Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Hit With Video Ax

Started by Bschriever , Apr 24 2007 11:18 PM

  • Please log in to reply
2 replies to this topic

#1 Bschriever

Bschriever

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 24 April 2007 - 11:18 PM

I just got hit with Video AX and am through the first steps on the self help forum to the point where I was to stop, send a post and include the rapport printout. Here tis. C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\System32\GEARSec.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Video AX Object\smmain.exe C:\Program Files\Video AX Object\bpmon.exe C:\WINDOWS\explorer.exe C:\Program Files\Video AX Object\bpmini.exe C:\Program Files\Video AX Object\smmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Desktop\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Desktop\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brett Schriever »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brett Schriever\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND ! C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BRETTS~1\FAVORI~1 C:\DOCUME~1\BRETTS~1\FAVORI~1\Online Security Test.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files C:\Program Files\Video AX Object\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{4233ac08-a2c4-4742-a0b4-83719613d62c}"="grassily" [HKEY_CLASSES_ROOT\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32] @="C:\WINDOWS\system32\ilmpjy.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32] @="C:\WINDOWS\system32\ilmpjy.dll" »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Broadcom 54g MaxPerformance 802.11g - Packet Scheduler Miniport DNS Server Search Order: 68.12.16.30 DNS Server Search Order: 68.12.16.25 DNS Server Search Order: 68.2.16.30 HKLM\SYSTEM\CCS\Services\Tcpip\..\{16F6E901-3EA2-4208-9D8E-F6131AFA80A9}: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CS1\Services\Tcpip\..\{16F6E901-3EA2-4208-9D8E-F6131AFA80A9}: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CS3\Services\Tcpip\..\{16F6E901-3EA2-4208-9D8E-F6131AFA80A9}: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End Also am getting a Malware found from AVG for Bideo AX Object. Am awaiting instructions. BSR822

    Advertisements

Register to Remove

#2 Bschriever

Bschriever

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 25 April 2007 - 08:30 AM

I went ahead and ran the self help and here are my logs: AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 7:38:36 AM 4/25/2007 + Scan result: C:\RECYCLER\NPROTECT014844.ini -> Adware.Qworke : Cleaned. ::Report end SmitFraudFix v2.171 Scan done at 0:50:10.42, Wed 04/25/2007 Run from C:\Documents and Settings\Brett Schriever\Desktop\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{4233ac08-a2c4-4742-a0b4-83719613d62c}"="grassily" [HKEY_CLASSES_ROOT\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32] @="C:\WINDOWS\system32\ilmpjy.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32] @="C:\WINDOWS\system32\ilmpjy.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{16F6E901-3EA2-4208-9D8E-F6131AFA80A9}: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CS1\Services\Tcpip\..\{16F6E901-3EA2-4208-9D8E-F6131AFA80A9}: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CS3\Services\Tcpip\..\{16F6E901-3EA2-4208-9D8E-F6131AFA80A9}: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.12.16.30 68.12.16.25 68.2.16.30 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{4233ac08-a2c4-4742-a0b4-83719613d62c}"="grassily" [HKEY_CLASSES_ROOT\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32] @="C:\WINDOWS\system32\ilmpjy.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32] @="C:\WINDOWS\system32\ilmpjy.dll" »»»»»»»»»»»»»»»»»»»»»»»» End <_<

#3 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 April 2007 - 03:25 PM

Running the Clean

Warning: running option #2 on a non infected computer will remove your Desktop background.


Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

Posted Image


The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware, and run a full scan.
  • IMPORTANT: Do not open any other windows or
    programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab
    then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little
    time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all
    actions    "
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the
    screen and save it as a text file on your Desktop (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and Reboot in Normal Mode.

______________________________
Please post:
1.c:\rapport.txt
2.AVG Anti-Spyware log
3.A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·