Remove VX2.cc. Description and removal instructions

 
Title: VX2.cc

Type: Adware
Severity scale: 30 / 100
 
From the publisher:
'Vx2, Inc. is a software development company. We have developed a series of ad targeting applications such as vx2.dll that help advertisers deliver targeted ads.'


VX2.cc properties:
• Changes browser settings
• Shows commercial adverts
• Connects itself to the internet
• Hides from the user
• Stays resident in background

VX2.cc manual removal:

Delete registry values:
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, find and delete the '{00000000-5eb9-11d5-9d45-009027c14662}' key.
Delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}

Delete files:
IEHelper.dll, domlst.cch

Other programs to remove VX2.cc:

• SUPERAntiSpyware
• CounterSpy
• Windows Defender

Information added: 19/03/04
Information updated: 17/11/06

Comments from visitors:


1. by Guest. 2006-06-30 09:06:33
I can only say this to the people affected by VX2: get Spy Sweeper Retail! It erases any Spyware with considerable ease. Even the dll files which other programs can't remove are erased easily. The trick is that Spy Sweeper removes them before Windows loads on rebooting!

2. administrator login by Guest. 2005-08-13 12:08:55
I let someone use my computer and now they have me on limited login. How can I get my administrator account back? Also, the other party forgot the password they used.

3. Removed but OS permissions modified by Guest. 2005-06-08 13:06:39
Anyone know about restoring the OS Administrator privileges on XP pro after removing this spyware?

4. ewido, it worked for me, guys by Guest. 2005-06-03 19:06:57
Oh, by the way, I'm running the Firefox browser; not going through the VX2 pain again.

5. vx2 worked for me by Guest. 2005-06-03 19:06:24
Close the internet connection and try ewido security suite.
Go to Google and type it in; it should give you the link. It worked for me.

6. DAMN VX2 by Guest. 2005-06-03 18:06:20
This spyware is really a pain. I've done everything above but still can't remove it. Safe mode didn't help. I even tried the registry; even that didn't work, it kept on popping back up on restart.
HELP

frustrated XP user

7. banking by Guest. 2005-06-02 11:06:03
Is it safe to go online banking with this on your system? Concerned.

8. exceptions by Guest. 2005-05-31 17:05:14
Everything you guys are saying about this virus is true to my situation EXCEPT two key points.
There is no guard.tmp in my system32 folder and all the randomly generated files don't have numbers in them.

Perhaps I have a totally different virus?

Also, who the hell is waffy!?!?

9. Just go to the source of where and who made it!!! by Guest. 2005-05-29 10:05:35
http://www.direct-revenue.com/remove.php

10. what exactly does VX2 do? by Guest. 2005-05-17 19:05:29
Does this even hurt my comp? I know I have it but the only thing it seems to affect is Yahoo, because it makes Yahoo Messenger disconnect, unless I delete the VX2 temporarily with Xoftspy. When the VX2 comes back, sometimes Yahoo Messenger will close out again. I also get some pop-ups but I have a pop-up blocker now so only like one pops up every day. I'm not about to go and do something time-consuming like reformat my comp, I'm just trying to find a fast way to get rid of the VX2. The file is called vllkzl.(something) and it's in my system32 file; when I delete it from the registry it just comes back...

11. FORMAT C: by Guest. 2005-04-29 15:04:40
The VIRUS VX2 couldn't be removed manually or with tools like Adaware (with plugins) on a ME puter. Adaware and didn't even recognize that it was infected. Spybot S&D did, but crashed when trying to remove. I also tried the steps mentioned here with no luck. Hoping some spyware/malware guru will read this and make a better tool..

Or even death penalty to the creator(s)!!! >;)

12. help removing vx2 by Guest. 2005-04-24 01:04:24
Has anyone come up with any other options for getting rid of this? I have tried all the suggestions except for Doug's. That will be my tomorrow project. Nothing seems to work. Every time I think I have it, it pops up again??
Have tried all the listed programs and still there. Finding all kinds of crap which must be from this bug. I run scans on all my machines regularly so I know all these corrupt files were not there before.
Can I delete the file manually? And if so how do I know which are which?
Thank you for any help you can offer in removing this PIA.

13. re: comment about VX2.cc by John. 2005-04-10 15:04:02
You are lucky to be able to restore your comp to an earlier date. The vx2 has control of my restore, it won't go back past April 1st, got this f ing bug March 31st. I have downloaded and tried everything. Only thing left to do now is kill myself

14. re: comment about VX2.cc by Richard. 2005-03-30 11:03:20
This bug is stupid! Whoever made this should go to hell!

15. VX2 Removal Steps by Doug. 2005-03-16 17:03:24
Remove VX2 steps

I have pinched a lot of this from a previous contributor (Matneee) and tried to detail the steps as a lot of contributors still seem unable to delete this infection.
I am not completely sure which of the steps were the crucial ones, but this worked for me. Some of the steps may be extra, but you have got to make sure with this one. The files may disappear quicker than expected when you work through the deletion steps.

Steps to Detection of VX2 (Not really required if you know you have got it)

I noticed my computer running slowly
I downloaded and Ran Lavasoft Adaware (free version)
VX2 was listed after the scan
I went to the lavasoft site and downloaded their VX2 remover and installed it, but no luck.

Go to
http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za and download and install the free version of ZONEALARM (unless you have a firewall installed already)
The VX2 infection is characterised by Zonealarm popups showing various .exe programs asking permission to connect to the internet – refuse all permissions unless it is a program that you recognise (e.g. Microsoft software)
Then run Zonealarm and click on “Alerts and Logs”. Select “program” for the alert type
What should be seen if VX2 is present is winlogon or rundll.exe (or was it rundll32.exe?) repeatedly trying to connect to the internet every few seconds – do not give permission
If they have already been allowed to connect go to the Zonealarm program control menu and deny permissions to these 2 programs (right click on them and select the red cross)

More Detection Steps
Download the freeware program CMDLINE from:
http://www.diamondcs.com.au/index.php?page=console-cmdline or search on Google for it.
Unzip it to get CMDLINE.EXE
From the Windows START menu (win XP) select - All programs, Accessories, Command prompt
Note down the directory that is pointed to e.g. c:\Documents and Settings\Doug>
Close the command prompt window
Now copy the CMDLINE.EXE program to this directory using windows explorer
From the Windows START menu (win XP) select - All programs, Accessories, Command prompt
Type DIR (return) to check cmdline.exe is there
Type cmdline (return) to run the cmdline program

The key lines were:
1976 - C:\WINDOWS\system32\rundll32.exe
rundll32.exe "C:\WINDOWS\system32\uibui.dll",UMonitor
This showed that the rundll32.exe program was being called by C:\WINDOWS\system32\uibui.dll. The name of the dll will be different from this and will change each time you boot the computer. Also note the UMonitor label

The VX2 Problem

The Problem - The big problem seems to be this version of VX2 works due to the relationship between 3 files in the windows\system32 file - 2 .dll files and one called Guard.tmp. The problem is that you cannot delete the .dll files while the pc is on (you are told they are in use, hence AdAware has to try and delete on next boot), and these dll files seem to rename themselves randomly on startup. If you go to the windows/system32 file (well, in XP anyway - not tried it on other O/S) and sort all files by date modified, you should see them. They will have names like h6j4lg1q16.dll , On2a5o1d.dll and so on (although I can not stress enough that these file names are seemingly random - check for dlls with the latest timestamp to find them). You should also find the Guard.tmp file there. This is pretty clever in that if you delete it or re-name it, another guard.tmp file will appear before your very eyes after about 30 seconds.

Now, I am not totally certain about this, but it seems that the guard.tmp file acts as a sort of seed for the next generation of randomly named dll files and something (presumably in one of the dll files) writes the guard.tmp file. This is pretty clever I suppose, as they seem to protect each other.

The .dlls (there were usually 2 of them) did not replicate, but changed name each time the computer was booted, so the date stamp (using Windows Explorer details) was the key factor in spotting the programs, as they had the date and time of when the computer was last booted. File size was usually about 227kb.

Steps to Deletion
1 - Install (unless you did so above) AdAwareSE and update it.
2 - As with any other spyware removal, delete all temporary IE files and cookies, disable system restore on your PC, empty the recycle bin, run the disc-cleanup wizard and unplug any network/internet connections.
3 - Reboot the computer in Safe Mode (hold down F8 key whilst computer boots).
Hold down Ctrl and Alt keys together then press Del key (Delete) and if rundll.exe or rundll32.exe is running, click on it and then click “End Process”.
Run AdAware. Delete everything it finds.
4 - Run Windows Explorer. Open the C:\windows\system32 folder.
From the menu select View, Details. Click the “Date Modified” column header twice (slowly). This should put the 2 dlls to delete near the top of the list, with times of when you last booted the computer.
Also look for the guard.tmp file near the top of the list (if you can not see it, go to Tools, Folder options, click on the view tab and select “Show hidden files and folders”).
5 - Rename the Guard.tmp file to e.g. GU.tmp
6 - Right-click on guard.tmp (now called GU.tmp) and open it with notepad. Delete all the text you can see there and replace it with the word "dummy". Save this. Right clicking on the gu.tmp file should now show it to be about 7 bytes long - write protect it as well (right click on it and select properties to change this).
7 - Reboot the computer in Safe Mode again (hold down F8 key whilst computer boots).
8 – Run windows explorer and now delete the file GU.tmp as well as the two .dll files if you can.
9 - Reboot to safe mode again. I found this seemed to take a very long time when I did it. Looking in the system32 folder, you should now see a new dll with a similar random name to those mentioned above, but this time it will only be about 7 bytes long - it seems that the guard.dll file you edited has become the new dll file, although since you re-wrote it, it will no longer contain the correct instructions to continue the cycle. In effect, you have broken the chain.
Hold down Ctrl and Alt keys together then press Del key (Delete) and if rundll.exe or rundll32.exe is running, click on it and then click “End Process”.
Run windows explorer and now delete the file GU.tmp as well as the two .dll files if they are still there and if you can.
10 - Run AdAware. It will again tell you it will delete vx2 on next boot.
11 - Reboot to safe mode (again...)
Hold down Ctrl and Alt keys together then press Del key (Delete) and if rundll.exe or rundll32.exe is running, click on it and then click “End Process”.
Run windows explorer and now delete the file GU.tmp as well as the two .dll files if they are still there and if you can.
12 - Run Adaware again. This time it should show up as clean.

Check for Success
Check zonealarm – if no attempts by winlogon or rundll.exe to connect to internet then success
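
The date-stamp check described in comment 15 above, as an added example that is not part of the original comment or of any tool it names: it flags DLLs modified within a few minutes of boot and any guard.tmp in a folder listing. The `Entry`, `scan` and `triage` names, the 5-minute window, the 20% size tolerance, the `x7stub.dll` and `boot.log` entries and the sample boot time are assumptions made for illustration; the real boot time must be supplied by the caller.

```python
import os
from datetime import datetime, timedelta
from typing import NamedTuple

class Entry(NamedTuple):
    name: str
    size: int          # bytes
    mtime: datetime    # last-modified time

def scan(path):
    """List files in a real folder, e.g. an offline copy of system32."""
    entries = []
    for item in os.scandir(path):
        if item.is_file(follow_symlinks=False):
            st = item.stat(follow_symlinks=False)
            entries.append(Entry(item.name, st.st_size,
                                 datetime.fromtimestamp(st.st_mtime)))
    return entries

def triage(entries, boot_time, window=timedelta(minutes=5),
           typical_kb=227, tolerance=0.2):
    """Return (candidates, guards); a candidate is (entry, size_near_typical)."""
    low = typical_kb * 1024 * (1 - tolerance)
    high = typical_kb * 1024 * (1 + tolerance)
    candidates, guards = [], []
    for e in entries:
        name = e.name.lower()
        if name == "guard.tmp":
            guards.append(e)          # reported whatever its timestamp
        elif name.endswith(".dll") and abs(e.mtime - boot_time) <= window:
            candidates.append((e, low <= e.size <= high))
    # newest first, like sorting Explorer's "Date Modified" column
    candidates.sort(key=lambda c: c[0].mtime, reverse=True)
    return candidates, guards

# Constructed sample listing and boot time (illustrative, not real data).
BOOT = datetime(2005, 3, 16, 17, 0, 0)
SAMPLE = [
    Entry("h6j4lg1q16.dll", 232_448, BOOT + timedelta(seconds=40)),
    Entry("On2a5o1d.dll", 231_900, BOOT + timedelta(seconds=42)),
    Entry("x7stub.dll", 7, BOOT + timedelta(seconds=55)),
    Entry("Guard.tmp", 232_448, BOOT + timedelta(seconds=70)),
    Entry("kernel32.dll", 983_552, datetime(2004, 8, 4, 8, 56, 0)),
    Entry("boot.log", 2_048, BOOT + timedelta(seconds=5)),
]

if __name__ == "__main__":
    for entry, size_ok in triage(SAMPLE, BOOT)[0]:
        print(entry.mtime, entry.size, entry.name, size_ok)
```

A candidate whose size flag is false, such as the 7-byte DLL in the sample, matches the stub file the comment says appears after guard.tmp has been overwritten.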

16. re: comment about VX2.cc by Guest. 2005-03-16 08:03:31
Try this software off eBay:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&rd=1&item=7132679925&ssPageName=STRK:MEWN:IT

Something from this package worked, after weeks of pain.

paul

17. to Mike Stevens by vx2 Released. 2005-03-09 23:03:19
What is your Windows version? How is the VX2 behaviour shown?
(I have successfully coped with a problem on my windows 2000 server)

18. re: comment about VX2.cc by Mike Stevens. 2005-03-09 18:03:10
I'm ready to believe that nothing works and that the people that claimed it works are faking it or it worked as a fluke. I've tried the following with updated definitions,

Ad-aware (with vx2 plugin).... nothing.
Spy Sweeper.... nothing.
Trojan Remover.... nothing.
Spyware Doctor.... nothing.
Spybot Search & Destroy.... nothing.

As well as other little tools like VX2Finder.exe, and Hijackthis.... nothing.

When the sh*t hit the fan, nothing worked. I've tried all of the solutions granted here, with special attention to Waffy's solution (took my time doing it) and nothing.

I've tried other forums, and nothing.

In any case, there are two solutions I haven't tried yet.

1. suicide
2. reformat computer

I don't know which one is worse. I have 300GB hard drive and a whole lot of stuff to back up. I guess I learned my lesson about backing up sooner, eh?

Whoever came up with this VX2 filth, should be burned alive.

19. re: comment about VX2.cc by HATE THIS BUG. 2005-03-08 22:03:02
can't find the guard file. Nothing shows on adaware scans. Nothing on the add-on. Followed all directions in this blog and yet as soon as I restart my other comp, It freezes my comp and I can do nothing. HELP !!!!!!!!!!

Outside of reformatting -- what can I do?

20. re: comment about VX2.cc by Kiren. 2005-03-07 12:03:19
I have vx2.transponder and a browser plug-in installed. I ran Ad-aware 5 times in safe mode and it deletes it, then in normal mode I ran it, and it's gone. But when I re-login in normal mode and go to the internet, vx2 is there again!!! Any suggestions how do I remove it permanently and what am I doing wrong??
