Any suggestions?
1) figure out a way to delete it
2) Sue the piss out of the company
3) Firebomb the headquarters, take CEO hostage.
have no hope in hell of keeping up. But I can.
This thing is in there good and I am stumped!
Remove all temp internet files, your profile and anyone else's. Empty recycle bin.
Restart in safe mode. Run Ad-Aware SE; use full scan. When scan is complete select next. In scanning results window, select the "scan summary" tab. Check the box for each "target family" you wish to remove. Click next, click ok.
Next click on ADD-ONs and run VX2 cleaner.
When done shut down/restart and run a full scan.
Thanks v much!
"Remove all temp internet files, your profile and anyone else's. Empty recycle bin."
P.S. I'm on my mom's comp in case you were wondering
1. Run adaware or spybot and determine what apps it installed and the associated .dlls. Stop the Rundll32.exe process. Delete the dlls that adaware can't remove. While your computer is running - don't shutdown - unplug your computer from the wall or remove your laptop battery and boot up. Run adaware and spybot again. It should be removed.
Thanks waffy
2 In "Control Panel" window select "ADD/REMOVE Programs". Look for "BlackStone". "BlackStone" should be found in the "ADD/REMOVE Programs".
3 If "BlackStone" is found, select it and click the "Remove" button to remove it. "BlackStone" should be removed.
4 If "BlackStone" is not present in the "ADD/REMOVE Programs", close any open Web browsers. All the browsers should be closed.
5 Click "Start", select the Search button and search for "IEHelper.dll" in the "C: drive". "IEHelper.dll" file should be found.
6 Delete "IEHelper.dll". "IEHelper.dll" file should be deleted.
7 Click "Start", select the Search button and search for "domlst.cch" in the "C: drive". "domlst.cch" file should be found.
8 Delete "domlst.cch". "domlst.cch" should be deleted.
9 If the system does not permit the file to be deleted... Select "START", then select "Run", type "regedit" and press "ok". A new "Registry Editor" window is opened.
10 In the left side of the Registry Editor, select the key and its subkeys as follows.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
You should find the "{00000000-5eb9-11d5-9d45-009027c14662}" key.
11 Delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}. The key is deleted.
12 Reboot the computer. Click "Start", then click "Search". Search for "IEHelper.dll". You should be able to find the "IEHelper.dll" file now.
13 Now delete IEHelper.dll. The "IEHelper.dll" should be able to be deleted now.
14 Reboot the computer now, and search again for "IEHelper.dll". You should not be able to find the "IEHelper.dll" file anywhere in your system.
15 Click Start button on the task bar and click "Run...". A Run window is opened at the bottom left corner of the desktop.
16 Type "regedit" in the Run window and press "ok". A new "Registry Editor" window is opened.
17 Search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
If the key is still found, proceed to the next step. You should not find the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662} key.
18 Follow from step 5 to step 10.
That worked.
I don't know if I had just some minor VX2 but I doubt it, cos none of the above was working. I just urge anyone suffering from a VX2 to try this first; it may well work and it will save you a lot of tears of frustration.
He means delete all Temporary Internet Files in your profile and in anyone else's profile (i.e. the other profiles set up on your OS), and empty the recycle bin.
once on administrator and once on my own user profile
in safe mode, VX2 isn't found at all
but after the reboot back to normal bootup, I run the deep scan with Ad-Aware SE Personal and the stupid VX2 thing pops up again...
Anyone able to offer any help? It's really annoying... and strange that it can't be found in safe mode, but only in regular bootup. And when I run the vx2 cleaner plug-in, it says that my system is clean... I honestly have no idea what else to do but reformat. :(
http://downloads.subratam.org/VX2Finder(126).exe
Step 2: Hunt down the team responsible for creating this Piece of S**T and send them to Iraq for my version of "Justice".
Step 3: Try everything that I've seen in the above posts.
However, you have to admit there is a certain beauty and elegance to this new strain. As much as I loathe it, I have to respect and admire the software creators and the program. They'll get my respect before I send them to Iraq.
I've cracked many a program and seen many a virus and this one has certainly earned its way near the top. Sadly, I must admit defeat.
1. Run Adaware first and try to remove everything. Then tell adaware to run during next reboot.
2. Did a Reg Find on the word PBAKKI and removed every key out there for that word
3. At this point I rebooted
4. Run a FULL system scan with adaware, then go into windows and run adaware again but just in a smart scan. Nothing is there.
Using MSCONFIG I was able to narrow down the file and remove all the entries that VX2 did. Then what I did was really dumb and double clicked on that PBAKKI file in c:\windows\system32, where I watched it rename itself to iupbbm.dll and where I couldn't remove it.
Delete file pbakki.exe because it is still there and adaware doesn't pick it up that it's spyware.
Then i followed the steps above and POOF the file is now gone.
WEEEE
Good luck
I have Windows XP Pro and got rid of VX2 by running Spysweeper.
Go to www.webroot.com, download the trial version of SpySweeper and run the program.
When you're done, it will reboot your computer and remove the spyware from memory, unlike Lavasoft's Ad-aware.
Run Ad-aware (VX2 Cleaner) after your computer reboots to see if you still have VX2.
That is all! Good luck and post your results!
-mvpee
MjB
send pop-ups out of control on your windows systems... aaahhhh! I have been trying for several weeks and finally I read Waffy's post..gonna try it now so look for my new post
http://pets.allhere.com
help?
Waffy BIG thanks!!
What I still don't understand is why adaware would not remove it in safe mode when I tried initially, but when you go to scan summary and delete it as a "family" it removed???
Nonetheless it is now gone!!
thanks again!
1 Find vx2 using whatever and make a careful note of the infected filename
2 Ensure no disk activity and pull the computer's plug.
3 Restart with F8 and start up in Safe Mode Command Prompt only. VX2 doesn't run in this mode.
Navigate to the folder (cd...) and delete the file noted in step 1 (del); you may need to make the file visible using attrub filename.exe -h -s -r first.
Restart the machine normally and run whatever again to find its non-active backups, which should then delete without problem.
http://www.lavasoftsupport.com/index.php?showtopic=54511
I tried it on my own computer and it killed the damn thing. Note that I, using XP Home, had to install an autoexe.nt file to my system32 directory to make his programs work. Also you'll want to use HijackThis to get rid of any host files if you can. Oh, and do what he says in safe mode. I tried it in normal and it flipped out.
When are these spyware people gonna realize that if I was gonna buy your crap I wouldn't be trying so hard to get rid of your goddamn program? I assume they're trying to sell to idiots who can't uninstall it with adaware. So why bother making the ultimate unbeatable thing like this? Just so that half of us have to format our computers???
on a side note... I will never ever use ie again.... firefox is the way to go....
1. Run ad-aware and find what dll is infected (this thing will rename itself on every reboot!)
2. Run regedit, search for that dll, you'll find it in a winlogon section of the registry.
(specific folder.... HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify)
3. Go to the folder above for the entries listed where the DLL is, go to permissions, and DENY access to everyone/thing except administrators
4. Run ad-aware again and have it "clean-up" everything it finds... It will tell you you have to reboot....
5. DON'T close ad-aware OR REBOOT.... This sucks, but just TURN THE PC OFF... if you log off, the program will rename/hide itself AGAIN...
6. On reboot, Ad-aware will load again, scan 1 more time and you'll find some remainders, delete them and you are done...
Best of luck all, almost had to reload system until I did the above...
Do it and take your machine BACK!
I need help with this awful VX problem. I follow your instructions and find the .dll but there is no way to set permission as you instruct. If I just turn off the machine I keep getting the same .dll back again.
I'm running 2000 Pro - any ideas would be welcome
tried all the stuff above . did not fix it.
deleted all temp files in temporary internet and temp directories under all user profiles
emptied all rubbish bins
run adaware se
This locates the infected files. DON'T delete them. Make a note of the locations or print them out from the log.
Pull the plug on the computer.
Don't exit adaware, don't log off, don't shut down. Pull the power cord out of the computer.
Wait a bit and restart, pressing F8 at start up.
Start up in safe mode, then run regedit.
Use the "find" feature to look for the infected files in the registry. One of them will be in there somewhere. Its name changes every time adaware tries to delete it.
Navigate down the registry until you get to the entry containing the infected dll. Then go to permissions and deny all permissions except to administrator.
Now you ought to be able to delete it with adaware.
I found the trick was not to use adaware for deletion until you had nailed this file. I think it's the one which immediately does some kind of soft reboot after adaware has attempted deletion. I could see my screen flicker for a second and the programs shut down and restart one after another. It's at this time that the virus replicates and changes its name. Once this has happened you have to start from square one again.
I also found that the file names and registry entries referred to above just did not exist on my infected machine. The names and locations change all the time and adaware will show you where they are. Sometimes the files are actually hidden so you can't navigate to them even in command prompt, and you are always denied access rights even if you do find them. The file is always "in use" by another program and can't be touched.
Knock out the registry entry first, then go get the other files. But don't ever shut down adaware or log off until the system is clean. If you need to restart, pull the plug and restart using F8 to enter safe mode, either in command prompt or normal safe mode.
I also played around with the attrib [not attrub] command which was referred to above. Don't actually know if that helped or not...
good luck to you all
I assume the corporate paid scum bags who designed this bit of crap are reading posts like this and adapting the new versions to evade destruction. Well, that's nothing that could not be fixed by a 9mm to the base of the skull. So much more effective than a class action.
Please note that disassembling programs is a hobby, and you shouldn't call Microsoft about it.
I say it's a trojan because of the nature of the program itself. It uses an authorized active scripting command to copy itself from the system32 folder to the system volume information area. This area is originally built to house things like file lookup tables, the restore images, dlls in use, and other bits and pieces that shouldn't be in the pagefile.
the vx2 trojan locks itself into the sysvolinf area by using the admin process 'rundll32.exe' this is not an allowed process, merely a clone since the real rundll32 doesn't show up in the process tree to begin with (service pack 1 allows it to be seen by admins). This process locks the 2 key strings so that they cannot be deleted or changed by anyone or anything.
it then propagates to the system dll cache and monitors activities using its own code.
upon careful analysis, i have found the perfect solution. be prepared for some involvement.
install a new copy of your operating system on a new hard disk. set this to the master drive.
use your original harddrive as a slave (keeping the dlls quiet because only 1 sysvolinf area can be used at a time) thereby disabling the virus.
turn off system restore on all drives and remove all but the latest restore)
run adaware or delete the following strings:
/System32/iOssvcs.dll
/System32/iTshlpr.dll
/System32/iVssam.dll
/System Volume Information/_restoreBE8A08A2-826F-476B-B751-88FBE59340BC/RP70/A0007645.dll
/System Volume Information/_restoreBE8A08A2-826F-476B-B751-88FBE59340BC/RP70/A0007646.dll
please note that the drive you are deleting from is the slave (infected) drive, not the current one.
vx2finder(126).exe is a wonderful utility that accomplishes what i just instructed automatically. the only exception is that it cant unlock the restore area.
hope this helps,
MS Tech Support
I emptied my temp files, temp internet files, cookies. Be sure you can access and delete hidden files.
1- run Adaware to find the .dll file that shows up
2- find the location of the .dll; when you find the file right click on it and go to properties
3- go to security feature and set file so it has administrative privileges only ... deny privileges to everything else.
4- unplug computer ... do not turn off ... unplug it
5- turn on computer in safe mode and go back to the .dll file. You should be able to delete now. Look for files in system32 that were created the same day or around the same day as the .dll file. Delete the one's that look like they don't belong. Be sure to delete the guard file.
6- run Adaware again and everything should be fine.
Good luck ... I hope this works for you
12/11/2004 12:17 AM 223,906 e4020edoeh0c0.dll
12/11/2004 12:25 AM 223,702 mlupgrd.dll
12/12/2004 11:04 AM 224,594 t2r80c9uef.dll
12/12/2004 11:12 AM 225,516 l4j8le1u1h.dll
12/12/2004 06:17 PM 223,702 n6n6lg5s16.dll
12/12/2004 06:17 PM 223,749 mbidntld.dll
12/12/2004 07:00 PM 225,655 l60ulgd9160.dll
12/13/2004 05:05 PM 223,749 h00q0ad5ed0.dll
12/17/2004 09:14 AM 224,360 dnj6011se.dll
12/17/2004 09:22 AM 224,676 aza6011se.dll
12/17/2004 09:29 AM 223,891 h24m0ch1ef4.dll
12/17/2004 09:36 AM 223,749 gsmf32.dll
12/17/2004 05:25 PM 226,207 fpl0033me.dll
12/17/2004 05:25 PM 226,174 wpssvc.dll
12/18/2004 04:43 PM 222,519 jtnm0751e.dll
12/18/2004 05:00 PM 222,630 pygfilt.dll
12/18/2004 05:25 PM 222,630 r28slcl71fq.dll
12/18/2004 06:59 PM 222,630 llcalui.dll
12/19/2004 09:36 AM 222,630 ir6ml5j11.dll
12/19/2004 09:37 AM 222,630 mfsnap.dll
12/21/2004 05:57 PM 224,542 o2480chuef480.dll
12/22/2004 11:05 PM 224,409 hr4005hme.dll
12/22/2004 11:16 PM 224,364 pkpusd.dll
12/23/2004 01:27 PM 224,725 l08m0al1edq.dll
12/23/2004 03:57 PM 226,239 gp84l3lq1.dll
12/23/2004 04:42 PM 226,239 g4402ehmgh4a2.dll
12/23/2004 09:44 PM 226,239 en8sl1l71.dll
12/24/2004 03:11 PM 222,620 hr2805fue.dll
12/24/2004 03:12 PM 226,239 k0pmla711d.dll
12/24/2004 03:26 PM 226,239 dpvx_xx07.dll
12/24/2004 04:02 PM 222,723 f0l0la3m1d.dll
12/24/2004 07:48 PM 226,253 cysyn32.dll
12/25/2004 10:49 AM 226,253 hr0005dme.dll
12/25/2004 12:50 PM 223,075 q8860ilse8q60.dll
12/25/2004 01:47 PM 222,239 i2600cjmefoa0.dll
12/25/2004 04:32 PM 0 p0p60a7sed.dll
12/25/2004 07:18 PM 226,253 guard.tmp
So I tried #46 - starting up in Safe Mode Command - but when I went into the C:\Windows\System32 directory, it couldn't find the .dll file. But it would show up in normal safe mode.
#46 said to use "attrub filename.exe -h -s -r" if the file doesn't show up. How do I do this? What is "attrub filename.exe -h -s -r"? I'm familiar with only very basic navigation in a DOS prompt ("cd", "cd...", "del xxxxx.exe", etc.).
Any help appreciated. Thanks...
I seem to have finally deleted this f*****g thing with Pest Patrol. I've been trying to get rid of this thing for weeks.
I downloaded the trial version of the corporate Pest Patrol programme. They don't seem to have a home user trial version. So I registered as a business user.
I'm running Hitman Pro now (combines CW, SpySweeper, AdAware etc.) to get rid of anything that may be left behind.
Doug
ebob2k
I'm gonna go crazy soon. The only way I am able to even use my computer is because Ad-Watch is preventing any edits at the moment, but no program or solution above is working. When I watch Ad-Watch it prevents 1000 registry edits a minute, it's insane. I have no idea what to do. HELP ME someone.
* Make sure you know the administrator password as you will need it. If you don't know it, but you have administrator privileges, reset the administrator password so you will know it later.
** Have a Win2000 or WinXP install disk handy. You will need it for part of this procedure.
1) Run Adaware from safe mode using the full system scan option and when it shows
the list of files it could not remove, WRITE THEM ALL DOWN with the FULL PATH.
2) Start your computer using the Win2000 or WinXP install disk. When prompted to install or repair, choose R for repair.
3) When prompted to repair using the console or automatic, choose C for console
4) Log in to the default windows - This is where you need the admin password
5) Now delete the files one by one that Adaware gave you earlier by using either
del /path/path/filename or cd to the appropriate directory(s) and delete the files.
6) Reboot as normal and run Adaware again using the Full System Scan option.
That should do it. I have not found a system yet that this did not work on.
Any help out there guys?
Kev
Do I just scan and see if it has showed up in the list at the end??? Or is there another way to find out and be totally sure?
1. run adaware, spysweeper, and spybot. (in safe mode)
2. manually deleted all the files that came onto my computer in the previous two days, except those in quarantine. (one by one in killbox)
The spyware removal programs no longer show anything, however it is still there... I cannot manually delete the remaining files because there is a process keeping windows from recognizing I have a hard drive when I try and get to a command prompt. I have stopped the program from recreating itself at each boot... however, I cannot see the recycle bin, nor am I able to manually delete anything left...
there are four files left:
c:\docume~1\zac\locals~1\temp\DFxxxx.tmp (3 of these) and a kb.log file in the same directory.
I think part of the problem with this is that it installs about 10 different spyware programs... all of which reinstall all the others... this is by far the worst spyware I have encountered...
still looking for suggestions... not even sure if I can reformat at this point...
1. Run Ad-Aware SE Professional in normal mode...
2. Write down all of the infected files reported by Ad-Aware.... pay special attention to the files that end with ".dll"........ (DO NOT delete those files using Ad-Aware) This bug is a really smart one, it'll regenerate itself by renaming the file right when you delete the bug using Ad-Aware....... So leave everything AS IS...... DO NOT close down Ad-Aware or any other processes you may be running...
3. UNPLUG your computer from the power outlet...... (This means DO NOT.. go Start then shut down.....) Just kill the power........
4.This next step... you can do it in two different ways...
a. get a second hard-drive, and install a fresh new O.S. into it, then this hard-drive is going to be your primary hard-drive.. install the INFECTED hard-drive as a secondary hard-drive...... Now you can go to the files and manually DELETE them..
b. If you have a second computer that you have access to, install your INFECTED hard-drive into that computer as a secondary hard-drive.... make sure you set both hard-drives to their appropriate settings...... Now you can go to the infected files and manually delete them....
5. Install your hard-drive back into your computer... Bootup your computer in normal Mode..... Run Ad-Aware again to clean up the left over mess.......
6. You should repeat step 5 a couple of times just to be really sure everything is cleaned up.....
Hopefully that helps........
Again I would like to thank everyone that was involved with this really nasty bug.....
I have run ad-aware, MS AntiSpyware, Symantec add-on.. Nothing is working, it is always back. I have played in the registry, a little apprehensive, I hope I did not do too much further damage. Can anyone send me detailed steps to remove? I am not a computer wiz but can manage.
thanks
Did you do the following instruction I have posted below on Feb 7..... that will get rid of your vx2 Bug..... That instruction also gets rid of your Euniverse... your spyware detection software just has to recognize the bug...... and make sure you write down the complete directory location of the virus/bug to manually delete.......... Just read my instruction posted on Feb 7, 2005....
Hope that helps...
I do not have a second drive . My pc is super slow and f***ed up . Iexplore is at a crawl. What a pain this is . I wish all these companies that publish adware ,malware,spyware detection/removal could come up with something that works.
Since you don't have a second hard-drive... do you have access to a second computer.... like a friend's computer or your siblings'....... There must be someone out there that you know and has a computer...... And don't worry about infecting their computer.... it's not contagious.........
And make sure your spyware can detect those infected files.........
or there is the last and not the most desirable way.. is just reformat your computer... save all of your important files to a DVD or CD.......
Hope that helps
Seriously, class action suit all the way.
with VX2. I have spent 24 elapsed hours on
fighting this spyware and finally removed it following the brilliant advice given in this forum.
For those interested, here's what I did:
0) Ensure you know how to take your machine into Safe mode upon power-up. It was F8 on my Dell laptop but check this out first.
1) Let ad-aware find all the infected places (full scan)
2) Write the locations down on a piece of paper
3) Kill power on the machine (had to use a paperclip to hit the reset button on my Dell laptop)
4) Reboot the machine into safe mode so that you have a DOS prompt
5) Change directory ("cd") to all the infected places and "erase" all the infected files. If you don't see a file in a directory it is because it is hidden and therefore you need to use the "attrib" DOS command to unhide it. Something like "attrib xyz -h -s -r" to remove (minus) the Hidden, System and Readonly attributes on the file xyz.
6) Reboot as normal and re-run adaware with a
full scan.
I wish the VX2 authors a painful death for causing me a loss of 24 hours in order to scrub my machine. I've now reset my account as a humble end user and have set my firewall to block out a substantial chunk of internet addresses in the vain hope that this will put off further accidental downloads.
All this because a close relative accidentally accepted some loaded offer whilst browsing...
Dunno if Firefox will help me but I hope it is more
secure than IE.
Further feedback requested if I am way off the mark
Regards
Mungo Henning (based in the Scottish Lowlands if John needs close-geographic camaraderie :-)
DUDE IT WORKED!!!! Believe me, I thought at first it wouldn't but I had nothing to lose, well, cut a long story short...it worked.
I also tried the instructions at http://www.techsupportforum.com/archive/index.php/t-31306.html which did not work. I got a list of DLLs that "Windows does not See or cannot Access". I tried to remove them using the "Killbox" app as described in the article but no! VX2 survived with its loathsome godlike powers of immutability.
On a side note, pretty soon I expect all new malware will follow VX2's magnificent example. Then everything we have to deal with will be "Files that Windows does not See or cannot Access". Well done, Bill G. Ad-Aware is going to descend into a morass of special cases and one-off fix tools. Internet Explorer? Forget it. Firefox? Too popular. Go for Mozilla Internet Suite and use the Navigator browser.
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&rd=1&item=7132679925&ssPageName=STRK:MEAFB:IT
or search in eBay
"BEST SPYWARE VIRUS TROJAN REMOVER " and make sure you see the red cross.
There's a rather persistent permutation of this that seems to be immune to AdAware and its VX2 removal tool PlugIn - it says it'll delete it on next boot but never manages. Unfortunately, I found this on my pc one day and decided to set aside a few minutes to rid myself of it. 2 Hours later...
The big problem seems to be this version of VX2 works due to the relationship between 3 files in the windows\system32 file - 2 dll files and one called Guard.tmp. The problem is that you can't delete the dll files while the pc is on (you're told they're in use, hence AdAware has to try and delete on next boot), and these dll files seem to rename themselves randomly on startup. If you go to the windows\system32 file (well, in XP anyway - not tried it on other O/S) and sort all files by date modified, you should see them. They'll have names like h6j4lg1q16.dll, On2a5o1d.dll and so on (although I can't stress enough that these file names are seemingly random - check for dll's with the latest timestamp to find them). You should also find the Guard.tmp file there. This is pretty clever in that if you delete it or re-name it, another guard.tmp file will appear before your very eyes after about 30 seconds.
Now, I'm not totally certain about this, but it seems that the guard.tmp file acts as a sort of seed for the next generation of randomly named dll files and something (presumably in one of the dll files) writes the guard.tmp file. This is pretty clever I suppose, as they seem to protect each other. Anyway, here's how I got rid of it (on XP Pro, at any rate. Not sure about other operating systems)..
1- Firstly, install AdAwareSE and update it.
2- As with any other spyware removal, delete all temporary IE files and cookies, disable system restore on your PC, empty the recycle bin, run the disc-cleanup wizard and unplug any network/internet connections.
3- Boot to Safe Mode. Run AdAware. Delete everything it finds.
4- Open the C:\windows\system32 file. Sort everything by date modified. Look for the guard.tmp file right at the end of the list. (if you can't see it, try the 'view hidden files' approach). Right-click on guard.tmp and open it with notepad. Delete all the text you can see there and replace it with the word "dummy". Save this. Right clicking on the guard.tmp file should now show it to be about 7 bytes long - write protect it as well.
5-reboot to safe mode again. I found this seemed to take a very long time when I did it. Looking in the system32 folder, you should now see a new dll with a similar random name to those mentioned above, but this time it will only be about 7 bytes long - it seems that the guard.dll file you edited has become the new dll file, although since you re-wrote it it will no longer contain the correct instructions to continue the cycle. In effect, you've broken the chain.
6-Run AdAware. It'll again tell you it will delete vx2 on next boot.
7-Reboot to safe mode (again...)
8- Run Adaware again. This time it should show up as clean.
Anyway, this worked for me. I hope it helps some others out there...
New variant detected but not removed by Lavasoft VX2 add-in
The following combination was able to eliminate VX2 from the computer.
1) Turn off system restore
2) Do full scan with Lavasoft Ad-ware and before removal, write down all files and paths.
3) Unplug the computer. DO not shutdown
4) Move hard drive to second computer and install as secondary drive
5) Look at files listed by ad-ware. Note they may be system or hidden files; use /AH and /AS options on dir command
6) Note the sizes
7) Search the hard drive for other files with the same sizes. Delete all these files. Files will have strange names, a combo of letters and numbers, .dll
8) Search for the file guard.tmp and remove it
9) Search for the following special files. They may be hidden and system
windows\system32\esbuzn.dll
windows\system32\wqroyg.exe
windows\system32\wqroyg.dll
documents and settings\all users\start menu\programs\startup\hftpyi.exe
10) Delete each of these files and put a dummy text file in their place with the same name. Make the dummy file read-only, hidden and system.
11. Also make a dummy text file for
windows\system32\esbuzn.exe
documents and settings\all users\start menu\programs\startup\hftpyi.dll
12) Put harddrive back in original computer, boot up and do full ad-ware scan. Should not find any more running VX2 process. Delete all files ad-ware finds.
13) Do a full virus-scan
14) Turn restore on and make a new restore point.
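Several posts in this thread rely on the same manual triage of the system32 listing: sort by date modified, look for random-looking DLL names, search for other files with the same byte size as a known-bad one (step 7 above), watch for zero-byte files, and check for guard.tmp. The Python script below is an added example, not code from this thread or from Lavasoft; it applies those heuristics to a saved `dir` listing so the file list can be written down before anything is deleted, as the posters recommend. The embedded sample is constructed from lines of the system32 listing posted earlier in the thread, with a made-up `benign.dll` line added as a control; the thresholds in `looks_random` (8+ characters, 2+ digits) are my own assumptions, not anything the posts state.

```python
import re
from collections import defaultdict

# Constructed sample input in the shape of the system32 "dir" listing posted
# in the thread (date, time, size, name). "benign.dll" is a made-up line with
# a made-up size, standing in for a legitimate library that must not be flagged.
SAMPLE_LISTING = """\
12/11/2004 12:17 AM 223,906 e4020edoeh0c0.dll
12/11/2004 12:25 AM 223,702 mlupgrd.dll
12/12/2004 06:17 PM 223,702 n6n6lg5s16.dll
12/12/2004 06:17 PM 223,749 mbidntld.dll
12/13/2004 05:05 PM 223,749 h00q0ad5ed0.dll
12/17/2004 09:36 AM 223,749 gsmf32.dll
12/18/2004 05:00 PM 222,630 pygfilt.dll
12/18/2004 05:25 PM 222,630 r28slcl71fq.dll
12/19/2004 09:37 AM 222,630 mfsnap.dll
12/23/2004 03:57 PM 226,239 gp84l3lq1.dll
12/25/2004 04:32 PM 0 p0p60a7sed.dll
12/25/2004 07:18 PM 226,253 guard.tmp
08/04/2004 12:00 PM 57,344 benign.dll
"""

# One "dir" line: date, 12-hour time, comma-grouped size, file name.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)$"
)


def parse_listing(text):
    """Parse dir-style lines into (date, size_in_bytes, name) tuples; skip junk."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["date"], int(m["size"].replace(",", "")), m["name"]))
    return entries


def looks_random(name):
    """Assumed heuristic: base name of 8+ chars with at least two digits mixed in."""
    base = name.rsplit(".", 1)[0]
    return len(base) >= 8 and sum(c.isdigit() for c in base) >= 2


def triage(text):
    """Return {name: set of reasons} for every entry that trips a heuristic."""
    entries = parse_listing(text)
    reasons = defaultdict(set)
    by_size = defaultdict(list)
    for _, size, name in entries:
        by_size[size].append(name)

    guard_dates = {d for d, _, n in entries if n.lower() == "guard.tmp"}
    # Sizes carried by random-named DLLs or by guard.tmp anchor the
    # "same size" search the thread describes; a plausibly named DLL that
    # shares one of those sizes gets flagged too.
    suspect_sizes = {
        s for _, s, n in entries
        if (n.lower().endswith(".dll") and looks_random(n)) or n.lower() == "guard.tmp"
    }

    for date, size, name in entries:
        low = name.lower()
        if low == "guard.tmp":
            reasons[name].add("guard_file")
        if size == 0:
            reasons[name].add("zero_size")
        if low.endswith(".dll") and looks_random(name):
            reasons[name].add("random_name")
        if size in suspect_sizes and len(by_size[size]) > 1:
            reasons[name].add("size_cluster")
        if date in guard_dates and low != "guard.tmp":
            reasons[name].add("same_day_as_guard")
    return dict(reasons)


def suspects(text):
    """Sorted file names flagged by triage(), ready to be written down."""
    return sorted(triage(text))


if __name__ == "__main__":
    for name, why in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{name:20s} {', '.join(sorted(why))}")
```

To use it on a real machine, save the output of `dir` for the directory in question to a file and pass its contents to `triage()` in place of `SAMPLE_LISTING`. Note that files such as `mlupgrd.dll` in the sample carry only the `size_cluster` flag: their names look ordinary, and it is the size match with a random-named sibling that exposes them, which is exactly why the posts say to note the sizes before deleting anything.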
1. Find a DLL in WINDOWS/SYSTEM with the date of corruption. 35-40 k in the variants I encountered, but growing steadily as development continues. If unable to do this step (Explorer is dead), continue with step 2.
2. Be sure no disk activity, then unplug.
3. Replug, boot from STARTUP diskette.
4. Use DOS-like interface to change the file type of the file located in step 1, viz:
a. C:
b. cd \WINDOWS/SYSTEM
c. If you could not do step 1, use dir *.dll /p and just keep looking until you find the right file, as above.
d. rename endgmo.dll endgmo.dlx
(Substitute the name you found for 'endgmo.')
5. Remove diskette, reboot.
6. Run AdAware and get rid of everything you're not sure about, including about:blank -- that page was hijacked by my variant.
7. Clean all cookies, empty recycle. Reboot.
8. If you get an error message during startup about a missing file, use MSCONFIG to keep it from being used, viz:
START/RUN/MSCONFIG -> Startup. Look for a RUNDLL32 for a DLL, mine was named 'sp' and the file was 'se.dll' in WINDOWS/TEMP; this is the file you got the error message about. Uncheck the box so no attempt will be made to run this file.
9. More skilled users than I can substitute cleaning up in the Registry for step 8.
Salt in 1000 cuts, tying on anthills, and such is too good for the scum that develop and distribute this stuff. I'm thinking in terms of the rest of their lives married to my ex-wife.
1. An alternate to step 3 in my note below would be to reboot the hard drive but use F8 to get into the DOS interface. The key thing is you don't want to let the VX2 startup process rename its files and load the memory resident portion.
I wouldn't count on the hard drive DOS interface always being available; VX2 mutates constantly and we can count on the DOS interface being disabled at some point in the future. The Startup (or recovery) diskette is a completely independent system that will do the key job; for most of us it's a lot easier to use that than to remove the HDD and install it as a slave on another system.
2. The procedure in my following note leaves a junk file (the one you renamed); this should be deleted once you're sure everything is working again.
Class action lawsuit *and* eternity married to my ex-wife. (Call the latter an 'uncivil penalty.') There are plenty of targets for a class action, too -- very profitable U.S. companies that make money from knowingly using or distributing VX2 components.
Notice the dates and names. Look for guard.tmp and other files created on the date of infection, and also other files with 0 for size. The main exe file on my computer was an encrypted file that appeared as M?CONFIG.exe. The only way to access this file was to reset the attributes by typing at the command prompt >attrib -s -h -r m*con*.e*. For people unfamiliar with DOS, the stars tell the program to ignore any characters represented by the stars. This was the only way I could delete this exe!!!! The designers of this virus are very clever indeed. After removing the attributes you can delete the exe by typing >del m*con*.e*
Other files linked to this infection did not have this elaborate protection and were easier to delete. Once I deleted this exe, I erased the temp file and erased the other files in the system and system32 directories. Oh, I forgot to mention: remove the system permission on the exe before you reboot and go into the command prompt.
Before you connect your system back to the network and the internet, run Ad-Aware for each user in regular mode one more time.
I hope this can help users of Windows 2000. The versions and files are really different between XP and 2000.
It's not as easy as it sounds.
Run Ad-Aware, pay attention to it; don't just leave it running and come back later.
What you have to do is:
1- START THE COMPUTER AS ADMINISTRATOR. Open Ad-Aware, look at the options inside each submenu and select everything (it goes from a red X to a green check mark).
2- Run Yahoo's anti-spy (companion toolbar); if you don't have it I recommend you install it. Update it and select "scan for tracking cookies". DISCONNECT THE COMPUTER FROM THE INTERNET AND FROM THE NETWORK. Disable Windows' "autorecovery" option (Windows 2000 doesn't have it).
3- Run Yahoo's anti-spy.
4- Delete everything. Pay attention if it won't let you delete something (write down the name of whatever won't delete).
5- Run the hard disk cleaner.
6- Run Ad-Aware. Select "Perform fully system scan".
7- While Ad-Aware is running, watch whether the screen flickers. If it does, be warned that you have VX2. If any window opens with any kind of error or information, don't touch it (the virus is trying to shut down the system). Remember that the files are going to change names every time the computer starts.
8- When Ad-Aware finishes and shows you the files and "key_entries", select only those that are not VX2 class (don't delete anything yet).
9- Don't close Ad-Aware yet. Go to windows\system32 and look for the .dll files with the same creation date as today. There are between two and 4 files.
10- Open the files with Notepad, delete everything you find in them, replace it with "dummy protect it" and save it with the same name. DO NOT DELETE THEM. There will always be one that won't let itself be touched. Don't close the window.
11- Go to the "process running" list and look for any process with a strange name and end it.
12- Go back to the window where you are looking at system32 and the "desktop", look for files with eye-catching icons like hearts, letters, etc. Delete them.
13- Remember that if you open a window or program you can't close it. Go back to the Ad-Aware window, delete the lines that are not VX2 and close Ad-Aware.
14- Run the "regedit" or "regedt32" program; use the one that has the security option in the menu.
15- Use the "find" option and search for "guard.tmp" (try group by group until you find it). Remove all the access options and let only the administrator be the one who can modify or read it. Run the hard disk cleaner.
16- Don't close any window and disconnect the computer. Don't shut it down; grab the cable and unplug it. Wait five minutes and start the computer again as administrator.
17- Wait until the computer loads completely. Run Ad-Aware again.
18 - Now at this point the Ad-Aware result should be negative for VX2-type files and "key_entries". Now run Ad-Aware under each user to be sure the system is completely clean. If you find it under another user you have to repeat the whole process under that user.
19 - After you are sure the system is clean, open the antivirus (Norton, McAfee, etc.), update the definitions and scan the computer; repeat this step under each user.
Done; now you can say you deleted the "guard.tmp" file.
many thanks to people who posted suggestions on this site.
in the end i had to use a variation of a number of the posts.
this is what i did:
1. boot into safe mode
2. run adaware se - this seemed to allow the creation of guard.tmp
3. try to remove all infected files. it should come up with 2 infected files it cannot delete - it says they are system protected.
4. say yes to delete after reboot. DON'T RESTART; this will reset them and they will change name again.
5. next run killbox. in the file name type in the path and file name for guard.tmp - it should be in the windowssystem32 folder.
6. at the bottom left there should be a radio button that says replace on reboot. - click on that also click use dummy file.
7. create a text file containing the word dummy, and make a note of the directory path.
8. in the box under the path to guard.tmp type the path to the dummy file you just created.
9. before you press the delete (the x button) you must unload the rundll32.dll process as guard.tmp piggybacks itself on it.
10. next you must restart into safe mode again.
11. next do a search for guard.tmp. if it has worked you should have two copies of it. have a look at (i.e. edit) the one in the system32 folder: it should contain the word dummy and a message left by killbox saying this file is safe to delete. DON'T delete it. make the file read-only.
12. delete the other guard.tmp
13. rerun adaware se and tell it to delete infected files, and the two .dlls on restart.
14. restart into safe mode and run adaware se.
your computer should now be clean. all that remains is to remove the .dlls.
note: i also denied access to guard.tmp in the registry to everybody but the administrator. don't know if that is needed or not.
sorry it's so long but i hope it helps.
my experience with VX2 under windows 2000 server:
=== run w2k in debug mode under an administrative account
= run some Process Explorer (from www.sysinternals.com, e.g.)
= kill rundll32 process tree
= suspend winlogon process tree
= remove from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
the branch with the vx2 dll (with a DLL value giving the full path, and an unusually mixed number/alpha dll name)
= remove from registry all branches with a "guard.tmp" value (substring search) (about 6-7 times)
= remove guard.tmp from /system32
= some waiting
=== power off
= boot normally
= remove all vx'ed strange dlls (with mixed alphanumeric names and a fixed, similar size)
= run adaware and clear system
= that's all
first time I've ever wanted to get a hold of the toerags that put such code together
This method requires Lavasoft AdAware & about 10 minutes of free time.
• Zonealarm popups - VX2 infection characterised by various .exe programs asking permission to connect to the internet
There's a rather persistent permutation of this that seems to be immune to AdAware and its VX2 removal tool PlugIn - it says it'll delete it on next boot but never manages. Unfortunately, I found this on my pc one day and decided to set aside a few minutes to rid myself of it. 2 Hours later...
The big problem seems to be this version of VX2 works due to the relationship between 3 files in the windows\system32 file - 2 dll files and one called Guard.tmp. The problem is that you can't delete the dll files while the pc is on (you're told they're in use, hence AdAware has to try and delete on next boot), and these dll files seem to rename themselves randomly on startup. If you go to the windows/system32 file (well, in XP anyway - not tried it on other O/S) and sort all files by date modified, you should see them. They'll have names like h6j4lg1q16.dll , On2a5o1d.dll and so on (although I can't stress enough that these file names are seemingly random - check for dll's with the latest timestamp to find them). You should also find the Guard.tmp file there. This is pretty clever in that if you delete it or re-name it, another guard.tmp file will appear before your very eyes after about 30 seconds.
Now, I'm not totally certain about this, but it seems that the guard.tmp file acts as a sort of seed for the next generation of randomly named dll files and something (presumably in one of the dll files) writes the guard.tmp file. This is pretty clever I suppose, as they seem to protect each other. Anyway, here's how I got rid of it (on XP Pro, at any rate. Not sure about other operating systems)..
• DF – run the freeware program CMDLINE and this shows the process running and also the program that calls the process. It showed that rundll.exe was called by a program with Umonitor at the end, e.g. "c:\windows\system32\arsel.dll",UMonitor
• the .dlls (there was usually 2 of them) did not replicate, but changed name each time the computer was booted, so date stamp (using windows explorer details) as the key factor in spotting the programs as they had the date and time of when the computer was last booted. File size was usually about 227kb.
1- Firstly, install AdAwareSE and update it.
2- As with any other spyware removal, delete all temporary IE files and cookies, disable system restore on your PC, empty the recycle bin, run the disc-cleanup wizard and unplug any network/internet connections.
3- Boot to Safe Mode. Run AdAware. Delete everything it finds.
4- Open the C:\windows\system32 file. Sort everything by date modified. Look for the guard.tmp file right at the end of the list. (if you can't see it, try the 'view hidden files' approach). Right-click on guard.tmp and open it with notepad. Delete all the text you can see there and replace it with the word "dummy". Save this. Right clicking on the guard.tmp file should now show it to be about 7 bytes long - write protect it as well.
5-reboot to safe mode again (hold down F8 whilst computer boots). I found this seemed to take a very long time when I did it. Looking in the system32 folder, you should now see a new dll with a similar random name to those mentioned above, but this time it will only be about 7 bytes long - it seems that the guard.dll file you edited has become the new dll file, although since you re-wrote it it will no longer contain the correct instructions to continue the cycle. In effect, you've broken the chain.
DF – following seemed to work although I also renamed the Guard.tmp file to GU.tmp as well as changing the data inside as above. I also deleted it manually in safe mode from windows explorer
6-Run AdAware. It'll again tell you it will delete vx2 on next boot.
7-Reboot to safe mode (again...)
8- Run Adaware again. This time it should show up as clean.
I also opened the .dll files with the hexmad file viewer to confirm content (scrolling down did not seem to work as it does in proper Microsoft .dll's)
DF - remember no real DOS in XP and DOS start-up disk cannot read NTFS drives
Anyway, this worked for me. I hope it helps some others out there...
• DF - Check zonealarm – if no attempts by winlogon or rundll.exe to connect to internet then success
• DF - also ctrl alt del and rundll.exe should not be running as a process in the background
Outside of reformatting -- what can I do?
Ad-aware (with vx2 plugin).... nothing.
Spy Sweeper.... nothing.
Trojan Remover.... nothing.
Spyware Doctor.... nothing.
Spybot Search & Destroy.... nothing.
As well as other little tools like VX2Finder.exe, and Hijackthis.... nothing.
When the sh*t hit the fan, nothing worked. I've tried all of the solutions granted here, with special attention to Waffy's solution (took my time doing it) and nothing.
I've tried other forums, and nothing.
In any case, there are two solutions I haven't tried yet.
1. suicide
2. reformat computer
I don't know which one is worse. I have a 300GB hard drive and a whole lot of stuff to back up. I guess I learned my lesson about backing up sooner, eh?
Whoever came up with this VX2 filth, should be burned alive.
(I have successfully coped with a problem on my windows 2000 server)
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&rd=1&item=7132679925&ssPageName=STRK:MEWN:IT
Something from this package worked, after weeks of pain.
paul
I have pinched a lot of this from a previous contributor (Matneee) and tried to detail the steps as a lot of contributors still seem unable to delete this infection.
I am not completely sure which of the steps were the crucial ones, but this worked for me. Some of the steps may be extra, but you have got to make sure with this one. The files may disappear quicker than expected when you work through the deletion steps.
Steps to Detection of VX2 (Not really required if you know you have got it)
I noticed my computer running slowly
I downloaded and Ran Lavasoft Adaware (free version)
VX2 was listed after the scan
I went to the lavasoft site and downloaded their VX2 remover and installed it, but no luck.
Go to
http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za and download and install the free version of ZONEALARM (unless you have a firewall installed already)
The VX2 infection is characterised by Zonealarm popups showing various .exe programs asking permission to connect to the internet – refuse all permissions unless it is a program that you recognise (e.g. Microsoft software)
Then run Zonealarm and click on "Alerts and Logs". Select "program" for the alert type.
What should be seen if VX2 is present is winlogon or rundll.exe (or was it rundll32.exe?) repeatedly trying to connect to the internet every few seconds – do not give permission.
If they have already been allowed to connect, go to the Zonealarm program control menu and deny permissions to these 2 programs (right click on them and select the red cross).
More Detection Steps
Download the freeware program CMDLINE from:
http://www.diamondcs.com.au/index.php?page=console-cmdline or search on Google for it.
Unzip it to get CMDLINE.EXE
From the Windows START menu (win XP) select - All programs, Accessories, Command prompt
Note down the directory that is pointed to, e.g. c:\Documents and Settings\Doug>
Close the command prompt window
Now copy the CMDLINE.EXE program to this directory using windows explorer
From the Windows START menu (win XP) select - All programs, Accessories, Command prompt
Type DIR (return) to check cmdline.exe is there
Type cmdline (return) to run the cmdline program
The key lines were 1976 - C:\WINDOWS\system32\rundll32.exe
rundll32.exe "C:\WINDOWS\system32\uibui.dll",UMonitor
This showed that the rundll32.exe program was being called by C:\WINDOWS\system32\uibui.dll. The name of the dll will be different from this and will change each time you boot the computer. Also note the UMonitor label.
The VX2 Problem
The Problem - The big problem seems to be this version of VX2 works due to the relationship between 3 files in the windows\system32 file - 2 .dll files and one called Guard.tmp. The problem is that you cannot delete the .dll files while the pc is on (you are told they are in use, hence AdAware has to try and delete on next boot), and these dll files seem to rename themselves randomly on startup. If you go to the windows/system32 file (well, in XP anyway - not tried it on other O/S) and sort all files by date modified, you should see them. They will have names like h6j4lg1q16.dll , On2a5o1d.dll and so on (although I can not stress enough that these file names are seemingly random - check for dlls with the latest timestamp to find them). You should also find the Guard.tmp file there. This is pretty clever in that if you delete it or re-name it, another guard.tmp file will appear before your very eyes after about 30 seconds.
Now, I am not totally certain about this, but it seems that the guard.tmp file acts as a sort of seed for the next generation of randomly named dll files and something (presumably in one of the dll files) writes the guard.tmp file. This is pretty clever I suppose, as they seem to protect each other.
The .dlls (there was usually 2 of them) did not replicate, but changed name each time the computer was booted, so date stamp (using windows explorer details) as the key factor in spotting the programs as they had the date and time of when the computer was last booted. File size was usually about 227kb.
Steps to Deletion
1 - Install (unless you did so above) AdAwareSE and update it.
2 - As with any other spyware removal, delete all temporary IE files and cookies, disable system restore on your PC, empty the recycle bin, run the disc-cleanup wizard and unplug any network/internet connections.
3 - Reboot the computer in Safe Mode (hold down F8 key whilst computer boots).
Hold down Ctrl and Alt keys together then press Del key (Delete) and if rundll.exe or rundll32.exe is running, click on it and then click "End Process".
Run AdAware. Delete everything it finds.
4 - Run Windows Explorer. Open the C:\windows\system32 folder.
From the menu select View, Details. Click the "Date Modified" column header twice (slowly). This should put the 2 dlls to delete near the top of the list, with times of when you last booted the computer.
Also look for the guard.tmp file near the top of the list. (if you can not see it, go to Tools, Folder options, click on the view tab and select "Show hidden files and folders".)
5 - Rename the Guard.tmp file to e.g. GU.tmp
6 - Right-click on guard.tmp (now called GU.tmp) and open it with notepad. Delete all the text you can see there and replace it with the word "dummy". Save this. Right clicking on the gu.tmp file should now show it to be about 7 bytes long - write protect it as well (right click on it and select properties to change this).
7 - Reboot the computer in Safe Mode again (hold down F8 key whilst computer boots).
8 – Run windows explorer and now delete the file GU.tmp as well as the two .dll files if you can.
9 - Reboot to safe mode again. I found this seemed to take a very long time when I did it. Looking in the system32 folder, you should now see a new dll with a similar random name to those mentioned above, but this time it will only be about 7 bytes long - it seems that the guard.dll file you edited has become the new dll file, although since you re-wrote it, it will no longer contain the correct instructions to continue the cycle. In effect, you have broken the chain.
Hold down Ctrl and Alt keys together then press Del key (Delete) and if rundll.exe or rundll32.exe is running, click on it and then click "End Process".
Run windows explorer and now delete the file GU.tmp as well as the two .dll files if they are still there and if you can.
10 - Run AdAware. It will again tell you it will delete vx2 on next boot.
11 - Reboot to safe mode (again...)
Hold down Ctrl and Alt keys together then press Del key (Delete) and if rundll.exe or rundll32.exe is running, click on it and then click "End Process".
Run windows explorer and now delete the file GU.tmp as well as the two .dll files if they are still there and if you can.
12 - Run Adaware again. This time it should show up as clean.
Check for Success
Check zonealarm – if no attempts by winlogon or rundll.exe to connect to internet then success
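The checks in the post above (DLLs in system32 stamped at the last boot, guard.tmp, rundll32 launched with a ",UMonitor" export) and the Winlogon\Notify key from the Windows 2000 server post can be gathered in one read-only triage pass. This script is an added example, not from the thread or from any of the tools it names; it assumes a Windows host with PowerShell 5 or later and an elevated prompt, and the ~227 KB size band is only the posters' observation, so treat it as a hint rather than a signature.

```powershell
# Added triage script (not from the thread). Read-only: it lists the artifacts the
# posts describe so you can confirm them before removing anything by hand.
# Assumes Windows with PowerShell 5+, run from an elevated prompt.
$sys32    = Join-Path $env:SystemRoot 'System32'
$bootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Write-Host "Last boot: $bootTime"

# 1. DLLs in System32 written at or after the last boot (the thread's "sort by
#    Date Modified" check). The size band is a heuristic from the posts (~227 KB),
#    not a signature; review every hit by hand.
Write-Host "`n[1] DLLs in System32 modified since last boot:"
Get-ChildItem -Path $sys32 -Filter '*.dll' -File -Force |
    Where-Object { $_.LastWriteTime -ge $bootTime } |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'SizeBand'; e = { if ($_.Length -gt 200KB -and $_.Length -lt 260KB) { '~227KB' } else { '' } } } |
    Format-Table -AutoSize

# 2. guard.tmp in System32, including hidden/system attributes, with its size
#    (the posts replaced its contents with "dummy", leaving a ~7 byte file).
$guard = Join-Path $sys32 'guard.tmp'
if (Test-Path -LiteralPath $guard) {
    $g = Get-Item -LiteralPath $guard -Force
    Write-Host "`n[2] guard.tmp present: $($g.Length) bytes, attributes: $($g.Attributes)"
} else {
    Write-Host "`n[2] guard.tmp not found in $sys32"
}

# 3. Winlogon\Notify subkeys: each DLLName value is loaded into winlogon.exe at
#    logon, which is where the Windows 2000 post found the VX2 entry.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Write-Host "`n[3] Winlogon\Notify entries:"
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        [pscustomobject]@{
            Key     = $_.PSChildName
            DLLName = (Get-ItemProperty -Path $_.PSPath).DLLName
        }
    } | Format-Table -AutoSize
}

# 4. Running rundll32.exe instances and the "<dll>,<export>" each was started
#    with (the CMDLINE check); VX2 showed up as "<random>.dll",UMonitor.
Write-Host "`n[4] rundll32.exe instances:"
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-Table -AutoSize -Wrap
```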
Have tried all the listed programs and still there. Finding all kinds of crap which must be from this bug. I run scans on all my machines regularly so I know all these corrupt files were not there before.
Can I delete the file manually? And if so how do I know which are which?
Thank you for any help you can offer in removing this PIA.
Or even death penalty to the creator(s)!!! >;)
there is no guard.tmp in my system32 folder and all the randomly generated files don't have numbers in them.
perhaps i have a totally different virus?
also, who the hell is waffy!?!?
HELP
frustrated XP user
Go to Google and type it in; it should give you the link. It worked for me.