VX2.betterinternet

#1 ynot12 (Full Member, 7 posts)

Posted 11 June 2004 - 11:06 AM

I have run Spybot 1.3, Ad-Aware, Spy Sweeper and Spy Cleaner numerous times. I got something on a porn site because I had about 250 hits in Ad-Aware after a deep computer slowdown. I got rid of all but a few, and since then I run the ad programs, get rid of them, and then they come back. The main problem seems to be VX2.betterinternet, which is detected in Ad-Aware (but not the other three programs). The VX2 changes its DLL in windows\system32\kjcom.dll to something very similar and it can't be deleted until I reboot the computer; it then changes the DLL name by a letter, i.e. ktcom.dll. I have tried the advice in your FAQ section and have run HijackThis. I also had a trojan bikini desk but that seems to have gone away after numerous deletes with the ad programs. Any help would be appreciated, thank you.

#2 bobdog (New Member, 1 post)

Posted 11 June 2004 - 12:10 PM

I spent a LONG time getting rid of this one.

Download Kill2me at spywareinfo.

You may have to run it more than once. Post back if it doesn't work.

#3 Racktracker, Hunter of Malware (Retired Staff, 1,306 posts)

Posted 11 June 2004 - 08:34 PM

The Kill2Me tool is for older versions of the look2me hijack. We will need to use some different tools.

Download the VX2 finder tool that is appropriate for your operating system.

XP and 2K
http://www.downloads...g/VX2Finder.exe

ME and 9x
http://www.downloads...VX2Finder9x.exe

Open VX2 finder
Click the find vx2 button
then click the make log button.

Post the log along with your hijackthis log.

#4 ynot12 (Full Member, 7 posts)

Posted 11 June 2004 - 08:55 PM

Thank you very much for your help, I have been fighting this one for about four days and at this point I am lost.

Logfile of HijackThis v1.97.7
Scan saved at 9:53:14 PM, on 6/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\QuickClean\PlgUni.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COOLDR~1\knobflag.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Content.IE5\O9ARC5YF\VX2Finder[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Documents and Settings\Anthony\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O9 - Extra button: AIM (HKLM)



Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\bqotvid.dll
C:\WINDOWS\System32\ktcom.dll


Guardian Key--- is called: GuardianWMUXG
Asynchronous 000
DllName C:\WINDOWS\system32\bqotvid.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {B83D08C6-EA32-4288-8779-36963DCC55B6}
IDex CS3

User Agent String---
{B83D08C6-EA32-4288-8779-36963DCC55B6}

#5 ynot12 (Full Member, 7 posts)

Posted 12 June 2004 - 10:44 AM

I tried the Kill2me software along with all the others on that page; nothing helped, it said I was not infected with it. I run Ad-Aware and Spy Cleaner and Spybot and I get rid of all the other programs it's installing on my computer, but then it just reinstalls them again. I am running out of ideas, any help?

#6 Racktracker, Hunter of Malware (Retired Staff, 1,306 posts)

Posted 12 June 2004 - 12:05 PM

The kill2me tool only works for look2me infections up to version 121. As you can see by the VX2 finder log, you have version 124.

The first thing I need you to do is download and install adaware. Check to make sure you have the current updates.

http://www.computerc...s-file-292.html

Open the VX2 finder program again.
Click "Click To find Find VX2.Abetterinternet" button.
Select all the files found.
Click the 'Delete These Files' button

The program will delete all files but one that will be deleted on reboot.
Allow program to reboot.

Once Restarted:
Click 'Guardian.reg'.
Click 'User Agent'.
Click 'Restore Policy'.

You need to answer yes to the popups following each of these.

Close VX2 finder.
Open adaware.
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.

Then reboot and post your new VX2 finder log and another hijackthis log.
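As an added illustration of what the helper reads off a VX2Finder log (example code written for this page, not part of VX2Finder, HijackThis or any other tool mentioned above): it parses the log layout posted earlier, pulls out the Winlogon Notify "Guardian" entry and its Version, applies the version 121 cut-off stated for Kill2Me, and cross-checks that the Notify DLL appears in the files found and that the user-agent string matches the Guardian ID. The sample log is a trimmed copy of the one posted in this thread; the 121 limit is taken from the reply above.

```python
# Constructed sample, trimmed to the layout of the VX2Finder log posted above.
SAMPLE_LOG = r"""Files Found---
C:\WINDOWS\System32\bqotvid.dll
C:\WINDOWS\System32\ktcom.dll

Guardian Key--- is called: GuardianWMUXG
DllName C:\WINDOWS\system32\bqotvid.dll
Version 124
ID {B83D08C6-EA32-4288-8779-36963DCC55B6}

User Agent String---
{B83D08C6-EA32-4288-8779-36963DCC55B6}
"""
KILL2ME_MAX_VERSION = 121  # from the helper's reply: Kill2Me only covers look2me up to version 121


def parse_vx2_log(text):
    """Split the log into files found, Guardian (Winlogon Notify) fields and the UA GUID."""
    result, section = {"files": [], "guardian": {}, "user_agent": None}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Files Found---"):
            section = "files"
        elif line.startswith("Guardian Key---"):
            section = "guardian"
            name = line.partition(":")[2].strip()  # empty on a clean machine
            if name:
                result["guardian"]["Name"] = name
        elif line.startswith("User Agent String---"):
            section = "ua"
        elif section == "files":
            result["files"].append(line)
        elif section == "guardian":
            key, _, value = line.partition(" ")  # "Version 124" -> ("Version", "124")
            result["guardian"][key] = value.strip()
        elif section == "ua":
            result["user_agent"] = line
    return result


def assess(parsed):
    """What a helper reads off the log: version, whether Kill2Me applies, and two consistency
    checks (the Notify DLL should be among the files found; the UA string should equal the ID)."""
    g = parsed["guardian"]
    version = int(g["Version"]) if g.get("Version", "").isdigit() else None
    return {
        "infected": bool(parsed["files"]) or bool(g),
        "version": version,
        "kill2me_applies": version is not None and version <= KILL2ME_MAX_VERSION,
        "notify_dll_in_files": g.get("DllName", "").lower() in {f.lower() for f in parsed["files"]},
        "ua_matches_id": parsed["user_agent"] is not None and parsed["user_agent"] == g.get("ID"),
    }
```

Run on a clean log (empty "Files Found---" and an unnamed Guardian key, as in the later post) it reports not infected and no version.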

#7 ynot12 (Full Member, 7 posts)

Posted 12 June 2004 - 09:14 PM

OK, the computer already seems better... That is the first time I've seen Ad-Aware actually run on start up. Thank you very much for your help, I might still need more help, not sure, but if not, post here to tell me how to make up the time you have spent helping me.... Here are the logs

Logfile of HijackThis v1.97.7
Scan saved at 10:06:41 PM, on 6/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Anthony\Local Settings\Temp\Temporary Directory 8 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe



Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

#8 ynot12 (Full Member, 7 posts)

Posted 13 June 2004 - 09:07 AM

I got rid of the VX2.betterinternet but now I have an IBIS mining that Ad-Aware says it can't delete and will try on reboot, but that doesn't get rid of it.

#9 Racktracker, Hunter of Malware (Retired Staff, 1,306 posts)

Posted 13 June 2004 - 10:22 AM

Your VX2 log looks good.

Go to Add/Remove Programs; find:
"Window Search" and "WinTools" and remove (uninstall) them.
If you are given a security code to insert, do so,
and reboot when done.

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Then reboot into safe mode and delete these folders.
C:\Program Files\Common files\WinTools

You may have to enable hidden files to find all the files.

Then reboot and let's see one more hijackthis log.

What is the exact message you are getting from adaware?

#10 ynot12 (Full Member, 7 posts)

Posted 13 June 2004 - 11:58 AM

I did everything you said. Ad-Aware is not showing the "can not delete these files" anymore. I ran Ad-Aware on start up and only 3 files were infected. Previously there would be like 10 and some were registry values or programs. Now there was an IBIS file and people on file.

Logfile of HijackThis v1.97.7
Scan saved at 12:36:55 PM, on 6/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\MtqaY.exe
C:\WINDOWS\System32\NqiX.exe
C:\Documents and Settings\Anthony\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [2WCYCJA4F@297P] C:\WINDOWS\System32\Rydo84km.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
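Added example (not a HijackThis feature) showing how a before/after diff of two HijackThis logs surfaces what a cleanup actually changed and what is new: the excerpts are copied from the second and third logs in this thread, and the last function flags new O4 autorun entries that point into System32, which is the kind of entry a helper asks about next.

```python
import re

# Excerpts copied from the 2nd and 3rd HijackThis logs posted in this thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\SpywareGuard\sgmain.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MtqaY.exe
C:\WINDOWS\System32\NqiX.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [2WCYCJA4F@297P] C:\WINDOWS\System32\Rydo84km.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""
ENTRY_RE = re.compile(r"^([RFNO]\d+) - ")  # HijackThis section tags: R0, R1, O2, O4, ...


def parse_hjt(text):
    """Return (running processes, scan entries) from a HijackThis log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # blank line ends the process list
        elif ENTRY_RE.match(line):
            entries.add(line)
        elif in_procs:
            processes.add(line.lower())  # paths are case-insensitive on Windows
    return processes, entries


def diff_hjt(before, after):
    """What disappeared and what appeared between two logs."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {"new_entries": sorted(ea - eb), "removed_entries": sorted(eb - ea),
            "new_processes": sorted(pa - pb), "gone_processes": sorted(pb - pa)}


def suspicious_autoruns(diff):
    """Heuristic, not a verdict: new O4 autoruns launching something from System32."""
    return [e for e in diff["new_entries"]
            if e.startswith("O4") and "\\system32\\" in e.lower()]
```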

#11 ynot12 (Full Member, 7 posts)

Posted 16 June 2004 - 04:52 PM

The internet explorer is running slow but Ad-Aware and the others are showing no infected files. During both Ad-Aware and Spy Cleaner a McAfee virus warning pops up stating that there is a virus (called Downloader-KL)
in C:/System volume Information\_restor{b45a2085-99da-4a27-b8f8-45800193252}\rp620\a0039160.exe
Any worries with this virus? McAfee can't delete or quarantine it.

#12 Racktracker, Hunter of Malware (Retired Staff, 1,306 posts)

Posted 16 June 2004 - 07:20 PM

You're still running hijackthis from a temp folder. This is not a good idea.

Did you by chance add any items to your hijackthis ignore list?

You are infected with the peper trojan. Run this uninstaller, reboot when finished.

http://downloads.sub...rg/PeperFix.exe

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

O4 - HKLM\..\Run: [2WCYCJA4F@297P] C:\WINDOWS\System32\Rydo84km.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Then reboot into safe mode and delete these folders.
C:\Program Files\Common files\WinTools

You may have to enable hidden files to find all the files.

Then reboot and let's see another hijackthis log.

You may need to clear your system restore points. Your antivirus may be detecting the trojan/virus in your system restore, but cannot remove it from there.

To flush the XP System Restore points:

Go to Start > Run, type msconfig and click Enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore on all Drives.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Edited by Racktracker, 16 June 2004 - 07:22 PM.
