Tech Support Guy forum thread (closed; not open for further replies)

IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.

Post #1 (discussion starter; registered member, 2 posts):
I saw a posting with the above title in which a user was having problems with VX2/CoolWebSearch malware. I, too, like Makehaven, tried Ad-Aware with the VX2 add-on, Spy Sweeper, Spybot Search & Destroy and SpySubtract. I ran all my scans in Safe Mode. I still seem to have 3 instances of this malware around. I receive the same "...being used by another person or program" message when I try to delete the DLL. I tried to use msconfig in Diag mode to see whether the malware was resident in memory, to no avail. I downloaded and ran Find-It NT-2K-XP. So here is the log file from that:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\temp\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 84C4-E033

Directory of C:\WINDOWS\System32

01/19/2005 12:16 PM 222,471 guard.tmp
01/19/2005 12:15 PM 223,963 p2r4lc9q1f.dll
01/19/2005 10:32 AM 226,159 mti.dll
01/19/2005 09:30 AM 226,159 xzbas10.DLL
01/19/2005 08:21 AM dllcache
01/19/2005 08:18 AM 512 NuzK63G.h8p
01/19/2005 08:17 AM 226,159 mzd32.dll
01/19/2005 06:44 AM 226,159 uyrsvpia.dll
01/12/2005 08:11 PM 226,159 kndgr1.dll
01/03/2005 06:24 PM 224,991 gppsl3771.dll
12/31/2004 12:54 PM 226,159 cBbinet.dll
12/30/2004 01:09 PM 224,991 mgrle32.dll
12/29/2004 06:07 PM 224,991 ccdial32.dll
12/29/2004 06:05 PM 225,716 sjtupdll.dll
12/29/2004 04:47 PM 224,991 mmw3prt.dll
12/28/2004 08:46 PM 222,758 snlogcfg.dll
12/28/2004 08:33 PM 225,964 ufrcntra.dll
12/28/2004 08:29 PM 225,964 gxodmUS.dll
12/28/2004 08:16 PM 225,964 dscompos.dll
12/28/2004 07:59 PM 225,964 mrd32.dll
12/28/2004 07:58 PM 224,958 h60q0gd5e60.dll
12/28/2004 07:55 PM 224,958 utiplat.dll
12/26/2004 03:50 PM 225,964 eoqng.dll
12/22/2004 07:56 PM 224,958 amycfilt.dll
12/22/2004 07:48 PM 225,964 rPsmxs.dll
12/21/2004 07:17 PM 9,895 appnt32.exe
12/21/2004 07:05 PM 224,958 hzp95en.dll
12/18/2004 10:38 PM 11,296 ipoe32.exe
12/11/2004 06:44 AM 56,320 ejqng.dll
12/03/2004 05:45 AM 55,808 wadjs.dll
12/02/2004 02:02 PM 254,043 ThpSK119.exe
12/02/2004 02:02 PM 254,043 MioL9W3.exe
12/02/2004 02:02 PM 499,803 Wprx.exe
12/02/2004 02:02 PM 499,803 Oval63H.exe
12/02/2004 02:02 PM 499,803 Enl7v1Va.exe
11/22/2004 09:21 PM 10,892 iexq.exe
11/22/2004 01:12 PM 10,754 syswn.exe
11/22/2004 08:32 AM 11,575 crdp32.exe
11/09/2004 05:41 PM 56,320 pwisg.dll
11/06/2003 07:51 AM Microsoft
38 File(s) 7,638,309 bytes
2 Dir(s) 15,601,913,856 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 84C4-E033

Directory of C:\WINDOWS\System32

01/19/2005 08:21 AM dllcache
01/19/2005 08:18 AM 512 NuzK63G.h8p
12/21/2004 07:17 PM 9,895 appnt32.exe
12/18/2004 10:38 PM 11,296 ipoe32.exe
12/11/2004 06:44 AM 56,320 ejqng.dll
12/03/2004 05:45 AM 55,808 wadjs.dll
12/02/2004 02:02 PM 254,043 ThpSK119.exe
12/02/2004 02:02 PM 254,043 MioL9W3.exe
12/02/2004 02:02 PM 499,803 Wprx.exe
12/02/2004 02:02 PM 499,803 Oval63H.exe
12/02/2004 02:02 PM 499,803 Enl7v1Va.exe
11/22/2004 09:21 PM 10,892 iexq.exe
11/22/2004 01:12 PM 10,754 syswn.exe
11/22/2004 08:32 AM 11,575 crdp32.exe
11/09/2004 05:41 PM 56,320 pwisg.dll
11/05/2003 09:02 AM 488 logonui.exe.manifest
11/05/2003 09:02 AM 488 WindowsLogon.manifest
11/05/2003 09:02 AM 749 nwc.cpl.manifest
11/05/2003 09:02 AM 749 cdplayer.exe.manifest
11/05/2003 09:02 AM 749 sapi.cpl.manifest
11/05/2003 09:02 AM 749 wuaucpl.cpl.manifest
11/05/2003 09:02 AM 749 ncpa.cpl.manifest
21 File(s) 2,235,588 bytes
1 Dir(s) 15,601,909,760 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 84C4-E033

Directory of C:\WINDOWS\System32

01/19/2005 12:16 PM 222,471 guard.tmp
1 File(s) 222,471 bytes
0 Dir(s) 15,601,909,760 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 84C4-E033

Directory of C:\WINDOWS\System32

01/19/2005 12:16 PM 222,471 guard.tmp
12/13/2004 07:54 PM 45 spm1316.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 225,093 bytes
0 Dir(s) 15,601,905,664 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EC424254-24A2-48F4-BAF0-15E6E36647AF}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Fonts]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irlol5331.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Unlock"="WLEventUnlock"
"Lock"="WLEventLock"
"Startup"="WLEventStartup"
"DllName"="PCANotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\gggqpi.dll: updates.qoologic.com
C:\WINDOWS\system32\pppaqx.exe: updates.qoologic.com
C:\WINDOWS\system32\zzznas.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\qqqkvg.dat: .aspack
C:\WINDOWS\system32\yyygkq.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yyyinf.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"Narrator"="C:\\WINDOWS\\System32\\yyygkq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Any help would be greatly appreciated.
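The Find-It log above carries two signals worth pulling out mechanically. The System32 listing contains many randomly named DLLs of identical byte size dropped minutes apart (226,159 bytes six times, 225,964 six times, 224,991 and 224,958 four times each), which is the fingerprint of a dropper re-copying itself under fresh names. The Winlogon\Notify export has a subkey named Fonts whose DllName is an absolute path, C:\WINDOWS\system32\irlol5331.dll, while every stock package in that key uses a bare filename. A notification package is loaded into winlogon.exe at boot, Safe Mode included, which is why the DLL reports itself as in use when deleted and why msconfig, whose Startup tab covers only the Run keys and startup folders, never shows it. The Python script below is an added example, not code from the original post or from the Find-It tool; it parses a constructed excerpt of the posted log (embedded inline), clusters the listing by size, decodes the REGEDIT4 hex(2) values, and audits the Notify subkeys. The allowlist of stock XP notification packages is assumed from memory and should be compared against a clean install of the same service pack before it is trusted.

```python
"""Triage a Find-It NT-2K-XP log: cluster System32 files by byte size and audit
Winlogon\\Notify packages. Added example; not part of the original post."""
import re
from collections import defaultdict

# Assumed stock Winlogon notification packages on Windows XP (allowlist from
# memory; verify against a clean XP install of the same service pack).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed excerpt in the shape of the posted log (dir listing + REGEDIT4).
SAMPLE_LOG = r"""
------- System Files in System32 Directory -------
Directory of C:\WINDOWS\System32

01/19/2005 12:16 PM 222,471 guard.tmp
01/19/2005 10:32 AM 226,159 mti.dll
01/19/2005 09:30 AM 226,159 xzbas10.DLL
01/19/2005 08:21 AM dllcache
01/19/2005 08:17 AM 226,159 mzd32.dll
01/03/2005 06:24 PM 224,991 gppsl3771.dll
12/30/2004 01:09 PM 224,991 mgrle32.dll
12/21/2004 07:17 PM 9,895 appnt32.exe
38 File(s) 7,638,309 bytes

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Fonts]
"DllName"="C:\\WINDOWS\\system32\\irlol5331.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"
"""

DIR_LINE = re.compile(r"^(\d\d/\d\d/\d{4}) (\d\d:\d\d [AP]M) ([\d,]+) (\S.*)$")
KEY_LINE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
VAL_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_reg_value(raw):
    """Turn a REGEDIT4 value literal into a str (quoted strings and hex(2) only)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\(2\):([0-9a-f,]*)$", raw, re.I)
    if m:  # REG_EXPAND_SZ in an ANSI export: comma-separated bytes, NUL-terminated
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return raw  # dword: and anything else is left as written


def parse_findit(text):
    """Return ([(name, size, date)], {notify_subkey: {value_name: value}})."""
    files, notify, current = [], {}, None
    # Regedit wraps long hex values with a trailing backslash; rejoin those lines.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        m = DIR_LINE.match(line)
        if m:  # directories have no size column and are skipped on purpose
            files.append((m.group(4), int(m.group(3).replace(",", "")), m.group(1)))
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            notify[current] = {}
            continue
        if line.startswith("["):
            current = None  # some other key; stop attributing values
            continue
        m = VAL_LINE.match(line)
        if m and current is not None:
            notify[current][m.group(1).lower()] = decode_reg_value(m.group(2))
    return files, notify


def size_clusters(files, min_count=2):
    """Group filenames by exact byte size; same size, different random names
    is the tell for a dropper re-copying one payload."""
    by_size = defaultdict(list)
    for name, size, _date in files:
        by_size[size].append(name)
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_count}


def audit_notify(notify):
    """Flag Notify packages that are not stock XP or that name a full path."""
    findings = []
    for subkey, values in notify.items():
        dll = values.get("dllname", "")
        reasons = []
        if subkey.lower() not in STOCK_NOTIFY:
            reasons.append("not a stock XP notification package")
        if "\\" in dll or ":" in dll:
            reasons.append("DllName is a full path; stock entries use a bare filename")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    files, notify = parse_findit(SAMPLE_LOG)
    for size, names in sorted(size_clusters(files).items()):
        print(f"{size:>9} bytes: {', '.join(names)}")
    for subkey, dll, reasons in audit_notify(notify):
        print(f"Notify\\{subkey} -> {dll}: {'; '.join(reasons)}")
```

On the excerpt this reports the 226,159 and 224,991 clusters and flags Fonts on both rules; igfxcui is flagged only as non-stock, which is the expected result for the Intel graphics driver's package and is the kind of hit a reviewer clears by checking the vendor rather than deleting.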
 

Post #3 (discussion starter, same poster):
Logfile of HijackThis v1.99.0
Scan saved at 2:41:43 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\yyygkq.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Documents and Settings\Administrator\Application Data\csps.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ipvon32.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\temp\Hijackthis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ECDB01F4-FF73-F26C-DD86-4D5A54623E8F} - C:\WINDOWS\system32\ippw32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [javaha.exe] C:\WINDOWS\system32\javaha.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [Trtw] C:\Documents and Settings\Administrator\Application Data\csps.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [g023Rga8V] ipvon32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\iept.exe (file missing)
 