Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

Falcon2003

54 Posts

14070

June 18th, 2004 19:00

VX2 BetterInternet spyware

I got VX2 BetterInternet spyware. I deleted it by Ad-Aware , McAfee AV and Spy Sweeper, but it comes back after I reboot PC. I cannot rid from it. Please any help!! may be some program or else.

I found in this forum http://download.broadbandmedic.com/VbStuff/OE2.BetterInternet.exe   but this URL dead

Thanks for any help!

Message Edited by Falcon2003 on 06-18-2004 04:40 PM

Texruss

2 Intern

 • 

3.4K Posts

June 19th, 2004 05:00

We need you to download and install an analysis and repair tool called Hijackthis.

Download the zipped file from here: http://tomcoyote.com/hjt

Or....If you prefer an .exe version (saves a lot of time for novices) download the file from here:

http://209.133.47.12/~merijn/files/HijackThis.exe

Please unzip Hijackthis.zip or move the hijackthis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a temp folder, or in the root level of the C: drive or the My Documents folder. It will create many backup files and they need to be stored in a unique Hijackthis folder.

Hijackthis FAQ (Frequently Asked Questions) at:

http://russelltexas.com/malware/faqhijackthis.htm

After downloading, and unzipping the hijackthis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run Hijackthis, click on the 'scan' button and then 'save log' button.

Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt

Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. Hijackthis should identify the vast majority of your problems and enable us to help you clean them off your system.


Stay in this thread for continuity. Reply to this message.

HTH (Hope that Helps)

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are
one of our classmates and not on this list email me for an addition to this
list...we need all the help we can get *;-)

Falcon2003

54 Posts

June 19th, 2004 11:00

Thanks for reply!

Here is My HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 8:02:16, on 19.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\WINDOWS\dhbrwsr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
C:\WINDOWS\dhsvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
c:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by2fd.bay2.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=5702ce57578c40f60ca23129aaff35e9&fti=yes
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://by2fd.bay2.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=5702ce57578c40f60ca23129aaff35e9&fti=yes
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.72.69.17:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] C:\Program Files\Microsoft Money\System\Activation.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/CLEN8100/payload2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38034.7221412037
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C20F7D6F-8761-446E-8D31-2A32D4219822}: NameServer = 207.217.120.83 207.217.77.82

 

Texruss

2 Intern

 • 

3.4K Posts

June 19th, 2004 18:00

Run Hijackthis, scan and check the box left of these numbered line items:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.72.69.17:80
Comments: This IP is blocked for searches from Sam Spade app, so if you didn't put this proxy server in place check it.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Comments: if you didn't put this restriction in place check it
O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/CLEN8100/payload2.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) -
Comments: DealHelper adware has a sneaky ActiveX script here

With no other windows open click on fix checked button in Hijackthis.

Exit Hijackthis.

Reboot to SAFE MODE and Show HIDDEN FILES and folders  (VERY IMPORTANT!)

FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Drill on down and delete the following files and/or folders: (some may not be present)

C:\Program Files\TV Media      folder
C:\Program Files\INTERN~2    folder...will be longer foldername
C:\Program Files\Ezula             folder

C:\WINDOWS\DHUpdt.exe               file
C:\WINDOWS\dhbrwsr.exe              file
C:\WINDOWS\bxxs5.dll                     file
C:\WINDOWS\SYSTEM\blank.htm    file

Exit Explorer and immediately empty the Recycle Bin. Reboot to normal mode.

Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.

Most of the baddies you have can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:

1. Latest version
2. Configured correctly for running options
3. New definitions from update feature

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.

http://www.cjwd.demon.co.uk/spybot-adaware.html

Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this.The problem is not serious and should not deter people from using Spybot.

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.

If you have any problems with Disk Cleanup completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

Finally....

Download VX2Finder from this link:

http://www.downloads.subratam.org/VX2Finder.exe

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)

Reboot and browse a bit, exit IE, and scan and post a new Hijackthis log.

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are
one of our classmates and not on this list email me for an addition to this
list...we need all the help we can get *;-)

Falcon2003

54 Posts

June 19th, 2004 22:00

Thanks and I did everything u said... but after last reboot i browse  a bit and it come back again:(( Its killing me- pop up windows)

here is my new log but I can see already some hosts

P.S. O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
and  O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
I didnot delete cause I use this prog for long time  and its ok

Logfile of HijackThis v1.97.7
Scan saved at 19:00:18, on 19.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\tuffguy\My Documents\KurskProgram\Ad-aware\Ad-aware 6\Ad-aware.exe
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\tuffguy\My Documents\KurskProgram\TotalCommander551\totalcmd\TOTALCMD.EXE
c:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by2fd.bay2.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=5702ce57578c40f60ca23129aaff35e9&fti=yes
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.72.69.17:80
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] C:\Program Files\Microsoft Money\System\Activation.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38034.7221412037
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C20F7D6F-8761-446E-8D31-2A32D4219822}: NameServer = 207.217.120.83 207.217.77.82

Please , stay with me! I`m ready for all your steps

 

Texruss

2 Intern

 • 

3.4K Posts

June 20th, 2004 01:00

Sorry about the Yandex Search engine...my IE hosts blocker programs pegged that site as hostile..must be the Russian URL.

Try running Hijackthis in Safe Mode and fix check the Hosts lines:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Also run Adaware again.

This may not solve your popups...what kinds are you getting? Could be an infector not detectable by Hijackthis.

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are
one of our classmates and not on this list email me for an addition to this
list...we need all the help we can get *;-)

Falcon2003

54 Posts

June 20th, 2004 10:00

Hello again,Texruss! Thanks for keep helping me!

Ok ... I found few new progs that I dinnot download :

"Window Search"

"Internet Keyword"

I uninstalled it but seems  this progs  come back from time to time.

What pop ups I have? Its differ and they show for few second and than gone:
http://zestyfind.com ( this page try to become  R0 Start page wnen I scan with HJT)

http://allaboutsearching.com/searchbar.html ( (R1 search bar)

http://www.filedistributor.com

autosearch.msn.com

ieautosearch

search.netscape.com

 

It pops differ sites about ads.

I did every thing u said in Safe mode.System restore off

Last time HJT said "Possible Browser Hijack Main Start Page

I cleaned as u said but when start to browse it comes back And I can see some new prog installed on PC, pop ups web pages.

I run VX Finder( betterinternet) as u  told me and it find some files  and I deleted , but after browse  a bit it show again that there are some files belong to VX betterinternet. There is file called aad.dll . This is system file but VX finder every time show this file like unwanted. I cannopt delete this file even in safe mode.

So still hope u guys  help me to rid of this

Texruss

2 Intern

 • 

3.4K Posts

June 20th, 2004 12:00

>aad.dll . This is system file but VX finder every time show this file like unwanted. I cannot delete this file even in safe mode

Stop it in processes in Safe Mode (hit Control-Shift-Escape keys in XP and NT). In Windows Explorer right button click on that file and left button on the box to uncheck Read-only attributes (favorite trick of scum writers). Then delete.

You're doing well...hang in that and run the tool again, followed by a custom scan by Adaware.

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are
one of our classmates and not on this list email me for an addition to this
list...we need all the help we can get *;-)

Edit: typo for left button

Message Edited by Texruss on 06-20-2004 08:46 AM

Falcon2003

54 Posts

June 20th, 2004 14:00

Texruss I still keep scaning,deleting,rebooting... so far I have same problem.

About aad. dll file:

U said stop it in process.What process? I have no idea because  I cannot see any process like aad....

In safe mode , with unchecked and saved read only i cannot delete this file because it says every time I try delete : " Cannot delete aad.dll . Its being used by another person or program. Close all program and try again"

Texruss, what program? I`m in safe mode and only windows explorer open at this moment. So unable to delete this file.

Texruss I k now  u spend a lot  of time for me but please dont give up

I guees the problem comes from something VX2 betterinternet but  I don`t know where to look for. VX finder  find every reboot  one or two files even if I delete it before,

I set Adaware to custom and all what u said

I have feeling that we need to kill aad.dll because it says unknown application and timed when I got problem and VX finder keep find this file.

So I`m still count on u.

Thanks again

Texruss

2 Intern

 • 

3.4K Posts

June 20th, 2004 15:00

Look for strange processes in Safe Mode and stop them...it may be named something else...

Stop it in processes in Safe Mode (hit Control-Shift-Escape keys in XP and NT). In Windows Explorer right button click on that file and left button on the box to uncheck Read-only attributes (favorite trick of scum writers). Then delete.

HTH,

Texruss

Falcon2003

54 Posts

June 21st, 2004 23:00

aad.dll coming back again every time I go online and open IE

and Hosts auto.search.msn.com and ieautosearch

Message Edited by Falcon2003 on 06-21-2004 07:20 PM

Texruss

2 Intern

 • 

3.4K Posts

June 22nd, 2004 01:00

Post a new log...we may try a different approach.

Texruss

Falcon2003

54 Posts

June 22nd, 2004 20:00

Ok

Logfile of HijackThis v1.97.7
Scan saved at 17:41:01, on 22.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
c:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by2fd.bay2.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=4e5b84e90a61cebc739b3585681d7c15&fti=yes
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.72.69.17:80
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] C:\Program Files\Microsoft Money\System\Activation.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Translate - http://lingvo.yandex.ru/ie5trans.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yandex &Search - http://lingvo.yandex.ru/ie5search.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38034.7221412037
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C20F7D6F-8761-446E-8D31-2A32D4219822}: NameServer = 207.217.120.83 207.217.77.82

And this is "VX2 Finder" log:

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\aad.dll
C:\WINDOWS\System32\AxTIVEDS.DLL


Guardian Key--- is called: GuardianFTNBT
Asynchronous 000
DllName C:\WINDOWS\system32\aad.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {85A22A11-F144-4354-BD9A-0DB3B86948DE}
IDex CS3

User Agent String---
{85A22A11-F144-4354-BD9A-0DB3B86948DE}

Thanks for reply

 

Texruss

2 Intern

 • 

3.4K Posts

June 23rd, 2004 01:00

In Safe Mode and Hijackthis fix check:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Delete these in Windows Explorer:

C:\WINDOWS\System32\aad.dll
C:\WINDOWS\System32\AxTIVEDS.DLL

Texruss

Falcon2003

54 Posts

June 23rd, 2004 20:00

I did it in Safe mode 10 times.

Coming back any way

Texruss

2 Intern

 • 

3.4K Posts

June 23rd, 2004 23:00

Check your HOSTS file:

http://russelltexas.com/malware/HOSTS.htm

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with malware in general and Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)

Was this post helpful?

View All

No Events found!

Top