Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

UMonitor, VX2 - need some help

Started by ksijur , Jan 10 2005 11:06 AM

Please log in to reply

#1
ksijur

Posted 10 January 2005 - 11:06 AM

New Member

Member
9 posts

Hi,
I have read about this UMonitor & VX2 for last 3 hours and tried many of the steps written on this forum... well, no luck... so, if someone would help me with this, I'd appreciate it very much...
here is hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 12:04:54 PM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Progra~1\dnetc\dnetc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuwkwu.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Michael\Desktop\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: distributed.net client - Distributed Computing Technologies, Inc. - C:\Progra~1\dnetc\dnetc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#2
-=jonnyrotten=-

Posted 10 January 2005 - 12:58 PM

Member 2k

Retired Staff
2,678 posts

Download finditnt2000xp.zip.
Unzip the contents of finditnt2000xp.zip to a convenient location.
Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.
Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

-=jonnyrotten=- :tazz:

#3
ksijur

Posted 10 January 2005 - 01:22 PM

New Member

Topic Starter
Member
9 posts

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Michael\Desktop

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 11:50 AM 225,132 dn2401fqe.dll
01/10/2005 11:49 AM 225,132 mgtask.dll
01/10/2005 11:47 AM 225,378 lv0809due.dll
01/10/2005 10:24 AM 225,231 o0pq0a75ed.dll
01/07/2005 06:45 AM 224,937 ohbccu32.dll
01/06/2005 05:29 PM 223,149 kwdcz1.dll
01/06/2005 02:36 PM 223,752 ilign32.dll
01/06/2005 02:02 PM 223,149 inencode.dll
01/06/2005 01:28 PM 225,365 PVCN11.DLL
01/06/2005 01:23 PM 224,858 unrfaxa.dll
01/06/2005 01:17 PM 222,859 lVngwrbk.dll
01/06/2005 12:23 PM 224,858 vxrmux.dll
01/06/2005 12:06 PM 222,859 rputetab.dll
01/04/2005 05:19 PM 223,248 lv8o09l3e.dll
01/03/2005 10:26 AM 223,527 o8660ijse8o60.dll
01/01/2005 04:04 PM 222,935 gpp0l37m1.dll
12/31/2004 07:29 PM 224,798 k008ladu1d08.dll
12/28/2004 12:16 PM 225,830 dnj0011me.dll
12/28/2004 09:11 AM 225,654 l20ulcd91f0.dll
12/25/2004 07:15 AM 226,296 m2460chsef460.dll
12/24/2004 09:19 AM 225,828 dn0401dqe.dll
12/22/2004 09:55 PM 223,176 gpl2l33o1.dll
12/19/2004 10:36 AM 223,192 l4p2le7o1h.dll
12/19/2004 08:26 AM 223,187 hrpq0575e.dll
12/18/2004 08:23 AM 223,187 adferror.dll
12/15/2004 11:23 AM 225,269 j02q0af5ed2.dll
12/15/2004 08:24 AM 225,858 f82m0if1e82.dll
12/14/2004 08:36 AM 225,858 wonmm.dll
12/11/2004 04:56 PM 226,220 enp4l17q1.dll
12/11/2004 04:45 PM 225,366 jtj6071se.dll
12/10/2004 12:58 PM 224,749 ktjql7151.dll
10/24/2003 04:34 PM <DIR> Microsoft
10/23/2003 04:24 PM <DIR> dllcache
31 File(s) 6,960,837 bytes
2 Dir(s) 40,907,440,128 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

10/23/2003 04:39 PM 488 logonui.exe.manifest
10/23/2003 04:39 PM 488 WindowsLogon.manifest
10/23/2003 04:39 PM 749 sapi.cpl.manifest
10/23/2003 04:39 PM 749 wuaucpl.cpl.manifest
10/23/2003 04:39 PM 749 cdplayer.exe.manifest
10/23/2003 04:39 PM 749 nwc.cpl.manifest
10/23/2003 04:39 PM 749 ncpa.cpl.manifest
10/23/2003 04:24 PM <DIR> dllcache
7 File(s) 4,721 bytes
1 Dir(s) 40,907,407,360 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 12:02 PM 225,378 guard.tmp
1 File(s) 225,378 bytes
0 Dir(s) 40,907,374,592 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3C72-1709

Directory of C:\WINDOWS\System32

01/10/2005 12:02 PM 225,378 guard.tmp
09/03/2002 01:00 PM 53,248 uninst1.tmp
09/03/2002 01:00 PM 238,080 uninst2.tmp
09/03/2002 01:00 PM 8,336,384 uninst3.tmp
09/03/2002 01:00 PM 2,577 CONFIG.TMP
5 File(s) 8,855,667 bytes
0 Dir(s) 40,907,341,824 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv0809due.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
jtj607~1.dll Sat Dec 11 2004 4:45:12p ..S.R 225,366 220.08 K
enp4l1~1.dll Sat Dec 11 2004 4:56:42p ..S.R 226,220 220.92 K
wonmm.dll Tue Dec 14 2004 8:36:32a ..S.R 225,858 220.56 K
adferror.dll Sat Dec 18 2004 8:23:10a ..S.R 223,187 217.95 K
kwdcz1.dll Thu Jan 6 2005 5:29:40p ..S.R 223,149 217.92 K
f82m0i~1.dll Wed Dec 15 2004 8:24:34a ..S.R 225,858 220.56 K
rputetab.dll Thu Jan 6 2005 12:06:42p ..S.R 222,859 217.63 K
ohbccu32.dll Fri Jan 7 2005 6:45:40a ..S.R 224,937 219.66 K
unrfaxa.dll Thu Jan 6 2005 1:23:28p ..S.R 224,858 219.59 K
dn2401~1.dll Mon Jan 10 2005 11:50:40a ..S.R 225,132 219.86 K
hrpq05~1.dll Sun Dec 19 2004 8:26:10a ..S.R 223,187 217.95 K
vxrmux.dll Thu Jan 6 2005 12:23:36p ..S.R 224,858 219.59 K
pvcn11.dll Thu Jan 6 2005 1:28:38p ..S.R 225,365 220.08 K
inencode.dll Thu Jan 6 2005 2:02:20p ..S.R 223,149 217.92 K
ilign32.dll Thu Jan 6 2005 2:36:28p ..S.R 223,752 218.51 K
mgtask.dll Mon Jan 10 2005 11:49:40a ..S.R 225,132 219.86 K
j02q0a~1.dll Wed Dec 15 2004 11:23:50a ..S.R 225,269 219.99 K
o0pq0a~1.dll Mon Jan 10 2005 10:24:56a ..S.R 225,231 219.95 K
dn0401~1.dll Fri Dec 24 2004 9:19:38a ..S.R 225,828 220.54 K
l4p2le~1.dll Sun Dec 19 2004 10:36:16a ..S.R 223,192 217.96 K
gpl2l3~1.dll Wed Dec 22 2004 9:55:42p ..S.R 223,176 217.95 K
m2460c~1.dll Sat Dec 25 2004 7:15:50a ..S.R 226,296 220.99 K
l20ulc~1.dll Tue Dec 28 2004 9:11:46a ..S.R 225,654 220.36 K
dnj001~1.dll Tue Dec 28 2004 12:16:44p ..S.R 225,830 220.54 K
gpp0l3~1.dll Sat Jan 1 2005 4:04:32p ..S.R 222,935 217.71 K
k008la~1.dll Fri Dec 31 2004 7:29:28p ..S.R 224,798 219.53 K
lv0809~1.dll Mon Jan 10 2005 11:47:00a ..S.R 225,378 220.09 K
o8660i~1.dll Mon Jan 3 2005 10:26:42a ..S.R 223,527 218.29 K
lv8o09~1.dll Tue Jan 4 2005 5:19:32p ..S.R 223,248 218.02 K
lvngwrbk.dll Thu Jan 6 2005 1:17:42p ..S.R 222,859 217.63 K
ktjql7~1.dll Fri Dec 10 2004 12:58:00p ..S.R 224,749 219.48 K

31 items found: 31 files, 0 directories.
Total of file sizes: 6,960,837 bytes 6.64 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\epeaep.dll: updates.qoologic.com
C:\WINDOWS\system32\cucpcu.dll: updates.qoologic.com
C:\WINDOWS\system32\huhqhu.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\wuwkwu.exe: .aspack
C:\WINDOWS\system32\pupvpu.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hghnhg.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Narrator"="C:\\WINDOWS\\system32\\wuwkwu.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

uf... I like this program ;-)

#4
admin

Posted 10 January 2005 - 01:48 PM

Founder Geek

Community Leader
24,639 posts

This is a long fix. Please follow each step closely.

Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\XXXXX.dlldn2401fqe.dll
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:
- C:\WINDOWS\System32\mgtask.dll
- C:\WINDOWS\System32\lv0809due.dll
- C:\WINDOWS\System32\o0pq0a75ed.dll
- C:\WINDOWS\System32\ohbccu32.dll
- C:\WINDOWS\System32\kwdcz1.dll
- C:\WINDOWS\System32\ilign32.dll
- C:\WINDOWS\System32\inencode.dll
- C:\WINDOWS\System32\PVCN11.DLL
- C:\WINDOWS\System32\unrfaxa.dll
- C:\WINDOWS\System32\lVngwrbk.dll
- C:\WINDOWS\System32\vxrmux.dll
- C:\WINDOWS\System32\rputetab.dll
- C:\WINDOWS\System32\lv8o09l3e.dll
- C:\WINDOWS\System32\o8660ijse8o60.dll
- C:\WINDOWS\System32\gpp0l37m1.dll
- C:\WINDOWS\System32\k008ladu1d08.dll
- C:\WINDOWS\System32\dnj0011me.dll
- C:\WINDOWS\System32\l20ulcd91f0.dll
- C:\WINDOWS\System32\m2460chsef460.dll
- C:\WINDOWS\System32\dn0401dqe.dll
- C:\WINDOWS\System32\gpl2l33o1.dll
- C:\WINDOWS\System32\l4p2le7o1h.dll
- C:\WINDOWS\System32\hrpq0575e.dll
- C:\WINDOWS\System32\adferror.dll
- C:\WINDOWS\System32\j02q0af5ed2.dll
- C:\WINDOWS\System32\f82m0if1e82.dll
- C:\WINDOWS\System32\wonmm.dll
- C:\WINDOWS\System32\enp4l17q1.dll
- C:\WINDOWS\System32\jtj6071se.dll
- C:\WINDOWS\System32\ktjql7151.dll
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\Guard.tmp
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.

Copy and paste the code below into a text editor such as Notepad.

Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

Download VX2Finder.
Double-click on VX2Finder.exe.
Click "Restore Policy".
In the File menu click "Exit".
Double-click on KillBox.exe.
In the File menu click "Delete all Dummy files".
In the Tools menu click "Delete Temp Files".
Choose "Standard File Kill" if not already selected.
Paste these files one by one into the top "Full Path of File to Delete" box.
- C:\RECYCLER\desktop.ini
- C:\WINDOWS\System32\drivers\etc\HOSTS
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Confirm Delete prompt.
It should give you a successful "File was deleted" prompt for each one.
Double-click on find.bat and post the new output.txt.
Paste a fresh HijackThis log.

#5
ksijur

Posted 10 January 2005 - 02:14 PM

New Member

Topic Starter
Member
9 posts

#6
ksijur

Posted 11 January 2005 - 07:13 AM

New Member

Topic Starter
Member
9 posts

waited all night and no response? please, help...

#7
Metallica

Posted 11 January 2005 - 08:48 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\bpackbox.dll
C:\WINDOWS\System32\dnjs0117e.dll
C:\WINDOWS\system32\dn2401fqe.dll
C:\WINDOWS\system32\epeaep.dll
C:\WINDOWS\system32\cucpcu.dll
C:\WINDOWS\system32\huhqhu.exe
C:\WINDOWS\system32\wuwkwu.exe
C:\WINDOWS\system32\pupvpu.dat
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hghnhg.exe <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-

Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")

attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f

Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Post back with a HijackThis log.

Regards,

Pieter

#8
ksijur

Posted 11 January 2005 - 09:07 AM

New Member

Topic Starter
Member
9 posts

well, I was kinda impatient and studied the procedure from the first step and managed to kill that VX2 s..t. I want to thank you all for your help, however I've got one more question about your guides... what this registrie entry that you suggested putting in does?

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DFFBCD33-F07E-4509-A10C-82747DBECA10}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-

and where did you get it?

thanks again...

#9
Metallica

Posted 11 January 2005 - 09:10 AM

Spyware Veteran

GeekU Moderator
33,101 posts

I made that looking for the related entries in your log.

The first line removes your User Agent, just like VX2finder would.

The second removes the Winlogon\Notify startup for this malware.

The third removes the startup for the Narrator trojan.

Regards,

Pieter