Zesty Find Issues

Discussion in 'adware, spyware & hijack cleaning' started by Sysko, May 17, 2004.

Thread Status:
Not open for further replies.
  1. Sysko

    Sysko Registered Member

    Joined:
    May 17, 2004
    Posts:
    7
    Location:
    Essex UK
    VX2 BetterInternet + Zesty Find Problems

    Hi there

    I have been trying in vain to fix a neighbour's PC; I spent roughly 8 hours yesterday cleaning it up for them.
    However, I still seem to be having a real problem with Zesty Find.
    If, for example, I open up Google and search for something, then not only do I get the Google results, I also get a new search window from Zesty.

    I have downloaded, updated and run the following:

    Lavasoft Adaware
    Spybot 1.3
    CW Shredder
    HijackThis

    Also installed and updated AVG antivirus and have run the McAfee online virus scanner.

    Please find below details from hijackthis.log:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:33:45, on 16/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\halwser.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\julie green\Desktop\Darren\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [qs4X37e] halwser.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8115.3611921296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab


    Any advice will be most welcome on what I can delete or edit from this list.

    Thanks in advance
    Sysko
     
    Last edited: May 27, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Sysko,


    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [qs4X37e] halwser.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Then reboot into safe mode
    and delete:
    C:\Program Files\TV Media <= entire folder
    c:\installer\id53.exe
    C:\WINDOWS\System32\halwser.exe

    I hope that is enough. If not, post back.

    Regards,

    Pieter
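    The entries Pieter picked out above share a few traits that a defender can check mechanically: a URLSearchHook whose CLSID has no backing file, a Run value whose command is a bare filename with no path (so it is resolved through the search path, typically from System32), and a Run value that starts something from a directory no installer would normally use. The following script is an added example, not part of the original thread and not a HijackThis feature: it parses R3 and O4 lines in the HijackThis log format and reports those traits. The sample lines are copied from the log posted earlier in this thread; the trusted directory roots, the "TV Media" name (taken from Pieter's list) and the heuristics themselves are assumptions for this example.

```python
import re
from typing import List, Tuple

# Constructed sample input: the lines Pieter singled out, plus a few benign
# neighbours, copied from the HijackThis log quoted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [qs4X37e] halwser.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""

# Directory roots where a legitimately installed auto-start normally lives
# (assumption for this example; tune per environment).
TRUSTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows")

# Auto-start value names identified as adware earlier in this thread.
KNOWN_ADWARE_NAMES = {"tv media"}

# O4 Run entries look like:  O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R3 URLSearchHook entries end with the file backing the CLSID, or "(no file)".
R3_RE = re.compile(r"^R3 - URLSearchHook: .* - (?P<target>.*)$")
# Pull the executable (quoted or not) off the front of a command line.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|scr|bat|pif|dll))"?', re.IGNORECASE)


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one HijackThis line deserves review."""
    reasons: List[str] = []
    m = R3_RE.match(line)
    if m and m.group("target").strip() == "(no file)":
        reasons.append("URLSearchHook points at a CLSID with no backing file (orphaned hook)")
        return reasons
    m = O4_RE.match(line)
    if not m:
        return reasons
    name, cmd = m.group("name"), m.group("cmd").strip()
    if name.lower() in KNOWN_ADWARE_NAMES:
        reasons.append(f"auto-start name '{name}' is a known adware entry")
    e = EXE_RE.match(cmd)
    exe = e.group("exe") if e else cmd
    if "\\" not in exe:
        # No directory at all: Windows resolves it via the search path, usually System32.
        reasons.append(f"bare filename '{exe}' with no path: resolved via the search path, usually a System32 drop")
    elif not exe.lower().startswith(TRUSTED_ROOTS):
        reasons.append(f"executable '{exe}' lives outside the usual install locations")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log; keep only lines with at least one reason."""
    findings = []
    for line in text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

    Run against the sample it reports exactly the five lines Pieter told Sysko to fix (the orphaned R3 hook, both TV Media values, halwser.exe and c:\installer\id53.exe) and nothing for the HP, BroadJump or AVG entries. Treat the output as a shortlist for a human to confirm, not an automatic fix list: a legitimate program can also start from an odd directory.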
     
  3. Sysko

    Sysko Registered Member

    Joined:
    May 17, 2004
    Posts:
    7
    Location:
    Essex UK
    Hi Pieter

    Thanks for the quick reply yesterday!

    OK, I did exactly what you recommended and fixed the items you specified.
    Then I booted into safe mode and manually deleted the requested files/folders.

    Then restarted the PC, fired up Google and searched for something.
    I got the Google results, but also the Zesty Find window :doubt:

    So I then ran (and checked for updates) Adaware, Spybot 1.3 and CW Shredder.
    Rebooted and checked Google once more, and the Zesty Find search window seems to have gone.
    I then got a new HijackThis log, which looks better than yesterday, but I am wondering what the soap.exe file was?


    Logfile of HijackThis v1.97.7
    Scan saved at 18:49:32, on 17/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\lexpps.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\julie green\Desktop\Darren\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38115.3611921296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Any advice welcome
    Thanks in advance
    Sysko
     
  4. Sysko

    Sysko Registered Member

    Joined:
    May 17, 2004
    Posts:
    7
    Location:
    Essex UK
    Update:

    Still have some issues with this, but the main thing now is that I cannot get online :'(

    The problem is that the PC keeps rebooting itself, so I had a closer look.
    This is a new machine running XP Home, and the problem seems to occur when the PC boots up and gets to the user login screen.
    The moment you click on a user's identity the PC then reboots.

    My first thought was that maybe it was a graphics-related problem, so I tried to boot into safe mode and have a look round.
    However, the same thing occurred in safe mode.

    I then had a look at the back of the PC, checking cables, that sort of thing.
    I thought I would disconnect the unnecessary cables (printer, speakers and cable modem) one by one.
    The moment I disconnected the USB cable modem and attempted to log in, the PC booted as it should.
    If I then plugged the USB cable modem back in, the PC would almost immediately reboot.

    Now I am thinking that maybe this could be virus- or worm-related?
    The system is running up-to-date AVG and XP ICF, but I am struggling to do an online virus scan due to the rebooting problems.

    Just wondered if anyone here had any gut feelings as to what this might be?

    Thanks in advance
    Sysko
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  6. Sysko

    Sysko Registered Member

    Joined:
    May 17, 2004
    Posts:
    7
    Location:
    Essex UK
    Hi Pieter

    Thanks for all the help you have been giving me ;)

    Here is the VX2 log as requested:

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\bbotvid.dll
    C:\WINDOWS\System32\bdotvid.dll
    C:\WINDOWS\System32\bfotvid.dll
    C:\WINDOWS\System32\bgotvid.dll
    C:\WINDOWS\System32\bhotvid.dll
    C:\WINDOWS\System32\biotvid.dll
    C:\WINDOWS\System32\bjotvid.dll
    C:\WINDOWS\System32\bmotvid.dll
    C:\WINDOWS\System32\bnotvid.dll
    C:\WINDOWS\System32\bpotvid.dll
    C:\WINDOWS\System32\bqotvid.dll
    C:\WINDOWS\System32\bsotvid.dll
    C:\WINDOWS\System32\btotvid.dll
    C:\WINDOWS\System32\buotvid.dll
    C:\WINDOWS\System32\bvotvid.dll
    C:\WINDOWS\System32\bwotvid.dll
    C:\WINDOWS\System32\bxotvid.dll
    C:\WINDOWS\System32\byotvid.dll
    C:\WINDOWS\System32\bzotvid.dll
    C:\WINDOWS\System32\kgcom.dll
    C:\WINDOWS\System32\kjcom.dll
    C:\WINDOWS\System32\kkcom.dll
    C:\WINDOWS\System32\kqcom.dll
    C:\WINDOWS\System32\krcom.dll
    C:\WINDOWS\System32\kscom.dll
    C:\WINDOWS\System32\ktcom.dll
    C:\WINDOWS\System32\kucom.dll
    C:\WINDOWS\System32\kwcom.dll
    C:\WINDOWS\System32\kycom.dll
    C:\WINDOWS\System32\la32.dll
    C:\WINDOWS\System32\lc32.dll
    C:\WINDOWS\System32\ld32.dll
    C:\WINDOWS\System32\lf32.dll
    C:\WINDOWS\System32\lg32.dll
    C:\WINDOWS\System32\lh32.dll
    C:\WINDOWS\System32\li32.dll
    C:\WINDOWS\System32\lj32.dll
    C:\WINDOWS\System32\lk32.dll
    C:\WINDOWS\System32\ll32.dll
    C:\WINDOWS\System32\lm32.dll
    C:\WINDOWS\System32\ln32.dll
    C:\WINDOWS\System32\lp32.dll
    C:\WINDOWS\System32\lq32.dll
    C:\WINDOWS\System32\lr32.dll
    C:\WINDOWS\System32\ls32.dll
    C:\WINDOWS\System32\lt32.dll
    C:\WINDOWS\System32\lu32.dll
    C:\WINDOWS\System32\lx32.dll
    C:\WINDOWS\System32\ly32.dll
    C:\WINDOWS\System32\mir.dll
    C:\WINDOWS\System32\ngdeapi.dll
    C:\WINDOWS\System32\nmdeapi.dll
    C:\WINDOWS\System32\nodeapi.dll
    C:\WINDOWS\System32\oaesvr32.dll
    C:\WINDOWS\System32\oaethk32.dll
    C:\WINDOWS\System32\obecli32.dll
    C:\WINDOWS\System32\obecnv32.dll
    C:\WINDOWS\System32\obesvr32.dll
    C:\WINDOWS\System32\ocecli32.dll
    C:\WINDOWS\System32\oeecli32.dll
    C:\WINDOWS\System32\ofecnv32.dll
    C:\WINDOWS\System32\ofesvr32.dll
    C:\WINDOWS\System32\ogecli32.dll
    C:\WINDOWS\System32\ogecnv32.dll
    C:\WINDOWS\System32\onecnv32.dll
    C:\WINDOWS\System32\ooecli32.dll
    C:\WINDOWS\System32\opecli32.dll
    C:\WINDOWS\System32\orecli32.dll
    C:\WINDOWS\System32\orecnv32.dll
    C:\WINDOWS\System32\oresvr32.dll
    C:\WINDOWS\System32\osecli32.dll
    C:\WINDOWS\System32\otecli32.dll
    C:\WINDOWS\System32\ouecli32.dll
    C:\WINDOWS\System32\ovethk32.dll
    C:\WINDOWS\System32\owecnv32.dll
    C:\WINDOWS\System32\oxecli32.dll
    C:\WINDOWS\System32\ozethk32.dll
    C:\WINDOWS\System32\piofmap.dll
    C:\WINDOWS\System32\ptofmap.dll
    C:\WINDOWS\System32\sec.dll
    C:\WINDOWS\System32\soc.dll
    C:\WINDOWS\System32\vca.dll
    C:\WINDOWS\System32\vdrsion.dll
    C:\WINDOWS\System32\vla.dll
    C:\WINDOWS\System32\vlrsion.dll
    C:\WINDOWS\System32\vma.dll
    C:\WINDOWS\System32\vmrsion.dll
    C:\WINDOWS\System32\vqrsion.dll
    C:\WINDOWS\System32\vra.dll
    C:\WINDOWS\System32\vsrsion.dll
    C:\WINDOWS\System32\vwrsion.dll
    C:\WINDOWS\System32\vzrsion.dll
    C:\WINDOWS\System32\wd2help.dll
    C:\WINDOWS\System32\wg2_32.dll
    C:\WINDOWS\System32\wj2_32.dll
    C:\WINDOWS\System32\wk2_32.dll
    C:\WINDOWS\System32\wqigest.dll
    C:\WINDOWS\System32\wx2_32.dll


    Guardian Key--- is called: GuardianAJCBM
    Asynchronous 000
    DllName C:\WINDOWS\system32\krcom.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {33736948-06DA-4A5F-B7F8-D2E2B45999DC}
    IDex VT02

    User Agent String---
    {33736948-06DA-4A5F-B7F8-D2E2B45999DC}

    Hope this is ok.... looking forward to your replies

    Thanks
    Sysko
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with a notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that).

    After that last file is gone, go to
    Start > Run > type regedit > Enter, and in the Registry Editor navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianAJCBM

    (Note: the five letters in caps at the end may have changed [AJCBM], but it will still start with Guardian)

    Right-click on the Guardiano_O?? key and select Delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > Yes to confirm delete,
    and then
    Restore Policy.

    Exit and reboot.

    Regards,

    Pieter
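    The registry location Pieter points at matters beyond this one infection: every subkey under Winlogon\Notify names a DLL that winlogon.exe loads and calls on logon and logoff events, which is why a DLL planted there survives ordinary cleanup and why it was busy (and undeletable) while the user was logged on. The script below is an added example, not part of the thread and not VX2Finder's own code: it parses the "Guardian Key" block from the VX2Finder log Sysko posted into a Notify entry, then compares the subkey name and DLL against a baseline of notification packages. The baseline lists the subkeys and DLLs typically present on a clean Windows XP install and is an assumption for this example; build your own from a known-clean machine. The Guardian+random-letters pattern is the one Pieter describes above.

```python
import re
from typing import Dict, List

# Constructed sample: the "Guardian Key" block from the VX2Finder log posted
# earlier in this thread.
VX2FINDER_BLOCK = r"""
Guardian Key--- is called: GuardianAJCBM
Asynchronous 000
DllName C:\WINDOWS\system32\krcom.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {33736948-06DA-4A5F-B7F8-D2E2B45999DC}
IDex VT02
"""

# Winlogon Notify subkeys (lower-cased) and the DLL each loads on a typical
# clean Windows XP install. Assumption for this example: verify against a
# known-clean machine before relying on it.
BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
BASELINE_DLLS = set(BASELINE.values())


def parse_guardian_block(text: str) -> Dict[str, str]:
    """Turn VX2Finder's 'Guardian Key' block into {value: data}, with the subkey under 'Name'."""
    entry: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = re.match(r"^Guardian Key--- is called: (\S+)$", line)
        if m:
            entry["Name"] = m.group(1)
            continue
        # Remaining lines are "<value name> <data>" pairs.
        key, _, value = line.partition(" ")
        if key and value:
            entry[key] = value.strip()
    return entry


def audit_notify_entry(entry: Dict[str, str]) -> List[str]:
    """Return reasons a Winlogon Notify subkey deserves a look; empty list means it matches the baseline."""
    name = entry.get("Name", "")
    dll = entry.get("DllName", "")
    base = dll.rsplit("\\", 1)[-1].lower()  # file name without directory
    reasons: List[str] = []
    if name.lower() not in BASELINE:
        reasons.append(f"subkey '{name}' is not in the baseline")
    elif BASELINE[name.lower()] != base:
        reasons.append(f"subkey '{name}' loads '{base}' instead of baseline '{BASELINE[name.lower()]}'")
    if name.lower().startswith("guardian"):
        reasons.append("subkey name follows the Guardian+random-letters pattern seen with VX2.BetterInternet")
    if base and base not in BASELINE_DLLS:
        reasons.append(f"'{base}' is not a DLL any baseline notification package loads")
    return reasons


def audit_all(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit a list of Notify entries and keep only those with findings."""
    report: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = audit_notify_entry(entry)
        if reasons:
            report[entry.get("Name", "?")] = reasons
    return report


if __name__ == "__main__":
    # A baseline entry (constructed) next to the one from the posted log.
    sample = [
        {"Name": "cscdll", "DllName": r"C:\WINDOWS\system32\cscdll.dll"},
        parse_guardian_block(VX2FINDER_BLOCK),
    ]
    for name, reasons in audit_all(sample).items():
        print(name)
        for r in reasons:
            print("   ->", r)
```

    On a live machine the same comparison applies to each subkey under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify path Pieter gives, read with the Registry Editor or reg query; the log block here just supplies the same Name and DllName pair offline. The three findings it produces for GuardianAJCBM (unknown subkey, Guardian naming pattern, krcom.dll not a baseline DLL) are independent signals, so a renamed copy that dropped the Guardian prefix would still be caught by the other two.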
     
  8. Sysko

    Sysko Registered Member

    Joined:
    May 17, 2004
    Posts:
    7
    Location:
    Essex UK
    Hi Pieter

    OK, when I am in VX2 Finder and I attempt to delete the above files, I can get rid of all of them bar one.

    C:\WINDOWS\System32\krcom.dll

    However, it doesn't give me the option of deleting it on reboot, as you mentioned in your previous post.
    All it has is a pop-up box saying "Can't delete this one".

    Any other ways round this?

    Thanks as always :)
     
  9. Sysko

    Sysko Registered Member

    Joined:
    May 17, 2004
    Posts:
    7
    Location:
    Essex UK
    OK, another update:

    I searched these forums for advice on maybe getting rid of the last VX2 entry.
    I found this post:

    https://www.wilderssecurity.com/showpost.php?p=178130&postcount=4

    This gave me a perfect step-by-step guide to deleting that last entry.

    Now when I scan with VX2 Finder it is clean :)

    Now I am going to try and see if the PC is still rebooting....

    Be back soon and thanks Pieter ;)
     
  10. Sysko

    Sysko Registered Member

    Joined:
    May 17, 2004
    Posts:
    7
    Location:
    Essex UK
    OK after much testing last night, it looks like everything is back to normal.

    No more reboot loops, VX2 Finder is coming up clean, managed to get on Windows update and install 4 critical updates, also updated Spybot and Adaware and rescanned.

    All looks good, so I think it is time to give this PC back to my neighbour :D

    Just a couple of things left to say:

    1- Can someone tell me exactly what this "VX2 Betterinternet" is?
    Is it a worm, malware, hijacker? I am finding it hard to explain exactly what was on her system.

    2- Big thanks to Pieter, who has helped me through this from start to finish!
    Great member of the team; I will be recommending this site to many other people ;)

    Thanks once more
    Sysko
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands