HOWTO: How to remove VX2 spyware (the latest and worst versions)



Hi,

A friend of mine got infected with a variant of VX2 spyware because
some idiot administrator at their work ordered that they don't install
SP2 or any other updates.

This particular flavor of VX2 that he got is extremely difficult to
remove. NONE of the anti-spyware programs could remove it on their own.
AdAware WITH the VX2 Cleaner plug-in also said that it's a new variant
that it can't do anything about.

After about 3 hours of analysis, I found a way to remove it. It's
pretty difficult for a normal user.

1. Clean all spyware that normal tools like AdAware and Search&Destroy
can clean.

2. Download "HijackThis", run it and click "Do a system scan only"

3. Under "Winlogon Notify" in the list that HijackThis produces, you
will find a DLL file in windows\system32 with a random name, such as
t85r03194w.dll. WRITE IT DOWN. Close HijackThis.

4. Open regedit. Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved

5. On the right hand side, look for an item that has something in the
"Name" column but NO DATA on the right (in the "Data" column). There's
normally only one shell extension like that, for VX2. Click that item,
press F2, Ctrl+C, Esc (to copy the GUID).

6. Go to My Computer in regedit, and press Ctrl+F, Ctrl+C, Enter (to
find this GUID). When regedit finds the key, expand it, and under
InProcServer32 you will see, on the right hand side, the "(Default)"
key that will contain a file name such as
C:\WINDOWS\SYSTEM32\askjhas.dll. WRITE IT DOWN AS WELL.

7. Get an XP installation CD ready.

8. THE FOLLOWING IS THE MOST IMPORTANT STEP.

9. SWITCH OFF THE COMPUTER FROM THE MAINS. DO *NOT* SHUT DOWN THE
COMPUTER - SWITCH IT OFF AT THE POWER PLUG. This is to prevent VX2
renaming the DLL files, which it ALWAYS does on shutdown. Do **NOT** use
the Power Off button on your computer - pull the CABLE out of the wall
socket.

10. Power on the computer, and immediately insert the XP installation
CD. Make sure the computer boots from the CD. If the computer starts
booting from the hard disk, SWITCH IT OFF FROM THE MAINS STRAIGHT AWAY
and repeat step 10. If you fail here, you'll have to start from the
beginning.

11. Once XP setup starts, choose R (for Recovery console).

12. Choose 1 as the Windows installation.

13. Type in the administrator password for your computer.

14. Type in "CD WINDOWS\SYSTEM32" and press Enter.

15. Type in "ren X1.DLL SHIT1.TXT". x1.dll is the name of the file you
wrote down the *first* time (step 3).

16. Type in "ren X2.DLL SHIT2.TXT". x2.dll is the name of the file you
wrote down the *second* time (step 6).

17. Type EXIT and reboot your computer normally.
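Steps 3 to 6 above are a manual registry audit, and they are the part that
is easy to get wrong by hand. The following is an added example, not part
of the original post, that does the same three lookups read-only from
Windows PowerShell run as administrator: it lists every Winlogon Notify
DLL, picks out Shell Extensions\Approved entries whose GUID has empty data,
resolves each such GUID to its InProcServer32 DLL, and checks whether each
DLL carries a valid Authenticode signature. It assumes the standard
System32 location for bare DLL names and only searches the HKLM and HKCU
CLSID hives (the post searches the whole registry with Ctrl+F); on Vista
and later the Winlogon Notify key no longer exists, so that part simply
returns nothing. It changes nothing on the machine; the renames stay in
the Recovery Console as the post describes.

```powershell
# Added example, not from the original post: read-only audit of the registry
# locations walked through by hand in steps 3-6. Run in an elevated
# Windows PowerShell. Nothing is modified.

$notifyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
# Assumption: the GUID is registered under one of these two CLSID hives.
$clsidRoots  = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')

function Get-WinlogonNotifyDlls {
    # Step 3: each Winlogon Notify package names its DLL in a "DLLName" value.
    if (-not (Test-Path $notifyKey)) { return @() }
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DLLName
        if ($dll) {
            # Bare file names are loaded from System32; resolve to a full path.
            $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                    else { Join-Path $env:SystemRoot "System32\$dll" }
            [pscustomobject]@{ Source = 'WinlogonNotify'; Key = $_.PSChildName; Path = $path }
        }
    }
}

function Get-UnnamedApprovedExtensions {
    # Step 5: legitimate entries carry a description in the Data column;
    # a GUID value with empty data is the tell the post describes.
    if (-not (Test-Path $approvedKey)) { return @() }
    $item = Get-Item $approvedKey
    foreach ($name in $item.GetValueNames()) {
        if ($name -match '^\{[0-9A-Fa-f-]{36}\}$' -and
            [string]::IsNullOrEmpty([string]$item.GetValue($name))) {
            $name
        }
    }
}

function Resolve-ClsidServer {
    param([string]$Guid)
    # Step 6: the GUID's InProcServer32 default value names the DLL Explorer loads.
    foreach ($root in $clsidRoots) {
        $k = Join-Path $root "$Guid\InProcServer32"
        if (Test-Path $k) {
            $path = (Get-Item $k).GetValue('')
            if ($path) {
                return [pscustomobject]@{
                    Source = 'ShellExtension'
                    Key    = $Guid
                    Path   = [Environment]::ExpandEnvironmentVariables($path)
                }
            }
        }
    }
}

$findings = @()
$findings += Get-WinlogonNotifyDlls
foreach ($g in Get-UnnamedApprovedExtensions) {
    $r = Resolve-ClsidServer -Guid $g
    if ($r) { $findings += $r }
}

# An unsigned DLL with a random-looking name in System32 is what steps 3 and 6
# tell you to write down. Signed Microsoft binaries here are expected and benign.
$report = foreach ($f in $findings) {
    $sig = if (Test-Path $f.Path) { (Get-AuthenticodeSignature $f.Path).Status } else { 'FileMissing' }
    $f | Add-Member -NotePropertyName Signature -NotePropertyValue $sig -PassThru
}
$report | Format-Table -AutoSize
```

Write down the Path of every row whose Signature is not Valid; those are
the two file names the Recovery Console steps then rename. Running this
before step 9 also gives you a record to compare against after the reboot,
since the post notes the DLLs get renamed on a normal shutdown.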

This worked beautifully for me.

In conclusion, whoever wrote this VX2 spyware should be imprisoned for
a very, very long time and his computer burned at the stake.
