I am having a heck of a time with this spyware. I have tried Spybot, Ad-Aware, Spy Seeker and even the Trend-Micro virus scanner to get rid of it and can not seem to. Each time I clean the machine and then restart it, it's back.
I was going to post the hijackthis log, but when adding this post it told me not to. I can if needed. I did find a lot of other spyware and a few viruses on this machine that are now clean. I just can not get rid of the VX2 BetterInternet spyware stuff.
I've looked over the posts on this page and tried several things people have tried, all to have it pop up again when I reboot.
Thanks in advance.

the_0ne
Hello,
Please post your hijackthis log and the log from the following program:
You are running Windows 2000 right?..if so...(asking to make sure because this tool only works on win2000/xp; need a different one for other operating systems)
Download the following tool and install it in its own folder:
VX2Finder.exe
Press 'Click to Find VX2.BetterInternet'.
Press 'Make Log' and post it in this thread for review. (*** Do Not Delete Any Files At This Time ***)
Thanks.
I never give up!

Thanks for the reply. Yes, this machine is Windows 2000 Pro. edition. Here's my hijackthis log...
Logfile of HijackThis v1.97.7
Scan saved at 12:24:42 AM, on 5/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\SOUNDMAN.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\system32\yusfhm.exe
C:\Program Files\X-PRO\X-PRO.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
C:\Program Files\SHARP\Sharpdesk\sdFTP.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Temp\hijackthis1977\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
O4 - HKCU\..\Run: [XSC SIP Client] "C:\Program Files\X-PRO\X-PRO.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\SHARP\Sharpdesk\sdFTP.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37677.4151851852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD8563CC-EB68-432D-A367-5BDDC3CFC902}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12
I ran this the way you had posted, however, it doesn't seem to have found anything. Here's what it output...
Log for VX2.BetterInternet File Finder
Files Found---
Guardian Key--- is called:
User Agent String---
Again, thank you for your reply.

the_0ne
Your vx2 log is clean
Start your task manager (ctrl+alt+del) and end task on the following:
yusfhm.exe
Please start hijackthis again and check the following:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll <--this is part of the vx2/transponder gang.
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
The following is optional but recommended to fix as it is a system hog and does not need to be in your startups:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
Once checked, close all open windows and click "fix checked"
Reboot and delete:
c:\winnt\system32\yusfhm.exe <--file only
I'm not sure what version of spybot you have but it has recently been upgraded to 1.3
Ad-aware also needs to be "tweaked" to work its best.
* After updating, shutdown and restart Ad-aware.
* Temporarily disable antivirus to prevent conflicts.
Ad-aware is ready to scan and clean your system following these steps:
* Under Ad-aware 6 > Settings (gear at top) > Press scanning at right, Check All you can in there.
* Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
* Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
* Press "proceed" to save settings
* Press "Scan Now"
* Check option "Use Custom scanning options"
* Check option "Activate In-Depth Scan"
* Press "Select drives\folders to scan"
* Select the active partition which is usually C:
* Press "Next" to let Ad-aware scan your drives...
* If it finds "bad" files and registry keys, press "Next" again
* Right-click in that pane and choose "select all"
* Press "next"
* When it asks to remove all checked items, Press "OK"
Close Ad-aware and reboot your system.
Please post a new hijack log when done.
Thanks.
I never give up!

Strange, it looks like the entry I deleted from hijackthis is still there...
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
The file is gone from c:\winnt\system32 though.
New hijackthis log...
Logfile of HijackThis v1.97.7
Scan saved at 9:51:51 AM, on 5/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\SOUNDMAN.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\X-PRO\X-PRO.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
C:\Program Files\SHARP\Sharpdesk\sdFTP.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Temp\hijackthis1977\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
O4 - HKCU\..\Run: [XSC SIP Client] "C:\Program Files\X-PRO\X-PRO.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\SHARP\Sharpdesk\sdFTP.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37677.4151851852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD8563CC-EB68-432D-A367-5BDDC3CFC902}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12

Oh yeah, forgot to try this before I posted back. I just ran ad-aware again and it found 0 objects. I'm going to reboot one more time and try all 3 spy "bot" programs I have and see what I come up with. Thanks.

the_0ne
That entry may have come back if the process restarted itself before you got the chance to fix with hijack or it just re-wrote the run registry key value...not uncommon.
The file is gone now so you should be able to fix it again with hijackthis...reboot after.
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
Other than that...your log looks good.
I will be waiting for your "bot" scan results. :)
I never give up!
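
Added example (not part of the thread and not HijackThis's own code): a Python sketch that compares a HijackThis log taken before a "fix checked" pass with one taken after, and reports for each fixed item whether it was removed, persists with its file gone, or persists as a Run value whose target is or is not in the process list. The sample logs are shortened excerpts of the first two logs posted above; all function names are this example's own.

```python
import re

# HijackThis item lines: "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] y".
ITEM_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
BHO_RE = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\Run\w*): \[(.+?)\] (.+)$")


def parse_log(text):
    """Split a HijackThis log into running-process paths and item lines."""
    processes, items, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if m:
            in_procs = False
            items.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return {"processes": processes, "items": items}


def item_key(section, detail):
    """Identity of an item that stays stable when only its file path changes."""
    bho = BHO_RE.match(detail) if section == "O2" else None
    run = RUN_RE.match(detail) if section == "O4" else None
    if bho:
        return ("O2", bho.group(1).upper())        # BHO keyed by CLSID
    if run:
        return ("O4", run.group(1), run.group(2))  # Run key + value name
    return (section, detail)


def run_target(command):
    """Best-effort executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def review_fix(before_text, after_text, fixed_lines):
    """For each item the user fixed, report what the later log shows."""
    before, after = parse_log(before_text), parse_log(after_text)
    fixed = {item_key(*ITEM_RE.match(l.strip()).groups()) for l in fixed_lines}
    later = {item_key(s, d): d for s, d in after["items"]}
    running = {p.rsplit("\\", 1)[-1].lower() for p in after["processes"]}
    findings = []
    for section, detail in before["items"]:
        key = item_key(section, detail)
        if key not in fixed:
            continue
        if key not in later:
            findings.append((detail, "removed"))
            continue
        bho = BHO_RE.match(later[key]) if section == "O2" else None
        run = RUN_RE.match(later[key]) if section == "O4" else None
        status = "persists"
        if bho:  # CLSID still registered; does the log still show a file?
            gone = bho.group(2) == "(no file)"
            status = "registration persists, file " + ("gone" if gone else "present")
        elif run:  # value still present; is its target in the process list?
            exe = run_target(run.group(3)).rsplit("\\", 1)[-1].lower()
            status = "value persists, process " + ("running" if exe in running else "not running")
        findings.append((detail, status))
    return findings


# Shortened excerpts of the first two logs posted in this thread.
BEFORE = r"""
Running processes:
C:\WINNT\Explorer.exe
C:\WINNT\system32\yusfhm.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
"""
AFTER = r"""
Running processes:
C:\WINNT\Explorer.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
"""
# The three items the helper asked to check before "fix checked".
FIXED = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll",
    r"O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe",
]

if __name__ == "__main__":
    for detail, status in review_fix(BEFORE, AFTER, FIXED):
        print(f"{status:40} {detail}")
```

A "not running" result only says the value is present while its target is absent from that log's process list; it does not identify what wrote the value back.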

Well, it's not totally clean, at least by what Web Sweeper is reporting. For some reason this registry entry keeps coming back and Spy Sweeper is reporting it to be part of Twain-Tech.
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{000020dd-c72e-4113-af77-dd56626c6c42}
Actually we've already decided to wipe this machine, just trying to get some time to do it. However, between things I'm doing I'd like to still figure out how to get rid of this entry. I even tried deleting it by hand and it shows up right after I reboot again. Ad-aware and SpyBot both report no hijackers found (well except for the DSO bug in spy bot).
I'll post a new hijackthis log, just in case.
Logfile of HijackThis v1.97.7
Scan saved at 9:22:38 AM, on 5/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\SOUNDMAN.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\X-PRO\X-PRO.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
C:\Program Files\SHARP\Sharpdesk\sdFTP.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Temp\hijackthis1977\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
O4 - HKCU\..\Run: [XSC SIP Client] "C:\Program Files\X-PRO\X-PRO.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\SHARP\Sharpdesk\sdFTP.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37677.4151851852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD8563CC-EB68-432D-A367-5BDDC3CFC902}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = princelaw.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{96913E78-37CA-48EF-BA8A-18F629E35A8E}: NameServer = 10.1.1.215,10.1.1.12
I just noticed that this is still there...
O4 - HKLM\..\Run: [cepxdf] C:\WINNT\system32\yusfhm.exe
I know I used hijackthis to delete this entry and I just did again and it's back. Maybe this is why the browser-helper object keeps showing up?

the_0ne
Hmmm...let's see if we can find how else it is loading up.
Can you please post a startup list please?
Start hijackthis> click "config"> click "misc tools"> Under generate startup list log check both (full)(complete) options> click "generate startup list log"
When it pops up in notepad, copy and paste results here.
Also to see if we can find where that registry entry keeps loading from...
Start the registry editor, hit ctrl+f keys.
The find box will pop up. In the find box paste the following:
000020dd-c72e-4113-af77-dd56626c6c42
Hit enter.
That should bring you right to the key itself.
Now we need to export that key. Right click the (should be highlighted already) clsid at the left> export> call it twain1> save it to desktop.
Hit f3 to search again...if any others come up, export those too. Call them twain2, twain3 etc. so you don't get the "do you want to replace file" prompt.
You may have more than 1 result...keep doing f3 until find tells you it is done searching. (there shouldn't be too many)
Those keys you exported; open them in notepad (right click> open with> notepad), copy and paste their info here.
Once you have done that...you can delete those exported files from your desktop.
Thanks.
I never give up!

Sorry, didn't see your post until now. The staff member that uses this computer turned it off before they left, so I can't remote into it. I'll try to get the info you requested tomorrow. Thanks.

This is what worked for me:
1. Take any text file you can find and rename it to twaintec.dll. Copy this file to c:\winnt. If you can't delete the original c:\winnt\twaintec.dll, just rename it.
2. Logout and log back in. You should get an error message on startup that c:\winnt\twaintec.dll is an invalid dll file. Don't close this error message. In the title of that message you should find a name of the exe file that attempts to open twaintec.dll.
3. Run Process Explorer (you can download it for free from the Internet). Search for the exe file from the error message.
4. You will find a process that has dependency on that exe. In my case it was lcimcws.
5. Kill that process.
6. Open regedit. Search for that process name in registry, and delete all entries you can find with it.
7. Clean up your temp directory c:\Documents and Settings\<user>\Local Settings\Temp.
8. Run Spybot to do final cleanup.

Thanks for the info, my problem there is I have no twaintec.dll file located anywhere in my WINNT or WINNT/system32 directories. I do have a twain.dll and a twain_32.dll. Do those have any significance to cleaning this up?

Here's my start-up list from hijackthis...
StartupList report, 5/28/2004, 10:39:32 AM
StartupList version: 1.52
Started from : C:\Temp\hijackthis1977\HijackThis.exe
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v5.00 SP1 (5.00.2920.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\SOUNDMAN.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\X-PRO\X-PRO.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
C:\Program Files\SHARP\Sharpdesk\sdFTP.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Gaim\gaim.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird\thunderbird.exe
C:\Program Files\Mozilla Sunbird\MozillaSunbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Temp\hijackthis1977\HijackThis.exe
---------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\jeidam\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Printer Status Monitor.lnk = C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
Start Network Scanner Tool.lnk = C:\Program Files\SHARP\Sharpdesk\sdFTP.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
SoundMan = SOUNDMAN.exe
AtiPTA = atiptaxx.exe
WinVNC = "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
WinampAgent = "C:\Program Files\Winamp3\winampa.exe"
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
XSC SIP Client = "C:\Program Files\X-PRO\X-PRO.exe"
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
---------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
---------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
---------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
---------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
---------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
---------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
---------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
---------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
---------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
---------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
---------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
---------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
---------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
---------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
---------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
---------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
---------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
---------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINNT\System32\mshta.exe "%1" %*
---------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
---------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
---------------------
Load/Run keys from C:\WINNT\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
---------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
---------------------
Checking for EXPLORER.exe instances:
C:\WINNT\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present
---------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
---------------------
Verifying REGEDIT.exe integrity:
- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
---------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {000020DD-C72E-4113-AF77-DD56626C6C42}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
---------------------
Enumerating Task Scheduler jobs:
*No jobs found*
---------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37677.4151851852
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab
---------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
---------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtaa: System32\DRIVERS\ati2mtaa.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Bluetooth Audio: system32\DRIVERS\btaudio.sys (manual start)
Bluetooth Virtual Communications Driver: system32\DRIVERS\btport.sys (manual start)
Bluetooth LAN Access Server: system32\DRIVERS\btwdndis.sys (manual start)
WIDCOMM USB Bluetooth Driver: System32\Drivers\btwusb.sys (manual start)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
3Com Fast EtherLink 59x Adapter Driver: System32\DRIVERS\el59x.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver: System32\DRIVERS\fetnd5b.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Messenger: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NTSIM: \??\C:\WINNT\System32\ntsim.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB 2.0 Root Hub Support: System32\DRIVERS\usbhub20.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
VIA USB Filter: \SystemRoot\System32\Drivers\viausb.sys (manual start)
viaide: System32\DRIVERS\viaide.sys (system)
VIAPFD: \SystemRoot\System32\Drivers\VIAPFD.SYS (system)
Windows Time: %SystemRoot%\System32\services.exe (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WDM Virtual Wave Driver (WDM): system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
VNC Server: "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
---------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

---------------------
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

---------------------
End of report, 26,832 bytes
Report generated in 0.101 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I only found one key matching that string, it was here...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]
