Wilders Security Forums  

Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1
April 14th, 2004, 02:09 AM
TReaper808
Infrequent Poster
Join Date: Apr 2004
Posts: 2
6zo4svc.dll and vx2.betterinternet

I've got a file called 6zo4svc.dll in windows\system32 that adaware keeps saying is related to vx2.betterinternet and it will remove on restart but hasn't yet. I've tried to close all services and processes I could but it still says it's in use. I've also tried to unregister it manually but it won't let me. Here is my HijackThis log, hopefully it will provide some insight to my problem.

StartupList report, 4/14/2004, 7:39:20 PM
StartupList version: 1.52
Started from : F:\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\System32\rundll32.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Yahoo!\Messenger\YPager.exe
F:\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nwiz = nwiz.exe /install
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
PPMemCheck = E:\PROGRA~1\PESTPA~1\PPMemCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
ctfmon.exe = E:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = E:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = E:\WINDOWS\System32\Rundll32.exe E:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=none
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

E:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
E:\WINDOWS\Explorer\Explorer.exe: not present
E:\WINDOWS\System\Explorer.exe: not present
E:\WINDOWS\System32\Explorer.exe: not present
E:\WINDOWS\Command\Explorer.exe: not present
E:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = E:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = E:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab

[Update Class]
InProcServer32 = E:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.co...048.4933217593

[YahooYMailTo Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll

[Shockwave Flash Object]
InProcServer32 = E:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
enodpl: System32\drivers\enodpl.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
SetupNT: \SystemRoot\system32\SetupNT.sys (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tandpl: System32\drivers\tandpl.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: e:\recycler\s-1-5-21-1409082233-1659004503-725345543-1004\de37.dll


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\System32\webcheck.dll
SysTray: E:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,210 bytes
Report generated in 0.203 seconds

#2
April 14th, 2004, 03:33 AM
dvk01
Global Moderator
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,129
Re: 6zo4svc.dll and vx2.betterinternet

Can you post the standard HijackThis log please, rather than a startup list at this stage?

#3
April 14th, 2004, 11:05 PM
TReaper808
Infrequent Poster
Join Date: Apr 2004
Posts: 2
Re: 6zo4svc.dll and vx2.betterinternet

Sorry about that. Here is my standard HijackThis logfile.

Logfile of HijackThis v1.97.7
Scan saved at 5:04:20 PM, on 4/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Yahoo!\Messenger\ypager.exe
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\System32\rundll32.exe
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...048.4933217593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

#4
April 15th, 2004, 02:30 AM
dvk01
Global Moderator
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,129
Re: 6zo4svc.dll and vx2.betterinternet

I can't see anything in the logs.

Adaware has just had an update this morning to deal with new versions of this pest, so please update adaware & run adaware again.
Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least 01R293 15.04.2004 or a higher number/later date

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

reboot again

I suggest running it in safe mode that way any files it finds will not be in use and can be easily deleted
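
The check behind "I can't see anything in the logs", as an added example that is not part of the thread: it parses a constructed excerpt of the standard HijackThis log from post #3 and searches it for the file name reported in post #1. The function names are this example's own.

```python
import re

# Constructed sample: a few lines copied from the standard HijackThis log in post #3.
SAMPLE_LOG = r"""Running processes:
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\Explorer.EXE
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# A coded entry is a letter, one or two digits, " - ", then the body (R0, O4, O16, ...).
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 autorun body: hive\..\key: [value name] command line
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_log(text):
    """Split a HijackThis log into running-process paths and coded entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entry = {"code": m["code"], "body": m["body"]}
            run = RUN.match(m["body"]) if m["code"] == "O4" else None
            if run:
                entry.update(run.groupdict())
            entries.append(entry)
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def find_file(text, filename):
    """Return every process path or entry that mentions filename (case-insensitive)."""
    processes, entries = parse_log(text)
    needle = filename.lower()
    hits = [p for p in processes if needle in p.lower()]
    hits += [f"{e['code']} - {e['body']}" for e in entries if needle in e["body"].lower()]
    return hits

def rundll32_hosts(text):
    # The process list gives executable paths only, not the DLLs each process has loaded.
    processes, _ = parse_log(text)
    return [p for p in processes if p.lower().endswith("\\rundll32.exe")]
```

`find_file(SAMPLE_LOG, "6zo4svc.dll")` returns an empty list, which matches the moderator's reading of the log.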

#5
April 17th, 2004, 12:47 PM
lapochka
Posts: n/a
Re: 6zo4svc.dll and vx2.betterinternet

Actually,

I have the same problem. My AdAware is updated with the latest file. I just updated it yesterday (4/16/04). I have files called aflui.cpy.dll and aflui.dll that AdAware cannot remove, I can't remove them manually, even in safe mode, I get the same message that the file is protected or in use. Any help would be greatly appreciated! SpyBot doesn't even detect them, only AdAware, but AdAware can't fix it, even though it says it will fix it at the next startup.

Thanks for all your responses in advance.
lapochka

#6
April 17th, 2004, 01:48 PM
shinchikudo
Posts: n/a
Re: 6zo4svc.dll and vx2.betterinternet

Quote:
Originally Posted by lapochka
Actually,

I have the same problem. My AdAware is updated with the latest file. I just updated it yesterday (4/16/04). I have files called aflui.cpy.dll and aflui.dll that AdAware cannot remove, I can't remove them manually, even in safe mode, I get the same message that the file is protected or in use. Any help would be greatly appreciated! SpyBot doesn't even detect them, only AdAware, but AdAware can't fix it, even though it says it will fix it at the next startup.

Thanks for all your responses in advance.
lapochka


Well, I have the same problem too. My Adware is updated. Adware detected the file 3lvx.cpy.dll and can't remove it, even in Safe Mode. It can detect it but can't remove it. Adware says this is vx2.betterinternet, and popups always show when I go on the internet. Someone help me!!!
Thank you in advance

#7
April 17th, 2004, 01:56 PM
dvk01
Global Moderator
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,129
Re: 6zo4svc.dll and vx2.betterinternet

At this time we do not have a fix for vx2.betterinternet that is guaranteed in any version of windows except windows 200 & XP pro

this is the latest advice
http://www.wilderssecurity.com/showp...75&postcount=4

#8
April 19th, 2004, 07:46 AM
toebar
Posts: n/a
Re: 6zo4svc.dll and vx2.betterinternet

Quote:
Originally Posted by dvk01
At this time we do not have a fix for vx2.betterinternet that is guaranteed in any version of windows except windows 200 & XP pro

this is the latest advice
http://www.wilderssecurity.com/showp...75&postcount=4

Thanks! That worked for me...
Cheers

#9
April 24th, 2004, 12:45 PM
lcc
Posts: n/a
Re: 6zo4svc.dll and vx2.betterinternet

Quote:
Originally Posted by lapochka
Actually,

I have the same problem. My AdAware is updated with the latest file. I just updated it yesterday (4/16/04). I have files called aflui.cpy.dll and aflui.dll that AdAware cannot remove, I can't remove them manually, even in safe mode, I get the same message that the file is protected or in use. Any help would be greatly appreciated! SpyBot doesn't even detect them, only AdAware, but AdAware can't fix it, even though it says it will fix it at the next startup.

Thanks for all your responses in advance.
lapochka

RE: I had the same two files and the way I got rid of them was to insert my XP cd and select 'R' for repair. This puts you into a DOS box and you can delete the dll(s).

#10
April 24th, 2004, 01:12 PM
dvk01
Global Moderator
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,129
Re: 6zo4svc.dll and vx2.betterinternet

Quote:
Originally Posted by lcc
RE: I had the same two files and the way I got rid of them was to insert my XP cd and select 'R' for repair. This puts you into a DOS box and you can delete the dll(s).


Unfortunately, just deleting the DLLs doesn't solve the problem.

It's very easy to delete them with many methods, but this pest actually changes privileges and prevents you running certain programs or doing some things with the computer when it's removed incorrectly. It also leaves you wide open to reinfection because it gives itself the super-admin privilege; that is what is difficult to cure in XP Home.
 


All times are GMT -4. The time now is 02:25 AM.

