6zo4svc.dll and vx2.betterinternet

I've got a file called 6zo4svc.dll in windows\system32 that adaware keeps saying is related to vx2.betterinternet and it will remove on restart but hasn't yet. I've tried to close all services and processes I could but it still says it's in use. I've also tried to unregister it manually but it won't let me. Here is my HijackThis log, hopefully it will provide some insight to my problem.

StartupList report, 4/14/2004, 7:39:20 PM
StartupList version: 1.52
Started from : F:\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\System32\rundll32.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Yahoo!\Messenger\YPager.exe
F:\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nwiz = nwiz.exe /install
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
PPMemCheck = E:\PROGRA~1\PESTPA~1\PPMemCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
ctfmon.exe = E:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = E:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = E:\WINDOWS\System32\Rundll32.exe E:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=none
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

E:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
E:\WINDOWS\Explorer\Explorer.exe: not present
E:\WINDOWS\System\Explorer.exe: not present
E:\WINDOWS\System32\Explorer.exe: not present
E:\WINDOWS\Command\Explorer.exe: not present
E:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = E:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = E:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Update Class]
InProcServer32 = E:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38048.4933217593

[YahooYMailTo Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

[Shockwave Flash Object]
InProcServer32 = E:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
enodpl: System32\drivers\enodpl.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
SetupNT: \SystemRoot\system32\SetupNT.sys (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tandpl: System32\drivers\tandpl.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: e:\recycler\s-1-5-21-1409082233-1659004503-725345543-1004\de37.dll


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\System32\webcheck.dll
SysTray: E:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,210 bytes
Report generated in 0.203 seconds

 

Sorry about that. Here is my standard HijackThis logfile.

Logfile of HijackThis v1.97.7
Scan saved at 5:04:20 PM, on 4/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Yahoo!\Messenger\ypager.exe
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\System32\rundll32.exe
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38048.4933217593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Actually,

I have the same problem. My AdAware is updated with the latest file. I just updated it yesterday (4/16/04). I have files called aflui.cpy.dll and aflui.dll that AdAware cannot remove, I can't remove them manually, even in safe mode, I get the same message that the file is protected or in use. Any help would be greatly appreciated! SpyBot doesn't even detect them, only AdAware, but AdAware can't fix it, even though it says it will fix it at the next startup.

Thanks for all your responses in advance.
lapochka

 

Well I have the same problem , either . . My Adware updated . The Adware detected file 3lvx.cpy.dll and adware cant remove it , even in Safe Mode . It can detected it but cant remove ,the adware say this is vx2.betterinternet and always show popup when i go to internet . some one help me !!!
Thank you in advance

 

Thanks! That worked for me...
Cheers

 

RE: I had the same two files and the way I got rid of them was to insert my XP cd and select 'R' for repair. This puts you into a DOS box and you can delete the dll(s).