Vx2.better internet - can't get rid of this

I just got in on this thread today, and wondered if you had tried to uninstall the Superbar, since it was listed as a program. If it carried the payload, deleting it would probably just leave the garbage behind anyway. But it's junk that should have been removed as soon as it was noticed. Am also wondering why no one has suggested editing this nasty little piece of business out of the registry and be done with it?

It would seem that simply opening REGEDIT and navigating to the keys mentioned in the scans and deleting the values would stop the thing from doing it's business. Removing the strings highlighted in red below should accomplish that. As always, before playing with the registry, back it up !!!

HKEY_CLASSES_ROOT
Object : CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

HKEY_CLASSES_ROOT
Object : CLSID\{56208780-355E-11D8-8736-0020E0626331}

HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value : {DDFFA75A-E81D-4454-89FC-B9FD0631E726}

 

Unfortunately, the .vbs and autoexec.bat approach didn't work. As for regedit, I can only find 1 of the keys (the CLSID one), and it just comes back after I delete it.

Do I need to look into upgrading the OS?

 

However, in the registry there are 2 similar folders under HKEY_LOCAL_MACHINE:

SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

and

SOFTWARE\Microsoft\Windows\CurrentVersion\ShellExtensions\Approved

(one has a space between shell & extensions)

Is that normal?

 

We have done this over and over. Removed the file and then the registry entries. They keep returning. Another Expert member at Spywareinfo has found a utility to remove the file and has had success removing L2M from Windows 98.

There is also another utility, but lets try hers.

Go here and get her instructions. See if they take this time. Removing the file during a reboot and then removing the registry entries after a return to Windows.

http://www.spywareinfoforum.com/index.php?showtopic=23715&view=findpost&p=132649

 

You will find the name of the file by looking in the registry here:

HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}\InProcServer32

Highlight InProcServer32 in the left pane and look in the right for the defualt value. The filename will be there.

 

Cool. I ran that program. I'm not sure if I understand the last post, but I went to the registry, and {DDFFA75A-E81D-4454-89FC-B9FD0631E726} is not in the HKEY_CLASSES_ROOT\CLSID folder anymore. I'm going to run Ad-Aware again....

 

IT WORKED! I CANNOT BELIEVE IT!

This is awesome. Thank you so much. Ad-Aware came up with 0 objects, the registry keys are gone, and the c:\windows\system\msg{b.s.} file is no longer in explorer. I'm going to go online for the final test, and hopefully nothing will happen - fingers crossed.

Since I have to do this at home, I'll update you on the results tomorrow.

YOU ROCK!

 

You're welcome. I'll let freeatlast know it worked. She found this utility.

 

Thanks Mo (and FAL)

It's good to have a few ladies teach us guys what makes their computers tick.

Regards,

Pieter

 

Yes, and please let anyone else who worked on this know how much I appreciate it - VERY much. Mosaic, Tony, Pieter, freeatlast - the time and energy you spend for others is inspiring. My wife thanks you as well. You all saved us a whole lot of time and $$$....and we got to learn a little in the process.

Peace to all, and have a Happy New Year!