VX2.cc


Remove VX2.cc. Comments - page 4:




61. by Guest. 2004-12-25 20:12:44
I just finished getting rid of this new VX2 variant. It keeps its files under the %systemroot%\system32 directory. It polymorphs and changes names when rundll32.exe gets re-initiated. About the only consistent file was guard.tmp. These DLLs are between 222,000 and 227,000 bytes in length. They also can get evil and hide as system or hidden files. I benchmarked with Ad-Aware to see what files were currently in use. It would not remove this variant, but at least showed me the live files. I dir'ed these files and copied them to a notepad which I printed off. I then rebooted to my install CD and mounted the NTFS partition. From there I had to attrib -r to get rid of the read-only attribute and remove these files individually. Once removed I rebooted and used Ad-Aware to verify that the system was clean. Also removed the bad entries from the host file. Here is a list of changed file name dlls that were hidden on my system to give you an idea of how these constantly change. Good luck!!!

12/11/2004 12:17 AM 223,906 e4020edoeh0c0.dll
12/11/2004 12:25 AM 223,702 mlupgrd.dll
12/12/2004 11:04 AM 224,594 t2r80c9uef.dll
12/12/2004 11:12 AM 225,516 l4j8le1u1h.dll
12/12/2004 06:17 PM 223,702 n6n6lg5s16.dll
12/12/2004 06:17 PM 223,749 mbidntld.dll
12/12/2004 07:00 PM 225,655 l60ulgd9160.dll
12/13/2004 05:05 PM 223,749 h00q0ad5ed0.dll
12/17/2004 09:14 AM 224,360 dnj6011se.dll
12/17/2004 09:22 AM 224,676 aza6011se.dll
12/17/2004 09:29 AM 223,891 h24m0ch1ef4.dll
12/17/2004 09:36 AM 223,749 gsmf32.dll
12/17/2004 05:25 PM 226,207 fpl0033me.dll
12/17/2004 05:25 PM 226,174 wpssvc.dll
12/18/2004 04:43 PM 222,519 jtnm0751e.dll
12/18/2004 05:00 PM 222,630 pygfilt.dll
12/18/2004 05:25 PM 222,630 r28slcl71fq.dll
12/18/2004 06:59 PM 222,630 llcalui.dll
12/19/2004 09:36 AM 222,630 ir6ml5j11.dll
12/19/2004 09:37 AM 222,630 mfsnap.dll
12/21/2004 05:57 PM 224,542 o2480chuef480.dll
12/22/2004 11:05 PM 224,409 hr4005hme.dll
12/22/2004 11:16 PM 224,364 pkpusd.dll
12/23/2004 01:27 PM 224,725 l08m0al1edq.dll
12/23/2004 03:57 PM 226,239 gp84l3lq1.dll
12/23/2004 04:42 PM 226,239 g4402ehmgh4a2.dll
12/23/2004 09:44 PM 226,239 en8sl1l71.dll
12/24/2004 03:11 PM 222,620 hr2805fue.dll
12/24/2004 03:12 PM 226,239 k0pmla711d.dll
12/24/2004 03:26 PM 226,239 dpvx_xx07.dll
12/24/2004 04:02 PM 222,723 f0l0la3m1d.dll
12/24/2004 07:48 PM 226,253 cysyn32.dll
12/25/2004 10:49 AM 226,253 hr0005dme.dll
12/25/2004 12:50 PM 223,075 q8860ilse8q60.dll
12/25/2004 01:47 PM 222,239 i2600cjmefoa0.dll
12/25/2004 04:32 PM 0 p0p60a7sed.dll
12/25/2004 07:18 PM 226,253 guard.tmp

62. by Guest. 2004-12-28 15:12:24
Hi. I tried most of the methods posted here. I ran Adaware SE and noted the locations of the files. Then I ran regedit and denied access to the appropriate .dll file. Without exiting anything, I unplugged the computer and restarted in Safe Mode. But I couldn't delete the .dll file in Safe Mode.

So I tried #46 - starting up in Safe Mode Command - but when I went into the C:\Windows\System32 directory, it couldn't find the .dll file. But it would show up in normal safe mode.

#46 said to use "attrub filename.exe -h -s -r" if the file doesn't show up. How do I do this? What is "attrub filename.exe -h -s -r"? I'm familiar with only very basic navigation in a DOS prompt ("cd", "cd...", "del xxxxx.exe", etc.).

Any help appreciated. Thanks...

63. by Guest. 2004-12-28 17:12:11
Wow, I can hardly believe it.
I seem to have finally deleted this f*****g thing with Pest Patrol. I've been trying to get rid of this thing for weeks.

I downloaded the trial version of the corporate Pest Patrol programme. They don't seem to have a home user trial version. So I registered as a business user.

I'm running Hitman Pro now (combines CW, SpySweeper, AdAware etc.) to get rid of anything that may be left behind.

64. by Guest. 2004-12-29 12:12:43
I'm working on a friend's laptop that has XP Home (so I can't go in and set permissions, etc) and I can't attach the disk drive to another machine either. Any hope for me?

Doug

65. by Guest. 2004-12-29 13:12:37
I believe that the easiest way to remove the VX2 spyware, or any other persistent spyware, from a WinXP system that will not run Ad-aware on reboot, is to remove the HDD and install it as a slave on a Win98 or Win2K system that will run Ad-aware on reboot. However, it probably won't be necessary for the reboot run, since the infested/infected drive is installed as a slave.

ebob2k

66. by Guest. 2004-12-30 05:12:46
HAVE TRIED EVERYTHING ABOVE WITH NO SUCCESS PLZ PLZ SOMEONE HELP ME.
I'm gonna go crazy soon, the only way I am able to even use my computer is because ad-watch is preventing any edits at the moment but no program or solution above is working, when I watch ad-watch it prevents 1000 registry edits a minute, it's insane, I have no idea what to do. HELP ME someone.

67. by Guest. 2005-01-05 17:01:54
Have just removed VX2 after weeks of trying. Tried all above on this forum. Have just used PC BugDoctor and it's gone. Now just need to remove www coolsearch crap.

68. by Guest. 2005-01-06 14:01:52
Have today removed VX2 after many weeks of trying. Used PC Bug Doctor and it cleaned it out completely.

69. by Doc in San Clemente, CA. 2005-01-11 18:01:20
I had the latest iteration of VX2 on a machine that adaware could not remove and the add-in tool didn't even show. When adaware would run it would show it, and ask to remove the files at next boot, but of course, since the names change, it could not remove them. Here is the solution I found.
* Make sure you know the administrator password as you will need it. If you don't know it, but you have administrator privileges, reset the administrator password so you will know it later.
** Have a Win2000 or WinXP install disk handy. You will need it for part of this procedure.
1) Run Adaware from safe mode using the full system scan option and when it shows the list of files it could not remove, WRITE THEM ALL DOWN with the FULL PATH.
2) Start your computer using the Win2000 or WinXP install disk. When prompted to install or repair, choose R for repair.
3) When prompted to repair using the console or automatic, choose C for console.
4) Log in to the default windows - This is where you need the admin password.
5) Now delete the files one by one that Adaware gave you earlier by using either del /path/path/filename or cd to the appropriate directory(s) and delete the files.
6) Reboot as normal and run Adaware again using the Full System Scan option.

That should do it. I have not found a system yet that this did not work on.

70. by Thea. 2005-01-12 20:01:14
Does anyone have any information on the vx2.zserv variant? I've searched everywhere and feel like I've done all of these things with no luck. Suggestions?

71. by E. 2005-01-16 09:01:08
the post 13 down (titled Evil!!!!) from mine worked. i couldn't get a client's pc clean until i found the .dlls with an adaware scan in safe mode, removed all permissions, even the local admin, and took ownership of the files as local admin. then i pulled the plug, went into safe mode and deleted the files, then scanned with adaware. i still had to manually scan the registry for ebates moe money, virtual bouncer and elite sidebar. this is the nastiest spyware app i've ever seen. it's as destructive as most viruses. everyone at Vx2 should be tarred and feathered in front of a web cam for the whole world to see.

72. by X. 2005-01-19 10:01:39
I have had all sorts of trojans and spyware on various PCs since Q4 2004. I currently have VX2, I was just wondering if that's all that I have. From time to time my cursor appears to develop an athletic regime of its own, either hopping up and down (medium impact aerobics) or swimming lengths across the monitor. I have seen similar behaviour with some other thing on another PC -- I think it was CWS. Are these cursor gymnastics part of VX2 as well?

73. by Mark Coe. 2005-01-19 22:01:16
My computer is so messed up.. I can't get rid of the VX2 no matter what I try. I hope the person that is responsible for this software gets run over by a truck and dragged for 100 feet, only to live through it as a quadriplegic.

74. by Mike H. 2005-01-20 20:01:40
Well, I too was infected with that nasty VX2 bug and with the advice of several people on this forum, I was finally able to get rid of the VX2 that was hiding on my computer. The procedure I had to use was to run Ad-Aware in SAFE mode, identify the VX2 files, clean up the registry and after about the umpteenth time, was finally able to erase the suspected .dll files. I even searched all the dll files in the System32 folder for a date of 2005. I renamed them with a dl$ and finally was able to delete all of them. It is a tricky and time-consuming operation, but I am happy to finally be rid of that nasty uninvited guest. The only question I have remaining is, at one point, the instructions mentioned to change the access restrictions to just the administrator. After you are rid of the VX2 bugs, is it safe or wise to reverse that and change the access restrictions to what they were before I changed them? Thanks again. I am glad that this forum was here to help me and hopefully, it will help others.

75. by Bill. 2005-01-23 00:01:46
To remove VX2, use the Windows XP disk, boot into recovery console, locate the file guard.tmp in the C:\windows\system32 dir, change the attributes (attrib -s -h -r guard.tmp), then write down the file size in bytes (should be 224xxx), locate all dlls that have this exact size, change their attributes and erase them. Use the erase command, not delete. When done, erase guard.tmp, reboot the machine and use Ad-Aware to remove the registry entries and remnants of the vx2 adware.
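
The size check from comment 75, together with the size range reported in comment 61, sketched as an added example (not part of any post in this thread). It parses saved `dir` output; the function names and the last sample row are assumptions made for illustration.

```python
import re

# `dir`-style lines. The first six are copied from the listing in comment 61;
# the last one is a constructed, unrelated DLL added for contrast.
SAMPLE_DIR_OUTPUT = """\
12/24/2004 03:11 PM 222,620 hr2805fue.dll
12/24/2004 03:26 PM 226,239 dpvx_xx07.dll
12/24/2004 07:48 PM 226,253 cysyn32.dll
12/25/2004 10:49 AM 226,253 hr0005dme.dll
12/25/2004 04:32 PM 0 p0p60a7sed.dll
12/25/2004 07:18 PM 226,253 guard.tmp
08/04/2004 12:00 PM 1,033,728 constructed_benign.dll
"""

# date, time, AM/PM, size with thousands separators, file name
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)$")


def parse_dir(text):
    """Return [(name, size_in_bytes)] for every file row in `dir` output."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:  # headers, <DIR> rows and blank lines do not match
            entries.append((match.group(2), int(match.group(1).replace(",", ""))))
    return entries


def triage(entries, marker="guard.tmp", lo=222_000, hi=227_000):
    """Split DLLs into exact-size matches of the marker and in-range others."""
    marker_size = next((s for n, s in entries if n.lower() == marker), None)
    exact, in_range = [], []
    for name, size in entries:
        if not name.lower().endswith(".dll"):
            continue
        if marker_size is not None and size == marker_size:
            exact.append(name)     # comment 75: same byte count as guard.tmp
        elif lo <= size <= hi:
            in_range.append(name)  # comment 61: 222,000-227,000 bytes
    return marker_size, exact, in_range


if __name__ == "__main__":
    size, exact, in_range = triage(parse_dir(SAMPLE_DIR_OUTPUT))
    print("guard.tmp size:", size)
    print("same size as guard.tmp:", exact)
    print("other DLLs in size range:", in_range)
```

On these rows the exact-size rule returns two files and the range check returns two more with different byte counts; a size match only marks a file for review.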

76. by kevin. 2005-01-24 15:01:20
i can't seem to locate guard.tmp in my system32 folder. i even checked show hidden files/folders and still can't find it. but when i run adaware se, vx2 still shows up. please help.

77. by kevin. 2005-01-24 15:01:47
nevermind...i finally got rid of it!! i hope the person who created this will slip and fall on his face only to get his good popped by a sharp rock.

78. by Kevin Also. 2005-01-24 18:01:59
So how did you get rid of it? I cannot find it either. When I go to, say, the Trend Micro Housecall to do a virus scan, the first thing to show up is a pop-up ad of a fly (as a virus) and a frog (as an anti-virus). It's driving me nutz.

Any help out there guys?

Kev

79. by kevin. 2005-01-24 23:01:53
it took me long hours. at first i didn't even know this thing was that bad so i just scanned it with adaware for about 10 times and it kept showing up! before you do anything, go to download.com and download spy sweeper and you should have adaware. scan your computer with spysweeper and remove the nonsense found by it. clear out your temporary internet files and cookies. then read this forum http://www.lavasoftsupport.com/index.php?showtopic=54511 . that was a great help. just be sure to kill guard.tmp in your system32 folder as they will tell you to do so. and the second method on that forum helped me delete randreco.exe which kept running. after all that scan it with spy sweeper again to make sure nothing is found. then scan it with adaware. if vx2 is still detected, write down the registry path. then go to start > run > type in regedit > go to the path of the registry file > set permission of ADMIN only. then reboot your computer in safe mode (run msconfig > boot.ini > check safemode). in safe mode, run adaware and remove all the files that are found. then do a normal reboot. you should scan it with spysweeper and adaware again just to make sure. but that should take care of it. at least that's how i did it anyways

80. by James. 2005-02-03 03:02:51
How do I know if the VX2 thing is gone.....
Do I just scan and see if it has showed up in the list at the end??? Or is there another way to find out and be totally sure?

