VX2 Removal help please

Discussion in 'Malware Help (A Specialist Will Reply)' started by VelvetWood, Jan 15, 2005.

  1. VelvetWood

    VelvetWood Private E-2

    Hi
    I am having difficulty removing some stuff that redirects me to various irritating webpages.

    I have followed your sticky thread at the top for removing spyware and all went well apart from I was unable to delete two things:
    c:\windows\system32\jtrm0791e.dll
    c:\windows\system32\guard.tmp

    Having read several threads on here it looks like VX2.

    I have run HijackThis and FindIt.bat which shows a load of dll files. My question is should I just try and remove these with Pocket KillBox or do you need to take a look and make sure that I'm not wrecking my pc!

    Many thanks
    Velv
     
  2. VelvetWood

    VelvetWood Private E-2

    I have HJT and Findit output ready if it helps

    Thanks
    Velv
     
  3. PhilliePhan

    PhilliePhan Guest

    Hang in there - There are only a couple of us offering advice here and our weekends are pretty tied up :)

    Once you submit a Find.bat, you MUST NOT reboot. Please bear this in mind - I will probably not be able to deal with new threads until Monday Night. Only so much free time. . . .

    PP :)
     
  4. tigerray00

    tigerray00 Specialist

    Two things,

    First: Welcome to the forums.:)

    Second:
    Do not fret, Chaslang, or one of our other experts will come and help you as soon as they can. In the meantime, please read the following sticky if you haven't already done so. But, please don't mess with any files, unless you are absolutely certain that it shouldn't be there.

    http://forums.majorgeeks.com/showthread.php?t=38752
     
  5. VelvetWood

    VelvetWood Private E-2

    Thank you both (Tigerray and PhilliePhan)!

    I understand your time pressures. Not sure looking at all the help you give how you fit it in!

    I am in the UK so my timezone (in terms of evenings!) is somewhat different to yours. I will keep checking back, regularly, so let me know when you are ready for any HJT or FindIt logs, although I may have to rerun again because of having to reboot (or crashing as my pc has a tendency to do at the moment!)

    Thanx in advance :)
    Velv
     
  6. PhilliePhan

    PhilliePhan Guest

    Go ahead and attach your logs for me Sunday evening. I'm a few hours behind you. I'll try to post a fix by a reasonable hour, but don't hold me to it ;)

    Remember, you can't reboot after posting the logs.

    PP :)
     
  7. VelvetWood

    VelvetWood Private E-2

    Attached are my hjt and findit logs.

    I can see from reading the hjt tutorial that there is some stuff I can get hjt to sort but have left it for completeness.

    I will leave my pc on and check back regularly.

    Thanks a lot :)

    Velv
     


  8. PhilliePhan

    PhilliePhan Guest

    Hi Velv,

    Please make sure that you have fresh downloads of these tools:

    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox


    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINDOWS\SYSTEM32 for guard.tmp and make sure that the correct path is C:\WINDOWS\SYSTEM32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions & ENTER IT ANYWAY when instructed to do so.

    Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\o266lcjs1fo6.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\e4202efmgh2a2.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINDOWS\SYSTEM32\hrp2057oe.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    You get the idea . . . Now do the same for the rest of these:

    mhlbui.dll
    tXpi32.dll
    g8220ifoe82c0.dll
    e620lgfm162a.dll
    ugeg.dll
    l8n4li5q18.dll
    miiole16.dll
    adthz.dll


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .


    NEXT:

    Doublecheck to make sure that guard.tmp has been removed. If it remains, feed it to Pocket KillBox and Delete it using Standard File Kill.

    C:\WINDOWS\SYSTEM32\guard.tmp


    AnyHoo, once guard.tmp is gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg


    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{A9207305-62EC-4297-8EF0-A6C2014D3C3C}"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]



    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HJT log and we'll finish this up! Let me know if you had any trouble with the above instructions.

    As always, I will try to check back when time permits.

    PP :)
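    The two .reg files in this thread only ever remove things (a User Agent "Post Platform" value and a Winlogon\Notify subkey, which is a DLL load at logon), and that is exactly what a cleanup .reg should do. Before double-clicking a .reg someone hands you, it is worth listing what regedit would actually do with it. The script below is an added example, not one of PP's tools or anything from the MajorGeeks tutorials; it reads REGEDIT4 text and turns it into a list of operations, then flags anything that writes rather than deletes. The sample input is the fixvx2.reg from the post above; the `review_cleanup` rules are my own assumptions about what a cleanup file should look like.

```python
"""Dry-run reader for a REGEDIT4 cleanup .reg file.

Added example; not one of the tools used in this thread. It parses the
text a fix .reg would merge and lists what regedit would do, so the file
can be reviewed before it is double-clicked.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the fixvx2.reg posted in this thread (copied, not invented).
FIXVX2_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A9207305-62EC-4297-8EF0-A6C2014D3C3C}"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(HK[^\]]+)\]$')           # [KEY] opens a key, [-KEY] deletes it
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data, "name"=- deletes the value


@dataclass
class RegOp:
    action: str            # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None
    data: Optional[str] = None


def parse_reg(text: str) -> List[RegOp]:
    """Translate .reg text into the operations regedit would perform."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line; regedit would refuse the file")
    ops: List[RegOp] = []
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(RegOp("delete_key", key))
                current = None           # values cannot follow a deleted key
            else:
                current = key
            continue
        m = VALUE_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"value line outside a key: {line}")
            name, data = m.groups()
            name = "(Default)" if name == "@" else name[1:-1]
            if data == "-":
                ops.append(RegOp("delete_value", current, name))
            else:
                ops.append(RegOp("set_value", current, name, data))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return ops


def review_cleanup(ops: List[RegOp]) -> List[str]:
    """Assumed rule set: a malware-cleanup .reg should only remove things,
    and should never delete a key close to the root of a hive."""
    findings = []
    for op in ops:
        if op.action == "set_value":
            findings.append(f"writes a value instead of removing one: {op.key} -> {op.name}={op.data}")
        if op.action == "delete_key" and op.key.count("\\") < 3:
            findings.append(f"deletes a very shallow key, almost certainly a mistake: {op.key}")
    return findings


def describe(text: str) -> List[str]:
    """One readable line per operation, for eyeballing before merging."""
    return [f"{op.action:13s} {op.key}" + (f"  [{op.name}]" if op.name else "")
            for op in parse_reg(text)]


if __name__ == "__main__":
    for line in describe(FIXVX2_REG):
        print(line)
    print("findings:", review_cleanup(parse_reg(FIXVX2_REG)) or "none")
```

    For the thread's file this prints one `delete_value` under the User Agent Post Platform key and one `delete_key` for Winlogon\Notify\OptimalLayout, with no findings. A .reg that instead sets a Winlogon\Notify DLL path or rewrites `Shell`/`Userinit` would be reported, which is the case to watch for.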
     
  9. VelvetWood

    VelvetWood Private E-2

    Hi PP

    That's all done. Attached are fresh FindIt and HJT logs

    PC already much speedier. Hurray!! :)

    Thanx again
    Velv
     


  10. PhilliePhan

    PhilliePhan Guest

    Hi Velv,

    Looks like we are making some progress! A few more steps remain.

    Please scan with HijackThis and check the boxes for the following:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
    Make sure ALL Browser Windows are Closed before you click FIX.


    THEN:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it 2fixvx2.reg


    REGEDIT4
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]



    Now:
    Click on the 2fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Attach another Find.bat log and a Fresh HJT log and we'll see if we got it all this time.

    As usual, I'll try to check back as time permits.

    PP :)
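    The O1 entries PP has Velv fix are hosts-file hijacks: the names a browser consults when a typed address fails to resolve (auto.search.msn.com, search.netscape.com, ieautosearch) have all been pointed at the same outside address, which is how the "redirects to irritating webpages" happened. The script below is an added example, not part of HijackThis or of anything posted in this thread. It reads a hosts file (or HJT's own `O1 - Hosts:` lines) and flags two patterns: a search-assist hostname mapped anywhere other than loopback, and several different hostnames fanning out to one public address. The sample hosts content is constructed to mirror the O1 lines above; the hostname list and the fan-out threshold are my assumptions.

```python
"""Audit a Windows hosts file for the search-redirect pattern seen in this thread.

Added example; not a HijackThis feature. Works on raw hosts lines and on
HJT "O1 - Hosts:" log lines. Runs offline on the constructed sample below.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed list: the browser search-assist names seen in this thread's HJT log.
SEARCH_ASSIST_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}
FANOUT_THRESHOLD = 3   # assumption: 3+ distinct names on one public IP is suspicious

# Constructed sample, modelled on the O1 lines in this thread (not a real log).
HOSTS_SAMPLE = """# hosts file (constructed sample)
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
10.0.0.5 intranet.example.local   # a legitimate private mapping
"""

Finding = Tuple[int, str, str, str]   # (line number, ip, hostname or "*", reason)


def parse_hosts(text: str) -> List[Tuple[int, ipaddress._BaseAddress, List[str]]]:
    """Return (lineno, ip, [hostnames]) for every mapping line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("O1 - Hosts:"):            # accept HJT log lines too
            line = line[len("O1 - Hosts:"):].strip()
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # not a mapping line
        entries.append((n, ip, [h.lower() for h in parts[1:]]))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    findings: List[Finding] = []
    fanout: Dict[str, Tuple[int, set]] = {}
    for n, ip, hosts in parse_hosts(text):
        for h in hosts:
            if h in SEARCH_ASSIST_HOSTS and not ip.is_loopback:
                findings.append((n, str(ip), h, "search-assist hostname pointed at a non-loopback address"))
            if h == "localhost" and not ip.is_loopback:
                findings.append((n, str(ip), h, "localhost redirected"))
        if not (ip.is_loopback or ip.is_private):
            first, names = fanout.setdefault(str(ip), (n, set()))
            names.update(hosts)
    for ip, (first, names) in fanout.items():
        if len(names) >= FANOUT_THRESHOLD:
            findings.append((first, ip, "*", f"{len(names)} different hostnames fan out to one public address"))
    return findings


def clean_hosts(text: str) -> str:
    """Return the hosts text with every flagged mapping line removed;
    comments, localhost and unflagged mappings are kept untouched."""
    bad_lines = {n for n, ip, h, _ in audit_hosts(text) if h != "*"}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, ip, host, reason in audit_hosts(HOSTS_SAMPLE):
        print(f"line {n}: {ip} {host}: {reason}")
    print(clean_hosts(HOSTS_SAMPLE))
```

    Only lines with a concrete hostname finding are removed; the fan-out finding is a report, since a legitimate file can point many names at one address (a CDN or a blocklist sink), and a human should decide. On a real machine the file is `%SystemRoot%\System32\drivers\etc\hosts`, and HJT's fix does the same removal; the point of the script is to see why those lines were flagged.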
     
  11. VelvetWood

    VelvetWood Private E-2

    Hi PP,

    OK, Done that now and new logs attached.

    No rush because I am off to bed - work tomorrow.

    Once again, many many thanx :) :) :)
     


  12. PhilliePhan

    PhilliePhan Guest

    You're Welcome :) Everything looks OK to me!

    You might, however, want to take a look in your HJT Log at the O16 DPF entries and make sure that they are all wanted and have been put there knowingly by you.

    Also, have a peek at Chaslang's suggestions: Safeguarding your computer against Malware!!

    Happy Computing!

    PP :)
     
  13. VelvetWood

    VelvetWood Private E-2

    PP,

    You sir, are a gentleman, a scholar and probably a fine judge of a horse!

    I have already started looking at chaslang's thread to protect the pc and will be implementing as much as I can.

    Thank you very much and thanks MajorGeeks - what a great forum.

    Velv
     
  14. PhilliePhan

    PhilliePhan Guest

    Indeed! My only question is, Why did it take so long for someone to notice this??! ;)

    Thanks for the good words! Stick around and enjoy the site - I learn something new every day here.

    Regards,
    PP :)
     