Ihatemalware

VX2 keeps coming back after scans

7 posts in this topic

Hello,

 

I was doing a routine scan for malware/spyware, and the files VX2 updall2m[1].exe and dummy kept coming up in ad-aware after scanning/rebooting. Reg keys are also messed up. Please help. Thanks. If it helps, my HJT log is below.

 

Logfile of HijackThis v1.97.7

Scan saved at 1:50:08 AM, on 10/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE

C:\WINDOWS\System32\alqwfr.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\etapi32n.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Andy\My Documents\My Received Files\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucalgary.ca/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"

O4 - HKLM\..\Run: [ulqyafc] C:\WINDOWS\System32\alqwfr.exe

O4 - HKLM\..\Run: [etapi32n] C:\WINDOWS\System32\etapi32n.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Reboot.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com/hornms/MachineID.dll

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7828.8917824074

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


If you go to the AdAware site, http://www.lavasoft.de/, they are now offering a VX2 plugin for AdAware. Download and run it in accordance with the directions there. Also ensure that AdAware is fully updated.

 

Then post a fresh Hijack this log, as there are a couple of things that may need removal.


Hello,

 

I've updated and downloaded ad-aware's plug-in for VX2, scanned and re-scanned several times, but no success. Not only are there variants of VX2, but it picked up on Winpup32 and StopPop variants. Thanks.

 

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:09:37 AM, on 10/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE

C:\WINDOWS\System32\alqwfr.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Andy\My Documents\My Received Files\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucalgary.ca/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"

O4 - HKLM\..\Run: [ulqyafc] C:\WINDOWS\System32\alqwfr.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Reboot.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com/hornms/MachineID.dll

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7828.8917824074

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Not only are there variants of VX2, but it picked up on Winpup32 and StopPop variants.
It detected these things, but did it remove them?

 

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)

 

O4 - HKLM\..\Run: [ulqyafc] C:\WINDOWS\System32\alqwfr.exe

O4 - Startup: Reboot.exe

Reboot and delete the file C:\WINDOWS\System32\alqwfr.exe

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

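The helper's request for a fresh log after each fix is really a request for a diff: which O2/O4 entries survive "fix checked" plus a reboot, and which come back. The following is an added example, not HijackThis or Lavasoft code. It parses the entry prefixes (R0/R1, O2, O3, O4, O16 ...) of two HijackThis logs, reports the entries that disappeared or appeared between scans, and lists the O2 entries a reviewer looks at first: BHOs with no name, or with "(no file)" (the DLL is gone but its registration remains). The two excerpts are constructed from the first and last logs in this thread. The "(no name)" filter also catches the legitimate Adobe Acrobat helper, so treat that list as a triage pointer, not a verdict.

```python
"""Parse HijackThis v1.97 logs and diff their persistence entries.

Added example for this thread; not HijackThis or Lavasoft code. The two
log excerpts below are constructed, trimmed versions of the thread's first
(1:50 AM, 10/07/2004) and last (12:20 AM, 11/07/2004) logs.
"""
import re
from collections import defaultdict

# Every entry line starts with a section prefix such as R1, O2, O4, O16.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (processes, entries).

    processes: running image paths listed under "Running processes:".
    entries:   dict mapping prefix (e.g. "O4") -> set of entry bodies.
    """
    processes = []
    entries = defaultdict(set)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first entry line ends the process list
            entries[m.group("kind")].add(m.group("body"))
        elif in_procs:
            processes.append(line)
    return processes, dict(entries)


def diff_entries(before, after):
    """Entries removed (in before, not after) and added (in after, not before)."""
    kinds = set(before) | set(after)
    removed = {k: sorted(before.get(k, set()) - after.get(k, set())) for k in kinds}
    added = {k: sorted(after.get(k, set()) - before.get(k, set())) for k in kinds}
    return ({k: v for k, v in removed.items() if v},
            {k: v for k, v in added.items() if v})


def orphan_or_unnamed_bhos(entries):
    """O2 entries to examine first: unnamed BHOs, or registrations whose DLL is gone."""
    return sorted(b for b in entries.get("O2", ())
                  if "(no name)" in b or "(no file)" in b)


# Constructed excerpt of the thread's first log.
LOG_A = r"""
Logfile of HijackThis v1.97.7
Scan saved at 1:50:08 AM, on 10/07/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\alqwfr.exe
C:\WINDOWS\System32\etapi32n.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ulqyafc] C:\WINDOWS\System32\alqwfr.exe
O4 - HKLM\..\Run: [etapi32n] C:\WINDOWS\System32\etapi32n.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Reboot.exe
"""

# Constructed excerpt of the thread's last log, after the fixes and a reboot.
LOG_B = r"""
Logfile of HijackThis v1.97.7
Scan saved at 12:20:38 AM, on 11/07/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg SchedulerV2.exe
"""

if __name__ == "__main__":
    _, before = parse_hjt(LOG_A)
    _, after = parse_hjt(LOG_B)
    removed, added = diff_entries(before, after)
    for kind, items in sorted(removed.items()):
        for item in items:
            print("gone     ", kind, "-", item)
    for kind, items in sorted(added.items()):
        for item in items:
            print("new      ", kind, "-", item)
    for item in orphan_or_unnamed_bhos(after):
        print("review O2", item)
```

Run it on the full logs saved as text files and the "gone" list should show exactly the items the helper asked to fix (both mxTarget BHO entries, the ulqyafc Run entry, Reboot.exe) plus the etapi32n Run entry; anything under "new" after a reboot is what the thread calls "coming back" and deserves the next log.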

It quarantines them, but after rebooting and rescanning, it comes back. Here's a portion of my Adaware scan and my HJT log after. Thanks.

 

StopPop Object recognized!

Type : RegKey

Data :

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}

 

VX2 Object recognized!

Type : RegKey

Data :

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : mxtargetdll.mxtargetdllobj.1

 

VX2 Object recognized!

Type : RegKey

Data :

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}

 

VX2 Object recognized!

Type : RegKey

Data :

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : vx2.vx2obj

 

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 4

Objects found so far: 4

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

VX2 Object recognized!

Type : RegKey

Data :

Category : Data Miner

Comment :

Rootkey : HKEY_CURRENT_USER

Object : Software\MxTarget

 

VX2 Object recognized!

Type : File

Data : dummy.htm

Category : Data Miner

Comment :

Object : c:\docume~1\andy\locals~1\temp\

 

Created on : 11/07/2004 4:50:28 AM

Last accessed : 11/07/2004 6:17:26 AM

Last modified : 11/07/2004 4:50:28 AM

 

VX2 Object recognized!

Type : File

Data : polmx3.cab

Category : Data Miner

Comment :

Object : c:\docume~1\andy\locals~1\temp\

FileSize : 41 KB

Created on : 11/07/2004 5:27:08 AM

Last accessed : 11/07/2004 5:27:08 AM

Last modified : 11/07/2004 5:27:08 AM

 

VX2 Object recognized!

Type : File

Data : polmx3.exe

Category : Data Miner

Comment :

Object : c:\docume~1\andy\locals~1\temp\

FileSize : 37 KB

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

Copyright : callinghome.biz

CompanyName : callinghome.biz

FileDescription : Installation utility for www.callinghome.biz

InternalName : Calling Home

OriginalFilename : Caller.exe

ProductName : Calling Home

Created on : 11/07/2004 5:27:09 AM

Last accessed : 11/07/2004 5:27:09 AM

Last modified : 17/06/2004 7:14:12 PM

 

VX2 Object recognized!

Type : File

Data : polmx3.inf

Category : Data Miner

Comment :

Object : c:\docume~1\andy\locals~1\temp\

 

Created on : 11/07/2004 5:27:08 AM

Last accessed : 11/07/2004 5:27:09 AM

Last modified : 17/06/2004 7:15:44 PM

 

VX2 Object recognized!

Type : File

Data : polmx3.inf

Category : Data Miner

Comment :

Object : c:\windows\inf\

 

Created on : 11/07/2004 5:27:08 AM

Last accessed : 11/07/2004 5:27:30 AM

Last modified : 17/06/2004 7:15:44 PM

 

VX2 Object recognized!

Type : File

Data : polmx3.inf

Category : Data Miner

Comment :

Object : c:\windows\lastgood\inf\

 

Created on : 11/07/2004 5:27:30 AM

Last accessed : 11/07/2004 5:27:30 AM

Last modified : 11/07/2004 5:27:30 AM

 

VX2 Object recognized!

Type : File

Data : polmx3.pnf

Category : Data Miner

Comment :

Object : c:\windows\lastgood\inf\

 

Created on : 11/07/2004 5:27:30 AM

Last accessed : 11/07/2004 5:27:30 AM

Last modified : 11/07/2004 5:27:30 AM

 

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:20:38 AM, on 11/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Documents and Settings\Andy\My Documents\My Received Files\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucalgary.ca/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: PowerReg SchedulerV2.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com/hornms/MachineID.dll

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8178.3882175926

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


It looks as if AdAware has removed the "active" infection, and left behind some files.

 

Most of the items recognised seem to be in the c:\docume~1\andy\locals~1\temp\ folder.

Delete the entire contents of that folder.

 

Also disable system restore, and reboot, to remove any infected files in there. Restart system restore and set a clean restore point.

 

Despite the warnings from AdAware, you should then be good to go.

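The helper's conclusion (active infection gone, leftovers mostly in the temp folder) can be checked mechanically against the Ad-Aware output posted above. The following is an added example, not Lavasoft code: it parses the "<family> Object recognized!" paragraphs of an Ad-Aware 6 scan log into key/value records, summarises them by type, family and directory, and lists the file findings that a "delete the whole temp folder" clean-up would not reach. The sample scan text is a constructed excerpt of the output in this thread; the key names it recognises are the ones that appear in that output.

```python
"""Summarise Ad-Aware 6 "Object recognized!" findings by location.

Added example for this thread; not Lavasoft code. Each finding is a
paragraph opening with "<family> Object recognized!" followed by
"Key : Value" lines. Registry findings carry Rootkey and Object (the key),
file findings carry Data (the file name) and Object (its directory).
"""
import re
from collections import Counter

HEADER_RE = re.compile(r"^(?P<family>\S+) Object recognized!$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
# Only the keys seen in Ad-Aware output; "Registry scan result :" and the
# "Objects found so far" counters are therefore ignored, not misattached.
KNOWN_KEYS = {
    "Type", "Data", "Category", "Comment", "Rootkey", "Object", "FileSize",
    "FileVersion", "ProductVersion", "Copyright", "CompanyName",
    "FileDescription", "InternalName", "OriginalFilename", "ProductName",
    "Created on", "Last accessed", "Last modified",
}


def parse_adaware(text):
    """Return a list of dicts, one per finding, in scan order."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"family": m.group("family")}
            findings.append(current)
            continue
        kv = KV_RE.match(line)
        if current is None or not kv or kv.group(1) not in KNOWN_KEYS:
            continue
        current[kv.group(1)] = kv.group(2).strip()
    return findings


def summarise(findings):
    """Counts by object type, by malware family, by file directory and registry root."""
    return {
        "by_type": Counter(f.get("Type", "?") for f in findings),
        "by_family": Counter(f["family"] for f in findings),
        "file_dirs": Counter(f["Object"].lower() for f in findings
                             if f.get("Type") == "File"),
        "reg_roots": Counter(f.get("Rootkey", "?") for f in findings
                             if f.get("Type") == "RegKey"),
    }


def files_outside(findings, directory):
    """(directory, filename) of file findings not under `directory`: what a
    'delete everything in temp' clean-up leaves behind."""
    d = directory.lower()
    return sorted((f["Object"], f["Data"]) for f in findings
                  if f.get("Type") == "File" and not f["Object"].lower().startswith(d))


# Constructed excerpt of the scan output posted in this thread.
SAMPLE = r"""
StopPop Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}

VX2 Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : vx2.vx2obj

Registry scan result :
New objects : 2
Objects found so far: 2

Performing conditional scans..

VX2 Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\MxTarget

VX2 Object recognized!
Type : File
Data : dummy.htm
Category : Data Miner
Comment :
Object : c:\docume~1\andy\locals~1\temp\

Created on : 11/07/2004 4:50:28 AM

VX2 Object recognized!
Type : File
Data : polmx3.exe
Category : Data Miner
Comment :
Object : c:\docume~1\andy\locals~1\temp\
FileSize : 37 KB
CompanyName : callinghome.biz
OriginalFilename : Caller.exe

VX2 Object recognized!
Type : File
Data : polmx3.inf
Category : Data Miner
Comment :
Object : c:\windows\inf\

VX2 Object recognized!
Type : File
Data : polmx3.pnf
Category : Data Miner
Comment :
Object : c:\windows\lastgood\inf\
"""

if __name__ == "__main__":
    found = parse_adaware(SAMPLE)
    for name, counter in summarise(found).items():
        print(name, dict(counter))
    for directory, filename in files_outside(found, r"c:\docume~1\andy\locals~1\temp" + "\\"):
        print("not covered by temp clean-up:", directory + filename)
```

On the full log this reports the temp folder as the largest file location, which supports the advice to empty it, and it also surfaces the polmx3.inf/.pnf copies under c:\windows\inf\ and c:\windows\lastgood\inf\ that emptying temp alone does not remove.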

Hi,

I had the same problem being infected by VX2 with mxTarget.dll and I think I fixed it.

I got rid of the mxTarget.dll (at least so far, after many reboots, it has not come back!)

 

I found file xuzpba.exe to be the prime suspect.

 

The fix is not trivial. You have to kill files that are either being used by Windows or running as a process.

 

For my case, after painstaking struggle and a few unsuccessful tug-of-war back and forth using Ad-Aware and HijackThis to "fix" VX2 spyware with mxTarget.dll and its friends (an .ini and an .exe file), I concluded that it's useless. These tools remove bad stuff from the registry and file system only if they detect that that stuff is malicious. Some malware might disguise itself as a regular program and may not be detected. However, I'm not a Windows expert and this is only my assessment.

 

In the mxTarget.dll problem that keeps coming back on you, the dll file is just a helper. Removing the file and its entry from the registry is not enough. There's a malicious program that keeps putting those files back and creating its own ini file and perhaps changes the registry to suit its malprocess. So, it puts us in a tug-of-war between the tools and the malware program where we suffer.

 

I'm not sure that Ad-Watch actually reported xuzpba.exe trying to modify the registry. If it did, then I had overlooked its alert content. But it sure could not remove it.

Anyhow, none of the anti-spyware tools I use identifies that culprit program.

 

So, I decided to identify all the processes that are running in my system. I found one process that I could not identify. Guess what, that process name was xuzpba.exe.

 

I suggest that you try to identify this process using Google search (or other safe search engines). If you can identify that the process belongs to a non-spyware product, please let the Forum know. Then, it would start to get a bit strange and I would have to do further research.

 

Here's my suggestion which I can only say from my case (hopefully it applies to yours too):

1) We need to terminate the process by the name xuzpba.exe. Do the following:

1.1 Bring up Windows Task Manager (by right-clicking in the area of the Start menu bar and selecting Task Manager...).

1.2 (Note: Make sure your cursor is at the empty menu bar area and not on any process icon).

1.3 Click on Processes Tab.

1.4 From the processes list, find xuzpba.exe.

1.5 Click on the process xuzpba.exe to select it.

1.6 Click on bottom-right button that says End Process and end it.

1.7 Try to find the file with the same name xuzpba.exe in c:\windows\system32 (or c:\winnt\system32 for NT or 2000) or search for it from the C drive at the root directory.

1.8 Because you have terminated the process, Windows now allows you to do anything with the file.

1.9 I suggest that you change its name and move it out of system32 location to a system-safe place like a diskette. If you don't have a diskette at hand, you can also create a new directory with an unusual name (like johndoe) to put them - do not put it in temp. This is to make sure that you can get the file back should missing it cause any problem.

 

2) Now, we delete c:\windows\mxTarget.dll

2.1 You may be able to delete it now because you have defanged xuzpba.exe

2.2 However, if Windows still grabs it and wouldn't let you touch it, you'll have to do either of the following:

2.2.1 Use KillBox to delete the file

2.2.1.1 Download KillBox from http://download.broadbandmedic.com/ (I got this site from this forum. Check around to find other sites to download the file. The bottom line is that you download stuff only from reliable sites.)

2.2.1.2 Unzip KillBox archive and double-click to run KillBox.exe.

2.2.1.3 Give KillBox the full path with filename mxTarget.dll and click button Kill File and go through to delete it.

 

2.2.2 Second option is to boot in Safe Mode to delete a Windows loaded file. However, I didn't do it that way, so I'm not going to detail it.

 

I suggest you get KillBox and use it. It's a nice program, an awesome product, and it's free (bless the creator of this product). You should have this utility around.

 

After this, you should also delete thnall1t.exe (from C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\) and some other files that are VX2 spyware helper files. If you're not sure, just move them to a system-safe place like diskettes, or under a newly created directory with an unusual name.

 

Note: My system is NT-based, so, if the directory structure is not familiar to you, I apologize. You'll have to find the equivalent path on your system. When in doubt, do the search from as high a directory level as possible.

 

Now, reboot your system and check for mxTarget.dll and xuzpba.exe, hopefully, you'll not find them again.

 

I cannot guarantee that after going through this I had really fixed the VX2 problem on my computer because you can't really be sure. It's just so far, so good. Hey, it's a jungle out there.

 

Please give it a try and correct me, if you find something does not apply to your case or something not right.

 

Good Luck and let me know how it goes.

 

peacenik
