Vx2.better internet - can't get rid of this

Discussion in 'adware, spyware & hijack cleaning' started by emosty, Dec 19, 2003.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi emosty,

    Do you have any NetZero software running like for example SpyBan?

    Anyway, please boot into safe mode
    and delete:
    msg{81b6c660-e430-11d5-8736-0020e0626331}0115.dll
    Then scan again and see if AdAware succeeds this time.

    Keep us posted,

    Pieter
     
  2. emosty

    emosty Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    45
    Location:
    Austin, Texas
    I can't delete this even in safe mode. It says cannot delete specified file being used by windows.
     
  3. emosty

    emosty Registered Member

    And no, I don't think I have anything like NetZero spyban. I have a free popup stopper that's always running though. You think it could be embedded in that? Sorry, I probably sound ridiculous - I really have no idea what's going on, so I'll quit with the suggestions.
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    About the script I asked you to run in that Spywareinfo thread, I talked this over with Mosaic1 who created it, and we agreed it won't do the trick on Win9x systems.

    So let's try a new one created especially for Win 98 and ME. It ought to work:

    It will get the Look2Me filename, and then create two files: Fix.reg & fix.bat in C:\
    Fix.bat deletes the L2M file and runs the registry file. Then it cleans up. It self-deletes and also deletes fix.reg

    Here's the deal:
    Copy the contents of the Quote box to Notepad. Name as Remove L2m.vbs
    Save in C:\ as type 'all files'.

    Now doubleclick L2m.vbs in order to execute it.



    You will be asked to restart your computer when the script has run, and you'll need to.
     
  5. emosty

    emosty Registered Member

    Hi Tony, good to hear from you again! Okay, I may be doing something wrong here:

    Run - notepad /autoexec.bat
    type C:\Remove L2m.vbs under the rest of the list
    reboot
    remove C:\Remove L2m.vbs from autoexec.bat
    reboot

    The file is still there... I think I'm not doing this properly b/c I don't recall being prompted to reboot.
     
  6. TonyKlein

    TonyKlein Security Expert

    No, skip the Notepad bit. We think it won't work that way.
    Just run the new script I just posted. It ought to do everything for you.
     
  7. emosty

    emosty Registered Member

    Sorry, I need reading lessons. Okay, I have DOUBLE CLICKED the file, got the prompt, and rebooted. It looks like it is gone. Running Ad-Aware again.
     
  8. emosty

    emosty Registered Member

    Well, Ad-Aware still pulls all 3 items up, and says it can't delete msg{.....
    What now? o_O
     
  9. emosty

    emosty Registered Member

    This is what it says I can't delete:

    c:\windows\system\msg{81b6c660-e430-11d5-8736-0020e0626331}0115.dll

    It seems to get rid of the other 2 (because it doesn't say that it couldn't) but they just come right back after reboot.
     
  10. TonyKlein

    TonyKlein Security Expert

    Well, Mosaic's script ought to get rid of that file, and the associated Registry keys. This really is a most obnoxious little b*gger... :rolleyes:
     
  11. emosty

    emosty Registered Member

    I'm going to save the script again and re-run it. I don't know what else to do. o_O
     
  12. emosty

    emosty Registered Member

    Well shoot, that didn't work. I feel like we're so close... I have run HJT, Spybot S&D, and Ad-Aware; successfully removed over 750 objects on my system, and now there are 3. Normally, I would be content to just deal with the popups, but these are more than just a nuisance because 50 more objects end up on my system every time I get online.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi emosty,

    Can you try this program on that msg{1m@p$o'cr@p}007.dll
    DrDelete.

    I think once we get rid of that file, the rest is kindergarten stuff.

    Regards,

    Pieter
     
  14. emosty

    emosty Registered Member

    Still there.
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi emosty,

    Can you download and install WhatsHappening and see if you can find out which program is keeping that dll occupied?

    Regards,

    Pieter
     
  16. emosty

    emosty Registered Member

    It's Explorer.exe
     
  17. Mosaic1

    Mosaic1 Guest

    l2m is a shell extension. So that's why explorer.

    I wonder if there is a reinstaller at work here.

    Give me a few minutes to read this thread in its entirety to get up to speed. Not sure if I can help.
     
  18. Mosaic1

    Mosaic1 Guest

    I'd like to see a new HijackThis log please.
     
  19. emosty

    emosty Registered Member

    Anything will help. I'm sure other people are getting this thing - that's scary.
     
  20. emosty

    emosty Registered Member

    Sure....

    Logfile of HijackThis v1.97.7
    Scan saved at 3:26:36 PM, on 12/23/2003
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\9X8START.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] 9x8start.exe
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://206.107.70.6/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37958.7823148148
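
An added example, not part of the original thread: a small Python parser for the HijackThis log format shown above, used to check whether a given file is referenced by any running process or numbered entry. The function names and the shortened sample log are constructed for illustration. In the full log posted above, the DLL that Ad-Aware cannot delete appears in no line, so whatever loads it into Explorer is registered somewhere this scan did not report.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Numbered entries look like "O4 - ..." or "R0 - ...": one letter, 1-2 digits.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Return (running_processes, {section_code: [entry text, ...]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False  # the process list ends at the first numbered entry
            entries[m.group(1)].append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def references(text, needle):
    """List every process or entry line that mentions `needle` (case-insensitive)."""
    processes, entries = parse_hjt(text)
    needle = needle.lower()
    hits = [p for p in processes if needle in p.lower()]
    hits += [f"{code} - {e}" for code, es in entries.items()
             for e in es if needle in e.lower()]
    return hits

if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print({code: len(es) for code, es in entries.items()})
    # The locked DLL from this thread is not referenced by any line of the log.
    print(references(SAMPLE_LOG, "msg{81b6c660-e430-11d5-8736-0020e0626331}0115.dll"))
    print(references(SAMPLE_LOG, "explorer.exe"))
```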
     
  21. Mosaic1

    Mosaic1 Guest

    I checked out the SpywareInfo thread too and posted there as well. I would clean out the temp folder.
    VX2.BetterInternet Object recognized!
    Type : File
    Data : bw.exe
    Object : c:\windows\temp\
    FileSize : 28 KB
    FileVersion : 1, 0
    ProductVersion : 1, 0
    Copyright : Copyright


    CompanyName : BundleWare.com
    FileDescription : BundleWare.com
    InternalName : BundleWare.com
    OriginalFilename : BundleWare.com
    ProductName : BundleWare.com
    Created on : 12/17/2003 6:30:04 PM
    Last accessed : 12/17/2003 6:00:00 AM
    Last modified : 12/17/2003 6:30:06 PM
     
  22. Mosaic1

    Mosaic1 Guest

    After you clean out the temp folder, please run the vbs again and reboot.

    Let us know how that goes.
     
  23. emosty

    emosty Registered Member

    I got rid of bw.exe before. What should I be looking for in the Temp folder to get rid of?
     
  24. Mosaic1

    Mosaic1 Guest

    Select all and then delete. Run the vbs and then reboot.

    Can we also see a StartupList?
    Open HijackThis and click Config >Misc Tools.
    Check both boxes under the generate Startuplist button.

    Then click the button and paste in the results here.
     
  25. emosty

    emosty Registered Member

    Alrighty, 120 files outta here. You want that startup list before or after I rerun the vbs and reboot?
     