EvilAardvark

Very Pesky Spyware Problem... VX2.BetterInternet?

Alright... Here's what I've got... Every 5 minutes or so, I get an IE popup.  The sites vary, but the most common ones are:
http://www.xzoomy.com
http://69.20.56.3/yyy10.html
http://69.20.62.53/yyy10.html
http://www.ad-w-a-r-e.com/cgi-bin/PopupV2?ID={BCA284CF-8715-4592-BB7D-456387DAF378}
http://www.888.com  (This one only comes up once, when I first start my computer, as a popup right after I open IE for the first time)

It happens more often when I'm at the computer than when I'm not, or so it seems.  That could be me just noticing it more and getting pissed off.

My full (Yes, full) HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 1:17:42 PM, on 9/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
D:\D-Tools\daemon.exe
D:\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Exe Files\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{463189F6-44A5-442F-86A3-2EDCF7757BA0}: NameServer = 128.115.25.3,130.203.1.4


I looked around and found that some people with the yyy10.html popups had something called VX2.betterinternet.  I downloaded a fix for that (VX2Finder.exe), ran it and it found a key, but no files to delete.  Here's the log from that.

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
{BCA284CF-8715-4592-BB7D-456387DAF378}


That user agent string is the same ID that's in the URL for one of the popups, so I know they're linked somehow.  VX2Finder gives me 2 options, Restore Policy and User Agent$, and neither of them does anything.  I've run a virus scan locally, from housecall.trendmicro.com, run the latest HijackThis, CWShredder, Spybot, and Adaware all in safe mode.  Nothing seems to stick out.  500 points for this, as it's REALLY bothering me.   Please help!


SheharyaarSaahil

Hello EvilAardvark =)

Create a New User Account and check there for these problems..... post back results and we will move further from there !! :)
EvilAardvark (ASKER)

I've been logged in on the other user account for about 5-10 minutes with no popups.  It seems to work fine over here.
Scratch that.. Just got a popup to http://69.20.62.53/yyy10.html
I'm definitely getting the same popups regardless of which account I'm on.
ASKER CERTIFIED SOLUTION
SheharyaarSaahil

This solution is only available to members.

It picks them up and deletes them, they come back even in safe mode.  
I have the IE popup blocker, and still get the pop ups.
Yes, system restore is off.

I think I fixed the problem on my own... Here's what I did:

I checked the filenames that kept coming back, and found there was a file with the same last modified date/time and same size as those in my windows/system32 directory, hidden, by the name of aeaamon.dll.  I couldn't delete it because it was "in use" (even in safe mode), so I went into my recovery console and found I still couldn't delete it...  SOOOOO I renamed it to "stupidfile.dmb" and restarted.  I deleted stupidfile.dmb in Windows (Normal mode) and it deleted fine.  I ran Spybot, Adaware and all the others again and cleaned all the remnants.  Looks like I beat it!
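
The matching step described in the post above (a file with the same last-modified time and the same size as the files that kept coming back), as an added example that is not part of the original thread: a Python function that lists files in a directory sharing size and modification time with a known respawning file and reports whether each is hidden. Only `aeaamon.dll` comes from the post; the other file names, the timestamp and the 2-second tolerance (FAT timestamp granularity) are constructed assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

def is_hidden(st):
    # Windows exposes the hidden bit via st_file_attributes; absent elsewhere.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))

def find_twins(respawning, search_dir, tolerance=2):
    """Return (name, size, hidden) for files in search_dir that share size
    and mtime with any file in `respawning` but are not one of them."""
    refs = []
    for p in respawning:
        st = os.stat(p)
        refs.append((os.path.realpath(p), st.st_size, st.st_mtime))
    known = {r[0] for r in refs}
    hits = []
    with os.scandir(search_dir) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            if os.path.realpath(entry.path) in known:
                continue  # skip the reference files themselves
            st = entry.stat(follow_symlinks=False)
            for _, size, mtime in refs:
                if st.st_size == size and abs(st.st_mtime - mtime) <= tolerance:
                    hits.append((entry.name, st.st_size, is_hidden(st)))
                    break
    return sorted(hits)

def demo():
    # Constructed sample directory standing in for system32.
    d = Path(tempfile.mkdtemp())
    stamp = 1095787062  # arbitrary constructed timestamp
    for name, data, mtime in [
        ("respawn1.dll", b"A" * 4096, stamp),          # file that keeps coming back
        ("aeaamon.dll", b"B" * 4096, stamp),           # same size and time: the twin
        ("kernel32.dll", b"C" * 4096, stamp - 86400),  # same size, older
        ("notepad.exe", b"D" * 100, stamp),            # same time, different size
    ]:
        (d / name).write_bytes(data)
        os.utime(d / name, (mtime, mtime))
    return find_twins([d / "respawn1.dll"], d)

if __name__ == "__main__":
    for name, size, hidden in demo():
        print(f"{name}  {size} bytes  hidden={hidden}")
```

A size-and-time match is only a lead for closer inspection; unrelated files installed in the same batch can share both values.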
that's great ^_^

that's the benefit of having ur system in front of u where u can look and search all the inches of system !!  ;-D
Happy Computing and Cheers =)

Try this:

http://www.downloads.subratam.org/VX2Finder.exe
The latest Look2Me Fix for Win2K/XP

Also this:

http://downloads.subratam.org/VX2Finder(126).exe
New Version for L2M

Zee