
Adware keeps coming back!

Discussion in 'Virus & Other Malware Removal' started by ccrsems5, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. ccrsems5

    ccrsems5 Thread Starter

    Joined:
    Jun 23, 2004
    Messages:
    10
    I have tried Spybot, Ad-Aware, even the purchased version of Pest Patrol Corporate Edition. This computer of one of my employees at work continues to have some spyware on it I simply cannot remove.
    Each program finds things, but I keep getting zestysearch and popups. I tried doing them in safe mode with Sys Res off. I manually deleted a directory called 64 32 Joy, after I killed a process that had something like love dumb..... Now it says there are 2 DLLs I need to remove, but I can't delete them. Here is a HijackThis log. Thanks to anyone that can help!!

    Logfile of HijackThis v1.97.7
    Scan saved at 7:10:48 PM, on 6/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\nancy.CCRS.000\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://CCRS-SBS:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Heck Vga File - {FBC87ACB-4C7F-EDC4-32D8-7521083FC5E3} - C:\PROGRA~1\MIXREC~1\curb date.dll (file missing)
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ccrs.local
    O17 - HKLM\Software\..\Telephony: DomainName = ccrs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ccrs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ccrs.local
     
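Added example (not part of the thread, and not HijackThis's own code): a small Python triage pass over the R/O entries of a HijackThis log like the one above. It flags the three things a reviewer looks for first in this log: registry values left empty by a browser hijack (`R0 ... =`), toolbar or BHO registrations whose DLL is already gone (`(file missing)`), and O16 ActiveX download entries from hosts outside an allowlist. The sample lines are copied from the first log in this thread; the trusted-host list (`apple.com`, `macromedia.com`) is an assumption made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the R/O lines from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://CCRS-SBS:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Heck Vga File - {FBC87ACB-4C7F-EDC4-32D8-7521083FC5E3} - C:\PROGRA~1\MIXREC~1\curb date.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Every HijackThis entry starts with a kind code (R0, O3, O16, ...) followed by " - ".
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
URL = re.compile(r"https?://\S+")

# Assumption for this example: hosts whose ActiveX downloads we treat as expected.
TRUSTED_DPF_HOSTS = ("apple.com", "macromedia.com")


def parse_hjt(log):
    """Return (kind, body) tuples for every R*/O* entry in a HijackThis log."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def host_is_trusted(url):
    """True if the URL's host is one of the allowlisted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def review_hjt(log):
    """Apply the triage rules; return a list of (kind, reason, body) findings."""
    findings = []
    for kind, body in parse_hjt(log):
        if body.endswith("="):
            # An IE setting with no value left behind: typical residue of a search hijack.
            findings.append((kind, "empty value left by a hijacked IE setting", body))
        elif "(file missing)" in body:
            # Registration survives although the DLL was deleted; the key itself needs fixing.
            findings.append((kind, "registry still references a DLL that is gone", body))
        elif kind == "O16":
            m = URL.search(body)
            if m and not host_is_trusted(m.group(0)):
                findings.append((kind, "ActiveX download from a host outside the allowlist", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in review_hjt(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

On the log above this flags both empty `R0` values, the `Heck Vga File` toolbar whose DLL is missing, and the Akamai-hosted installer (which is not malicious here, but is exactly the kind of entry that deserves a manual look because the host does not match the vendor name); the three entries caperjack asks to fix below are the first three of those.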
  2. caperjack

    caperjack

    Joined:
    Jan 2, 2003
    Messages:
    236
    Important: Create a folder on the C: drive called C:\HJT.
    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
    Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.


    Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O3 - Toolbar: Heck Vga File - {FBC87ACB-4C7F-EDC4-32D8-7521083FC5E3} - C:\PROGRA~1\MIXREC~1\curb date.dll (file missing)


    Reboot and post a fresh HijackThis log.
     
  3. ccrsems5

    ccrsems5 Thread Starter

    Joined:
    Jun 23, 2004
    Messages:
    10
    Here is the log after I did as you suggested and rebooted.
    Thanks for your help. This has been driving me CRAZY!!

    Logfile of HijackThis v1.97.7
    Scan saved at 7:51:33 PM, on 6/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\system32\userinit.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://CCRS-SBS:8080
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ccrs.local
    O17 - HKLM\Software\..\Telephony: DomainName = ccrs.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ccrs.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ccrs.local
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi ccrsems5

    Welcome to TSG! :)

    I don't see anything in your log. Is everything OK now?
     
  5. ccrsems5

    ccrsems5 Thread Starter

    Joined:
    Jun 23, 2004
    Messages:
    10
    Well, it seems ok, but just as I thought all was ok, a window popped up! I have been using Google toolbar because I like how well it normally blocks popups. Any suggestion about that? Thanks again.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click Here and download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.
     
  7. ccrsems5

    ccrsems5 Thread Starter

    Joined:
    Jun 23, 2004
    Messages:
    10
    Here is the log from the VX2 finder.

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\6wo4svc.dll
    C:\WINDOWS\System32\6yo4svc.dll


    Guardian Key--- is called: GuardianMETOV
    Asynchronous 000
    DllName C:\WINDOWS\system32\6yo4svc.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {DB029B3C-45BA-41B0-8698-2E95885FC82D}
    IDex DS3

    User Agent String---
    {DB029B3C-45BA-41B0-8698-2E95885FC82D}
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    IMPORTANT!: Before you run this tool please close ALL running programs. Sign off and stay off the internet until the entire procedure is complete.


    Now run VX2Finder again and click on the Find VX2.Betterinternet button. It will display the entries as before. Select all these files:

    C:\WINDOWS\System32\6wo4svc.dll
    C:\WINDOWS\System32\6yo4svc.dll


    This time click on the Delete these files button. It will give you a message about one file to be deleted on reboot.
    It will ask to reboot to delete the last file. Go ahead and restart the computer.

    After it reboots run VX2Finder again and click on the User Agent button and it will delete the user agent string.

    Next click on the Guardian.reg button and it will delete the Guardian Key.

    Finally click the Restore Policy button to restore the Debug policy altered in the Look2Me installation.

    Restart computer and come back here and post another VX2 Finder log.
     
  9. ccrsems5

    ccrsems5 Thread Starter

    Joined:
    Jun 23, 2004
    Messages:
    10
    I did as you said, and each time I ran it, there were more files. Anyway, here is the log file. Also, the main thing that keeps popping up is something called zestyfind.
    Thanks again for helping.
    Also, should I do any of this in safe mode?

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\6bo4svc.dll
    C:\WINDOWS\System32\6ro4svc.dll
    C:\WINDOWS\System32\6wo4svc.dll
    C:\WINDOWS\System32\6yo4svc.dll


    Guardian Key--- is called: GuardianWKRNB
    Asynchronous 000
    DllName C:\WINDOWS\system32\6yo4svc.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {DB029B3C-45BA-41B0-8698-2E95885FC82D}
    IDex DS3

    User Agent String---
    {DB029B3C-45BA-41B0-8698-2E95885FC82D}
     
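Added example, not from the thread or from the VX2Finder tool: a Python parser for the log format VX2Finder prints in posts 7 and 9 above, plus a comparison between two runs. The value names under "Guardian Key" (DllName, Asynchronous, Impersonate, Logon, Logoff) are those of a Winlogon Notify subkey, which is what loads the listed DLL at every logon and explains why files reappear between runs. The sample logs are copied from posts 7, 9 and 11; nothing else is assumed.

```python
import re

# Constructed samples: the three VX2Finder logs posted in this thread, verbatim.
LOG_FIRST = r"""Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6wo4svc.dll
C:\WINDOWS\System32\6yo4svc.dll


Guardian Key--- is called: GuardianMETOV
Asynchronous 000
DllName C:\WINDOWS\system32\6yo4svc.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {DB029B3C-45BA-41B0-8698-2E95885FC82D}
IDex DS3

User Agent String---
{DB029B3C-45BA-41B0-8698-2E95885FC82D}
"""

LOG_SECOND = r"""Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6bo4svc.dll
C:\WINDOWS\System32\6ro4svc.dll
C:\WINDOWS\System32\6wo4svc.dll
C:\WINDOWS\System32\6yo4svc.dll


Guardian Key--- is called: GuardianWKRNB
Asynchronous 000
DllName C:\WINDOWS\system32\6yo4svc.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {DB029B3C-45BA-41B0-8698-2E95885FC82D}
IDex DS3

User Agent String---
{DB029B3C-45BA-41B0-8698-2E95885FC82D}
"""

LOG_CLEAN = r"""Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
"""


def parse_vx2_log(text):
    """Split a VX2Finder log into its three sections: files, guardian key values, user agent."""
    section = None
    files, guardian, user_agent = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Files Found---"):
            section = "files"
            continue
        if line.startswith("Guardian Key---"):
            section = "guardian"
            guardian["Name"] = line.split(":", 1)[1].strip()  # empty when nothing is found
            continue
        if line.startswith("User Agent String---"):
            section = "ua"
            continue
        if section == "files":
            files.append(line)
        elif section == "guardian":
            key, _, value = line.partition(" ")   # e.g. "DllName C:\...\6yo4svc.dll"
            guardian[key] = value.strip()
        elif section == "ua":
            user_agent.append(line)
    return {"files": files, "guardian": guardian, "user_agent": user_agent}


def assess(parsed):
    """Is the Winlogon Notify persistence still live, and does it point at a found file?"""
    g = parsed["guardian"]
    dll = g.get("DllName", "")
    live = bool(dll) and g.get("Logon") == "WinLogon"
    listed = dll.lower() in {f.lower() for f in parsed["files"]}
    return {"persistence_live": live, "dll_among_found": listed, "guardian": g.get("Name", "")}


def compare_runs(before, after):
    """Which files survived, appeared or vanished between two runs, and whether the key was renamed."""
    b = {f.lower() for f in before["files"]}
    a = {f.lower() for f in after["files"]}
    return {
        "still_present": sorted(a & b),
        "new": sorted(a - b),
        "removed": sorted(b - a),
        "guardian_renamed": before["guardian"].get("Name") != after["guardian"].get("Name"),
    }


if __name__ == "__main__":
    first, second = parse_vx2_log(LOG_FIRST), parse_vx2_log(LOG_SECOND)
    print(assess(first))
    print(compare_runs(first, second))
    print(assess(parse_vx2_log(LOG_CLEAN)))
```

Run against posts 7 and 9 the comparison shows no file removed, two new `6?o4svc.dll` files dropped, and the guardian key renamed from GuardianMETOV to GuardianWKRNB while its DllName still points at a file on disk: the loader was never removed, so deleting files alone cannot stick. The same parser on the post 11 log reports no files and no live persistence, which is the state that confirms the fix.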
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Try it again.
     
  11. ccrsems5

    ccrsems5 Thread Starter

    Joined:
    Jun 23, 2004
    Messages:
    10
    OK, I think you got it this time! I was being an idiot, and didn't select any the first time, just hit delete! Hahaha. Anyway, thanks again for your time. Here's the log for that.

    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)

    Is everything OK now?
     