falcon051997
asked on
Vx2 and Twain-Tech
I have noticed that there are two persistent spyware programs that keep coming back over and over again. I used Spy Sweeper. It seems to find these two, then I delete them etc., but they keep coming back. I then used Adware 6.0. I used the Vx2 Plugin. I also was quite surprised to see that when I first used Adware, it found like some 52 spyware entries of all sorts. Strange indeed, since I thought that Spy Sweeper has been doing a wonderful job all along. Now I am really skeptical of these so-called spyware eliminators. I bet if I use another program it too will find a few others. Anyway, my question is how to completely and permanently remove these two, Twain-Tech and Vx2 spyware. And what spyware killer programs should I use to protect my computer? Thanks.
ASKER
Logfile of HijackThis v1.98.0
Scan saved at 9:36:17 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\WINDOWS\System32\LXSUPMON.EXE
D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\WINDOWS\System32\pcznxr.exe
D:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\PROGRA~1\AIM\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\Program Files\Qualcomm\Eudora\Eudora.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
D:\Program Files\Internet Explorer\iexplore.exe
F:\My Documents\ChessBase\Twic\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - D:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [LXSUPMON] D:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PinnacleDriverCheck] D:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Acronis True Image Monitor] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nbtbszocrwho] D:\WINDOWS\System32\pcznxr.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [alchem] D:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - Startup: Registration-InstantCopy.lnk = D:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Hi! falcon!
Disable "System Restore".
Make sure "Show all Files and Folders", including hidden and system, is enabled.
Go to Add/Remove Programs in Control Panel, and look for an entry pertaining to "Twain-tec" -
uninstall it.
Start Task Manager, and in the list of running processes look for the following:
pcznxr.exe
Kill it.
Reboot your computer into "Safe" mode, and search your computer for any instances of:
twaintech.dll
twaintec.ini
pcznxr.exe
Delete all that you find.
It's possible that twaintec.dll may still be in use - if that is the case, rename it (to twaintec.old, for instance) -
Clean out ALL your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
<=This will delete all your cached internet content including cookies.
This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Then reboot your computer into "Normal" mode and delete the renamed twaintec file(s).
Go to the following and download these 2 tools:
http://www.subratam.org/?page=removal
9. (i) VX2.BetterInternet Finder XP/2k - The latest Look2Me Fix brought out by Option Explicit. This one is effective but O^E will be continuously updating it here if new versions are out.
(ii) Version Msg126 - New Version for L2M is out and it is autoupdating to Msg126. If the user has "old L2M" VX2Finder will do the job, but it is better we run this tool first now, because we know L2M autoupdates.
Run the Version Msg126 tool.
Click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Copy and paste the contents of the log and post it back here.
Good luck!
RF
ASKER
Log for VX2.BetterInternet File Finder
Files Found---
Guardian Key--- is called:
User Agent String---
ASKER
Comment:
When I used the version 126 I found the following files
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
By the way, the Twain Tech appears to be gone for now. But does this mean it won't come back again? What precautions can I take? Thanks.
If I were you, I would buy the professional version of ad-aware 6.0 and make sure you get the ad-watch feature.
Also try Spybot search and destroy.
Hope this helps,
kkrazyykkidd
ASKER
comment kkrazyykkidd
Did it work for you? I have tried many so-called spyware killers. I tried spybot, spy sweeper, adware... etc. The problem is that the spyware keeps coming back. Sometimes the spyware killers slow the computer too. And if I use very high security on IE options, I can't browse at all. There is no solution, it appears.
Hi! falcon
Still something left to do with VX2.
---------------
Sign off and stay off the internet until the entire procedure is complete.
Open VX2Finder and click on the *click to find VX2.BetterInternet* button.
Then select the *Delete these files* button.
You will be left with a notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)
-----------------
Once back in Windows
Open VX2Finder again and click on these buttons in the right pane:
user agent, Guardian.reg, restore policy
Exit and reboot.
Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here with a fresh HijackThis log please.
I'll have some info on how to prevent this spyware garbage - for right now:
let's see if we can get your system cleaned.
Good luck!
RF
ASKER
comment to RF
The problem I am facing is this. When I run VX2.BetterInternet.... it finds a bunch of files. However, I cannot delete them. The delete button is grayed out.
Please also note that I have increased the points to the question. I realized the solution is much more complicated than I originally thought. Thanks.
Hi!
OK - post the list of files it found here - and:
With all browser windows closed run HijackThis and post a new log file here.
Good luck!
RF
ASKER
comment to RF:
Here is Hijackthis log.
Logfile of HijackThis v1.98.0
Scan saved at 2:58:33 PM, on 8/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\WINDOWS\System32\LXSUPMON.EXE
D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
F:\My Documents\ChessBase\Twic\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [LXSUPMON] D:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PinnacleDriverCheck] D:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Acronis True Image Monitor] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - Startup: Registration-InstantCopy.lnk = D:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Here is VX2 log.
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
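Added example (not part of the original thread, and not the finder tool's own code): a small Python triage of a pasted VX2.BetterInternet File Finder log. It treats the nine "Keys Under Notify" entries in the log above, all stock Windows XP Winlogon notification packages, as an assumed baseline and flags anything else. The second sample log and every name in it are constructed, and a value following "is called:" is an assumed format.

```python
import re

# Winlogon\Notify subkeys that ship with Windows XP. These are the nine
# names in the asker's log; using them as the baseline is this example's
# assumption, not something the finder tool does.
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Section headers look like "Files Found---" or "Guardian Key--- is called:".
SECTION_RE = re.compile(r"^([A-Za-z ]+?)---\s*(.*)$")


def parse_finder_log(text):
    """Split the log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
            # The Guardian Key header carries its value on the same line.
            value = re.sub(r"^is called:\s*", "", m.group(2)).strip()
            if value:
                sections[current].append(value)
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Report files found, non-baseline Notify keys and the guardian key."""
    s = parse_finder_log(text)
    files = s.get("Files Found", []) + s.get("Additional Files", [])
    unknown = [k for k in s.get("Keys Under Notify", [])
               if k.lower() not in BASELINE_NOTIFY]
    guardian = s.get("Guardian Key", [])
    return {
        "files": files,
        "unknown_notify_keys": unknown,
        "guardian_key": guardian[0] if guardian else None,
        "clean": not (files or unknown or guardian),
    }


# The asker's log, as posted in the thread.
POSTED_LOG = r"""Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
"""

# Constructed sample: the file, the extra key and the guardian name are made up.
SUSPECT_LOG = r"""Log for VX2.BetterInternet File Finder (msg126)
Files Found---
D:\WINDOWS\system32\example_constructed.dll
Additional Files---
Keys Under Notify---
crypt32chain
ExampleNotifyKey
wlballoon
Guardian Key--- is called: ExampleGuardian
User Agent String---
"""

if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("constructed", SUSPECT_LOG)):
        print(name, triage(log))
```
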
Comment to falcon.
Yes I actually had the exact same spyware! I got rid of it by using SpyBot S&D!
All I had to do was restart my computer, scan before Windows starts, then, BAM, no spyware. I scanned a day later, nothing was there (except another type of spyware)
kkrazyykkidd
what is Avant?
ASKER
Wow? How can you scan using Spybot before Windows starts? Makes no sense to me!
"what is Avant? " ????
It's a feature on Spybot: when something is found it will ask you to automatically start up before Windows starts... you can also ask it to start up before Windows starts -- dude, you don't have to be so flip... I'm only trying to help you.
Avant... spyware?
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
kkrazyykkidd
Avant is AvantBrowser, I presume :)
another type of browser out there :)
Try reading this link:
http://crazyone.tekmasters.com/malwaretools.html
And what's
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
Do you have a Lexmark unit installed?
And if you can't delete certain files but you're sure that's the problem,
then why don't you try deleting them from safe mode?
Or even DOS if it's under a FAT32 fs :)
Go here too: www.sysinfo.org... this may help A LOT
D:\WINDOWS\system32\LEXPPS.EXE
For Lexmark printers. From Lexmark: "This enables bi-directional printing over a peer to peer network. If the printer is connected directly to your PC, the file is not used, (or should not be used) at all". It is known that firewalls can however alert you to "lexpps.exe" requesting server privileges.
ASKER
"And if you can't delete certain files but you're sure that's the problem,
then why don't you try deleting them from safe mode?
Or even DOS if it's under a FAT32 fs :)"
I have not faced this problem yet.
The list I provided is for RF's request. I still don't know what to make out of that list anyways.
I do have a Lexmark printer. I don't have Avant Browser. It was on some time ago but I hated it so I removed it.
The lists I provided are made by the Hijack and VX2 programmes...
ASKER
Comment from kkrazyykkidd feedback
Date: 08/02/2004 06:35AM PDT
Comment
go here:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
Did that. It said my computer is protected for now. It didn't find anything bad I guess.
"Comment to RF
The problem I am facing is this. When I run VX2.BetterInternet.... it finds a bunch of files. However, I cannot delete them. The delete button is grayed out."
That's why I posted my comment like that :)
Plz try reading this link: http://crazyone.tekmasters.com/malwaretools.html
And try to uncheck all startup items via msconfig.
See which files put themselves back on startup.
ASKER
Comment Ashuraknight..
Ok. I see where you are coming from. I checked the link you posted. It has a ton of useful information.
However all this is pertaining to the Hijack program... not to VX2..
I am not sure whether I can delete from the Hijack list or not.. since I did not try that one. RF suggested not to delete anything but just paste the list over here. He only asked me to remove VX2 listed files.
None of the spyware programs are reporting VX2 or Twain-tech anymore. Maybe they are all gone!
I have used so far Adaware pro, Spy Hunter, Spy Sweeper, Spyware Stormer etc... Found that each one is a bit different and not all will find everything either.
So it might be that your problem is already solved! :D
And why don't you use another browser rather than iexplorer?
I'm using Mozilla and it's great :)
Note that most viruses, trojans, spyware etc. attack iexplorer as their first-priority target :)
And about Adware, is it really good?
Because I just d/l'd the free scan and I got 7 things identified in my system :D
ASKER
Comment to Ashuraknight:
I did use other browsers in the past. I believe it was Avant and Opera.. I found both to be quite lousy in performance. And of course I used Netscape too, another piece of crap.. All browsers except IE are bad!
The so-called spyware killers are also really not that good, because the spyware keeps coming back no matter what you do. I have Adwatch and Spy Sweeper constantly watching.. but so what, the spyware keeps showing up. So I don't believe in them.
Best way to avoid it is to never really browse anything...
My two cents' worth of suggestion after getting completely frustrated with spyware.
Not true... Mozilla Firefox is one of the best browsers out.
Go to www.mozilla.org and download... try for yourself
ASKER
I will give it a try right now in fact. Thanks.
no problem
-kkrazyykkidd
how do you like it?
ASKER
comment to kkrazyy...
I have been using Mozilla Firefox now for a few hours already. It is extremely nice. Several themes of looks and skins. Very nice feature indeed. But now I see it leaves behind pop-up windows which I see once I close the main windows. They are left behind by "Mozilla".. so I switched from IE pop-ups to Mozilla pop-ups.. About spyware cookies I am not sure yet. I have done some clean up with Ad aware.. My feeling is the number of spy cookies appears to have reduced. I will closely monitor its behavior and performance for a few days. But thanks again for introducing me to such a nice browser indeed!
ASKER
comment to rossfingal
Hey i have been waiting for your response. You asked me to post the list from VX2.betterinternet tool and I did.
ASKER
Comment to Rossfingal
Where are you man? I need you. You still have to tell me how to get rid of VX2 related stuff.
ASKER
Comment Rossfingal
I am still waiting for your next step.
There seem to be so many people that are commenting on this thread - that have so much to say -
maybe, you should listen to them.
I'm sure that kkrazyykkidd or AshuraKnight can "steer you" in the right direction.
By the way, it looks like VX2 is gone - hope so!
Regards...
RF
ASKER
Rossfingal:
You didn't tell me what I do with the files VX2 found and I posted here!
In any case you solved the main problem. Others suggested what I can do in future to reduce further problems.
I have been using Mozilla, for example, now over a month. And I love it.
But Adaware still finds two or three spyware every day and I remove them.
No permanent solution it appears.
From: Mike
I do not have Win Xp Service Pack 2 installed. I do have VX2.
I have a Win XP Pro, Norton, Adaware, and CyGate Firewall.
My DSL connection gets lost after a few minutes. Is this part of VX2? I have updated virus definitions and am clean on that score.
Hi! Mike
I've seen VX2 do all kinds of "interesting" (read bad!) things -
including things similar to your problem.
However, losing your connection could be caused by other things.
If you're having problems post a question in the Security,
Windows Security, or Browser Issues topic areas (just one area, though!).
There are variants of VX2 that are very difficult to clean.
Good luck!
RF
I had VX2 and went through every step to get rid of it.
I formatted my computer
In order to remove VX2, there are two options for removal that I have found. The first one is to remove the hard disk from the infected system and make note of the file names that are VX2 related, slave the drive on another machine and manually remove them from the file system. The next option is to make note of the VX2 related files, boot up into safe mode, find the files, delete them and (do not shut down the computer via Start; Shutdown; Restart) cut power to the machine. Either pull the plug or hit the hard power switch. The reason why this works is VX2 masks itself in the netlogon service and checks to see if the file has been removed when you shut down. You might have to kill the explorer service before you can delete the file in safe mode. (I can't remember which service it is, but I think it's the explorer service.)
First, go to the following and download HijackThis:
http://www.zerosrealm.com/downloads/hjt.zip
Or:
http://www.subratam.org/?page=removal
Install it into a permanent folder of its own, do not install it directly on your Desktop or
into a temp folder.
Run it - do not fix anything -
Post a log file here.
Regards...
RF