Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Need help with vx2 removal

khurley
Junior Member


Joined: 22 Mar 2005
Last Visit: 19 May 2008
Posts: 15

PostPosted: Tue Mar 22, 2005 1:28 pm    Post subject: Need help with vx2 removal

I am trying to fix a computer that, I believe, is infected with some form of the VX2 infection. Random popups, without user action, are occurring without a browser even being open. I have updated and run SPYBOT and ADAWARE. I have fixed any issues that have been found and have taken care of others with HiJack that I know are bad. ADAWARE still reports VX2 problems with the hosts file and the hosts still show on the HiJack log. I have exhausted all my know-how and need help. HiJack log follows:

Thanks, Keith

Logfile of HijackThis v1.99.1
Scan saved at 3:30:02 PM, on 03/22/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SILICON PRAIRIE SOFTWARE\MEMTURBO\MEMTURBO.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ngpc.state.ne.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ngpc.state.ne.us
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ngpc.state.ne.us
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = ngpc.state.ne.us,doc.state.ne.us
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.15.58.2,10.15.58.26,164.119.1.1
khurley
Junior Member


Joined: 22 Mar 2005
Last Visit: 19 May 2008
Posts: 15

PostPosted: Wed Mar 23, 2005 10:21 am

Here's a FindIt log as well:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 08A2-2ED1
Directory of C:\WINDOWS\SYSTEM

WGBCHECK DLL 227,104 03-17-05 1:51p WGBCHECK.DLL
RLR20 DLL 227,104 03-17-05 1:51p RLR20.DLL
DRDREF8 DLL 227,104 03-17-05 1:51p dRdref8.dll
DFDRG16F DLL 227,104 03-17-05 1:51p DFDRG16F.DLL
NGTAPI32 DLL 227,104 03-17-05 1:51p NGTAPI32.DLL
JSAW400 DLL 227,104 03-17-05 1:51p jsaw400.dll
6 file(s) 1,362,624 bytes
0 dir(s) 34,970.44 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 08A2-2ED1
Directory of C:\WINDOWS\SYSTEM

VMSS <DIR> 03-17-05 2:32p vmss
WSXSVC <DIR> 03-17-05 2:31p wsxsvc
JETERR35 GID 10,820 01-02-03 11:08a jeterr35.GID
DESKTOP INI 266 05-20-99 8:58a desktop.ini
FOLDER HTT 13,122 05-20-99 8:58a folder.htt
3 file(s) 24,208 bytes
2 dir(s) 34,970.41 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{667DCBAE-DC9E-2C81-32ED-3ADFF113DA1D}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wgbcheck.dll Thu Mar 17 2005 1:51:46p ..S.R 227,104 221.78 K
rlr20.dll Thu Mar 17 2005 1:51:46p ..S.R 227,104 221.78 K
drdref8.dll Thu Mar 17 2005 1:51:46p ..S.R 227,104 221.78 K
dfdrg16f.dll Thu Mar 17 2005 1:51:46p ..S.R 227,104 221.78 K
ngtapi32.dll Thu Mar 17 2005 1:51:46p ..S.R 227,104 221.78 K
jsaw400.dll Thu Mar 17 2005 1:51:46p ..S.R 227,104 221.78 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,362,624 bytes 1.30 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hggtgn.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla
.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiPTA"="Atiptaxx.exe"
"EnsoniqMixer"="starter.exe"
"AdaptecDirectCD"="\"c:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"CreateCD50"="\"c:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="c:\\PROGRA~1\\SYMANT~1\\VPTRAY.EXE"
"CriticalUpdate"="c:\\windows\\SYSTEM\\wucrtupd.exe -startup"
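As an added example (not part of Keith's logs or of the FindIt tool), a short Python script that applies the heuristic a helper reads off the FindIt listing above by eye: several differently named DLLs in C:\WINDOWS\SYSTEM that share one exact byte size and one write timestamp. It assumes the Win98 `dir` line layout shown in the log and uses constructed sample lines copied from it.

```python
import re
from collections import defaultdict

# One Win98 "dir" line as FindIt prints it: 8.3 name, extension, size with
# thousands separators, date, time, long name.
DIR_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+([\d,]+)\s+(\d\d-\d\d-\d\d)\s+(\d{1,2}:\d\d[ap])\s+(\S+)$"
)

# Constructed sample: the six DLLs from the FindIt log above plus two ordinary
# files from the same log, so that unrelated files are seen to pass.
FINDIT_LISTING = """\
Directory of C:\\WINDOWS\\SYSTEM

WGBCHECK DLL 227,104 03-17-05 1:51p WGBCHECK.DLL
RLR20 DLL 227,104 03-17-05 1:51p RLR20.DLL
DRDREF8 DLL 227,104 03-17-05 1:51p dRdref8.dll
DFDRG16F DLL 227,104 03-17-05 1:51p DFDRG16F.DLL
NGTAPI32 DLL 227,104 03-17-05 1:51p NGTAPI32.DLL
JSAW400 DLL 227,104 03-17-05 1:51p jsaw400.dll
JETERR35 GID 10,820 01-02-03 11:08a jeterr35.GID
DESKTOP INI 266 05-20-99 8:58a desktop.ini
8 file(s) 1,373,710 bytes
"""

def parse_listing(text):
    """One dict per file line; headers, <DIR> rows and totals do not match."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            entries.append({"name": m.group(6),
                            "size": int(m.group(3).replace(",", "")),
                            "stamp": f"{m.group(4)} {m.group(5)}"})
    return entries

def find_clusters(entries, min_members=3):
    """Group by (size, timestamp); keep groups of min_members or more files.
    Identical size and minute across differently named files is the pattern the
    helper reads off the FindIt log; ordinary installers can leave it too, so a
    hit is a lead for the manual review described in the thread, not proof."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["stamp"])].append(e["name"])
    return {k: sorted(v, key=str.lower) for k, v in groups.items()
            if len(v) >= min_members}

if __name__ == "__main__":
    for (size, stamp), names in find_clusters(parse_listing(FINDIT_LISTING)).items():
        print(f"{len(names)} files, {size:,} bytes each, written {stamp}:", ", ".join(names))
```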
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario

PostPosted: Wed Mar 23, 2005 9:03 pm

Hi and welcome

vx2 on 98 is hard to find/remove. It has since been updated again and the old find_it will not find all files yet.

I would like to try an online scanner to show 'em all to me.

Go here: (works only for IE)

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

When scanner is loaded...click "scan whole computer"
When scan starts....Leave scanner window open....
Disconnect from internet <--Important or scanner crashes!!
If on cable....just pull the cat-5 cable from back of machine (looks like fat phone plug)
Shut off Norton antivirus so no conflict
Leave the scanner running till it's done.

Once scan is done....keep it open...
Turn Norton back on
Reconnect internet.
Close that tiny ad in centre screen
In main scanner window click "see report"
Then click "save report"

Save the report somewhere you will find it. (activescan.txt)

Copy and paste results back here.

Do not reboot after posting report or file names change!!!

If you figure you will be rebooting wait till you have the time to leave machine running before running scan and posting results.

Once log is posted...pm me with link to this thread.

Thanks.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
khurley
Junior Member


Joined: 22 Mar 2005
Last Visit: 19 May 2008
Posts: 15

PostPosted: Thu Mar 24, 2005 9:36 am

You just missed me by an hour or so! I actually spent a day reviewing some of your other VX2/Win98 threads and was able to figure out what to do. I THINK it's clean at the moment and we haven't had any other pop-ups since. Guess we were lucky enough to not get the most recent one. Next time I'm at the other computer (different office building), I'll run the panda scan and post it just to be sure and I'll PM you so you can see the results.

Thanks for all your work. Without you helping others and providing access to the threads about it I'd never have been able to fix this one. Thanks. I really appreciate your help.

Keith
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 03 Mar 2011
Posts: 10886
Location: Ontario

PostPosted: Thu Mar 24, 2005 10:54 am

Hi

Sounds like you likely got it....there will be some registry stuff to look for and clean up as well.
We'll see what Panda has to say then we'll look for reg items.

Does the recycle bin work right?...when deleting files...they go to bin or just get deleted?
Have a look in the C:\windows folder too for a folder called bundles.
If found....delete the sucker as it is chock full of trojan/spyware/gackware installers. Not everyone gets that gift but it is common.

I'll check back later on panda log.

Thanks.

ps...yes...go ahead and pm me when ya post it.
Can make sure it's jumped on right away if I'm on.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You