Jump to content


Photo

vx2.betterinternet - help clean this beast


  • Please log in to reply
21 replies to this topic

#1 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 26 June 2004 - 12:17 AM

I usually feel pretty confident about tools and removal but this one has me at a loss. I read the FAQ on when / what / how to post and think I have followed the rules.

I downloaded Ad-Aware and updated files. I ran the Ad-Aware and cleaned several other spyware but this one it can't seem to kill.

Then I dnld SpyBot S&D again it found things that Ad-Aware did not and cleaned those but did not kill this one.

Now I have dnld HijackThis and Would sure appreciate a hand.

THANKS!!!
Alan

#2 JCD

JCD

    Member

  • New Member
  • Pip
  • 1 posts

Posted 26 June 2004 - 07:03 AM

I fought tooth and nail for three nights trying to remove the VX2.betterinternet bug from my wife's machine, and what I found to be effective I posted here. http://www.spywarein...showtopic=10306 I'm not a helper at this forum, so approach what I posted with a bit of skepticism.

JC

#3 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 26 June 2004 - 07:51 AM

Could you click here to download HijackThis by Merijn Bellekom. Doubleclick the file, click Unzip and it will save the application to C:\HijackThis. Run it from there to scan your computer.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Save the log, Ctrl-A to Select All and post it here for examination. Don't fix anything yet as most of what it lists will be harmless.

Also, click here to download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.
Posted Image

#4 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 28 June 2004 - 05:31 PM

I seem to not be able to post new or replies
hoping this works

VX2 log


Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\aolui.dll


Guardian Key--- is called: GuardianGENMH
Asynchronous 000
DllName C:\WINDOWS\system32\aolui.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {6513A67D-877E-410B-A001-906813AC3E22}
IDex DS3

User Agent String---
{6513A67D-877E-410B-A001-906813AC3E22}

#5 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 28 June 2004 - 05:51 PM

I cant get the HJT log to post as a reply

#6 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 29 June 2004 - 09:01 AM

OK do this - stay off the Internet until complete. Open VX2Finder again. Click on the Click to Find VX2.Betterinternet button again. This time delete all files found - you will get a message about "cannot delete this one" matching the same name in the Guardian Key.

Restart your computer, click User Agent$ to remove that entry from the registry, then click Guardian.reg to delete the Guardian Key. Click Restore Policy to restore the Debug policy altered in the look2Me installation and reboot.

When you click on the Click to Find VX2.Betterinternet button this time you should get a clean log of blank values.

Open HJT and scan your computer. When the scan is finished, the "Scan" button will change into a "Save Log" button. Save the log, Ctrl-A to Select All and post it here for examination. Don't fix anything yet as most of what it lists will be harmless.
Posted Image

#7 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 06:40 PM

As I indicated, the server will not allow me to post the HJT Log - I think it is too large. so I am going to post bits of it - if i can

Edited by aschoeff, 29 June 2004 - 07:08 PM.


#8 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 06:47 PM

Logfile of HijackThis v1.97.7
Scan saved at 6:25:55 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe

Edited by aschoeff, 29 June 2004 - 07:08 PM.


#9 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 06:48 PM

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

#10 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 06:53 PM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com

#11 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 06:54 PM

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.227.70.21 exch01
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

#12 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 06:57 PM

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c

#13 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 07:00 PM

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

#14 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 07:02 PM

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

#15 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 07:04 PM

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldw...shape/shape.cab

#16 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 07:05 PM

O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/...gx/GrooveAX.cab
O16 - DPF: {90B7E2B3-2E56-4571-9E54-823E33C4B4B4} (TracMan Control) - http://mirror.worldw...man/tracman.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....21/cpbrkpie.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v41/sol/sol.cab

#17 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 07:05 PM

O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8015.4526736111
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...alls/yab_af.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldw...ty/tilecity.cab

#18 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 07:06 PM

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_1us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab

#19 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 29 June 2004 - 07:07 PM

O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldw...sol/golfsol.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldw...darts/darts.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe

#20 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 30 June 2004 - 01:14 AM

:weee:

What happened when you did the VX2Finder fix?
Posted Image

#21 aschoeff

aschoeff

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 30 June 2004 - 06:29 PM

THAT particular problem is, as you suggested, cleaned up.
But looking at the HJT Log I see what might be others

#22 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 01 July 2004 - 03:49 PM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.227.70.21 exch01
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

Reboot when done, rescan with HJT and post a new log here for a final check over.
Posted Image




1 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


    Bing (1)
Member of ASAP and UNITE
Support SpywareInfo Forum - click the button