21. by Guest. 2005-03-07 03:03:39
Vx2 is a pain in the butt. I deleted it on Ad Aware SE a million times, but it would never go away. It would always say that it couldn't delete a component unless I rebooted. But I was able to use the net and research on it to find this. I guess it helps. (0=
22. by Guest. 2005-03-06 15:03:02
Hey guys I've tried all of this stuff and just about put a gun to my head. So I did a system restore back to a month ago on XP and guess what it's gone!!!!!!!!
23. by TiTo. 2005-03-04 22:03:04
I'm running win98 and I can't get rid of VX2. It keeps coming up in my system files as "forcuw". Please help...please. I try using Ad Aware SE but when I hit delete it freezes the process...help
24. by 2 Kim. 2005-03-02 04:03:51
Before that, suspend or kill the "rundll32" and "winlogon" processes.
25. by Kim. 2005-03-01 14:03:38
When I try to save guard.tmp after deleting everything in it and replacing it with dummy, it won't let me. It says it can't create it; make sure the path and file name are correct. Can someone plz help me? I'm not good at removing adware and spyware. Never had a problem with ad-aware removing anything before, so this is totally new for me. Thanks!
26. by DF. 2005-02-27 18:02:56
Thanks to Matnee - it worked; I've copied his/her notes and added comments.
First time I've ever wanted to get hold of the toerags that put such code together.
This method requires Lavasoft AdAware & about 10 minutes of free time.
• Zonealarm popups - VX2 infection characterised by various .exe programs asking permission to connect to the internet
There's a rather persistent permutation of this that seems to be immune to AdAware and its VX2 removal tool PlugIn - it says it'll delete it on next boot but never manages. Unfortunately, I found this on my pc one day and decided to set aside a few minutes to rid myself of it. 2 Hours later...
The big problem seems to be this version of VX2 works due to the relationship between 3 files in the windows\system32 file - 2 dll files and one called Guard.tmp. The problem is that you can't delete the dll files while the pc is on (you're told they're in use, hence AdAware has to try and delete on next boot), and these dll files seem to rename themselves randomly on startup. If you go to the windows\system32 file (well, in XP anyway - not tried it on other O/S) and sort all files by date modified, you should see them. They'll have names like h6j4lg1q16.dll, On2a5o1d.dll and so on (although I can't stress enough that these file names are seemingly random - check for dlls with the latest timestamp to find them). You should also find the Guard.tmp file there. This is pretty clever in that if you delete it or re-name it, another guard.tmp file will appear before your very eyes after about 30 seconds.
Now, I'm not totally certain about this, but it seems that the guard.tmp file acts as a sort of seed for the next generation of randomly named dll files and something (presumably in one of the dll files) writes the guard.tmp file. This is pretty clever I suppose, as they seem to protect each other. Anyway, here's how I got rid of it (on XP Pro, at any rate. Not sure about other operating systems).
• DF – run the freeware program CMDLINE; this shows the process running and also the program that calls the process. It showed that rundll.exe was called by a program with UMonitor at the end, e.g. c:\windows\system32\narsel.dll, UMonitor
• The .dlls (there were usually 2 of them) did not replicate, but changed name each time the computer was booted, so the date stamp (using Windows Explorer details) was the key factor in spotting the programs, as they had the date and time of when the computer was last booted. File size was usually about 227kb.
1- Firstly, install AdAwareSE and update it.
2- As with any other spyware removal, delete all temporary IE files and cookies, disable system restore on your PC, empty the recycle bin, run the disc-cleanup wizard and unplug any network/internet connections.
3- Boot to Safe Mode. Run AdAware. Delete everything it finds.
4- Open the C:\windows\system32 file. Sort everything by date modified. Look for the guard.tmp file right at the end of the list (if you can't see it, try the 'view hidden files' approach). Right-click on guard.tmp and open it with Notepad. Delete all the text you can see there and replace it with the word "dummy". Save this. Right-clicking on the guard.tmp file should now show it to be about 7 bytes long - write-protect it as well.
5- Reboot to safe mode again (hold down F8 whilst the computer boots). I found this seemed to take a very long time when I did it. Looking in the system32 folder, you should now see a new dll with a similar random name to those mentioned above, but this time it will only be about 7 bytes long - it seems that the guard.dll file you edited has become the new dll file, although since you rewrote it it will no longer contain the correct instructions to continue the cycle. In effect, you've broken the chain.
DF – following seemed to work although I also renamed the Guard.tmp file to GU.tmp as well as changing the data inside as above. I also deleted it manually in safe mode from windows explorer
6- Run AdAware. It'll again tell you it will delete vx2 on next boot.
7- Reboot to safe mode (again...)
8- Run Adaware again. This time it should show up as clean.
I also opened the .dll files with the hexmad file viewer to confirm content (scrolling down did not seem to work as it does in proper Microsoft .dlls).
DF - remember no real DOS in XP and DOS start-up disk cannot read NTFS drives
Anyway, this worked for me. I hope it helps some others out there...
• DF - Check zonealarm – if no attempts by winlogon or rundll.exe to connect to internet then success
• DF - also ctrl alt del and rundll.exe should not be running as a process in the background
27. by russian somebody. 2005-02-27 05:02:16
great thanks for all!
28. by russian somebody. 2005-02-27 05:02:50
sorry for such english, but
my experience with VX2 under windows 2000 server:
=== run w2k under debug mode under administrative
= run some Process Explorer (from www.sysinternals.com f.e.)
= kill rundll32 tree process
= suspend winlogon tree process
= remove from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
the branch with the vx2 dll (with a DLL value giving the full path and an unusually mixed number/alpha dll name)
= remove from the registry all branches with a "guard.tmp" value (substring search) (about 6-7 times)
= remove guard.tmp from /system32
= some waiting
=== power off
= boot normally
= remove all vx'ed strange dlls (with mixed alphanumeric names and roughly fixed size)
= run adaware and clear system
= that's all
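The last two posts lean on the same three indicators: DLLs in system32 stamped at the last boot with random letter/digit names and one shared size, the guard.tmp seed file, and a Winlogon\Notify subkey that loads one of those DLLs. The script below is an added example (not code from this thread or from Ad-Aware) that turns those indicators into a triage over a constructed directory listing and a constructed .reg export; the file names are the ones quoted above, while the Notify subkey name, the allowlist of normal Notify DLLs and the 2-minute boot window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Constructed sample input: not captured from a real machine ----
LAST_BOOT = datetime(2005, 2, 27, 18, 2, 0)

# (name, size in bytes, last-modified time) as Explorer's details view shows them.
SYSTEM32 = [
    ("kernel32.dll", 983552, datetime(2004, 8, 4, 12, 0)),
    ("user32.dll", 577024, datetime(2004, 8, 4, 12, 0)),
    ("msvcrt.dll", 343040, datetime(2004, 8, 4, 12, 0)),
    ("h6j4lg1q16.dll", 227328, LAST_BOOT),                     # name quoted in the thread
    ("On2a5o1d.dll", 227328, LAST_BOOT),                       # name quoted in the thread
    ("narsel.dll", 227328, LAST_BOOT),                         # DLL behind UMonitor in DF's note
    ("guard.tmp", 227328, LAST_BOOT + timedelta(seconds=30)),  # reappears ~30 s after deletion
    ("setupapi.log", 1200, LAST_BOOT + timedelta(minutes=10)), # boot-time noise, not a DLL
]

# Constructed .reg export of the Winlogon\Notify key: two ordinary subkeys plus one
# (subkey name assumed) that loads narsel.dll from the listing above.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\UMonitor]
"DLLName"="C:\\WINDOWS\\system32\\narsel.dll"
"Startup"="UMonitor"
"""

# Assumed allowlist of DLLs an XP box normally registers under Winlogon\Notify;
# anything else loaded from that key deserves a look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}
NOTIFY_MARKER = "\\Winlogon\\Notify\\"


def looks_random(name):
    """Heuristic: a stem like h6j4lg1q16 or On2a5o1d switches between letter and
    digit runs many times; kernel32 or ws2_32 switch only once."""
    stem = re.sub(r"[^0-9a-z]", "", name.rsplit(".", 1)[0].lower())
    runs = re.findall(r"\d+|[a-z]+", stem)
    return len(runs) - 1 >= 3


def boot_stamped(listing, last_boot, window=timedelta(minutes=2)):
    """Files modified within `window` of the last boot (the renaming happens at startup)."""
    return [e for e in listing if abs(e[2] - last_boot) <= window]


def size_clusters(entries, min_members=2):
    """Group entries by exact size: the VX2 components in the thread shared one size."""
    by_size = defaultdict(list)
    for name, size, _ in entries:
        by_size[size].append(name)
    return {s: names for s, names in by_size.items() if len(names) >= min_members}


def parse_notify(reg_text):
    """Map each Winlogon Notify subkey to its DLLName value from a .reg export."""
    result, current = {}, None
    for line in reg_text.splitlines():
        key = re.match(r"\[(.+)\]$", line)
        if key:
            path = key.group(1)
            current = path.rsplit("\\", 1)[1] if NOTIFY_MARKER in path else None
            continue
        val = re.match(r'"DLLName"="(.+)"$', line)
        if val and current:
            # .reg files escape backslashes by doubling them.
            result[current] = val.group(1).replace("\\\\", "\\")
    return result


def triage(listing, reg_text, last_boot):
    """Return the files and Notify entries that match the VX2 pattern."""
    fresh = boot_stamped(listing, last_boot)
    clusters = size_clusters(fresh)
    suspicious = set()
    for name, size, _ in fresh:
        if name.lower() == "guard.tmp":
            suspicious.add(name)                       # the seed file itself
        elif name.lower().endswith(".dll") and (looks_random(name) or size in clusters):
            suspicious.add(name)                       # random name or same-size sibling
    lowered = {s.lower() for s in suspicious}
    notify_hits = {}
    for subkey, dll in parse_notify(reg_text).items():
        base = dll.rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_NOTIFY_DLLS or base in lowered:
            notify_hits[subkey] = dll
    return {"files": sorted(suspicious), "notify": notify_hits}


if __name__ == "__main__":
    for section, hits in triage(SYSTEM32, REG_EXPORT, LAST_BOOT).items():
        print(section, hits)
```

On a real box the listing would come from a `dir` run in safe mode and the .reg text from exporting the Notify key, and each hit is something to write down before removal, not proof on its own.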
29. by dave. 2005-02-26 10:02:36
i managed to remove vx2 last night.
many thanks to people who posted suggestions on this site.
in the end i had to use a variation of a number of the posts.
this is what i did:
1. boot into safe mode
2. run adaware se - this seemed to allow the creation of guard.tmp
3. try to remove all infected files. it should come up with 2 infected files it cannot delete - it says they are system protected.
4. say yes to delete after reboot. DON'T RESTART - this will reset them and they will change name again.
5. next run killbox. in the file name type in the path and file name for guard.tmp - it should be in the windows\system32 folder.
6. at the bottom left there should be a radio button that says replace on reboot. - click on that also click use dummy file.
7. create a text file containing the word dummy, and make a note of the directory path
8. in the box under the path to guard.tmp type the path to the dummy file you just created.
9. before you press the delete (the x button) you must unload the rundll32.dll process as guard.tmp piggybacks itself on it.
10. next you must restart into safe mode again.
11. next do a search for guard.tmp. if it has worked you should have two copies of it. have a look at (i.e. edit) the one in the system32 folder; it should contain the word dummy and a message left by killbox saying this file is safe to delete. DON'T delete it. make the file read-only.
12. delete the other guard.tmp
13. rerun adaware se and tell it to delete infected files, and the two .dlls on restart.
14. restart into safe mode and run adaware se.
your computer should now be clean. all that remains is to remove the .dlls.
note: i also denied access to guard.tmp in the registry to everybody but the administrator. don't know if that is needed or not.
sorry it's so long but i hope it helps.
30. by lha. 2005-02-25 09:02:16
If I find "guard.tmp", do I delete it?
It's not as easy as it sounds.
Run Ad-Aware, and pay attention to it; don't just leave it running and come back later.
What you have to do is:
1- START THE COMPUTER AS ADMINISTRATOR. Open Ad-Aware, look at the options inside each submenu and select everything (it changes from a red X to a green check mark).
2- Run Yahoo's anti-spy (companion toolbar); if you don't have it, I recommend installing it. Update it and select "scan for tracking cookies". DISCONNECT THE COMPUTER FROM THE INTERNET AND FROM THE NETWORK. Disable the Windows "autorecovery" option (Windows 2000 doesn't have it).
3- Run Yahoo's anti-spy.
4- Delete everything. Pay attention if it won't let you delete something (write down the name of whatever can't be deleted).
5- Run the disk cleanup.
6- Run Ad-Aware. Select "Perform fully system scan".
7- While Ad-Aware is running, watch whether the screen flickers. If it does, be warned that you have VX2. If any window opens showing any kind of error or information, don't touch it (the virus is trying to shut down the system). Remember that the files are going to change names every time the computer boots.
8- When Ad-Aware finishes and shows you the files and "key_entries", select only those that are not of the VX2 class (don't delete anything yet).
9- Don't close Ad-Aware yet. Go to windows\system32 and look for the .dll files with the same creation date as today. There are between two and 4 files.
10- Open the files with Notepad, delete everything you find and replace it with "dummy protect it", and save it with the same name. DON'T DELETE THEM. There will always be one that can't be touched. Don't close the window.
11- Go to the running processes and look at any process with a strange name and end it.
12- Go back to the window where you are looking at system32 and the "desktop"; look for files with flashy icons such as hearts, cards, etc. Delete them.
13- Remember that if you open a window or program you can't close it. Go back to the Ad-Aware window, delete the lines that are not VX2, and close Ad-Aware.
14- Run the program "regedit" or "regedt32"; use the one that has the security option in the menu.
15- Use the "find" option and search for "guard.tmp" (try group by group until you find it). Remove all access permissions and leave only the administrator able to modify or read it. Run the disk cleanup.
16- Don't close any window and disconnect the computer; don't turn it off, grab the cable and unplug it. Wait five minutes and start the computer again as administrator.
17- Wait until the computer loads completely. Run Ad-Aware again.
18- Now at this point the Ad-Aware result should come back negative for VX2-type files and "key_entries". Now run Ad-Aware under each user to be sure the system is completely clean. If you find it under another user, you have to repeat the whole process under that user.
19- After you are sure the system is clean, open the antivirus (Norton, McAfee, etc.), update the definitions and scan the computer; repeat this step under each user.
Done, now you can say you deleted the "guard.tmp" file.
31. by Lha. 2005-02-25 01:02:23
i tried every single option described. but i found that if you use adaware to find the files and only delete those that are not VX2, just pull the power cord out of the computer. wait about 5 minutes and reconnect the cord to the computer and turn it on. go and run "regedt32", find the file "guard.tmp" and remove all permissions except administrator and default user. run the adaware again under each user (stay under safe mode for each user) and use the disk clean up under each user. you will find out that the VX2 will disappear. took me around 3 weeks to clean up my system. but finally it is working fine. be aware that you can get this adware downloading free mp3 files or aol messenger icons.
before you connect your system back to the network and the internet, run the adaware for each user in regular mode one more time.
i hope this can help users of windows 2000. the versions and files are really different from xp to 2000.
32. by Randall Gregory. 2005-02-22 21:02:51
After spending the entire afternoon working with this virus infection, I found a relatively good method to eradicate VX2. I went after it manually after Spybot, Adaware, Spyferret and Microsoft Anti-Spy failed to remove this pesky critter. This is a very nasty virus, constantly changing and adapting. Even in safe mode it will still run as a hidden process; however, you can get to the files (exe and dll) in safe mode with the command prompt. One of the most important indicators of infected files is their date. If you know when your computer was infected, then identifying infected files becomes easier. The first step is to boot the computer in safe mode with the command prompt. Then delete all the files in the windows/temp directory and prefetch directory. Run task manager and look for any rundll32. Stop this process. Second is to list all the files in the /system and /system32 directory for all .exe .dll .txt .tmp. For those unfamiliar with DOS the command is DIR *.exe /a /p. Substitute the .exe for other file names.
Notice the dates and names. Look for guard.tmp and other files created on the date of infection, also other files with 0 for size. The main exe file on my computer was an encrypted file that appeared as M?CONFIG.exe. The only way to access this file was to reset the attributes by typing at the command prompt >attrib -s -h -r m*con*.e*. For people unfamiliar with DOS, the stars tell the program to ignore any characters represented by the stars. This was the only way I could delete this exe!!!! The designers of this virus are very clever indeed. After removing the attributes you can delete the exe by typing >del m*con*.e*
Other files linked to this infection did not have this elaborate protection and were easier to delete. Once I deleted this exe, I erased the temp file and erased the other files in the system and system32 directories. Oh, I forgot to mention, remove the system permission on the exe before you reboot and go into the command prompt.
33. by Walt. 2005-02-22 04:02:22
Two points:
1. An alternate to step 3 in my note below would be to reboot the hard drive but use F8 to get into the DOS interface. The key thing is you don't want to let the VX2 startup process rename its files and load the memory resident portion.
I wouldn't count on the hard drive DOS interface always being available; VX2 mutates constantly and we can count on the DOS interface being disabled at some point in the future. The Startup (or recovery) diskette is a completely independent system that will do the key job; for most of us it's a lot easier to use that than to remove the HDD and install it as a slave on another system.
2. The procedure in my following note leaves a junk file (the one you renamed); this should be deleted once you're sure everything is working again.
Class action lawsuit *and* eternity married to my ex-wife. (Call the latter an 'uncivil penalty.') There are plenty of targets for a class action, too -- very profitable U.S. companies that make money from knowingly using or distributing VX2 components.
34. by Walt. 2005-02-22 04:02:41
The current ugly variant pretty much won't let you do anything. I got three copies at about one-week intervals. The killbox tools listed in other notes here seem not to work on my WIN 98 system and AdAware's VX2 plugin does not install successfully. The following seems to have cleaned it up without too much hard work. YMMV.
1. Find a DLL in WINDOWS/SYSTEM with the date of corruption. 35-40 k in the variants I encountered, but growing steadily as development continues. If unable to do this step (Explorer is dead), continue with step 2.
2. Be sure no disk activity, then unplug.
3. Replug, boot from STARTUP diskette.
4. Use DOS-like interface to change the file type of the file located in step 1, viz:
a. C:
b. cd \WINDOWS\SYSTEM
c. If you could not do step 1, use dir *.dll /p and just keep looking until you find the right file, as above.
d. rename endgmo.dll endgmo.dlx
(Substitute the name you found for 'endgmo.')
5. Remove diskette, reboot.
6. Run AdAware and get rid of everything you're not sure about, including about:blank -- that page was hijacked by my variant.
7. Clean all cookies, empty recycle. Reboot.
8. If you get an error message during startup about a missing file, use MSCONFIG to keep it from being used, viz:
START/RUN/MSCONFIG -> Startup. Look for a RUNDLL32 for a DLL, mine was named 'sp' and the file was 'se.dll' in WINDOWS/TEMP; this is the file you got the error message about. Uncheck the box so no attempt will be made to run this file.
9. More skilled users than I can substitute cleaning up in the Registry for step 8.
Salt in 1000 cuts, tying on anthills, and such is too good for the scum that develop and distribute this stuff. I'm thinking in terms of the rest of their lives married to my ex-wife.
35. by ellisd@alcasoft.com. 2005-02-21 12:02:28
VX2 Removal
New variant detected but not removed by Lavasoft VX2 add-in
The following combination was able to eliminate VX2 from the computer.
1) Turn off system restore
2) Do full scan with Lavasoft Ad-ware and before removal, write down all files and paths.
3) Unplug the computer. DO not shutdown
4) Move hard drive to second computer and install as secondary drive
5) Look at files listed by ad-ware. Note they may be system or hidden files use /AH and /AS options on dir command
6) Note the sizes
7) Search the hard drive for other files with the same sizes. Delete all these files. Files will have strange names, a combo of letters and numbers .dll
8) Search for the file guard.tmp and remove it
9) Search for the following special files. They may be hidden and system
windows\system32\esbuzn.dll
windows\system32\wqroyg.exe
windows\system32\wqroyg.dll
documents and settings\all users\start menu\programs\startup\hftpyi.exe
10) Delete each of these files and put a dummy text file in their place with the same name. Make the dummy file read-only, hidden and system.
11) Also make a dummy text file for
windows\system32\esbuzn.exe
documents and settings\all users\start menu\programs\startup\hftpyi.dll
12) Put harddrive back in original computer, boot up and do full ad-ware scan. Should not find any more running VX2 process. Delete all files ad-ware finds.
13) Do a full virus-scan
14) Turn restore on and make a new restore point.
36. by Matneee. 2005-02-21 09:02:33
This method requires Lavasoft AdAware & about 10 minutes of free time.
There's a rather persistent permutation of this that seems to be immune to AdAware and its VX2 removal tool PlugIn - it says it'll delete it on next boot but never manages. Unfortunately, I found this on my pc one day and decided to set aside a few minutes to rid myself of it. 2 Hours later...
The big problem seems to be this version of VX2 works due to the relationship between 3 files in the windows\system32 file - 2 dll files and one called Guard.tmp. The problem is that you can't delete the dll files while the pc is on (you're told they're in use, hence AdAware has to try and delete on next boot), and these dll files seem to rename themselves randomly on startup. If you go to the windows\system32 file (well, in XP anyway - not tried it on other O/S) and sort all files by date modified, you should see them. They'll have names like h6j4lg1q16.dll, On2a5o1d.dll and so on (although I can't stress enough that these file names are seemingly random - check for dlls with the latest timestamp to find them). You should also find the Guard.tmp file there. This is pretty clever in that if you delete it or re-name it, another guard.tmp file will appear before your very eyes after about 30 seconds.
Now, I'm not totally certain about this, but it seems that the guard.tmp file acts as a sort of seed for the next generation of randomly named dll files and something (presumably in one of the dll files) writes the guard.tmp file. This is pretty clever I suppose, as they seem to protect each other. Anyway, here's how I got rid of it (on XP Pro, at any rate. Not sure about other operating systems).
1- Firstly, install AdAwareSE and update it.
2- As with any other spyware removal, delete all temporary IE files and cookies, disable system restore on your PC, empty the recycle bin, run the disc-cleanup wizard and unplug any network/internet connections.
3- Boot to Safe Mode. Run AdAware. Delete everything it finds.
4- Open the C:\windows\system32 file. Sort everything by date modified. Look for the guard.tmp file right at the end of the list (if you can't see it, try the 'view hidden files' approach). Right-click on guard.tmp and open it with Notepad. Delete all the text you can see there and replace it with the word "dummy". Save this. Right-clicking on the guard.tmp file should now show it to be about 7 bytes long - write-protect it as well.
5- Reboot to safe mode again. I found this seemed to take a very long time when I did it. Looking in the system32 folder, you should now see a new dll with a similar random name to those mentioned above, but this time it will only be about 7 bytes long - it seems that the guard.dll file you edited has become the new dll file, although since you rewrote it it will no longer contain the correct instructions to continue the cycle. In effect, you've broken the chain.
6- Run AdAware. It'll again tell you it will delete vx2 on next boot.
7- Reboot to safe mode (again...)
8- Run Adaware again. This time it should show up as clean.
Anyway, this worked for me. I hope it helps some others out there...
37. by Guest. 2005-02-19 21:02:54
I don't have a browser helper object key. What else can I do?
38. by paul. 2005-02-19 06:02:45
I almost went to reformatting my harddrive. I couldn't get rid of this monster. Then I bought this CD off eBay for about $11 with shipping out of blind hope. It has several nuke 'em programs: antispyware, virus detection, and I threw the works at my harddrive, so I am not sure which from this CD worked, but I was finally able to rid myself of VX2. What a bastard of a piece of spyware!
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&rd=1&item=7132679925&ssPageName=STRK:MEAFB:IT
or search in eBay
"BEST SPYWARE VIRUS TROJAN REMOVER " and make sure you see the red cross.
39. by Justin Fleming. 2005-02-18 20:02:53
I downloaded the ad-aware vx2 cleaner. I ran ad-ware and it said the vx2 process was in there. THEN I ran cleaner and the damn thing did not work. I am about to cry....
40. by Phil Jones. 2005-02-17 18:02:24
The Ad-Aware add-on "VX2 Cleaner" worked for me. Ad-Aware 1.0.5 with the definition file dated 16 Feb 05 cleaned all but two VX2 DLLs. The "VX2 Cleaner" seemed to get rid of the last two. http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
I also tried the instructions at http://www.techsupportforum.com/archive/index.php/t-31306.html which did not work. I got a list of DLLs that "Windows does not See or cannot Access". I tried to remove them using the "Killbox" app as described in the article but no! VX2 survived with its loathsome godlike powers of immutability.
On a side note, pretty soon I expect all new malware will follow VX2's magnificent example. Then everything we have to deal with will be "Files that Windows does not See or cannot Access". Well done, Bill G. Ad-Aware is going to descend into a morass of special cases and one-off fix tools. Internet Explorer? Forget it. Firefox? Too popular. Go for Mozilla Internet Suite and use the Navigator browser.
Vx2 is a pain in the butt. I deleted it on Ad Aware SE a million times, but it would never go away. It would always say that it couldn't delete a component unless I rebooted. But I was able to use the net and research on it to find this. I guess it helps. (0=
22. by Guest. 2005-03-06 15:03:02
Hey guys I've tried all of this stuff and just about put a gun to my head. So I did a system restore back to a month ago on XP and guess what it's gone!!!!!!!!
23. by TiTo. 2005-03-04 22:03:04
I'm rumming win98 and I can't get rid of VX2. It keeps comming up in my system files as "forcuw". Please help...please. I try using Ad Aware Se but when I hit delete it freezes the process...help
24. by 2 Kim. 2005-03-02 04:03:51
before suspend or kill process "rundll32" and "winlogon"
25. by Kim. 2005-03-01 14:03:38
when I try to save guard.tmp after deleted everything in it and replacing with dummy, it wont let me. It says, It can't create it. make sure path and file name are correct. Can someone plz help me? I'm not good at removing adware and spyware. Never had a problem with ad-aware removing anything before so this is totally new for me. Thanks!
26. by DF. 2005-02-27 18:02:56
Thanks to Matnee -it worked, i've copied his/her notes and added comments
first time I've ever wanted to get a hold of the toerags that put such code together
This method requires Lavasoft AdAware & about 10 minutes of free time.
• Zonealarm popups - VX2 infection characterised by various .exe programs asking permission to connect to the internet
There's a rather persistent permutation of this that seems to be immune to AdAware and it's VX2 removal tool PlugIn - it says it'll delete it on next boot but never manages. Unfortonately, I found this on my pc one day and decided to set aside a few minutes to rid myself of it. 2 Hours later...
The big problem seems to be this version of VX2 works due to the relationship between 3 files in the windowssystem32 file - 2 dll files and one called Guard.tmp. The problem is that you can't delete the dll files while the pc is on (you're told they're in use, hence AdAware has to try and delete on next boot), and these dll files seem to rename themselves randomly on startup. If you go to the windows/system32 file (well, in XP anyway - not tried it on other O/S) and sort all files by date modified, you should see them. They'll have names like h6j4lg1q16.dll , On2a5o1d.dll and so on (although I can't stress enough that these file names are seemingly random - check for dll's with the latest timestamp to find them). You should also find the Guard.tmp file there. This is pretty clever in that if you delete it or re-name it, another guard.tmp file will appear before your very eyes after about 30 seconds.
Now, I'm not totally certain about this, but it seems that the guard.tmp file acts as a sort of seed for the next generation of randomly named dll files and something (presumably in one of the dll files) writes the guard.tmp file. This is pretty clever I suppose, as they seem to protect eachother. Anyway, here's how I got rid of it (on XP Pro, at any rate. Not sure about other operating systems)..
• DF – run the freeware program CMDLINE and this shows the process running and also the program that calls the process. It showed that rundll.exe was called by a program with Umonitor at the end. e.g. c:windowssystem32narsel.dll�, UMonitor�
• the .dlls (there was usually 2 of them) did not replicate, but changed name each time the computer was booted, so date stamp (using windows explorer details) as the key factor in spotting the programs as they had the date and time of when the computer was last booted. File size was usually about 227kb.
•
1- Firstly, instal AdAwareSE and update it.
2- As with any other spyware removal, delete all temporary IE files and cookies, disable system restore on your PC, empty the recycle bin, run the disc-cleanup wizard and unplug any network/internet connections.
3- Boot to Safe Mode. Run AdAware. Delete everything it finds.
4- Open the C:windowssystem32 file. Sort everything by date modified. Look for the guard.tmp file right at the end of the list. (if you can't see it, try the 'view hidden files' approach). Right-click in guard.tmp and open it with notepad. Delete all the text you can see there and replace it with the word "dummy". Save this. Right clicking on the guard.tmp file should now show it to be about 7bytes long - write protect it as well.
5-reboot to safe mode again (hold down F8 whilst computer boots). I found this seemed to take a very long time when I did it. Looking in the system32 folder, you should now see a new dll with a similar random name to those mentioned above, but this time it will only be about 7 bytes long - it seems that the guard.dll file you edited has become the new dll file, although since you re-wrote it it will no longer contain the correct instructions to continue the cycle. In effect, you've broken the chain.
DF – following seemed to work although I also renamed the Guard.tmp file to GU.tmp as well as changing the data inside as above. I also deleted it manually in safe mode from windows explorer
6-Run AdAware. It'll again tell you it will delete vx2 on next boot.
7-Reboot to safe mode (again...)
8- Run Adaware again. This time it should show up as clean.
I also opened the .dll files with hexmad file viewer to confirm content (scrolling down did not seem to work as it does in proper Microsoft .dll’s)
DF - remember no real DOS in XP and DOS start-up disk cannot read NTFS drives
Anyway, this worked for me. I hope it helps some others out there...
• DF - Check zonealarm – if no attempts by winlogon or rundll.exe to connect to internet then success
• DF - also ctrl alt del and rundll.exe should not be running as a process in the background
27. by russian somebody. 2005-02-27 05:02:16
great thanks for all!
28. by russian somebody. 2005-02-27 05:02:50
sorry for such english, but
my expirence VX2 under windows 2000 server:
=== run w2k under debug mode under administrative
= run some Process Explorer (from www.sysinternals.com f.e.)
= kill rundll32 tree process
= suspend winlogon tree process
= remove from HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
branch with vx2 dll ( with DLL value full path and unusualy mixed numberalphared dll name)
= remove from registry all branch with "guard.tmp" value (substring search) (about 6-7 times)
= remove guard.tmp from /system32
= some waiting
=== power off
= boot normaly
= remove all vx'ed-strange dll ( with mixed alphanumerical name and fixed-around size)
= run adaware and clear system
= that's all
29. by dave. 2005-02-26 10:02:36
i managed to remove vx2 last night.
many thanks to people who posted suggestions on this site.
in the end i had to use a variation of a number of the posts.
this is what i did:
1. boot into safe mode
2. run Ad-Aware SE - this seemed to allow the creation of guard.tmp
3. try to remove all infected files. It should come up with 2 infected files it cannot delete - it says they are system protected.
4. say yes to delete after reboot. DON'T RESTART - this will reset them and they will change name again.
5. next run KillBox. In the file name, type in the path and file name for guard.tmp - it should be in the windows\system32 folder.
6. at the bottom left there should be a radio button that says "replace on reboot" - click on that, and also click "use dummy file".
7. create a text file containing the word dummy, and make a note of the directory path.
8. in the box under the path to guard.tmp, type the path to the dummy file you just created.
9. before you press delete (the X button) you must unload the rundll32.dll process, as guard.tmp piggybacks itself on it.
10. next you must restart into safe mode again.
11. next do a search for guard.tmp. If it has worked you should have two copies of it. Have a look at (i.e. edit) the one in the system32 folder; it should contain the word dummy and a message left by KillBox saying this file is safe to delete. DON'T delete it. Make the file read-only.
12. delete the other guard.tmp.
13. rerun Ad-Aware SE and tell it to delete the infected files, and the two .dlls on restart.
14. restart into safe mode and run Ad-Aware SE.
your computer should now be clean. All that remains is to remove the .dlls.
note: I also denied access to guard.tmp in the registry to everybody but the administrator. Don't know if that is needed or not.
sorry it's so long but i hope it helps.
30. by lha. 2005-02-25 09:02:16
If I find "guard.tmp", do I delete it?
It's not as easy as it sounds.
Run Ad-Aware, and pay attention to it; don't just leave it running and come back later.
What you have to do is:
1- START THE COMPUTER AS ADMINISTRATOR. Open Ad-Aware, look at the options in each submenu and select everything (each goes from a red X to a green check mark).
2- Run the Yahoo anti-spy (Companion toolbar); if you don't have it I recommend you install it. Update it and select "scan for tracking cookies". DISCONNECT THE COMPUTER FROM THE INTERNET AND FROM THE NETWORK. Disable the Windows "autorecovery" option (Windows 2000 doesn't have it).
3- Run the Yahoo anti-spy.
4- Delete everything. Pay attention if it won't let you delete something (write down the name of whatever can't be deleted).
5- Run the disk cleanup.
6- Run Ad-Aware. Select "Perform full system scan".
7- While Ad-Aware is running, watch whether the screen flickers. If it does, be warned that you have VX2. If any window opens showing any kind of error or information, don't touch it (the virus is trying to shut down the system). Remember that the files are going to change name every time the computer starts.
8- When Ad-Aware finishes and shows you the files and "key_entries", select only those that are not of the VX2 type (don't delete anything yet).
9- Don't close Ad-Aware yet. Go to windows\system32 and look for the .dll files with the same creation date as today. There will be between two and 4 files.
10- Open the files with Notepad, delete everything you find, replace it with "dummy protect it" and save it under the same name. DO NOT DELETE THEM. There is always going to be one that can't be touched. Don't close the window.
11- Go to the running processes and look for any process with a strange name and end it.
12- Go back to the window where you are looking at system32 and the desktop, and look for files with eye-catching icons like hearts, letters, etc. Delete them.
13- Remember that if you open a window or program you won't be able to close it. Go back to the Ad-Aware window, delete the lines that are not VX2 and close Ad-Aware.
14- Run the "regedit" or "regedt32" program; use the one that has the security option in the menu.
15- Use the "find" option and search for "guard.tmp" (try group by group until you find it). Remove all its access permissions and leave only the administrator able to modify or read it. Run the disk cleanup.
16- Don't close any window and disconnect the computer; don't shut it down, take the cable and unplug it. Wait five minutes and start the computer again as administrator.
17- Wait until the computer loads completely. Run Ad-Aware again.
18- At this point the Ad-Aware result should come back negative for VX2-type files and "key_entries". Now run Ad-Aware under each user to be sure the system is completely clean. If you find it under another user you have to repeat the whole process under that user.
19- Once you are sure the system is clean, open the antivirus (Norton, McAfee, etc.), update the definitions and scan the computer; repeat this step under each user.
Done. Now you can say you deleted the "guard.tmp" file.
31. by Lha. 2005-02-25 01:02:23
I tried every single option described, but I found that if you use Ad-Aware to find the files and only delete those that are not VX2, then just pull the power cord out of the computer, wait about 5 minutes, reconnect the cord to the computer and turn it on. Go and run "regedt32", find the file "guard.tmp" and remove all permissions except administrator and default user. Run Ad-Aware again under each user (stay under safe mode for each user) and use the disk clean-up under each user. You will find that the VX2 will disappear. It took me around 3 weeks to clean up my system, but finally it is working fine. Be aware that you can get this adware downloading free mp3 files or AOL messenger icons.
Before you connect your system back to the network and the internet, run Ad-Aware for each user in regular mode one more time.
I hope this can help users of Windows 2000. The versions and files are really different from XP to 2000.
32. by Randall Gregory. 2005-02-22 21:02:51
After spending the entire afternoon working with this virus infection, I found a relatively good method to eradicate VX2. I went manual after Spybot, Adaware, Spyferret and Microsoft Anti-Spy failed to remove this pesky critter. This is a very nasty virus, constantly changing and adapting. Even in safe mode it will still run as a hidden process; however, you can get to the files (exe and dll) in safe mode with the command prompt. One of the most important indicators of infected files is their date. If you know when your computer was infected, then identifying infected files becomes easier. The first step is to boot the computer in safe mode with the command prompt, then delete all the files in the windows/temp directory and the prefetch directory. Run task manager and look for any rundll32. Stop this process. Second is to list all the files in the /system and /system32 directories for all .exe .dll .txt .tmp. For those unfamiliar with DOS the command is DIR *.exe /a /p. Substitute .exe for the other file extensions.
Notice the dates and names. Look for guard.tmp and other files created on the date of infection, and also other files with 0 for size. The main exe file on my computer was an encrypted file that appeared as M?CONFIG.exe. The only way to access this file was to reset the attributes by typing at the command prompt >attrib -s -h -r m*con*.e*. For people unfamiliar with DOS, the stars tell the program to ignore any characters represented by the stars. This was the only way I could delete this exe!!!! The designers of this virus are very clever indeed. After removing the attributes you can delete the exe by typing >del m*con*.e*
Other files linked to this infection did not have this elaborate protection and were easier to delete. Once I deleted this exe, I erased the temp file and erased the other files in the system and system32 directories. Oh, I forgot to mention: remove the system permission on the exe before you reboot and go into the command prompt.
33. by Walt. 2005-02-22 04:02:22
Two points:
1. An alternative to step 3 in my note below would be to reboot the hard drive but use F8 to get into the DOS interface. The key thing is you don't want to let the VX2 startup process rename its files and load the memory-resident portion.
I wouldn't count on the hard drive DOS interface always being available; VX2 mutates constantly and we can count on the DOS interface being disabled at some point in the future. The Startup (or recovery) diskette is a completely independent system that will do the key job; for most of us it's a lot easier to use that than to remove the HDD and install it as a slave on another system.
2. The procedure in my following note leaves a junk file (the one you renamed); this should be deleted once you're sure everything is working again.
Class action lawsuit *and* eternity married to my ex-wife. (Call the latter an 'uncivil penalty.') There are plenty of targets for a class action, too -- very profitable U.S. companies that make money from knowingly using or distributing VX2 components.
34. by Walt. 2005-02-22 04:02:41
The current ugly variant pretty much won't let you do anything. I got three copies at about one-week intervals. The killbox tools listed in other notes here seem not to work on my WIN 98 system and AdAware's VX2 plugin does not install successfully. The following seems to have cleaned it up without too much hard work. YMMV.
1. Find a DLL in WINDOWS/SYSTEM with the date of corruption. 35-40 k in the variants I encountered, but growing steadily as development continues. If unable to do this step (Explorer is dead), continue with step 2.
2. Be sure no disk activity, then unplug.
3. Replug, boot from STARTUP diskette.
4. Use DOS-like interface to change the file type of the file located in step 1, viz:
a. C:
b. cd WINDOWS/SYSTEM
c. If you could not do step 1, use dir *.dll /p and just keep looking until you find the right file, as above.
d. rename endgmo.dll endgmo.dlx
(Substitute the name you found for 'endgmo.')
5. Remove diskette, reboot.
6. Run AdAware and get rid of everything you're not sure about, including about:blank -- that page was hijacked by my variant.
7. Clean all cookies, empty recycle. Reboot.
8. If you get an error message during startup about a missing file, use MSCONFIG to keep it from being used, viz:
START/RUN/MSCONFIG -> Startup. Look for a RUNDLL32 for a DLL, mine was named 'sp' and the file was 'se.dll' in WINDOWS/TEMP; this is the file you got the error message about. Uncheck the box so no attempt will be made to run this file.
9. More skilled users than I can substitute cleaning up in the Registry for step 8.
Salt in 1000 cuts, tying on anthills, and such is too good for the scum that develop and distribute this stuff. I'm thinking in terms of the rest of their lives married to my ex-wife.
35. by ellisd@alcasoft.com. 2005-02-21 12:02:28
VX2 Removal
New variant detected but not removed by Lavasoft VX2 add-in
The following combination was able to eliminate VX2 from the computer.
1) Turn off system restore.
2) Do a full scan with Lavasoft Ad-Aware and, before removal, write down all files and paths.
3) Unplug the computer. Do not shut down.
4) Move the hard drive to a second computer and install it as a secondary drive.
5) Look at the files listed by Ad-Aware. Note they may be system or hidden files; use the /AH and /AS options on the dir command.
6) Note the sizes.
7) Search the hard drive for other files with the same sizes. Delete all these files. The files will have strange names, a combination of letters and numbers, ending in .dll.
8) Search for the file guard.tmp and remove it.
9) Search for the following special files. They may be hidden and system:
windows\system32\esbuzn.dll
windows\system32\wqroyg.exe
windows\system32\wqroyg.dll
documents and settings\all users\start menu\programs\startup\hftpyi.exe
10) Delete each of these files and put a dummy text file in their place with the same name. Make the dummy file read-only, hidden and system.
11) Also make a dummy text file for
windows\system32\esbuzn.exe
documents and settings\all users\start menu\programs\startup\hftpyi.dll
12) Put the hard drive back in the original computer, boot up and do a full Ad-Aware scan. It should not find any more running VX2 processes. Delete all files Ad-Aware finds.
13) Do a full virus scan.
14) Turn restore on and make a new restore point.
36. by Matneee. 2005-02-21 09:02:33
This method requires Lavasoft AdAware & about 10 minutes of free time.
There's a rather persistent permutation of this that seems to be immune to AdAware and its VX2 removal tool plugin - it says it'll delete it on next boot but never manages. Unfortunately, I found this on my pc one day and decided to set aside a few minutes to rid myself of it. 2 hours later...
The big problem seems to be this version of VX2 works due to the relationship between 3 files in the windows\system32 file - 2 dll files and one called Guard.tmp. The problem is that you can't delete the dll files while the pc is on (you're told they're in use, hence AdAware has to try and delete on next boot), and these dll files seem to rename themselves randomly on startup. If you go to the windows/system32 file (well, in XP anyway - not tried it on other O/S) and sort all files by date modified, you should see them. They'll have names like h6j4lg1q16.dll, On2a5o1d.dll and so on (although I can't stress enough that these file names are seemingly random - check for dlls with the latest timestamp to find them). You should also find the Guard.tmp file there. This is pretty clever in that if you delete it or rename it, another guard.tmp file will appear before your very eyes after about 30 seconds.
Now, I'm not totally certain about this, but it seems that the guard.tmp file acts as a sort of seed for the next generation of randomly named dll files, and something (presumably in one of the dll files) writes the guard.tmp file. This is pretty clever I suppose, as they seem to protect each other. Anyway, here's how I got rid of it (on XP Pro, at any rate. Not sure about other operating systems).
1- Firstly, install AdAware SE and update it.
2- As with any other spyware removal, delete all temporary IE files and cookies, disable system restore on your PC, empty the recycle bin, run the disc-cleanup wizard and unplug any network/internet connections.
3- Boot to Safe Mode. Run AdAware. Delete everything it finds.
4- Open the C:\windows\system32 file. Sort everything by date modified. Look for the guard.tmp file right at the end of the list (if you can't see it, try the 'view hidden files' approach). Right-click on guard.tmp and open it with Notepad. Delete all the text you can see there and replace it with the word "dummy". Save this. Right-clicking on the guard.tmp file should now show it to be about 7 bytes long - write-protect it as well.
5- Reboot to safe mode again. I found this seemed to take a very long time when I did it. Looking in the system32 folder, you should now see a new dll with a similar random name to those mentioned above, but this time it will only be about 7 bytes long - it seems that the guard.dll file you edited has become the new dll file, although since you rewrote it, it will no longer contain the correct instructions to continue the cycle. In effect, you've broken the chain.
6-Run AdAware. It'll again tell you it will delete vx2 on next boot.
7-Reboot to safe mode (again...)
8- Run Adaware again. This time it should show up as clean.
Anyway, this worked for me. I hope it helps some others out there...
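The hand checks that posts 28, 32, 35 and 36 describe (sort system32 by date modified, compare the sizes of the fresh DLLs, search the drive for files of the same size, confirm guard.tmp's size after the dummy swap), as an added Python example rather than anything from the thread. The listing it runs on is constructed, and the one-hour window and 10% size tolerance are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

FileRec = namedtuple("FileRec", "path size mtime")

# Constructed listing (not a real capture): stock DLLs, two fresh odd-named DLLs, guard.tmp.
T0 = datetime(2005, 2, 21, 9, 2)
OLD, FRESH = T0 - timedelta(days=200), T0 - timedelta(minutes=3)
SYSTEM32 = [
    FileRec(r"C:\WINDOWS\system32\kernel32.dll", 983552, OLD),
    FileRec(r"C:\WINDOWS\system32\ntdll.dll", 708096, OLD),
    FileRec(r"C:\WINDOWS\system32\h6j4lg1q16.dll", 37888, FRESH),
    FileRec(r"C:\WINDOWS\system32\On2a5o1d.dll", 37376, FRESH),
    FileRec(r"C:\WINDOWS\system32\guard.tmp", 37888, T0 - timedelta(minutes=2)),
]
# Elsewhere on the drive, the kind of same-size sibling post 35 searches for (constructed).
OTHER = [FileRec(r"C:\WINDOWS\Temp\se.dll", 37888, FRESH)]

def newest_dll_cluster(records, window=timedelta(hours=1)):
    """DLLs modified within `window` of the newest DLL (post 36: sort system32 by date)."""
    dlls = [r for r in records if r.path.lower().endswith(".dll")]
    if not dlls:
        return []
    newest = max(r.mtime for r in dlls)
    return sorted((r for r in dlls if newest - r.mtime <= window), key=lambda r: r.mtime)

def size_band(cluster, tolerance=0.10):
    """Cluster members within `tolerance` of the median size (post 28: roughly the same size)."""
    if len(cluster) < 2:
        return list(cluster)
    sizes = sorted(r.size for r in cluster)
    median = sizes[len(sizes) // 2]
    return [r for r in cluster if abs(r.size - median) <= tolerance * median]

def same_size_siblings(records, suspects):
    """Files anywhere with exactly a suspect's size but a different path (post 35)."""
    sizes = {r.size for r in suspects}
    paths = {r.path.lower() for r in suspects}
    return [r for r in records if r.size in sizes and r.path.lower() not in paths]

def guard_tmp_size(records):
    """Size of guard.tmp, or None; 7 bytes means the 'dummy' rewrite from post 36 stuck."""
    hits = [r.size for r in records if r.path.lower().endswith("\\guard.tmp")]
    return hits[0] if hits else None

def triage(system32, everything):
    """Run the three checks the posts do by hand and return what a responder wants to see."""
    suspects = size_band(newest_dll_cluster(system32))
    return {"suspects": [r.path for r in suspects],
            "siblings": [r.path for r in same_size_siblings(everything, suspects)],
            "guard_tmp_size": guard_tmp_size(system32)}
```

On a live box, build the records with `os.scandir` and `entry.stat()` over system32 (and the whole drive for `everything`) instead of the constructed lists.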
37. by Guest. 2005-02-19 21:02:54
I dont have a browser helper object key..what else can I do?
38. by paul. 2005-02-19 06:02:45
I almost went to reformatting my hard drive. I couldn't get rid of this monster. Then I bought this CD off eBay for about $11 with shipping, out of blind hope. It has several nuke 'em programs: antispyware, virus detection, and I threw the works at my hard drive, so I am not sure which one from this CD worked, but I was finally able to rid myself of VX2. What a bastard of a piece of spyware!
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&rd=1&item=7132679925&ssPageName=STRK:MEAFB:IT
or search in eBay
"BEST SPYWARE VIRUS TROJAN REMOVER " and make sure you see the red cross.
39. by Justin Fleming. 2005-02-18 20:02:53
I downloaded the ad-aware vx2 cleaner. I ran ad-ware and it said the vx2 process was in there. THEN I ran cleaner and the damn thing did not work. I am about to cry....
40. by Phil Jones. 2005-02-17 18:02:24
The Ad-Aware add-on "VX2 Cleaner" worked for me. Ad-Aware 1.0.5 with the definition file dated 16 Feb 05 cleaned all but two VX2 DLLs. The "VX2 Cleaner" seemed to get rid of the last two. http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
I also tried the instructions at http://www.techsupportforum.com/archive/index.php/t-31306.html which did not work. I got a list of DLLs that "Windows does not See or cannot Access". I tried to remove them using the "Killbox" app as described in the article but no! VX2 survived with its loathsome godlike powers of immutability.
On a side note, pretty soon I expect all new malware will follow VX2's magnificent example. Then everything we have to deal with will be "Files that Windows does not See or cannot Access". Well done, Bill G. Ad-Aware is going to descend into a morass of special cases and one-off fix tools. Internet Explorer? Forget it. Firefox? Too popular. Go for Mozilla Internet Suite and use the Navigator browser.