# VX2 malware - how do I get rid of it!



## joey16g (Aug 21, 2004)

*Please help, I have this VX2 malware according to Ad-Aware (I have all the latest updates) and I keep trying to remove it. I clear the recycle bin, reboot and it keeps coming back, how do I get rid of it?????? Any suggestions...my computer is downloading all sorts of stuff...

OK, I just found out about the VX2.Finder from another posting and downloaded and executed it, here is my log, could someone please tell me what to do next???????????????????

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
C:\WINDOWS\System32\6vo4svc.dll
C:\WINDOWS\System32\aoptif.dll

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
Tracing
wlballoon

Guardian Key--- is called: Tracing
Asynchronous 000
DllName C:\WINDOWS\system32\6vo4svc.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 126
ID {5FB29EBB-00C2-459C-86E9-B4E8900D1454}
IDex VT00

User Agent String---
{5FB29EBB-00C2-459C-86E9-B4E8900D1454} 

*


----------



## joey16g (Aug 21, 2004)

Logfile of HijackThis v1.98.2
Scan saved at 2:03:37 AM, on 11/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SED\SED.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\sony\giga pocket\reservemodule.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joseph F. Gotowko\Desktop\VX2Finder(126).exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Timer Recording Manager.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ConferenceRoom Java Client - http://www.camzchat.com/java/cr.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100933715187
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab


----------



## joey16g (Aug 21, 2004)

*Can anyone help me????????????????????????????*


----------



## Flrman1 (Jul 26, 2002)

*IMPORTANT!*: Before you run this tool please close *ALL* running programs. Sign off and stay off the internet until the entire procedure is complete.

Now run VX2Finder again and click on the *Find VX2.Betterinternet button*. It will display the entries as before. Select all these files

*C:\WINDOWS\System32\6vo4svc.dll
C:\WINDOWS\System32\aoptif.dll*

This time click on the *Delete these files* button. It will give you a message about one file to be deleted on reboot. 
It will ask to reboot to delete the last file. Go ahead and *Restart the computer*

After it reboots, run VX2Finder again and click on the *User Agent* button and it will delete the user agent string.

Next click on the *Guardian.reg* button and it will delete the Guardian Key.

Finally click the *Restore Policy* button to restore the Debug policy altered in the Look2Me installation.

*Restart your computer*

Download the Hoster from *here*. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

Run VX2Finder again and save the log as you did before. Come back here and post that log.

Also please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now *Click here* to download Hijack This. Download it and click "Save". Save it to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program.

Click the "Scan" button. When the scan is finished, the "Scan" button will become "Save Log"; click that and save the log.

The log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Post that log and another VX2Finder log.


----------



## Cookiegal (Aug 27, 2003)

Download the LSP Fix:

http://cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of *calsp.dll* and *aklsp.dll* (and nothing else), and move them to the "Remove" pane. 
Then click Finish.

Now start your computer in Safe Mode and delete:

The C:\windows\system32\*calsp.dll* - file
C:\windows\system32\*aklsp.dll* - file

Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here along with a new Hijack This log and wait for further instructions.

http://www.subratam.org/?page=removal


----------



## joey16g (Aug 21, 2004)

Thanks for the reply, here are the new logs after what you told me to do...One question, using the hosts file program, should I make it "read only"?

Logfile of HijackThis v1.98.2
Scan saved at 3:37:23 PM, on 11/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\sony\giga pocket\reservemodule.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\HJT\HijackThis.exe

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Timer Recording Manager.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ConferenceRoom Java Client - http://www.camzchat.com/java/cr.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100933715187
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---

*DOES THIS MEAN THAT VX2 is GONE?*


----------
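
One way to compare two VX2Finder logs section by section, as an added example that is not part of the thread or of VX2Finder. The section names come from the logs above, the inputs are trimmed copies of those logs, and the function names are assumptions.

```python
import re

# Constructed input: trimmed copies of the two VX2Finder logs posted in this thread.
LOG_BEFORE = r"""
Files Found---
C:\WINDOWS\System32\6vo4svc.dll
C:\WINDOWS\System32\aoptif.dll

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
Tracing
wlballoon

Guardian Key--- is called: Tracing
Asynchronous 000
DllName C:\WINDOWS\system32\6vo4svc.dll
Impersonate 000

User Agent String---
{5FB29EBB-00C2-459C-86E9-B4E8900D1454}
"""

LOG_AFTER = r"""
Files Found---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
"""

# A section header is any line containing '---'; text after it belongs to the section.
HEADER = re.compile(r"^(?P<name>.+?)---(?P<tail>.*)$")


def parse_vx2finder(text):
    """Split a log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group("name").strip()
            tail = m.group("tail").strip()
            sections[current] = [tail] if tail else []
        elif current is not None:
            sections[current].append(line)
    return sections


def summarize(text):
    """Pull out the fields a helper reads: files, Notify keys, Guardian key and its DLL."""
    s = parse_vx2finder(text)
    name = dll = ""
    for entry in s.get("Guardian Key", []):
        low = entry.casefold()
        if low.startswith("is called:"):
            name = entry.split(":", 1)[1].strip()
        elif low.startswith("dllname"):
            parts = entry.split(None, 1)
            dll = parts[1].strip() if len(parts) > 1 else ""
    files = s.get("Files Found", [])
    return {
        "files": files,
        "notify": set(s.get("Keys Under Notify", [])),
        "guardian": name,
        "guardian_dll": dll,
        # Windows paths are case-insensitive, so compare case-folded.
        "guardian_dll_in_files": bool(dll) and dll.casefold() in {f.casefold() for f in files},
        "user_agent": s.get("User Agent String", []),
    }


def compare(before, after):
    """Report which Notify keys changed and whether any VX2Finder indicator is left."""
    b, a = summarize(before), summarize(after)
    return {
        "notify_removed": sorted(b["notify"] - a["notify"]),
        "notify_added": sorted(a["notify"] - b["notify"]),
        "indicators_remaining": bool(a["files"] or a["guardian"] or a["user_agent"]),
    }


if __name__ == "__main__":
    print(summarize(LOG_BEFORE))
    print(compare(LOG_BEFORE, LOG_AFTER))
```

The result covers only the indicators VX2Finder itself reports; the HijackThis log from the same scan is reviewed separately.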



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll*

Restart your computer.


----------
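
Comparing the first and second HijackThis logs posted above as sets of entries shows which lines disappeared between scans and which are new, such as the two O2 BHO lines. This is an added example, not code from the thread or from HijackThis; the inputs are excerpts constructed from those logs and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpts of the first (2:03 AM) and second (3:37 PM) logs in this thread.
FIRST = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

SECOND = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Entry lines start with a section code such as R0, O4 or O16, then " - ".
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return {(code, case-folded body): (body as written, occurrence count)}."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines and the running-process list are not entries
        code = m.group("code")
        body = " ".join(m.group("body").split())  # collapse runs of whitespace
        key = (code, body.casefold())             # paths differ only by case between scans
        first_body, count = entries.get(key, (body, 0))
        entries[key] = (first_body, count + 1)
    return entries


def diff_logs(first, second):
    """Group entries that vanished or appeared between two scans by section code."""
    a, b = parse_entries(first), parse_entries(second)
    removed, added = defaultdict(list), defaultdict(list)
    for key in sorted(a.keys() - b.keys()):
        removed[key[0]].append(a[key][0])
    for key in sorted(b.keys() - a.keys()):
        added[key[0]].append(b[key][0])
    return {"removed": dict(removed), "added": dict(added)}


if __name__ == "__main__":
    result = diff_logs(FIRST, SECOND)
    for direction in ("removed", "added"):
        for code, bodies in result[direction].items():
            for body in bodies:
                print(f"{direction:8} {code:4} {body}")
```

New entries are candidates for review, not verdicts: in this excerpt the added set holds both the O2 lines and an O16 line.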



## joey16g (Aug 21, 2004)

*I now have the following log...is VX2 Clean?????????????? Also, I have bargain.exe which Norton cannot delete. Thanks.*

Logfile of HijackThis v1.98.2
Scan saved at 5:32:21 PM, on 11/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm47.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Timer Recording Manager.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ConferenceRoom Java Client - http://www.camzchat.com/java/cr.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100933715187
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab


----------



## Flrman1 (Jul 26, 2002)

Boot to safe mode and delete bargain.exe.

How to start your computer in safe mode


----------



## joey16g (Aug 21, 2004)

*I deleted "bargains.exe" while in winXP but I'm having a horrible problem with this whole thing, I go into safe mode and Ad-aware doesn't find it. I tried to delete everything I thought was associated with it while in Safe Mode. When I restart in winXP it is there again, over 130 malicious entries. Also, Spybot catches it as "eXact Advertisting.BargainsBuddy". What should I DO? I've tried everything, I'm at my wits' end....thanks....*


----------



## joey16g (Aug 21, 2004)

I think that worked, here are my logs:

Logfile of HijackThis v1.98.2
Scan saved at 12:59:35 PM, on 11/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~2\navw32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Timer Recording Manager.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ConferenceRoom Java Client - http://www.camzchat.com/java/cr.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100933715187
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---

*Now, I'm having a different problem, I deleted "bargains.exe" while in winXP but I'm having a horrible problem with this whole thing, I go into safe mode and Ad-aware doesn't find it. I tried to delete everything I thought was associated with it while in Safe Mode. When I restart in winXP it is there again, over 130 malicious entries. Also, Spybot catches it as "eXact Advertisting.BargainsBuddy". What should I DO? I've tried everything, I'm at my wits' end....thanks....*


----------



## Flrman1 (Jul 26, 2002)

*Click here* to download getservice.zip and unzip it to your desktop. Open the Getservice folder and click on the getservices.bat file. A notepad will open up with a long list of Services. Please save that notepad file and attach it to your next reply to this thread. It will be easier to attach it rather than copy and paste because it will be too long to paste in one post.


----------



## Cookiegal (Aug 27, 2003)

The log looks good.

Did you not fix it with Spybot?

Go to Control Panel - Add/Remove and remove anything that looks like:

BargainBuddy
CashBack
NaviSearch


----------



## joey16g (Aug 21, 2004)

I do that with Spybot and Ad-aware but this bargain buddy stuff keeps coming back...any new advice?


----------



## joey16g (Aug 21, 2004)

Here is my "Startup List" and "GetService" list. Please help me, I still have been unable to eradicate this from my machine...

Thanks.


----------



## Cookiegal (Aug 27, 2003)

Please do this. Click here http://forums.techguy.org/attachment.php?attachmentid=38105 to download getservice.zip and unzip it to your desktop. Open the Getservice folder and click on the getservice.bat file. A notepad will open up with a long list of services. Please save that notepad file and attach it to your next reply to this thread. It will be easier to attach it rather than copy and paste because it will be too long to paste in one post.


----------



## joey16g (Aug 21, 2004)

here you go:


This looks particularly suspicious to me "AGRSMMSG.exe", do you know what that is, it is in the windows folder, also the stuff in system32 folder, can you explain that stuff?


----------



## Flrman1 (Jul 26, 2002)

There is nothing in either of those. I need you to tell me exactly what is being found and the exact locations that it is being found in. I need all the details or I am not going to be able to help you remove it.


----------



## Cookiegal (Aug 27, 2003)

The file you asked about is a modem driver. You can do a Google search for any of the others to get an explanation of what they are.

Did you find anything in the Control Panel relating to Bargain Buddy?


----------



## joey16g (Aug 21, 2004)

No, everything there has been removed that I thought was suspicious, did you find anything in what I sent you?


----------



## joey16g (Aug 21, 2004)

Why would the modem driver be running? I have ethernet, just curious...anyways...this sucks, I can't find this damn thing anywhere huh...


----------



## joey16g (Aug 21, 2004)

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager
Adobe Photoshop Elements 2.0
Adobe Premiere 6 LE
Advanced Networking Pack for Windows
Agere Systems Ac'97 Modem
AOL Instant Messenger
Art Explosion Greeting Card Factory
Click to DVD 1.3
DeductionPro 2003
DirectX 9 Hotfix
DivX 4.12 Codec
DVD Decrypter
DVgate
Easy Thumbnails
Experience Vaio
Forte Agent
Giga Pocket 5.0
HighMAT Extension to MS Windows
iDEN CompanionPro
iDEN Packet Data Applet
iDEN Phonebook Manager
Internet Explorer Q867801
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Logitech Desktop Messenger
Logitech iTouch Software
Logitech MouseWare 9.79.1
Lucent Technologies Soft Modem AMR
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Microsoft .NET Framework 1.1
Microsoft Data Access Components
Microsoft Money 2004
Microsoft Office 2000 SR-1 Pro
Motion JPEG Software Decoder
MovieShaker 3.3
Mozilla (1.6)
MSN Music Assistant
Music Visualizer Library 1.4.00
Nero 6 Ultra Edition
Norton AntiVirus 2004
Norton SystemWorks2003
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
OpenMG Secure Module 3.1
Outlook Express
PhotoMax Pro
PicoPlayer
PicoPlayer Demo
PicoPlayerSplashScreen
PictureGear Studio 1.0
POP Peeper
PowerDVD
Quicken 2002 New User Edition
Quicktime
RealOne Player
RealProducter Basic 8.5
Recommended Hotfix
Savings Bond Wizard
Screenblast ACID 2.0a
Screenblast Sound Forge 1.0b
Sis Compatable VGS V2.09a
SonicStage 1.5.00
Sony Certificate PCH
Sony DV Shared Library
Spybot - Search and Destroy 1.3
SpywareBlaster v3.2
Support Actions WinXP
TaxCut 2003
Trend Micro PC-cillin 90-Day Trial Period Patch
VAIO Edit Components LE
VAIO Help and Support
VAIO Media 2.0
VAIO Media Installer 2.0
VAIO Media Music Server 2.0
VAIO Media Photo Server 2.0
VAIO Media Platform 2.0
VAIO Registration
VAIO Support
VERITAS RecordNow DX
VERITAS RecordNow DX Update Manager
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VX2 Cleaner plug-in for Ad-Aware SE
Windows Blaster Worm Removal Tool
Windows Media Format Runtime
Windows Media Player 10
(2) Windows Media Player Hotfixes
(A bunch of) Windows XP Hotfixes
WinRAR archiver
Yahoo! Address AutoComplete
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar
yEnc32


----------



## joey16g (Aug 21, 2004)

Any news on this list? I think that it is clean, but I'm still getting the damn bargain buddy!


----------



## joey16g (Aug 21, 2004)

using spybot I have found:

Double Click 1 entry
DSO Exploit 5 entries
eXact Advertising.BargainBuddy 2 entries

under Bargain Buddy the files are:

C:\Windows\System32\msexreg.exe
C:\Windows\System32\instsrv.exe


Ad-aware also finds Bargain Buddy and fails to get rid of it.


----------



## joey16g (Aug 21, 2004)

Should I try deleting these files in safe mode? I'm just hesitant about it because I don't know what they do...thanks


----------



## dvk01 (Dec 14, 2002)

I have merged both your threads that are about the same problem.

Do not start a new thread when someone is helping you; it makes it impossible to keep up with what has been done.


----------



## Flrman1 (Jul 26, 2002)

joey16g said:


> Should I try deleting these files in safe mode?


Yes.


----------



## joey16g (Aug 21, 2004)

All right, I'll give it a shot and repost my log, sorry about the 2 posts...I'll get back to you in a few mins


----------



## joey16g (Aug 21, 2004)

I've been trying a few different things and I think that I got it. I think that ZEsoft was something BAD so I deleted it entirely and that was a good thing. AdAware and Spybot don't find anything when I boot up XP normally now and I'll share with you my HJT log below. What do you think then? Has it been eradicated? Should I breathe easy now? Let me know, I hope that you feel better and have a good Thanksgiving:

Logfile of HijackThis v1.98.2
Scan saved at 1:43:32 AM, on 11/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\sony\giga pocket\reservemodule.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Timer Recording Manager.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100933715187
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab


----------
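The following Python is an added example, not code from any poster or from HijackThis itself: it parses the `O4` Run lines and the running-process list of a HijackThis log like the one above and reports, for each autostart value, whether it names a full path and which running process matches it. The sample is an excerpt of the posted log, the function names are illustrative, and `O4 - Global Startup` lines are skipped.

```python
import ntpath
import re

# Excerpt (a subset of lines) from the HijackThis log posted above.
SAMPLE_LOG = r'''Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\AGRSMMSG.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
'''

RUN_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
EXE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr))(?=\s|$)", re.IGNORECASE)

def executable(command):
    """Return the program part of a Run value, without its arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE.match(command)
    return m.group(1) if m else command.split()[0]

def parse(log):
    """Return (running process paths, [(value name, executable)] for O4 Run lines)."""
    running, entries, in_procs = [], [], False
    for line in map(str.strip, log.splitlines()):
        m = RUN_LINE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            running.append(line)
        elif m:
            entries.append((m.group(1), executable(m.group(2))))
    return running, entries

def triage(log):
    """For each Run entry: (name, exe, has full path?, matching running process)."""
    running, entries = parse(log)
    live = {ntpath.basename(p).lower(): p for p in running}
    # A Run value with a bare file name does not say where the file is; the process list may.
    return [(name, exe, bool(ntpath.dirname(exe)),
             live.get(ntpath.basename(exe).lower())) for name, exe in entries]

if __name__ == "__main__":
    for name, exe, full, seen in triage(SAMPLE_LOG):
        print(f"{name:26} full_path={full!s:5} running_as={seen}  ({exe})")
```

On this excerpt the `AGRSMMSG` value has no directory in the Run key, and the process list ties it to `C:\WINDOWS\AGRSMMSG.exe`.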



## Flrman1 (Jul 26, 2002)

Clean! :up:


----------



## joey16g (Aug 21, 2004)

A couple more things:

1) Would you recommend deleting the SONY VAIO support software? It loads up on bootup and gives me an icon in the system tray and I'm not too sure about it.

2) How do you get rid of the recycle bin on the desktop in WINXP? I have it in my menu and I'm trying to clear off the desktop.

I think that the spyware is gone though. Thanks.


----------



## Flrman1 (Jul 26, 2002)

1) You don't really need to delete the Vaio software. You can just disable it in msconfig so that it doesn't load at startup.

2) http://www.petri.co.il/delete_recycle_bin_icon_from_the_desktop_in_xp_2003.htm


----------



## joey16g (Aug 21, 2004)

Thanks about the recycle bin, that's cool. About the SONY stuff, I'm looking in my ADD/DELETE programs list and wondering about a few things that I could get rid of and some of the stuff that came with the install disks that I don't use. Can you please confirm for me that deleting this stuff won't mess anything up and may help? I tried deleting this PC Chillin thing too (Came with SONY software, and I think that I deleted the original program but the patch remains) and it says it needs a disk, doh. Anyways, I'll bold the stuff in the list that I want to delete. Please check it out when you get a chance, and thanks so much. Also, do you know what MSN Music Assistant does? I don't think that I want that either...

Joe G

ADD/REMOVE Programs List:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager
Adobe Photoshop Elements 2.0
Adobe Premiere 6 LE
Advanced Networking Pack for Windows
Agere Systems Ac'97 Modem
AOL Instant Messenger
Art Explosion Greeting Card Factory
*Click to DVD 1.3*
DeductionPro 2003
DirectX 9 Hotfix
DivX 4.12 Codec
DVD Decrypter
*DVgate*
*Easy Thumbnails*
*Experience Vaio*
Forte Agent
Giga Pocket 5.0
HighMAT Extension to MS Windows
iDEN CompanionPro
iDEN Packet Data Applet
iDEN Phonebook Manager
Internet Explorer Q867801
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Logitech Desktop Messenger
Logitech iTouch Software
Logitech MouseWare 9.79.1
Lucent Technologies Soft Modem AMR
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Microsoft .NET Framework 1.1
Microsoft Data Access Components
Microsoft Money 2004
Microsoft Office 2000 SR-1 Pro
Motion JPEG Software Decoder
*MovieShaker 3.3*
Mozilla (1.6)
*MSN Music Assistant*
Music Visualizer Library 1.4.00
Nero 6 Ultra Edition
Norton AntiVirus 2004
Norton SystemWorks2003
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
OpenMG Secure Module 3.1
Outlook Express
PhotoMax Pro
*PicoPlayer*
*PicoPlayer Demo*
*PicoPlayerSplashScreen*
*PictureGear Studio 1.0*
POP Peeper
PowerDVD
*Quicken 2002 New User Edition*
Quicktime
RealOne Player
RealProducter Basic 8.5
Recommended Hotfix
Savings Bond Wizard
Screenblast ACID 2.0a
Screenblast Sound Forge 1.0b
Sis Compatable VGS V2.09a
SonicStage 1.5.00
Sony Certificate PCH
Sony DV Shared Library
Spybot - Search and Destroy 1.3
SpywareBlaster v3.2
Support Actions WinXP
TaxCut 2003
*Trend Micro PC-cillin 90-Day Trial Period Patch*
*VAIO Edit Components LE*
*VAIO Help and Support*
*VAIO Media 2.0*
*VAIO Media Installer 2.0*
*VAIO Media Music Server 2.0*
*VAIO Media Photo Server 2.0*
*VAIO Media Platform 2.0*
*VAIO Registration*
*VAIO Support*
VERITAS RecordNow DX
VERITAS RecordNow DX Update Manager
VX2 Cleaner plug-in for Ad-Aware SE
Windows Blaster Worm Removal Tool
Windows Media Format Runtime
Windows Media Player 10
(2) Windows Media Player Hotfixes
(A bunch of) Windows XP Hotfixes
WinRAR archiver
Yahoo! Address AutoComplete
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar
yEnc32


----------



## joey16g (Aug 21, 2004)

Thanks, ... I am trying to uninstall the SONY VAIO stuff but it gives me errors for missing files in the ADD/REMOVE programs window and keeps them there. I'm thinking that maybe I deleted some stuff along the way and I don't know what to do now to completely wipe the stuff...

This is the ERROR I'm getting for each:

Error loading C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll


----------



## joey16g (Aug 21, 2004)

I'm having an additional problem. I made a folder for the desktop in which I was storing all my HJT logs. I was clearing out the desktop, got rid of the recycle bin and this was the last folder left. Now when I move it or try to delete it my whole background turns blue and is unrecoverable. If I move the folder back, the background comes back. Any ideas? This one is really driving me mad...thanks...


----------



## joey16g (Aug 21, 2004)

OK, it's not the folder itself but the last item that leaves the desktop makes the screen go blue...what is the deal? Do you have any idea?


----------



## joey16g (Aug 21, 2004)

Fixed the problem with the desktop, it was something in advanced properties for displays...

Anyways, I'm happy about that, and just wondering about the startup now using msconfig...I disabled 2 things that didn't have descriptions by them...I'm curious as to why they might not, any ideas? I also disabled quicktime task as I don't think that I need that running, can you confirm?

Lastly, do you know what ezSP_PX.exe is and why it is running, thanks !


----------



## dvk01 (Dec 14, 2002)

http://www.windowsstartup.com/wso/detail.php?id=933


----------



## joey16g (Aug 21, 2004)

So this is OK to keep running? Things seem fine now, I appreciate all your help for this!


----------



## joey16g (Aug 21, 2004)

I was trying to clean up my Inbox in MS Office 2000 SR-1 Pro and I can't delete certain messages in my inbox - I get the following message:

The messaging interface has returned an unknown error. If the problem persists, restart Outlook.

I have a LOT of email here, and I can't just delete it all (that is, start over with a new pst file). I've already tried the inbox repair tool.

Any help would be GREATLY appreciated.

Thanks!


----------

