VX2 damage?


11 replies to this topic

#1 mrmega

  • Full Member
  • 7 posts

Posted 20 May 2004 - 02:02 PM

Hello everybody,

I have read the FAQs here, the Hijacked article, ran Adaware, Spybot and a host of other apps (all updated) and been trying to solve the following problem for almost a week now.

The computer I am having trouble with is a Sony 900MHZ laptop with WinXP home.

Late last week I was doing my daily cleansing routine: adaware/spybot and picked up some registry changes and other associated entries identified as VX2. or "Better Internet" in Adaware.

I used Adaware, thought I got rid of it, ran Spybot, saw nothing new and then tried to do a manual scan with Trendmicro PC-Cillin virus scanner. A few seconds into the scan it would stop, and just disappear.

I then thought maybe whatever I caught had messed the virus scanner up, so I uninstalled PC-Cillin, restarted, reinstalled it, updated it and tried to run it again. Same thing happened... after a few seconds it just stopped.

I started searching Google for VX2. and "Better Internet" and saw how nasty this thing is, so I spend days reading on a lot of boards about solutions and stuff.
I saw several instances where other people had the same problem I had (the virus scanner crashing) and started gathering as much info as I could to solve the problem.

I guess I have a really weird strain, because I don't detect any of the same .dlls or registry entries that a lot of other people have had.

I have done everything I know to do and I really need some help.

I am not seeing any new traces of VX2. (or anything else that was mentioned in Adaware, Spybot,) the VX2.BetterInternet Finder(from broadbandmedic.com), a host of Trojan scanners or anything else.

I thought maybe I got rid of it, so I started thinking maybe something in my registry was whacked out and that's why the virus scanner wasn't working, so I got RegScrubXP and cleaned my registry (it did find some problems), and the problem with my virus scanner remains.

The place it stops scanning and disappears is when it is looking inside of c:\WINDOWS\system32\wbem (I am pretty sure that’s the exact directory)

I do have a Hijackthis log I can show too if it will help.
When I run Adaware, I only find a couple of data miner cookies now (probably from looking at message boards to try and solve the problem).

Can someone please assist me?
A. How can I figure out if I am still invaded?
B. How can I get my Virus scanner to work again?

Any observations or help that is provided will be sincerely appreciated. As a small business owner, all of this time is really starting to hurt the wallet.

Thank you!

#2 Quinstar

  • Advanced Member
  • Retired Staff
  • 249 posts

Posted 20 May 2004 - 03:14 PM

Post the log here, I'll have a look at it...
If you really still have L2M I'll get you fixed up... :)

Greetz...
To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be

#3 mrmega

  • Full Member
  • 7 posts

Posted 20 May 2004 - 03:51 PM

Quinstar,

Thank you!

Here is the latest HJT log:

-------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 4:03:03 PM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
D:\D- My Downloads\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - D:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [HitwarePKLite] D:\PROGRA~1\HITWAR~1\HITWAR~1.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\System32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/..
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl..
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/de..
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001..
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate..
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v44/sol/s..
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage..
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwav..

------------------------------------------

END OF LOG

-------------------------------------------

Other than a couple of cookie files, I am still not getting any new information from scans etc and the virus scanner still fails.

One cookie that might be weird and that seems persistent is:

perran@atdmt[1].txt (Perran is my name). I see this with a [1] or a [2]. That's the only persistent thing I see lately from Adaware scans.



On another front, I just ran PC-Cillin again and it made it through:

c:\WINDOWS\system32\wbem

so I got excited and then it was scanning another dir inside of \system32 and then it crashed again :(

I really don't think I should run that box again until I can get the virus scanner to work!

Thanks again,
:)

#4 Quinstar

  • Advanced Member
  • Retired Staff
  • 249 posts

Posted 20 May 2004 - 04:15 PM

Well...
You do really need to get Windows updated...
Really...
That could stop those errors...
But also make Windows a lot more secure...
Here are the English Windows Update pages...

I'll give you the latest instructions for the L2M Removal:

Download this: http://www.downloads...g/VX2Finder.exe and run it

1-Click "Click To find Find VX2.Abetterinternet"

If it doesn't find absolutely anything then you aren't infected any more...
If it does find something... continue with the instructions... :)

2-Delete all files found
You will get a message about "cannot delete this one" matching the same name in the Guardian Key.

3-Click "Open regedit" will take you right to the Guardian Key(no need to search for it)

4-Highlight "Guardian", right-click and choose Security/Permissions, you'll get another window with 'Advanced'...
DE-select (uncheck) the lower box with "inheritable permissions"
Hit 'ok' and 'remove' on the following security prompts.

Restart computer.

5-On restart use VX2Finder again, select + delete the last file, click "User Agent$" will remove that entry from the registry.

6-Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions"

7-Click "Guardian.reg" in VX2Finder Deletes the Guardian Key.

8-Use Find again should produce a clean log of blank values.

9-Click "Restore Policy" to restore the Debug policy altered in the Look2Me installation. (Requires reboot to apply, but not immediately necessary.)

This was the fix...

C:/Windows/system32/wbem/ is a legit windows folder...
It's strange that it crashes... It could be L2M/VX2...
We'll see...


Good Luck...

#5 mrmega

  • Full Member
  • 7 posts

Posted 20 May 2004 - 04:21 PM

Quinstar,

Thank you for all of the info:

I will follow the instructions and let you know what I found out.


:)

#6 mrmega

  • Full Member
  • 7 posts

Posted 20 May 2004 - 05:01 PM

Hey,

Ok, I downloaded the VX2Finder (I thought it was the same as the one I got from broadbandreports.com, and it was, and I did it anyway) and I don't think it found anything.


When I ran it, it says

"Files Found---


Guardian Key--- is called:

User Agent String---


---------------------------------------------


I am presuming that means there isn't anything there.

So, I tried to see what else might be causing my PC-Cillin to fail, so I uninstalled it, restarted, cleaned the registry, restarted and reinstalled it and downloaded the latest pattern file, and it continues to crash.

It isn't always crashing in Windows\system32\wbem ... but it is always crashing in \system32.


I have never had any problems with PC-Cillin before (In 2.5 years) and this started after I found the first instance of VX2.

Any ideas on how I can determine why my virus scanner continues to crash and how I might fix it?

#7 Quinstar

  • Advanced Member
  • Retired Staff
  • 249 posts

Posted 20 May 2004 - 06:39 PM

Try these:

Online Virus Scanner:
Go to TREND MICRO’s free online virus scanner
http://housecall.tre.../start_corp.asp
and deal with it there.


Here's an online Trojan scan:
Click yes when you get prompted...
http://www.trojansca.../trojanscan.htm
And do what they ask...


See what they find...


I'll look around a little for some answers... :)


Good Luck...

#8 mrmega

  • Full Member
  • 7 posts

Posted 20 May 2004 - 08:24 PM

Ok,

First I tried to do the online Trojanscan at http://www.trojansca.../trojanscan.htm and it crashed 4 times!!!!

Then I ran the online virus scan at http://housecall.tre.../start_corp.asp just for kicks and giggles (I did that yesterday too) and it did not find anything.

I am convinced I have something nasty and am completely lost :(

I find it incredible that both the PC-Cillin on my laptop and the online Trojan scanner get crashed.

BTW, thank you for helping, and I am hoping for a miracle now :)

The only other new info I have is that this cookie continues to persist when I run Adaware, so maybe it's a clue:

perran@atdmt[1].txt

Even when the only sites I go to are the scanning sites, it shows back up :/

I am certain my PC-Cillin itself is OK, because when I only run it on the D: drive it doesn't crash.

Edited by mrmega, 20 May 2004 - 08:27 PM.


#9 Quinstar

  • Advanced Member
  • Retired Staff
  • 249 posts

Posted 21 May 2004 - 04:00 AM

Well... Run adaware again, and note down everything it tells you... If it still finds the VX2... We could use some precise information to build upon...
I'll look into the cookie too...

And I'm getting some experts on this, because I don't think I'm missing something, and you have some serious problems...

Have you updated already?

Post a fresh log too...


Hang in there...

#10 mrmega

  • Full Member
  • 7 posts

Posted 21 May 2004 - 11:37 AM

I hadn't updated yet, I was afraid to do it. I will do that now.

I have been running Adaware every hour, and also trying to do a virus scan.
I thought maybe I should know all of the DLLs in my system in case something funky is present (I am convinced it is), so I have been Googling any DLL I didn't recognise, or maybe even thought was a real one (on the possibility it was an evil DLL spelled to look like something real).

Just so I am doing a good job providing info: Adaware is only finding that one cookie and a couple of other ones when I go to sites (like when I download the reg cleaner and stuff). I am using my main PC to do all my work, and avoiding using the laptop except to scan and stuff.

I have been saving Adaware logs periodically. I will start saving all of them when I scan.

Thank you very much for helping me!!!! I really really appreciate your help.


I will run some fresh scans and post the new logs and then update. I hope SP1 or SP2 or whatever doesn't break my software lol

:)

Oh yeah, I had tried to look into that cookie on Google late last night/early this morning, and because I am not as familiar with scumware and how it specifically affects things on a deep level, I don't think I know what kind of clues to look for. I found an infinite number of references to it, mostly in logs people have posted, so I bowed out of that mission.

Edited by mrmega, 21 May 2004 - 11:47 AM.


#11 mrmega

  • Full Member
  • 7 posts

Posted 21 May 2004 - 12:20 PM

Ok here is an update:


First the Adaware scan results:


Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


5-21-2004 12:46:46 PM - Scan started. (Smart mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-21-2004 3:04:38 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:08:59 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:09:00 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 9/8/2001 1:56:48 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:09:00 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 9/8/2001 1:56:23 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:09:05 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/8/2001 1:56:56 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:09:07 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/8/2001 1:56:56 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:09:14 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 9/8/2001 1:56:55 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:8 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:09:21 AM
BasePriority : Normal
FileSize : 80 KB
Created on : 9/8/2001 1:57:45 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 7/18/2001 1:32:18 AM

#:9 [kodakccs.exe]
FilePath : C:\WINDOWS\system32\drivers\
ThreadCreationTime : 5-21-2004 3:09:22 AM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 1.1.4900.0
ProductVersion : 4.3.1.0
Copyright : Copyright © Eastman Kodak Co. 2000-2003
CompanyName : Eastman Kodak Company
FileDescription : Kodak DC Ring 3 Conduit (Win32)
InternalName : DcFsSvc.exe
OriginalFilename : DcFsSvc.exe
ProductName : Kodak DC File System Driver (Win32)
Created on : 6/18/2003 1:54:10 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 6/18/2003 1:54:10 PM

#:10 [scsiaccess.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:09:23 AM
BasePriority : Normal
FileSize : 177 KB
Created on : 2/4/2003 12:22:30 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 2/4/2003 12:22:30 PM

#:11 [tmntsrv.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 5-21-2004 3:09:24 AM
BasePriority : Normal
FileSize : 119 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright © 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : TMNTSRV
InternalName : TMNTSRV
OriginalFilename : TMNTSRV.exe
ProductName : Trend Pc-cillin 7.61
Created on : 9/6/2001 8:18:54 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 9/6/2001 8:18:54 PM

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-21-2004 3:14:33 AM
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 9/8/2001 1:56:13 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:13 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ThreadCreationTime : 5-21-2004 3:14:41 AM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 5.5.5.109
ProductVersion : 5.5.5.109
Copyright : Copyright © 1999-2001 Alps Electric Co., Ltd.
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
OriginalFilename : Apoint.exe
ProductName : Alps Pointing-device Driver
Created on : 9/8/2001 1:57:42 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 8/22/2001 9:23:34 PM

#:14 [atiptaxx.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:14:42 AM
BasePriority : Normal
FileSize : 212 KB
FileVersion : 5.13.2509
ProductVersion : 5.13.2509
Copyright : Copyright © 1998-2001 ATI Technologies Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
OriginalFilename : Atiptaxx.exe
ProductName : ATI Desktop Component
Created on : 9/8/2001 1:57:46 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 7/5/2001 6:53:32 PM

#:15 [qttask.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 3:14:44 AM
BasePriority : Normal
FileSize : 28 KB
Created on : 9/8/2001 4:08:46 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 9/8/2001 4:08:48 PM

#:16 [taskswitch.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 3:14:45 AM
BasePriority : Normal
FileSize : 44 KB
Created on : 3/19/2002 9:30:00 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 3/19/2002 9:30:00 PM

#:17 [pop3trap.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 5-21-2004 3:14:47 AM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright © 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : Pop3trap
InternalName : Pop3trap
OriginalFilename : Pop3trap.EXE
ProductName : Trend Pc-cillin 7.61
Created on : 9/6/2001 8:25:32 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 9/6/2001 8:25:32 PM

#:18 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ThreadCreationTime : 5-21-2004 3:14:47 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.0.1.13
ProductVersion : 5.0.1.13
Copyright : Copyright © 1998-2001 Alps Electric Co., Ltd.
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000
InternalName : Alps Pointing-device Driver for Windows NT/2000
OriginalFilename : ApntEx.exe
ProductName : Alps Pointing-device Driver for Windows NT/2000
Created on : 9/8/2001 1:57:41 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 7/13/2001 2:44:24 PM

#:19 [webtrapnt.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 5-21-2004 3:14:48 AM
BasePriority : Normal
FileSize : 230 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright © 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : WebTrap MFC Application
InternalName : WebTrap
OriginalFilename : WebTrap.EXE
ProductName : Trend Pc-cillin 7.61
Created on : 9/6/2001 8:20:08 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 9/6/2001 8:20:08 PM

#:20 [wcescomm.exe]
FilePath : D:\Program Files\Microsoft ActiveSync\
ThreadCreationTime : 5-21-2004 3:14:49 AM
BasePriority : Normal
FileSize : 392 KB
FileVersion : 3.6.0.2148
ProductVersion : 3.6.2148
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Connection Manager
InternalName : wcescomm
OriginalFilename : WCESCOMM.EXE
ProductName : Microsoft ActiveSync
Created on : 1/5/2003 5:27:19 AM
Last accessed : 5/21/2004 4:46:47 PM
Last modified : 5/28/2002 7:55:26 PM

#:21 [pntiomon.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 5-21-2004 3:14:58 AM
BasePriority : Normal
FileSize : 147 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright © 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : PNTIOMON
InternalName : PNTIOMON
OriginalFilename : PNTIOMON.exe
ProductName : Trend Pc-cillin 7.61
Created on : 9/6/2001 8:17:10 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 9/6/2001 8:17:10 PM

#:22 [pccntupd.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 5-21-2004 3:15:01 AM
BasePriority : Normal
FileSize : 38 KB
Created on : 9/6/2001 8:17:28 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 9/6/2001 8:17:28 PM

#:23 [ad-aware.exe]
FilePath : D:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 5-21-2004 4:46:18 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 1/20/2004 4:28:50 AM
Last accessed : 5/21/2004 4:46:18 PM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Tracking Cookie Object recognized!
Type : File
Data : perran@adrevolver[1].txt
Object : C:\Documents and Settings\Perran\Cookies\

Created on : 9/8/2003 2:57:37 AM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 9/8/2003 2:57:38 AM



Tracking Cookie Object recognized!
Type : File
Data : perran@ads.tripod.lycos[1].txt
Object : C:\Documents and Settings\Perran\Cookies\

Created on : 7/7/2003 9:33:47 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 7/7/2003 9:33:48 PM



Tracking Cookie Object recognized!
Type : File
Data : perran@tripod[2].txt
Object : C:\Documents and Settings\Perran\Cookies\

Created on : 8/16/2003 11:05:06 PM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 8/16/2003 11:05:08 PM



Tracking Cookie Object recognized!
Type : File
Data : perran@domainsponsor[2].txt
Object : C:\Documents and Settings\Perran\Cookies\

Created on : 10/1/2003 10:30:04 AM
Last accessed : 5/21/2004 4:00:00 AM
Last modified : 10/1/2003 10:30:06 AM


ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Hosts file scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
1 entries scanned.
New objects :0
Objects found so far: 4




Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 4


12:50:51 PM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:04:04:141
Objects scanned :47265
Objects identified :4
Objects ignored :0
New objects :4


----------------------------------

END OF ADAWARE LOG

------------------------------------

Now the HJT Log:



-------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 12:54:52 PM, on 5/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
D:\D- My Downloads\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - D:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [HitwarePKLite] D:\PROGRA~1\HITWAR~1\HITWAR~1.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\System32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojansca...an/TDECntrl.CAB
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v44/sol/sol.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong....timage30717.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

---------------------------

END OF HJT LOG

----------------------------



A couple of things:

ADAWARE: It REALLY amazes me that these cookies are present, because I hadn't been doing any surfing!!!!



Another thing:

A. Ran Adaware
B. Ran HJT for a new log as requested
C. Just for kicks and giggles I ran the reg cleaner again, and it found the following (I took a screenshot and posted it on my website):

http://www.perran.com/reg_cleaner.jpg



So I am sitting here asking myself how there could be registry errors when I hadn't done anything!!!

Yesterday I uninstalled PC-Cillin again, restarted, ran the reg cleaner, restarted, reinstalled PC-Cillin, updated, tried to scan C: (it crashed) and tried to scan D: and it was fine.



I am going to do the updates now.

Hope this helps.

I hope that my pain and frustration can help you guys determine some ways we can combat all the scumware, malware, evilware makers.


I really think things have gotten to a point where it's just plain evil. This invasion wasn't an after-effect of downloading shareware or warez or freeware. It wasn't caused by an invasion via email.

The only possible cause I can determine is that this happened from surfing a website.

Ok end of Rant.

I will go update my system now and report back if anything new happens.

Thanks again I really appreciate it.
:)
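As an added example (not code from the thread, the forum, or the HijackThis project), here is a small Python script that parses two HijackThis v1.97.7 logs in the layout posted above and reports which running processes and R/O items appeared or disappeared between them, which is the comparison a helper makes when asked for a "fresh log". The two embedded logs are constructed, abridged excerpts of the 5/20 and 5/21 logs, trimmed so that exactly one process and one O16 item differ.

```python
import re
from dataclasses import dataclass, field

# Matches a HijackThis item line such as "O4 - HKLM\..\Run: [Apoint] ..."
# and captures its section code (R0-R3, F0-F3, N1-N4, O1-O24).
ITEM_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


@dataclass
class HjtLog:
    header: dict = field(default_factory=dict)
    processes: list = field(default_factory=list)
    items: dict = field(default_factory=dict)  # section code -> list of item text


def parse_hjt(text: str) -> HjtLog:
    """Parse a HijackThis v1.97.x text log into header, processes and items."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line.startswith("Logfile of HijackThis"):
            log.header["version"] = line.split("HijackThis", 1)[1].strip()
        elif line.startswith("Scan saved at"):
            log.header["scanned"] = line[len("Scan saved at"):].strip()
        elif line.startswith("Platform:"):
            log.header["platform"] = line[len("Platform:"):].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        else:
            m = ITEM_RE.match(line)
            if m:  # separators, "END OF LOG" and similar lines are skipped
                log.items.setdefault(m.group(1), []).append(m.group(2))
    return log


def _unique(values):
    """Case-insensitive de-duplication (Windows paths differ only in case, e.g.
    System32 vs system32); keeps the first spelling seen, so the two svchost.exe
    lines in the posted logs collapse to one entry."""
    seen = {}
    for v in values:
        seen.setdefault(v.casefold(), v)
    return seen


def _delta(old_values, new_values):
    old, new = _unique(old_values), _unique(new_values)
    added = sorted(v for k, v in new.items() if k not in old)
    removed = sorted(v for k, v in old.items() if k not in new)
    return added, removed


def diff_hjt(old: HjtLog, new: HjtLog) -> dict:
    """Report processes and items that appeared or disappeared between two logs."""
    report = {"processes_added": [], "processes_removed": [],
              "items_added": {}, "items_removed": {}}
    report["processes_added"], report["processes_removed"] = _delta(old.processes, new.processes)
    for code in sorted(set(old.items) | set(new.items)):
        added, removed = _delta(old.items.get(code, []), new.items.get(code, []))
        if added:
            report["items_added"][code] = added
        if removed:
            report["items_removed"][code] = removed
    return report


# Constructed, abridged excerpts of the two logs posted in this thread.
OLD_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 4:03:03 PM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - D:\PROGRA~1\HITWAR~1\sypcms.dll
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
END OF LOG
"""

NEW_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 12:54:52 PM, on 5/21/2004
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - D:\PROGRA~1\HITWAR~1\sypcms.dll
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
END OF LOG
"""

if __name__ == "__main__":
    for key, value in diff_hjt(parse_hjt(OLD_LOG), parse_hjt(NEW_LOG)).items():
        print(f"{key}: {value}")
```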

#12 Quinstar

  • Advanced Member
  • Retired Staff
  • 249 posts

Posted 22 May 2004 - 09:56 AM

Hi...


It's me again...

Download this zip PV.zip
Please unzip it to the desktop. It will not work if you run it from inside the zip.

After unzipped go to the desktop. Open the pv folder. Double click on the runme.bat

A DOS window will open. Please select option 1 for Explorer DLLs by typing 1 and then pressing Enter.

Notepad will open with a log in it. Please copy and paste the log into this post.


Now, open HiJackThis, click the Config button
Go to Misc tools at the top
Tick the 'add minor sections'
Now generate the startup log...

Post it in here too...


Good Luck...