
I don't suppose anyone could help me with some computer problems I am having. I'm thinking what is happening is due to some major spyware and adware that got put on last week sometime, which is why I'm posting here. Basically I had around 200 entries from all sorts of crap appear in Spybot, and a lot appear in Ad-Aware too, which I have removed. I normally do this weekly but it has never got that bad. I have removed all of those, restarted, scanned again etc. Been through HijackThis and removed all the suspicious entries (but I will still post my log, though I think it's clean). And basically I still have some form of adware or spyware on my PC. The same pages, some crappy phone page and another named adw-a-r-e, keep repeatedly opening whilst I'm browsing my usual sites and even when I'm not. These are not being picked up by either of the normal removal programs. Eventually, after about 20 min, sometimes 2 hours, my computer just restarts itself. My start menu and toolbar go a weird pale colour and bang, it just clonks. I'm running Windows XP Home and have run a hardware testing util named SiSoft Sandra 5 to rule out hardware failure, but it's just left me clueless. If any of you could help, here is my HijackThis log, if it will do any good.

Logfile of HijackThis v1.99.0
Scan saved at 17:30:01, on 16/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ccApp1.exe **I don't know what the heck this is and can't even find the file; Norton only loads up ccApp.exe and there's no info on this anywhere.**
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Ad-watch 3.0.lnk = C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099841379359
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D37110-AFE5-410D-9A76-F85725D3F2E6}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Yeah, and just looking over that again, I want to point out this entry:
C:\WINDOWS\system32\ccApp1.exe **I don't know what the heck this is and can't even find the file; Norton only loads up ccApp.exe and there's no info on this anywhere.**
I can't find the executable anywhere and this shouldn't be loaded; it's not in the startup entries, nothing.


Oh, and I don't know if this may help at all, but since this has started happening I cannot empty my Recycle Bin or even view its contents. It says I have 9 items in there at the mo, but I can't see them and when I empty it they won't go.


Download and run VX2Finder(.exe).
http://www.downloads.subratam.org/VX2Finder.exe

Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2-related files and registry keys and, when present, display them in its logfile. To create a logfile, click the button named 'Make Log'. This will open the logfile in Notepad. Please copy/paste the results and post them in this topic.

Download these two tools:

http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe

Run DllCompare by clicking "Run Locate.com", then click the Compare button. When done, post that log here. Do not reboot, because all the filenames will change otherwise.
Have KillBox ready; you'll have a few files to delete in a certain way.


Right, here is the log file of VX2Finder:
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
ccApp1
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
Shell Extensions
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{F28B952E-A07A-4532-8C98-692817F66F74}

And here is the log file which was made through DllCompare:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\ddnhupnp.dll Wed 15 Dec 2004 17:30:16 ..S.R 223,092 217.86 K
C:\WINDOWS\SYSTEM32\dn4801~1.dll Wed 15 Dec 2004 22:53:28 ..S.R 223,473 218.23 K
C:\WINDOWS\SYSTEM32\fbsres.dll Fri 17 Dec 2004 0:17:06 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\frscomex.dll Fri 17 Dec 2004 0:10:28 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\g0220a~1.dll Thu 16 Dec 2004 23:11:12 ..S.R 225,199 219.92 K
C:\WINDOWS\SYSTEM32\g422le~1.dll Thu 16 Dec 2004 0:12:14 ..S.R 224,346 219.09 K
C:\WINDOWS\SYSTEM32\imctl.dll Wed 15 Dec 2004 17:24:48 ..S.R 224,233 218.98 K
C:\WINDOWS\SYSTEM32\imuv_32.dll Fri 17 Dec 2004 20:34:24 ..S.R 224,828 219.56 K
C:\WINDOWS\SYSTEM32\kt4ml7~1.dll Wed 15 Dec 2004 16:21:34 ..S.R 225,205 219.93 K
C:\WINDOWS\SYSTEM32\ktrsl7~1.dll Sun 12 Dec 2004 1:38:04 ..S.R 224,912 219.64 K
C:\WINDOWS\SYSTEM32\lv8209~1.dll Wed 15 Dec 2004 23:16:50 ..S.R 223,843 218.59 K
C:\WINDOWS\SYSTEM32\m028la~1.dll Thu 16 Dec 2004 0:07:38 ..S.R 226,166 220.86 K
C:\WINDOWS\SYSTEM32\mhxml.dll Wed 15 Dec 2004 22:54:36 ..S.R 223,092 217.86 K
C:\WINDOWS\SYSTEM32\mqxml4a.dll Thu 16 Dec 2004 0:07:38 ..S.R 224,346 219.09 K
C:\WINDOWS\SYSTEM32\mv24l9~1.dll Fri 17 Dec 2004 0:21:04 ..S.R 224,828 219.56 K
C:\WINDOWS\SYSTEM32\mvr8l9~1.dll Thu 16 Dec 2004 23:38:58 ..S.R 223,111 217.88 K
C:\WINDOWS\SYSTEM32\o0480a~1.dll Wed 15 Dec 2004 0:45:08 ..S.R 224,665 219.40 K
C:\WINDOWS\SYSTEM32\p0p60a~1.dll Wed 15 Dec 2004 17:44:16 ..S.R 225,022 219.75 K
C:\WINDOWS\SYSTEM32\pwrfnet.dll Wed 15 Dec 2004 16:28:20 ..S.R 225,205 219.93 K
C:\WINDOWS\SYSTEM32\r4p80e~1.dll Fri 17 Dec 2004 1:53:08 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\rsipxmib.dll Thu 16 Dec 2004 22:05:44 ..S.R 224,389 219.13 K
C:\WINDOWS\SYSTEM32\whlpda~1.dll Sat 2 Aug 2003 9:11:04 ...H. 2,045 1.99 K
C:\WINDOWS\SYSTEM32\widmlog.dll Thu 16 Dec 2004 18:21:40 ..S.R 224,389 219.13 K
C:\WINDOWS\SYSTEM32\wiploc.dll Thu 16 Dec 2004 22:20:12 ..S.R 225,199 219.92 K
C:\WINDOWS\SYSTEM32\wpadss.dll Tue 14 Dec 2004 21:18:42 ..S.R 224,990 219.71 K
________________________________________________

1,286 items found: 1,286 files (25 H/S), 0 directories.
Total of file sizes: 248,249,699 bytes 236.75 M

Administrator Account = True

--------------------End log---------------------

I finally got ccapp1.exe and ccapp1.dll removed from my PC after 3 hours of fiddling; the damn thing was even hiding the files in safe mode, so it was a complete arse to remove. There is a file called ceozkz.exe somewhere inside my system32 directory which I still cannot remove. Norton picked up on it but couldn't delete it, and I just cannot find it after hours of fiddling. At least the computer randomly restarting has been fixed, I think this was due to the ccapp1 thing, but I still have the adware on my PC which is not picked up on.


You've got the latest VX2 infection. Stay offline whilst doing the following fix.

Run KillBox. Paste in the following line:

C:\WINDOWS\SYSTEM32\ddnhupnp.dll

With the full path to the file name in the topmost textbox, click the option 'Use Dummy', which will create a numbered dummy file instantly for you.

Click the red X, and for the confirmation message that will appear you will need to click Yes.
A second message will ask 'Reboot now?'; you will need to click No (since you are not finished adding all related files in yet).
Repeat the process for all the following and, after the last line, reboot:

C:\WINDOWS\SYSTEM32\dn4801~1.dll
C:\WINDOWS\SYSTEM32\fbsres.dll
C:\WINDOWS\SYSTEM32\frscomex.dll
C:\WINDOWS\SYSTEM32\g0220a~1.dll
C:\WINDOWS\SYSTEM32\g422le~1.dll
C:\WINDOWS\SYSTEM32\imctl.dll
C:\WINDOWS\SYSTEM32\imuv_32.dll
C:\WINDOWS\SYSTEM32\kt4ml7~1.dll
C:\WINDOWS\SYSTEM32\ktrsl7~1.dll
C:\WINDOWS\SYSTEM32\lv8209~1.dll
C:\WINDOWS\SYSTEM32\m028la~1.dll
C:\WINDOWS\SYSTEM32\mhxml.dll
C:\WINDOWS\SYSTEM32\mqxml4a.dll
C:\WINDOWS\SYSTEM32\mv24l9~1.dll
C:\WINDOWS\SYSTEM32\mvr8l9~1.dll
C:\WINDOWS\SYSTEM32\o0480a~1.dll
C:\WINDOWS\SYSTEM32\p0p60a~1.dll
C:\WINDOWS\SYSTEM32\pwrfnet.dll
C:\WINDOWS\SYSTEM32\r4p80e~1.dll
C:\WINDOWS\SYSTEM32\rsipxmib.dll
C:\WINDOWS\SYSTEM32\whlpda~1.dll
C:\WINDOWS\SYSTEM32\widmlog.dll
C:\WINDOWS\SYSTEM32\wiploc.dll
C:\WINDOWS\SYSTEM32\wpadss.dll
C:\Windows\System32\Guard.tmp

After a reboot, use DllCompare again and create another log.
If all was successful, it should be empty. Post that log here.
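
An added example, not from this thread and not part of the DllCompare tool: a Python script that parses a DllCompare log in the format posted above and flags the pattern behind the helper's file list, namely System+ReadOnly DLLs in System32 that all sit within a few KB of one another. The sample log inside the script is constructed from four lines of the poster's log plus one benign hidden file for contrast; the clustering threshold (at least three files, neighbouring sizes no more than 4 KB apart) is my assumption, not a documented rule.

```python
import re

# Constructed sample: four lines copied from the DllCompare log posted in this
# thread plus one benign hidden file (whlpda~1.dll) for contrast. It is not a
# live scan; parse_dllcompare() reads the same text DllCompare writes to its log.
SAMPLE_LOG = r"""
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\ddnhupnp.dll Wed 15 Dec 2004 17:30:16 ..S.R 223,092 217.86 K
C:\WINDOWS\SYSTEM32\dn4801~1.dll Wed 15 Dec 2004 22:53:28 ..S.R 223,473 218.23 K
C:\WINDOWS\SYSTEM32\fbsres.dll Fri 17 Dec 2004 0:17:06 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\r4p80e~1.dll Fri 17 Dec 2004 1:53:08 ..S.R 223,399 218.16 K
C:\WINDOWS\SYSTEM32\whlpda~1.dll Sat 2 Aug 2003 9:11:04 ...H. 2,045 1.99 K
________________________________________________
"""

# One result line: path, weekday, date, time, five attribute flags
# (S = system, H = hidden, R = read-only; a dot means unset), byte size,
# then the same size in K/M.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+"
    r"(?P<attrs>[.A-Z]{5})\s+(?P<size>[\d,]+)\s+[\d.]+\s+[KMB]$"
)


def parse_dllcompare(text):
    """Return one dict per file line; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        entries.append({
            "path": m.group("path"),
            "system": "S" in attrs,
            "hidden": "H" in attrs,
            "readonly": "R" in attrs,
            "size": int(m.group("size").replace(",", "")),
        })
    return entries


def triage(entries, min_cluster=3, max_gap=4096):
    """Flag System+ReadOnly DLLs under System32 whose sizes cluster together.

    VX2 drops many randomly named copies of what is essentially one DLL, so a
    burst of S+R .dll files within a few KB of each other is the signal; one
    hidden file on its own (whlpda~1.dll in the sample) is not flagged.
    Thresholds are assumptions chosen to fit the log in this thread.
    """
    candidates = [
        e for e in entries
        if "\\system32\\" in e["path"].lower()
        and e["path"].lower().endswith(".dll")
        and e["system"] and e["readonly"]
    ]
    candidates.sort(key=lambda e: e["size"])
    groups, current = [], []
    for e in candidates:
        if current and e["size"] - current[-1]["size"] > max_gap:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [e["path"] for g in groups if len(g) >= min_cluster for e in g]


if __name__ == "__main__":
    for path in triage(parse_dllcompare(SAMPLE_LOG)):
        print("suspect:", path)
```

Names containing `~` are 8.3 short names; the long name is what a registry value will reference (later in this thread r4p80e~1.dll turns out to be r4p80e7ueh.dll in the Winlogon\Notify export), so resolve it before searching the registry for the loader.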


Well, the check came up with nothing; the log file said my system was clean, so that's fixed now. Will just have to see how the system goes :) Thanks for all your help, m8. I don't suppose you could give me any info on this VX2 infection so I could detect it myself without having to hassle you guys again?


The reason I asked for another log is because there is more to do :). You are still infected.
Open the registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg.
Right click on it and then Edit. Copy and paste the results here.

Post another dll compare log too.


Right, here are the results of the registry entries:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ccApp1]
"DllName"="ccApp1.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="WLELock"
"Logoff"="WLELogoff"
"Logon"="WLELogon"
"Shutdown"="WLEShutdown"
"StartScreenSaver"="WLEStartScreenSaver"
"Startup"="WLEStartup"
"StopScreenSaver"="WLEStopScreenSaver"
"Unlock"="WLEUnlock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MSSYCLM]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r4p80e7ueh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


And here is the DllCompare log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,286 items found: 1,286 files, 0 directories.
Total of file sizes: 242,864,324 bytes 231.61 M

Administrator Account = True

--------------------End log---------------------


Open the registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Back up this key before doing the following: right click on the subkey MSSYCLM and select Delete.

Open KillBox and copy & paste the path to the Desktop.ini for the Recycle Bin, i.e.:

C:\RECYCLER\Desktop.ini

Click the red X to delete it.

Also paste in C:\Windows\System32\Guard.tmp again and click the red X to delete that.

Run VX2Finder and click the 'Click to Find ...' button. Then hit the 'Restore Policy' button and follow the prompts. Click the 'UserAgent$' button and follow the prompts. Exit the program.

Reboot. Post another HijackThis log as well as a log from VX2Finder.
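
An added example, not part of the thread: the helper's diagnosis rests on reading the exported Notify key and spotting the one subkey whose DllName is not a stock Windows notification package. The Python below automates that reading. It parses the `.reg` text (REG_SZ values and the `hex(2)` REG_EXPAND_SZ form with line continuations) and flags any subkey whose DLL is given as a full path or is not in a small allowlist. The allowlist and the abridged sample export are my assumptions, built from the export posted above; extend the allowlist with whatever vendor packages a clean machine legitimately has.

```python
import re

# Stock Windows XP notification packages seen in this thread's export, plus the
# Intel graphics one; anything else registered under Winlogon\Notify is flagged.
# This allowlist is an assumption for the example, not a Microsoft-published list.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxsrvc.dll",
}

# Constructed sample: an abridged copy of the notify.reg export posted above
# (four of its subkeys, most event values dropped).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ccApp1]
"DllName"="ccApp1.dll"
"Logon"="WLELogon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MSSYCLM]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r4p80e7ueh.dll"
"Logon"="WinLogon"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _reg_sz(data):
    # REG_SZ is written quoted, with backslash and double quote escaped.
    return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def _reg_expand_sz(data):
    # hex(2) is REG_EXPAND_SZ dumped as comma-separated UTF-16LE bytes.
    raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text):
    """Map each Winlogon\\Notify subkey to its DllName (None if missing)."""
    # A trailing backslash continues a hex value on the next line; join first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            parent, _, leaf = sec.group("key").rpartition("\\")
            current = leaf if parent.lower().endswith("\\winlogon\\notify") else None
            if current:
                packages[current] = None
            continue
        val = VALUE_RE.match(line)
        if current and val and val.group("name").lower() == "dllname":
            data = val.group("data")
            if data.startswith('"'):
                packages[current] = _reg_sz(data)
            elif data.lower().startswith("hex(2):"):
                packages[current] = _reg_expand_sz(data)
    return packages


def suspicious_packages(packages):
    """Return (subkey, dll, reason) for entries that deserve a look."""
    findings = []
    for subkey, dll in packages.items():
        if dll is None:
            findings.append((subkey, dll, "no DllName value"))
        elif "\\" in dll:
            # Stock packages are bare names loaded from System32; a full path to
            # a random-looking file is how MSSYCLM pointed at r4p80e7ueh.dll.
            findings.append((subkey, dll, "absolute path to a non-system DLL"))
        elif dll.lower() not in KNOWN_NOTIFY_DLLS:
            findings.append((subkey, dll, "not a known notification package"))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in suspicious_packages(parse_notify_export(SAMPLE_REG)):
        print(f"{subkey}: {dll} ({reason})")
```

Regedit 5.00 exports are UTF-16 with a byte-order mark, so read a real notify.reg with `open(path, encoding="utf-16")` before passing its text in. The rule is deliberately conservative: ccApp1 is flagged as well as MSSYCLM, since ccApp1.dll is not a Windows notification DLL, which agrees with the poster's observation that Norton only loads ccApp.exe.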


Alright, here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 01:20:32, on 19/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Ad-watch 3.0.lnk = C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099841379359
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D37110-AFE5-410D-9A76-F85725D3F2E6}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Can't see anything myself on there, but I'm open to mistakes :P And here is that VX2Finder log too:


Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
ccApp1
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---


The O1 entries are the ones entered by this infection.

Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows and hit the "Fix checked" button.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Then you will need to reboot to make sure those O1 entries have not returned. If they are gone, you are clear :).


Well, thank God for that. All those ads started getting on my tits after doing repeated scans, pfft. Thanks for all your help, fella, and I don't suppose you could give me any info on how to detect this problem myself if it happens again??


This is the only way I know of at the moment, as it is such a new infection. Just keep those tools for future reference :).
Personally I would change browsers to either Opera or Firefox.


I don't think anyone's mentioned this, because it is in all your HJT logs, but make sure that you are NOT running Internet Explorer while scanning with HJT.
