Solved

Vx2 and Twain-Tech

Posted on 2004-07-31
Last Modified: 2010-08-05
I have noticed that there are two persistent spyware programs that keep coming back over and over again. I used Spy Sweeper. It seems to find these two, then I delete them, etc., but they keep coming back. I then used Ad-aware 6.0. I used the Vx2 Plugin. I also was quite surprised to see that when I first used Ad-aware it found some 52 spyware entries of all sorts. Strange indeed, since I thought Spy Sweeper had been doing a wonderful job all along. Now I am really skeptical of these so-called spyware eliminators. I bet if I use another program it will also find a few others. Anyway, my question is how to completely and permanently remove these two, Twain-Tech and Vx2 spyware. And what spyware killer programs should I use to protect my computer? Thanks.
Question by:falcon051997
41 Comments
 
Expert Comment

by:rossfingal
Hi!

First, go to the following and download HijackThis:
http://www.zerosrealm.com/downloads/hjt.zip
Or:
http://www.subratam.org/?page=removal
Install it into a permanent folder of its own; do not install it directly on your Desktop or
into a temp folder.
Run it - do not fix anything -
Post a log file here.
Regards...
RF
Author Comment

by:falcon051997
Logfile of HijackThis v1.98.0
Scan saved at 9:36:17 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\WINDOWS\System32\LXSUPMON.EXE
D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\WINDOWS\System32\pcznxr.exe
D:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\PROGRA~1\AIM\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\Program Files\Qualcomm\Eudora\Eudora.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
D:\Program Files\Internet Explorer\iexplore.exe
F:\My Documents\ChessBase\Twic\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - D:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [LXSUPMON] D:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PinnacleDriverCheck] D:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Acronis True Image Monitor] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nbtbszocrwho] D:\WINDOWS\System32\pcznxr.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [alchem] D:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - Startup: Registration-InstantCopy.lnk = D:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Expert Comment

by:rossfingal
Hi!  falcon!

Disable "System Restore".
Make sure "Show all Files and Folders", including hidden and system, is enabled.
Go to Add/Remove Programs in Control Panel, and look for an entry pertaining to "Twain-tec" -
uninstall it.

Start Task Manager, and in the list of running processes look for the following:
pcznxr.exe
Kill it.

Reboot your computer into "Safe" mode, and search your computer for any instances of:
twaintech.dll
twaintec.ini
pcznxr.exe
Delete all that you find.
It's possible that twaintec.dll may still be in use - if that is the case, rename it (to twaintec.old, for instance) -
Clean out ALL your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Then reboot your computer into "Normal" mode and delete the renamed twaintec file(s).

Go to the following and download these 2 tools:
http://www.subratam.org/?page=removal
9. (i) VX2.BetterInternet Finder XP/2k - The latest Look2Me Fix brought out by Option Explicit. This one is effective, but O^E will be continuously updating it here if new versions come out.

(ii) Version Msg126 - A new version of L2M is out and it is auto-updating to Msg126. If the user has the "old L2M", VX2Finder will do the job, but it is better to run this tool first now, because we know L2M auto-updates.

Run the Version Msg126 tool.
Click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Copy and paste the contents of the log and post it back here.

Good luck!
RF
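The entries rossfingal singles out above (twaintec.dll sitting directly under D:\WINDOWS rather than in a subfolder, the Run value nbtbszocrwho launching pcznxr.exe, the Spybot BHO marked "file missing") are the cues a reviewer picks out of a HijackThis log by hand. The Python script below is an added example, not part of this thread and not HijackThis code: it parses the log format and applies those cues mechanically, flagging modules that live directly in the Windows folder, entry or file names with almost no vowels, and entries whose file is missing, and it marks whether a flagged executable also appears in the "Running processes" list, which tells you a process has to be stopped before the file can be deleted. The sample log is a constructed excerpt built from lines of the 7/31/2004 log posted above; the heuristics and the vowel-ratio threshold are my own choices, not a signature.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of a HijackThis v1.98 log: the lines are copied from the
# 7/31/2004 log posted in this thread so the output can be compared with the
# advice given there; the real log has many more lines.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 9:36:17 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\System32\pcznxr.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - D:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nbtbszocrwho] D:\WINDOWS\System32\pcznxr.exe
O4 - HKLM\..\Run: [alchem] D:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*')                               # first drive-letter path
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)  # directly in the Windows folder
DANGLING_TAGS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    line: str        # the original log line
    path: str        # file the entry points at ("" if none could be extracted)
    reasons: list    # why it was flagged
    running: bool    # path also appears in the "Running processes" list


def parse_log(text):
    """Split a HijackThis log into the running-process set and the list of O-lines."""
    processes, items, section = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "procs"
            continue
        if re.match(r"^[RO]\d+ - ", line):
            section = "items"
        if section == "procs":
            processes.add(line.lower())
        elif section == "items":
            items.append(line)
    return processes, items


def looks_random(name):
    """Crude test for generated names such as nbtbszocrwho: 6+ letters, under 25% vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.25


def first_path(cmd):
    m = PATH_RE.search(cmd)
    return m.group(0).strip() if m else ""


def triage(text):
    """Return the entries worth a second look, with the reasons and whether they are live."""
    processes, items = parse_log(text)
    findings = []
    for line in items:
        dangling = line.endswith(DANGLING_TAGS)
        body = line
        for tag in DANGLING_TAGS:
            body = body.replace(tag, "").rstrip()
        m2, m4 = O2_RE.match(body), O4_RE.match(body)
        if m2:
            path, label = m2.group("target").strip(), m2.group("name")
        elif m4:
            path, label = first_path(m4.group("cmd")), m4.group("value")
        else:
            path, label = first_path(body), ""
        reasons = []
        if dangling:
            reasons.append("dangling entry: referenced file is missing")
        if path and WINROOT_RE.match(path):
            reasons.append("file sits directly under the Windows folder")
        if path and looks_random(path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]):
            reasons.append("random-looking file name")
        if label and looks_random(label):
            reasons.append("random-looking entry name")
        if reasons:
            findings.append(Finding(line, path, reasons, path.lower() in processes))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "RUNNING" if f.running else "not running"
        print(f"{f.line}\n    -> {'; '.join(f.reasons)} [{state}]")
```

Run it and the legitimate Norton, NVIDIA and Symantec entries drop out while the twaintec, alchem and pcznxr lines come up, with pcznxr marked as running, which matches the kill-then-delete order in the steps above. The heuristics are deliberately simple; they are a reading aid for a log you still review yourself, not a replacement for the scanners.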
Author Comment

by:falcon051997
Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

Author Comment

by:falcon051997
Comment:
When I used the version 126 I found the following files

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---



By the way, the Twain Tech appears to be gone for now. But does this mean it won't come back again? What precautions can I take? Thanks.
Expert Comment

by:kkrazyykkidd
If I were you, I would buy the professional version of ad-aware 6.0 and make sure you get the ad-watch feature.
Also try Spybot search and destroy.

Hope this helps,
kkrazyykkidd
Author Comment

by:falcon051997
comment kkrazyykkidd
Did it work for you? I have tried many so-called spyware killers. I tried Spybot, Spy Sweeper, Ad-aware... etc. The problem is that the spyware keeps coming back. Sometimes the spyware killers slow the computer too. And if I use very high security on IE options, I can't browse at all. There is no solution, it appears.
Expert Comment

by:rossfingal
Hi!   falcon

Still something left to do with VX2.
---------------
Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with a notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)
-----------------
Once back in Windows

Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here with a fresh HijackThis log please.

I'll have some info on how to prevent this spyware garbage - for right now:
let's see if we can get your system cleaned.

Good luck!
RF
Author Comment

by:falcon051997
comment to RF
The problem I am facing is this. When I run VX2.BetterInternet.... it finds a bunch of files. However, I cannot delete them. The delete button is grayed out.

Please also note that I have increased the points to the question. I realized the solution is much more complicated than I originally thought. Thanks.
Expert Comment

by:rossfingal
Hi!

OK - post the list of files it found here - and:
With all browser windows closed run HijackThis and post a new log file here.
Good luck!
RF
Author Comment

by:falcon051997
comment to RF:
Here is Hijackthis log.
Logfile of HijackThis v1.98.0
Scan saved at 2:58:33 PM, on 8/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\WINDOWS\System32\LXSUPMON.EXE
D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
F:\My Documents\ChessBase\Twic\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.0002.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [LXSUPMON] D:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PinnacleDriverCheck] D:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Acronis True Image Monitor] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - Startup: Registration-InstantCopy.lnk = D:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Here is VX2 log.
Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

Expert Comment

by:kkrazyykkidd
Comment to falcon.

Yes I actually had the exact same spyware! I got rid of it by using SpyBot S&D!
All I had to do was restart my computer, scan before Windows starts, then, BAM, no spyware. I scanned a day later, nothing was there (except another type of spyware).

kkrazyykkidd

what is Avant?
Author Comment

by:falcon051997
wow? How can you scan using spybot, before windows start? Makes no sense to me!

"what is Avant? "  ????
Expert Comment

by:kkrazyykkidd
It's a feature on Spybot: when something is found it will ask you to automatically start up before Windows starts... you can also ask it to start up before Windows starts -- dude, you don't have to be so flip... I'm only trying to help you.


Avant... spyware?
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm

kkrazyykkidd
Expert Comment

by:AshuraKnight
Avant is AvantBrowser, I presume :)
another type of browser out there :)
Expert Comment

by:AshuraKnight
Try reading this link

http://crazyone.tekmasters.com/malwaretools.html

And what's
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE

Do you have a Lexmark unit installed?


And if you can't delete certain files but you are sure that's the problem,
then why don't you try deleting them from safe mode?
or even DOS if it's under a FAT32 fs :)
Expert Comment

by:kkrazyykkidd
go here too: www.sysinfo.org... this may help A LOT
Expert Comment

by:kkrazyykkidd
D:\WINDOWS\system32\LEXPPS.EXE

For Lexmark printers. From Lexmark: "This enables bi-directional printing over a peer to peer network. If the printer is connected directly to your PC, the file is not used, (or should not be used) at all". It is known that firewalls can however alert you to "lexpps.exe" requesting server privileges
Author Comment

by:falcon051997
"And if you can't delete certain files but you sure that's the problem
then why don't you try delete it from safemode ?
or even dos if it's under fat32 fs :)"

I have not faced this problem yet.

The list I provided is for RF's request. I still don't know what to make of that list anyway.

I do have a Lexmark printer. I don't have Avant Browser. It was on some time ago, but I hated it, so I removed it.
The lists I provided are made by Hijack and VX2 programmes...
Author Comment

by:falcon051997
 
Comment from kkrazyykkidd (feedback, 08/02/2004 06:35AM PDT):
"go here:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym"

Did that. It said my computer is protected for now. It didn't find anything bad, I guess.
Expert Comment

by:AshuraKnight
" comment to RF
The problem i am facing is this. When I run VX2.BetterInternet.... it finds a bunch of files. However, I cannot delete them. The delete button is grayed out."

That's why I posted my comment like that :)

Please try reading this link: http://crazyone.tekmasters.com/malwaretools.html

And try to uncheck all startup items via msconfig.
See which files put themselves back on startup.

Author Comment

by:falcon051997
Comment to Ashuraknight..
Ok. I see where you are coming from. I checked the link you posted. It has a ton of useful information.
However, all this is pertaining to the HijackThis program... not to VX2..
I am not sure whether I can delete from the HijackThis list or not, since I did not try that one. RF suggested not to delete anything but just to paste the list over here. He only asked me to remove the VX2 listed files.
None of the spyware programs are reporting VX2 or Twain-tech anymore. Maybe they are all gone!
I have used so far Ad-aware Pro, Spy Hunter, Spy Sweeper, Spyware Stormer etc... Found that each one is a bit different and not all will find everything either.
Expert Comment

by:AshuraKnight
So it might be that your problem is already solved! :D

And why don't you use another browser rather than iexplorer?
I'm using Mozilla and it's great :)
Note that most viruses, trojans, spyware etc. attack iexplorer as their first-priority target :)

Expert Comment

by:AshuraKnight
And about Ad-aware, is it really good?
Because I just d/l'd the free scan and I got 7 things identified in my system :D
Author Comment

by:falcon051997
Comment to Ashuraknight:

I did use other browsers in the past. I believe it was Avant and Opera.. I found both to be quite lousy in performance. And of course I used Netscape too, another piece of crap.. All browsers except IE are bad!
The so-called spyware killers are also really not that good, because the spyware keeps coming back no matter what you do. I have Ad-Watch and Spy Sweeper constantly watching.. but so what, the spyware keeps showing up. So I don't believe in them.
The best way to avoid it is to never really browse anything...
My two cents' worth of suggestion after having gotten completely frustrated with spyware.
Expert Comment

by:kkrazyykkidd
Not true... Mozilla Firefox is one of the best browsers out.

Go to www.mozilla.org and download... try it for yourself
Author Comment

by:falcon051997
I will give it a try right now, in fact. Thanks.
Expert Comment

by:kkrazyykkidd
no problem

-kkrazyykkidd
Expert Comment

by:kkrazyykkidd
how do you like it?
Author Comment

by:falcon051997
comment to kkrazyy...
I have been using Mozilla Firefox now for a few hours already. It is extremely nice: several themes of looks and skins. Very nice feature indeed. But now I see it leaves behind pop-up windows which I see once I close the main window. They are left behind by "Mozilla".. so I switched from IE pop-ups to Mozilla pop-ups.. About spyware cookies I am not sure yet. I have done some clean-up with Ad-aware.. My feeling is the number of spy cookies appears to have reduced. I will closely monitor its behavior and performance for a few days. But thanks again for introducing me to such a nice browser indeed!
Author Comment

by:falcon051997
comment to  rossfingal
Hey, I have been waiting for your response. You asked me to post the list from the VX2.betterinternet tool and I did.
Author Comment

by:falcon051997
Comment to Rossfingal
Where are you man? I need you. You still have to tell me how to get rid of VX2 related stuff.
Author Comment

by:falcon051997
Comment Rossfingal
I am still waiting for your next step.
Expert Comment

by:rossfingal
There seem to be so many people that are commenting on this thread - that have so much to say -
maybe, you should listen to them.
I'm sure that  kkrazyykkidd or AshuraKnight can "steer you" in the right direction.
By the way, it looks like VX2 is gone - hope so!
Regards...
RF
Author Comment

by:falcon051997
Rossfingal:
You didn't tell me what I do with the files VX2 found and I posted here!
In any case you solved the main problem. Others suggested what I can do in future to reduce further problems.
I have been using Mozilla for ex. now over a month. And I love it.
But Ad-aware still finds two or three spyware every day and I remove them.
No permanent solution, it appears.
Accepted Solution

by:rossfingal (earned 200 total points)
Hi!  falcon

Don't do anything with VX2, as far as the files it finds - leave them (for now).
As far as Ad-Aware goes - anytime you go out on the Internet; there's a good chance that you're going
to pick up something - that's why you should run Ad-Aware and Spybot Search and Destroy - so that you can
clean up your computer.
Glad to see you're running Mozilla!
Regards...
RF
Expert Comment

by:moslance
From: Mike

I do not have Win Xp Service Pack 2 installed. I do have VX2.
I have a Win XP Pro, Norton, Adaware, and CyGate Firewall.

My DSL connection gets lost after a few minutes. Is this part of VX2? I have updated virus definitions and am clean on that score.

Expert Comment

by:rossfingal
Hi!  Mike

I've seen VX2 do all kinds of "interesting" (read bad!) things -
including things similar to your problem.
However, losing your connection could be caused by other things.
If you're having problems post a question in the Security,
Windows Security, or Browser Issues topic areas (just one area, though!).
There are variants of VX2 that are very difficult to clean.

Good luck!

RF
Expert Comment

by:Mikal613
I had vx2 and went through every step to get rid of it.

I formatted my computer
Expert Comment

by:netlanhou
In order to remove VX2, there are two options for removal that I have found. The first one is to remove the hard disk from the infected system and make note of the file names that are VX2 related, slave the drive on another machine and manually remove them from the file system. The next option is to make note of the VX2 related files, boot up into safe mode, find the files, delete them and (do not shut down the computer via Start; Shutdown; Restart) cut power to the machine. Either pull the plug or hit the hard power switch. The reason why this works is VX2 masks itself in the netlogon service and checks to see if the file has been removed when you shut down. You might have to kill the explorer service before you can delete the file in safe mode. (I can't remember which service it is, but I think it's the explorer service.)
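The "Keys Under Notify" section of the VX2Finder logs posted earlier in this thread lists the subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. A DLL registered there is loaded by winlogon itself at logon and shutdown, which is how the Look2Me/VX2 family re-created files that had been deleted, the behaviour netlanhou describes above, and why VX2Finder prints that list next to the "Guardian Key". The script below is an added example, not part of this thread and not VX2Finder's code: it parses a pasted msg126 log and reports any Notify subkey that is not in the stock list the thread's clean log shows, plus any file or Guardian key the tool reported. The baseline is taken from falcon051997's 8/1/2004 log; the "infected" sample is constructed, and its extra key, file and Guardian name (all "xyzabc") are hypothetical, not indicators from a real sample.

```python
import re

# Winlogon\Notify subkeys exactly as they appear in the clean msg126 log posted earlier in
# this thread (falcon051997, 8/1/2004); used here as the known-good baseline for that XP SP1 box.
BASELINE_NOTIFY = frozenset(k.lower() for k in (
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
))

# The thread's clean log, reproduced verbatim.
CLEAN_LOG = """Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
"""

# Constructed "infected" variant: same layout with a hypothetical extra Notify subkey,
# a hypothetical file and a hypothetical Guardian key name (all called xyzabc). These
# names are invented for the example and are not indicators from any real sample.
INFECTED_LOG = (
    CLEAN_LOG
    .replace("Files Found---\n", "Files Found---\nC:\\WINDOWS\\System32\\xyzabc.dll\n")
    .replace("wlballoon\n", "wlballoon\nxyzabc\n")
    .replace("Guardian Key--- is called:\n", "Guardian Key--- is called:\nxyzabc\n")
)

HEADER_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)---")  # "Files Found---", "Guardian Key--- is called:"


def parse_sections(text):
    """Map each '...---' header of a VX2Finder log to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def unexpected_notify_keys(sections, baseline=BASELINE_NOTIFY):
    """Notify subkeys not in the baseline; a DLL registered there is loaded by winlogon."""
    return sorted(k for k in sections.get("Keys Under Notify", []) if k.lower() not in baseline)


def review(text):
    """Summarise a log: files the tool found, non-baseline Notify keys, Guardian key, verdict."""
    s = parse_sections(text)
    files = s.get("Files Found", []) + s.get("Additional Files", [])
    extra = unexpected_notify_keys(s)
    guardian = s.get("Guardian Key", [])
    return {
        "files": files,
        "unexpected_notify": extra,
        "guardian_key": guardian,
        "clean": not (files or extra or guardian),
    }


if __name__ == "__main__":
    for name, log in (("clean log", CLEAN_LOG), ("constructed infected log", INFECTED_LOG)):
        print(name, "->", review(log))
```

Against the thread's own log the verdict is clean, which is consistent with rossfingal's reading that VX2 was gone; against the constructed log the extra Notify key is reported, and that is the entry to investigate before any file deletion, since a surviving Notify DLL is what undoes the deletion at the next shutdown. The baseline is specific to the XP SP1 machine in this thread; on another system compare against a known-clean log from that system rather than this list.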