
VX2 problem

Discussion in 'Virus & Other Malware Removal' started by jbrohn, Feb 15, 2005.

  1. jbrohn

    jbrohn Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    14
    I run adaware and it continues to find VX2. I am having many popups and slow internet. Plus websites appear and then get diverted to another site. Here is the log. Thanks in advance.


    Logfile of HijackThis v1.99.0
    Scan saved at 1:00:23 PM, on 2/15/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\@Home\tioga\bin\tgcmd.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\winupdt.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\yn2w495v\yn2w495v.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\Vwosgn.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\windows\system32\msnavc32.exe
    C:\WINDOWS\System32\syntmler.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\sysmonnt.exe
    C:\WINDOWS\System32\swlycc.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\winbgbk32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\prutpct.exe
    C:\WINDOWS\System32\prutpct.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: (no name) - {06743EB8-C7B4-41C0-BB67-F0669EECD414} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0FBE3BF9-EFC8-4499-A060-4E38B899E8A2} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
    O2 - BHO: (no name) - {1908C032-79CD-4FB7-9B37-E37E98E67806} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {3C9C5785-7B2A-445E-B4AA-DC6711DF6507} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: (no name) - {5BE0E123-96FD-43F7-AB63-1F5111AA9C26} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: (no name) - {88BA3D91-CB10-4A44-9CB0-7D0E501907A0} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll (file missing)
    O2 - BHO: (no name) - {A9D327B2-AEF6-4F41-9771-00F4695E9645} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: (no name) - {B011F7C0-4AB5-409B-A4AB-8CFAAF4C09A7} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: (no name) - {B48CCD4F-5182-4CAA-9BD1-DA27215753E8} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: (no name) - {C7C74CC7-8A09-4CFD-BC32-10826E863C4D} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: (no name) - {CF9C886B-9AA2-4174-94AE-5AF2AAD9CF35} - C:\Program Files\yn2w495v\yn2w495v.dll
    O2 - BHO: SDWin32 Class - {DCBBDCEF-5230-453C-9E51-D4FDEDC274B9} - C:\WINDOWS\System32\odnnv.dll
    O2 - BHO: SDWin32 Class - {DCD9735D-136F-4B96-975C-ADCFA5C43652} - C:\WINDOWS\System32\spbfp.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\System32\AHIEHelp.DLL
    O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll (file missing)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [TgAddServer] "C:\@Home\tioga\bin\tgfix" /fds "http://www/download/tioga"
    O4 - HKLM\..\Run: [Tgcmd] "C:\@Home\tioga\bin\tgcmd.exe" /server /nosystray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [yn2w495v] C:\Program Files\yn2w495v\yn2w495v.exe
    O4 - HKLM\..\Run: [spbfpc] C:\WINDOWS\System32\spbfpc.exe
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Kzhmzp.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Vwosgn.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [odnnvc] C:\WINDOWS\System32\odnnvc.exe
    O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
    O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
    O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
    O4 - HKLM\..\Run: [3s9h3Fj] syntmler.exe
    O4 - HKLM\..\Run: [gmjalfd] c:\windows\system32\gmjalfd.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [IBqnRPHEe] swlycc.exe
    O4 - HKCU\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  2. dugq

    dugq

    Joined:
    Jul 16, 2004
    Messages:
    2,653
    Have a look at the lavasoft site, there's a VX2 removal tool there in the addons section.
     
  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  4. jbrohn

    jbrohn Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    14
    Thanks - I downloaded the add-ons and found no vx2. The anti-virus program found 42 trojan horses. I rebooted and then ran adaware and it found 91 infected files including a vx2.

    When I tried to access a website it was hijacked by something called linkshare and sent me to another website.
     
  5. dugq

    dugq

    Joined:
    Jul 16, 2004
    Messages:
    2,653
    I think it's probably best you get a moderator to move the thread to the security section (click on the red exclamation mark in the top right hand corner). VX2 is a nightmare to remove but the security guys know of a procedure that should work.
     
  6. Shadow2531

    Shadow2531

    Joined:
    Apr 30, 2001
    Messages:
    2,636
    I recently worked on a computer where the person kept getting ads on their desktop.

    Ended up having 82 viruses, over 500 instances of spyware, 12 porn dialers, browser hijackers etc. etc.

    VX2 was one of them that would not come off. The Adaware vx2 remover said that vx2 was not on there, but adaware itself would detect it.

    I used a million different programs to clean the system and all of them said that the system was clean. (I scanned every file). Microsoft Antispyware was one of the programs that really helped get rid of some of the crap that kept respawning itself.

    Basically to remove some of the things, I had to kill the rundll process in the task manager and quickly use MS Anti-spyware to remove the file before it came back.

    Anyway, everything said the system was clean except adaware, which still reported vx2. It was almost like running adaware was causing the reinstall of vx2.

    Anyway, turns out that system restore was undetectably infected and was reinstalling crap in the system volume information folder after a restart. I had to disable system restore and reclean the system.

    System restore was still infected though and I couldn't re-enable it without it infecting the system, and the vx2 would still show in adaware.

    They didn't want me to wipe things out so that was as good as I got it. I put sygate on there, locked the hosts file and did a whole bunch of things to keep the thing safe.

    Well the person used aol with a cable modem. He let aol through sygate and within 5 seconds, he was reinfected with everything known to man.

    So the person brought it back and I wiped it out with killdisk and reinstalled everything. I got his XP fully updated, using Opera through sygate and everything else blocked. He's been alright since.

    That vx2 would just not come off there without wiping out the hard drive. Not even in safe mode. I even shut down the computer and turned it back on instead of restarting, as it looked like it was surviving reboots (unlikely, but you never know). VX2 always generated a different file on restart too.

    So if you got the VX2 I dealt with, forget it and wipe things entirely out. As usual, Norton didn't detect any of the viruses, but avg and avast did.

    Consider browsing the net with a limited account if you don't already. That may help prevent things later.

    Once it's on there, you're in trouble and even if you can eventually get it off there, there's no sense in wasting your time.
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Let's have this moved to Security.

    I'm sure a Moderator can help remove the vx2.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

    Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

    Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

    http://www.downloads.subratam.org/VX2Finder.exe
     
  9. jbrohn

    jbrohn Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    14
    Thanks so much. Here is the log file from output.txt

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Bruce\Desktop\Find It NT-2K-XP\Find It NT-2K-XP

    ------- System Files in System32 Directory -------
    Volume in drive C has no label.
    Volume Serial Number is BC3D-8C9F

    Directory of C:\WINDOWS\System32

    02/15/2005 07:43 PM <DIR> dllcache
    0 File(s) 0 bytes
    1 Dir(s) 34,022,776,832 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is BC3D-8C9F

    Directory of C:\WINDOWS\System32

    02/15/2005 07:43 PM <DIR> dllcache
    02/13/2005 08:50 AM <DIR> vmss
    02/13/2005 08:50 AM <DIR> wsxsvc
    01/01/2005 05:20 PM 488 WindowsLogon.manifest
    01/01/2005 05:20 PM 488 logonui.exe.manifest
    01/01/2005 05:20 PM 749 sapi.cpl.manifest
    01/01/2005 05:20 PM 749 cdplayer.exe.manifest
    01/01/2005 05:20 PM 749 wuaucpl.cpl.manifest
    01/01/2005 05:20 PM 749 ncpa.cpl.manifest
    01/01/2005 05:20 PM 749 nwc.cpl.manifest
    7 File(s) 4,721 bytes
    3 Dir(s) 34,022,776,832 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is BC3D-8C9F

    Directory of C:\WINDOWS\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is BC3D-8C9F

    Directory of C:\WINDOWS\System32

    08/03/2004 11:56 PM 151,552 scrrun.dll.tmp
    08/03/2004 11:56 PM 1,236,480 ~GLH0011.TMP
    06/25/2002 01:37 PM 2,577 CONFIG.TMP
    3 File(s) 1,390,609 bytes
    0 Dir(s) 34,022,768,640 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "MSOCD"="MSOCDInstall"
    "AtHome020"="[email protected]"


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ------------------ Locate.com Results ------------------

    C:\WINDOWS\SYSTEM32\
    cdplay~1.man Sat Jan 1 2005 5:20:12p A..HR 749 0.73 K
    logonu~1.man Sat Jan 1 2005 5:20:18p A..HR 488 0.48 K
    ncpacp~1.man Sat Jan 1 2005 5:20:12p A..HR 749 0.73 K
    nwccpl~1.man Sat Jan 1 2005 5:20:12p A..HR 749 0.73 K
    sapicp~1.man Sat Jan 1 2005 5:20:12p A..HR 749 0.73 K
    window~1.man Sat Jan 1 2005 5:20:18p A..HR 488 0.48 K
    wuaucp~1.man Sat Jan 1 2005 5:20:12p A..HR 749 0.73 K

    7 items found: 7 files, 0 directories.
    Total of file sizes: 4,721 bytes 4.61 K

    ------------ Strings.exe Qoologic Results ------------


    -------------- Strings.exe Aspack Results -------------


    ----------------- HKLM Run Key ------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "TgAddServer"="\"C:\\@Home\\tioga\\bin\\tgfix\" /fds \"http://www/download/tioga\""
    "Tgcmd"="\"C:\\@Home\\tioga\\bin\\tgcmd.exe\" /server /nosystray"
    "NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
    "Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
    "winupdtl"="C:\\WINDOWS\\System32\\winupdt.exe"
    "yn2w495v"="C:\\Program Files\\yn2w495v\\yn2w495v.exe"
    "spbfpc"="C:\\WINDOWS\\System32\\spbfpc.exe"
    "98D0CE0C16B1"="rundll32.exe D0CE0C16B1,D0CE0C16B1"
    "version"="C:\\WINDOWS\\System32\\Kzhmzp.exe"
    "secure"="C:\\WINDOWS\\System32\\Vwosgn.exe"
    "Dvx"="C:\\WINDOWS\\System32\\wsxsvc\\wsxsvc.exe"
    "vmss"="C:\\WINDOWS\\System32\\vmss\\vmss.exe"
    "odnnvc"="C:\\WINDOWS\\System32\\odnnvc.exe"
    "App32dll"="C:\\windows\\system32\\msnavc32.exe lee0105"
    "SystemCheck"="C:\\WINDOWS\\SysCheckBop32"
    "RSync"="C:\\WINDOWS\\System32\\netsync.exe"
    "3s9h3Fj"="syntmler.exe"
    "WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
    "Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
    "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
    "MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
    "C:\\WINDOWS\\qblzd.exe"="C:\\WINDOWS\\qblzd.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    


    Log for VX2.BetterInternet File Finder (ALL)

    Files Found---

    Additional Files---

    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    wlballoon


    Guardian Key--- is called:

    Guardian Key--- :

    User Agent String---
    AtHome020 [email protected]
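The "Keys Under Notify" section that Find.bat dumped above, and the "Guardian Key" line that VX2Finder reports, both look at the same place: the Winlogon\Notify branch, where a DLL registered as a notification package is loaded by winlogon.exe at every logon and can re-create files that a cleaner has deleted. The following script is an added example and is not the Find.bat or VX2Finder tooling from this thread. It parses a REGEDIT4 export of that branch (decoding the hex(2) REG_EXPAND_SZ values the way they appear in the log) and reports every subkey or DllName that is not in a baseline. The baseline is an assumption taken from the nine subkeys and five DLLs in the log above, which the helper treated as clean; the ExampleGuard/example_guard.dll entry in the sample input is constructed for the demonstration and is not a real indicator.

```python
import re
from typing import Dict, List, Tuple

# Baseline taken from the Find.bat output posted in this thread, which the helper
# treated as clean for the Notify branch (assumption: these nine subkeys and five
# DLLs are what a stock Windows XP install registers; other builds may differ).
BASELINE_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}
BASELINE_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
}
NOTIFY_PREFIX = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
)


def decode_reg_value(raw: str) -> str:
    """Turn the right-hand side of a REGEDIT4 value line into a plain string.

    Handles quoted REG_SZ, hex(2): byte lists (REG_EXPAND_SZ, as Find.bat shows
    them) and dword: values. NUL bytes are dropped so both ANSI and UTF-16LE
    exports decode to the same text.
    """
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex(?:\(\d+\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.replace(b"\x00", b"").decode("latin-1")
    if raw.startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    return raw


def parse_notify_keys(export: str) -> Dict[str, Dict[str, str]]:
    """Map each Winlogon\\Notify subkey name to its decoded values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(NOTIFY_PREFIX.lower()):
                current = path[len(NOTIFY_PREFIX):]
                keys[current] = {}
            else:
                current = None
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys


def audit_notify(export: str) -> List[Tuple[str, str]]:
    """Return (subkey, reason) for every Notify entry outside the baseline."""
    findings = []
    for subkey, values in parse_notify_keys(export).items():
        # The value is spelled "DllName" or "DLLName" depending on the package
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if subkey not in BASELINE_NOTIFY_KEYS:
            findings.append((subkey, f"unexpected Notify subkey loading {dll or '?'}"))
        elif base not in BASELINE_NOTIFY_DLLS:
            findings.append((subkey, f"baseline subkey now loads {dll or '?'}"))
    return findings


# Constructed sample: two entries copied from the thread's Find.bat output plus one
# made-up subkey ("ExampleGuard" / example_guard.dll) standing in for a Notify
# entry that a malware "guardian" component would register. Not a real indicator.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleGuard]
"DllName"="C:\\WINDOWS\\System32\\example_guard.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001
"""

if __name__ == "__main__":
    for subkey, reason in audit_notify(SAMPLE_EXPORT):
        print(f"{subkey}: {reason}")
```

Run against the log in the post above (the text between "Keys Under Notify" and "Locate.com Results"), the audit returns nothing, which matches the helper's conclusion that the Notify branch on this machine was clean. A baseline check like this is only as good as the baseline, so the list of expected subkeys should come from a known-clean machine of the same Windows build rather than from memory.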
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    You don't have the new version of VX2 but you do have a Transponder, which is a variant, and it's probably what is being picked up.

    Go to Control Panel - Add/Remove programs and remove any of these that you find there:

    E2Give Browser Add on
    Browser aid
    Cash Toolbar
    Web Toolbar
    Viewpoint


    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html

    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll

    O2 - BHO: (no name) - {06743EB8-C7B4-41C0-BB67-F0669EECD414} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: (no name) - {0FBE3BF9-EFC8-4499-A060-4E38B899E8A2} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll

    O2 - BHO: (no name) - {1908C032-79CD-4FB7-9B37-E37E98E67806} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

    O2 - BHO: (no name) - {3C9C5785-7B2A-445E-B4AA-DC6711DF6507} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: (no name) - {5BE0E123-96FD-43F7-AB63-1F5111AA9C26} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: (no name) - {88BA3D91-CB10-4A44-9CB0-7D0E501907A0} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll (file missing)

    O2 - BHO: (no name) - {A9D327B2-AEF6-4F41-9771-00F4695E9645} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: (no name) - {B011F7C0-4AB5-409B-A4AB-8CFAAF4C09A7} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: (no name) - {B48CCD4F-5182-4CAA-9BD1-DA27215753E8} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: (no name) - {C7C74CC7-8A09-4CFD-BC32-10826E863C4D} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: (no name) - {CF9C886B-9AA2-4174-94AE-5AF2AAD9CF35} - C:\Program Files\yn2w495v\yn2w495v.dll

    O2 - BHO: SDWin32 Class - {DCBBDCEF-5230-453C-9E51-D4FDEDC274B9} - C:\WINDOWS\System32\odnnv.dll

    O2 - BHO: SDWin32 Class - {DCD9735D-136F-4B96-975C-ADCFA5C43652} - C:\WINDOWS\System32\spbfp.dll

    O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll (file missing)

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe

    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C

    O4 - HKLM\..\Run: [yn2w495v] C:\Program Files\yn2w495v\yn2w495v.exe

    O4 - HKLM\..\Run: [spbfpc] C:\WINDOWS\System32\spbfpc.exe

    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1

    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Kzhmzp.exe

    O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Vwosgn.exe

    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

    O4 - HKLM\..\Run: [odnnvc] C:\WINDOWS\System32\odnnvc.exe

    O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105

    O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32

    O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe

    O4 - HKLM\..\Run: [3s9h3Fj] syntmler.exe

    O4 - HKLM\..\Run: [gmjalfd] c:\windows\system32\gmjalfd.exe

    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe

    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt

    O4 - HKCU\..\Run: [IBqnRPHEe] swlycc.exe

    O4 - HKCU\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\WINDOWS\BTGrab.dll - file
    C:\WINDOWS\System32\rsyncmon.dll - file
    C:\Program Files\E2G - folder
    C:\Program Files\yn2w495v - folder
    C:\WINDOWS\System32\odnnv.dll - file
    C:\WINDOWS\System32\spbfp.dll - file
    C:\Program Files\Viewpoint - folder
    C:\WINDOWS\System32\winupdt.exe - file
    E6F1873B.DLL - file
    D9EBC318C.dll - file
    C:\Program Files\yn2w495v\yn2w495v.exe - folder
    C:\WINDOWS\System32\spbfpc.exe - file
    D0CE0C16B1.dll - file
    C:\WINDOWS\System32\Kzhmzp.exe - file
    C:\WINDOWS\System32\Vwosgn.exe - file
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe - file
    C:\WINDOWS\System32\vmss\vmss.exe - file
    C:\WINDOWS\System32\odnnvc.exe - file
    C:\windows\system32\msnavc32.exe - file
    C:\WINDOWS\SysCheckBop32.exe - file
    C:\WINDOWS\System32\netsync.exe - file
    syntmler.exe - file
    c:\windows\system32\gmjalfd.exe - file
    C:\WINDOWS\farmmext.exe - file
    swlycc.exe - file
    C:\WINDOWS\System32\prutpct.exe - file

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Reboot and post another Hijack This log please.
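The last step of the procedure above is a fresh HijackThis log, and the useful question for that log is not just "which entries are gone" but "which of the flagged entries came back under a new file name". The script below is an added example, not the forum's tooling or anything from HijackThis itself: it parses the O2 (BHO) and O4 (Run key) lines of two logs, diffs them, and checks the second log against the value names from the fix list. Matching O4 entries by registry value name rather than by file name is the point, because a component that rewrites itself on every restart keeps the same value name while the executable it points at changes. The sample logs are excerpts from the two logs posted in this thread, trimmed to the lines needed; the fix-list names are taken from the post above.

```python
import re
from typing import Dict, Set, Tuple

# Line shapes used by HijackThis 1.99 for startup entries (O4) and BHOs (O2)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

RunKey = Tuple[str, str]  # (hive, value name), e.g. ("HKLM", "3s9h3Fj")


def parse_hjt(log: str) -> Tuple[Dict[RunKey, str], Dict[str, Tuple[str, str]]]:
    """Extract Run entries keyed by (hive, name) and BHOs keyed by CLSID."""
    run_entries: Dict[RunKey, str] = {}
    bhos: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            run_entries[(m.group(1), m.group(2))] = m.group(3).strip()
            continue
        m = O2_RE.match(line)
        if m:
            bhos[m.group(2).upper()] = (m.group(1), m.group(3).strip())
    return run_entries, bhos


def compare_logs(before: str, after: str, flagged_names: Set[str]) -> Dict[str, list]:
    """Diff two logs; flagged_names are the Run value names the helper told the user to fix."""
    run_b, bho_b = parse_hjt(before)
    run_a, bho_a = parse_hjt(after)
    report: Dict[str, list] = {k: [] for k in (
        "run_removed", "run_unchanged", "run_renamed", "run_new",
        "bho_removed", "bho_persisted", "bho_new", "bho_orphaned", "still_flagged")}
    for key, cmd in run_b.items():
        if key not in run_a:
            report["run_removed"].append(key)
        elif run_a[key] == cmd:
            report["run_unchanged"].append(key)
        else:
            # Same registry value name, different payload: the entry survived the
            # cleanup and was re-written pointing at a fresh file name
            report["run_renamed"].append((key, cmd, run_a[key]))
    report["run_new"] = [key for key in run_a if key not in run_b]
    for clsid in bho_b:
        report["bho_removed" if clsid not in bho_a else "bho_persisted"].append(clsid)
    for clsid, (_, path) in bho_a.items():
        if clsid not in bho_b:
            report["bho_new"].append(clsid)
        if "(file missing)" in path:
            # Registry still references a DLL that is no longer on disk
            report["bho_orphaned"].append(clsid)
    report["still_flagged"] = sorted(name for (_, name) in run_a if name in flagged_names)
    return report


# Excerpts from the two HijackThis logs posted in this thread (before and after
# the fix list), trimmed to the lines needed for the comparison.
BEFORE_LOG = r"""
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [3s9h3Fj] syntmler.exe
O4 - HKCU\..\Run: [IBqnRPHEe] swlycc.exe
"""

AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {4A58794C-B669-4523-B1A8-3EBEBACBDC07} - C:\WINDOWS\System32\spbfp.dll (file missing)
O2 - BHO: LinkBHO.cIExplorer - {CC924BD1-7382-4619-A706-070CB00F2325} - C:\Documents and Settings\All Users\Application Data\linkbho\LinkBHO.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [3s9h3Fj] haliui.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [IBqnRPHEe] filtapi.exe
"""

# Value names from the helper's "fix checked" list that this excerpt covers
FIX_LIST = {"ViewMgr", "winupdtl", "3s9h3Fj", "IBqnRPHEe"}

if __name__ == "__main__":
    for section, items in compare_logs(BEFORE_LOG, AFTER_LOG, FIX_LIST).items():
        print(f"{section}: {items}")
```

On these excerpts the report shows [ViewMgr] gone, [RealTray] untouched, and [3s9h3Fj] and [IBqnRPHEe] still present but now pointing at haliui.exe and filtapi.exe instead of syntmler.exe and swlycc.exe, so both remain on the still_flagged list even though neither original file name appears in the new log. The orphaned spbfp.dll BHO is a registry reference to a DLL that was deleted on disk, which is harmless but worth fixing so it does not mask a later reinfection under the same CLSID.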
     
  11. golferbob

    golferbob

    Joined:
    May 18, 2004
    Messages:
    3,896
  12. jbrohn

    jbrohn Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    14
    Thanks so much for the help. The computer was really slow with many pop-ups, so it took a while to perform the tasks. It is running a lot better. Here is the logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:47:22 PM, on 2/16/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\@Home\tioga\bin\tgcmd.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\haliui.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\filtapi.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Bruce\Local Settings\Temp\Temporary Directory 2 for hijackthis2.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2E4D7C80-CA50-406E-AF0D-DDA5515E6DCB} - C:\Program Files\yn2w495v\yn2w495v.dll (file missing)
    O2 - BHO: SDWin32 Class - {4A58794C-B669-4523-B1A8-3EBEBACBDC07} - C:\WINDOWS\System32\spbfp.dll (file missing)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {A3BAA434-8705-4A77-AE9C-6F4220D9426D} - C:\Program Files\yn2w495v\yn2w495v.dll (file missing)
    O2 - BHO: LinkBHO.cIExplorer - {CC924BD1-7382-4619-A706-070CB00F2325} - C:\Documents and Settings\All Users\Application Data\linkbho\LinkBHO.dll
    O2 - BHO: (no name) - {F6A3FB3C-6B4E-49F1-B669-81AD7A46785F} - C:\Program Files\yn2w495v\yn2w495v.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\System32\AHIEHelp.DLL
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [TgAddServer] "C:\@Home\tioga\bin\tgfix" /fds "http://www/download/tioga"
    O4 - HKLM\..\Run: [Tgcmd] "C:\@Home\tioga\bin\tgcmd.exe" /server /nosystray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\qblzd.exe] C:\WINDOWS\qblzd.exe
    O4 - HKLM\..\Run: [3s9h3Fj] haliui.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IBqnRPHEe] filtapi.exe
    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
     
  13. jbrohn

    jbrohn Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    14
    I haven't seen vx2 come up on any of the security scans I have done lately, but I am having problems with SearchRedirect taking over web pages.
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    Go to Control Panel - Add/Remove programs and remove:

    WinTools or WinTools for IE Service

    Rescan with Hijack This and have it fix these entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

    O2 - BHO: (no name) - {2E4D7C80-CA50-406E-AF0D-DDA5515E6DCB} - C:\Program Files\yn2w495v\yn2w495v.dll (file missing)

    O2 - BHO: SDWin32 Class - {4A58794C-B669-4523-B1A8-3EBEBACBDC07} - C:\WINDOWS\System32\spbfp.dll (file missing)

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O2 - BHO: (no name) - {A3BAA434-8705-4A77-AE9C-6F4220D9426D} - C:\Program Files\yn2w495v\yn2w495v.dll (file missing)

    O2 - BHO: LinkBHO.cIExplorer - {CC924BD1-7382-4619-A706-070CB00F2325} - C:\Documents and Settings\All Users\Application Data\linkbho\LinkBHO.dll

    O2 - BHO: (no name) - {F6A3FB3C-6B4E-49F1-B669-81AD7A46785F} - C:\Program Files\yn2w495v\yn2w495v.dll (file missing)

    O4 - HKLM\..\Run: [C:\WINDOWS\qblzd.exe] C:\WINDOWS\qblzd.exe

    O4 - HKLM\..\Run: [3s9h3Fj] haliui.exe

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    O4 - HKCU\..\Run: [IBqnRPHEe] filtapi.exe

    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe


    In safe mode and with all other browser windows closed, locate and delete:

    C:\PROGRA~1\COMMON~1\WinTools - folder
    C:\Documents and Settings\All Users\Application Data\linkbho - folder
    C:\WINDOWS\qblzd.exe - file
    C:\WINDOWS\System32\haliui.exe - file
    C:\WINDOWS\System32\filtapi.exe - file

    Is this a program that you just downloaded or did it show up on its own? I'm not familiar with it:

    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe

    Do a couple of on-line virus scans at these links:

    http://housecall.trendmicro.com/ - be sure to check “auto clean” before scanning

    http://www.pandasoftware.com/activescan/

    Reboot and post another log please.
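A defender-side way to triage a HijackThis log like the one posted above, flagging the same kinds of entries Cookiegal picked out: hooks and BHOs whose file is missing, paths under WinTools or linkbho, Run values that name a bare executable with no path, and services with an unknown owner. This is an added Python example, not code from the thread or from HijackThis; the heuristics are the example's own assumptions and the sample lines are copied from the log above.

```python
import re

# Added example: heuristic triage of HijackThis lines, modelled on the entries
# the helper in this thread told the poster to fix. Not part of the thread.
# Sample lines copied from the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E4D7C80-CA50-406E-AF0D-DDA5515E6DCB} - C:\Program Files\yn2w495v\yn2w495v.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3s9h3Fj] haliui.exe
O4 - HKCU\..\Run: [IBqnRPHEe] filtapi.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""
# Path fragments the thread associates with the adware (WinTools, LinkBHO).
ADWARE_MARKERS = ("wintools", "linkbho")
RUN_ENTRY = re.compile(r".*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)")
BARE_EXE = re.compile(r'[^\\"/ ]+\.exe', re.IGNORECASE)

def reasons_for(line):
    """Return the reasons a single HijackThis log line looks suspicious."""
    kind, _, rest = line.partition(" - ")
    low = rest.lower()
    reasons = []
    # Hook or BHO pointing at a file that no longer exists: a leftover to fix.
    if "(file missing)" in low or low.endswith("(no file)"):
        reasons.append("orphaned entry")
    if any(marker in low for marker in ADWARE_MARKERS):
        reasons.append("known adware path")
    # Legitimate Run values carry a full path; a bare name (haliui.exe,
    # filtapi.exe in this log) relies on the search path and hides its origin.
    if kind == "O4":
        m = RUN_ENTRY.match(rest)
        if m and BARE_EXE.fullmatch(m.group("cmd").strip()):
            reasons.append("bare executable name, no path")
    if kind == "O23" and "unknown owner" in low:
        reasons.append("service with unknown owner")
    return reasons

def triage(log_text):
    """Return [(line, reasons)] for every suspicious line, in log order."""
    flagged = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        reasons = reasons_for(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged
```

Running `triage(SAMPLE_LOG)` leaves the Adobe, QuickTime and NVIDIA lines unflagged and returns the six entries that match the ones listed for fixing, each with the reason it was picked.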
     
  15. jbrohn

    jbrohn Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    14
    I did not download SpyWareWall and have removed it twice with Add/Remove.
     
Short URL to this thread: https://techguy.org/330910
