Vx2 malware help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bhulk, Jul 8, 2005.

  1. bhulk

    bhulk Private E-2

    My computer has been infected by VX2 malware. I've tried to remove it with Ad-Aware, but when I scan again it comes back. I have even installed the VX2 Cleaner add-on, but it says my PC is clean. How do you remove it? It's driving me nuts. Help would be appreciated.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Bhulk,

    Let's see what a HijackThis log has to say . . . . Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis ! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I will try to check back as time permits.

    PP :)
     
  3. bhulk

    bhulk Private E-2

    OK, here is the log.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    You forgot to do the above - Very Important!

    Also, you have a number of additional issues in that log, so please do the following:

    -- FIRST: Please run the uninstaller here: http://www.mypctuneup.com/

    -- THEN: Run through the steps in the link below and then attach a fresh HJT Log and we'll manually remove whatever remains.

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    I'll check back as time permits.

    Best Luck :)
    PP
     
  5. bhulk

    bhulk Private E-2

    OK, I copied it to the folder.
     
  6. PhilliePhan

    PhilliePhan Guest

    Be sure to extract HJT - Don't run it from the ZIP ;)
     
  7. bhulk

    bhulk Private E-2

    OK, here is the new log.
     

    Attached Files:

  8. bhulk

    bhulk Private E-2

    I am going to run HijackThis again; I forgot to do the instructions that you said.
     
  9. PhilliePhan

    PhilliePhan Guest

    AllRightyThen! Log looks much better - Just a few issues remain.

    Also, navigate to this folder and tell me what is in it --> F:\WINDOWS\SYSTEM\DRIVER

    Will wait for new log before posting any steps.

    PP :)
     
  10. bhulk

    bhulk Private E-2

    In the folder there is a text document file named "Copy (5) of 3" and it doesn't say anything. There is another text file named "New Text Document (5)" and it has a bunch of letters and numbers. The other things that are in there are win32.dll, Driver32.dll, schost.dll, and win32.dll~.
     
  11. PhilliePhan

    PhilliePhan Guest

    Those look and sound like malware to me - I'm leaning toward asking you to delete the entire folder.

    Can you rightclick them and get Property and Version info (if any)?
    Or, submit a few of those files here for a quick scan: kaspersky - scanforvirus

    Let me know what they say + Don't forget that fresh HJT log and we'll finish this up.

    These definitely need to be removed, but I want to err on the side of caution before removing that entire folder . . . . .
    O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
    O23 - Service: NTLOAD - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    O23 - Service: NTSVCMGR - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe


    PP :)
     
  12. bhulk

    bhulk Private E-2

    They don't have any property or version info. Also, when I try to upload them for a scan, I type in the file name, but it says not found. I am about to go to the Safe Mode part of those instructions you gave me.
     
  13. PhilliePhan

    PhilliePhan Guest

    OK - There really was not much left to fix in that last log, other than those O23s and F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe

    Check and see if this is still on machine F:\WINDOWS\Nail.exe

    I am cutting out for a while . . . .

    PP :)
     
  14. bhulk

    bhulk Private E-2

    OK, I have followed your directions. Here is the fresh new HJT log file.
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    OK! It is up to you if you want to remove that entire F:\WINDOWS\SYSTEM\DRIVER Folder.

    All that is left to do is the following:

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    ntuser.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
    O23 - Service: NTLOAD - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    O23 - Service: NTSVCMGR - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    F:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
    F:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
    or the folder as you see fit.

    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.


    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. Are there any problems that remain?
    I will try to check back when time permits - Likely Sunday.

    Best luck :)
    PP
     
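    The instructions in the post above apply a few mechanical rules to the log: Shell= must be exactly Explorer.exe, a service listed with "Unknown owner" earns a look at its binary, and an O3/O9 entry ending in "(no file)" is an orphaned registration. As an added example, not code from the thread or from HijackThis, here is a small Python script that applies those rules to HJT log lines and separates "tick in HJT and click Fix" from "delete in Safe Mode". The sample input is constructed: the entries quoted in this thread plus one invented benign service line (Windows Audio) so a service with a vendor name is exercised; the `triage` function and its output shape are assumptions of this example.

```python
"""Triage of HijackThis (HJT) log lines: which entries to tick before
clicking Fix, and which binaries those entries point at."""
import re
from collections import defaultdict

# Constructed sample input: the entries quoted in the thread above, plus one
# benign-looking service line (Windows Audio) invented here so that a service
# with a vendor name is exercised alongside the "Unknown owner" ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - F:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - F:\WINDOWS\system32\svchost.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
STARTPAGE_RE = re.compile(r"^R[01] - (?P<key>.+?) = ?(?P<value>.*)$")


def triage(log_text):
    """Return (to_fix, files, notes).

    to_fix: log lines to tick in HJT before clicking Fix.
    files:  binaries those entries load; delete them in Safe Mode after the Fix,
            since Fix removes the registration, not the file.
    notes:  the reason for each decision, for the analyst.
    """
    to_fix, files, notes = [], [], []
    services_by_binary = defaultdict(list)

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = SHELL_RE.match(line)
        if m:
            # Shell= must be exactly Explorer.exe; anything appended is launched
            # at every logon. (Paths containing spaces would need quoting to split safely.)
            extra = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
            if extra:
                to_fix.append(line)
                for p in extra:
                    if p not in files:
                        files.append(p)
                notes.append(f"Shell= also loads {' '.join(extra)}; only Explorer.exe belongs there")
            continue

        m = SERVICE_RE.match(line)
        if m:
            name, owner, path = m.group("name", "owner", "path")
            services_by_binary[path.lower()].append(name)
            if owner == "Unknown owner":
                to_fix.append(line)
                if path not in files:
                    files.append(path)
                notes.append(f"service {name}: no vendor info, runs {path}")
            continue

        clsid = CLSID_RE.search(line)
        if line.startswith(("O3 - ", "O9 - ")) and line.endswith("(no file)") and clsid:
            # Toolbar / extra-button registration whose file is gone: an orphan, safe to fix.
            to_fix.append(line)
            notes.append(f"{line[:2]} {clsid.group(0)}: registration without a file on disk")
            continue

        m = STARTPAGE_RE.match(line)
        if m and not m.group("value"):
            to_fix.append(line)
            notes.append(f"{m.group('key')}: empty value, reset it")

    # One binary behind several service names is a persistence pattern worth calling out.
    for path, names in services_by_binary.items():
        if len(names) > 1:
            notes.append(f"{path} is registered as {len(names)} services ({', '.join(names)})")

    return to_fix, files, notes


if __name__ == "__main__":
    to_fix, files, notes = triage(SAMPLE_LOG)
    print("Tick in HijackThis:", *to_fix, sep="\n  ")
    print("Delete in Safe Mode:", *files, sep="\n  ")
    print("Notes:", *notes, sep="\n  ")
```

    Run it directly to print the three lists; on a real log, pass the contents of the saved .txt file instead of the sample. The split into two lists is the point: ticking an O23 or F2 entry and clicking Fix removes the registration, while the file it pointed at stays on disk until it is deleted in Safe Mode, which is why the post has you do both and why it asks to end ntuser.exe first. The script also notices that ntsrv.exe is registered twice (NTLOAD and NTSVCMGR), a detail that is easy to miss reading the log by hand.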
  16. bhulk

    bhulk Private E-2

    I have a problem: when I try to scan with Spybot in Safe Mode, an error message pops up and says "There is no disk in drive. Please insert a disk into drive."
     
  17. bhulk

    bhulk Private E-2

    Here is the new log; I don't know if it's clean or not.
     

    Attached Files:

  18. PhilliePhan

    PhilliePhan Guest

    The new HJT Log looks OK to me.
    Are you having any further problems? Were you able to get SpyBotSD to function properly?

    PP :)
     
  19. bhulk

    bhulk Private E-2

    I am still not able to run Ad-Aware or Spybot in Safe Mode without the error message coming up, but I can with SpySweeper. At least my computer is clean. Thanks a ton, you rock!
     
  20. PhilliePhan

    PhilliePhan Guest

    Happy to help! :)

    Have you tried reinstalling Ad-aware and Spybot? Do they run in normal boot?

    And, while it doesn't address that problem, you might try ewido security suite ! I am liking it a lot these days, moreso than some of the other popular tools . . . .

    PP :)
     
  21. bhulk

    bhulk Private E-2

    Yes, they still work in normal boot mode. I have tried reinstalling them too; it still doesn't work. Thanks again for the help, I'll try out ewido.
     
  22. PhilliePhan

    PhilliePhan Guest

    Good - I think you'll like it!

    I hate to say it, but I do not know why Spybot and Ad-aware do not run in Safe Mode. I'm sure the answer is somewhere in the back of my brain, but I'm drawing a blank. I've dealt with many occasions where they fail to complete a scan, but the error message you describe eludes me. Sorry!

    You might find an answer here: SpyBot S&D Forum --- Ad-aware Forum

    They would be the best places to find the solution.

    Best luck :)
    PP
     
