• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Ladyfox

Where do I go for help? Spyware can't be removed

8 posts in this topic

Ok newbie here. I read the instructions on posting and I am lost on where to post what until I saw this forum.

 

I just moved and changed from dial up to cable internet.

I have scan with Adware and Search and destroy and I keep getting certain spyware back everytime I scan like "VX2.Betterinternet" and there are some stuff that it won't remove which I do not know what they are or where to start. All of a sudden I see things downloading on the bottom toolbar of my computer like//69.00....etc.

 

This is what keeps coming back do I have to do that System restore option or the Hijack log HELP:

 

Some objects could not be removed, Try closing all open brwoser windws prior

to the removal. If this does not help, reboot and run Ad-ware again

c:\windows\system32\avlui.dll

 

Vendor: VX2.BetterInternet

Category: Data Miner

Size: v316776 Bytes

Location: c:\windows\system32\avlui.dll

Last Activity: 6-5-2004 8:06:38 PM

Risk Level Low

 

Vendor: Possible Browser Hijack attempt

Category: Data Miner

Object Type: RegData

Share this post


Link to post
Share on other sites

Hi Ladyfox

You don't want to do a system restore for this problem.

Go here for Hijack This

Unzip,update and scan. The scan button will turn into a save log button. Save it,copy and paste it back into this thread. Don't fix anything yet because most of it is needed.Make sure you place HJT into a folder of it’s own. You may need to restore an item and you will not be able to from a temp. dir

After we get you fixed up you need to read and pay attention to this. It really helps.

So how did I get infected in the first place? By Tony Klein

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 11:28:48 PM, on 6/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\Program Files\Logitech\ImageStudio\LogiTray.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\PROGRA~1\NEWMOD~1\01 kind phone.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\msiexec.exe

C:\Documents and Settings\Kitty\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: grim exit - {BF9C2B8A-00A2-0107-934C-09879CA00006} - C:\PROGRA~1\WEBSEC~1\Film Platform.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [rreg] C:\Program Files\Common Files\System\rreg.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [obj axis] C:\PROGRA~1\NEWMOD~1\01 kind phone.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185

O9 - Extra button: Whistle (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

Share this post


Link to post
Share on other sites

Hi

Download this: http://www.downloads.subratam.org/VX2Finder.exe and run it

 

1-Click "Click To find Find VX2.Abetterinternet"

 

2-Delete all files found

You will get a message about "cannot delete this one" matching the same name in the Guardian Key.

 

3-Click "Open regedit" will take you right to the Guardian Key(no need to search for it)

 

4-Hilite "Guardian", RightClick and choose Security/permissions, you'll get another window with 'advanced'...

DE-select (uncheck) the lower box with "inheritable permissions"

Hit 'ok' and 'remove' on the following security prompts.

 

Restart computer.

 

5-On restart use VX2Finder again, select + delete the last file, click "User Agent$" will remove that entry from the registry.

 

6-Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions"

 

7-Click "Guardian.reg" in VX2Finder Deletes the Guardian Key.

 

8-Use Find again should produce a clean log of blank values.

 

9-Click "Restore Policy" to restore the Debug policy altered in the look2Me installation.(requires reboot to apply, but not immediatley neccessary)

 

Post another log when finished.

Edited by OlTramp

Share this post


Link to post
Share on other sites

Hey there Oltramp,

Ok I got lost on #3 where do I click "Open regedit"? :scratchhead:

and do I run this application once in a while or only when I get those type of spywares?

 

Thanks :)

Share this post


Link to post
Share on other sites

Hi

Here is the newest fix -

Download VX2Finder from this link:

http://www.downloads.subratam.org/VX2Finder.exe

 

 

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

 

Copy and paste the contents of the log into your next reply here.

--------------------------------

 

Sign off and stay off the internet until the entire procedure is complete.

 

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

 

Then select the *Delete these files* button.

You will be left with notice about one to be deleted on reboot.

It will ask to reboot on deletion of the last file (Reboot)

 

-----------------

Once back in Windows

 

 

Open VX2Finder again and click on these buttons in the right pane:

 

user agent, Guardian.reg, restore policy

 

Exit and reboot.

 

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Post it here with a fresh HijackThis log please.

Share this post


Link to post
Share on other sites

These are the results. Let me know if I did them correctly. The results for the VX2finder were the same so I might have done something wrong?

 

 

Much thanks.

 

Log for VX2.BetterInternet File Finder

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

 

Log for VX2.BetterInternet File Finder

 

 

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 6:55:20 PM, on 6/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Logitech\ImageStudio\LogiTray.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\PROGRA~1\NEWMOD~1\01 kind phone.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\Kitty\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...B_PVER}&ar=home

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {E7E8BB22-4A05-B2CF-681C-AE5EC90219FC} - C:\PROGRA~1\WEBSEC~1\Base Amok.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: grim exit - {BF9C2B8A-00A2-0107-934C-09879CA00006} - C:\PROGRA~1\WEBSEC~1\Base Amok.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [rreg] C:\Program Files\Common Files\System\rreg.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [obj axis] C:\PROGRA~1\NEWMOD~1\01 kind phone.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185

O9 - Extra button: Whistle (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

Share this post


Link to post
Share on other sites

Hi

Log isn't showing VX2. Close all browsers and rerun HJT. Check and click fix checked for the following-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...B_PVER}&ar=home

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {E7E8BB22-4A05-B2CF-681C-AE5EC90219FC} - C:\PROGRA~1\WEBSEC~1\Base Amok.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: grim exit - {BF9C2B8A-00A2-0107-934C-09879CA00006} - C:\PROGRA~1\WEBSEC~1\Base Amok.dll

O4 - HKLM\..\Run: [rreg] C:\Program Files\Common Files\System\rreg.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [obj axis] C:\PROGRA~1\NEWMOD~1\01 kind phone.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

This if you did not place it-

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:81/tel2net/CABEDialer.cab

Restart your computer in safe mode and delete-

C:\PROGRA~1\MYWEBS~1 <=Folder

C:\Program Files\Common files\WinTools <=Folder

C:\Program Files\VBouncer <=Folder

 

 

Then find and post properties on both of these

C:\Program Files\Common Files\System\rreg.exe

C:\PROGRA~1\NEWMOD~1\01 kind phone.exe

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0