can't get rid of Vx2.Serv

Discussion in 'Malware Help (A Specialist Will Reply)' started by ESHAW, Feb 1, 2005.

  1. ESHAW

    ESHAW Private E-2

    I have followed the directions in thread 35407 and I still can not get rid of a trojan called Vx2.Serv. When I tried to use the plug-in for Ad-Aware called VX2 Cleaner Plug-In, it just says "Bad Entry Point" and I can't use it. Other than that, I'm following the instructions and I think I'm going to need to post a HijackThis log. I know I can't do that unless it's by invitation.

    Does anyone have any suggestions? I've used SpyBot, immunized, Ad-Aware SE, AVERT Stinger, CCleaner, CWShredder, Kill2me, about:Buster and HSRemove in safe mode on an XP client with SP2 installed.

    Thanks in advance for any help

    E Shaw
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome

    If you have done everything in the TUTORIAL I believe PP or Chaslang would ask you to submit a HJT log.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. ESHAW

    ESHAW Private E-2

    I have run HijackThis and had it analyzed online. I have checked the box beside the O2 - BHO ZServObj Class (Zserv.dll), but when I reboot, it comes back. I only have a few items on here I'm not sure about:

    O4 - HKLM\..\Run: [qhqhfspyzurc] C:\WINDOWS\system32\evwbezkh.exe

    O4 - HKLM\..\Run: [lOMEHYaq3.exe] C:\documents and settings\alisa burnet.michmab\local settings\temp\lOMEHYaq3.exe

    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE

    The rest are either verified as safe by the online analyzer or I know what they are.

    Please help. It seems clear that there are registry settings and some file on disk that are driving me mad. And getting me mad, too.

    Thanks
     
  4. TheOldThug

    TheOldThug First Sergeant

    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    For this take a look at this link
    http://www.liutilities.com/products/wintaskspro/processlibrary/SM1BG/

    O4 - HKLM\..\Run: [qhqhfspyzurc] C:\WINDOWS\system32\evwbezkh.exe
    O4 - HKLM\..\Run: [lOMEHYaq3.exe] C:\documents and settings\alisa burnet.michmab\local settings\temp\lOMEHYaq3.exe
    These 2 are probably a problem.

    PP or Chaslang will try and look at it when they get a chance. They are much more knowledgeable than myself. Don't delete until talking with one of them.
     
  5. TheOldThug

    TheOldThug First Sergeant

    "I have run HijackThis and had it analyzed online. I have checked the box beside the O2 - BHO ZServObj Class (Zserv.dll), but when I reboot, it comes back."
    This link confirms BAD.
    http://computercops.biz/clsid-1655.html
     
  6. PhilliePhan

    PhilliePhan Guest

    Good catch, OldThug! The DoxDesk link should explain Transponder/VX2 pretty well.

    ESHAW - Your hunches were correct!

    Please try to end this process in Task Manager, if found:
    evwbezkh.exe

    Then, scan with HijackThis and check the boxes for the following:

    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll

    O4 - HKLM\..\Run: [lOMEHYaq3.exe] C:\documents and settings\alisa burnet.michmab\local settings\temp\lOMEHYaq3.exe
    O4 - HKLM\..\Run: [qhqhfspyzurc] C:\WINDOWS\system32\evwbezkh.exe


    Make sure ALL Browser Windows are Closed when you Click FIX.

    Now, boot to Safe Mode with the Viewing of Hidden Files Enabled and DELETE the following:

    C:\WINDOWS\ZServ.dll
    C:\documents and settings\alisa burnet.michmab\local settings\temp\lOMEHYaq3.exe
    C:\WINDOWS\system32\evwbezkh.exe

    Now, run CCleaner and SpybotSD and have Spybot fix what it finds.

    Then, attach a fresh HJT log and tell us how things are working.

    PP :)
     
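    The triage the thread does by hand (a Run entry loading from a temp folder, a Run entry with a random-looking name, a BHO whose CLSID has to be looked up) and the two-part cleanup PP prescribes (fix the HJT entries, then delete the files in Safe Mode, because fixing in HJT removes only the registry entry) can be scripted. What follows is an added example, not code from this thread or from HijackThis: it parses the O2/O4 lines quoted in posts 3 and 6 above, plus one constructed benign control line, and returns the list of entries to fix in HJT and the list of files to delete afterwards. The vowel-ratio heuristic, the KNOWN_BHO_CLSIDS allowlist and the SoundMan control entry are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input. The first four lines are the O2/O4 entries quoted in the
# thread; the SoundMan line is an added benign control entry (an assumption).
SAMPLE_LOG = """\
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\\WINDOWS\\ZServ.dll
O4 - HKLM\\..\\Run: [qhqhfspyzurc] C:\\WINDOWS\\system32\\evwbezkh.exe
O4 - HKLM\\..\\Run: [lOMEHYaq3.exe] C:\\documents and settings\\alisa burnet.michmab\\local settings\\temp\\lOMEHYaq3.exe
O4 - HKLM\\..\\Run: [SM1BG] C:\\WINDOWS\\SM1BG.EXE
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
"""

# Assumed allowlist of BHO CLSIDs already vetted by the analyst; any other BHO is
# reported for a manual lookup. The single entry is Adobe's Acrobat IE link helper.
KNOWN_BHO_CLSIDS = {"06849E9F-C8D7-4D59-B87D-784B7D6BE0B3"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
TEMP_RE = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)
VOWELS = "aeiouy"  # 'y' counted as a vowel so names like "sys" are not penalised


@dataclass
class Entry:
    kind: str                  # "O2" (BHO) or "O4" (Run key)
    name: str                  # Run value name, or BHO description
    path: str                  # file the entry loads
    clsid: str = ""            # BHO CLSID, empty for O4 entries
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic for generated names such as 'qhqhfspyzurc': few vowels, or a long run
    of consonants. Only applied to names with 8+ letters so short legitimate names
    (SM1BG, ctfmon) are not flagged. Threshold values are assumptions."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(f"[{VOWELS}]", letters))
    return vowel_ratio < 0.2 or longest_consonant_run >= 5


def parse_line(line: str):
    """Return an Entry for an O2/O4 log line, None for any other line."""
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], m["path"])
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["desc"], m["path"], m["clsid"].upper())
    return None


def triage(log_text: str) -> list:
    """Parse the log and keep every O2/O4 entry that trips at least one check."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line.strip())
        if e is None:
            continue
        basename = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if TEMP_RE.search(e.path):
            e.reasons.append("loads from a temp directory")
        if looks_random(e.name) or looks_random(basename):
            e.reasons.append("random-looking name")
        if e.kind == "O2" and e.clsid not in KNOWN_BHO_CLSIDS:
            e.reasons.append("BHO CLSID not on the vetted list; look it up")
        if e.reasons:
            flagged.append(e)
    return flagged


def removal_plan(flagged: list):
    """The two lists the cleanup needs: HJT lines to check and Fix, and files to delete
    in Safe Mode afterwards (HJT removes the registry entry, not the file)."""
    hjt_fix = [f"{e.kind} - {e.name}" for e in flagged]
    delete_files = sorted({e.path for e in flagged})
    return hjt_fix, delete_files


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(f"{e.kind} [{e.name}] {e.path}: {'; '.join(e.reasons)}")
    fixes, files = removal_plan(found)
    print("Check and Fix in HJT:", *fixes, sep="\n  ")
    print("Delete in Safe Mode:", *files, sep="\n  ")
```

    On the sample log this flags the ZServ BHO (unknown CLSID), the qhqhfspyzurc Run entry (random name) and the lOMEHYaq3.exe entry (temp folder), and leaves SM1BG and the SoundMan control alone, which matches what the thread concluded by hand. The heuristics are a first pass only: a name that reads as random still has to be confirmed by a lookup, as OldThug did with the process-library link above.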
  7. ESHAW

    ESHAW Private E-2

    OK, I followed your instructions. Two odd things: 1) the lOMEHYaq3.exe was nowhere to be found, and 2) I could not kill the evwbezkh.exe process in Task Manager. It just kept coming back.

    When I was done with your instructions and reran HJT, the evwbezkh.exe was showing in WINDOWS\SYSTEM32, so I checked it and hit 'Fix', rebooted and ran HJT (log attached), and it did not show up.

    So far so good. It's been running for about 1/2 hour without showing up again. I'll keep my fingers crossed!
     
  8. PhilliePhan

    PhilliePhan Guest

    Your HJT Log looks OK.

    Were you able to DELETE C:\WINDOWS\system32\evwbezkh.exe? Fixing with HJT does not delete this file. . . . .

    PP :)
     
  9. ESHAW

    ESHAW Private E-2

    Yes, I had removed C:\WINDOWS\system32\evwbezkh.exe before running HJT. That's what was so strange about it. It wasn't in the directory after I got the HJT log that said it was there. Hmmm. But right now, I'm just glad to have it over with. The computer ran without even one message from MS Anti-spyware all day.

    You are awesome major geeks! Thank you!!! Thank you!!! Thank you!!!
     
  10. PhilliePhan

    PhilliePhan Guest

    You're Welcome :) Happy we could help!

    While you are here, please take a peek at Chaslang's Suggestions!

    Happy Computing :)
    PP
     