VX2 Finder Log



#1 Crimson_World (Members, 17 posts)

Posted 01 February 2005 - 02:53 PM

This concerns a pop-up that Ad-Aware or HijackThis couldn't pick up. It says the following:

Message from SECURITY MONITOR to WINDOWS USER on (Date)(Time)

Important Windows Security Bulletin
=======================
Buffer Overrun in Messenger Service Allows Remote Code Execution,
Virus Infection and Unexpected Computer Shutdowns

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Non Affected Software:

Microsoft Windows Millennium Edition

Your system is affected, download the patch from the address below !
FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK "OK". THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK "OK".

www.patchnow.net
or
www.updatenow.org
or
www.updatepatch.info
--------------------------------------------------------------------------------------------------
My HiJackThis log would be the following:

Logfile of HijackThis v1.99.0
Scan saved at 2:52:21 PM, on 2/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4AE2DE7-C109-4962-A8EA-83A2BF2B35C4}: NameServer = 216.194.28.33 216.194.28.69
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------------------------------------------------

I used the VX2 Finder and made a log with it.

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

- Can anybody find where the pop-up ad is coming from? All help is appreciated.


#2 Grinler (Lawrence Abrams; Admin, 43,389 posts; Location: USA)

Posted 03 February 2005 - 05:41 PM

Reboot into safe mode and delete this file:

C:\WINDOWS\System32\CMMON32.EXE

Reboot and post a new log.

#3 Crimson_World (Topic Starter; Members, 17 posts)

Posted 05 February 2005 - 12:56 PM

Uhh, why do I have to delete this? CMMON32.exe is my Microsoft Connection Manager Monitor. You don't want me to ever go back online, huh?

#4 Grinler (Lawrence Abrams; Admin, 43,389 posts; Location: USA)

Posted 05 February 2005 - 01:55 PM

You sure about that? I think CMMON32.EXE is a virus. Let me take a look at it:

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

c:\windows\system32\CMMON32.EXE

To copy the files, simply navigate to the directory they are in, right-click on them, and then click on Copy. Then paste these files into the c:\submit directory. Once the files are all copied, I need you to zip the folder. If you are using XP or ME, right-click on the folder, click on the Send To option, and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called WinZip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php, fill in the required fields, and browse to the file. Then click on the Send File button.
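Before sending a file off for analysis it is worth collecting the facts a reviewer will ask for anyway: size, hash, whether it carries a valid Authenticode signature, and what its version resource claims. The script below is an added example written for this thread, not code from BleepingComputer or from the posters; it assumes PowerShell 4.0 or later (for `Get-FileHash`) and defaults to the path discussed in the thread, which you can replace with any file you want to look at.

```powershell
# Added example, not part of the thread: local triage of a file that a
# HijackThis log flagged, before deciding whether it needs to be submitted.
# Assumes PowerShell 4.0 or later. The default path is the file discussed
# above; pass -Path to check a different one.
param(
    [string]$Path = 'C:\Windows\System32\cmmon32.exe'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not found: $Path"
    return
}

$item = Get-Item -LiteralPath $Path

# 1. Hash: the value to quote when asking someone else to look at the file.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# 2. Authenticode: a valid Microsoft signature is strong evidence that a file
#    in System32 is the OS component it claims to be. Note that many system
#    files are signed via a catalog rather than an embedded signature, so a
#    NotSigned result on its own is not proof of tampering.
$sig = Get-AuthenticodeSignature -FilePath $Path
$signer = '(none)'
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

# 3. Version resource: malware that borrows a system file name usually does
#    not bother to fill in CompanyName / FileDescription.
$vi = $item.VersionInfo

[pscustomobject]@{
    Path            = $Path
    SizeBytes       = $item.Length
    LastWrite       = $item.LastWriteTime
    SHA256          = $hash
    SignatureStatus = $sig.Status      # Valid / NotSigned / HashMismatch / ...
    Signer          = $signer
    Company         = $vi.CompanyName
    Description     = $vi.FileDescription
    FileVersion     = $vi.FileVersion
}
```

Run it from a PowerShell prompt as `.\triage.ps1` (or `.\triage.ps1 -Path 'C:\some\other.exe'`). A hash mismatch, a missing or untrusted signer, or an empty company/description field is what would justify the submission step described in the post; a file that hashes, signs and describes itself as the Microsoft component it claims to be is the situation the thread ends up in.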

#5 Crimson_World (Topic Starter; Members, 17 posts)

Posted 06 February 2005 - 12:47 AM

I checked the file from my C:\Windows and found the file named "cmmon32.exe" but not "CMMON32.EXE". Are they the same thing or not?

Message received after attempting to send file:

> Malware Submission
There was a problem with your submission. Please Contact Us and let us know the name of the file, the size of the file, and the error code given below.

#6 Grinler (Lawrence Abrams; Admin, 43,389 posts; Location: USA)

Posted 06 February 2005 - 01:14 PM

It is the same file. Send the file to grinler@yahoo.com instead.

#7 Crimson_World (Topic Starter; Members, 17 posts)

Posted 07 February 2005 - 11:24 PM

Email has been sent.

#8 Grinler (Lawrence Abrams; Admin, 43,389 posts; Location: USA)

Posted 08 February 2005 - 07:34 PM

My bad, you are right. Nice catch...

OK, let's try something else, as your log is clean. Click on Start, Run, type services.msc and press Enter. Tell me if the Messenger service is on. If it is, turn it off and disable it. Reboot.

Tell me if the problems continue. You may have been getting Messenger spam.
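The same check and fix, done from an elevated PowerShell prompt instead of services.msc, as an added example that is not part of the thread. It assumes an OS that still ships the Messenger service (Windows XP / Server 2003); Windows Vista and later removed it, so on those systems the "not present" branch is the expected result. The `Messenger` service name and the `Win32_Service` class are real; everything else is this example's own.

```powershell
# Added example, not from the thread: report the Messenger service state,
# stop it if running, and set its startup type to Disabled so it does not
# come back after the reboot. Run from an elevated prompt.
$name = 'Messenger'

$svc = Get-Service -Name $name -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "Service '$name' is not present on this system; nothing to do."
    return
}

# Win32_Service exposes the start mode (Auto / Manual / Disabled), which
# Get-Service does not show on older PowerShell versions.
$before = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
Write-Output ("Before: state={0} startmode={1}" -f $before.State, $before.StartMode)

if ($svc.Status -eq 'Running') {
    Stop-Service -Name $name -Force
}
Set-Service -Name $name -StartupType Disabled

$after = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
Write-Output ("After:  state={0} startmode={1}" -f $after.State, $after.StartMode)
```

Disabling the service removes the display mechanism the pop-up relies on, which is why the "security bulletin" stops appearing even though nothing on disk changed. The other half of the mitigation, already present in the log above as ZoneAlarm, is a host firewall that drops unsolicited inbound traffic, so the messages never reach the service in the first place.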

#9 Crimson_World (Topic Starter; Members, 17 posts)

Posted 09 February 2005 - 02:53 PM

Messenger service was on, now disabled. Thanks for the help Grinler, I'll see if it still comes up. If it does, I'll tell you soon.
