HijackThis Log: Please help diagnose. VX2?

#1 mike_westley

Posted 04 April 2005 - 08:51 PM

Hello:

Could someone please help me clean my computer, please?

Symptoms are an Internet Explorer home page that reverts to a hijacked homepage every other time I run it (about:blank), as well as new links that appear even after removal.

I have run ad-aware and it detects VX2, but cannot ever fully remove it. I even tried the VX2 add on, and it says my system is clean (which it is not).

I have attached my HijackThis log. Since I ran this, I have not rebooted my PC.

Thanks,
Mike
+++++++++++++++++++++++++++++++++++++++++


Logfile of HijackThis v1.99.1
Scan saved at 6:39:14 PM, on 4/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apex\ApexAgnt.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel NetStructure VPN Client\icsrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\ntra32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atlwc32.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\csuwp.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\csuwp.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\csuwp.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\csuwp.dll/sp.html#12345
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,"C:\Program Files\Apex\ApexAgnt.exe" -l
O2 - BHO: (no name) - {A9282EF2-B6A1-E5E7-7373-5AEDBA756601} - C:\WINNT\crdj32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ntra32.exe] C:\WINNT\system32\ntra32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunOnce: [atlwc32.exe] C:\WINNT\system32\atlwc32.exe
O4 - HKLM\..\RunOnce: [javakm.exe] C:\WINNT\system32\javakm.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {273CA751-681C-4887-8F3D-5F09DDA824BD} (PullTry.Lips) - http://iss.intel.com/pulltry.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/0816362ae34da3a38319/netzip/RdxIE.cab
O16 - DPF: {D6FE3B24-BAAD-11D2-9717-00AA00A3F20C} (NewCtrl Class) - http://iss.intel.com/iss.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://costco.internetimagingnetwork.com/a...x/PCAXSetup.cab?
O16 - DPF: {F2B3A31A-C56E-4A6E-8E0E-80DACF232ABE} (WMMOutlook.WMMPAB) - http://wmm.fm.patch.intel.com/Activex/WMMOutlook.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 134.134.194.1 134.134.131.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 134.134.194.1 134.134.131.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 134.134.194.1 134.134.131.1
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\sdkbk32.exe (file missing)
O23 - Service: ISS Agent Service (ApexAgent) - Intel Corporation - C:\Program Files\Apex\ApexAgnt.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BlackICE - Network ICE Corporation - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel NetStructure™ VPN Client (ICService) - Unknown owner - C:\Program Files\Intel NetStructure VPN Client\icsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#2 OldTimer

Malware Expert

Posted 04 April 2005 - 10:18 PM

Hello mike_westley and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Step #2

Click Start>Run, type services.msc into the edit box and then click Ok. In the Services window locate Network Security Service and click the Stop button. In the Startup type dropdown box select Disabled. Click the Apply button and then the Ok button. Close the Services window.

Click Start>Run, type cmd into the edit box and click the Ok button. Copy/paste the line below into the command prompt window and press the Enter key.

sc delete 11F#`I

Close the command prompt window.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\csuwp.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\csuwp.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\csuwp.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\csuwp.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9282EF2-B6A1-E5E7-7373-5AEDBA756601} - C:\WINNT\crdj32.dll
O4 - HKLM\..\Run: [ntra32.exe] C:\WINNT\system32\ntra32.exe
O4 - HKLM\..\RunOnce: [atlwc32.exe] C:\WINNT\system32\atlwc32.exe
O4 - HKLM\..\RunOnce: [javakm.exe] C:\WINNT\system32\javakm.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/0816362ae34da3a38319/netzip/RdxIE.cab
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\sdkbk32.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINNT\csuwp.dll
C:\WINNT\crdj32.dll
C:\WINNT\system32\ntra32.exe
C:\WINNT\system32\atlwc32.exe
C:\WINNT\system32\javakm.exe
C:\WINNT\sdkbk32.exe
C:\WINNT\system32\devldr32.exe

Next, let's clean up the temporary folders:
  • Click Start
  • Point to Programs
  • Point to Accessories
  • Point to System Tools
  • Click Disk Cleanup
  • Select the following items that are present and then click the OK button:
      • Temp Setup Files
      • Downloaded Program Files
      • Temp Internet Files
      • Debug Dump Files
      • Office Setup Files
      • old chkdsk files
      • Recycle Bin
      • Temp Remote Desktop Files
      • Setup Log Files
      • Temp Files
      • WebClient temp files

Step #6

Make sure that all windows are closed, start CWShredder and choose FIX.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
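The entries OldTimer singled out follow a few recognizable patterns in the HijackThis log format (IE pages pointed at a local res:// DLL, an unnamed BHO, Run values named after their own executable, a DPF codebase that is not an http(s) URL, services whose file is missing). As an added example that is not from the thread or from HijackThis itself, this Python parser splits log lines into section code and body and applies those patterns as triage heuristics; the sample entries are copied from the log above, and the heuristics are illustrative assumptions, not HijackThis's own logic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entries copied from the posted log, including one benign
# Run entry (vptray) and one benign service (DefWatch) as negatives.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\csuwp.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {A9282EF2-B6A1-E5E7-7373-5AEDBA756601} - C:\WINNT\crdj32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunOnce: [javakm.exe] C:\WINNT\system32\javakm.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\sdkbk32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_entry(line):
    """Split one HijackThis line into section code and body; None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_entry(entry):
    """Return a reason if the entry trips a review heuristic (assumed), else None."""
    sec, body = entry["section"], entry["body"]
    if sec in ("R0", "R1"):
        if "res://" in body:  # IE start/search page served from a local DLL resource
            return "IE page redirected to local res:// DLL"
        if body.rstrip().endswith("="):
            return "blanked IE setting"
    elif sec == "O2" and "(no name)" in body:
        return "unnamed BHO"
    elif sec == "O4":  # heuristic: value name is simply the executable's own filename
        m = RUN_RE.search(body)
        if m and m.group("cmd").lower().endswith("\\" + m.group("label").lower()):
            return "Run entry named after its own executable"
    elif sec == "O16":
        codebase = body.rsplit(" - ", 1)[-1]
        if urlsplit(codebase).scheme not in ("http", "https"):
            return "DPF codebase is not an http(s) URL"
    elif sec in ("O20", "O23") and "(file missing)" in body:
        return "service/notify entry points at a missing file"
    return None


def triage(log_text):
    """Return [(section, reason, line)] for every entry a heuristic flags."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        reason = flag_entry(entry) if entry else None
        if reason:
            hits.append((entry["section"], reason, line.strip()))
    return hits
```

Running `triage(SAMPLE_LOG)` returns six hits, one per flagged pattern, while the vptray and DefWatch lines pass; flagged entries still need a human decision, as the benign x10nets "(file missing)" service in the same log shows.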

#3 mike_westley (Topic Starter)

Posted 04 April 2005 - 11:46 PM

Thank you for the help. I followed the instructions as best I could.

I did not mention I was on the internet from a different, uninfected computer. I had the network cable from the infected machine unplugged. Thus, for step 1, I could not check for CWShredder updates (I tried reconnecting the cable and could not get a connection -- I did not reboot as I was afraid the spyware would change again). So I just used CWShredder without an update.

For step 2, I got an error disabling the network security service, but it showed as disabled. I also got a file not found for the "sc" command.

For step 4, I did not have O23.

For step 5, devldr32.exe was locked (I was in safe mode). I found a process with this name and killed it. Then I was able to delete devldr32.exe.

All the other steps I did not mention went ok.

My computer seems to be infection free, as much as I can tell. Here is my HJT log:
+++++++++++++++++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 9:24:06 PM, on 4/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apex\ApexAgnt.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel NetStructure VPN Client\icsrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\hjt\HijackThis.exe
C:\WINNT\system32\svchost.exe

F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,"C:\Program Files\Apex\ApexAgnt.exe" -l
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {273CA751-681C-4887-8F3D-5F09DDA824BD} (PullTry.Lips) - http://iss.intel.com/pulltry.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {D6FE3B24-BAAD-11D2-9717-00AA00A3F20C} (NewCtrl Class) - http://iss.intel.com/iss.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://costco.internetimagingnetwork.com/a...x/PCAXSetup.cab?
O16 - DPF: {F2B3A31A-C56E-4A6E-8E0E-80DACF232ABE} (WMMOutlook.WMMPAB) - http://wmm.fm.patch.intel.com/Activex/WMMOutlook.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 134.134.194.1 134.134.131.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 134.134.194.1 134.134.131.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 134.134.194.1 134.134.131.1
O23 - Service: ISS Agent Service (ApexAgent) - Intel Corporation - C:\Program Files\Apex\ApexAgnt.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BlackICE - Network ICE Corporation - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Administrator\Desktop\CWShredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel NetStructure™ VPN Client (ICService) - Unknown owner - C:\Program Files\Intel NetStructure VPN Client\icsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
+++++++++++++++++++++++++++

#4 OldTimer

Malware Expert

Posted 05 April 2005 - 12:14 AM

Hi Mike. Log looks Ok. Before we finish up let me know how things are running. Any problems? Can you connect and get back on the internet?

Post back here and let me know and then we've got a couple of steps to perform to finish up. I'll also have some suggestions for free software for you to help protect you in the future.

Cheers.

OT:)
#5 mike_westley (Topic Starter)

Posted 05 April 2005 - 12:20 AM

Yes, I am posting from the "infected" computer now. Seems to be ok.

I ran Ad-Aware and it did not find VX2 for the first time in days. It was clean. After I came to this forum it found some cookies (cookies from doubleclick.net and tribalfusion.com), but no VX2.

I really appreciate all your help.

Mike