Re: HOWTO: How to remove VX2 spyware (the latest and worst versions)
- From: "Winux P" <winuxp@xxxxxxxxxx>
- Date: Wed, 14 Dec 2005 09:47:53 +1100
Dude,
Thanks dude, keep in mind though there are lots of machines out there with
Windows98, ME, 2000, XP that have and have not been updated, patched with
service packs and still don't get virus or spyware infected. It's not
because some idiot administrator ordered SP2 doesn't get installed, but most
probably some idiot administrator (or user) got themselves infected.
As long as you're running a good AV, firewall and Spyware protector\cleanser
that's always kept updated, and you don't click the "Click OK button to be
eligible for $US 400,000.00..." button on some websites, and other such
things, you should be OK.
Such things are not attributable to the lack of SP2 on WinXP.
- Winux P
"dude" <deepdark@xxxxxxxxx> wrote in message
news:1134513325.587288.264190@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: Hi,
:
: A friend of mine got infected with a variant of VX2 spyware because
: some idiot administrator at their work ordered that they don't install
: SP2 or any other updates.
:
: This particular flavor of VX2 that he got is extremely difficult to
: remove. NONE of the anti-spyware programs could remove it on their own.
: AdAware WITH the VX2 Cleaner plug-in also said that it's a new variant
: that it can't do anything about.
:
: After about 3 hours of analysis, I found a way to remove it. It's
: pretty difficult for a normal user.
:
: 1. Clean all spyware that normal tools like AdAware and Search&Destroy
: can clean.
:
: 2. Download "HijackThis", run it and click "Do a system scan only"
:
: 3. Under "Winlogon Notify" in the list that HijackThis produces, you
: will find a DLL file in windows\system32 with a random name, such as
: t85r03194w.dll. WRITE IT DOWN. Close HijackThis.
:
: 4. Open regedit. Go to
: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell
: Extensions\Approved
:
: 5. On the right hand side, look for an item that has something in the
: "Name" column but NO DATA on the right (in the "Data" column). There's
: normally only one shell extension like that, for VX2. Click that item,
: press F2, Ctrl+C, Esc (to copy the GUID).
:
: 6. Go to My Computer in regedit, and press Ctrl+F, Ctrl+C, Enter (to
: find this GUID). When regedit finds the key, expand it, and under
: InProcServer32 you will see, on the right hand side, the "(Default)"
: key that will contain a file name such as
: C:\WINDOWS\SYSTEM32\askjhas.dll. WRITE IT DOWN AS WELL.
:
: 7. Get an XP installation CD ready.
:
: 8. THE FOLLOWING IS THE MOST IMPORTANT STEP.
:
: 9. SWITCH OFF THE COMPUTER FROM THE MAINS. DO *NOT* SHUT DOWN THE
: COMPUTER - SWITCH IT OFF FROM THE POWER PLUG. This is to prevent VX2
: renaming the DLL files, which it ALWAYS does. Do **NOT** use the Power
: Off button on your computer - plug off the CABLE that's in the wall
: socket.
:
: 10. Power on the computer, and immediately insert the XP installation
: CD. Make sure the computer boots from the CD. If the computer starts
: booting from the hard disk, SWITCH IT OFF FROM THE MAINS STRAIGHT AWAY
: and repeat the step 10 again. If you fail here, you'll have to start
: from the beginning.
:
: 11. Once XP setup starts, choose R (for Recovery console).
:
: 12. Choose 1 as the Windows installation.
:
: 13. Type in the administrator password for your computer.
:
: 14. Type in "CD WINDOWS\SYSTEM32" and press Enter
:
: 15. Type in "ren X1.DLL SHIT1.TXT". x1.dll is the name of the file you
: wrote down the first time.
:
: 16. Type in "ren X2.DLL SHIT2.TXT". x2.dll is the name of the file you
: wrote down the *second* time (step 6).
:
: 17. Type EXIT and reboot your computer normally.
:
: This worked beautifully for me.
:
: In conclusion, whoever wrote this VX2 spyware should be imprisoned for
: a very, very long time and his computer burned at stake.
:
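Added example, not part of either post: a read-only Python sketch of the lookups in steps 3, 5 and 6, run over a registry export instead of clicking through regedit. It assumes an export saved in the REGEDIT4 text format and that the CLSID key appears under HKEY_CLASSES_ROOT; the sample data, GUIDs, DLL names and function names are constructed for illustration.

```python
import re

# Constructed sample in regedit's REGEDIT4 text export format (not from a real machine).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\KnownGood]
"DllName"="knowngood.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Example1]
"DllName"="C:\\WINDOWS\\system32\\x1example.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00000000-0000-0000-0000-0000000000A1}"="Constructed Legit Extension"
"{00000000-0000-0000-0000-0000000000B2}"=""
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM32\\x2example.dll"
'''
HKLM = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\"
NOTIFY = HKLM + "WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\"
APPROVED = HKLM + "WINDOWS\\CURRENTVERSION\\SHELL EXTENSIONS\\APPROVED"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Map upper-cased key path -> {upper-cased value name: string data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name.upper()] = unescape(m.group(2))
    return keys

def notify_dlls(keys):
    """Every DLL registered under Winlogon Notify (the list reviewed in step 3)."""
    return sorted(v["DLLNAME"] for k, v in keys.items()
                  if k.startswith(NOTIFY) and "DLLNAME" in v)

def empty_approved_dlls(keys):
    """Approved entries with no data (step 5), resolved to their DLL (step 6)."""
    found = {}
    for guid, data in keys.get(APPROVED, {}).items():
        if data == "":
            server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + guid + "\\INPROCSERVER32", {})
            found[guid] = server.get("")  # None when the CLSID key is absent
    return found

if __name__ == "__main__":
    k = parse_reg(SAMPLE_REG)
    print(notify_dlls(k), empty_approved_dlls(k))
```

The script only reports candidates; which Notify DLL is the unexpected one still has to be judged by comparison with a known-clean machine.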