ynot12

VX2.betterinternet

12 posts in this topic

I have run Spybot 1.3, Ad-Aware, Spy Sweeper and Spy Cleaner numerous times. I got something on a porn site, because I had about 250 hits in Ad-Aware after a deep computer slowdown. I got rid of all but a few, and since then I run the ad programs, get rid of them, and then they come back. The main problem seems to be vx2.betterinternet, which is detected in Ad-Aware (but not the other three programs). The vx2 changes its dll in windows\system32\kjcom.dll to something very similar and can't be deleted until I reboot the computer; then it changes the dll name by a letter, i.e. ktcom.dll. I have tried the advice in your FAQ section and have run HijackThis. I also had a trojan, bikini desk, but that seems to have gone away after numerous deletes with ad programs. Any help would be appreciated, thank you.

The Kill2Me tool is for older versions of the look2me hijack. We will need to use some different tools.

 

Download the VX2 finder tool that is appropriate for your operating system.

 

XP and 2K

http://www.downloads.subratam.org/VX2Finder.exe

 

ME and 9x

http://www.downloads.subratam.org/VX2Finder9x.exe

 

Open VX2 finder

Click the find vx2 button

then click the make log button.

 

Post the log along with your hijackthis log.

Thank you very much for your help. I have been fighting this one for about four days and at this point I am lost.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:53:14 PM, on 6/11/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\QuickClean\PlgUni.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\COOLDR~1\knobflag.exe

C:\Program Files\MProcessor\mprocessor.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Content.IE5\O9ARC5YF\VX2Finder[1].exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\Documents and Settings\Anthony\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O9 - Extra button: AIM (HKLM)

 

 

 

Log for VX2.BetterInternet File Finder

 

Files Found---

C:\WINDOWS\System32\bqotvid.dll

C:\WINDOWS\System32\ktcom.dll

 

 

Guardian Key--- is called: GuardianWMUXG

Asynchronous 000

DllName C:\WINDOWS\system32\bqotvid.dll

Impersonate 000

Logon WinLogon

Logoff WinLogoff

Version 124

ID {B83D08C6-EA32-4288-8779-36963DCC55B6}

IDex CS3

 

User Agent String---

{B83D08C6-EA32-4288-8779-36963DCC55B6}

I tried the Kill2me software along with all the others on that page; nothing helped, it said I was not infected with it. I run Ad-Aware and Spy Cleaner and Spybot and I get rid of all the other programs it's installing on my computer, but then it just reinstalls them again. I am running out of ideas, any help.

The kill2me tool only works for look2me infections up to version 121. As you can see by the VX2 finder log you have version 124.

 

The first thing I need you to do is download and install adaware. Check to make sure you have the current updates.

 

http://www.computercops.biz/downloads-file-292.html

 

Open the VX2 finder program again.

Click "Click To find Find VX2.Abetterinternet" button.

Select all the files found.

Click the 'Delete These Files' button

 

The program will delete all files but one that will be deleted on reboot.

Allow program to reboot.

 

Once Restarted:

Click 'Guardian.reg'.

Click 'User Agent'.

Click 'Restore Policy'.

 

You need to answer yes to the popups following each of these.

 

Close VX2 finder.

Open adaware.

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys.

Right-click in that pane and choose "select all"

Now press "Next" again.

It will ask you whether you'd like to remove all checked items. Click OK.

 

Then reboot and post your new VX2 finder log and another hijackthis log.

OK, the computer already seems better... That is the first time I have seen Ad-Aware actually run on start up. Thank you very much for your help. I might still need more help, not sure, but if not, post here to tell me how to make up the time you have spent helping me.... Here are the logs.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:06:41 PM, on 6/12/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Anthony\Local Settings\Temp\Temporary Directory 8 for hijackthis[1].zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

 

 

 

Log for VX2.BetterInternet File Finder

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

I got rid of the VX2.betterinternet, but now I have an IBIS mining that Ad-Aware says it can't delete and will try on reboot, but it doesn't get rid of it.


Your VX2 log looks good.

 

Go to Add/Remove Programs; find:

"Window Search" and "WinTools" and remove (uninstall) them.

If you are given a security code to insert, do so.

And reboot when done.

 

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Then reboot into safe mode and delete these folders.

C:\Program Files\Common files\WinTools

 

You may have to enable hidden files to find all the files.

 

Then reboot and let's see one more hijackthis log.

 

What is the exact message you are getting from adaware?

I did everything you said. Ad-Aware is not showing the "can not delete these files" anymore. I ran Ad-Aware on start up and only 3 files were infected. Previously there would be like 10, and some were registry values or programs. Now there was an IBIS file and people on file.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:36:55 PM, on 6/13/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\MtqaY.exe

C:\WINDOWS\System32\NqiX.exe

C:\Documents and Settings\Anthony\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O4 - HKLM\..\Run: [2WCYCJA4F@297P] C:\WINDOWS\System32\Rydo84km.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Internet Explorer is running slow, but Ad-Aware and the others are showing no infected files. During both Ad-Aware and Spy Cleaner a McAfee virus warning pops up stating that there is a virus (called Downloader-KL)

In C:/System volume Information\_restor{b45a2085-99da-4a27-b8f8-45800193252}\rp620\a0039160.exe

Any worries with this virus? McAfee can't delete or quarantine it.

You're still running hijackthis from a temp folder. This is not a good idea.

 

Did you by chance add any items to your hijackthis ignore list?

 

You are infected with the peper trojan. Run this uninstaller, reboot when finished.

 

http://downloads.subratam.org/PeperFix.exe

 

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

O4 - HKLM\..\Run: [2WCYCJA4F@297P] C:\WINDOWS\System32\Rydo84km.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Then reboot into safe mode and delete these folders.

C:\Program Files\Common files\WinTools

 

You may have to enable hidden files to find all the files.

 

Then reboot and let's see another hijackthis log.

 

You may need to clear your system restore points. Your antivirus may be detecting the trojan/virus in your system restore, but cannot remove it from there.

 

To flush the XP system Restore Points.

 

Go to Start>Run and type msconfig click enter.

 

When msconfig opens, click the Launch System Restore Button.

On the next page, click the System Restore Settings Link on the left.

 

Check the box labeled Turn off System restore on all Drives.

 

 

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Edited by Racktracker
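
The comparison the helper makes by eye between successive HijackThis logs can be scripted. The following is an added example, not part of the original thread or of any tool named in it; the sample inputs are excerpts of the 6/12/2004 and 6/13/2004 logs posted above, and the function names are assumptions.

```python
import re

# Excerpts of the 6/12/2004 and 6/13/2004 logs posted in this thread.
SCAN_0612 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\SpywareGuard\sgmain.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""
SCAN_0613 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MtqaY.exe
C:\WINDOWS\System32\NqiX.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [2WCYCJA4F@297P] C:\WINDOWS\System32\Rydo84km.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""

ENTRY = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")        # HijackThis section codes
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

def parse_log(text):
    """Split a HijackThis log into running-process paths and registry/startup entries."""
    processes, entries = set(), set()
    for line in (raw.strip() for raw in text.splitlines()):
        if ENTRY.match(line):
            entries.add(line)
        elif PROCESS.match(line):
            processes.add(line.lower())    # Windows paths are case-insensitive
    return processes, entries

def diff_scans(before, after):
    """Report what appeared, disappeared and persisted between two scans."""
    p0, e0 = parse_log(before)
    p1, e1 = parse_log(after)
    return {
        "new_processes": sorted(p1 - p0),
        "new_entries": sorted(e1 - e0),
        "removed_entries": sorted(e0 - e1),
        "persisting_autoruns": sorted(e for e in e0 & e1 if e.startswith("O4 - ")),
    }

if __name__ == "__main__":
    for key, items in diff_scans(SCAN_0612, SCAN_0613).items():
        print(key, *items, sep="\n    ")
```

An autorun entry that survives a cleanup pass, or a new process that shows up between scans, is the item to check on the next round.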
