Re: VX2 - My Victory!
From: boaz (nospam_at_yahoo.com)
Date: 08/30/05
- Next message: boaz: "Re: VX2?"
- Previous message: Roger Fink: "Re: Protected folders"
- In reply to: Bigbruva: "Re: VX2 - My Victory!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Aug 2005 10:11:10 -0700
I've tried the new VX2. It says something like it "found a new variant
of VX2" but it "failed to clean".
"Bigbruva" <Richardh@dontusethis.ws> wrote in message
news:%23xKQijXrFHA.332@tk2msftngp13.phx.gbl...
> First off congratulations on removing this nasty little application. :-)
>
> However I am interested as to why the VX2 Cleaner did not work for you.
> Could you confirm the exact version of VX2 that Ad-Aware or MWAS reported
> to you?
>
> Thanks
>
> BB
>
>
> "bz" <nospam@yahoo.com> wrote in message
> news:OgHQX3SrFHA.2540@TK2MSFTNGP09.phx.gbl...
>> Hi,
>>
>> A couple of posts below, I was having a problem with an unknown VX2 spyware. I
>> have tried everything but nothing works.
>> After a couple of hours of intense fighting, I finally got rid of this stupid
>> crap!
>>
>> First of all, nothing will work. So, don't waste your time running any
>> of the spyware scanners in Safe Mode or whatever.
>>
>> This is how this VX2 crap works:
>>
>> 1)
>> It adds a registry entry in this key:
>> ...Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings
>>
>> By looking at this key, it seems to me that every time you log on or
>> log off, it will call a DLL. And you can't delete that file with any of
>> the scanners because it is IN USE. (Thanks XP!!!)
>>
>> Of course, by my Vulcan logic, this DLL must be the source of the
>> spyware. It must be the one doing the recreation of the same file.
>>
>> Since every time you delete this file, it somehow recreates another one in
>> the System32 folder, logic dictates that the running DLL must be copying
>> a hidden file hiding somewhere. Since it is hidden, there is no point
>> hunting it down. Even if you hunt it down, the running process will probably
>> recreate another one somewhere.
>>
>> 2)
>> Now this is another interesting piece of Vulcan logic. If it copies another file
>> to a new file, the file sizes of both files must be the same.
>>
>> Doing a DIR /S (and ATTRIB) will show you that there are a whole bunch of
>> hidden files with different file names but with the exact same file
>> size. The file size is 417792.
>>
>> By looking at these files for a couple of hours, there is a pattern. The file
>> names are not random. It looks at the files before and after it, and
>> then it creates the file name from the two files.
>>
>> For example if you have these two files:
>> Expand.DLL
>> Explorer.DLL
>> It will add a file, Expbnf.DLL, right in between these two files. This
>> makes the file look legit. The most interesting thing is that all the
>> files are DLLs except one. There is one file called GUARD.TMP. This must
>> be the initial infestation!!!!
>>
>> 3)
>> I have tried, but after a couple of hours I finally realized that there is no
>> way to delete all these files by hand. There are hundreds of these,
>> depending on how many times you logged in and out over the past... huh...
>> since you got this spyware! SO DON'T BOTHER TO DELETE THE FILES.
>>
>> 4)
>> So, I fired up Norton Antivirus to see what happens. Lucky me! Norton
>> reports that there are TWO files among these hundreds of files that it is
>> not able to scan because these two files are IN USE. Ah-HAAA!!!!
>> Bullseye!
>>
>> 5)
>> War is almost over!!!
>> I searched the registry for these two files. Deleted a couple of registry
>> keys. I DID NOT RESTART THE COMPUTER. DO NOT RESTART THE COMPUTER.
>> Remember there is something hooked to the login/logout thing. I PULLED THE
>> POWER CORD instead.
>>
>> 6)
>> I restarted my computer with the XP CD. Got into the Recovery Console.
>> And then deleted the two specific files.
>>
>> 7)
>> After I rebooted, somehow the registry comes back. BUT Ad-Aware does not
>> find any VX2. YES!!! There must be something else that is writing the
>> registry back. Now this is another piece of Vulcan logic. If the two active
>> files have already been removed, there must be another, third file
>> responsible for writing the registry back.
>>
>> 8)
>> War is over!
>> I ran the Task Manager to see if there is any strange-looking running
>> process. Ah HAA! There is one called POLETMGR.EXE. Every time I try to
>> end this process, it pops right back in. I figured out that I can safely
>> remove this file because when I end this process, it restarts itself
>> with the same POLETMGR name, not something random. Interestingly, I
>> don't find any reference to it in the registry. I guess this guy is just a
>> one-time thing.
>>
>> 9)
>> I rebooted from the XP CD and into the Recovery Console. Deleted this
>> POLE-something file.
>>
>> 10)
>> Victory!!!
>> Run Ad-Aware and M$ Antispyware to clean out whatever is left.
>>
>> 11)
>> Yes! Done!!! Nada spyware!!! No strange process running!!!
>>
>>
>> Hope this helps!!!
>>
>> P.S. I still have hundreds of those DLLs sitting on my hard disk. Not one
>> single antivirus or spyware scanner can recognize them. So, if you want
>> some, drop me a mail. ;)
>>
>>
>>
>>
>>
>
>
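The two indicators the quoted post relies on, a Winlogon\Notify subkey that loads a DLL at every logon and logoff, and a pile of hidden files in System32 that all share one file size, can be enumerated without the hours of manual DIR and ATTRIB work described above. The script below is an added example for defenders triaging a similar infection; it is not from the thread or from any of the tools mentioned in it. The Notify key path, the System32 location and the size 417792 come from the post; the cluster threshold, the parameter names and the output layout are assumptions. It only lists and hashes, it deletes nothing.

```powershell
# Added example, not from the thread. Read-only triage: lists and hashes, never deletes.
# Assumed: $MinCluster threshold, variable names and output format are mine;
# the Notify key, System32 and the size 417792 are the values from the post.
param(
    [string]$Dir = "$env:SystemRoot\System32",
    [int]$MinCluster = 3,        # assumed: this many same-size hidden files is worth a look
    [long]$KnownSize = 417792    # size reported in the post; 0 disables the highlight
)

# 1) Winlogon\Notify: each subkey names a DLL that winlogon loads on logon/logoff,
#    which is why the file is always in use and cannot be deleted from a live session.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll  = (Get-ItemProperty -Path $_.PSPath).DllName
        $full = if ($dll -and [IO.Path]::IsPathRooted($dll)) { $dll }
                elseif ($dll) { Join-Path -Path $Dir -ChildPath $dll }
                else { $null }
        $onDisk = [bool]($full -and (Test-Path -LiteralPath $full))
        [pscustomobject]@{
            Subkey  = $_.PSChildName
            DllName = $dll
            OnDisk  = $onDisk
            # an unsigned or missing Notify DLL is the first thing to look at
            Signed  = $(if ($onDisk) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'n/a' })
        }
    } | Format-Table -AutoSize
}

# 2) Hidden files grouped by identical size: the same information DIR /S plus ATTRIB
#    gives, but bucketed so copies of one payload land together.
$clusters = Get-ChildItem -Path $Dir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    Group-Object -Property Length |
    Where-Object { $_.Count -ge $MinCluster -or ($KnownSize -ne 0 -and [long]$_.Name -eq $KnownSize) }

foreach ($c in $clusters) {
    Write-Output ("{0} hidden file(s) of size {1} bytes" -f $c.Count, $c.Name)
    # 3) Hash the members: byte-identical copies share one SHA256, so a cluster that
    #    collapses to a single hash under many different names is generated, not legit.
    $c.Group | Get-FileHash -Algorithm SHA256 | Group-Object -Property Hash | ForEach-Object {
        Write-Output ("  {0} file(s) with SHA256 {1}" -f $_.Count, $_.Name)
        $_.Group | ForEach-Object { Write-Output ("    " + (Split-Path -Path $_.Path -Leaf)) }
    }
}
```

Run it from an elevated PowerShell prompt; reading HKLM and System32 needs no more than that. On the machine described in the post the second section would have reported one bucket of size 417792 collapsing to one or two hashes, which is the evidence to preserve (copy a sample and the Notify key export) before any cleanup, and it is also what to feed to whatever scanner is in use, since the post notes the files were not recognized by signature.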