
Vx2 Pest


8 replies to this topic

#1 jgags


Posted 11 February 2006 - 09:36 PM

Hello everyone,
I've been attempting to delete a VX2 file from my system with no luck. I've tried SPYBOT, ADAWARE and NORTON with no luck. Even when I go into safe mode, I can't delete it. Any ideas?


 


#2 acklan


Posted 11 February 2006 - 10:09 PM

I hope this will be what you need. I could re-write it but why mess with perfection.

http://www.bleepingcomputer.com/forums/t/34408/how-to-remove-the-aurora-nailexe-svcprocexe-epolvy-hijacker/
"2007 & 2008 Windows Shell/User Award"

#3 -David-


Posted 12 February 2006 - 05:25 AM

Hi jgags

I'm not too sure but that tutorial that acklan offered won't actually fix the VX2 file - 2 different infections. Most likely you have a Look2Me file lurking on your computer. The best scanner for removing orphaned VX2 files is the VX2 ad-ware plugin. You can find it here.

Let me know if that removes the file. If it doesn't you may have a larger infection that will need special attention. Can you tell me if you get pop-ups?

David

#4 jgags


Posted 12 February 2006 - 03:57 PM

David,
I tried the VX2 plugin from Adware to no avail. When I run the plugin I get this message:
Possible new variant found, please submit the file contained in
C:\vx2logs.txt for analysis.
It will only let me close out of the plugin afterwards.
As to popups, I must get at least 10 an hour, even when I am not online... there just goes another
Any ideas?

#5 -David-


Posted 12 February 2006 - 04:16 PM

Hi jgags

Here is what I recommend we do. As you seem pretty eager to get this infection removed, I would like you to try this brand new fix. After that I am going to get you to post a HijackThis log, but I will give instructions later.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log by using AddReply -function.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
So post the log it makes and we can go from there :thumbsup:
David

#6 jgags


Posted 12 February 2006 - 10:33 PM

Ok, completed the LOOK2ME - DESTROYER scan.
Here's what I got.
Look2Me-Destroyer V1.0.1

Scanning for infected files.....
Scan started at 2/12/2006 10:20:49 PM

Infected! C:\WINDOWS\system32\p24u0ch9ef4.dll
Infected! C:\WINDOWS\system32\wvhatm.dll
Infected! C:\WINDOWS\system32\jt8o07l3e.dll
Infected! C:\WINDOWS\system32\f4j2le1o1h.dll
Infected! C:\WINDOWS\system32\m2polc731f.dll
Infected! C:\WINDOWS\system32\p24u0ch9ef4.dll
Infected! C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133802.dll
Infected! C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133803.dll
Infected! C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133804.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\p24u0ch9ef4.dll
C:\WINDOWS\system32\p24u0ch9ef4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wvhatm.dll
C:\WINDOWS\system32\wvhatm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jt8o07l3e.dll
C:\WINDOWS\system32\jt8o07l3e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\f4j2le1o1h.dll
C:\WINDOWS\system32\f4j2le1o1h.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m2polc731f.dll
C:\WINDOWS\system32\m2polc731f.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p24u0ch9ef4.dll
C:\WINDOWS\system32\p24u0ch9ef4.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133802.dll
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133802.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133803.dll
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133803.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133804.dll
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133804.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A53B5CEA-D81B-4EE7-AE8D-D63B369693FF}"
HKCR\Clsid\{A53B5CEA-D81B-4EE7-AE8D-D63B369693FF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3BCB21CF-E833-4D3D-868A-ED0EEA6F548F}"
HKCR\Clsid\{3BCB21CF-E833-4D3D-868A-ED0EEA6F548F}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring Administrator SeDebugPrivileges

What's next?
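
Added example, not part of the original thread and not Look2Me-Destroyer's own code: a Python sketch that reconciles the log posted above, checking that every path flagged `Infected!` has a matching `Deleted successfully!` line and collecting the registry keys the tool removed. The sample log is abridged from the post, and the function name `reconcile` is hypothetical.

```python
import re

# Abridged from the Look2Me-Destroyer log posted above.
SAMPLE_LOG = r"""
Infected! C:\WINDOWS\system32\p24u0ch9ef4.dll
Infected! C:\WINDOWS\system32\wvhatm.dll
Infected! C:\WINDOWS\system32\p24u0ch9ef4.dll
Infected! C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133802.dll

Attempting to delete: C:\WINDOWS\system32\p24u0ch9ef4.dll
C:\WINDOWS\system32\p24u0ch9ef4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wvhatm.dll
C:\WINDOWS\system32\wvhatm.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133802.dll
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP543\A0133802.dll Deleted successfully!

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability
"""

INFECTED = re.compile(r"^Infected!\s+(.+)$")
DELETED = re.compile(r"^(.+?)\s+Deleted successfully!$")
REMOVING = re.compile(r"^Removing:\s+(.+)$")

def reconcile(log_text):
    """Return what the tool flagged, what it confirmed deleted, and what is left."""
    flagged, deleted, reg_keys = [], set(), []
    for line in map(str.strip, log_text.splitlines()):
        if m := INFECTED.match(line):
            path = m.group(1).lower()      # Windows paths are case-insensitive
            if path not in flagged:        # the tool lists some files twice
                flagged.append(path)
        elif m := DELETED.match(line):
            deleted.add(m.group(1).lower())
        elif m := REMOVING.match(line):
            reg_keys.append(m.group(1))
    return {
        "flagged": flagged,
        "not_confirmed": [p for p in flagged if p not in deleted],
        "restore_point_copies": [p for p in flagged if "\\_restore{" in p],
        "registry_keys": reg_keys,
    }

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_LOG).items():
        print(key, value)
```

Any path left in `not_confirmed` is one the tool flagged but never reported as deleted, which is the case worth raising before moving on to the HijackThis log.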

#7 -David-


Posted 13 February 2006 - 04:40 AM

Hi jgags

Well done, are you still getting pop-ups?

I want you to follow the HijackThis preparation guide which can be found here. It is important that you follow the guide closely. A number of scans will be run which may well fix your problem.

As the guide says, after you have completed the scans that are recommended, please post your "HijackThis" log in a new topic in the forum found here. Please add your system information and also what problems you are having. Please be patient, and a HJT team member will help you to clean up your system.

David

#8 jgags


Posted 13 February 2006 - 10:55 PM

David,
Thank you for your time and help in trying to get rid of this virus. It seems so far so good. I have not had any pop-ups and the AD-Aware and Spy Doctor programs do not pick up any signs of the virus. I posted a Hijack this log to the other forum that you said. Once again thank you.

Sincerely, John

#9 -David-


Posted 14 February 2006 - 04:56 AM

Anytime :thumbsup: Please be patient, and a HJT team member will help you to clean up your system.

David



