TechSpot

Help with HijackThis log

By kylita
Feb 21, 2005
  1. Hi,
    I have been having some trouble the past week or so with Adware and trojans. I followed the directions on this site on how to remove Begin2Search/CoolWebSearch from my computer and it seems to be working a lot better now. I was wondering if anyone could check my log to make sure that I got everything. Any help would be much appreciated.
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Are you sure you followed the directions? It doesn't look like it at all!

    Go to http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml to get the AdAware plug-in for fixing VX2.
    Install but do not yet run it.

    Next, boot in Safe Mode
    Switch System Restore off
    Press ctrl/alt/del and in Taskmanager try to STOP:

    ALL the xxx.exe files from the O4 group BELOW, as well as:
    SYSCHECKBOP32(.exe)
    SYSMONNT(.exe)

    O4 - HKCU\..\Run: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT ==>> VX2 infection <<==
    Now run Adaware ->Add-ons and select VX2 Cleaner. Click Run Tool and OK to start it. If it's clean, it'll say Status System Clean. If not, click the Clean button to remove the VX2 infection.

    Next, get rid of this junk, by trying to UNinstall anything to do with:
    C:\Progra~1\YMVLTCUB\YMVLTCUB.exe
    C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
    C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
    C:\PROGRAM FILES\NOADS\NOADS.EXE
    C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    C:\Program Files\PopUpWall\PopUpWall.exe
    C:\PROGRAM FILES\FLASHGET\JETCAR.EXE

    Next, run HJT on its own and let it 'fix':
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://216.130.185.122/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://216.130.185.122/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.130.185.122/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.bu.edu/proxy/crc.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: SDWin32 Class - {202EDC9A-9F8D-4CBB-B5E5-17F0D6EEA011} - C:\WINDOWS\SYSTEM\ESIZR.DLL
    O2 - BHO: SDWin32 Class - {755C36B2-C06D-4CFC-80C2-9CC143CF7923} - C:\WINDOWS\SYSTEM\VRXFX.DLL
    O2 - BHO: ohb Class - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\SYSTEM\IC2_WIN.DLL
    O2 - BHO: LinkBHO.cIExplorer - {CC924BD1-7382-4619-A706-070CB00F2325} - C:\WINDOWS\ALL USERS\APPLICATION DATA\LINKBHO\LINKBHO.DLL
    O2 - BHO: (no name) - {2BCA368C-FC1E-4361-A359-7C081E9A60AC} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {5DDD2E8F-F62C-481B-9B66-3AEC219B8A47} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {05D7E34D-C239-4C49-9479-4821176AAAF7} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {9E6356E3-F81C-4AB8-A578-D8864B868FD8} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {A5F994C9-2B7F-4C77-B5BE-1677803746C9} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {2C4EDE48-379C-4134-A5F4-6FD3136A7E5F} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {2F467B95-65B5-4DF5-A52F-1E64F44E8241} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {CFF7FE36-64AC-4936-B90C-3DE192ECDDCD} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {00D62B0B-4B50-4D84-AAFA-423B2022F1F6} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {9AD59B0E-CF68-44C2-AA67-0B5D9118CD4D} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {044D702C-C6D2-4775-804F-A3AAC881D9B8} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {2AAB6DBA-6E84-4F2E-B9C6-B98943FDD1E9} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {0EC48F30-CBFF-4B65-AC77-2A0AE483885E} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {8F130F5A-BFE0-41F1-9EEC-6208095E8C2D} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {05AC3A58-C713-4B7E-8594-67984E3364C7} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {9462A5A0-0EDF-4A1D-AE68-EECD2C8E8B6D} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {D3653463-533A-4A39-9128-1DA4E1EAC271} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {CC3BD418-FCFE-4EEE-96EF-002A294A937F} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL (file missing)
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL (file missing)
    O2 - BHO: (no name) - {955AE9CE-109E-4465-8CDC-6563B3E57104} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
    O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\SYSTEM\IC2_WIN.DLL
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\VAUGHO.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
    O4 - HKLM\..\Run: [qpedbmoe] c:\windows\system\qpedbmoe.exe
    O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SYSCHECKBOP32
    O4 - HKLM\..\Run: [esizrc] C:\WINDOWS\SYSTEM\esizrc.exe
    O4 - HKLM\..\Run: [vrxfxc] C:\WINDOWS\SYSTEM\vrxfxc.exe
    O4 - HKLM\..\Run: [p4mW37Q] SFP_32.EXE
    O4 - HKLM\..\Run: [YMVLTCUB] \Progra~1\YMVLTCUB\YMVLTCUB.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
    O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
    O4 - HKCU\..\Run: [SYSMONNT] C:\WINDOWS\SYSTEM\SYSMONNT
    O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SpyWareWall.exe
    O4 - HKCU\..\Run: [Y356RXc6l] RPCTHK32.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: popupwall.lnk = C:\Program Files\PopUpWall\PopUpWall.exe
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
    O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://education.dellnet.com/ (file missing) (HKCU)

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Reboot in normal mode. If all OK, switch System Restore back on.

    To get a reliable, fast, free and ad-free downloader, go to www.stardownloader.com
    Don't use IE anymore, except for windoze-updates.
    Go to www.getfirefox.com and use that from now on. It has a perfect popup- and other adware-stopper built in.
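The triage the reply walks through by eye (a search URL hijacked to a bare IP, one DLL registered behind a pile of BHO CLSIDs, orphaned "(file missing)" entries, Run keys that launch a bare filename) can be scripted against the log itself. The parser and flag rules below are an added example, not HijackThis code and not from anyone in this thread; the line grammar is inferred from the log quoted above, and the heuristics are this example's own assumptions, not HJT verdicts. The sample input is a constructed subset of the quoted log, so it runs offline.

```python
"""Parse HijackThis (HJT) log entries and apply a few triage heuristics.
Added example for this thread, not HijackThis code and not the thread's own; the
entry grammar is inferred from the log quoted above, the heuristics are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://216.130.185.122/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {2BCA368C-FC1E-4361-A359-7C081E9A60AC} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
O2 - BHO: (no name) - {5DDD2E8F-F62C-481B-9B66-3AEC219B8A47} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
O2 - BHO: (no name) - {05D7E34D-C239-4C49-9479-4821176AAAF7} - C:\PROGRAM FILES\YMVLTCUB\YMVLTCUB.dll
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL (file missing)
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\SYSTEM\IC2_WIN.DLL
O4 - HKLM\..\Run: [p4mW37Q] SFP_32.EXE
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - Startup: popupwall.lnk = C:\Program Files\PopUpWall\PopUpWall.exe
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://education.dellnet.com/ (file missing) (HKCU)
"""

@dataclass
class Entry:
    section: str                  # R0, R1, O2, O3, O4, O9, ...
    raw: str                      # the original log line
    name: Optional[str] = None    # registry value name, BHO/toolbar name or Run label
    clsid: Optional[str] = None   # {GUID} on O2/O3/O9 lines
    target: Optional[str] = None  # URL for R* lines, file path or command for O* lines
    hive: Optional[str] = None    # HKLM / HKCU where the log says so
    file_missing: bool = False    # HJT appended "(file missing)"

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
R_RE = re.compile(r"^(HKLM|HKCU)\\(.*?) =\s*(.*)$")                       # HIVE\key,value = data
CLSID_RE = re.compile(r"^[^:]+: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")  # kind: name - {CLSID} - path
O4_RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\\w+: \[(.*?)\] (.*)$")        # HIVE\..\Run: [label] command
O4_STARTUP_RE = re.compile(r"^Startup: (.*?)(?: = (.*))?$")               # Startup: file [= path]

def _strip_suffixes(target: str) -> Tuple[str, bool, Optional[str]]:
    """Peel the trailing '(file missing)' / '(HKCU)' / '(HKLM)' markers HJT appends."""
    missing, hive = False, None
    while (m := re.search(r" \((file missing|HKLM|HKCU)\)$", target)):
        if m.group(1) == "file missing":
            missing = True
        else:
            hive = m.group(1)
        target = target[: m.start()]
    return target, missing, hive

def parse_line(line: str) -> Optional[Entry]:
    """One HJT log line -> Entry, or None for headers, blank lines and process lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section=section, raw=line.strip())
    if section.startswith("R") and (r := R_RE.match(body)):
        e.hive, e.name, e.target = r.group(1), r.group(2), r.group(3) or None
    elif section in ("O2", "O3", "O9") and (c := CLSID_RE.match(body)):
        e.name, e.clsid, e.target = c.groups()
    elif section == "O4" and (o := O4_RUN_RE.match(body)):
        e.hive, e.name, e.target = o.groups()
    elif section == "O4" and (s := O4_STARTUP_RE.match(body)):
        e.name, e.target = s.group(1), s.group(2) or s.group(1)
    else:
        e.target = body                       # unknown shape: keep the body verbatim
    if e.target:
        e.target, e.file_missing, hive = _strip_suffixes(e.target)
        e.hive = e.hive or hive
    return e

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Heuristic flags (this example's own rules); each finding is (entry, reason)."""
    findings = []
    # One DLL registered as a BHO under many CLSIDs is how the YMVLTCUB entries above look.
    bho_dll = Counter(e.target.lower() for e in entries if e.section == "O2" and e.target)
    for e in entries:
        if e.section.startswith("R") and e.target:
            host = urlparse(e.target).hostname or ""
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                findings.append((e, "IE search/start setting points at a bare IP address"))
        if e.section == "O2" and e.target and bho_dll[e.target.lower()] >= 3:
            findings.append((e, f"same DLL registered under {bho_dll[e.target.lower()]} BHO CLSIDs"))
        if e.file_missing:
            findings.append((e, "target file missing: orphaned registration"))
        if e.section == "O4" and e.hive and e.target and "\\" not in e.target:
            findings.append((e, "Run entry launches a bare filename with no directory"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section}  {reason}\n    {entry.raw}")
```

Run it as a script to list the flagged lines with their reasons. The rules are deliberately narrow: the Begin2Search toolbar (O3) and the SYSMONNT Run entry pass them untouched, which is exactly why a human reading of the whole log, as in the reply above, still decides what HJT is told to fix.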