Thread: VX2 help please

  1. #1
    Registered User
    Join Date
    Oct 2000
    Posts
    1,569

    VX2 help please

    Windows XP, no SP2. It has VX2 which I can't seem to remove. Installed the Ad-Aware VX2 Cleaner and ran it; it says the system is clean but wants to run Ad-Aware at the next boot. Upon reboot Ad-Aware doesn't run, and VX2 is still there. I have tried a-squared, AVG 7 and Spybot; have installed and run SpywareBlaster; have scanned with them in safe mode as well as normal mode. Sh!t keeps coming back. Will try connecting the HD to another machine and scanning that way; maybe I can remove the DLL files that way. Anyone have a suggestion on this VX2 thing? This one is kicking my a$$.

  2. #2
    Registered User gazzak's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    3,595
    There's no panic like the panic you momentarily feel when you've got
    your hand or head stuck in something

  3. #3
    Registered User
    Join Date
    Oct 2000
    Posts
    1,569
    Thanks much... this one is a killer.

  4. #4
    Registered User
    Join Date
    Oct 2000
    Posts
    1,569
    After all that, the guy decides to just put Win98SE on the machine, since what he had was a pirated copy of XP Pro. No CD or number... couldn't do any security updates or SP1 or 2. Windows reported an invalid registration # and refused to install anything. Sometimes you just feel like knockin' the hell out of people.

  5. #5
    Registered User
    Join Date
    Jan 2005
    Posts
    2
    I finally found a solution to the pain-in-the-butt popups and redirects. I got this info from Lavasoft and mixed in some of the things that I did myself to alleviate these problems. First, let's look at your symptoms:

    *** You are getting icons installed on your desktop like: Block Spyware, Online Dating, My PC Search, Free Online Music
    *** You are getting Fatal Exception BSOD Stop in C000021A
    *** You are getting errors dealing with IdleUI[1].Dll
    *** You can't get rid of 69.20.16.183 in your Hosts file (it keeps coming back)

    The problem is you are infected by the CoolWebSearch, VX2 and SecondThought malware/adware. These boys are tough to get rid of, but if you follow the instructions below to the letter, we can solve it.

    Step 1
    -Remove as much as possible using Ad-aware SE with the most recent reference file. Reboot and have these 2 utilities ready.

    http://www.downloads.subratam.org/DllCompare.exe DllCompare (version 1.0.0.127, which will scan for locked files created by VX2)
    and

    http://www.downloads.subratam.org/KillBox.exe Killbox (version 2.0.0.76, which will be responsible for removing the files found)

    Using DllCompare

    Copy dllcompare.exe to your desktop; don't just run it from the download site.
    It is preset to scan the System32 directory, so nothing other than clicking the [Run locate.com] button is required.
    When the scan is complete, you will see in blue "Completed the scan, Click Compare to Continue", at which point you click the [Compare] button.

    It will sort through the files it found, determine which should be flagged as "No access" and display them in the lower box.
    In a few minutes it will complete (in blue: Completed).
    Click the button [Make a Log of what was Found]

    To identify suspected VX2 files, look at the dates in the log; all will have been created from late Nov to the present. There are other legitimate files that may also be there, so don't just delete everything in the list either.
    ****
    sample log:
    QUOTE
    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected! (File names change randomly, so yours could be different.)
    ________________________________________________

    D:\WINDOWS\SYSTEM32\dad8.dll Mon Dec 13 2004 3:24:48a ..S.R 223,232 218.00 K
    D:\WINDOWS\SYSTEM32\enp2l1~1.dll Mon Dec 13 2004 3:09:08a ..S.R 223,232 218.00 K
    D:\WINDOWS\SYSTEM32\hr0u05~1.dll Sun Dec 12 2004 10:36:04p ..S.R 224,137 218.88 K
    D:\WINDOWS\SYSTEM32\hrp805~1.dll Mon Dec 13 2004 3:24:48a ..S.R 224,107 218.85 K
    D:\WINDOWS\SYSTEM32\irrml5~1.dll Sun Dec 12 2004 10:14:28p ..S.R 224,427 219.16 K
    D:\WINDOWS\SYSTEM32\lmexpand.dll Sun Dec 12 2004 10:36:04p ..S.R 223,232 218.00 K
    D:\WINDOWS\SYSTEM32\oabcp32r.dll Mon Dec 13 2004 3:10:04a ..S.R 224,362 219.10 K
    ________________________________________________

    1,108 items found: 1,108 files (7 H/S), 0 directories.
    Total of file sizes: 190,775,194 bytes 181.93 M

    Administrator Account = True

    --------------------End log---------------------


    Now, most IMPORTANT: do not reboot until all files have been entered into Killbox.

    Step 2

    Using Killbox

    Copy Killbox to your Desktop (Do not run from the download site)

    Settings for Killbox
    From the menu bar click "About" and ensure you have version 2.0.0.76 or better.
    Select the option Replace on Reboot.
    From the DllCompare log copy & paste each full path into the Killbox topmost box.
    i.e. a full path from our sample log would be
    D:\WINDOWS\SYSTEM32\dad8.dll
    D:\WINDOWS\SYSTEM32\enp2l1~1.dll
    etc.

    With the full path to the file name in the topmost textbox, click the option Use Dummy, which will create a numbered dummy file instantly for you.

    Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
    A second message will ask Reboot now? You will need to click No (since you are not finished adding all related files yet).

    Do this for every file in the DllCompare log matching the VX2 criteria.
    *In the sample log here, every file matches the VX2 parameters and would be input into Killbox.
    QUOTE
    ie: Top line in Killbox would have the path
    D:\WINDOWS\SYSTEM32\dad8.dll
    the bottom line would show a dummy file in user Temp directory
    D:\Documents and Settings\User\Local Settings\Temp\kbdummy.1


    Do this same step for every file in the DllCompare log (or each file one of the forum experts/helpers etc. tells you to).

    When you get to the last file in the DllCompare log, also add in one additional file:

    C:\Windows\System32\Guard.tmp
    *Be careful to include the correct path to the System32 folder, as drive letters & Windows folder names change slightly from system to system.
    If this is an issue, click the [Browse] button in Killbox and navigate to guard.tmp manually. (It will always be in the System32 directory, and you may need to set Folder Options to show hidden and system files.)


    After that last file, close all programs and reboot your computer.

    Step 3

    After a reboot, use DllCompare again and create another log.
    If all was successful, it should be empty.
    At worst, it will show many fewer files, and you may have to repeat step 2 one more time.

    Guard.tmp may still exist, as it is created on shutdown, but it is unprotected at this point.
    Open Killbox again, paste the path to guard.tmp into the first box.
    ie:
    QUOTE
    C:\WINDOWS\SYSTEM32\guard.tmp

    This only requires the "Standard File Kill" default setting of Killbox.
    If the file exists, you will see the name guard.tmp appear in blue. Click the Red X to delete it.

    Step 4

    Cleanup

    Providing the DllCompare log is free of offending VX2 .dll files, you now need to repair some of the damage done to your system.

    Open Killbox and copy & paste the path to the Desktop.ini for the Recycle Bin.
    i.e.:
    NOTE: If you can't find it, don't worry about it. I couldn't either. Just skip this step.
    C:\RECYCLER\Desktop.ini

    Click the Red X to delete it.
    or
    Simply browse to the directory under the C:\ root called RECYCLER.
    In Killbox you will also see the term Directory in blue.
    Click the Red X to delete it.
    *Either of these methods will fix the bug where no files are shown in the Recycle Bin and there is no option to store files in the Recycle Bin.

    For ease of use, download VX2Finder.

    Click the [Restore Policy] button; this will restore the removed Debug privilege for Administrators, otherwise some utilities will not function properly.

    You will also need to remove the UserAgent from the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
    *Using the VX2Finder [UserAgent$] button will remove this.

    and the load DLL for VX2 under the Notify key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    Under this key will be a subkey holding the name of the VX2 dll file, and it will need to be removed.
    That subkey could be called just about anything and will be different for every system.
    example:
    QUOTE

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\s0pula791d.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"


    I will be adding a utility to make the registry modifications in the future.
    At this point, your system will be *clean enough* to allow the other utilities such as Ad-aware & HijackThis to remove the multiple other auto-downloaded & unwanted applications you will have.

    Hosts

    From the Killbox menu bar, click Tools & select Hosts File.

    It will open in Notepad; just highlight the offending entries, or basically everything under the entry
    QUOTE
    127.0.0.1 localhost

    *HijackThis will also remove these.

    For a final cleanup, delete all files in all your Temp folders (i.e. Temporary Internet Files). NOTE: A freeware program like Cleanup does a great job at this.

    Use Regedit to edit your registry (be careful). Do a search for the following and delete all keys and subkeys related to them:
    Ygytfy
    Yuyrqy
    VX2
    Coolwebsearch
    Secondthought

    *** Run Ad-aware SE to scan and reboot the PC
    *** Check HijackThis for any bad entries such as Hosts 69.20.16.183 and delete them if necessary
    *** Reboot the PC again

    You are done! Congratulations! You can now search the web and do your work without pain in the butt malware.
    mudduck
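The post above has you pick the VX2 DLLs out of the DllCompare log by eye, find the odd subkey under Winlogon\Notify in regedit, and strip the hosts file by hand. The script below is an added example by the editor, not code from the post, from Lavasoft, or from the DllCompare/Killbox authors; it applies the post's own criteria to those three artefacts. It assumes the DllCompare log format exactly as quoted in the post, a .reg export made with regedit, and a plain hosts file. The STOCK_NOTIFY allow-list, the kernel32.dll log line and the hostnames in the samples are the editor's assumptions, not values from the post.

```python
"""Triage for the VX2 cleanup in the post above (editor's example, not the
post's or Lavasoft's code): parses a DllCompare log, a .reg export of the
Winlogon Notify key and a hosts file, and flags what the post's rules flag."""
import re
from datetime import datetime

# One DllCompare result line, in the format quoted in the post:
# D:\WINDOWS\SYSTEM32\dad8.dll Mon Dec 13 2004 3:24:48a ..S.R 223,232 218.00 K
LOG_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+"
    r"(?P<stamp>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2})(?P<ampm>[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\b")


def parse_dllcompare_log(text):
    """Yield (path, created, attrs, size_bytes) for each result line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            stamp = m["stamp"] + ("AM" if m["ampm"] == "a" else "PM")
            created = datetime.strptime(stamp, "%a %b %d %Y %I:%M:%S%p")
            yield m["path"], created, m["attrs"], int(m["size"].replace(",", ""))


def suspect_vx2_files(log_text, not_before):
    """Paths the post would send to Killbox: a .dll under System32 carrying the
    System (S) and Read-only (R) attributes, created on/after not_before
    (ISO date string or datetime; the post says late Nov 2004 onward)."""
    if isinstance(not_before, str):
        not_before = datetime.fromisoformat(not_before)
    hits = []
    for path, created, attrs, _size in parse_dllcompare_log(log_text):
        low = path.lower()
        if (low.endswith(".dll") and "\\system32\\" in low
                and "S" in attrs and "R" in attrs and created >= not_before):
            hits.append(path)
    return hits


NOTIFY_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                        r"\\CurrentVersion\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
DLLNAME = re.compile(r'^"DllName"="(.*)"$')
# Notify subkeys of a stock Windows XP install: editor's allow-list, not from
# the post. Confirm it against a known-clean machine of the same build.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def notify_dlls(reg_text):
    """Map each Winlogon Notify subkey in a .reg export to its DllName."""
    result, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = NOTIFY_KEY.match(line)
        if key:
            current = key.group(1)
            result[current] = None
        elif line.startswith("["):
            current = None            # unrelated key: stop attributing values
        elif current is not None and (dll := DLLNAME.match(line)):
            result[current] = dll.group(1).replace("\\\\", "\\")   # un-escape .reg path
    return result


def suspect_notify_entries(reg_text):
    """Subkeys not on the stock list; the post's randomly named VX2 entry will
    be among them. Look at the DLL before deleting the key."""
    return {k: v for k, v in notify_dlls(reg_text).items()
            if k.lower() not in STOCK_NOTIFY}


def hosts_hijack_lines(hosts_text):
    """Every active mapping other than '127.0.0.1 localhost', i.e. what the
    post tells you to strip from the hosts file."""
    bad = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields != ["127.0.0.1", "localhost"]:
            bad.append((fields[0], fields[1:]))
    return bad


# Constructed samples: three log lines quoted in the post plus one ordinary DLL
# (made up here) that must not be flagged; the post's Notify export with a
# stock entry added; a hosts file using the IP the post names.
SAMPLE_LOG = r"""
D:\WINDOWS\SYSTEM32\dad8.dll Mon Dec 13 2004 3:24:48a ..S.R 223,232 218.00 K
D:\WINDOWS\SYSTEM32\enp2l1~1.dll Mon Dec 13 2004 3:09:08a ..S.R 223,232 218.00 K
D:\WINDOWS\SYSTEM32\hr0u05~1.dll Sun Dec 12 2004 10:36:04p ..S.R 224,137 218.88 K
D:\WINDOWS\SYSTEM32\kernel32.dll Wed Aug 04 2004 6:00:00a A.... 983,552 960.50 K
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s0pula791d.dll"
"""
SAMPLE_HOSTS = """127.0.0.1       localhost
69.20.16.183    www.example.com      # placeholder hostnames
69.20.16.183    search.example.net
"""

if __name__ == "__main__":
    for p in suspect_vx2_files(SAMPLE_LOG, "2004-11-20"):
        print("Killbox (Replace on Reboot):", p)
    for key, dll in suspect_notify_entries(SAMPLE_REG).items():
        print("Notify subkey to remove after checking its DLL:", key, "->", dll)
    for ip, names in hosts_hijack_lines(SAMPLE_HOSTS):
        print("hosts hijack:", ip, *names)
```

Run it against your own DllCompare log and a `regedit /e` export of the Notify key; the date cut-off is the only tuning knob, and a DLL that passes the attribute and date test but has a plausible vendor name still deserves a look before it goes into Killbox.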
