6zo4svc.dll and vx2.betterinternet

Discussion in 'adware, spyware & hijack cleaning' started by TReaper808, Apr 14, 2004.

Thread Status:
Not open for further replies.
  1. TReaper808

    TReaper808 Registered Member

    Apr 14, 2004
    I've got a file called 6zo4svc.dll in windows\system32 that adaware keeps saying is related to vx2.betterinternet and it will remove on restart but hasn't yet. I've tried to close all services and processes I could but it still says it's in use. I've also tried to unregister it manually but it won't let me. Here is my HijackThis log, hopefully it will provide some insight to my problem.

    StartupList report, 4/14/2004, 7:39:20 PM
    StartupList version: 1.52
    Started from : F:\HijackThis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections

    Running processes:

    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Program Files\Yahoo!\Messenger\YPager.exe


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = E:\WINDOWS\system32\userinit.exe,


    Autorun entries from Registry:

    nwiz = nwiz.exe /install
    NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
    PPMemCheck = E:\PROGRA~1\PESTPA~1\PPMemCheck.exe


    Autorun entries from Registry:

    Yahoo! Pager = E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    ctfmon.exe = E:\WINDOWS\System32\ctfmon.exe


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    StubPath = E:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = E:\WINDOWS\System32\Rundll32.exe E:\WINDOWS\System32\mscories.dll,Install


    Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*


    Checking for EXPLORER.EXE instances:

    E:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    E:\WINDOWS\Explorer\Explorer.exe: not present
    E:\WINDOWS\System\Explorer.exe: not present
    E:\WINDOWS\System32\Explorer.exe: not present
    E:\WINDOWS\Command\Explorer.exe: not present
    E:\WINDOWS\Fonts\Explorer.exe: not present


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = E:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = E:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Update Class]
    InProcServer32 = E:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38048.4933217593

    [YahooYMailTo Class]
    InProcServer32 = E:\WINDOWS\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

    [Shockwave Flash Object]
    InProcServer32 = E:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    enodpl: System32\drivers\enodpl.sys (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    SetupNT: \SystemRoot\system32\SetupNT.sys (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    tandpl: System32\drivers\tandpl.sys (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: e:\recycler\s-1-5-21-1409082233-1659004503-725345543-1004\de37.dll


    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
    CDBurn: E:\WINDOWS\system32\SHELL32.dll
    WebCheck: E:\WINDOWS\System32\webcheck.dll
    SysTray: E:\WINDOWS\System32\stobject.dll

    End of report, 9,210 bytes
    Report generated in 0.203 seconds
  2. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    can you post the standard hijackthis log please rather than a start up list at this stage
  3. TReaper808

    TReaper808 Registered Member

    Apr 14, 2004
    Sorry about that. Here is my standard HijackThis logfile.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:04:20 PM, on 4/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\Program Files\Yahoo!\Messenger\ypager.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38048.4933217593
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  4. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    I can't see anythin in the logs

    adaware has just had an update this morning to deal wiyth new versions of this pest so
    please update adaware & run adaware again

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R293 15.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"


    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"


    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    I suggest running it in safe mode that way any files it finds will not be in use and can be easily deleted
  5. lapochka

    lapochka Guest


    I have the same problem. My AdAware is updated with the latest file. I just updated it yesterday (4/16/04). I have files called aflui.cpy.dll and aflui.dll that AdAware cannot remove, I can't remove them manually, even in safe mode, I get the same message that the file is protected or in use. Any help would be greatly appreciated! SpyBot doesn't even detect them, only AdAware, but AdAware can't fix it, even though it says it will fix it at the next startup.

    Thanks for all your responses in advance.
  6. shinchikudo

    shinchikudo Guest

    Well I have the same problem , either . :( . My Adware updated . The Adware detected file 3lvx.cpy.dll and adware cant remove it , even in Safe Mode . It can detected it but cant remove ,the adware say this is vx2.betterinternet and always show popup when i go to internet . some one help me !!!
    Thank you in advance
  7. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
  8. toebar

    toebar Guest

  9. lcc

    lcc Guest

    RE: I had the same two files and the way I got rid of them was to insert my XP cd and select 'R' for repair. This puts you into a DOS box and you can delete the dll(s).
  10. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK

    unfortunately just deleting the dll's doesn't solve the problem

    it's very easy to delete them with many methods but this pest actually changes privileges and prevents you running certain programs or doing somethings with the computer when it's removed incorrectly. It also leaves you wide open to reinfection because it gives itself the super- admin privilege that is what is difficult to cure in XP home
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.