First - thanks for helping me to get rid of my hijacked IE 2 weeks ago - Crunchie - you were amazing.

I have another PC in my home - a laptop, that one of my kids got a hold of and went someplace on the net. I now get pop-up ads that I can not seem to get rid of. I have run CWShredder (usually comes up clean) and Ad-aware (have found 1 data miner object from VX2) but as this pc has continuous access to the net, I get these annoying pop-ups on a continual basis!

Running MS XP-Professional, IE 6.0. Will post any and all logs requested.
Can someone please lend a hand!

Thanks in advance
- - Aaron

Can you download the following app & run it.

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.
Put a check beside all files.
Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)

Once back in Windows

Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here with a fresh HijackThis log please.

Crunchie - As always - thanks for the help -

I ran the VX2 finder and here is the final info it posted:
Files Found---

Guardian Key--- is called:
User Agent String---

Also - here is the Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 9:12:44 AM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\documents and settings\gavzya\local settings\temp\qYSwk6.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\GavzyA\Desktop\CLEAN-UP\VX2Finder.exe
C:\Documents and Settings\GavzyA\Desktop\CLEAN-UP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [qYSwk6.exe] C:\documents and settings\gavzya\local settings\temp\qYSwk6.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O9 - Extra button: Research (HKLM)
O16 - DPF: JT's Blocks -
O16 - DPF: Sametime Meeting Room Client ST31 -
O16 - DPF: Toki Toki Boom -
O16 - DPF: Yahoo! Klondike Solitaire -
O16 - DPF: Yahoo! MahJong Solitaire -
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: Yahoo! Reversi -
O16 - DPF: Yahoo! Towers 2.0 -
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =

Let me know what's next - and again - THANKS

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)

O4 - HKLM\..\Run: [qYSwk6.exe] C:\documents and settings\gavzya\local settings\temp\qYSwk6.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\documents and settings\gavzya\local settings\temp< folder contents
C:\Program Files\AutoUpdate< folder

C:\WINDOWS\System32\dp-him.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally.

Please go here for Wintools removal instructions.

Post new log plz. Off to bed now so will catch up on the morrow.

Everything seems to have been cleared



Everything seems to have been cleared


See You NExt TIme!!!;)

Stay clean & it will be only a check-up :)