New VX2
There's a new version of the VX2 malware/spyware/adware program that's a royal hell to remove. AdAware's special VX2 remover tool can't even detect it (though an AdAware scan will identify 3 VX2 files after each reboot and won't be able to remove one of them, and the "remove on reboot" feature never happens because VX2 immediately removes it).

Other scumware removers are equally helpless.

Debug mode is disabled and any changes to the registry cause an immediate VX2 reinstall. It has multiple watchers to repair any damage and the randomly named .dll files can't be seen by Windows or the Task Manager. If you reboot on the CD and go to Maintenance Mode, you find none of the files identified by AdAware are there. If you pull the plug in hopes they won't be removed or changed - still not there.

Oh, yes, it also modifies the recycle bin so files it puts in there don't show and the bin looks empty, and of course it modifies the hosts file too.

You need three tools some guy named Option^Explicit wrote: dllcompare.exe, killbox.exe and VX2Finder, and it's still largely a hand job including editing the registry and removing a Notify key, which will be randomly named and points to a randomly named file.


Cool - I'm going to charge extra for this one!
[link|http://www.aaxnet.com|AAx]
Edited by Andrew Grygus Jan. 7, 2005, 03:25:28 AM EST
New Did you try the new free MS antispyware tool?
Just curious to see if anyone has used it yet

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://wxxe.org|Tune In]
New Wanna bet...
That it works?

Or that it doesn't work either?

My gut (and boy oh boy what a gut it is) tells me when one happens, the other will soon follow in a form of a "mandatory update" to the OS.

This is gonna get WAY MORE UGLY before it gets better. And not due to the "current" spy/adware writers, nor the competing scumware cleaners.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"]
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
New Doubtful that it works.
First of all, they'd need someone else to copy wouldn't they? None of the others work.

Second, the ownership and distribution of this thing has been tracked in detail. VX2 is currently being developed by a marketing company in New York with 100 employees and backed by millions in venture capital from well known technology venture capital firms.

The distribution of the current version has been tracked through a number of servers that hand off to each other, including one in Russia (just a relay) and ends up in Canada under the ownership of a couple of Canadians well known for Internet scum.

No, Microsoft's anti-spyware is a move of desperation. By some counts they've already lost 30% of the browser market to FireFox. The main reason is spyware/adware/malware. With the failure of Passport and now this, their plans to own the Internet are crumbling. They have to stop the browser erosion or they won't get the chance to try again.
[link|http://www.aaxnet.com|AAx]
Edited by Andrew Grygus Jan. 7, 2005, 11:12:59 AM EST
New Re: Wanna bet...
I'm not really a gambling man which is why most of the computers here that were infected w/ spyware now have IE disabled

I may get around to testing the MS tool anyway

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://wxxe.org|Tune In]
New ICLRPD (new thread)
Created as new thread #189303 titled [link|/forums/render/content/show?contentid=189303|ICLRPD]
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
New Well, I can't say . . .
. . I wasn't aware of the possibility of that interpretation.
[link|http://www.aaxnet.com|AAx]
New Did you try this set of instructions?
[link|http://help.lockergnome.com/index.php?act=ST&f=65&t=29689|Lockergnome]. It seems that a combination of booting in Safe Mode and examining logs from [link|http://www.tomcoyote.org/hjt/|Hijack This] permits VX2 to be removed.

I haven't tried it myself, and hope I don't need to...

Cheers,
Scott.
New That's for older versions
The current version leaves no trace in HijackThis, AdAware or anything else, and it's fully running in Safe Mode and even Safe Mode Command Prompt so it can't be removed, and the files you find with an AdAware scan don't really exist or can't be seen by Windows.

I tried yanking the plug so there would be no chance of clean-up and then went into Windows\System32 from a recovery boot from CD and none of the listed files was there. Only DLLCompare can find the VX2 .dlls and does so by comparing its own list with what Windows sees. Anything Windows can't see is suspect.

Oh, and incidentally, it updates itself to the latest version every few weeks to keep ahead of the scumware removers.
[link|http://www.aaxnet.com|AAx]
Edited by Andrew Grygus Jan. 7, 2005, 02:57:52 AM EST
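
The cross-view check described in the post above (compare an independent file list with what Windows reports, then tie any hidden DLL back to the randomly named Notify key mentioned in the first post), as an added example that is not from the thread or from the DLLCompare author. It assumes the Notify key is the one under Winlogon; the registry export, both file listings and the clean baseline are constructed sample data.

```python
import ntpath
import re

NOTIFY = r"\Winlogon\Notify" + "\\"   # assumed location of the Notify key
# Constructed sample data: key, DLL and file names below are invented.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Qx7examplekey]
"DllName"="C:\\WINDOWS\\system32\\k4ldexample.dll"
'''
RAW_VIEW = ["crypt32.dll", "kernel32.dll", "k4ldexample.dll", "zz9example.dll"]
API_VIEW = ["crypt32.dll", "kernel32.dll"]   # what the normal listing shows
BASELINE = {"crypt32chain"}                  # lowercase subkeys from a clean machine

def parse_notify(reg_text):
    """Map each Notify subkey name to the lowercased basename of its DllName."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key.rsplit("\\", 1)[1] if NOTIFY.lower() in key.lower() else None
        elif current and (m := re.match(r'"DllName"="(.*)"$', line, re.I)):
            path = m.group(1).replace("\\\\", "\\")   # undo .reg escaping
            entries[current] = ntpath.basename(path).lower()
    return entries

def hidden_from_api(raw_view, api_view):
    """Cross-view diff: names in the independent list that the API listing lacks."""
    return {n.lower() for n in raw_view} - {n.lower() for n in api_view}

def audit(reg_text, raw_view, api_view, baseline):
    """Return (subkey, dll, reasons) for each Notify entry needing a manual look."""
    hidden = hidden_from_api(raw_view, api_view)
    findings = []
    for subkey, dll in sorted(parse_notify(reg_text).items()):
        reasons = []
        if subkey.lower() not in baseline:
            reasons.append("subkey not in clean baseline")
        if dll in hidden:
            reasons.append("DLL hidden from API listing")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings

if __name__ == "__main__":
    print(audit(REG_EXPORT, RAW_VIEW, API_VIEW, BASELINE))
```
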
New Joy. :-( Thanks for the info.