Computing.Net > Forums > Security and Virus > vx2 hijacker (unremovable version!?


vx2 hijacker (unremovable version!?

Original Message
Name: Daggoth
Date: December 25, 2004 at 06:13:19 Pacific
Subject: vx2 hijacker (unremovable version!?
OS: Windows XP
CPU/Ram: 866/256
Comment:

For a few weeks my system has been infected by vx2 look2me and I wasn't able to remove it. When I'm not online the system always wants to connect to 'www.ad-w-a-r-e.com' and when I'm online I get annoying advertisement pop-ups.

Spybot only finds these entries (HJT log), deletes them, but they keep coming back:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

The vx2 remover tool for ad-aware tells me my system is clean.

The official look2me uninstaller tells me that there is no look2me installed.

These instructions http://www.pchell.com/support/look2me.shtml also do not help, they seem to be for a different version of look2me.

vx2finder doesn't find any infections either.

Replacing the files with killbox doesn't help either.

The newest version of ad-aware finally finds the vx2 *.dll files in windows/system32 and deletes them after a reboot, but they keep coming back with different names (even when I run ad-aware in safe mode)!!
Explorer also crashes while running ad-aware scan. The vx2 files found look for example like this:
G:\WINDOWS\system32\enr8l19u1.dll
G:\WINDOWS\system32\guard.tmp
G:\WINDOWS\system32\ii50_32.dll

Any ideas what else I can try to do? Thanks...
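A quick way to confirm the kind of hosts-file hijack shown in the O1 lines above is to list every entry that does not point at loopback, since a clean Windows hosts file contains nothing else. This is an added example, not code from the thread; the sample lines are constructed to mirror the post, and the live-file call at the end is optional.

```powershell
# Flag hosts entries that map a name to anything other than a loopback address.
function Find-HostsHijacks {
    param(
        [string[]]$Lines,
        # Addresses a default Windows hosts file is expected to use
        [string[]]$Allowed = @('127.0.0.1', '::1')
    )
    foreach ($line in $Lines) {
        $entry = ($line -split '#')[0].Trim()   # drop comments
        if (-not $entry) { continue }           # skip blank lines
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }   # malformed line, no hostname
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        if ($Allowed -notcontains $ip) {
            foreach ($n in $names) {
                [pscustomobject]@{ Address = $ip; Name = $n; Line = $line }
            }
        }
    }
}

# Constructed sample mirroring the HJT O1 lines quoted in the post
$sample = @'
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
'@ -split "`r?`n"

Find-HostsHijacks -Lines $sample | Format-Table -AutoSize

# Against the real file (the path is the standard Windows location):
# Find-HostsHijacks -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

If the entries reappear after you clear them, the process that rewrites the file is still running, which is what the rest of this thread is about.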




Response Number 1
Name: Abnormal
Date: December 25, 2004 at 09:32:52 Pacific

Some instructions to start with.

http://www.lavasoftsupport.com/index.php?showtopic=54511

Others with your problem can be found
in this link ASAP.

Look around for the vx2 posts, that will
give you an idea of what you're up against.
You may want to post a log in the less crowded forums.

Good luck




Response Number 2
Name: Mushroom
Date: January 2, 2005 at 13:36:12 Pacific

Daggoth: Good luck, I'm fighting that myself. You may discover as you follow Abnormal's suggestions that *no working solution has been found* -- I've found five posts on message boards asking about recurring VX2 where after the person has tried AdAware, its VX2 plugin ("clean!"), Spybot, etc. they still have random-named DLLs and a totally redirected 'hosts'.

BTW, the redirects are from CoolWWW, which was introduced by VX2. CWShredder will clean 'hosts' temporarily, but the source remains. We need a REAL solution!!

Say something cryptic, then leave snickering.



Response Number 3
Name: Mushroom
Date: January 3, 2005 at 19:32:52 Pacific

Daggoth: I think I finally found a solution. After much messing around with the usual spyware removal tools that didn't do enough and setting up McAfee Firewall to keep the bad stuff from getting in or out (containment kept things from growing back), I used Pocket Killbox to get rid of the offending DLLs from memory.

Hint: open up an Explorer window, navigate to c:\windows\system32 and select View - By Date so you can see if anything was created today. Don't close the window if you reboot, that way you'll see immediately if anything new crops up. Also, delete all HOSTS files and make sure they don't regenerate the list of hijack paths.

I did one thing I'm sure is not recommended: after using Killbox to remove a wicked DLL, I hit the Reset button on my computer. The thinking was to keep the Shutdown sequence from regenerating any dropper in the RAM. When the computer came back up, I did another look at System32 and Killbox cleanup (2 DLLs found, 1 was listed as unremovable but it apparently was gone already), reboot, and nothing has come back in 24 hours.

Best of luck.

Say something cryptic, then leave snickering.



Response Number 4
Name: xiaolong2004
Date: January 4, 2005 at 11:40:52 Pacific

What I did was to disable the system's access to the dll files so that they cannot be run and duplicated.

This is the procedure:

1. locating the dll file(s) in Explorer as Mushroom suggested;

2. right-click a bad dll file and choose properties;

3. click the Security tab and select SYSTEM under "Group or user names";

4. Deny the system access to the file by checking Full Control under the Deny column and apply;

5. reboot the system (Because the system cannot access the dll files, it cannot start and duplicate them.)

6. locate the dll files, change the access right back to normal and delete them.
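The same procedure can be scripted, which also makes the restore step in 6 harder to forget. This is an added example, not the poster's own method: it assumes a PowerShell-capable Windows with an elevated session (the poster used the XP Explorer GUI), and the file name is the one quoted in the original post, used here as a placeholder.

```powershell
# Deny ACE for the SYSTEM account, the rule step 4 sets through the GUI.
$denyRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'NT AUTHORITY\SYSTEM', 'FullControl', 'Deny'

# Step 1: files that appeared in System32 recently (Mushroom's "View - By Date").
function Get-RecentSystem32File {
    param([int]$Days = 1)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path "$env:SystemRoot\System32" -File |
        Where-Object { $_.CreationTime -gt $cutoff } |
        Sort-Object CreationTime -Descending |
        Select-Object Name, CreationTime, Length
}

# Step 4: deny SYSTEM full control so the DLL cannot be loaded after reboot.
function Block-SystemAccess {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($denyRule)
    Set-Acl -Path $Path -AclObject $acl
}

# Check that the deny entry is actually in place before rebooting.
function Test-SystemDenied {
    param([Parameter(Mandatory)][string]$Path)
    $hit = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Deny'
    }
    return [bool]$hit
}

# Step 6: remove the deny entry again, then delete the now-inert file.
function Unblock-AndRemove {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    [void]$acl.RemoveAccessRule($denyRule)
    Set-Acl -Path $Path -AclObject $acl
    Remove-Item -Path $Path -Force
}

# Usage (path is the example name from the post; substitute the real file):
# Get-RecentSystem32File
# Block-SystemAccess -Path 'G:\WINDOWS\system32\enr8l19u1.dll'
# Test-SystemDenied  -Path 'G:\WINDOWS\system32\enr8l19u1.dll'   # True, then reboot
# Unblock-AndRemove  -Path 'G:\WINDOWS\system32\enr8l19u1.dll'
```

Run Get-RecentSystem32File again after the reboot: if no new file shows up, the respawn loop is broken and step 6 is safe to run.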



Response Number 5
Name: stg
Date: January 18, 2005 at 15:50:45 Pacific

i did what xiaolong wrote and it worked perfectly. there is still garbage in the registry/file section but VX2 is inoperative. when the spyware removal programs will update they will clean the rest. good job xiaolong! woohoo, now i can sleep peacefully :)

