
vx2 here ?

Status
Not open for further replies.

iceb

Technical User
Jan 13, 2002
64
DK
Hi


I have a redirection of all my active browsers (in my hosts file) and pop-up windows too on random sites and times.

What is going on? How do I remove it?

I have Windows XP Home. ed........


Here is my log:

Logfile of HijackThis v1.99.0
Scan saved at 13:56:59, on 09-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
E:\Programmer\Winamp\winampa.exe
E:\Programmer\TrojanHunter 4.0\THGuard.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Programmer\MSN Messenger\MsnMsgr.Exe
E:\Programmer\Meaya\Popup Ad Filter\PopFilter.exe
E:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
E:\PROGRA~1\ICQ\ICQ.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\rundll32.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Documents and Settings\ice\Skrivebord\antibug\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = internet explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cybercity.dk:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "kontakt.ofir.dk"); (E:\Documents and Settings\ice\Application Data\Mozilla\Profiles\default\z4xr3x5m.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgrammer%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (E:\Documents and Settings\ice\Application Data\Mozilla\Profiles\default\z4xr3x5m.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] E:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Popup Ad Filter] E:\Programmer\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [SpySweeper] "E:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TeaTimer.exe.lnk = E:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) -
O23 - Service: Sony SPTI Service - Sony Corporation - E:\PROGRA~1\FLLESF~1\SONYSH~1\AVLib\Sptisrv.exe



Best Regards
iceb
 
Disable system restore.

Using Hijack This!, remove these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = internet explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cybercity.dk:8080

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [Mirabilis ICQ] E:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKCU\..\Run: [Popup Ad Filter] E:\Programmer\Meaya\Popup Ad Filter\PopFilter.exe

O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) -
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) -

Reboot.

Get rid of this: E:\PROGRA~1\ICQ\ICQ.exe

Disable Windows Messenger Service via the instructions found here:


Tired of waiting for an answer? Try asking better questions. See: faq222-2244
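The reply above points at two kinds of log lines: O1 hosts-file entries that send well-known search hostnames to one outside IP, and an R1 ProxyServer value. As an added illustration (not code from the thread, from HijackThis, or from either poster), here is a small Python triage script for those line types. The sample log is a constructed excerpt built from the entries quoted in this thread; the function names are mine. A proxy entry can be legitimate (an ISP's or an employer's), so the script reports it for confirmation rather than declaring it malicious, while a single non-loopback IP that collects several hostnames is reported as the redirection pattern the original poster describes.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt modelled on the HijackThis log posted in this thread.
# The IP, hostnames and proxy value are the ones quoted there; the localhost
# and O4 lines are added so the parser has benign lines to ignore.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = proxy.cybercity.dk:8080
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [WinampAgent] E:\\Programmer\\Winamp\\winampa.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)")


def _is_local(ip_text):
    """True for loopback/unspecified addresses, the normal targets in a clean hosts file."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts_entries(log_text):
    """Return (ip, hostname) tuples from the O1 lines of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_hosts_redirections(log_text):
    """Group non-local hosts entries by target IP.

    One external IP collecting several well-known names (search engines,
    update hosts) is the browser-redirection pattern described in the thread.
    """
    by_ip = defaultdict(list)
    for ip, host in parse_hosts_entries(log_text):
        if not _is_local(ip):
            by_ip[ip].append(host)
    return dict(by_ip)


def find_proxy_settings(log_text):
    """Return every ProxyServer value from R1 lines; each should be confirmed as yours."""
    return [m.group(1) for line in log_text.splitlines()
            if (m := R1_PROXY_RE.match(line.strip()))]


def triage(log_text):
    """Human-readable findings for the two line types handled above."""
    findings = []
    for ip, hosts in find_hosts_redirections(log_text).items():
        names = ", ".join(sorted(set(hosts)))
        findings.append(f"hosts: {len(hosts)} name(s) redirected to {ip}: {names}")
    for proxy in find_proxy_settings(log_text):
        findings.append(f"proxy: ProxyServer = {proxy} (confirm this is your ISP's or employer's proxy)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a saved HijackThis log by reading the file into `triage()`; the same two regexes work on any O1/R1 line of that log format.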
 
OK, why should I delete my ICQ? Is it a virus?

Here is my log now...... (I have tried to remove these lines with HJT before but they keep returning)



Logfile of HijackThis v1.99.0
Scan saved at 14:54:23, on 09-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
E:\Programmer\Winamp\winampa.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Programmer\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\BulletProofSoft.com\SpywareRemover\Spyware.exe
E:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
E:\Programmer\BulletProofSoft.com\SpywareRemover\E47EC6DD.DLL
E:\WINDOWS\system32\rundll32.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Documents and Settings\ice\Skrivebord\antibug\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "kontakt.ofir.dk"); (E:\Documents and Settings\ice\Application Data\Mozilla\Profiles\default\z4xr3x5m.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgrammer%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (E:\Documents and Settings\ice\Application Data\Mozilla\Profiles\default\z4xr3x5m.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "E:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [BPSANTISPY] E:\Programmer\BulletProofSoft.com\SpywareRemover\Spyware.exe /STARTUP
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TeaTimer.exe.lnk = E:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O23 - Service: Sony SPTI Service - Sony Corporation - E:\PROGRA~1\FLLESF~1\SONYSH~1\AVLib\Sptisrv.exe
 
You're correct in assuming VX2.

Read here for info on killing this off:

.dll's and .tmp files in the system32 folder are the culprits. Be sure that you have "Show Hidden Files" enabled, and go to work. Have a copy of Pocket Killbox handy ( as some of these tend to be hard to yank.

As far as your ICQ, that's your choice. Personally, anything P2P, I avoid like the plague.

Good luck.

 
OK, but should I just delete ALL .dll and .tmp files in the system32 folder? Guess not? How do I distinguish between them?



Regards
iceb
 
No no no no no.

You delete all the .dlls in your system32 folder and you're really going to have problems.

READ the link I posted...it details how to spot them. One tip is, they are going to be of far more recent creation than any of the others. Also, random alpha/alphanumeric names tend to be used.



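The tip above gives two signals for telling the dropped files apart from the real system files: a creation/modification time much more recent than the rest of the folder, and random alphanumeric names. As an added illustration (not code from the thread or from any of the tools it mentions), here is a Python triage scan that applies both signals to a folder. It lists .dll and .tmp files modified within the last N days and marks which of those have a random-looking name; `make_demo_dir()` builds a constructed sample folder (with a hex-named DLL like the E47EC6DD.DLL in the posted log) so the scan can be tried offline. The name heuristic is deliberately crude, so it is a sorting aid for manual review, not a verdict, and the function names are mine.

```python
import os
import re
import tempfile
import time
from pathlib import Path

HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$")
VOWELS = set("aeiou")
SCAN_EXTENSIONS = {".dll", ".tmp"}


def looks_random(stem):
    """Heuristic for auto-generated file names.

    Flags hex-only names of 8+ characters (the E47EC6DD pattern from the log),
    letter-containing names of 6+ characters with no vowels, and names of 8+
    characters in which digits make up more than 40% of the text. Legitimate
    names can trip it, which is why the scan pairs it with recency.
    """
    s = stem.lower()
    if HEX_NAME_RE.match(s):
        return True
    letters = [c for c in s if c.isalpha()]
    digits = [c for c in s if c.isdigit()]
    if len(s) >= 6 and letters and not any(c in VOWELS for c in letters):
        return True
    if len(s) >= 8 and len(digits) / len(s) > 0.4:
        return True
    return False


def find_suspect_files(directory, newer_than_days=7, now=None):
    """Return (name, random_name, age_days) for recent .dll/.tmp files.

    Entries with a random-looking name sort first, then by name, so the
    strongest candidates for manual review appear at the top.
    """
    now = time.time() if now is None else now
    cutoff = newer_than_days * 86400
    hits = []
    for path in Path(directory).iterdir():
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        age = now - path.stat().st_mtime
        if age <= cutoff:
            hits.append((path.name, looks_random(path.stem), round(age / 86400, 2)))
    return sorted(hits, key=lambda h: (not h[1], h[0].lower()))


def make_demo_dir():
    """Constructed sample folder: two fresh random-named files, one fresh
    normal-named DLL, one old system DLL and one file of an ignored type."""
    root = tempfile.mkdtemp(prefix="system32-demo-")
    for name in ("E47EC6DD.DLL", "qwtzkbn.tmp", "ctfmon.dll", "kernel32.dll", "readme.txt"):
        Path(root, name).write_bytes(b"\x00" * 16)
    old = time.time() - 400 * 86400          # kernel32.dll "installed" 400 days ago
    os.utime(Path(root, "kernel32.dll"), (old, old))
    return root


if __name__ == "__main__":
    demo = make_demo_dir()
    for name, random_name, age_days in find_suspect_files(demo, newer_than_days=7):
        marker = "RANDOM NAME" if random_name else "review"
        print(f"{name:16} {age_days:6.2f} days  {marker}")
```

Point `find_suspect_files()` at the real folder to scan it; lower `newer_than_days` once you know when the symptoms started, and treat the random-name flag as a reason to look closer (file version info, signer, what references it), not as grounds to delete.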
 
OK, now I have tried with Killbox but the files return, just with other names......

I can see that it must be better with the Recovery Console, but how do you install/use it in Windows XP Home?

It seems that every time I restart with the machine connected to the internet I get a new virus file of the exact same size....


Best Regards
iceb
 
Have you disabled system restore before killing the files?
If you haven't, they will repopulate as you describe.

 
carr, this is a newer variant of Vx2, the Look2Me; it's causing a lot of problems. I have been over at the TSG forums and they're working on a fix.

khaz
 
I used the Windows console in combination with dllcompare and it worked.



Thanks ...


iceb
 
iceb, could you post the exact method you used please, it would help all concerned with this pest!

khaz
 
Well, well, my recycle bin still does not work as it is supposed to; it does not store the files so they can be recovered. But when I choose to empty it, it asks if the x number of files should be deleted, so something is still wrong.

I used comparedll to scan for the files. This is risky because it is not always going to find the unwanted files...

Then it creates a log and I search for each file in the bottom of the log. This is to take the write protection off so they can be deleted.

Then I had a list on a piece of paper by my PC and I restarted and booted into the console. Here I deleted all the files.

Then I went back into Windows and deleted the entries from my HijackThis log. All this time I had not been connected to the net.

I restarted and went back into Windows and checked my HijackThis log again and that the files I deleted were still not reappearing.

I restarted again and connected to the internet and ran dllcompare and my HijackThis and Panda online antivirus, and none of them found anything wrong...


Best Regards
iceb


 
Sorry I mean the program "Find It" and not dllcompare...

Can you help me out with the recycle bin?



Regards
iceb
 
No, I should just [accept] the prompt and delete, and then Windows recreated it and BINGO, it works too now...

Thanks for your help, people. Merry Christmas
iceb
 
pechenegs,

Look2Me is not a "new" pest. A specific removal tool for this variant has been around since it manifested itself earlier this year: (
Or... are you referencing a new variant of this?

 
Any differences for 98/ME other than system vs system32 folder?

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 