
Please help

1 reply to this topic

#1 ennellell


  • Members
  • 1 posts
  • Local time:02:43 AM

Posted 05 December 2004 - 07:08 PM

Hi, I hope you can help me. I'm going out of my mind, and feel completely embarrassed that I am overlooking something. I have run every program and fix that I know of, but I'm overlooking something that's probably simple and stupid, and I need help.

I've run adaware, it finds vx2. I downloaded the add-in from Lavasoft and it says my system is clean. It also finds BOOKEDSPACE, EACCELERATION, ELITUM.ELITEBARBHO, IBIS TOOLBAR, NETWORKESSENTIALS, PROMULGATE, SAHAGENT, and VIRTUALBOUNCER. I remove them, they return.

I've run CWShredder, it fixes bootconf, but it returns.

I've run SpySubtract and I removed everything it suggested.

FindNFix turned up some dlls, but nothing reported on them on Google.

I've run SpyBot S&D and deleted what it suggested.

Windows Updates are completely up to date.

NortonAV 2005 is running and up to date.

I ran the Housecall online scan - up to date.

System restore is off.

I'm still getting random popups. My system was fine (I usually run Adaware and Spybot on a regular basis) until I visited one website last night and then I got flooded with popups.

Thank you for any help!

Here's my HJT log file.

Logfile of HijackThis v1.97.7
Scan saved at 1:32:56 PM, on 12/5/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O1 - Hosts: auto.search.msn.com
O1 - Hosts: search.netscape.com
O1 - Hosts: ieautosearch
O1 - Hosts: ieautosearch
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FullAudio] "C:\PROGRA~1\MusicNow\WMPImporter.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SFPW] C:\Program Files\Snapfish\Devmon.exe C:\Program Files\Snapfish\Snapfish Photo Wizard.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\INSTAN~1\Presario\XPHNARS3EN\plugin\bin\pchbutton.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates...t/opuc/opuc.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {B9EAA7F1-934A-11D0-958A-0060975AE865} (OFX Parser Class) - http://fdl.msn.com/public/investor/v13/ofx/ofxpb.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab



#2 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,649 posts
  • Gender:Male
  • Local time:01:43 AM

Posted 06 December 2004 - 03:15 PM

Hi ennellell,

You've got the brand new version of VX2 that won't be fixed by any of the automated removal tools at this time. The experts are scrambling to find a fix for it. I would like to try a couple of things but I need you to do this first.

You're running an old version of HijackThis. Please update it from this link:

Be sure to extract it then post another log.

Turn System Restore back on.

Open Notepad and save a blank or "test" file to the Desktop. Then delete it. Does it ask for confirmation to move to the Recycle Bin or just delete?

Use Windows Explorer to navigate to C:\WINDOWS\system32 directory. From the view menu sort icons by date modified. Then scroll down to the bottom of the directory and look for all files that have been modified since the time you first noticed the popups. Write down the names of all the files with a .dll and .exe extension and post that information back here. Be careful of the spelling as the ones we're looking for are random and crazy. Also let me know if you can see a file by the name of "guard.tmp."

The thing about people

is they change

when they walk away.--Mipso
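
The system32 check requested in the reply above, as an added example that is not part of the original thread: a Python script that lists the .dll and .exe files modified since a cutoff and reports whether guard.tmp is present, so the random file names do not have to be copied by hand. The cutoff time, the function names and the SHA-256 column are assumptions added here; the post asks only for the file names.

```python
import hashlib
import os
from datetime import datetime

# Extensions the reply asks for, compared case-insensitively.
SUSPECT_EXTS = {".dll", ".exe"}

def sha256_of(path):
    """Hash a file in chunks; return None when it is locked or unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()

def recent_binaries(directory, since):
    """Return (found_guard_tmp, rows) for one directory, not its subfolders.

    rows are (modified, name, sha256) tuples for .dll/.exe files modified at
    or after `since`, oldest first. os.scandir also returns hidden and system
    files, which Explorer leaves out of its default view.
    """
    cutoff = since.timestamp()
    found_guard_tmp = False
    rows = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if entry.name.lower() == "guard.tmp":
                found_guard_tmp = True
            ext = os.path.splitext(entry.name)[1].lower()
            mtime = entry.stat(follow_symlinks=False).st_mtime
            if ext in SUSPECT_EXTS and mtime >= cutoff:
                rows.append((datetime.fromtimestamp(mtime), entry.name, sha256_of(entry.path)))
    rows.sort()
    return found_guard_tmp, rows

if __name__ == "__main__":
    # Assumed values: the directory named in the reply and a constructed cutoff
    # (the evening before the first post); set it to when the popups began.
    guard, found = recent_binaries(r"C:\WINDOWS\system32", datetime(2004, 12, 4, 18, 0))
    print("guard.tmp present:", guard)
    for modified, name, digest in found:
        print(modified.isoformat(" ", "seconds"), name, digest or "(unreadable)")
```
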
