
It simply asks if I would like it to remove VX2 next time Windows starts. Trouble is this nasty has embedded itself in the "system32" folder and I've tried removing it in safe mode and everything.

Has anyone else had this problem and if so did they fix it?

Cheers
Kris

4 Contributors, 19 Replies, 20 Views, 12 Years Discussion Span, Last Post by crunchie

The newest variant of the VX2 infection is extremely nasty and at the moment it seems that there is no "automatic" utility which will remove it. Read our member "crunchie"'s posts in these recent threads on the subject for a bit more insight:

http://www.daniweb.com/techtalkforums/search.php?searchid=242139


In the meantime, please download the latest version of HijackThis from the link in my sig below. Once downloaded, follow these instructions to install and run the program:

Create a new separate folder on your drive for HijackThis, move the program into this folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.) Do not have HJT fix anything yet, only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.


Ok, this is my HijackThis log:


Logfile of HijackThis v1.99.0
Scan saved at 01:18:50, on 12/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\KM\My Documents\My Pictures\Utilities for CD\Ad-Aware SE\VX2 Cleaning add on\VX2Finder.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\KM\My Documents\My Pictures\Utilities for CD\Ad-Aware SE\VX2 Cleaning add on\DllCompare.exe
C:\WINDOWS\SYSTEM32\WrapperOuter.exe
C:\Documents and Settings\KM\My Documents\My Pictures\Utilities for CD\hijackthis v199\HijackThis.exe

O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094843081852
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AEA3B5F-ADCF-4D63-82F8-EB3F08A3B516}: NameServer = 195.93.48.134
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

ALSO, I've found this topic on VX2 - http://www.daniweb.com/techtalkforums/thread15679-vx2.html - and have downloaded and run VX2Finder and DllCompare.
Here's the log from VX2Finder:
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
MediaContentIndex
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{73AFE2EE-ABF9-4DD7-96B4-53BDF9FB3658}

And the DllCompare log:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\akicap32.dll Wed 15 Dec 2004 15:28:46 ..S.R 224,809 219.54 K
C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\mrdemui.dll Wed 15 Dec 2004 17:33:38 ..S.R 223,108 217.88 K
C:\WINDOWS\SYSTEM32\oishel32.dll Mon 20 Dec 2004 1:01:02 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\mgpmspsv.dll Sat 11 Dec 2004 14:44:38 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\svlsrv32.dll Sat 11 Dec 2004 15:31:48 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\kfdsp.dll Mon 13 Dec 2004 14:05:48 ..S.R 226,169 220.87 K
C:\WINDOWS\SYSTEM32\oebcjt32.dll Sat 11 Dec 2004 15:53:16 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\n4p40e~1.dll Sun 19 Dec 2004 20:23:40 ..S.R 224,536 219.27 K
C:\WINDOWS\SYSTEM32\lvr609~1.dll Sat 11 Dec 2004 12:08:58 ..S.R 223,931 218.68 K
C:\WINDOWS\SYSTEM32\mzise.dll Sun 12 Dec 2004 16:13:58 ..S.R 226,169 220.87 K
C:\WINDOWS\SYSTEM32\wmwfax.dll Tue 14 Dec 2004 20:01:14 ..S.R 225,341 220.06 K
C:\WINDOWS\SYSTEM32\nscodins.dll Tue 14 Dec 2004 20:30:52 ..S.R 225,941 220.64 K
C:\WINDOWS\SYSTEM32\juau500.dll Tue 14 Dec 2004 11:52:08 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\dq16gt.dll Sat 11 Dec 2004 13:55:08 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\n6p4lg~1.dll Sat 11 Dec 2004 14:44:36 ..S.R 226,179 220.88 K
C:\WINDOWS\SYSTEM32\hrl805~1.dll Sat 11 Dec 2004 15:31:48 ..S.R 225,538 220.25 K
C:\WINDOWS\SYSTEM32\l46o0e~1.dll Tue 14 Dec 2004 17:47:44 ..S.R 225,705 220.41 K
C:\WINDOWS\SYSTEM32\m082la~1.dll Sun 19 Dec 2004 18:08:38 ..S.R 225,816 220.52 K
________________________________________________

1,438 items found: 1,438 files (18 H/S), 0 directories.
Total of file sizes: 283,571,926 bytes 270.43 M

Administrator Account = True

--------------------End log---------------------
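The O1 lines in the HijackThis log above show several search hostnames all pointed at one address by the hosts file, which is what a hosts-file hijack looks like from the outside. The script below is an added example (not from this thread or from HijackThis) that parses O1 lines, groups hostnames by target address and reports every non-loopback override; the sample lines and the 198.51.100.7 address are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of HijackThis "O1 - Hosts:" lines (not the
# thread's own log): one normal loopback entry plus several search/update
# hostnames that all resolve to a single constructed address.
SAMPLE_O1 = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 198.51.100.7 auto.search.example.com
O1 - Hosts: 198.51.100.7 search.example.net
O1 - Hosts: 198.51.100.7 auto.search.example.com
O1 - Hosts: 198.51.100.7 update.example.org
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>[0-9a-fA-F.:]+)\s+(?P<host>\S+)")


def parse_o1_lines(text):
    """Return (ip, host) pairs from HijackThis O1 lines; other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            pairs.append((m["ip"], m["host"].lower()))
    return pairs


def audit_hosts(pairs, min_hosts=2):
    """Group hosts by target address and return the suspicious groups.

    A hosts entry is normal when it points at loopback (127.0.0.0/8, ::1).
    Anything else is a static override of DNS; when several unrelated names
    share one non-loopback address, that is the classic hosts-hijack shape.
    """
    by_ip = defaultdict(set)
    for ip, host in pairs:
        by_ip[ip].add(host)
    findings = {}
    for ip, hosts in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings[ip] = {"hosts": sorted(hosts), "reason": "unparseable address"}
            continue
        if addr.is_loopback:
            continue
        reason = "non-loopback override"
        if len(hosts) >= min_hosts:
            reason += f"; {len(hosts)} names redirected to one address"
        findings[ip] = {"hosts": sorted(hosts), "reason": reason}
    return findings


if __name__ == "__main__":
    for ip, info in audit_hosts(parse_o1_lines(SAMPLE_O1)).items():
        print(f"{ip}: {info['reason']}")
        for h in info["hosts"]:
            print(f"    {h}")
```

Duplicate O1 lines (the log above lists some hostnames twice) collapse into one entry per name, so the count in the reason reflects distinct names rather than raw lines.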


OK- it looks like you may very well have the new VX2 variant. I haven't had much experience with that one, but crunchie seems to know how to deal with it. Let me contact him and see if he can have a look at this for you. Hang in there...


Download
http://www.downloads.subratam.org/KillBox.exe

Stay offline when doing the following fix.

Open killbox and paste in C:\WINDOWS\SYSTEM32\akicap32.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).

Repeat the above for each of these:

C:\WINDOWS\SYSTEM32\kbdfaib.dll
C:\WINDOWS\SYSTEM32\mrdemui.dll
C:\WINDOWS\SYSTEM32\oishel32.dll
C:\WINDOWS\SYSTEM32\mgpmspsv.dll
C:\WINDOWS\SYSTEM32\svlsrv32.dll
C:\WINDOWS\SYSTEM32\kfdsp.dll
C:\WINDOWS\SYSTEM32\oebcjt32.dll
C:\WINDOWS\SYSTEM32\n4p40e~1.dll
C:\WINDOWS\SYSTEM32\lvr609~1.dll
C:\WINDOWS\SYSTEM32\mzise.dll
C:\WINDOWS\SYSTEM32\wmwfax.dll
C:\WINDOWS\SYSTEM32\nscodins.dll
C:\WINDOWS\SYSTEM32\juau500.dll
C:\WINDOWS\SYSTEM32\dq16gt.dll
C:\WINDOWS\SYSTEM32\n6p4lg~1.dll
C:\WINDOWS\SYSTEM32\hrl805~1.dll
C:\WINDOWS\SYSTEM32\l46o0e~1.dll
C:\WINDOWS\SYSTEM32\m082la~1.dll
C:\Windows\System32\Guard.tmp

On that last file, close all programs and Reboot your computer.

Post another log from dllcompare please.

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Only reboot when I ask you to or the file names will change! In other words, do not switch off your PC. If you have already we need to start afresh.


Yup, sorry I did switch off my computer.

Here's the VX2finder log:
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
SharedDLLs
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{2C5065D5-07B6-48AF-A859-5D7E9CC0547A}

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\akicap32.dll Wed 15 Dec 2004 15:28:46 ..S.R 224,809 219.54 K
C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\mrdemui.dll Wed 15 Dec 2004 17:33:38 ..S.R 223,108 217.88 K
C:\WINDOWS\SYSTEM32\irmpagnt.dll Mon 20 Dec 2004 15:35:44 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\ltwfx90n.dll Mon 20 Dec 2004 1:51:18 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\fpj003~1.dll Mon 20 Dec 2004 3:10:10 ..S.R 223,223 217.99 K
C:\WINDOWS\SYSTEM32\mgpmspsv.dll Sat 11 Dec 2004 14:44:38 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\svlsrv32.dll Sat 11 Dec 2004 15:31:48 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\kfdsp.dll Mon 13 Dec 2004 14:05:48 ..S.R 226,169 220.87 K
C:\WINDOWS\SYSTEM32\oebcjt32.dll Sat 11 Dec 2004 15:53:16 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\n4p40e~1.dll Sun 19 Dec 2004 20:23:40 ..S.R 224,536 219.27 K
C:\WINDOWS\SYSTEM32\lvr609~1.dll Sat 11 Dec 2004 12:08:58 ..S.R 223,931 218.68 K
C:\WINDOWS\SYSTEM32\mzise.dll Sun 12 Dec 2004 16:13:58 ..S.R 226,169 220.87 K
C:\WINDOWS\SYSTEM32\wmwfax.dll Tue 14 Dec 2004 20:01:14 ..S.R 225,341 220.06 K
C:\WINDOWS\SYSTEM32\nscodins.dll Tue 14 Dec 2004 20:30:52 ..S.R 225,941 220.64 K
C:\WINDOWS\SYSTEM32\juau500.dll Tue 14 Dec 2004 11:52:08 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\dq16gt.dll Sat 11 Dec 2004 13:55:08 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\n6p4lg~1.dll Sat 11 Dec 2004 14:44:36 ..S.R 226,179 220.88 K
C:\WINDOWS\SYSTEM32\hrl805~1.dll Sat 11 Dec 2004 15:31:48 ..S.R 225,538 220.25 K
C:\WINDOWS\SYSTEM32\l46o0e~1.dll Tue 14 Dec 2004 17:47:44 ..S.R 225,705 220.41 K
C:\WINDOWS\SYSTEM32\enrql1~1.dll Mon 20 Dec 2004 3:01:18 ..S.R 225,816 220.52 K
________________________________________________

1,440 items found: 1,440 files (20 H/S), 0 directories.
Total of file sizes: 284,020,965 bytes 270.86 M

Administrator Account = True

--------------------End log---------------------


I'll leave my pc on now until I hear back from you, thanks.
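What makes the DllCompare lists above readable at a glance is that the VX2 files share a shape: system+read-only attributes, sizes within a few KB of each other and modification dates inside the same few weeks, while kbdfaib.dll is older and only read-only. The script below is an added example (not from this thread or from DllCompare) that parses DllCompare lines and separates that recent, similarly sized cluster from the leftovers; the sample lines are copied from the log above, the 2% size tolerance and 30-day window are assumptions, and the newest file's date stands in for the scan date because the log carries none.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sample lines in the shape of the DllCompare output above (copied from the
# thread's log as test input): three recent system+read-only files of nearly
# the same size sit beside one older file that is only read-only.
SAMPLE_LOG = r"""* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\akicap32.dll Wed 15 Dec 2004 15:28:46 ..S.R 224,809 219.54 K
C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\mrdemui.dll Wed 15 Dec 2004 17:33:38 ..S.R 223,108 217.88 K
C:\WINDOWS\SYSTEM32\oishel32.dll    Mon 20 Dec 2004   1:01:02   ..S.R        225,816   220.52 K
________________________________________________

1,438 items found: 1,438 files (18 H/S), 0 directories.
"""

# path, "Wed 15 Dec 2004 15:28:46", attribute flags, byte size, human size
ENTRY_RE = re.compile(
    r"^(?P<path>\S+)\s+"
    r"(?P<stamp>\w{3} \d{1,2} \w{3} \d{4}\s+\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<attrs>[.A-Z]{5})\s+(?P<size>\d[\d,]*)\s+\S+\s+[KMG]$"
)


@dataclass
class Entry:
    path: str
    mtime: datetime
    attrs: str   # DllCompare flag column, e.g. '..S.R' (S = system, R = read-only)
    size: int    # bytes

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]


def parse_dllcompare(text):
    """Return Entry objects for every file line; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["stamp"].split())          # collapse padded columns
        entries.append(Entry(
            path=m["path"],
            mtime=datetime.strptime(stamp, "%a %d %b %Y %H:%M:%S"),
            attrs=m["attrs"],
            size=int(m["size"].replace(",", "")),
        ))
    return entries


def size_clusters(entries, tolerance=0.02, min_members=3):
    """Greedy sweep: sort by size and start a new cluster whenever the next file
    is more than `tolerance` above the smallest member of the current one."""
    clusters, current = [], []
    for e in sorted(entries, key=lambda x: x.size):
        if current and e.size > current[0].size * (1 + tolerance):
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) >= min_members]


def triage(text, window_days=30):
    """Split a DllCompare log into the recent same-size cluster and everything else."""
    entries = parse_dllcompare(text)
    if not entries:
        return {"cluster": [], "leftover": []}
    newest = max(e.mtime for e in entries)           # stand-in for the scan date
    recent = [e for e in entries
              if "S" in e.attrs and newest - e.mtime <= timedelta(days=window_days)]
    clustered = {e.name for c in size_clusters(recent) for e in c}
    return {
        "cluster": sorted(clustered),
        "leftover": sorted(e.name for e in entries if e.name not in clustered),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("recent cluster:", ", ".join(result["cluster"]))
    print("leftover:", ", ".join(result["leftover"]))
```

The "leftover" bucket is exactly the case crunchie calls out later in the thread: a file that survives the cleanup but whose date and attributes do not match the rest of the batch deserves a separate look rather than being assumed to be part of the same infection.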


Stay offline when doing the following fix.

Open killbox and paste in C:\WINDOWS\SYSTEM32\akicap32.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).

Repeat the above for each of these:

C:\WINDOWS\SYSTEM32\kbdfaib.dll
C:\WINDOWS\SYSTEM32\mrdemui.dll
C:\WINDOWS\SYSTEM32\irmpagnt.dll
C:\WINDOWS\SYSTEM32\ltwfx90n.dll
C:\WINDOWS\SYSTEM32\fpj003~1.dll
C:\WINDOWS\SYSTEM32\mgpmspsv.dll
C:\WINDOWS\SYSTEM32\svlsrv32.dll
C:\WINDOWS\SYSTEM32\kfdsp.dll
C:\WINDOWS\SYSTEM32\oebcjt32.dll
C:\WINDOWS\SYSTEM32\n4p40e~1.dll
C:\WINDOWS\SYSTEM32\lvr609~1.dll
C:\WINDOWS\SYSTEM32\mzise.dll
C:\WINDOWS\SYSTEM32\wmwfax.dll
C:\WINDOWS\SYSTEM32\nscodins.dll
C:\WINDOWS\SYSTEM32\juau500.dll
C:\WINDOWS\SYSTEM32\dq16gt.dll
C:\WINDOWS\SYSTEM32\n6p4lg~1.dll
C:\WINDOWS\SYSTEM32\hrl805~1.dll
C:\WINDOWS\SYSTEM32\l46o0e~1.dll
C:\WINDOWS\SYSTEM32\enrql1~1.dll
C:\Windows\System32\Guard.tmp

On that last file, close all programs and Reboot your computer.

Post another log from dllcompare please.

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.


Ok, I've done the above and here's the latest DllCompare log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
________________________________________________

1,441 items found: 1,441 files, 0 directories.
Total of file sizes: 279,520,529 bytes 266.57 M

Administrator Account = True

By the way, that link to "FindIt.zip" doesn't seem to work.

--------------------End log---------------------


P.S I just ran Ad-aware and VX2 is no longer on my system! :D
Does anyone know what causes it?


Ok, here's the FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


Find.bat is running from: C:\Documents and Settings\KM\Desktop\Find It NT-2K-XP


------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2224-15D4


Directory of C:\WINDOWS\System32


06/30/2004  17:30            19,456 Thumbs.db
11/19/2003  00:08             1,020 Dkp0h.y89
01/25/2003  17:03    <DIR>          Microsoft
01/25/2003  14:10    <DIR>          dllcache
2 File(s)         20,476 bytes
2 Dir(s)   9,976,987,648 bytes free


------- Hidden Files in System32 Directory -------


Volume in drive C has no label.
Volume Serial Number is 2224-15D4


Directory of C:\WINDOWS\System32


06/30/2004  17:30            19,456 Thumbs.db
11/22/2003  16:03               488 WindowsLogon.manifest
11/22/2003  16:03               488 logonui.exe.manifest
11/22/2003  16:02               749 cdplayer.exe.manifest
11/22/2003  16:02               749 nwc.cpl.manifest
11/22/2003  16:02               749 wuaucpl.cpl.manifest
11/22/2003  16:02               749 sapi.cpl.manifest
11/22/2003  16:02               749 ncpa.cpl.manifest
11/19/2003  00:08             1,020 Dkp0h.y89
11/06/2003  10:12    <DIR>          GroupPolicy
02/27/2003  12:02             1,372 anfysaver.html
02/27/2003  12:00           382,984 1.jpg
01/25/2003  14:10    <DIR>          dllcache
07/17/2002  15:36            18,543 AnLake.jar
07/17/2002  15:36            18,521 AnLake.class
07/17/2002  14:14            13,567 Lware.class
11/24/1999  21:29           196,608 anfysave.scr
06/22/1999  22:06             2,930 ajbut1.gif
11/29/1998  23:48               648 anfy.class
17 File(s)        660,370 bytes
2 Dir(s)   9,976,971,264 bytes free


---------- Files Named "Guard" -------------


Volume in drive C has no label.
Volume Serial Number is 2224-15D4


Directory of C:\WINDOWS\System32


12/21/2004  10:41                56 Guard.tmp
1 File(s)             56 bytes
0 Dir(s)   9,976,954,880 bytes free


--------- Temp Files in System32 Directory --------


Volume in drive C has no label.
Volume Serial Number is 2224-15D4


Directory of C:\WINDOWS\System32


12/21/2004  10:41                56 Guard.tmp
1 File(s)             56 bytes
0 Dir(s)   9,976,938,496 bytes free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B46CB99C-25CC-4733-8095-1540AF80DAE0}"=""



------------ Keys Under Notify ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p6n80g5ue6.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



------------------ Locate.com Results ------------------


No matches found.


------------ Strings.exe Qoologic Results ------------



-------------- Strings.exe Aspack Results -------------



----------------- HKLM Run Key ------------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"AVGCtrl"="\"C:\\Program Files\\AVPersonal\\AVGNT.EXE\" /min"


And another DllCompare log:
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________


C:\WINDOWS\SYSTEM32\kbdfaib.dll    Wed 16 Jun 2004  14:44:08   ....R         57,344    56.00 K
________________________________________________


1,441 items found:  1,441 files, 0 directories.
Total of file sizes:  279,520,529 bytes    266.57 M


Administrator Account =  True


--------------------End log---------------------

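The "Keys Under Notify" section of the FindIt log above is where the stray IPConfTSP entry shows up: every stock Winlogon notification package names a bare module such as wlnotify.dll (sometimes as a hex(2) byte list), while the extra key points at a full path to a randomly named DLL in system32. The script below is an added example (not from this thread or from FindIt) that parses a REGEDIT4 export of that key, decodes the hex(2) values, and flags subkeys that are either not on the stock list or use a full path. The baseline list is taken from the clean VX2Finder listing in this thread and is an assumption for Windows XP; the sample export is a constructed excerpt that reuses the IPConfTSP entry shown above.

```python
import re

# Constructed REGEDIT4 excerpt in the shape of the FindIt "Keys Under Notify"
# section above (not the thread's own export): two stock Windows XP packages
# and one extra key whose DllName is a full path into system32.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p6n80g5ue6.dll"
"Logon"="WinLogon"
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Stock XP notification packages, taken from the clean VX2Finder listing in this
# thread; an assumption to adjust for other Windows versions.
KNOWN_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                  "sclgntfy", "senslogn", "termsrv", "wlballoon"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=(?P<data>.*)$')


def decode_value(data):
    """Decode the REGEDIT4 encodings that matter here: dword:, hex(2): (a
    REG_EXPAND_SZ as comma-separated bytes, NUL-terminated) and quoted strings."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex"):
        raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip())
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])     # unescape \\ and \"
    return data


def parse_notify(text):
    """Return {subkey: {value_name_lower: decoded_value}} for keys under Notify."""
    packages, current = {}, None
    prefix = NOTIFY_KEY + "\\"
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            current = key[len(prefix):] if key.lower().startswith(prefix.lower()) else None
            if current:
                packages[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            # value names are case-insensitive in the registry (DllName vs DLLName)
            packages[current][vm["name"].lower()] = decode_value(vm["data"])
    return packages


def audit_notify(packages, known=KNOWN_PACKAGES):
    """Return (subkey, dll, reasons) for every package that looks out of place."""
    findings = []
    for name, values in packages.items():
        dll = values.get("dllname", "")
        reasons = []
        if name.lower() not in known:
            reasons.append("subkey not in the stock package list")
        if "\\" in dll or "/" in dll:
            reasons.append("DllName is a full path rather than a bare module name")
        if not dll:
            reasons.append("no DllName value")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, dll, reasons in audit_notify(parse_notify(SAMPLE_REG)):
        print(f"{name}: {dll or '(none)'}")
        for r in reasons:
            print(f"    - {r}")
```

Exporting the key first, as crunchie asks for, gives you exactly the input this parser reads, and a clean export (the second FindIt log in the thread, with IPConfTSP gone) produces no findings.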


Stay offline when doing the following fix.

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No.


C:\WINDOWS\SYSTEM32\kbdfaib.dll
C:\Windows\System32\Guard.tmp

On that last file, close all programs and Reboot your computer.

In Killbox, Copy & Paste the path to the Desktop.ini for recycle bin.
i.e.:

C:\RECYCLER\Desktop.ini

Click Red X to delete it.

Also paste in C:\Windows\System32\Guard.tmp again and click the red X to delete that.

Run VX2Finder and click the *Click to find etc* button. Then hit the *restore policy* button and follow the prompts. Click the *UserAgent$* button and follow the prompts. Exit the program.

Open regedit and go to *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify* and delete the *IPConfTSP* sub-key.
NOTE. Please back up the *notify* key by exporting it to a safe location. Call it notify.reg.

Post another log from DllCompare please, along with another FindIt log, a VX2 log and a HijackThis log.


Crikey, this'll take some reading :o

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________


C:\WINDOWS\SYSTEM32\kbdfaib.dll    Wed 16 Jun 2004  14:44:08   ....R         57,344    56.00 K
________________________________________________


1,441 items found:  1,441 files, 0 directories.
Total of file sizes:  279,520,529 bytes    266.57 M


Administrator Account =  True


--------------------End log---------------------


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


Find.bat is running from: C:\Documents and Settings\KM\Desktop\Find It NT-2K-XP


------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2224-15D4


Directory of C:\WINDOWS\System32


06/30/2004  17:30            19,456 Thumbs.db
11/19/2003  00:08             1,020 Dkp0h.y89
01/25/2003  17:03    <DIR>          Microsoft
01/25/2003  14:10    <DIR>          dllcache
2 File(s)         20,476 bytes
2 Dir(s)   9,973,071,872 bytes free


------- Hidden Files in System32 Directory -------


Volume in drive C has no label.
Volume Serial Number is 2224-15D4


Directory of C:\WINDOWS\System32


06/30/2004  17:30            19,456 Thumbs.db
11/22/2003  16:03               488 WindowsLogon.manifest
11/22/2003  16:03               488 logonui.exe.manifest
11/22/2003  16:02               749 cdplayer.exe.manifest
11/22/2003  16:02               749 nwc.cpl.manifest
11/22/2003  16:02               749 wuaucpl.cpl.manifest
11/22/2003  16:02               749 sapi.cpl.manifest
11/22/2003  16:02               749 ncpa.cpl.manifest
11/19/2003  00:08             1,020 Dkp0h.y89
11/06/2003  10:12    <DIR>          GroupPolicy
02/27/2003  12:02             1,372 anfysaver.html
02/27/2003  12:00           382,984 1.jpg
01/25/2003  14:10    <DIR>          dllcache
07/17/2002  15:36            18,543 AnLake.jar
07/17/2002  15:36            18,521 AnLake.class
07/17/2002  14:14            13,567 Lware.class
11/24/1999  21:29           196,608 anfysave.scr
06/22/1999  22:06             2,930 ajbut1.gif
11/29/1998  23:48               648 anfy.class
17 File(s)        660,370 bytes
2 Dir(s)   9,973,055,488 bytes free


---------- Files Named "Guard" -------------


Volume in drive C has no label.
Volume Serial Number is 2224-15D4


Directory of C:\WINDOWS\System32


12/22/2004  02:15                56 Guard.tmp
1 File(s)             56 bytes
0 Dir(s)   9,973,039,104 bytes free


--------- Temp Files in System32 Directory --------


Volume in drive C has no label.
Volume Serial Number is 2224-15D4


Directory of C:\WINDOWS\System32


12/22/2004  02:15                56 Guard.tmp
1 File(s)             56 bytes
0 Dir(s)   9,973,022,720 bytes free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]



------------ Keys Under Notify ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



------------------ Locate.com Results ------------------


No matches found.


------------ Strings.exe Qoologic Results ------------



-------------- Strings.exe Aspack Results -------------



----------------- HKLM Run Key ------------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"AVGCtrl"="\"C:\\Program Files\\AVPersonal\\AVGNT.EXE\" /min"


Log for VX2.BetterInternet File Finder (ALL)


Files Found---


Additional Files---


Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon



Guardian Key--- is called:


Guardian Key--- :


User Agent String---



Logfile of HijackThis v1.99.0
Scan saved at 02:52:40, on 12/22/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\strings.exe
C:\WINDOWS\system32\find.exe
C:\Documents and Settings\KM\My Documents\My Pictures\Utilities for CD\Ad-Aware SE\VX2 Cleaning add on\VX2Finder.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\KM\My Documents\My Pictures\Utilities for CD\hijackthis v199\HijackThis.exe


O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - Global Startup: strings.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094843081852
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Edited by happygeek: fixed formatting

0

Looks like the file that will not die is a leftover from an A:B infection. The date on it is June, whereas this VX2 infection only began late November.

Start Killbox and select *standard file Kill* and paste in C:\Windows\System32\Guard.tmp and hit the kill file button.

Apart from that I would say you are in the clear :).

0

You may want to delete strings.exe from the global startup folder. AFAIK it is put there when a scan from findit isn't allowed to finish. It put the file in my startup folder too.

EDIT. I rechecked and it actually removes itself once the scan is completed :).

0

Can I now delete that "notify.reg" back up I've made?

Thank you for your help. I've not increased my security settings by reading that link in your signature.

0

Can I now delete that "notify.reg" back up I've made?

Thank you for your help. I've not increased my security settings by reading that link in your signature.

If everything is working good, delete the notify.reg. It was only made in case the wrong entry was deleted :).

So....you have not increased security, or you have now increased security?
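The notify.reg backup discussed in this exchange is an export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, and the six subkeys listed near the top of this page (ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon) are standard XP entries that should stay. The Python below is an added example, not code from this thread or from any of the tools it mentions: it parses a .reg export of that key and reports every Notify subkey outside a known-good baseline, together with the DLL it loads. The baseline is the page's six names plus crypt32chain, cryptnet and cscdll, which I am adding on the assumption of a stock XP SP2 install; the function names and the sample export, including its made-up "qwxlogon" subkey, are my own constructions.

```python
"""Compare a .reg export of the Winlogon\\Notify key against a known-good
baseline and report any subkey that does not belong.  Added example."""
import re
from typing import Dict, List, Tuple

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Six names come from the list posted in this thread; crypt32chain, cryptnet
# and cscdll are the remaining stock XP SP2 entries (assumption: unmodified XP).
KNOWN_GOOD = {
    "sccertprop", "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
    "crypt32chain", "cryptnet", "cscdll",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ lines only


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey: {value_name: string}} for the direct subkeys of
    NOTIFY_KEY.  dword:/hex: values are ignored; the backslash escapes that
    regedit writes inside string values are undone."""
    prefix = (NOTIFY_KEY + "\\").lower()
    subkeys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            rest = path[len(prefix):]
            if path.lower().startswith(prefix) and "\\" not in rest:
                current = rest
                subkeys[current] = {}
            else:
                current = None        # the Notify key itself, or a deeper key
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            subkeys[current][m.group(1)] = value
    return subkeys


def triage(subkeys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (subkey, DLLName, reason) for every entry worth a look."""
    findings = []
    for name, values in subkeys.items():
        dll = values.get("DLLName", "")
        if name.lower() not in KNOWN_GOOD:
            findings.append((name, dll, "subkey not in the known-good baseline"))
        elif not dll.lower().endswith(".dll"):
            findings.append((name, dll, "baseline subkey loads something that is not a .dll"))
    return findings


# Constructed sample export: two stock entries and one made-up rogue subkey
# ("qwxlogon" is not a real component name).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"Logoff"="SCardStopCertProp"
"DLLName"="wlnotify.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwxlogon]
"DLLName"="C:\\WINDOWS\\System32\\qwxlogon.dll"
"Logon"="WinLogon"
"Asynchronous"=dword:00000001
"""

if __name__ == "__main__":
    for name, dll, why in triage(parse_reg(SAMPLE_REG)):
        print(f"{name:<14} {dll:<40} {why}")
```

A real export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and is written as UTF-16, so read it with `open(path, encoding="utf-16")` before handing it to parse_reg. Anything the script reports is a candidate, not a verdict: confirm where the DLL came from before deleting its subkey, and keep the backup until the machine has rebooted cleanly.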

0

Sorry, the above "not" was a typing error lol. So yes I've increased the security in the Internet Options box.

0

I'm having this problem. Could I get someone's assistance?

I've searched the web and used almost all of the techniques listed.
VX2 still shows up.

here is the hijack log :

Logfile of HijackThis v1.99.1
Scan saved at 3:09:06 AM, on 18/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Cacheman\Cacheman.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jarrett\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Cacheman] C:\Program Files\Cacheman\Cacheman.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116910517138
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

0

Mcfats. Please start your own thread and let us know where VX2 shows up. I am not seeing it in your log. I can see you have/had the Aurora infection though.
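The read crunchie gives of the log above (no VX2 markers, but an Aurora leftover in the SvcProc service line) is the kind of first pass that can be scripted. The Python below is an added example, not code from this thread or from HijackThis: it parses the HJT log format into its "Running processes" list and its R/F/O items, then flags the lines a reviewer looks at first, namely O23 services marked "(file missing)" or "Unknown owner", O4 autostarts that name a bare file instead of a full path, O16 ActiveX entries with no download URL, and an empty Start Page. The function names are mine, and the embedded sample log is constructed from a handful of lines taken from the log posted above. The flags are prompts for a human review, not a verdict; "ATI Smart" is flagged here only because HJT could not read a vendor name from it.

```python
"""Parse a HijackThis log and flag the lines a reviewer looks at first.
Added example; the sample log below is built from lines in this thread."""
import re
from typing import List, Tuple

ITEM_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# "HKLM\..\Run: [Name] command" or "Global Startup: file"
O4_RE = re.compile(r"^(.*?): (?:\[[^\]]*\] )?(.*)$")

Finding = Tuple[str, str, str]   # (item type, line body, reason)


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running_processes, items); items are (type, body) pairs such
    as ("O23", "Service: ...")."""
    processes, items = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False      # blank line ends the process list
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
    return processes, items


def triage(items: List[Tuple[str, str]]) -> List[Finding]:
    """Apply the review rules and return every line that deserves a look."""
    findings: List[Finding] = []
    for kind, body in items:
        if kind == "O23":
            if "(file missing)" in body:
                findings.append((kind, body, "service points at a binary that no longer exists"))
            elif "Unknown owner" in body:
                findings.append((kind, body, "service binary has no vendor name; check it"))
        elif kind == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in m.group(2):
                findings.append((kind, body, "autostart names a bare file, not a full path"))
        elif kind == "O16" and body.endswith("-"):
            findings.append((kind, body, "ActiveX entry with no download URL"))
        elif kind == "R0" and body.endswith("="):
            findings.append((kind, body, "Start Page is empty"))
    return findings


# Constructed sample: a few lines lifted from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:09:06 AM, on 18/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: strings.exe
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

if __name__ == "__main__":
    procs, items = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(items)} items")
    for kind, body, why in triage(items):
        print(f"{kind:<4} {why}\n     {body}")
```

Bare-filename autostarts (CTHELPER.EXE, strings.exe) are flagged because Windows resolves them through the PATH search rather than a fixed location; as noted above, strings.exe here is the findit helper and removes itself once a scan completes, which is exactly the sort of context the script cannot supply.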
