 |  |  |  |  |  |  |  |
Hello, im in dire need of help.
 |
I dont suppose anyone could help me with some computer problems i am having. Im thinking what is happening is due to some major spyware and adware that got put on last week sometime which is why im posting here. Basically i had around 200 entries from all sorts of crap appear in spybot, alot appear in adaware too which i have removed. I normally do this weekly but it has never got that bad. I have removed all of those, restarted scanned again etc. Been through Hijack this and removed all the suspicious entries (but i will still post my log though i think its clean). And basically i still have some form of adware or spyware on my pc. The same pages, some phone crappy page and another named adw-a-r-e keeps repeatadly opening whilst im browsing my usual sites and even when im not. These are not being picked up by on either of your normal removal software. Eventually ater about 20min sometimes 2 hours my computer just restarts itself. My start menu and toolbar goes a wierd pale colour and bang just clonks. Im running window xp home and have run a hardware testing util named sisoft sandra5 to line out hardware failure but its just left me clueless. If any of you could help, here is my hijack this log if it will do any good
Logfile of HijackThis v1.99.0
Scan saved at 17:30:01, on 16/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ccApp1.exe **i dont know what the heck this is and cant even find the file, norton only loads up ccApp.exe and theres no info on this anywhere.**
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Ad-watch 3.0.lnk = C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099841379359
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D37110-AFE5-410D-9A76-F85725D3F2E6}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Yeah and just looking over that again i want to point out this entry
C:\WINDOWS\system32\ccApp1.exe **i dont know what the heck this is and cant even find the file, norton only loads up ccApp.exe and theres no info on this anywhere.**
I cant find the exectutable anywhere and this shouldnt be loaded, not on startup entried nothing.
Logfile of HijackThis v1.99.0
Scan saved at 17:30:01, on 16/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ccApp1.exe **i dont know what the heck this is and cant even find the file, norton only loads up ccApp.exe and theres no info on this anywhere.**
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Ad-watch 3.0.lnk = C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099841379359
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D37110-AFE5-410D-9A76-F85725D3F2E6}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Yeah and just looking over that again i want to point out this entry
C:\WINDOWS\system32\ccApp1.exe **i dont know what the heck this is and cant even find the file, norton only loads up ccApp.exe and theres no info on this anywhere.**
I cant find the exectutable anywhere and this shouldnt be loaded, not on startup entried nothing.
Oh and i dont know if this may help at all, but since this has started happening i cannot empty my recycle bin or even view its contents. It says i have 9 items in there at the mo but i cant see them and when i empty they wont go.
•
•
Join Date: Feb 2004
Posts: 10,107
Reputation: 
Solved Threads: 768
Download and run VX2Finder(.exe).
http://www.downloads.subratam.org/VX2Finder.exe
Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2 related files and registry keys and when present display them in its logfile. Tocreate a logfile, click the button named: 'Make Log'. This will open logfile using Notepadt. Please post (copy/paste) the results and post them in this topic
Download these two tools:
http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe
Run Dllcompare, by clicking the "Run Locate.com" then click Compare button... when done post that log here..do not reboot because all the filenames will change otherwise.
Have killbox ready, you'll have a few files to delete in a certain way.
http://www.downloads.subratam.org/VX2Finder.exe
Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2 related files and registry keys and when present display them in its logfile. Tocreate a logfile, click the button named: 'Make Log'. This will open logfile using Notepadt. Please post (copy/paste) the results and post them in this topic
Download these two tools:
http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe
Run Dllcompare, by clicking the "Run Locate.com" then click Compare button... when done post that log here..do not reboot because all the filenames will change otherwise.
Have killbox ready, you'll have a few files to delete in a certain way.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Right here is the log file of vx2finder:
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
ccApp1
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
Shell Extensions
termsrv
wlballoon
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
{F28B952E-A07A-4532-8C98-692817F66F74}
And here is the log file which was made through Dllcompare
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\ddnhupnp.dll Wed 15 Dec 2004 17:30:16 ..S.R 223,092 217.86 K
C:\WINDOWS\SYSTEM32\dn4801~1.dll Wed 15 Dec 2004 22:53:28 ..S.R 223,473 218.23 K
C:\WINDOWS\SYSTEM32\fbsres.dll Fri 17 Dec 2004 0:17:06 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\frscomex.dll Fri 17 Dec 2004 0:10:28 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\g0220a~1.dll Thu 16 Dec 2004 23:11:12 ..S.R 225,199 219.92 K
C:\WINDOWS\SYSTEM32\g422le~1.dll Thu 16 Dec 2004 0:12:14 ..S.R 224,346 219.09 K
C:\WINDOWS\SYSTEM32\imctl.dll Wed 15 Dec 2004 17:24:48 ..S.R 224,233 218.98 K
C:\WINDOWS\SYSTEM32\imuv_32.dll Fri 17 Dec 2004 20:34:24 ..S.R 224,828 219.56 K
C:\WINDOWS\SYSTEM32\kt4ml7~1.dll Wed 15 Dec 2004 16:21:34 ..S.R 225,205 219.93 K
C:\WINDOWS\SYSTEM32\ktrsl7~1.dll Sun 12 Dec 2004 1:38:04 ..S.R 224,912 219.64 K
C:\WINDOWS\SYSTEM32\lv8209~1.dll Wed 15 Dec 2004 23:16:50 ..S.R 223,843 218.59 K
C:\WINDOWS\SYSTEM32\m028la~1.dll Thu 16 Dec 2004 0:07:38 ..S.R 226,166 220.86 K
C:\WINDOWS\SYSTEM32\mhxml.dll Wed 15 Dec 2004 22:54:36 ..S.R 223,092 217.86 K
C:\WINDOWS\SYSTEM32\mqxml4a.dll Thu 16 Dec 2004 0:07:38 ..S.R 224,346 219.09 K
C:\WINDOWS\SYSTEM32\mv24l9~1.dll Fri 17 Dec 2004 0:21:04 ..S.R 224,828 219.56 K
C:\WINDOWS\SYSTEM32\mvr8l9~1.dll Thu 16 Dec 2004 23:38:58 ..S.R 223,111 217.88 K
C:\WINDOWS\SYSTEM32\o0480a~1.dll Wed 15 Dec 2004 0:45:08 ..S.R 224,665 219.40 K
C:\WINDOWS\SYSTEM32\p0p60a~1.dll Wed 15 Dec 2004 17:44:16 ..S.R 225,022 219.75 K
C:\WINDOWS\SYSTEM32\pwrfnet.dll Wed 15 Dec 2004 16:28:20 ..S.R 225,205 219.93 K
C:\WINDOWS\SYSTEM32\r4p80e~1.dll Fri 17 Dec 2004 1:53:08 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\rsipxmib.dll Thu 16 Dec 2004 22:05:44 ..S.R 224,389 219.13 K
C:\WINDOWS\SYSTEM32\whlpda~1.dll Sat 2 Aug 2003 9:11:04 ...H. 2,045 1.99 K
C:\WINDOWS\SYSTEM32\widmlog.dll Thu 16 Dec 2004 18:21:40 ..S.R 224,389 219.13 K
C:\WINDOWS\SYSTEM32\wiploc.dll Thu 16 Dec 2004 22:20:12 ..S.R 225,199 219.92 K
C:\WINDOWS\SYSTEM32\wpadss.dll Tue 14 Dec 2004 21:18:42 ..S.R 224,990 219.71 K
________________________________________________
1,286 items found: 1,286 files (25 H/S), 0 directories.
Total of file sizes: 248,249,699 bytes 236.75 M
Administrator Account = True
--------------------End log---------------------
I Finally got the ccapp1.exe and ccapp1.dll removed from my pc after 3 hours of fiddling, damn thing was even hiding the files through safe mode so it was a complete **** to remove. These is a file called ceozkz.exe somewhere inside my system32 directory which i still cannot remove. Norton picked up on it but couldnt delete and i just cannot find it after hours of fiddling. At least the computer randomly restarting has been fixed, i think this eas due to the ccapp1 thing but i still have the adaware on my pc which is not picked up on.
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
ccApp1
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
Shell Extensions
termsrv
wlballoon
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
{F28B952E-A07A-4532-8C98-692817F66F74}
And here is the log file which was made through Dllcompare
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\ddnhupnp.dll Wed 15 Dec 2004 17:30:16 ..S.R 223,092 217.86 K
C:\WINDOWS\SYSTEM32\dn4801~1.dll Wed 15 Dec 2004 22:53:28 ..S.R 223,473 218.23 K
C:\WINDOWS\SYSTEM32\fbsres.dll Fri 17 Dec 2004 0:17:06 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\frscomex.dll Fri 17 Dec 2004 0:10:28 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\g0220a~1.dll Thu 16 Dec 2004 23:11:12 ..S.R 225,199 219.92 K
C:\WINDOWS\SYSTEM32\g422le~1.dll Thu 16 Dec 2004 0:12:14 ..S.R 224,346 219.09 K
C:\WINDOWS\SYSTEM32\imctl.dll Wed 15 Dec 2004 17:24:48 ..S.R 224,233 218.98 K
C:\WINDOWS\SYSTEM32\imuv_32.dll Fri 17 Dec 2004 20:34:24 ..S.R 224,828 219.56 K
C:\WINDOWS\SYSTEM32\kt4ml7~1.dll Wed 15 Dec 2004 16:21:34 ..S.R 225,205 219.93 K
C:\WINDOWS\SYSTEM32\ktrsl7~1.dll Sun 12 Dec 2004 1:38:04 ..S.R 224,912 219.64 K
C:\WINDOWS\SYSTEM32\lv8209~1.dll Wed 15 Dec 2004 23:16:50 ..S.R 223,843 218.59 K
C:\WINDOWS\SYSTEM32\m028la~1.dll Thu 16 Dec 2004 0:07:38 ..S.R 226,166 220.86 K
C:\WINDOWS\SYSTEM32\mhxml.dll Wed 15 Dec 2004 22:54:36 ..S.R 223,092 217.86 K
C:\WINDOWS\SYSTEM32\mqxml4a.dll Thu 16 Dec 2004 0:07:38 ..S.R 224,346 219.09 K
C:\WINDOWS\SYSTEM32\mv24l9~1.dll Fri 17 Dec 2004 0:21:04 ..S.R 224,828 219.56 K
C:\WINDOWS\SYSTEM32\mvr8l9~1.dll Thu 16 Dec 2004 23:38:58 ..S.R 223,111 217.88 K
C:\WINDOWS\SYSTEM32\o0480a~1.dll Wed 15 Dec 2004 0:45:08 ..S.R 224,665 219.40 K
C:\WINDOWS\SYSTEM32\p0p60a~1.dll Wed 15 Dec 2004 17:44:16 ..S.R 225,022 219.75 K
C:\WINDOWS\SYSTEM32\pwrfnet.dll Wed 15 Dec 2004 16:28:20 ..S.R 225,205 219.93 K
C:\WINDOWS\SYSTEM32\r4p80e~1.dll Fri 17 Dec 2004 1:53:08 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\rsipxmib.dll Thu 16 Dec 2004 22:05:44 ..S.R 224,389 219.13 K
C:\WINDOWS\SYSTEM32\whlpda~1.dll Sat 2 Aug 2003 9:11:04 ...H. 2,045 1.99 K
C:\WINDOWS\SYSTEM32\widmlog.dll Thu 16 Dec 2004 18:21:40 ..S.R 224,389 219.13 K
C:\WINDOWS\SYSTEM32\wiploc.dll Thu 16 Dec 2004 22:20:12 ..S.R 225,199 219.92 K
C:\WINDOWS\SYSTEM32\wpadss.dll Tue 14 Dec 2004 21:18:42 ..S.R 224,990 219.71 K
________________________________________________
1,286 items found: 1,286 files (25 H/S), 0 directories.
Total of file sizes: 248,249,699 bytes 236.75 M
Administrator Account = True
--------------------End log---------------------
I Finally got the ccapp1.exe and ccapp1.dll removed from my pc after 3 hours of fiddling, damn thing was even hiding the files through safe mode so it was a complete **** to remove. These is a file called ceozkz.exe somewhere inside my system32 directory which i still cannot remove. Norton picked up on it but couldnt delete and i just cannot find it after hours of fiddling. At least the computer randomly restarting has been fixed, i think this eas due to the ccapp1 thing but i still have the adaware on my pc which is not picked up on.
•
•
Join Date: Feb 2004
Posts: 10,107
Reputation:
Solved Threads: 768
You got the latest VX2 infection. Stay offline whilst doing the following fix.
Run the killbox. Paste in the following line;
C:\WINDOWS\SYSTEM32\ddnhupnp.dll
With the full path to the file name in the topmost textbox, click the option Use Dummy which will create a numbered dummy file instantly for you.
Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to Reboot now? you will need to click No (since you are not finished adding all related files in yet)
Repeat the process for all the following and after the last line, reboot;
C:\WINDOWS\SYSTEM32\dn4801~1.dll
C:\WINDOWS\SYSTEM32\fbsres.dll
C:\WINDOWS\SYSTEM32\frscomex.dll
C:\WINDOWS\SYSTEM32\g0220a~1.dll
C:\WINDOWS\SYSTEM32\g422le~1.dll
C:\WINDOWS\SYSTEM32\imctl.dll
C:\WINDOWS\SYSTEM32\imuv_32.dll
C:\WINDOWS\SYSTEM32\kt4ml7~1.dll
C:\WINDOWS\SYSTEM32\ktrsl7~1.dll
C:\WINDOWS\SYSTEM32\lv8209~1.dll
C:\WINDOWS\SYSTEM32\m028la~1.dll
C:\WINDOWS\SYSTEM32\mhxml.dll
C:\WINDOWS\SYSTEM32\mqxml4a.dll
C:\WINDOWS\SYSTEM32\mv24l9~1.dll
C:\WINDOWS\SYSTEM32\mvr8l9~1.dll
C:\WINDOWS\SYSTEM32\o0480a~1.dll
C:\WINDOWS\SYSTEM32\p0p60a~1.dll
C:\WINDOWS\SYSTEM32\pwrfnet.dll
C:\WINDOWS\SYSTEM32\r4p80e~1.dll
C:\WINDOWS\SYSTEM32\rsipxmib.dll
C:\WINDOWS\SYSTEM32\whlpda~1.dll
C:\WINDOWS\SYSTEM32\widmlog.dll
C:\WINDOWS\SYSTEM32\wiploc.dll
C:\WINDOWS\SYSTEM32\wpadss.dll
C:\Windows\System32\Guard.tmp
After a Reboot, Use the DllCompare again and create another log.
If all was successful, it should be empty. Post that log here.
Run the killbox. Paste in the following line;
C:\WINDOWS\SYSTEM32\ddnhupnp.dll
With the full path to the file name in the topmost textbox, click the option Use Dummy which will create a numbered dummy file instantly for you.
Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to Reboot now? you will need to click No (since you are not finished adding all related files in yet)
Repeat the process for all the following and after the last line, reboot;
C:\WINDOWS\SYSTEM32\dn4801~1.dll
C:\WINDOWS\SYSTEM32\fbsres.dll
C:\WINDOWS\SYSTEM32\frscomex.dll
C:\WINDOWS\SYSTEM32\g0220a~1.dll
C:\WINDOWS\SYSTEM32\g422le~1.dll
C:\WINDOWS\SYSTEM32\imctl.dll
C:\WINDOWS\SYSTEM32\imuv_32.dll
C:\WINDOWS\SYSTEM32\kt4ml7~1.dll
C:\WINDOWS\SYSTEM32\ktrsl7~1.dll
C:\WINDOWS\SYSTEM32\lv8209~1.dll
C:\WINDOWS\SYSTEM32\m028la~1.dll
C:\WINDOWS\SYSTEM32\mhxml.dll
C:\WINDOWS\SYSTEM32\mqxml4a.dll
C:\WINDOWS\SYSTEM32\mv24l9~1.dll
C:\WINDOWS\SYSTEM32\mvr8l9~1.dll
C:\WINDOWS\SYSTEM32\o0480a~1.dll
C:\WINDOWS\SYSTEM32\p0p60a~1.dll
C:\WINDOWS\SYSTEM32\pwrfnet.dll
C:\WINDOWS\SYSTEM32\r4p80e~1.dll
C:\WINDOWS\SYSTEM32\rsipxmib.dll
C:\WINDOWS\SYSTEM32\whlpda~1.dll
C:\WINDOWS\SYSTEM32\widmlog.dll
C:\WINDOWS\SYSTEM32\wiploc.dll
C:\WINDOWS\SYSTEM32\wpadss.dll
C:\Windows\System32\Guard.tmp
After a Reboot, Use the DllCompare again and create another log.
If all was successful, it should be empty. Post that log here.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Well the check came up with nothing, log file said my system was clean so thats fixed now. Will just have to see how the system goes 
Thanks for all your help m8. I dont suppose you could give me any info on this vx2 infection so i could detect it myself without having to hasstle you guys again?
Thanks for all your help m8. I dont suppose you could give me any info on this vx2 infection so i could detect it myself without having to hasstle you guys again? •
•
Join Date: Feb 2004
Posts: 10,107
Reputation:
Solved Threads: 768
The reason I asked for another log is because there is more to do . You are still infected.
Open the registry editor and go to:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg
Right click on it and then edit. Copy and paste the results here.
Post another dll compare log too.
. You are still infected. Open the registry editor and go to:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg
Right click on it and then edit. Copy and paste the results here.
Post another dll compare log too.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Right here are the resulsts of the registry entries
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ccApp1]
"DllName"="ccApp1.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="WLELock"
"Logoff"="WLELogoff"
"Logon"="WLELogon"
"Shutdown"="WLEShutdown"
"StartScreenSaver"="WLEStartScreenSaver"
"Startup"="WLEStartup"
"StopScreenSaver"="WLEStopScreenSaver"
"Unlock"="WLEUnlock"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MSSYCLM]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r4p80e7ueh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
And here is the dll compare log
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found"
________________________________________________
1,286 items found: 1,286 files, 0 directories.
Total of file sizes: 242,864,324 bytes 231.61 M
Administrator Account = True
--------------------End log---------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ccApp1]
"DllName"="ccApp1.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="WLELock"
"Logoff"="WLELogoff"
"Logon"="WLELogon"
"Shutdown"="WLEShutdown"
"StartScreenSaver"="WLEStartScreenSaver"
"Startup"="WLEStartup"
"StopScreenSaver"="WLEStopScreenSaver"
"Unlock"="WLEUnlock"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MSSYCLM]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r4p80e7ueh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
And here is the dll compare log
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
"________________________________________________
1,286 items found: 1,286 files, 0 directories.
Total of file sizes: 242,864,324 bytes 231.61 M
Administrator Account = True
--------------------End log---------------------
•
•
Join Date: Feb 2004
Posts: 10,107
Reputation:
Solved Threads: 768
Open the registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Backup this key before doing the following; Right click on the subkey MSSYCLM and select delete.
Open Killbox and Copy & Paste the path to the Desktop.ini for recycle bin.
ie:
C:\RECYCLER\Desktop.ini
Click Red X to delete it.
Also paste in C:\Windows\System32\Guard.tmp again and click the red X to delete that.
Run VX2Finder and click the *Click to find etc* button. Then hit the *restore policy* button and follow the prompts. Click the *UserAgent$* button and follow the prompts. Exit the program.
Reboot. Post another hijackthis log as well as a log from VX2Finder.
Open Killbox and Copy & Paste the path to the Desktop.ini for recycle bin.
ie:
C:\RECYCLER\Desktop.ini
Click Red X to delete it.
Also paste in C:\Windows\System32\Guard.tmp again and click the red X to delete that.
Run VX2Finder and click the *Click to find etc* button. Then hit the *restore policy* button and follow the prompts. Click the *UserAgent$* button and follow the prompts. Exit the program.
Reboot. Post another hijackthis log as well as a log from VX2Finder.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Aight here is the hijackthis log
Logfile of HijackThis v1.99.0
Scan saved at 01:20:32, on 19/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Ad-watch 3.0.lnk = C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099841379359
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D37110-AFE5-410D-9A76-F85725D3F2E6}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Cant see anything myself on there but im open to mistakes
And here is thatvx2 finder log too
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
ccApp1
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
Logfile of HijackThis v1.99.0
Scan saved at 01:20:32, on 19/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Ad-watch 3.0.lnk = C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099841379359
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D37110-AFE5-410D-9A76-F85725D3F2E6}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Cant see anything myself on there but im open to mistakes
And here is thatvx2 finder log tooLog for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
ccApp1
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
|
Similar Threads
- 4 short programs (Java)
- Scientific word processor (Computer Science)
- .OCX Could not be loaded (Visual Basic 4 / 5 / 6)
- Olympic moments (Geeks' Lounge)
- Broken Folder Icon OSX 10.04 Startup (OS X)
- Someone please save me from About:Blank (Viruses, Spyware and other Nasties)
- Ever Notice this? (*nix Software)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Can't get rid of Backdoor.Colfusion
- Next Thread: iexplore.exe; rundll32.exe; HiJackThis Log Posted - Please help
Views: 3356 | Replies: 13
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
adobe adware anti-malware anti-virussitesaccessissue antivirus attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china combofix commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gaming gumblar hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile news norton obama panel parents patch pc phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus rootkit scareware school search security seopoisoning software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system threat trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista volume warning windows worm zero-day
