So I have just recovered from a very persistent VX2 abetterinternet malware; each time you rebooted it would rename itself, making it impossible to hunt down. It would also continually re-install spyware, adware etc. This is the advice I received from a very, very helpful guy.
A step by step guide to removing the stuff. Perhaps worth a sticky???
Don't worry - you just need to follow certain procedures. Read on........
Sorry to hear you have the VX2 bug. The good news I have for you is you are about to send it packing! I've successfully removed it from three systems in the last week. One of them was my parents' system. I'm pretty good at getting rid of spyware and such - I'm a computer technician by trade - done a lot of research in the last year because more and more of my customers' systems were completely infected. I needed to learn how to bring systems back to working order.
Then I discovered the fix. As I stated before, the problem stems from various DLL files in the system32 folder. These DLLs cannot be deleted by conventional means (clicking on them and pressing Delete) and also rename themselves after every boot as a means of protecting their identity, thus making it difficult for you and me to delete them. They also add three lines to your hosts file, which is found in the system32\drivers\etc folder. However, using DLLCompare (http://downloads.sub.../DllCompare.exe) and Pocket Killbox (http://www.bleepingc...les/killbox.php), anyone can finally get rid of it. The best thing is it actually works, and they are both free! Can't beat that.
Oh yeah - here's another tip for you - try Webroot's Spysweeper - I've had good luck with that. Free for 30 days - 30 or 40 bucks after that if you like it - found a bunch of stuff that my usual tools didn't find. I always use Spybot, Ad-Aware, HijackThis, also fond of Pest Patrol. Spysweeper is very helpful in most cases. Haven't found any one product that takes care of everything though. I also like the new Microsoft AntiSpyware - does more than get rid of spyware - actually notifies you when changes are about to take place and lets you intervene with registry changes, etc. And it's free as well. Worth a look!
Well, good luck! Let me know if you have any questions. I will always help anyone in need at no cost! Always glad to see someone get free from VX2.
Regards - Jim Ahlstrand
Deep breath and here goes...........
- Remove as much as possible using Ad-Aware with the most recent reference file. Reboot and have these 2 utilities ready:
DllCompare (version 22.214.171.124, which will scan for locked files created by VX2)
Killbox (version 126.96.36.199, which will be responsible for removing the files found)
Copy the dllcompare.exe to your desktop, don't just run it from the download site.
It is preset to scan the System32 directory, so nothing other than you clicking the [Run locate.com] button is required.
When the scan is complete, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the [Compare] button.
It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete, showing "Completed" in blue.
Click the button [Make a Log of what was Found].
To identify suspected VX2 files, look at the dates in the log; all will have been created in the last month or so. There are other legitimate files that may also be there, so just don't delete everything in the list either.
* DLLCompare Log version(188.8.131.52)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
D:\WINDOWS\SYSTEM32\dad8.dll Mon Dec 13 2004 3:24:48a ..S.R 223,232 218.00 K
D:\WINDOWS\SYSTEM32\enp2l1~1.dll Mon Dec 13 2004 3:09:08a ..S.R 223,232 218.00 K
D:\WINDOWS\SYSTEM32\hr0u05~1.dll Sun Dec 12 2004 10:36:04p ..S.R 224,137 218.88 K
D:\WINDOWS\SYSTEM32\hrp805~1.dll Mon Dec 13 2004 3:24:48a ..S.R 224,107 218.85 K
D:\WINDOWS\SYSTEM32\irrml5~1.dll Sun Dec 12 2004 10:14:28p ..S.R 224,427 219.16 K
D:\WINDOWS\SYSTEM32\lmexpand.dll Sun Dec 12 2004 10:36:04p ..S.R 223,232 218.00 K
D:\WINDOWS\SYSTEM32\oabcp32r.dll Mon Dec 13 2004 3:10:04a ..S.R 224,362 219.10 K
1,108 items found: 1,108 files (7 H/S), 0 directories.
Total of file sizes: 190,775,194 bytes 181.93 M
Administrator Account = True
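As an added example (not part of the post, nor code from DllCompare or Killbox), here is a small Python parser for the log format above that applies the post's "created in the last month or so" rule and builds the list of full paths to paste into Killbox, ending with guard.tmp from the same System32 folder. The sample lines, SCAN_DATE, and the reading of the attribute column's S and R as System and Read-only are assumptions.

```python
import ntpath
import re
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample in the DllCompare log format quoted above; the last file
# line is an invented old file, included to show the date filter skipping it.
SAMPLE_LOG = r"""
D:\WINDOWS\SYSTEM32\dad8.dll Mon Dec 13 2004 3:24:48a ..S.R 223,232 218.00 K
D:\WINDOWS\SYSTEM32\hr0u05~1.dll Sun Dec 12 2004 10:36:04p ..S.R 224,137 218.88 K
D:\WINDOWS\SYSTEM32\sample_old.dll Tue Aug 23 2001 12:00:00p ..S.R 45,056 44.00 K
1,108 items found: 1,108 files (7 H/S), 0 directories.
"""
SCAN_DATE = datetime(2005, 1, 5)  # constructed: the post is dated "Jan 5th"

# File line: <path> <Dow Mon D YYYY h:mm:ss a|p> <attrs> <bytes> <KB>; path is non-greedy so spaces are fine
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (?P<mon>[A-Z][a-z]{2}) "
    r"(?P<day>\d{1,2}) (?P<year>\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2})(?P<ampm>[ap])\s+"
    r"(?P<attrs>\S{5})\s+(?P<size>[\d,]+)\b"
)

class Entry(NamedTuple):
    path: str
    created: datetime
    attrs: str        # attribute column as printed, e.g. "..S.R"
    size_bytes: int

def parse_log(text: str) -> list[Entry]:
    """Return one Entry per file line; header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            stamp = f"{m['mon']} {m['day']} {m['year']} {m['time']}{'AM' if m['ampm'] == 'a' else 'PM'}"
            created = datetime.strptime(stamp, "%b %d %Y %I:%M:%S%p")
            entries.append(Entry(m["path"], created, m["attrs"], int(m["size"].replace(",", ""))))
    return entries

def vx2_candidates(entries, scan_date=SCAN_DATE, window_days=30):
    """The post's rule: created in the last month or so and still flagged S and R
    (read here as System and Read-only, an assumption about DllCompare's column)."""
    cutoff = scan_date - timedelta(days=window_days)
    return [e for e in entries if e.created >= cutoff and "S" in e.attrs and "R" in e.attrs]

def killbox_paths(candidates):
    """Full paths to paste into Killbox, then guard.tmp from the same System32 folder."""
    paths = [e.path for e in candidates]
    if paths:
        paths.append(ntpath.join(ntpath.dirname(paths[-1]), "guard.tmp"))
    return paths
```

The output is a review list, not a delete list: as the post says, legitimate files can appear in the log too, so check each candidate before entering it into Killbox.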
Now, it is most IMPORTANT that you do not reboot until all files can be entered into Killbox.
Copy Killbox to your Desktop (Do not run from the download site)
Settings for Killbox
From the menu bar click "About" and ensure you have version 184.108.40.206 or better.
Select the option "Replace on Reboot".
From the Dllcompare log copy & paste each full path into the Killbox topmost box.
i.e. a full path from our sample log would be
With the full path to the file name in the topmost textbox, click the option "Use Dummy", which will create a numbered dummy file instantly for you.
Click the Red X... and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).
Do this for every file you have matching the VX2 criteria, in the dllcompare log.
*in the sample file here, every file matches VX2 parameters and would be input into Killbox.
i.e. the top line in Killbox would have the path
and the bottom line would show a dummy file in the user's Temp directory:
D:\Documents and Settings\User\Local Settings\Temp\kbdummy.1
Do this same step for every file in the dllcompare log, (Or each file one of the forum experts/helpers etc. tell you to)
When you get to the last file in the Dllcompare log, also add in one additional file
*Be careful to include the correct path to the System32 folder, as drive letters & Windows folder names change slightly from system to system.
If this is an issue, click the [Browse] button in Killbox and navigate to guard.tmp manually (it will always be in the System32 directory, and you may need to have the Folder Options set to show hidden system files).
On that last file, close all programs and reboot your computer.
After a Reboot, Use the DllCompare again and create another log.
If all was successful, it should be empty.
At worst, it will show far fewer files, and you may have to repeat step 2 one more time.
Guard.tmp may still exist, as it is created on shutdown, but it is unprotected at this point.
Open Killbox again and paste the path to guard.tmp into the first box.
This only requires Killbox's default "Standard File Kill" setting.
If the file does exist, you will see the name guard.tmp appear in blue. Click the Red X to delete it.
Provided the DllCompare log is free of offending VX2 .dll files, you now need to repair some of the damage done to your system.
Open Killbox and copy & paste the path to the Desktop.ini for the Recycle Bin.
Click Red X to delete it.
Or simply browse to the directory under C:\ (root) called RECYCLER.
In Killbox you will also see the term Directory in blue.
Click the Red X to delete it.
*Either of these methods will fix the bug where no files are shown in the Recycle Bin and there is no option to move files to the Recycle Bin.
For ease of use, download VX2Finder.
Click the [Restore Policy] button; this will restore the removed Debug privilege for Administrators, otherwise some utilities will not function properly.
You will also need to remove the UserAgent from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
*Using the VX2Finder [UserAgent$] button will remove this,
and the Load DLL for VX2 under the Notify key.
Under this key will be a sub key holding the name of the VX2 DLL file, and it will need to be removed.
That Subkey could be called just about anything and will be different for every System.
Windows Registry Editor Version 5.00
At this point, your system will be *clean enough* to allow the other utilities such as Ad-aware & HiJackThis to remove the multiple other auto downloaded & unwanted applications you will have.
From the Killbox menu bar, click Tools & select Hosts File
It will open in Notepad; just highlight the offending entries, or basically everything under the entry
*Hijackthis will also remove these.
Info current as of Jan 5th