Help! Can't Delete VX2 Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by papertrail, Jun 8, 2005.

  1. papertrail

    papertrail Private E-2

    Please help. I have run Trend Micro's Virus Scan, Symantec Security Check, AVERT Stinger, Ad-Aware (including VX2Cleaner add-on), Spybot, and CWShredder several times. I cannot delete VX2 Malware which is using Aurora software. If you can advise me, I would greatly appreciate your help. I am a novice and will need detailed instructions. Thank you!
     
  2. Oldman

    Oldman Private First Class

    have you tried this? Also, after you run it, try rebooting to safemode and run it again. Then see if your problem still exists.
     
  3. papertrail

    papertrail Private E-2

    I downloaded the file abiemover.zip, unzipped it, and tried to run it in safe mode on my computer (Windows XP) but I think it was stopped. I also ran McAfee AVERT Stinger, Ad-Aware, Spybot, CWShredder, and Ccleaner again. When I rebooted in normal mode, I ran Ad-Aware again and came up with the following: MRU List (11 objects), VX2 (19 objects), Windows (1 object), eBates Money Maker (24 objects), Tracking Cookie (4 objects). I tried to run ABIremover again and I think it was stopped. Please help. The problems seem to be getting worse. papertrail
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following file, after download is complete run the uninstaller. When uninstall is complete reboot and post a current HJT log.

    Download Uninstaller


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  5. papertrail

    papertrail Private E-2

    Please forgive my computer ignorance. I downloaded uninstaller to c:/program files and tried to run it. I got two messages: "Could not communicate to the Network Server" and "The file C:/Documents and Settings/........./Temp/thunst.exe could not be opened." Now what? Also, how can I be sure that programs are closed before running hijack this? Thanks for your help!
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just download it again and this time save it to your desktop and run it.

    Just close ALL browsers and any other programs like Word or messengers.
     
  7. papertrail

    papertrail Private E-2

    I tried several times to run uninstaller from the desktop and it was blocked the same as before. I ran it from the website and it appeared to be successful. I am posting my Hijack This log. Thank you for your help.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsm3CC.dll

    O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitelvx32.exe
    O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\Maureen\LOCALS~1\Temp\See04152005.exe
    O4 - HKLM\..\Run: [pzxednr] c:\windows\system32\ocdigj.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzrkzm.exe reg_run
    O4 - HKCU\..\Run: [fo28RVJtQ] inegntfy.exe

    O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0002.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\Viewpoint <-- Delete this whole folder if it exists!

    C:\WINDOWS\system32\rzrkzm.exe

    C:\WINDOWS\system32\nsm3CC.dll

    C:\WINDOWS\system32\elitelvx32.exe <-- Look for other files starting with ELITE and ending with .exe There could be as many as 10 more.

    C:\WINDOWS\system32\ocdigj.exe

    C:\WINDOWS\system32\rzrkzm.exe

    inegntfy.exe <-- Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log and also follow the below and attach these logs as well.

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments.
     
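The post above separates two kinds of cleanup: entries that HijackThis "Fix checked" removes from the registry, and the files on disk that still have to be deleted by hand. As an added example (not code from the thread or from MajorGeeks), the Python below parses the R0/R1/O2/O4/O16 lines quoted in that post and splits them into a registry list and a file list, flagging the one entry (inegntfy.exe) whose path is unqualified and therefore has to be searched for; the registry key names for BHOs and Downloaded Program Files are the standard Windows locations, assumed rather than taken from the thread.

```python
import re
from collections import OrderedDict

# Constructed sample: the lines the helper told the poster to fix, re-typed as
# test input (not one of the thread's attached log files).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsm3CC.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitelvx32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzrkzm.exe reg_run
O4 - HKCU\..\Run: [fo28RVJtQ] inegntfy.exe
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0002.exe
"""

# Registry locations behind each HJT section (standard Windows keys, assumed).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
DPF_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"

R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(\w+) =\s*(.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.+)$")
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(.*?\))? - (\S+)$")
# Split an unquoted command line after the image name, so
# "C:\WINDOWS\system32\rzrkzm.exe reg_run" yields the .exe and its argument.
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|cpl|scr|com|bat))"?(?:\s+(.*))?$', re.I)


def parse_hjt(text):
    """Turn R0/R1/O2/O4/O16 lines into dicts {kind, reg, file, data}; skip the rest."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := R_RE.match(line):
            kind, hive, key, value, data = m.groups()
            entries.append({"kind": kind, "reg": (hive + "\\" + key, value), "file": None, "data": data})
        elif m := BHO_RE.match(line):
            name, clsid, dll = m.groups()
            entries.append({"kind": "O2", "reg": (BHO_KEY + "\\" + clsid, None), "file": dll, "data": name})
        elif m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            img = IMAGE_RE.match(cmd)
            image, args = (img.group(1), img.group(2) or "") if img else (cmd, "")
            entries.append({"kind": "O4", "reg": (hive + "\\" + RUN_KEY, name), "file": image, "data": args})
        elif m := DPF_RE.match(line):
            clsid, url = m.groups()
            entries.append({"kind": "O16", "reg": (DPF_KEY + "\\" + clsid, None), "file": None, "data": url})
    return entries


def cleanup_plan(entries):
    """Separate what 'Fix checked' removes (registry) from what it leaves behind
    (the file on disk), which is why the thread deletes files as a second step."""
    registry, files, unqualified = [], OrderedDict(), []
    for e in entries:
        registry.append(e["reg"])
        f = e["file"]
        if f is None:
            continue
        if "\\" not in f:
            # No drive or directory: the log alone cannot say where it lives,
            # so (as with inegntfy.exe) it must be searched for before deletion.
            unqualified.append(f)
        else:
            files.setdefault(f.lower(), f)  # dedupe case-insensitively (NTFS)
    return {"registry": registry, "files": list(files.values()), "unqualified": unqualified}


if __name__ == "__main__":
    for section, items in cleanup_plan(parse_hjt(SAMPLE_LOG)).items():
        print(section, *items, sep="\n  ")
```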
  9. papertrail

    papertrail Private E-2

    Thank you for your help. I carefully followed all of the instructions from the last post. I believe there is still a problem, but it seems to be improving--no pop-ups so far on-line. I have attached two of the requested files and will attempt to attach the third requested file with another message.
     

    Attached Files:

  10. papertrail

    papertrail Private E-2

    Attached is the third file requested. Thanks again for your help.
     

    Attached Files:

    • Log.txt
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\System32\pxpixhi.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\quqau.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\rzrkzm.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\See04152005.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\supdate.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\uci.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\temperror32.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\elitelvx32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your system. After you have rebooted attach 3 new logs.
     
  12. papertrail

    papertrail Private E-2

    I downloaded PocketKillbox, pasted in the files, and followed the instructions in your last post. Attached are the new Qoologic and RKTool logs. The new Hijack This log will be posted in a separate message. Thank you!
     

    Attached Files:

  13. papertrail

    papertrail Private E-2

    The new HijackThis log is attached.
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before you begin this fix, disable ALL antivirus and antispyware programs so it will not block anything.

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitelvx32.exe
    O4 - HKLM\..\Run: [pzxednr] c:\windows\system32\ocdigj.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzrkzm.exe reg_run
    O4 - HKCU\..\Run: [fo28RVJtQ] inegntfy.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    NEXT:
    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file popfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the popfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Be sure you check the box "End Explorer Shell While Killing File" for each file below. Also, for the DLL file, be sure you check the box "End Explorer Shell While Killing File" and "Unregister DLL before deleting".

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\pxpixhi.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\quqau.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\rzrkzm.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\elitelvx32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\ocdigj.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\inegntfy.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dadk.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted and windows has loaded, attach 3 new logs.
     
  15. papertrail

    papertrail Private E-2

    Two new log files attached--the other will be posted separately. If there are further instructions, please let me know if the computer should be in safe or normal mode. (You can assume that I know nothing about this.) Thanks so much for your help.
     

    Attached Files:

  16. papertrail

    papertrail Private E-2

    Attached is a new HijackThis log. Two other logs are attached to a separate message.
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are now clean!

    Are you having any further problems?
     
  18. papertrail

    papertrail Private E-2

    Wow. That's the news I've been waiting for! The computer still seems to be running hot and the fan is going high speed at times--the same as when I realized something bad was being downloaded, but maybe I'm just paranoid now. I'll keep running Spybot and Adaware to check for problems and will post again if something shows up. Thanks so much for using your expertise to help people rather than cause harm as some others do.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    About the heating problem, check all of the fans, make sure they are all working properly. Vacuum any dust from the inside and on the fans. Just a few things to help air move in to keep the PC cool.

    Also you should see this article on How to Protect yourself from malware!
     
  20. papertrail

    papertrail Private E-2

    Good advice. Thank you. I ran Spybot and Adaware again. Spybot came up with nothing, but Adaware showed MRUs and Tracking Cookies. Should I be concerned about these?
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, that's normal when you surf the web. Unless you run CCleaner every time you get off the web you will have MRUs and cookies.
     
  22. papertrail

    papertrail Private E-2

    Sorry to bother you again. I was enjoying my "clean" computer but now the problems are returning. Today I was fooled by a spoofing email and now I have VX2 and other problems again. I ran through Adaware, Spybot, Trend Micro, and Avert Stinger. Everything was okay except Adaware which showed FizzleBar (2 objects), Softomate Toolbar (4 objects) and VX2 (3 objects). Whoever is doing this is driving me crazy. I appreciate any help you can offer.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a current HJT log.
     
  24. papertrail

    papertrail Private E-2

    Here's the log. THANK YOU!!
     

    Attached Files:

  25. Brandon

    Brandon controlmind

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run this online scan and attach the log.

    Panda Online Scan

    After you run the above, scan with the Qoologic & Rkfiles Tools once again and attach both logs.
     
  27. papertrail

    papertrail Private E-2

    Here's the Panda log. The other two logs will be attached to a separate message.
     

    Attached Files:

  28. papertrail

    papertrail Private E-2

    Qoologic and RKTool logs attached. The Panda log is attached to a separate message. Thank You!!
     

    Attached Files:

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\pxpixhi.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\cacnarn.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\quqau.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\rzrkzm.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\supdate.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Allow Killbox to reboot your system! After you have rebooted and windows has loaded attach a fresh HJT log along with 2 new logs from the tools.
     
  30. papertrail

    papertrail Private E-2

    New HJT log attached.
     

    Attached Files:

  31. papertrail

    papertrail Private E-2

    New RKTools log attached. I could not attach a second file--will try in a separate message.
     

    Attached Files:

  32. papertrail

    papertrail Private E-2

    When I try to attach the new Qoologic log, a message appears telling me that it has already been attached to another message. It doesn't show up with the previous message. Please let me know if you received it.
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Be sure you check the box "Unregister dll before deleting"

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\supdate.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Reboot and attach 2 new logs from the tools. If you get an error of the same file being uploaded then rename the files to something you haven't used.
     
  34. papertrail

    papertrail Private E-2

    New RKTool log attached. I changed the name of the Qoologic file and still can't attach it.
     

    Attached Files:

  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, that was the bad log... it is now clean. Attach me one last HJT log and we will go from there.
     
  36. papertrail

    papertrail Private E-2

    New HJT log attached.
     

    Attached Files:

  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode, scan with HJT and have it fix the below entry:

    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzrkzm.exe reg_run

    After you remove the above entry, run CCleaner and then reboot into normal mode. After you have rebooted into normal mode attach one last HJT log.
     
  38. papertrail

    papertrail Private E-2

    The latest HJT Log attached.
     

    Attached Files:

  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further problems?
     
  40. papertrail

    papertrail Private E-2

    So far, everything seems fine. Now I'm going to attempt to remove Microsoft Java and replace it with Sun Java, then replace Internet Explorer with FireFox as recommended. Can you tell me how to change the default browser for AOL?

    Thank you again for your help and patience!! It's nice to know there are good people in the world.
     
  41. papertrail

    papertrail Private E-2

    I can't believe this. I ran Adaware this evening and VX2 showed up again! I was on-line earlier and I think something was downloaded. I have anti-virus and anti-spyware software installed and I've switched to Sun Java. I'm trying to figure out how to change my browser to FireFox. What can I do to permanently stop this? I'm very frustrated and I'm sure you must be tired of dealing with this problem!
     
  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the Ad-Aware log so I can see exactly what it's finding.
     
  43. papertrail

    papertrail Private E-2

    Thank you for responding to my latest message. (I wouldn't blame you if you didn't!) Adaware is showing only MRUs and Tracking Cookies now--no VX2. This is exactly what happened the last time. I ran Panda ActiveScan and there were 30+ infected files. I saved the log and will attach it if requested. Thanks again!
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to be safe and sure nothing is hiding, let's give the below a shot!

    Download the following utility:

    Generic Detection Tool - NT/2000/XP


    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  45. papertrail

    papertrail Private E-2

    Should I run this in safe mode?
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Just run it in normal boot mode and then post your log.
     
  47. papertrail

    papertrail Private E-2

    Generic Detection Tool Log attached.
     

    Attached Files:

  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There are a few dat files I'm not 100% sure about, I will get a second opinion before I have you remove those. For the time being,

    Download Pocket KillBox
    (Don't run it yet)

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file VX2FIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the VX2FIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\redit.cpl into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your computer. After you have rebooted and windows has loaded attach a fresh HJT log along with a new log from the utility.
     
  49. papertrail

    papertrail Private E-2

    The HJT log is attached. You also requested a log from "the utility." Which utility are you referring to?
     

    Attached Files:

  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Generic Detection Tool

    Your HJT log is clean!
     