7 Truth Loves You (Members, 45 posts)

Posted 05 January 2005 - 01:14 AM

Do you use download accelerator?

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

You might want to switch to using GetRight or FlashGet instead. Either will allow IE click integration. While on the subject of IE: STOP using it. CERT, a division of Homeland Security, as well as most security firms, strongly recommend no sane person use IE. Many will agree Mozilla Firefox is the superior browser. Get a free copy from

http://getfirefox.com

it has built-in pop-up blocking.


It will import all your bookmarks, cookies and other user preferences. Once you make the simple switch you can further customize your malware-proof browser with offerings from

http://ExtensionsMirror.nl

At the very least install

AdBlock: http://www.extensionsmirror.nl/index.php?showtopic=774
Tabbrowser Extension: http://www.extensionsmirror.nl/index.php?showtopic=111

Grab this adblock list: http://www.geocities.com/pierceive/adblock/



Do you really need this loading at startup?
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

If ads annoy you as much as they annoy me, you might want to consider installing the free, open-source AIM add-on:
http://aimutation.com


I suggest regressing your AIM version to 5.2.3292; find a copy here:
http://oldversion.com/program.php?n=aim (as suggested also by Aimutation)


Aimutation will allow you not only to suppress the ads in the AIM interface, but it also adds nifty features like chat logging, window transparency, etc.



If you're not a novice computer user I recommend switching to Miranda if you use any other chat services in addition to AIM:

http://miranda-im.org



HTH

Edited by smashmonkey, 05 January 2005 - 01:21 AM.


#8 Grinler (Lawrence Abrams, Admin, 43,614 posts, USA)

Posted 05 January 2005 - 01:37 AM

Hey smashmonkey :thumbsup: Though your advice is excellent, we like to keep posts in the HJT logs forum just for members of the HJT team, as stated in the rules above.

If you are interested in helping out with the logs, send me a private message.

#9 Truth Loves You (Members, 45 posts)

Posted 05 January 2005 - 01:52 AM

we like to keep posts in the HJT logs forum just for members in the HJT team as read in the rules above.

If you are interested in helping out in the logs, send me a private message

K. You've got PM. ;) See also: http://www.bleepingcomputer.com/forums/t/8146/hjt-forum-moderation/


:thumbsup:

#10 Crimson_World (Topic Starter)

Posted 15 January 2005 - 01:09 AM

There are some pop-up ads that come up constantly every time I am online. Using Ctrl+Alt+Del, the pop-up ad process led to the csrss.exe program. But that program is not seen as a virus or trojan. One of the pop-ups reads:

Message from SECURITY MONITOR to WINDOWS USER on (Date)(Time)

Important Windows Security Bulletin
=======================
Buffer Overrun in Messenger Service Allows Remote Code Execution,
Virus Infection and Unexpected Computer Shutdowns

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Non Affected Software:

Microsoft Windows Millennium Edition

Your system is affected, download the patch from the address below !
FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK "OK". THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK "OK".

www.patchnow.net
or
www.updatenow.org
--------------------------------------------------------------------------------------------------
The following HiJackThis log shows nothing about this pop-up ad:

Logfile of HijackThis v1.99.0
Scan saved at 1:07:47 AM, on 1/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4AE2DE7-C109-4962-A8EA-83A2BF2B35C4}: NameServer = 216.194.28.33 216.194.28.69
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

If anybody can find a solution to this problem, please tell me so and I can fix it. I appreciate it if anybody can help me on this matter. Thanks.

#11 Grinler (Lawrence Abrams, Admin, 43,614 posts, USA)

Posted 15 January 2005 - 04:38 PM

Download VX2Finder from this link:

http://tools.zerosrealm.com/VX2Finder(126).exe

or

http://www.downloads.subratam.org/VX2Finder(126).exe

Run VX2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.

#12 Crimson_World (Topic Starter)

Posted 27 January 2005 - 12:51 AM

I apologize for the delay; I've been busy with school and stuff. Here's the log from the VX2 Finder:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---


I appreciate your patience in waiting this long.

#13 Grinler (Lawrence Abrams, Admin, 43,614 posts, USA)

Posted 27 January 2005 - 01:19 PM

Post a new log, please.

#14 Crimson_World (Topic Starter)

Posted 27 January 2005 - 08:03 PM

This concerns a pop-up that Ad-Aware and HijackThis couldn't pick up. It says the following:

Message from SECURITY MONITOR to WINDOWS USER on (Date)(Time)

Important Windows Security Bulletin
=======================
Buffer Overrun in Messenger Service Allows Remote Code Execution,
Virus Infection and Unexpected Computer Shutdowns

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Non Affected Software:

Microsoft Windows Millennium Edition

Your system is affected, download the patch from the address below !
FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK "OK". THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK "OK".

www.patchnow.net
or
www.updatenow.org
or
www.updatepatch.info
--------------------------------------------------------------------------------------------------

I used the VX2 Finder and made a log with it.

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

Can anybody find where the pop-up ad is coming from? All help is appreciated.

#15 Crimson_World (Topic Starter)

Posted 27 January 2005 - 08:05 PM

Done, if this is what you mean:

http://www.bleepingcomputer.com/forums/ind...ST&f=22&t=10088



