Jump to content


Photo

Passthrough Starting Toolbar


  • Please log in to reply
19 replies to this topic

#1 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 25 May 2004 - 08:40 PM

Hi, I had previosuly posted a while back and all the spyware is cleared. The one and only problem now is this toolbar that keeps coming up. I have got rid of it through HijackThis but it keeps coming back. My normal IE start page is http://news.google.com/ but this spyware automatically changes it to http://searchexe.com...ews.google.com/ and this annoying toolbar comes up. Please Help!

**Note: I always delete these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com...ews.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
But they keep coming back**

Here is the latest log file...

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PLATFO~1\Byte open.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\K-Lite Codec Pack\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com...ews.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [owns dart] C:\PROGRA~1\PLATFO~1\Byte open.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7867.4311226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

#2 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 26 May 2004 - 07:34 PM

Bump

#3 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 27 May 2004 - 05:14 PM

Bump

#4 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 28 May 2004 - 02:32 PM

Bump

#5 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 29 May 2004 - 12:49 PM

Bump

#6 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 29 May 2004 - 01:49 PM

Please download Lspfix
Unzip and run it. Check all instances of inetadpt.dll (and nothing else) , and move them to the "Remove" pane.
You will have to click the "I know what I'm doing" button.

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com...ews.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch

O4 - HKLM\..\Run: [owns dart] C:\PROGRA~1\PLATFO~1\Byte open.exe

Reboot, and delete the folder C:\PROGRA~1\PLATFO~1

These may be hidden files. See HERE for how to show hidden files.

please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#7 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 31 May 2004 - 10:06 AM

Happy Memorial Day! Thank you for your help!

That annoying toolbar is gone, but know I am having an excessive amount of pop ups even when IE is closed. Do you see anything in the logfile? Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 11:06:49 AM, on 5/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\qarxt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BB93DFB3-12AB-55E2-85CD-1F9617540B8C} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [nbjat] C:\WINDOWS\qarxt.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7867.4311226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/budicon.cab

#8 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 01 June 2004 - 04:27 PM

Bump

#9 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 02 June 2004 - 08:01 PM

Bump

#10 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 03 June 2004 - 08:53 PM

Bump

#11 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 04 June 2004 - 08:13 PM

Bump

#12 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 06 June 2004 - 06:49 PM

Bump

#13 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 10 June 2004 - 01:35 PM

Hello again isylvetsky, :D

It's been awhile since we last saw a hijackthis log. Can you post an updated hijackthis log please?? Also, please download this utility from this site and save it to your desktop:
http://tools.zerosre...m/VX2Finder.exe

Once downloaded, double click the Vx2Finder.exe file on your desktop, then click the Click to Find Vx2.BetterInternet button. Click the Make Log button, copy and paste that log back into this thread, along with the updated hijackthis log.

#14 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 12 June 2004 - 08:21 AM

Thank you! Both logs are below

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\2adsrch.cpy.dll
C:\WINDOWS\System32\2bdsrch.cpy.dll
C:\WINDOWS\System32\2bdsrch.dll
C:\WINDOWS\System32\2cdsrch.cpy.dll
C:\WINDOWS\System32\2ddsrch.cpy.dll
C:\WINDOWS\System32\2ddsrch.dll
C:\WINDOWS\System32\2edsrch.cpy.dll
C:\WINDOWS\System32\2edsrch.dll
C:\WINDOWS\System32\2fdsrch.cpy.dll
C:\WINDOWS\System32\2gdsrch.cpy.dll
C:\WINDOWS\System32\2hdsrch.cpy.dll
C:\WINDOWS\System32\2idsrch.cpy.dll
C:\WINDOWS\System32\2kdsrch.cpy.dll
C:\WINDOWS\System32\2kdsrch.dll
C:\WINDOWS\System32\2ldsrch.cpy.dll
C:\WINDOWS\System32\2ldsrch.dll
C:\WINDOWS\System32\2mdsrch.cpy.dll
C:\WINDOWS\System32\2odsrch.cpy.dll
C:\WINDOWS\System32\2odsrch.dll
C:\WINDOWS\System32\2pdsrch.cpy.dll
C:\WINDOWS\System32\2pdsrch.dll
C:\WINDOWS\System32\2qdsrch.dll
C:\WINDOWS\System32\2rdsrch.cpy.dll
C:\WINDOWS\System32\2rdsrch.dll
C:\WINDOWS\System32\2sdsrch.cpy.dll
C:\WINDOWS\System32\2sdsrch.dll
C:\WINDOWS\System32\2tdsrch.cpy.dll
C:\WINDOWS\System32\2tdsrch.dll
C:\WINDOWS\System32\2udsrch.cpy.dll
C:\WINDOWS\System32\2udsrch.dll
C:\WINDOWS\System32\2vdsrch.cpy.dll
C:\WINDOWS\System32\2vdsrch.dll
C:\WINDOWS\System32\2wdsrch.cpy.dll
C:\WINDOWS\System32\2wdsrch.dll
C:\WINDOWS\System32\2xdsrch.cpy.dll
C:\WINDOWS\System32\2xdsrch.dll
C:\WINDOWS\System32\2ydsrch.cpy.dll
C:\WINDOWS\System32\2ydsrch.dll
C:\WINDOWS\System32\2zdsrch.cpy.dll
C:\WINDOWS\System32\3dvx.dll
C:\WINDOWS\System32\3pvxVfWCodec.dll
C:\WINDOWS\System32\3uvxVfWCodec.dll
C:\WINDOWS\System32\3vvxVfWCodec.dll
C:\WINDOWS\System32\6go4svc.dll
C:\WINDOWS\System32\arstream.dll
C:\WINDOWS\System32\avlui.dll
C:\WINDOWS\System32\axptif.dll


Guardian Key--- is called:

User Agent String---

---------------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 9:21:08 AM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\egnyu.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\Wast.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\rzisxpgn.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ian\Desktop\VX2Finder.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin\apuc.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O3 - Toolbar: (no name) - {55910916-8B4E-4C1E-9253-CCE296EA71EB} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [nbjat] C:\WINDOWS\egnyu.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [kgpkotoun] C:\WINDOWS\System32\rzisxpgn.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Ian\LOCALS~1\Temp\djtopr1150.exe"
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7867.4311226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

#15 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 14 June 2004 - 09:07 PM

Hi isylvetsky,

Thanks! First, go to Add/Remove programs and uninstall Internet Optimizer and WinTools.

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin\apuc.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O3 - Toolbar: (no name) - {55910916-8B4E-4C1E-9253-CCE296EA71EB} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [nbjat] C:\WINDOWS\egnyu.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [kgpkotoun] C:\WINDOWS\System32\rzisxpgn.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab


Configure your computer to show hidden files.

Then reboot your computer in safe mode and delete the following files:
C:\WINDOWS\egnyu.exe
C:\WINDOWS\ARUpdate.exe
C:\WINDOWS\System32\rzisxpgn.exe
C:\WINDOWS\alchem.exe

And delete the following folders:
C:\WINDOWS\Wast
C:\Program Files\Web_Rebates

Then while still in safe mode, run Vx2Finder.exe again and click the Click to Find Vx2.BetterInternet button again. Place check marks next to each file and click the Delete these Files button. Click OK to each confirmation message. In this case, you might get a message that 1 or 2 cannot be deleted (might not since the Guardian Key is empty). Let me know if you are able to delete all the files.

Reboot your computer, run hijackthis again, save a fresh log and post it back into this thread along with a Vx2Finder log.

#16 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 15 June 2004 - 05:14 PM

Thank you for your help!

*All of the Vx2Finder.exe files were deleted
*I could not delete C:\Windows\egnyu.exe It said acess was denied

Log Files:

Logfile of HijackThis v1.97.7
Scan saved at 6:13:12 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7867.4311226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.ho...ex/HMAtchmt.ocx

-----------------------------------------------------------------------------------

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

#17 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 18 June 2004 - 09:38 AM

Thank you for your help!

*All of the Vx2Finder.exe files were deleted
*I could not delete C:\Windows\egnyu.exe It said acess was denied
*And I still am having pop up problems :hmmm:

Log Files:

Logfile of HijackThis v1.97.7
Scan saved at 10:36:22 AM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\K-Lite Codec Pack\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7867.4311226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.ho...ex/HMAtchmt.ocx

-----------------------------------------------------------------------------------

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

#18 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 21 June 2004 - 08:53 AM

Hi isylvetsky,

There is more stuff in here now, which explains your pop-up problem.

Go to Add/Remove Programs and uninstall WinTools. Be sure to follow the prompts very carefully. If you get an error while uninstalling it, please boot into safe mode and uninstall it while in safe mode.

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe


Reboot your computer and post a fresh hijackthis log.

#19 isylvetsky

isylvetsky

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 25 June 2004 - 08:11 PM

Help!
My computer is full of ads........
What is the logic behind pop ups. Is anyone really going to buy something from something that pops up every 3 minutes and bugs the heck out of them?

Logfile of HijackThis v1.97.7
Scan saved at 9:10:36 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\PROGRA~1\PLATFO~1\Byte open.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\K-Lite Codec Pack\Kazaa Lite K++\KazaaLite.kpp
C:\hijackthis[1]\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [owns dart] C:\PROGRA~1\PLATFO~1\Byte open.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7867.4311226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.ho...ex/HMAtchmt.ocx

#20 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 25 June 2004 - 08:51 PM

Hi again, isylvetsky

You'd be surprised. A lot of the popups are whats called pay-per-click; meaning companies get paid when someone clicks on an ad.

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

O4 - HKLM\..\Run: [owns dart] C:\PROGRA~1\PLATFO~1\Byte open.exe

Do you know what this is??
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

Have you run msconfig recently?? There's at least one process running here that is not in your hijackthis log. If you have, please place check marks in ALL entries and reboot, then post a fresh log.

It looks like you have Look2Me again. Run Vx2Finder again and paste that log back here along with an updated hijackthis log. Also, tell me what you know about that mprocessor.exe program.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button