grwwxgp.exe and vnwbekj.exe



evnglion
2007-11-26, 00:19
I wanted to start by saying I love Spybot, I think it is incredibly useful and very powerful. It has not been able to clean my system of these two extremely annoying viruses (or whatever they are). I guess I will start from the top, and see if anyone has advice for me.

I noticed my system was acting strange a couple of weeks ago when I wasn't able to get into 'msconfig', 'regedit' or even some non-system configuration tools (like AudioCatalyst or Disc Juggler). I can try to load any of these, but they would close immediately, without input from me. I knew something was up, so I looked at my process list and discovered grwwxgp.exe and vnwbekj.exe were running. Usually if I find a program running that I don't recognize, I just do a Google search to see what comes up. Every time I would type in the full file name (with the exe part) it would CLOSE Firefox or Opera or IE, didn't matter! Somehow these processes know when I am trying to remove them. If I tried to kill one of them in the Windows process list, the other one would close the process list and restart whatever process I killed. This was really annoying... so I checked with Spybot and it cleaned some of my system, but not these two files. I managed to get TeaTimer to recognize these processes in the startup registry values, and I prevented them from running at startup anymore. However, whenever I explore any hard drives other than C: they would run anyway... so frustrating.

I surrendered to leaving Spybot running so I could quickly go to the process list and kill them at the same time (in Spybot you can kill multiple processes with one click, so it works... unlike MS's process list where you can only kill one at a time and they just protect each other from that).

What I would like to do is get these files off my computer. If this is not an option, fine, but I don't want the processes to run ever again. I don't know how to get them on my TeaTimer black list though... if anyone can help with that I would really appreciate it. Here is some info about my system....

First, my System Process list as provided by Spybot...

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---


PID: 0 ( 0) [System]
PID: 508 ( 4) \SystemRoot\System32\smss.exe
PID: 596 ( 508) \??\C:\WINDOWS\system32\csrss.exe
PID: 624 ( 508) \??\C:\WINDOWS\system32\winlogon.exe
PID: 668 ( 624) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 680 ( 624) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 832 ( 668) C:\WINDOWS\System32\Ati2evxx.exe
size: 376832
MD5: 60D2D92BD2390C50BCE4106113F8B83B
PID: 844 ( 668) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 920 ( 668) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 984 ( 668) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1024 ( 668) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1160 ( 668) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1232 ( 668) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1344 ( 668) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: 7435B108B935E42EA92CA94F59C8E717
PID: 1388 ( 668) c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
size: 109344
MD5: 995D0B52870C7A5CAF3EA165FD674A35
PID: 1548 ( 624) C:\WINDOWS\system32\Ati2evxx.exe
size: 376832
MD5: 60D2D92BD2390C50BCE4106113F8B83B
PID: 1616 (1576) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 1768 (1616) C:\Program Files\Winamp\Winampa.exe
size: 12288
MD5: 3184895910411AC3E34599C44DBC5964
PID: 1776 (1616) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 344064
MD5: A3CDF2CCDB6ACB3D2FC84FD9F8FC03D7
PID: 1784 (1616) C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
size: 132496
MD5: 896E712A34D654A337C8CBB9DEB07200
PID: 1832 (1616) C:\Program Files\D-Tools\daemon.exe
size: 81920
MD5: 804FBB66EC6CA862B840D173EFC638A7
PID: 1872 (1616) C:\WINDOWS\SOUNDMAN.EXE
size: 90112
MD5: 3996AB635B3F87D708BC9DE4FE49ADEC
PID: 1884 (1616) C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
size: 49152
MD5: 2E72D7C07F48A8FBA76241A43B19E3BF
PID: 1892 ( 668) C:\Program Files\Bonjour\mDNSResponder.exe
size: 229376
MD5: 73686FE0B2E0469F89FD2075BE724704
PID: 1908 (1616) C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
size: 488984
MD5: 022DB38BECB5A44DA6F7E27923457624
PID: 1916 (1616) C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
size: 774168
MD5: 6B84B11CFAD4173733DD96C810D9BC6F
PID: 1972 (1616) C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
size: 401491
MD5: 67A6951DA793E24BC876F1F380E25AC7
PID: 2028 (1616) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 240 (1616) C:\Program Files\Google\Google Updater\GoogleUpdater.exe
size: 126136
MD5: 8D89B60FD56F70813DA50C01E232C8FB
PID: 256 (1616) C:\Program Files\Logitech\SetPoint\SetPoint.exe
size: 688128
MD5: 0450EC2579CF6CFD962D49878E0A9378
PID: 232 (1616) C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
size: 623720
MD5: 4872FEEA595DBB7D4F84C4F2880489D0
PID: 380 ( 844) C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
size: 252704
MD5: AD7503D6857DBFFC7E5F2E96BC9CC283
PID: 1124 ( 668) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
size: 138680
MD5: D213C2B1CE0FAEAB59EC0C55B4493F94
PID: 2084 ( 668) C:\WINDOWS\System32\HPZipm12.exe
size: 69632
MD5: 9D84376931440F3679BEEF2A414FA493
PID: 2216 ( 668) C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
size: 275968
MD5: B1691AF4A072CB674D600DB16DD7308E
PID: 2232 ( 668) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2264 ( 668) C:\Program Files\Viewpoint\Common\ViewpointService.exe
size: 24652
MD5: 5F974FDE801C73952770736BECDE11E7
PID: 2292 ( 668) C:\WINDOWS\system32\ZoneLabs\vsmon.exe
size: 914528
MD5: 1F1E20A12C61BAC28EB49A8D8A0EDD4B
PID: 2464 ( 844) C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
size: 230936
MD5: 4F97F4BE05F1DBF89E493ED85EC1013B
PID: 3164 (1616) C:\Program Files\AIM95\aim.exe
size: 66672
MD5: 1C4429C1AA8F638B55508C90EC4402BA
PID: 3120 (1616) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7649128
MD5: 451F674EA11D8570690E5150C86FA2F7
PID: 8916 (1616) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System
PID: 7300 (5056) C:\Program Files\Common Files\System\grwwxgp.exe
size: 32237
MD5: B48BFE19C9F06251F2BD90A74898D34F
PID: 7268 (5056) C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
size: 32237
MD5: B48BFE19C9F06251F2BD90A74898D34F


The last two listed there are the culprits. If these are running, I can't even browse to the file location. If I kill the processes, I can get to those directories, but the files are not visible.

If anyone can offer any help, I would greatly appreciate it. I am at the end of my rope here... I just don't want them running anymore. Thanks a ton in advance.
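As an added illustration (not from the post, and not part of Spybot), the following Python parses the Spybot 1.4 process-list format quoted above and flags the two things that stand out in it: one MD5 running under two different file names in two different folders, and a pair of processes whose shared parent PID is not in the list at all. The sample input is constructed from entries quoted in the post; the finding labels are my own.

```python
import re, ntpath
from collections import defaultdict

# Constructed sample in the Spybot 1.4 process-list format quoted in the post.
SAMPLE = r"""PID: 668 ( 624) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 844 ( 668) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 7300 (5056) C:\Program Files\Common Files\System\grwwxgp.exe
size: 32237
MD5: B48BFE19C9F06251F2BD90A74898D34F
PID: 7268 (5056) C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
size: 32237
MD5: B48BFE19C9F06251F2BD90A74898D34F
"""

PID_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.+?)\s*$")

def parse_process_list(text):
    """Parse 'PID: n ( ppid) path' lines plus the size:/MD5: lines under each."""
    procs = []
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "ppid": int(m.group(2)),
                          "path": m.group(3), "size": None, "md5": None})
        elif line.startswith("size:") and procs:
            procs[-1]["size"] = int(line.split(":", 1)[1])
        elif line.startswith("MD5:") and procs:
            procs[-1]["md5"] = line.split(":", 1)[1].strip().upper()
    return procs

def find_suspicious(procs):
    """Hints worth a closer look: one hash under several file names, and
    sibling processes whose shared parent PID is absent (launcher already gone)."""
    findings, known = [], {p["pid"] for p in procs}
    by_md5, by_ppid = defaultdict(list), defaultdict(list)
    for p in procs:
        by_ppid[p["ppid"]].append(p["pid"])
        if p["md5"]:
            by_md5[p["md5"]].append(ntpath.basename(p["path"]).lower())
    for md5, names in by_md5.items():
        if len(set(names)) > 1:  # same bytes, different names/locations
            findings.append(("same-binary-different-names", md5, sorted(set(names))))
    for ppid, kids in by_ppid.items():
        if ppid and ppid not in known and len(kids) > 1:
            findings.append(("shared-missing-parent", ppid, sorted(kids)))
    return findings
```

Both findings are hints to investigate rather than proof; several legitimate copies of svchost.exe share one hash but keep the same name, so they are not flagged.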

tashi
2007-11-29, 17:40
Hello.

The exes appear to be random, someone should take a closer look at the system. :)

Follow the procedure in this link:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Spybot-S&D is now at Version 1.5

Spybot - Search & Destroy Version 1.5 Download (http://www.spybot.info/en/download/index.html)



Uninstall previous version (http://www.safer-networking.org/en/howto/uninstall.html)



Tutorial (http://www.spybot.info/en/tutorial/index.html)


Available as a Beta which resolves some minor issues found in the first release: http://forums.spybot.info/showthread.php?t=20250

Beta Forum: http://forums.spybot.info/forumdisplay.php?f=12

Regards.

grimy mcgrimster
2008-08-18, 09:11
sooo.irritating ... you can deactivate until next restart by - Task Manager
- end process tree on the one that starts with v first... although they switch up every so often but only once... or you can search them in regedit and delete them then your anti spyware will recognize them as new programs which allows them to be erased easier... as far as I know they're surveillance programs that come in with mp3's or porn .. relatively harmless but annoying .. the problem I've had twice but couldn't pinpoint their arrival.... what's worse is the new antispyware xp virus pack ... mmmmmm hours of fun ... hope this helps.. by the way I used twister anti blah blah to delete it ... comes with handy reg repair... cool .. don't get square eyes ...

drragostea
2008-08-18, 20:42
This is quite an old thread, almost a year old. Do you have any questions or trouble, grimy?

I would suggest or even begin to recommend beginner or novice users to manually edit the registry unless they really know what they are doing.

Safe surfing.