1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Solved] vx2 Malware. Need H/T help plz!

Discussion in 'Virus & Other Malware Removal' started by esbee, Sep 11, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. esbee

    esbee Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    4
    Last night, I started getting pop-ups like crazy on my machine and several programs started installing themselves. I got rid of all the programs, ran Spybot S&D and Adaware w/ updated definitions. Spybot found 29 problems and I fixed them all. When adaware ran the first time after this happened it found over 400 critical objects. I deleted them, but now when I run it, it will find some, but when deleting, the program will freeze. The majority of the objects recognized are entitled VX2. Here is my H/T logfile that I just ran.
    Your help is greatly appreciated.

    Logfile of HijackThis v1.98.2
    Scan saved at 3:44:21 AM, on 9/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\45Q3KHAN\HIJACKTHIS[1].EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
    O3 - Toolbar: Search - {1060366E-C992-AB52-A0FB-CDD1299F676A} - C:\WINDOWS\Auxdlvbu.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
    O4 - HKLM\..\Run: [mxgasrfoinhq] C:\WINDOWS\SYSTEM\ljdvrbo.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
     
  2. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Move HijackThis to it's own permanent folder such as c:\HJT\HijackThis.exe <-----Very important; needed to keep/maintain backups in
    Click My Computer, then C:\
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

    Print these instructions as you need to have IE closed from all of the fixes listed below.

    Please check your settings so that you are able to Show Hidden Files and Folders

    With ONLY HijackThis running
    Place a check next to these entries:
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL (file missing)
    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
    O3 - Toolbar: Search - {1060366E-C992-AB52-A0FB-CDD1299F676A} - C:\WINDOWS\Auxdlvbu.dll
    O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
    O4 - HKLM\..\Run: [mxgasrfoinhq] C:\WINDOWS\SYSTEM\ljdvrbo.exe

    THEN WITH ALL OTHER WINDOWS CLOSED ,press "Fix".

    Reboot to safe mode (instructions)

    Find and delete the following files/folders:-
    C:\PROGRAM FILES\SED\ <----ENTIRE FOLDER!!
    C:\WINDOWS\SYSTEM\ljdvrbo.exe
    Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
    [*]C:\Windows\Temp\

    [*]C:\Temp\

    [*]Empty your "Recycle Bin"

    [*]Empty you TIF by Control Panel>Internet Options>General(tab)>Delete files(button)>check box to "remove all off line content">OK>Apply


    Reboot

    Download VX2Finder from HERE

    Run Vx2Finder click on the click to find VX2.BetterInternet. Then click make log.

    Copy and paste the contents of the log back to this thread.

    Post a fresh HijackThis log back to this thread also.
     
  3. esbee

    esbee Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    4
    Thanks for your help. When I booted in safe mode C:\PROGRAM FILES\SED or C:\WINDOWS\SYSTEM\ljdvrbo.exe could not be found. I deleted everything else though as specified.

    VX2 Finder Log:

    Files Found---
    C:\WINDOWS\SYSTEM\IdSETUP.DLL
    C:\WINDOWS\SYSTEM\RbCLTC5.DLL


    User Agent String---
    {202D4681-133F-4E95-95A2-661CFC218537}

    HJT log:

    Logfile of HijackThis v1.98.2
    Scan saved at 5:47:02 AM, on 9/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\JAHLYZUF\VX2FINDER9X(126)[1].EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Close ALL running programs and windows except VX2Finder. Sign off and stay off the internet until the entire procedure is complete.


    Run VX2Finder and check off all those files found and click the Delete these Files button.
    (for as many as you have)

    Next click the UserAgent$ button (to remove that reg value)

    Then click the Import.reg (to repair QuickLaunch Toolbar)

    Finally click the Restore Desktop ...to restore the desktop (Explorer.exe will end while doing this fix)
     
  5. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,441
    First Name:
    Frank
    Esbee:

    Make sure that you're using the newest version of Ad-Aware SE Personal(which is 1.04), and make sure to install the newest release of its VX2 cleaner plug-in(which is 1.03). You can download them from here.
     
  6. esbee

    esbee Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    4
    I really appreciate all of your help. Hopefully this will have taken care of my problems. It seems to be ok so far. I ran adaware and spybot again & deleted all of the problems, so hopefully this thing will not come back. Thanks again.
     
  7. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    It should have. Like Flavallee said..get the VX2 plug in for AAW and as long as no more files/user agent strings show up in the VX2Finder you downloaded earlier you log looks good...Wanna keep it that way?? Beside AAW and Spybot S&D here are a couple more recomendations...

    Congratulations, your log is clean.

    To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

    SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

    SpywareBlaster Spyware Guard

    IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

    IE Spyads

    Check out SpoofStick HERE
    it's a great new anti-phishing tool *** Note*** I don't think it will work on IE5.5

    And also see TonyKlein's good advice in
    So how did I get infected in the first place?

    Is there any particular reason you haven't went to the more secure IE6SP1??
     
  8. esbee

    esbee Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    4
    Thanks for the add'l info. I will check out those tools.

    I just got my system up and running again after a HDD failure. When I first attempted to update to IE6SP1, it wouldn't let me, so I forgot about it, but I just went & updated.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272849

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice