
Persistent VX2- Hijack this logs


1 reply to this topic

#1 vx2hater (Members, 2 posts)

Posted 13 January 2005 - 04:56 PM

I have a persistent infection on a different computer that Ad-aware identifies as VX2 but nothing can eliminate it so far. Any tips?

I have already run HijackThis 1.99 and find.bat, logs below. Computer is running and not rebooted.
--------------------------------------

Logfile of HijackThis v1.99.0
Scan saved at 1:55:27 PM, on 1/13/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\NVATray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\3apps\Catapult\3listen.exe
C:\3apps\Catapult\APPIPC.exe
C:\WINNT\System32\P32HELP.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: Eagle Listener.lnk = C:\3apps\Catapult\3listen.exe
O4 - Startup: Eagle Scheduler.lnk = C:\3apps\Catapult\Sched.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

----------------------------------------
FIND.BAT log file:
----------------------------------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: A:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 648B-6BE3

Directory of C:\WINNT\System32

01/13/2005 01:40p 225,248 guard.tmp
01/13/2005 01:38p 225,248 kedpo.dll
01/13/2005 01:35p 56 c6000gdme60a0.dll
01/13/2005 12:41p 225,248 ir80l5lm1.dll
01/13/2005 12:08p 225,363 kndit.dll
01/10/2005 11:29a 224,585 mdident.dll
01/07/2005 10:54a 224,585 ivq.dll
01/07/2005 10:45a 224,585 j8n2li5o18.dll
01/07/2005 10:38a 224,585 namssvc.dll
01/07/2005 10:03a 224,585 UKTFS.DLL
01/07/2005 09:49a 224,585 nvtplwiz.dll
01/06/2005 11:17a 224,585 ddmclien.dll
01/05/2005 04:50p 224,937 j42qlef51h2.dll
01/05/2005 11:13a 224,937 mwcsubs.dll
01/05/2005 11:04a 224,585 dycprop2.dll
01/05/2005 10:32a 224,937 mxxml3.dll
01/05/2005 09:36a 224,585 iessuba.dll
01/04/2005 04:39p 224,937 whnsock.dll
01/04/2005 02:48p 224,585 mxcories.dll
01/04/2005 02:44p 224,585 nrwrssk.dll
02/18/2004 02:29p <DIR> dllcache
20 File(s) 4,271,346 bytes
1 Dir(s) 14,968,958,976 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 648B-6BE3

Directory of C:\WINNT\System32

01/04/2005 01:45p <DIR> vmss
01/04/2005 01:45p <DIR> wsxsvc
02/18/2004 02:29p <DIR> dllcache
04/12/2003 05:17p <DIR> GroupPolicy
04/12/2003 05:10p 21,692 folder.htt
04/12/2003 05:10p 271 desktop.ini
2 File(s) 21,963 bytes
4 Dir(s) 14,968,958,976 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 648B-6BE3

Directory of C:\WINNT\System32

01/13/2005 01:40p 225,248 guard.tmp
1 File(s) 225,248 bytes
0 Dir(s) 14,968,958,976 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 648B-6BE3

Directory of C:\WINNT\System32

01/13/2005 01:40p 225,248 guard.tmp
05/08/2001 04:00a 2,577 CONFIG.TMP
2 File(s) 227,825 bytes
0 Dir(s) 14,968,958,976 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7D23DC40-CE74-4D69-8466-1684D4057486}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\ir80l5lm1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
c6000g~1.dll Thu Jan 13 2005 1:35:06p ..S.R 56 0.05 K
ddmclien.dll Thu Jan 6 2005 11:17:32a ..S.R 224,585 219.32 K
dycprop2.dll Wed Jan 5 2005 11:04:06a ..S.R 224,585 219.32 K
guard.tmp Thu Jan 13 2005 1:40:02p ..S.R 225,248 219.97 K
iessuba.dll Wed Jan 5 2005 9:36:58a ..S.R 224,585 219.32 K
ir80l5~1.dll Thu Jan 13 2005 12:41:52p ..S.R 225,248 219.97 K
ivq.dll Fri Jan 7 2005 10:54:24a ..S.R 224,585 219.32 K
j42qle~1.dll Wed Jan 5 2005 4:50:28p ..S.R 224,937 219.66 K
j8n2li~1.dll Fri Jan 7 2005 10:45:12a ..S.R 224,585 219.32 K
kedpo.dll Thu Jan 13 2005 1:38:02p ..S.R 225,248 219.97 K
kndit.dll Thu Jan 13 2005 12:08:26p ..S.R 225,363 220.08 K
mdident.dll Mon Jan 10 2005 11:29:02a ..S.R 224,585 219.32 K
mwcsubs.dll Wed Jan 5 2005 11:13:28a ..S.R 224,937 219.66 K
mxcories.dll Tue Jan 4 2005 2:48:54p ..S.R 224,585 219.32 K
mxxml3.dll Wed Jan 5 2005 10:32:14a ..S.R 224,937 219.66 K
namssvc.dll Fri Jan 7 2005 10:38:12a ..S.R 224,585 219.32 K
nrwrssk.dll Tue Jan 4 2005 2:44:02p ..S.R 224,585 219.32 K
nvtplwiz.dll Fri Jan 7 2005 9:49:56a ..S.R 224,585 219.32 K
uktfs.dll Fri Jan 7 2005 10:04:00a ..S.R 224,585 219.32 K
whnsock.dll Tue Jan 4 2005 4:39:36p ..S.R 224,937 219.66 K

20 items found: 20 files, 0 directories.
Total of file sizes: 4,271,346 bytes 4.07 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"NVIDIA nForce APU1 Utilities"="NVATray.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#2 vx2hater (Topic Starter, Members, 2 posts)

Posted 13 January 2005 - 07:59 PM

Fixed the problem by using killbox to delete the files in the find.bat log date 1/4/05 to 1/13/05 and restarting computer.
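A small triage script, added here as an editor's example and not part of the thread, that automates the check behind the fix above: it parses the two find.bat sections the poster relied on (the System32 directory listing and the Winlogon\Notify keys, excerpted as constructed sample input) and reports groups of same-sized files together with any Notify entry whose DllName loads one of them. Function names and the size-cluster threshold are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed excerpt of the find.bat output posted in this thread (System32 listing, Notify keys).
LISTING = """\
01/13/2005 01:40p 225,248 guard.tmp
01/13/2005 01:38p 225,248 kedpo.dll
01/13/2005 01:35p 56 c6000gdme60a0.dll
01/13/2005 12:41p 225,248 ir80l5lm1.dll
02/18/2004 02:29p <DIR> dllcache
"""
NOTIFY = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"DllName"="C:\\WINNT\\system32\\ir80l5lm1.dll"
"""

def parse_listing(text):
    # One dict per file row of a 'dir' listing; <DIR> rows are skipped.
    rows = []
    for line in text.splitlines():
        m = re.match(r"(\d{2}/\d{2}/\d{4})\s+\S+\s+([\d,]+)\s+(\S+)$", line)
        if m:
            rows.append({"date": m.group(1), "name": m.group(3), "size": int(m.group(2).replace(",", ""))})
    return rows

def parse_notify(text):
    # Map each Winlogon\Notify subkey to the base name of its DllName value.
    hooks, current = {}, None
    for line in text.splitlines():
        key = re.match(r"\[.*\\Winlogon\\Notify\\([^\]]+)\]$", line)
        val = re.match(r'"DllName"="(.*)"$', line, re.IGNORECASE)
        if key:
            current = key.group(1)
        elif val and current:
            path = val.group(1).replace("\\\\", "\\")  # undo .reg escaping
            hooks[current] = path.rsplit("\\", 1)[-1]
    return hooks

def triage(listing, notify, min_cluster=3):
    # Flag same-sized file groups and any Notify hook that loads one of those files.
    files = parse_listing(listing)
    by_size = defaultdict(list)
    for f in files:
        by_size[f["size"]].append(f["name"])
    clusters = {s: n for s, n in by_size.items() if len(n) >= min_cluster}
    names = {f["name"].lower() for f in files}
    hooks = {k: d for k, d in parse_notify(notify).items() if d.lower() in names}
    return clusters, hooks
```

On the thread's full log this pairs the Notify\Nls entry with ir80l5lm1.dll and groups the near-identical 224-225 KB DLLs, which is the set the poster removed; a Notify DLL that lives in System32 under a random name is the finding to act on, since that key reloads the file at every logon.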



