Winfixer, Various Pop Ups and Viruses [RESOLVED]


  • This topic is locked

#1
rhythmco

    Member

  • 10 posts
Dear Friends,

As you have seen many times before, I am another Windows user going insane with advertisement pop up windows. I have tried everything for a week and am at the point of no return with this garbage. I believe the low lifes that advertise through these malicious programs should be burned as well as the folks that write/distribute this trash.

Logfile of HijackThis v1.99.1
Scan saved at 11:35:16 PM, on 8/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\default\My Documents\Programs\HiJack This\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PRO\POPUPPRO.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121918189004
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123469099918
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: OEMRunOnce - C:\WINDOWS\system32\uarvpa.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:09:58 AM, 8/8/2005
+ Report-Checksum: 8B1B4762

+ Scan result:

HKU\.DEFAULT\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\.DEFAULT\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-19\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-19\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-19\Software\RX Toolbar -> Spyware.RXToolbar : Cleaned with backup
HKU\S-1-5-20\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-20\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-20\Software\RX Toolbar -> Spyware.RXToolbar : Cleaned with backup
HKU\S-1-5-18\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-18\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup


::Report End

---------------------------------------------------------
ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 1:13:16 AM, 8/8/2005
+ Report-Checksum: B1236D6C

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1033 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1187 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2675 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2677 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2682 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5101 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 127.0.0.1:1034 ESTABLISHED
TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1030 127.0.0.1:1033 ESTABLISHED
TCP 127.0.0.1:1033 127.0.0.1:1030 ESTABLISHED
TCP 127.0.0.1:1034 127.0.0.1:1029 ESTABLISHED
TCP 192.168.1.96:139 0.0.0.0:0 LISTENING
TCP 192.168.1.96:1187 69.45.79.144:80 CLOSE_WAIT
TCP 192.168.1.96:2671 69.45.79.152:80 TIME_WAIT
TCP 192.168.1.96:2673 69.45.79.152:80 TIME_WAIT
TCP 192.168.1.96:2675 216.155.193.151:5050 ESTABLISHED
TCP 192.168.1.96:2677 69.45.79.152:80 ESTABLISHED
TCP 192.168.1.96:2682 216.136.232.45:80 SYN_SENT
UDP 0.0.0.0:135
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1026
UDP 0.0.0.0:1028
UDP 0.0.0.0:1064
UDP 0.0.0.0:1071
UDP 0.0.0.0:1761
UDP 0.0.0.0:2058
UDP 0.0.0.0:2109
UDP 0.0.0.0:2119
UDP 0.0.0.0:2334
UDP 127.0.0.1:123
UDP 127.0.0.1:1045
UDP 127.0.0.1:1655
UDP 127.0.0.1:1900
UDP 192.168.1.96:123
UDP 192.168.1.96:137
UDP 192.168.1.96:138
UDP 192.168.1.96:1900


Please, before I <shotgun>my computer</shotgun>, someone please give me guidance.

Zone Alarm Security Suite catches a Canbede.J virus running. If I end the process rundll32.exe it goes crazy catching this thing.

Any help in killing this is so greatly appreciated. Many thanks in advance - Chris

Edited by rhythmco, 07 August 2005 - 11:21 PM.

  • 0

#2
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Chris and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. Let’s see what we can do with the first sweep.

Please open Spybot S & D, and turn off Resident Teatimer. Do this by clicking Mode at the top of the screen, choose Advanced Mode then Tools and then Resident and unchecking Teatimer. It will hinder our attempts to clear out some files that need to be removed.

To start, please download the following programmes; we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
Spybot S&D
Ad-Aware

Please visit Kaspersky for an online scan.

Please install Spybot search & destroy, open it, update it, immunize it, and perform a scan. When it has completed, ensure that you check everything it finds coloured Red only before clicking Fix Selected Problems. If Spybot requests starting again at reboot to clear memory resident malware, please ensure you click YES, giving it permission to do so.

Install Ad-Aware and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page.

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O20 - Winlogon Notify: OEMRunOnce - C:\WINDOWS\system32\uarvpa.dll

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\SYSTEM\blank.htm
C:\WINDOWS\system32\uarvpa.dll

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Post back a fresh HijackThis log and I will take another look.
  • 0

#3
rhythmco

    Member

  • Topic Starter
  • 10 posts
Phil,

Much thanks for your help in this matter.

I am at another house this evening visiting family and will be back in tomorrow evening to continue your instructions.

Please stand by, and I thank you again for your help!!!

Chris
  • 0

#4
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Not a problem Chris.
  • 0

#5
rhythmco

    Member

  • Topic Starter
  • 10 posts
Phil,

Thanks again for your time and attention.

I've done everything as instructed, and even though this computer is NOT currently being used for multiple profiles, I would like to eventually.

When I FIXED the uarvpa.dll entry in HiJackThis, it immediately reappeared in a new scan.

When I tried to delete it in SAFE MODE, the blank.htm file did not exist and the uarvpa.dll file said it could not be deleted because it was in use by another person or program...

I tried ending the winlogon process and windows said it could not be ended as it was a critical process.

So, with everything done at this point (but the uarvpa.dll file still in place) I am still getting the pop ups, which I expected would happen without deletion of the file. So here's the latest HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:09 AM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\default\My Documents\Programs\HiJack This\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PRO\POPUPPRO.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121918189004
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123469099918
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\uarvpa.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Tell me what to do next, and thanks again my friend!!

Chris
  • 0

#6
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Chris

Whatever ails your PC, it is not visible in HJT, other than the file you noted, so I am going to play a hunch based upon what you have previously described, and look for a VX2 infection.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#7
rhythmco

    Member

  • Topic Starter
  • 10 posts
Phil,

Here's the log from the l2mfix:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices-]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\uarvpa.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{04C3CF1A-E06E-8511-AD59-834E6DAED67E}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{548E5D6B-40C5-4C61-AC1A-9FB1544A39E4}"=""
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{03150A15-02D3-4D65-9C1F-B2E8BCCBA424}"=""
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{44484ED8-2A60-4DC9-838D-02805022DEFE}"=""
"{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{548E5D6B-40C5-4C61-AC1A-9FB1544A39E4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{548E5D6B-40C5-4C61-AC1A-9FB1544A39E4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{548E5D6B-40C5-4C61-AC1A-9FB1544A39E4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{548E5D6B-40C5-4C61-AC1A-9FB1544A39E4}\InprocServer32]
@="C:\\WINDOWS\\system32\\fbamebuf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}\InprocServer32]
@="C:\\WINDOWS\\system32\\MXRATING.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
inetwh32.dll Thu Jun 9 2005 1:18:26a A...R 49,152 48.00 K
roboex32.dll Thu Jun 9 2005 1:18:26a A...R 1,044,480 1020.00 K
picstore.dll Tue Jun 21 2005 12:12:22a A.... 12,288 12.00 K
inloader.dll Tue Jun 21 2005 12:12:32a A.... 78,848 77.00 K
asycpict.dll Tue Jun 21 2005 12:12:22a A.... 161,552 157.77 K
fp30wec.dll Tue Jun 21 2005 12:12:22a A.... 408,848 399.27 K
fpwecui.dll Tue Jun 21 2005 12:12:22a A.... 126,464 123.50 K
fp30wel.dll Tue Jun 21 2005 12:12:22a A.... 706,832 690.27 K
fp30utl.dll Tue Jun 21 2005 12:12:20a A.... 435,984 425.77 K
fp30txt.dll Tue Jun 21 2005 12:12:20a A.... 98,576 96.27 K
pubdlg.dll Tue Jun 21 2005 12:12:22a A.... 27,136 26.50 K
vsdata.dll Wed Jul 20 2005 2:45:14a A.... 83,728 81.77 K
dtu100.dll Wed May 18 2005 5:40:22p A.... 200,704 196.00 K
hhsetup.dll Thu May 26 2005 9:59:52p A.... 38,912 38.00 K
itircl.dll Thu May 26 2005 9:59:52p A.... 143,872 140.50 K
mscms.dll Tue Jun 28 2005 9:54:58p A.... 68,608 67.00 K
icm32.dll Tue Jun 28 2005 9:54:58p A.... 237,056 231.50 K
muweb.dll Thu May 26 2005 4:19:32a A.... 178,408 174.23 K
vsutil.dll Wed Jul 20 2005 2:45:54a A.... 382,736 373.77 K
vsmonapi.dll Wed Jul 20 2005 2:45:34a A.... 104,208 101.77 K
xpsp3res.dll Mon May 16 2005 8:43:40p ..... 7,168 7.00 K
itss.dll Thu May 26 2005 9:59:52p A.... 128,000 125.00 K
divx.dll Thu Jun 9 2005 4:32:28p A.... 692,736 676.50 K
vspubapi.dll Wed Jul 20 2005 2:45:38a A.... 227,088 221.77 K
vsinit.dll Wed Jul 20 2005 2:45:26a A.... 141,072 137.77 K
vsxml.dll Wed Jul 20 2005 2:46:02a A.... 100,112 97.77 K
zlcommdb.dll Wed Jul 20 2005 2:46:26a A.... 71,440 69.77 K
zlcomm.dll Wed Jul 20 2005 2:46:22a A.... 79,632 77.77 K
vsregexp.dll Wed Jul 20 2005 2:45:42a A.... 71,440 69.77 K
vete.dll Fri May 13 2005 6:52:56p A.... 733,236 716.05 K
driverif.dll Fri May 13 2005 6:52:56p A.... 77,824 76.00 K
vetntmsg.dll Fri May 13 2005 6:53:24p A.... 12,288 12.00 K
imslsp.dll Wed Jul 20 2005 2:42:48a A.... 2,807,568 2.68 M
imsins~1.dll Wed Jul 20 2005 2:42:44a A.... 653,072 637.77 K
mxrating.dll Wed Aug 10 2005 1:17:24a ..S.R 417,792 408.00 K
uarvpa.dll Wed Aug 3 2005 10:56:26p ..S.R 417,792 408.00 K
fbamebuf.dll Wed Aug 10 2005 9:09:42a ..S.R 417,792 408.00 K
jxvart.dll Sun Aug 7 2005 11:06:00p ..S.R 417,792 408.00 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wuweb.dll Thu May 26 2005 4:19:32a A.... 173,536 169.47 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K

47 items found: 47 files (4 H/S), 0 directories.
Total of file sizes: 14,699,708 bytes 14.02 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 07D0-0A0D

Directory of C:\WINDOWS\System32

08/10/2005 09:09 AM 417,792 fbamebuf.dll
08/10/2005 01:17 AM 417,792 MXRATING.DLL
08/07/2005 11:06 PM 417,792 jXvart.dll
08/03/2005 10:56 PM 417,792 uarvpa.dll
07/20/2005 11:47 PM <DIR> Microsoft
07/20/2005 10:59 PM <DIR> dllcache
4 File(s) 1,671,168 bytes
2 Dir(s) 3,650,158,592 bytes free


I may not be in again this evening and have to administer your next advice tomorrow night.

Another thing, my computer has restarted a couple of times in the last few days by itself for no reason.

Thanks again! - Chris

Edited by rhythmco, 10 August 2005 - 07:33 AM.

  • 0

#8
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
The VX2 infection on your PC is confirmed.

Close any programmes you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0
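The find log posted above carries the two artefacts that let the helper confirm the infection: a Winlogon\Notify subkey (here `RunServices-`) whose DllName points at a randomly named DLL in system32, and a cluster of system32 DLLs with exactly the same byte size (identical payload copies under different names). The script below, an added example that is not part of the thread or of L2MFIX, parses a Regedit export and a `dir` listing in the same format and flags both signals; the sample text and the allowlist of benign Notify DLLs are constructed, modelled on the posted log and a default Windows XP install.

```python
"""Added example: triage an L2MFIX-style find log for Look2Me/VX2 persistence.
Signals checked: a Winlogon\\Notify subkey whose DllName is not a known Windows
DLL, and several system32 DLLs that share one exact byte size."""
import re
from collections import defaultdict

# Assumption: short allowlist of Notify DLLs present on a default Windows XP
# install; extend it from a known-clean reference machine before relying on it.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample, modelled on the "Winlogon/notify" section of the posted
# log, plus one benign subkey (crypt32chain) as shipped with Windows XP.
NOTIFY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices-]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\uarvpa.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Logon"="ChainWlxLogonEvent"
'''

# Constructed sample, modelled on the "Directory Listing of system files" section.
DIR_LISTING = r'''Directory of C:\WINDOWS\System32

08/10/2005 09:09 AM 417,792 fbamebuf.dll
08/10/2005 01:17 AM 417,792 MXRATING.DLL
08/07/2005 11:06 PM 417,792 jXvart.dll
08/03/2005 10:56 PM 417,792 uarvpa.dll
07/20/2005 11:47 PM <DIR> Microsoft
4 File(s) 1,671,168 bytes
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<val>.*)$')
DIR_RE = re.compile(r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)$')


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. Quoted strings are unescaped (\\\\ -> \\);
    dword and other typed data are kept as the literal text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            val = m.group("val")
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = val
    return keys


def suspicious_notify_dlls(keys, allowlist=KNOWN_NOTIFY_DLLS):
    """Return (subkey, dll_path) for every Notify subkey that names a DLL
    outside the allowlist. Winlogon loads these in its own (SYSTEM) context,
    which is why the file could not be deleted while the key was in place."""
    hits, prefix = [], NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        dll = values.get("DllName", "")
        if dll and dll.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in allowlist:
            hits.append((path[len(prefix):], dll))
    return hits


def parse_dir_listing(text):
    """Return [(filename, size_bytes)] from a `dir` listing; <DIR> rows and
    summary lines do not match the pattern and are skipped."""
    return [(m.group(2), int(m.group(1).replace(",", "")))
            for m in (DIR_RE.match(l.strip()) for l in text.splitlines()) if m]


def same_size_dll_clusters(files, min_count=2):
    """Group DLLs by exact byte size; the dropper in this thread left four
    417,792-byte copies under unrelated names."""
    by_size = defaultdict(list)
    for name, size in files:
        if name.lower().endswith(".dll"):
            by_size[size].append(name)
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_count}


def triage(reg_text, dir_text):
    """Combine both signals; a Notify DLL that also sits in a same-size
    cluster is the strongest indicator and is reported as corroborated."""
    notify_hits = suspicious_notify_dlls(parse_reg_export(reg_text))
    clusters = same_size_dll_clusters(parse_dir_listing(dir_text))
    cluster_names = {n.lower() for names in clusters.values() for n in names}
    corroborated = [sub for sub, dll in notify_hits
                    if dll.rsplit("\\", 1)[-1].lower() in cluster_names]
    return {"notify_hits": notify_hits, "clusters": clusters, "corroborated": corroborated}


if __name__ == "__main__":
    result = triage(NOTIFY_EXPORT, DIR_LISTING)
    for sub, dll in result["notify_hits"]:
        print(f"Notify subkey {sub!r} loads {dll}")
    for size, names in result["clusters"].items():
        print(f"{len(names)} DLLs of exactly {size} bytes: {', '.join(names)}")
    print("corroborated:", result["corroborated"])
```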

#9
rhythmco

    Member

  • Topic Starter
  • 10 posts
Phil,

Got lucky today and had a minute to continue the process.

Everything done as instructed. Please see the fresh l2mfix and HijackThis logs below.

Chris

L2Mfix 1.03a

Running From:
C:\Documents and Settings\default\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\default\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\default\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1112 'explorer.exe'
Killing PID 1112 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1188 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
File not found - C:\WINDOWS\system32\uarvpa.dll
File not found - C:\WINDOWS\system32\uarvpa.dll
Backing Up: C:\WINDOWS\system32\uarvpa.dll
The system cannot find the file specified.
Backing Up: C:\WINDOWS\system32\uarvpa.dll
The system cannot find the file specified.
Backing Up: C:\WINDOWS\system32\jXvart.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jXvart.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\uarvpa.dll
Successfully Deleted: C:\WINDOWS\system32\uarvpa.dll
deleting: C:\WINDOWS\system32\uarvpa.dll
Successfully Deleted: C:\WINDOWS\system32\uarvpa.dll
deleting: C:\WINDOWS\system32\jXvart.dll
Successfully Deleted: C:\WINDOWS\system32\jXvart.dll
deleting: C:\WINDOWS\system32\jXvart.dll
Successfully Deleted: C:\WINDOWS\system32\jXvart.dll

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 51%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 70%)
adding: report 08-11-05.txt (deflated 70%)
adding: lo2.txt (deflated 76%)
adding: test2.txt (deflated 33%)
adding: test3.txt (deflated 33%)
adding: test5.txt (deflated 33%)
adding: test.txt (deflated 73%)
adding: xfind.txt (deflated 65%)
adding: backregs/shell.reg (deflated 59%)
adding: backregs/548E5D6B-40C5-4C61-AC1A-9FB1544A39E4.reg (deflated 70%)
adding: backregs/60FC4647-7F98-4CBB-A2A8-3DE6573E706A.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: uarvpa.dll
deleting local copy: uarvpa.dll
deleting local copy: jXvart.dll
deleting local copy: jXvart.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\uarvpa.dll
C:\WINDOWS\system32\uarvpa.dll
C:\WINDOWS\system32\jXvart.dll
C:\WINDOWS\system32\jXvart.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{548E5D6B-40C5-4C61-AC1A-9FB1544A39E4}"=-
"{03150A15-02D3-4D65-9C1F-B2E8BCCBA424}"=-
"{44484ED8-2A60-4DC9-838D-02805022DEFE}"=-
"{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{548E5D6B-40C5-4C61-AC1A-9FB1544A39E4}]
[-HKEY_CLASSES_ROOT\CLSID\{03150A15-02D3-4D65-9C1F-B2E8BCCBA424}]
[-HKEY_CLASSES_ROOT\CLSID\{44484ED8-2A60-4DC9-838D-02805022DEFE}]
[-HKEY_CLASSES_ROOT\CLSID\{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************



FRESH HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 1:52:00 PM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\default\My Documents\Programs\HiJack This\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PRO\POPUPPRO.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121918189004
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123469099918
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Phil,

Once we get this thing cleaned, I could sure use some advice on any programs that would block the installation of a VX2 infection in real time. Also, I'd like to learn more about VX2s, how to prevent them, and how to stop them. I believe this one came from a user on this computer who may have been snooping around serial/crack web sites. (My brother-in-law confessed after I showed him how unusable this computer had become due to pop ups.)

Chris

  • 0
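The l2mfix report above ends with an export of the Winlogon\Notify key and a REGEDIT4 listing of the registry entries it deleted. As an added example (not part of this thread, of l2mfix or of HijackThis), the Python script below parses that .reg text format, including the `[-key]` and `"name"=-` deletion forms used in the report, and audits each Notify package's DllName against a baseline of the DLLs behind the stock Windows XP notify packages, flagging anything else, such as a randomly named DLL under system32 like the one the fix removed. The sample exports, the `crypt32chain` and `jXvart` subkeys and the baseline list are constructed for this example; only the jXvart.dll path comes from the report. The baseline is an assumption taken from an XP SP2 machine and should be rebuilt from a known-clean machine of the same service pack rather than trusted as printed.

```python
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline: the DLLs behind the stock Windows XP SP2 notify packages
# (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn,
# termsrv, wlballoon). Rebuild it from a known-clean machine before relying on it.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample: the key as printed in the report above, one stock package
# (DllName stored as REG_EXPAND_SZ hex, as regedit exports it), and one package
# pointing at the DLL l2mfix removed.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jXvart]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\jXvart.dll"
"""

# Constructed sample in the deletion syntax of the report's REGEDIT4 section.
DELETION_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{60FC4647-7F98-4CBB-A2A8-3DE6573E706A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
"""


def _logical_lines(text):
    """Yield lines with the trailing-backslash continuations of hex values joined."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode_value(raw):
    """Decode the right-hand side of a value line; None means the value is deleted."""
    if raw == "-":
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:  # types 1/2/7 are UTF-16LE text; anything else stays raw bytes
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00") if m.group(1) in ("1", "2", "7") else data
    return raw


def parse_reg(text):
    """Return {key: {name: value}}; a key mapped to None was deleted with [-key]."""
    entries, current = {}, None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            if key.startswith("-"):
                entries[key[1:]], current = None, None
            else:
                if entries.get(key) is None:  # first sight, or re-created after a [-key]
                    entries[key] = {}
                current = entries[key]
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            current["(Default)" if m.group(1) == "@" else m.group(2)] = _decode_value(m.group(3))
    return entries


def audit_notify(entries, known=KNOWN_NOTIFY_DLLS):
    """List Notify packages whose DllName is missing or not in the known baseline."""
    findings, prefix = [], NOTIFY_KEY.lower() + "\\"
    for key, values in entries.items():
        if values is None or not key.lower().startswith(prefix):
            continue
        package, dll = key[len(prefix):], values.get("DllName")
        if not isinstance(dll, str) or not dll:
            findings.append({"package": package, "dll": dll, "reason": "no DllName"})
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in known:
            findings.append({"package": package, "dll": dll, "reason": "DLL not in baseline"})
    return findings


if __name__ == "__main__":
    for f in audit_notify(parse_reg(SAMPLE_EXPORT)):
        print(f"SUSPECT notify package {f['package']}: {f['dll']} ({f['reason']})")
```

Run against a real export (`regedit /e notify.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"` on the XP machine, then `parse_reg(open("notify.reg", encoding="utf-16").read())`), the audit lists every package that loads a DLL outside the baseline; a hit on a DLL that also cannot be deleted in Safe Mode and reappears after removal is the behaviour described later in this thread.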

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Congratulations! Your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
MOST IMPORTANT: You should update Windows and Internet Explorer to get all the Latest Security Patches to protect your computer from the malware that is around on the internet.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)

I am not ignoring your question Chris, it's just that no one can answer it. This malware gets in as trojans, normally using a carrier like Microsoft Internet Explorer, which is prone to this sort of action.

My advice is: use a good antivirus, use a reputable antispyware programme to run in real time, use an alternative to Microsoft Internet Explorer and ensure your firewall is switched on. Then all you have to do, in addition to your daily scans, is use other antispyware detectors for on demand scanning.
  • 0

#11
rhythmco

rhythmco

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Phil,

Couple of things:

1) My apologies for not getting back to you in a few days, been very busy.

2) We are going to make a small donation to you, thanks for everything, the pop ups are OFFICIALLY GONE!!!!!! :-)

3) One last issue........
After completing all instructions with the removal, I downloaded and installed Firefox as you recommended. Good browser!! There are some pages, though, that benefit you to work in IE. Since the download and installation of Firefox, all of a sudden I cannot view pics on a few web sites.

Most notably, eBay, where I often sell items for other people as a little side business. What is happening is that graphics are not showing up on the page. When you click the properties of a picture, the properties show the address of the picture to be http://127.0.0.1/bug.cgi

I have included a screenshot of eBay to show you what I'm talking about. I was wondering if it may have something to do with the removal process. This happens in BOTH IE and FIREFOX.

Please advise.

Thanks! - Chris

Attached Thumbnails

  • screenshot.jpg

Edited by rhythmco, 15 August 2005 - 08:18 AM.

  • 0

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
I also use FF and have done for about a year or so. I do not have that problem and never have. I would suggest that you click TOOLS > OPTIONS and check WEB FEATURES.

If you still have problems, uninstall FF and re-download version 1.0.6. Still have problems? Go to Mozillazine Firefox support: http://forums.mozill...wforum.php?f=38 and submit your problem to the forum. One of their experts will soon sort it out for you.

Attached Thumbnails

  • ebay.JPG

  • 0

#13
rhythmco

rhythmco

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Phil,

We sent you $10 American Dollars today (5.52 pounds) as thanks for your help.

You REALLY saved us. I'm still having no luck with the pictures on the eBay web site and am very disturbed as to the disruption of my business there.

Oh well... I'll keep working on it.

If you have any more informative links or references on VX2 infections please share them. I would very much like to learn how to recognize and fight off VX2 infections in depth. I've been working with computer security and have a good understanding of how they work: ports, firewalls, connections, and the like.....

Let's take my scenario for instance. Upon posting the second file you replied that it confirmed the VX2......

What did you see in the log that specifically indicated the infection? That might help me a bit as well. Furthermore, is there a working list of .dll names that are VX2 infectors?

Again, I am very interested in learning about these types of infections IN DEPTH. Some checking around with my friends lately and I've found a few of them are fighting the infections as we speak. I'd like to try and help them with the tools you had me use (l2mfix and HJT). I believe, due to the behavior of the suspicious files in question, that they too are housing VX2's.

The indicators to me are the unremovable files in Safe Mode and watching how the file reappears after the fix with HJT.

Thanks again for everything, I am eager to learn.

Chris

PS: The gasoline prices here have dramatically increased in the last few months and are now at all time record highs. The price here is typically $2.50/gallon. I heard today that in the UK, you guys are paying an average of around $5/gallon. What are the current averages in the UK?
  • 0

#14
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Thank you for your generosity.

If you want to learn about spyware, why not join us and go through Geek University.

Petrol is about 90p per litre which is about $7.00 a gallon (imperial).

I'll leave this thread open for a few days.
  • 0

#15
rhythmco

rhythmco

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Phil,

What does it take to go through Geek University?

Please advise

Chris
  • 0
