81. by Guest. 2004-12-22 13:12:58
I am an IT professional, and this is one of the nastier bugs I've fought. I tried just about everything above, and nothing worked until #57. I assume the earlier solutions worked with earlier versions of VX2, but the evil programmers writing this stuff are probably reading my post right now, and making appropriate changes to the next version. I don't know how they sleep at night, honestly. Anyway, just to let everyone know, I needed one slight modification to #57. I removed all permissions from the appropriate files in system32 (It wouldn't let me delete the guard file until I did this, and I was an admin with ownership, so I was able to put permissions back as necessary). I also searched for guard.tmp in the registry and deleted every entry. Thanks to everyone in this post who helped me in my 5 hour battle against VX2.
82. by Guest. 2004-12-22 09:12:36
I was hit around Dec 16. I had the latest Norton and Ad-Aware SE running with VX2 Cleaner. Every scan revealed a VX2 dll that it couldn't remove. It would ask if I wanted it to be deleted at the next boot. But each boot would generate a new insidious DLL. I downloaded and ran CWS Shedder, Hijack This, Spybot, SpyDoctor and a half dozen other similar programs. Nothing worked. I tried the solutions prior to #57, none worked using Safe Mode. The trick was 57's suggestion to limit administrative rights to me and to delete other files bearing similar date. But here's what happened. I was able to delete the dll most recently identified by Ad-Aware in safe mode. Then I began deleting every dll generated in December that had a screwy name. When I came to the last one I wanted to delete, it would let me. I thought, oh no! I scanned again still in safe mode with Ad-Aware and ran the VX2 add-on. It deleted that file which I wasn't able to delete manually. I can't tell you what it was like to run a scan and find nothing, zero. Thank you #57 and for all who contribute here. I've tackled many major problems since the early 80's, but no application, no freeware, no mainstream program, no tech support site, solved this problem until I came here late yesterday. Merry Christmas!
83. by Guest. 2004-12-21 10:12:05
After 3 days I finally fixed the problem. Thanks to all the suggestions I found one that worked. Here's what I did:
I emptied my temp files, temp internet files, cookies. Be sure you can access and delete hidden files.
1- run Adaware to find the .dll file that shows up
2- find the location of the .dll, when you find the file right click on it and go to properties
3- go to security feature and set file so it has administrative privileges only ... deny privileges to everything else.
4- unplug computer ... do not turn off ... unplug it
5- turn on computer in safe mode and go back to the .dll file. You should be able to delete now. Look for files in system32 that were created the same day or around the same day as the .dll file. Delete the ones that look like they don't belong. Be sure to delete the guard file.
6- run Adaware again and everything should be fine.
Good luck ... I hope this works for you
84. by Guest. 2004-12-21 09:12:46
My computer was infected with three different viruses. I tried to get different programs to remove them, but they would not allow themselves to be deleted. I finally partitioned the c drive, then reloaded the windows system on to the new d drive. I then ran the virus program on the systems and windows section of c, this time it did get rid of them. It allowed me to save the music, programs and other things I was not wanting to delete. Just for thought as a different way to do this. Playing with the registry was getting too confusing with me, plus it was not working with me battling three different ones
85. by Guest. 2004-12-20 04:12:48
I'm not sure if this helps, but I've built a test system and purposefully downloaded the vx2 trojan on it.
Please note that disassembling programs is a hobby, and you shouldn't call microsoft about it.
I say it's a trojan because of the nature of the program itself. it uses an authorized active scripting command to copy itself from the system32 folder to the system volume information area. this area is originally built to house things like file lookup tables, the restore images, dlls in use, and other bits and pieces that shouldn't be in the pagefile.
the vx2 trojan locks itself into the sysvolinf area by using the admin process 'rundll32.exe'. this is not an allowed process, merely a clone since the real rundll32 doesn't show up in the process tree to begin with (service pack 1 allows it to be seen by admins). This process locks the 2 key strings so that they cannot be deleted or changed by anyone or anything.
it then propagates to the system dll cache and monitors activities using its own code.
upon careful analysis, I have found the perfect solution. be prepared for some involvement.
install a new copy of your operating system on a new hard disk. set this to the master drive.
use your original hard drive as a slave (keeping the dlls quiet because only 1 sysvolinf area can be used at a time) thereby disabling the virus.
turn off system restore on all drives and remove all but the latest restore
run adaware or delete the following strings:
/System32/ iOssvcs.dll
/System32/iTshlpr.dll
/System32/iVssam.dll
/System Volume Information/_restoreBE8A08A2-826F-476B-B751-88FBE59340BC/RP70/A0007645.dll
/System Volume Information/_restoreBE8A08A2-826F-476B-B751-88FBE59340BC/RP70/A0007646.dll
please note that the drive you are deleting from is the slave (infected) drive, not the current one.
vx2finder(126).exe is a wonderful utility that accomplishes what I just instructed automatically. the only exception is that it can't unlock the restore area.
hope this helps,
MS Tech Support
86. by Guest. 2004-12-16 16:12:49
I would not try to remove the files with Adaware. Use it to find them, but then use the registry to restrict the permissions, then delete the individual files. Otherwise, it just restarts as Adaware tries to delete them.
87. by Guest. 2004-12-16 12:12:31
I used CWScrubber and it fixed my problem!!!
88. by Guest. 2004-12-16 01:12:35
after much trouble I fixed it also, here is how:
tried all the stuff above. did not fix it.
deleted all temp files in temporary internet and temp directories under all user profiles
emptied all rubbish bins
run adaware se
this locates the infected files. DON'T delete them. make a note of the locations or print them out from the log.
Pull the plug on the computer.
don't exit adaware, don't log off, don't shut down. pull the power cord out of the computer
wait a bit and restart pressing f8 at start up
start up in safe mode, then run regedit
use the "find" feature to look for the infected files in the registry. one of them will be in there somewhere. its name changes every time adaware tries to delete it.
navigate down the registry until you get to the entry containing the infected dll. then go to permissions and deny all permissions except to administrator.
now you ought to be able to delete it with adaware
I found the trick was not to use adaware for deletion until you had nailed this file. I think it's the one which immediately does some kind of soft reboot after adaware has attempted deletion. I could see my screen flicker for a second and the programs shut down and restart one after another. it's at this time that the virus replicates and changes its name. once this has happened you have to start from square one again
I also found that the file names and registry entries referred to above just did not exist on my infected machine. the names and locations change all the time and adaware will show you where they are. sometimes the files are actually hidden so you can't navigate to them even in command prompt and you are always denied access rights even if you do find them. the file is always "in use" by another program and can't be touched.
knock out the registry entry first, then go get the other files. but don't ever shut down adaware or log off until the system is clean. if you need to restart, pull the plug and restart using f8 to enter safe mode either in command prompt or normal safe mode
I also played around with the attrib [not attrub] command which was referred to above. don't actually know if that helped or not...
good luck to you all
I assume the corporate paid scum bags who designed this bit of crap are reading posts like this and adapting the new versions to evade destruction. well, that's nothing that could not be fixed by a 9mm to the base of the skull. So much more effective than a class action.
89. by Guest. 2004-12-15 12:12:49
Hey post 49
I need help with this awful VX problem. I follow your instructions and find the .dll but there is no way to set permission as you instruct. If I just turn off the machine I keep getting the same .dll back again
I'm running 200 pro - any ideas would be welcome
90. by Guest. 2004-12-15 02:12:48
Just wanted to say thank you, thank you, thank you to poster 49 for the fix. After 5 days of trying to rid my machine of VX2 his fix WORKED!
1. Run ad-aware and find what dll is infected (this thing will rename itself on every reboot!)
2. Run regedit, search for that dll, you'll find it in a winlogon section of the registry.
(specific folder.... HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify)
3. Goto the folder above for the entries listed where the DLL is, goto permissions, and DENY access to everyone/thing except administrators
4. Run ad-aware again and have it "clean-up" everything it finds... It will tell you u have to reboot....
5. DONT close ad-aware OR REBOOT.... This sucks, but just TURN THE PC OFF... if you logoff, the program will rename/hide itself AGAIN...
6. On reboot, Ad-aware will load again, scan 1 more time and you'll find some remainders, delete them and you are done...
Do it and take your machine BACK!
91. by Guest. 2004-12-14 09:12:03
Here is how I got rid of it:
1. Run ad-aware and find what dll is infected (this thing will rename itself on every reboot!)
2. Run regedit, search for that dll, you'll find it in a winlogon section of the registry.
(specific folder.... HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify)
3. Goto the folder above for the entries listed where the DLL is, goto permissions, and DENY access to everyone/thing except administrators
4. Run ad-aware again and have it "clean-up" everything it finds... It will tell you u have to reboot....
5. DONT close ad-aware OR REBOOT.... This sucks, but just TURN THE PC OFF... if you logoff, the program will rename/hide itself AGAIN...
6. On reboot, Ad-aware will load again, scan 1 more time and you'll find some remainders, delete them and you are done...
Best of luck all, almost had to reload system until I did the above...
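The fix in posts 90 and 91 depends on finding which subkey under Winlogon\Notify points at the renamed DLL. The following is an added example, not part of the thread: it diffs a registry export of that key against an export taken from a known-clean machine of the same Windows version and reports every subkey that is new or whose DllName changed. The function names and both sample exports are constructed for illustration.

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def decode_reg_value(raw):
    """Decode a .reg value: a quoted REG_SZ, or hex(1)/hex(2) UTF-16LE bytes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # .reg files escape backslash and double quote with a backslash
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\([12]\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None

def notify_dlls(reg_text):
    """Return {subkey (lowercase): DllName (lowercase) or None} for Notify subkeys.

    reg_text is the text of a registry export. Version 5.00 exports are
    UTF-16 on disk, so read the file with encoding="utf-16".
    """
    # Long hex values are wrapped with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    prefix = NOTIFY.lower() + "\\"
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            current = key[len(prefix):] if key.startswith(prefix) else None
            if current:
                result.setdefault(current, None)
        elif current and "=" in line:
            name, _, raw = line.partition("=")
            if name.strip().strip('"').lower() == "dllname":
                value = decode_reg_value(raw)
                result[current] = value.lower() if value else None
    return result

def unexpected_notify_entries(baseline_text, suspect_text):
    """List (subkey, dllname, reason) for entries absent from or changed since the baseline."""
    base, now = notify_dlls(baseline_text), notify_dlls(suspect_text)
    findings = []
    for sub, dll in sorted(now.items()):
        if sub not in base:
            findings.append((sub, dll, "new subkey"))
        elif base[sub] != dll:
            findings.append((sub, dll, "DllName changed"))
    return findings

# Constructed sample: export of the Notify key from a clean machine (assumption).
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,\
  64,00,6c,00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DllName"="wlnotify.dll"
"""

# Constructed sample: the same key with one extra entry (hypothetical names).
SUSPECT = BASELINE + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleEntry]
"DllName"="C:\\WINDOWS\\system32\\example-constructed.dll"
"Logon"="ExampleLogon"
"""

if __name__ == "__main__":
    for sub, dll, reason in unexpected_notify_entries(BASELINE, SUSPECT):
        print(f"{reason}: Notify\\{sub} -> {dll}")
```

The export itself can be produced with regedit's File > Export on the Notify key; anything the diff reports is a candidate for the permission change described in step 3, not proof of infection.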
92. by Guest. 2004-12-13 20:12:46
Use this blessed little tool to save you from this little piece of hell...
http://www.lavasoftsupport.com/index.php?showtopic=54511
I tried it on my own computer and it killed the damn thing. Note that I, using xp home, had to install an autoexec.nt file to my system32 directory to make his programs work. Also you'll want to use hijackthis to get rid of any host files if you can. oh and do what he says in safe mode. I tried it in normal and it flipped out.
when are these spyware people gonna realize that if I was gonna buy your crap I wouldn't be trying so hard to get rid of your goddamn program. I assume they're trying to sell to idiots who can't uninstall it with adaware. so why bother making the ultimate unbeatable thing like this? just so that half of us have to format our computers.???
on a side note... I will never ever use ie again.... firefox is the way to go....
93. by Guest. 2004-12-09 22:12:51
The VX2 and intelligent explorer which is usually attached to it comes from MICROSOFT!!!! that's right, every time microsoft downloads an update to your computer it will show up again. I finally got rid of it and then it's back on because of microsoft. Screw microsoft, I'm switching to Linux
94. by Guest. 2004-12-02 13:12:13
Who is responsible for VX2? Corporate name? Location?
95. by Guest. 2004-11-19 12:11:09
This b**tard runs in safe mode so the usual safe mode fixes don't work.
1 Find vx2 using whatever and make a careful note of the infected filename
2 Ensure no disk activity and pull the computer's plug
3 Restart with F8 and start up in Safe Mode Command Prompt only. VX2 doesn't run in this mode.
Navigate to the folder (cd...) and delete the file noted in step 1 (del) you may need to make the file visible using attrub filename.exe -h -s -r first.
Restart the machine normally and run whatever again to find its non active backups which should then delete without problem.
96. by Guest. 2004-11-15 05:11:40
after trying to remove this strain of adware for a few hours with no success finally it is gone!!
wafyy BIG thanks!!
what I still don't understand is why adaware would not remove it in safe mode when I tried initially, but when u go to scan summary and delete it as a "family" it removed???
nonetheless it is now gone!!
thanks again!
97. by Guest. 2004-11-10 15:11:18
gets VX2 buuuuuuuuut leaves at least *.exe files permanently from the VX2,vundo,webstat, 6gfnu5.exe etc....
help?
98. by Guest. 2004-11-10 08:11:36
Don't waste time with those other links UNLESS you want to PAY $$$$$. Why should you pay for a privacy violation? According to Allen B. the President of VirtumunDO ,..He sent me the e-mail I posted stating the true VIOLATORS of this VX2 (virtual Bouncer) and variants is VIRTUMONDE AS IN ---> virtumonde
send pop-ups out of control on your windows systems... aaahhhh! I have been trying for several weeks and finally I read Waffy's post..gonna try it now so look for my new post
http://pets.allhere.com
99. by Guest. 2004-11-06 14:11:17
Thanks, Spy Sweeper did the job. I have win 2000.
100. by Guest. 2004-11-04 08:11:02
Finally....after hours of fruitless pursuits, your fix worked waffy.
MjB