VX2 keeps coming back after scans


6 replies to this topic

#1 Ihatemalware

Posted 10 July 2004 - 02:56 AM

Hello,

I was doing a routine scan for malware/spyware, and the files VX2 updall2m[1].exe and dummy kept coming up in Ad-aware after scanning/rebooting. Reg keys are also messed up. Please help. Thanks. If it helps, my HJT log is below.

Logfile of HijackThis v1.97.7
Scan saved at 1:50:08 AM, on 10/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\WINDOWS\System32\alqwfr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\etapi32n.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Andy\My Documents\My Received Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucalgary.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [ulqyafc] C:\WINDOWS\System32\alqwfr.exe
O4 - HKLM\..\Run: [etapi32n] C:\WINDOWS\System32\etapi32n.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Reboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com...s/MachineID.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7828.8917824074
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#2 dave38

Posted 10 July 2004 - 05:06 AM

If you go to the AdAware site, http://www.lavasoft.de/, they are now offering a VX2 plugin for AdAware. Download and run it in accordance with the directions there. Also ensure that AdAware is fully updated.

Then post a fresh HijackThis log, as there are a couple of things that may need removal.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 Ihatemalware

Posted 10 July 2004 - 11:13 AM

Hello,

I've updated and downloaded Ad-aware's plug-in for VX2, scanned and re-scanned several times, but no success. Not only are there variants of VX2, but it picked up on Winpup32 and StopPop variants. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 10:09:37 AM, on 10/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\WINDOWS\System32\alqwfr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andy\My Documents\My Received Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucalgary.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [ulqyafc] C:\WINDOWS\System32\alqwfr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Reboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com...s/MachineID.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7828.8917824074
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#4 dave38

Posted 10 July 2004 - 01:36 PM

Not only are there variants of VX2, but it picked up on Winpup32 and StopPop variants.

It detected these things, but did it remove them?


Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)

O4 - HKLM\..\Run: [ulqyafc] C:\WINDOWS\System32\alqwfr.exe
O4 - Startup: Reboot.exe

Reboot and delete the file C:\WINDOWS\System32\alqwfr.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a follow-up HijackThis log, and say if your problems persist.

#5 Ihatemalware

Posted 11 July 2004 - 01:28 AM

It quarantines them, but after rebooting and rescanning, it comes back. Here's a portion of my Ad-aware scan and my HJT log after. Thanks.

StopPop Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}

VX2 Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : mxtargetdll.mxtargetdllobj.1

VX2 Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}

VX2 Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : vx2.vx2obj

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 4
Objects found so far: 4

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2 Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\MxTarget

VX2 Object recognized!
Type : File
Data : dummy.htm
Category : Data Miner
Comment :
Object : c:\docume~1\andy\locals~1\temp\

Created on : 11/07/2004 4:50:28 AM
Last accessed : 11/07/2004 6:17:26 AM
Last modified : 11/07/2004 4:50:28 AM

VX2 Object recognized!
Type : File
Data : polmx3.cab
Category : Data Miner
Comment :
Object : c:\docume~1\andy\locals~1\temp\
FileSize : 41 KB
Created on : 11/07/2004 5:27:08 AM
Last accessed : 11/07/2004 5:27:08 AM
Last modified : 11/07/2004 5:27:08 AM

VX2 Object recognized!
Type : File
Data : polmx3.exe
Category : Data Miner
Comment :
Object : c:\docume~1\andy\locals~1\temp\
FileSize : 37 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : callinghome.biz
CompanyName : callinghome.biz
FileDescription : Installation utility for www.callinghome.biz
InternalName : Calling Home
OriginalFilename : Caller.exe
ProductName : Calling Home
Created on : 11/07/2004 5:27:09 AM
Last accessed : 11/07/2004 5:27:09 AM
Last modified : 17/06/2004 7:14:12 PM

VX2 Object recognized!
Type : File
Data : polmx3.inf
Category : Data Miner
Comment :
Object : c:\docume~1\andy\locals~1\temp\

Created on : 11/07/2004 5:27:08 AM
Last accessed : 11/07/2004 5:27:09 AM
Last modified : 17/06/2004 7:15:44 PM

VX2 Object recognized!
Type : File
Data : polmx3.inf
Category : Data Miner
Comment :
Object : c:\windows\inf\

Created on : 11/07/2004 5:27:08 AM
Last accessed : 11/07/2004 5:27:30 AM
Last modified : 17/06/2004 7:15:44 PM

VX2 Object recognized!
Type : File
Data : polmx3.inf
Category : Data Miner
Comment :
Object : c:\windows\lastgood\inf\

Created on : 11/07/2004 5:27:30 AM
Last accessed : 11/07/2004 5:27:30 AM
Last modified : 11/07/2004 5:27:30 AM

VX2 Object recognized!
Type : File
Data : polmx3.pnf
Category : Data Miner
Comment :
Object : c:\windows\lastgood\inf\

Created on : 11/07/2004 5:27:30 AM
Last accessed : 11/07/2004 5:27:30 AM
Last modified : 11/07/2004 5:27:30 AM

Logfile of HijackThis v1.97.7
Scan saved at 12:20:38 AM, on 11/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Andy\My Documents\My Received Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucalgary.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com...s/MachineID.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8178.3882175926
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#6 dave38

Posted 11 July 2004 - 07:04 AM

It looks as if AdAware has removed the "active" infection, and left behind some files.

Most of the items recognised seem to be in the c:\docume~1\andy\locals~1\temp\ folder.
Delete the entire contents of that folder.

Also disable system restore, and reboot, to remove any infected files in there. Restart system restore and set a clean restore point.

Despite the warnings from AdAware, you should then be good to go.
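A small triage script, added here as an illustration and not part of this thread, of HijackThis or of Ad-aware, that applies dave38's reading of the logs above mechanically: it parses HijackThis entry lines, flags the patterns he told the poster to fix (an orphaned BHO, an unnamed BHO loading from the Windows root, autostarts living directly in System32 that are not on a known-good list) and diffs the first log against the last to show what the fix and Ad-aware removed. The log excerpts are taken from the logs in this thread; the known-good set is a constructed stand-in for the reference database an analyst would consult.

```python
import re
from collections import namedtuple

# Excerpts of the first and the last HijackThis log posted above, trimmed to the
# lines that matter for the triage (the full logs are in the thread).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19
O4 - HKLM\..\Run: [ulqyafc] C:\WINDOWS\System32\alqwfr.exe
O4 - HKLM\..\Run: [etapi32n] C:\WINDOWS\System32\etapi32n.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Reboot.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7828.8917824074
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8178.3882175926
"""

Entry = namedtuple("Entry", "section line")
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - ")
# An executable sitting directly in System32 (a subfolder such as spool\... does not match).
SYS32_EXE_RE = re.compile(r"[a-z]:\\windows\\system32\\([^\\\s]+\.exe)", re.I)
# Autostarts known to belong directly in System32 on this box: a constructed stand-in
# for the reference database an HJT analyst would check each unfamiliar name against.
KNOWN_SYSTEM32 = {"ctfmon.exe", "nerocheck.exe"}

def parse_hjt(text):
    """Keep only the R*/O* entry lines; the header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), line.strip()))
    return out

def triage(entries):
    """Return (entry, reason) pairs for the patterns dave38 picked out of the log."""
    findings = []
    for e in entries:
        if e.section == "O2":
            if e.line.endswith("(no file)"):
                findings.append((e, "orphaned BHO registration; its file is already gone"))
            elif "(no name)" in e.line and re.search(r"- [a-z]:\\windows\\[^\\]+$", e.line, re.I):
                findings.append((e, "unnamed BHO loading from the Windows root, not Program Files"))
        elif e.section == "O4":
            m = SYS32_EXE_RE.search(e.line)
            if m and m.group(1).lower() not in KNOWN_SYSTEM32:
                findings.append((e, f"unrecognised autostart {m.group(1)} directly in System32"))
    return findings

def diff_logs(before, after):
    """Entries that vanished and entries that appeared between two scans (sorted)."""
    b, a = set(before), set(after)
    return sorted(e.line for e in b - a), sorted(e.line for e in a - b)

def report(before_text, after_text):
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    gone, new = diff_logs(before, after)
    return {"flagged": [f"{e.line}  <- {why}" for e, why in triage(before)],
            "gone": gone, "new": new,
            "still_flagged": [e.line for e, _ in triage(after)]}

if __name__ == "__main__":
    for key, lines in report(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}:")
        for line in lines:
            print("   ", line)
```

The O16 Update Class entry shows up in both "gone" and "new" only because its URL differs between the two scans; a diff reports churn as well as removals, so each line still needs a human reading.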

#7 peacenik

Posted 12 July 2004 - 10:54 AM

Hi,
I had the same problem being infected by VX2 with mxTarget.dll and I think I fixed it.
I got rid of the mxTarget.dll (at least so far, after many reboots, it has not come back!)

I found file xuzpba.exe to be the prime suspect.

The fix is not trivial. You have to kill files that are either being used by Windows or running as a process.

For my case, after a painstaking struggle and a few unsuccessful tug-of-wars back and forth using Ad-Aware and HijackThis to "fix" VX2 spyware with mxTarget.dll and its friends (an .ini and an .exe file), I concluded that it's useless. These tools remove bad stuff from the registry and file system only if they detect that that stuff is malicious. Some malware might disguise itself as a regular program and may not be detected. However, I'm not a Windows expert and this is only my assessment.

In the mxTarget.dll problem that keeps coming back on you, the DLL file is just a helper. Removing the file and its entry from the registry is not enough. There's a malicious program that keeps putting those files back, creating its own ini file and perhaps changing the registry to suit its malprocess. So, it puts us in a tug-of-war between the tools and the malware program where we suffer.

I'm not sure that Ad-Watch actually reported xuzpba.exe trying to modify the registry. If it did, then I had overlooked its alert content. But it sure could not remove it.
Anyhow, none of the anti-spyware tools I use identifies that culprit program.

So, I decided to identify all the processes that are running in my system. I found one process that I could not identify. Guess what, that process name was xuzpba.exe.

I suggest that you try to identify this process using Google search (or other safe search engines). If you can identify that the process belongs to a non-spyware product, please let the Forum know. Then, it would start to get a bit strange and I would have to do further research.

Here's my suggestion which I can only say from my case (hopefully it applies to yours too):
1) We need to terminate process by the name xuzpba.exe. Do the following:
1.1 Bring up Windows Task Manager (by right-clicking in the area of the Start menu bar and selecting Task Manager...).
1.2 (Note: Make sure your cursor is at the empty menu bar area and not on any process icon).
1.3 Click on Processes Tab.
1.4 From the processes list, find xuzpba.exe.
1.5 Click on the process xuzpba.exe to select it.
1.6 Click on bottom-right button that says End Process and end it.
1.7 Try to find the file with the same name xuzpba.exe in c:\windows\system32 (or c:\winnt\system32 for NT or 2000) or search for it from the C drive at the root directory.
1.8 Because you have terminated the process, Windows now allows you to do anything with the file.
1.9 I suggest that you change its name and move it out of system32 location to a system-safe place like a diskette. If you don't have a diskette at hand, you can also create a new directory with an unusual name (like johndoe) to put them - do not put it in temp. This is to make sure that you can get the file back should missing it cause any problem.

2) Now, we delete c:\windows\mxTarget.dll
2.1 You may be able to delete it now because you have defanged xuzpba.exe
2.2 However, if Windows still grabs it and wouldn't let you touch it, you'll have to do either of the following:
2.2.1 Use KillBox to delete the file
2.2.1.1 Download KillBox from http://download.broadbandmedic.com/ (I got this site from this forum. Check around to find other sites to download the file. The bottom line is that you download stuff only from reliable sites.)
2.2.1.2 Unzip KillBox archive and double-click to run KillBox.exe.
2.2.1.3 Give KillBox the full path with filename mxTarget.dll and click button Kill File and go through to delete it.

2.2.2 Second option is to boot in Safe Mode to delete a Windows loaded file. However, I didn't do it that way, so I'm not going to detail it.

I suggest get KillBox and use it. It's a nice program, awesome product and it's free (Bless the creator of this product.) You should have this utility around.

After this, you should also delete thnall1t.exe (from C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\) and some other files that are VX2 spyware helper files. If you're not sure, just move them to a system-safe place like diskettes, or under a newly created directory with an unusual name.

Note: My system is NT-based, so, if the directory structure is not familiar to you, I apologize. You'll have to find the equivalent path on your system. When in doubt, do the search from as high a directory level as possible.

Now, reboot your system and check for mxTarget.dll and xuzpba.exe; hopefully, you'll not find them again.

I cannot guarantee that after going through this I had really fixed the VX2 problem on my computer because you can't really be sure. It's just so far, so good. Hey, it's a jungle out there.

Please give it a try and correct me, if you find something does not apply to your case or something not right.

Good Luck and let me know how it goes.

peacenik
