How to Remove VX2/f Spyware....

[Krazy Hawaiian]

There's another pain in the a** spyware out and about called VX2/f there are several variants of it and the latest /f variant cannot be removed with Adaware or SpyBot.

I got the new VX2/f version from h**p://www.rage3d.com/ looking for drivers for my ATI vid card. Before it loaded Rage 3D there was a redirect and I wasn't watching and suddenly I was on a blank page and the status bar said downloading from site then I saw the address had changed and as I closed the window all hell broke loose.

This new version has a hidden .dll file that is seperate from the main program that now not only reinstalls itself after it's deleted but it also downloads tons of other crap the instant it senses a connection to the internet.

In my case I removed it, reboted like Adaware 6 Pro asked so it could run before anything loaded and remove the remaining files and when windows was up and running with in 45 seconds it had killed the Google Popup stopper and opened close to 30 - 50 windows. I couldn't close them as fast as they were opening! Cntrl + Alt + Del and killed explorer in the task manager was only a momentairy stop. They imeaditly began opening like crazy again.

I finally disconnected the ethernet cable from the router, closed the windows ran Adaware and SpyBot and in that wild frenzy it collected 6+Mbs of crap!
It apears to be a group effort from VX2, Powerscan, Ezula (theres no way in hell I'd let that in knowingly) BroadcastPC, Bookspace, SideSearch, BargainBuddy, WebBargains, Downloadware, SideFind, Sahware, 180Solutions, TopMoxie, IPInsite, ISTBar, Virtumundo, NetworkEssentials and about 20 toolbars and other shit...

Check the picture of Adaware after scanning, SpyBot found another 200+ entries after I ran Adaware!

*****************************************************************************

How to Remove this POS Crap.....

This information is from Tom Coyote's Forum on Spyware (one of the best, but little known spyware info sites) right now there the only site with any info on removing this POS.

Both the Adaware and SpyBot Forume were asking for users to send them any info or working methods to remove it!

Follow the instructions below and use the tool in the zip file (HiJackThis Ver 1.98.2) to locate the files listed below.

DO NOT CLICK ANY OF THE LINKS BELOW! Only Click the Link for HiJackThis Ver 1.98.2! It's at the very bottom.

Run Hijack This! and fix these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [aktgiicgnhdkc] C:\WINNT\system32\qphuto.exe

O4 - HKLM\..\Run: [zjhqwiwxncpty] C:\WINNT\system32\qphuto.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab


Reboot in "safe" mode. Press F8 during the beggining of the boot sequence to get a menu of options for starting windows. Select safe mode.

Find and delete:

c:\winnt\mxtarget.dll <--- file

c:\winnt\systb.dll <--- file

c:\winnt\system32\qphuto.exe <--- file

c:\winnt\wupdt.exe <--- file


After doing that you should be rid of the POS. ARUGH what a pain in the ass. Not as bad as CoolWebSearch was but still no fun. Good Luck!
Aloha, KH

[MotoTiller]

Why not just use Mozilla Firefox instead of IE?

[xXx]

You know, You can also (if using XP Home, Or Pro) goto: Start, Programs, Accessories, System Tools, *System Restore*. It will then restore back 1 day - a few months in time. I have used this twice after getting attacked with those damn adwares/popups, etc, etc, etc ARGH! So, I restored to the day or two before I got hit with the attack, and it got rid of all of it! I also scanned with other things suchas, Anti virus, and adware removers and cleaned up anything that might have been left behind, but indeedly enough the system restore brought my PC right back to how it was minutes before all hell broke loose. Goodluck to those who have this happen and if your on XP try this method works great!

[Krazy Hawaiian]

I won't use Firefox because you still HAVE to have IE to get winhoes updates..... Microslop won't take anything else kind of a double edged sword thing. With all the holes in windows you'd be alot better off updating it, and IE can be setup to do exactly what FF does, mine uasually is, except I had to turn Active X on to update the XP Corprate Ed. I have and forgot to tuen it off DOH !

I dont bother with sys restore for 2 reasons, 1 it's a resource hog (and my comp is old n slow (Athalon 2000 512 ram with it on the new games play like crap) I got this thing for free except for the drive - $49 comp USA special Plus you learn more fixing it yourself.....

2 Sys Restore eats up a bunch of disk space, I only have a little bit of free space (maybe 5-6 gigs total of 80 gigs total, too many movies and no DVD burner ) System Restore can easily gobble several gigs of space. I'd rather keep Faster, One Man's Island and a bunch other new movies than have winhoes hogging it, especially since I don't have cable tv, just RoadRunner.

It's bad enough as it is the way it keeps copies of every dam thing installed and downloaded in its hidden folders...

[Krazy Hawaiian]

Thinking about sys restore I don't know if it would work or not with this thing, remember it has a "hidden" .dll that unless it's wiped off the disk it's going to repeat it's same old thing on it..... you have to get rid ot the .dll or it will just come right back.

At least this one doesn't rename and move itself to a new folder everytime the parent is deleted like CoolWebSearch does.. That is one of the hardest to get rid of things I ever ran across.

[MotoTiller]

Didn't know about still having to use IE for updates, mine just auto updated to service pack 2 today through firefox -I didn't see any sign of IE being used at all

[Krazy Hawaiian]

Hmmm, that isn't what is says here.....

http://news.zdnet.com/2100-9588_22-5388755.html

also mentions something about a fix for 10 security flaws.... http://news.zdnet.com/2100-3513_22-5368397.html

More on the flaws from a security site.. http://secunia.com/advisories/12526


and a few more from the US Government computer emergency readiness team at Homeland Security.

US-CERT VU#651928:
http://www.kb.cert.org/vuls/id/651928

US-CERT VU#847200:
http://www.kb.cert.org/vuls/id/847200

US-CERT VU#460528:
http://www.kb.cert.org/vuls/id/460528

US-CERT VU#808216:
http://www.kb.cert.org/vuls/id/808216

US-CERT VU#113192:
http://www.kb.cert.org/vuls/id/113192

US-CERT VU#327560:
http://www.kb.cert.org/vuls/id/327560

US-CERT VU#125776:
http://www.kb.cert.org/vuls/id/125776

US-CERT VU#414240:
http://www.kb.cert.org/vuls/id/414240

US-CERT VU#653160:
http://www.kb.cert.org/vuls/id/653160

IE doesn't look all that bad I guess...


there is no perfect software.

[no_morelipfrom_you]

I use firefox for everything and only open IE when I need to use technet or download some windows updates. Its worth it.

[firefighter81]

This is sorta on topic, I finally downloaded Ad-Aware, never really found the use for it, but anyways, it's been searching through all my files and so far it's found "327 New Critical Objects" guess I should have downloaded this a while ago!