Zesty Find Issues

VX2 BetterInternet + Zesty Find Problems

Hi there

I have been trying in vain to fix a neighbours PC, I spent roughly 8 hours yesterday cleaning it up for them.
However I still seem to be having a real problem with Zesty Find.
If for example I open up Google, and search for something then not only do I get the Google results, I also get a new search window from Zesty.

I have downloaded, updated and run the following :

Lavasoft Adaware
Spybot 1.3
CW Shredder
HijackThis

Also installed and updated AVG antivrus and have run McAfee online virus scanner.

Please find below details from hijackthis.log :

Logfile of HijackThis v1.97.7
Scan saved at 23:33:45, on 16/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\halwser.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\julie green\Desktop\Darren\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [qs4X37e] halwser.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8115.3611921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab


Any advice will be most welcome on what I can delete or edit from this list

Thanks in advance
Sysko

 

Hi Sysko,


Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [qs4X37e] halwser.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

Then reboot into safe mode
and delete:
C:\Program Files\TV Media <= entire folder
c:\installer\id53.exe
C:\WINDOWS\System32\halwser.exe

I hope that is enough. If not, post back.

Regards,

Pieter

 

Hi Pieter

Thanks for the quick reply yesterday!

Ok I did exactly what you recommended and fixed the items you specified.
Then I booted into safe mode and manually deleted the requested files/folders.

Then restarted the PC, fired up Google and searched for something.
I got the google results, but also the Zesty Find window

So I then ran (and checked for updates) Adaware, Spybot 1.3 and CW Shredder.
Rebooted and checked google once more and the Zesty Find search window seems to have gone.
I then got a new HijackThis log which looks better then yesterday, but I am wondering what the soap.exe file was?


Logfile of HijackThis v1.97.7
Scan saved at 18:49:32, on 17/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\julie green\Desktop\Darren\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38115.3611921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Any advice welcome
Thanks in advance
Sysko

 

Update:

Still have some issues with this, but the main thing now is that I cannot get online

The problem is that the PC keeps rebooting itself, so I had a closer look.
This is a new machine running XP home and the problem seems to occur when the PC boots up and gets to the user login screen.
The moment you click on a Users identity the PC then reboots.

My first thought was that maybe it was a graphics related problem, so I tried to boot into safe mode and have a look round.
However the same thing occured in Safe mode.

I then had a look at the back of the PC, checking cables that sort of thing.
I thought I would disconnect the unecessary cables (printer, speakers and Cable modem) one by one.
The moment I disconnected the USB Cable Modem and attempted to login the PC booted as it should.
If I then plugged the USB cable modem back in the PC would almost immediately reboot.

Now I am thinking that maybe this could be virus or worm related ??
The system is running up to date AVG and XP ICF, but I am struggling to do an online virus scan due to the rebooting problems.

Just wondered if anyone here had any gut feelings as to what this might be?

Thanks in advance
Sysko

 

Hi Sysko,

Can you surf to this site http://download.broadbandmedic.com/ and download
VX2.BetterInternet Finder (List & Log)
Click on the *Click to find VX2 files* button and post the contents please.

Soap: http://www.systemsoap.com/
Remove it if you did nopt install it yourself.

Regards,

Pieter

 

Hi Pieter

Thanks for all the help you have been giving me

Here is the VX2 log as requested:

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\bbotvid.dll
C:\WINDOWS\System32\bdotvid.dll
C:\WINDOWS\System32\bfotvid.dll
C:\WINDOWS\System32\bgotvid.dll
C:\WINDOWS\System32\bhotvid.dll
C:\WINDOWS\System32\biotvid.dll
C:\WINDOWS\System32\bjotvid.dll
C:\WINDOWS\System32\bmotvid.dll
C:\WINDOWS\System32\bnotvid.dll
C:\WINDOWS\System32\bpotvid.dll
C:\WINDOWS\System32\bqotvid.dll
C:\WINDOWS\System32\bsotvid.dll
C:\WINDOWS\System32\btotvid.dll
C:\WINDOWS\System32\buotvid.dll
C:\WINDOWS\System32\bvotvid.dll
C:\WINDOWS\System32\bwotvid.dll
C:\WINDOWS\System32\bxotvid.dll
C:\WINDOWS\System32\byotvid.dll
C:\WINDOWS\System32\bzotvid.dll
C:\WINDOWS\System32\kgcom.dll
C:\WINDOWS\System32\kjcom.dll
C:\WINDOWS\System32\kkcom.dll
C:\WINDOWS\System32\kqcom.dll
C:\WINDOWS\System32\krcom.dll
C:\WINDOWS\System32\kscom.dll
C:\WINDOWS\System32\ktcom.dll
C:\WINDOWS\System32\kucom.dll
C:\WINDOWS\System32\kwcom.dll
C:\WINDOWS\System32\kycom.dll
C:\WINDOWS\System32\la32.dll
C:\WINDOWS\System32\lc32.dll
C:\WINDOWS\System32\ld32.dll
C:\WINDOWS\System32\lf32.dll
C:\WINDOWS\System32\lg32.dll
C:\WINDOWS\System32\lh32.dll
C:\WINDOWS\System32\li32.dll
C:\WINDOWS\System32\lj32.dll
C:\WINDOWS\System32\lk32.dll
C:\WINDOWS\System32\ll32.dll
C:\WINDOWS\System32\lm32.dll
C:\WINDOWS\System32\ln32.dll
C:\WINDOWS\System32\lp32.dll
C:\WINDOWS\System32\lq32.dll
C:\WINDOWS\System32\lr32.dll
C:\WINDOWS\System32\ls32.dll
C:\WINDOWS\System32\lt32.dll
C:\WINDOWS\System32\lu32.dll
C:\WINDOWS\System32\lx32.dll
C:\WINDOWS\System32\ly32.dll
C:\WINDOWS\System32\mir.dll
C:\WINDOWS\System32\ngdeapi.dll
C:\WINDOWS\System32\nmdeapi.dll
C:\WINDOWS\System32\nodeapi.dll
C:\WINDOWS\System32\oaesvr32.dll
C:\WINDOWS\System32\oaethk32.dll
C:\WINDOWS\System32\obecli32.dll
C:\WINDOWS\System32\obecnv32.dll
C:\WINDOWS\System32\obesvr32.dll
C:\WINDOWS\System32\ocecli32.dll
C:\WINDOWS\System32\oeecli32.dll
C:\WINDOWS\System32\ofecnv32.dll
C:\WINDOWS\System32\ofesvr32.dll
C:\WINDOWS\System32\ogecli32.dll
C:\WINDOWS\System32\ogecnv32.dll
C:\WINDOWS\System32\onecnv32.dll
C:\WINDOWS\System32\ooecli32.dll
C:\WINDOWS\System32\opecli32.dll
C:\WINDOWS\System32\orecli32.dll
C:\WINDOWS\System32\orecnv32.dll
C:\WINDOWS\System32\oresvr32.dll
C:\WINDOWS\System32\osecli32.dll
C:\WINDOWS\System32\otecli32.dll
C:\WINDOWS\System32\ouecli32.dll
C:\WINDOWS\System32\ovethk32.dll
C:\WINDOWS\System32\owecnv32.dll
C:\WINDOWS\System32\oxecli32.dll
C:\WINDOWS\System32\ozethk32.dll
C:\WINDOWS\System32\piofmap.dll
C:\WINDOWS\System32\ptofmap.dll
C:\WINDOWS\System32\sec.dll
C:\WINDOWS\System32\soc.dll
C:\WINDOWS\System32\vca.dll
C:\WINDOWS\System32\vdrsion.dll
C:\WINDOWS\System32\vla.dll
C:\WINDOWS\System32\vlrsion.dll
C:\WINDOWS\System32\vma.dll
C:\WINDOWS\System32\vmrsion.dll
C:\WINDOWS\System32\vqrsion.dll
C:\WINDOWS\System32\vra.dll
C:\WINDOWS\System32\vsrsion.dll
C:\WINDOWS\System32\vwrsion.dll
C:\WINDOWS\System32\vzrsion.dll
C:\WINDOWS\System32\wd2help.dll
C:\WINDOWS\System32\wg2_32.dll
C:\WINDOWS\System32\wj2_32.dll
C:\WINDOWS\System32\wk2_32.dll
C:\WINDOWS\System32\wqigest.dll
C:\WINDOWS\System32\wx2_32.dll


Guardian Key--- is called: GuardianAJCBM
Asynchronous 000
DllName C:\WINDOWS\system32\krcom.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {33736948-06DA-4A5F-B7F8-D2E2B45999DC}
IDex VT02

User Agent String---
{33736948-06DA-4A5F-B7F8-D2E2B45999DC}

Hope this is ok.... looking forward to your replies

Thanks
Sysko

 

Open VX2Finder it and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (do that)

After that last file is gone go to
Start > run > type regedit > enter and in the regsitry editor navigate to :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianAJCBM

(Note : the five letters in caps at the end may have changed [AJCBM] but it will still start with Guardian)

Right click on the Guardian?? key and select delete.
Close Regedit.
Reboot.

Open VX2Finder again and select:
User Agent$ > yes to confirm delete.
and then
Restore Policy

Exit and reboot.

Regards,

Pieter

 

Hi Pieter

Ok when I am in VX2 Finder and I attempt to delete the above files I can get rid of all of them bar one.

C:\WINDOWS\System32\krcom.dll

However it doesn't give me the option of deleting it on reboot as you mentioned in your previous post
All it has is a pop up box saying "Can't delete this one"

Any other ways round this?

Thanks as always

 

OK another Update:

I searched these forums for advice on maybe getting rid of the last vx2 entry
I found this post :

https://www.wilderssecurity.com/showpost.php?p=178130&postcount=4

This gave me a perfect step by step guide to deleting that last entry

Now when I scan with VX2 Finder it is clean

Now I am going to try and see if the pc is still rebooting....

Be back soon and thanks Pieter

 

OK after much testing last night, it looks like everything is back to normal.

No more reboot loops, VX2 Finder is coming up clean, managed to get on Windows update and install 4 critical updates, also updated Spybot and Adaware and rescanned.

All looks good, so I think it is time to give this PC back to my neighbour

Just a couple of things left to say:

1- Can someone tell me exactly what this "VX2 Betterinternet" is?
Is it a worm, malware, hijacker? I am finding it hard to explain exactly what was on her system.

2- Big Thanks to Pieter who has helped me through this from start to finish!
Great member of the team, I will be recommending this site to many other people

Thanks once more
Sysko

 

1) It is incredibly hard to remove adware:
http://www.pcsympathy.com/article379.html

2) Your thanks would be beter directed at Option^Explicit and FreeAtLast who tackle every new version of this selfcensoredware and come up with a working solution.

Please read https://www.wilderssecurity.com/showthread.php?t=27971
to help avoid getting infected again.

Regards,

Pieter