More VX2 Variant Troubles

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by whereishelpicon, Dec 19, 2004.

  1. whereishelpicon

    whereishelpicon Private E-2

    Re: VX2 is killing me

    I'm having a problem like that too. Here is my HijackThis log and another log from the Generic thing.
     

    Attached Files:

  2. PhilliePhan

    PhilliePhan Guest

    Hi Whereishelpicon,

    I gave you your own thread. Unfortunately, the FindIt log is incomplete - Sometimes this happens.

    Please download the following tools and have them handy:

    http://www.downloads.subratam.org/DllCompare.exe

    http://www.downloads.subratam.org/VX2Finder.exe

    http://www.downloads.subratam.org/KillBox.zip


    I see a boatload of Norton running, plus Anti-Vir. Also, McAfee shows up in services. You should run only ONE A/V - Many possible conflicts. Before we can proceed, you must address this.

    Also, when you scan or fix with HijackThis, ALL browser windows and nonessential items should be closed. You had FireFox and IE running.

    Before we can start, please have HijackThis fix the following entries. I know some will come back:

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll

    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvjxa32.exe

    O15 - Trusted IP range: (HKLM)

    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.9.5.37/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5.9.5.30/squelchies/squelchies-ob-assets.cab

    Again, ALL browser windows must be closed when you click fix.

    Delete the following in safe mode - You will need to Enable the Viewing of hidden files:

    C:\WINDOWS\EliteToolBar --> The Folder
    C:\windows\system32\kalvjxa32.exe

    Let me know how you fare with the above and we can move on to the VX2 variant. I'll try to check back when I get some free time - Awfully busy these days.

    Best :)
    PP
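The O1 entries in the fix list above rewrite the hosts file so that several search-engine names (and the bare name ieautosearch) resolve to one outside address. As an added example, not code from the thread or from HijackThis, the following Python script pulls O1 lines out of a HijackThis log and separates entries that merely sink a name (loopback or 0.0.0.0, the pattern used by ad-blocking hosts files) from entries that redirect it, grouped by destination so that several names pointing at one external address stand out. The sample log is constructed from the O1/O4 lines above plus one invented benign ad-blocking line.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Constructed sample: the O1 lines quoted in the thread, one O4 line to show
# that other sections are skipped, and one invented loopback entry of the
# kind a legitimate ad-blocking hosts file produces.
SAMPLE_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O4 - HKLM\\..\\Run: [kalvsys] C:\\windows\\system32\\kalvjxa32.exe
"""

# HijackThis prints hosts-file lines as "O1 - Hosts: <address> <name>".
O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


def parse_hosts_entries(log: str) -> list[tuple[str, str]]:
    """Return (address, name) for every O1 line; all other lines are ignored."""
    entries: list[tuple[str, str]] = []
    for line in log.splitlines():
        match = O1_RE.match(line.strip())
        if match:
            entries.append((match.group("ip"), match.group("host")))
    return entries


def is_sink_address(ip: str) -> bool:
    """True when the address only blocks a name (loopback or unspecified).

    Anything that does not parse as an IP address is treated as not a sink,
    so it is reported rather than silently accepted.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_redirects(entries: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group the names that are sent to a real (non-sink) address, by address.

    One external address collecting several search-engine names is the
    search-hijack pattern shown in the log above.
    """
    by_ip: dict[str, list[str]] = defaultdict(list)
    for ip, host in entries:
        if not is_sink_address(ip):
            by_ip[ip].append(host)
    return dict(by_ip)


if __name__ == "__main__":
    for address, names in find_redirects(parse_hosts_entries(SAMPLE_LOG)).items():
        print(f"{address} receives {len(names)} name(s): {', '.join(names)}")
```

Run against a saved HijackThis log by reading the file into `parse_hosts_entries`; every address listed by `find_redirects` is one to account for, since a clean hosts file should only ever carry loopback entries.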
     
  3. whereishelpicon

    whereishelpicon Private E-2

    k here is my updated Hijack This log and my Findit log that I'm not sure worked this time either.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Whereishelpicon,

    I am not seeing the data I need to see.

    Please attach a Fresh HijackThis Log.
    Also, please run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log as well.

    I'll check back when I can get some free time.

    PP :)
     
  5. whereishelpicon

    whereishelpicon Private E-2

    k here are more updated logs
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi Whereishelpicon,

    For an idea of how the removal process works, check out this thread:

    what else can I do for this?

    I will use pretty much the same instructions:

    FIRST:
    Please be sure your version of Pocket KillBox is v2.0.0.76 – If not, please download a new copy from the link below and extract it to the folder of your choice.
    http://www.downloads.subratam.org/KillBox.zip

    Off we go! Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this. Probably a good idea to Print Out these instructions.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions.

    This fix will take a couple of steps. I will keep it very simple, so please excuse the repetition. Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    First, open Pocket KillBox, Select Tools and Delete Temp Files.

    Now, run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\dhskio.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    DO THE SAME FOR EACH OF THE FOLLOWING ENTRIES:

    C:\WINDOWS\SYSTEM32\en6ol1~1.dll
    C:\WINDOWS\SYSTEM32\g2402c~1.dll
    C:\WINDOWS\SYSTEM32\gniplus.dll
    C:\WINDOWS\SYSTEM32\gp22l3~1.dll
    C:\WINDOWS\SYSTEM32\irpql5~1.dll
    C:\WINDOWS\SYSTEM32\irrsl5~1.dll
    C:\WINDOWS\SYSTEM32\k4080e~1.dll
    C:\WINDOWS\SYSTEM32\k4620e~1.dll
    C:\WINDOWS\SYSTEM32\m6nqlg~1.dll
    C:\WINDOWS\SYSTEM32\mwvcp70.dll
    C:\WINDOWS\SYSTEM32\myawt.dll
    C:\WINDOWS\SYSTEM32\n6n6lg~1.dll
    C:\WINDOWS\SYSTEM32\rssutils.dll
    C:\WINDOWS\SYSTEM32\swlgntfy.dll


    FINALLY, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    Allow your machine to reboot after the final entry and scan again with DLL Compare. Hopefully, it'll be clean and we can move on to step 2. If not, repeat the process on All new entries created ON or AFTER Dec. 19, 2004. Remember to check Replace on Reboot and Use Dummy for each. Always end with C:\WINDOWS\SYSTEM32\guard.tmp.

    Once the DLL Compare log is clean, please attach it along with a fresh FindIt.bat log.

    Also, look again for C:\WINDOWS\SYSTEM32\guard.tmp and, if it remains, fire up KillBox and Delete it using Standard File Kill option.

    Let me know if you have any problems with the above - I'll try to check back when time permits.

    Best Luck :)
    PP
     
    Last edited by a moderator: Dec 21, 2004
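The Replace on Reboot / Use Dummy steps above work because Windows lets a program queue a file rename or delete that the session manager carries out early in the next boot, before the in-use DLLs can be loaded again; the queue lives in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and is written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT. Whether KillBox uses exactly this mechanism is an assumption on my part, not something the thread states. As an added example (not KillBox's code), this Python script decodes that value's format so you can see, before rebooting, which files are queued to be overwritten or deleted: each pair is source then destination, an empty destination means delete, and a destination starting with "!" means replace an existing file. The dummy path and the two queued operations are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Kernel-style path prefix that the queue stores in front of Win32 paths.
NT_PREFIX = "\\??\\"


@dataclass
class PendingOp:
    action: str        # "delete", "replace" or "rename"
    source: str        # file that exists now
    destination: str   # file written at next boot ("" for delete)


def encode_multi_sz(strings: list[str]) -> bytes:
    """Build REG_MULTI_SZ bytes: UTF-16-LE, each string NUL-terminated,
    plus a final NUL. Used here only to construct the sample value."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> list[str]:
    """Split REG_MULTI_SZ bytes back into strings, preserving empty strings
    in the middle (an empty destination is meaningful here)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):          # drop the list terminator
        text = text[:-1]
    parts = text.split("\0")
    if parts and parts[-1] == "":     # drop the last string's own terminator
        parts.pop()
    return parts


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(raw: bytes) -> list[PendingOp]:
    """Turn the raw PendingFileRenameOperations value into PendingOp records."""
    strings = decode_multi_sz(raw)
    if len(strings) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops: list[PendingOp] = []
    for src, dst in zip(strings[::2], strings[1::2]):
        src = strip_nt_prefix(src)
        if dst == "":
            ops.append(PendingOp("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", src, strip_nt_prefix(dst[1:])))
        else:
            ops.append(PendingOp("rename", src, strip_nt_prefix(dst)))
    return ops


def affected_paths(ops: list[PendingOp]) -> dict[str, str]:
    """Map each on-disk path that changes at boot to what happens to it."""
    result: dict[str, str] = {}
    for op in ops:
        if op.action == "delete":
            result[op.source] = "deleted"
        else:
            result[op.source] = "moved away"
            result[op.destination] = "overwritten"
    return result


# Constructed sample: a dummy file queued to replace one of the DLLs from the
# list above, followed by a queued deletion of guard.tmp. The dummy's
# location is a placeholder, not KillBox's real temp path.
SAMPLE_RAW = encode_multi_sz([
    NT_PREFIX + "C:\\WINDOWS\\TEMP\\killbox_dummy.tmp",
    "!" + NT_PREFIX + "C:\\WINDOWS\\SYSTEM32\\dhskio.dll",
    NT_PREFIX + "C:\\WINDOWS\\SYSTEM32\\guard.tmp",
    "",
])


if __name__ == "__main__":
    for path, fate in affected_paths(parse_pending_ops(SAMPLE_RAW)).items():
        print(f"{fate:12} {path}")
```

On a live machine you would feed `parse_pending_ops` the bytes read from that registry value (for example with the `winreg` module); an unexpected entry in the queue, whether queued by a cleanup tool or by the infection itself, is worth knowing about before the reboot that carries it out.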
