VX2 help plz

Discussion in 'Malware Help (A Specialist Will Reply)' started by trashguy, Jan 15, 2005.

  1. trashguy

    trashguy Private E-2

    After trying to do this myself all day I finally decided to ask for help. I keep on getting a VX2 alert from both TrojanHunter and MS AntiSpy. Each time I choose to fix it, but the problem comes back. I have tried using KillBox on the files that it says are infected, but there just seem to be more files each time I reboot. Here are my HijackThis and FindIt logs. Both were done in normal mode and the comp has not been shut down yet. Thanks in advance for all your help.

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Thanks again
     

    Last edited by a moderator: Jan 15, 2005
  2. trashguy

    trashguy Private E-2

    Sorry for posting both logs right away, I just need to get this figured out fast. Thanks again for any and all help.
     
  3. PhilliePhan

    PhilliePhan Guest

    Hang in there - We'll get to you as soon as we can :) Chas and I have been extra busy lately and that translates to less free time for MGs.

    PP :)
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Trashguy,

    Please Uninstall Microsoft Anti-Spyware before working these steps. It may interfere with them.


    Also, please make sure your KillBox is the latest version. Get a fresh one here, and also download VX2Finder:

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox



    I'm giving you the "All in one" version of the workthrough in the hope of saving some time. With some luck, things will run smoothly - Otherwise we may have to repeat a few steps!

    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. Also look for guard.tmp9061.tcf & guard.tmp.tcf - If you do not find these, please continue with the other instructions and ENTER guard.tmp AS DIRECTED ANYWAY.

    Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\irjql5151.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\fpl0033me.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\bbowsewm.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    You get the idea... Now, do the same for the rest of them:

    mmscp.dll
    daloader.dll
    TPPELIB.DLL
    xylehlp.dll
    lv0u09d9e.dll
    onbccr32.dll
    CGPBK32.DLL
    q686lgls16q6.dll
    o4840elqehqe0.dll
    n0r2la9o1d.dll
    AWTHZ.DLL
    jtn6075se.dll
    s0pu0a79ed.dll
    gp02l3do1.dll
    ir0ml5d11.dll
    mvrsl9971.dll
    c6000gdme60a0.dll
    hr8s05l7e.dll
    irp8l57u1.dll
    enn2l15o1.dll
    fp4o03h3e.dll
    m2rmlc911f.dll
    d4j00e1meh.dll
    SVE.DLL
    lvn8095ue.dll
    m2460chsef460.dll
    en68l1ju1.dll
    enj6l11s1.dll
    dnnq0155e.dll
    m0rmla911d.dll
    NILANUI.DLL
    mv2ml9f11.dll
    k6620gjoe6oc0.dll
    ktp6l77s1.dll
    CYRSRV.DLL
    p08q0al5edq.dll
    KYDBR.DLL
    hrn4055qe.dll
    jt8m07l1e.dll
    jtp8077ue.dll
    lvjm0911e.dll


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO .

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp9061.tcf into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO .

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp.tcf into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO .


    NOW, you will be entering more items into Pocket KillBox. However, this time just select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:


    C:\WINDOWS\system32\gqwcuw.dll
    C:\WINDOWS\system32\gqycuy.dll
    C:\WINDOWS\system32\pazhuz.exe
    C:\WINDOWS\system32\znoepo.dll
    C:\WINDOWS\SYSTEM32\qkapua.dat
    C:\WINDOWS\SYSTEM32\ygiwui.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yiuhgu.exe


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NEXT:

    Double-check to make sure that all versions of guard.tmp have been removed. If any somehow remain, feed them to Pocket KillBox and Delete them using Standard File Kill.

    C:\WINDOWS\SYSTEM32\guard.tmp
    C:\WINDOWS\SYSTEM32\guard.tmp9061.tcf
    C:\WINDOWS\SYSTEM32\guard.tmp.tcf


    AnyHoo, once they are gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg



    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{580A614D-36D4-4F24-8C85-1CA40A8F9D26}"=-

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-




    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HJT log and we'll see where you stand.

    Let me know about any problems that you may have run into completing the above! Been very busy lately, but I will try to check back when time permits.

    PP :)
     
    Last edited by a moderator: Jan 16, 2005
  5. trashguy

    trashguy Private E-2

    Here are the new logs. Thanks again.
     

  6. PhilliePhan

    PhilliePhan Guest

    Well, we made a small dent! We'll take another pass at it - I'll copy and paste!
    Be sure to follow the steps carefully, even if I seem to be repeating myself!


    ALSO: Let me know how you do finding the various GUARD Files


    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. Also look for guard.tmp9061.tcf & guard.tmp.tcf - If you do not find these, please continue with the other instructions and ENTER guard.tmp AS DIRECTED ANYWAY.

    Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\gp02l3do1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\hr8s05l7e.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\irp8l57u1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    You get the idea... Now, do the same for the rest of them:

    enn2l15o1.dll
    en68l1ju1.dll
    k6620gjoe6oc0.dll
    ktp6l77s1.dll
    jt8m07l1e.dll


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO .

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp9061.tcf into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO .

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp.tcf into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO .


    NOW, you will be entering more items into Pocket KillBox. However, this time just select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:


    C:\WINDOWS\system32\wsxsvc
    C:\WINDOWS\system32\vmss
    C:\WINDOWS\system32\gqwcuw.dll
    C:\WINDOWS\system32\gqycuy.dll
    C:\WINDOWS\system32\pazhuz.exe
    C:\WINDOWS\system32\znoepo.dll
    C:\WINDOWS\SYSTEM32\qkapua.dat
    C:\WINDOWS\SYSTEM32\ygiwui.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yiuhgu.exe


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NEXT:

    Double-check to make sure that all versions of guard.tmp have been removed. If any somehow remain, feed them to Pocket KillBox and Delete them using Standard File Kill.

    C:\WINDOWS\SYSTEM32\guard.tmp
    C:\WINDOWS\SYSTEM32\guard.tmp9061.tcf
    C:\WINDOWS\SYSTEM32\guard.tmp.tcf


    AnyHoo, once they are gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it 2fixvx2.reg



    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Narrator"=-




    Now:
    DoubleClick on the 2fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HJT log and we'll see where you stand.

    Let me know about any problems that you may have run into completing the above! Again, let me know how you do with Guard.tmp files.

    PP :)
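Added worked example (not code posted by PhilliePhan or anything from MajorGeeks): a small Python parser for the REGEDIT4 format used by the fixvx2.reg and 2fixvx2.reg files in the two fix posts above. Merging a .reg file is irreversible without a backup, so it is worth reading back exactly what it will do first: `[-Key]` deletes a whole key (here the StillImage entry under Winlogon\Notify, a load point whose DLL winlogon.exe loads at logon), and `"Name"=-` deletes a single value (the Narrator entry in the Run key and the GUID under User Agent\Post Platform). The sample text is constructed from the thread's entries with one key header per line; the second sample reproduces the layout problem where two headers landed on one line, which the parser rejects rather than guessing which key the following value belongs to.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entries from the thread's fixvx2.reg, laid out with
# one key header per line as the REGEDIT4 format requires. 2fixvx2.reg in the
# later post is the same file minus the Post Platform section.
FIXVX2_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{580A614D-36D4-4F24-8C85-1CA40A8F9D26}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-
"""

# Constructed sample reproducing the layout problem seen in the thread: two key
# headers pasted onto one line (placeholder key names, not from the page).
BAD_REG = (
    "REGEDIT4\n"
    "[-HKEY_LOCAL_MACHINE\\Software\\X] [HKEY_LOCAL_MACHINE\\Software\\Y]\n"
    "\"Narrator\"=-\n"
)

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "Name"=data  or  @=data  (the '@' form is the key's default value)
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


@dataclass
class RegOp:
    """One change a .reg file asks regedit to make."""
    action: str                   # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None    # value name; "(Default)" for '@'
    data: Optional[str] = None    # raw right-hand side, kept as text


def parse_reg(text: str) -> List[RegOp]:
    """Turn .reg text into a list of operations, in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / 5.00 header")
    ops: List[RegOp] = []
    current: Optional[str] = None     # key the following values belong to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if "]" in body:           # a second header on the same line
                raise ValueError(f"one key header per line: {raw!r}")
            if body.startswith("-"):
                ops.append(RegOp("delete_key", body[1:]))
                current = None        # values cannot follow a key deletion
            else:
                current = body
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2).strip()
        if data == "-":
            ops.append(RegOp("delete_value", current, name))
        else:
            ops.append(RegOp("set_value", current, name, data))
    return ops


def describe(ops: List[RegOp]) -> List[str]:
    """Plain-language summary, one line per operation."""
    out = []
    for op in ops:
        if op.action == "delete_key":
            out.append(f"delete key   {op.key}")
        elif op.action == "delete_value":
            out.append(f"delete value {op.name!r} under {op.key}")
        else:
            out.append(f"set value    {op.name!r} = {op.data} under {op.key}")
    return out


if __name__ == "__main__":
    for summary in describe(parse_reg(FIXVX2_REG)):
        print(summary)
```

The parser handles the delete-only fix files used in this thread plus simple single-line values; multi-line `hex(...)` continuations with trailing backslashes are not supported. Run it against a .reg file before double-clicking it, and export the affected keys from regedit first so the change can be undone if a listed value turns out to be legitimate.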
     
