Sunday, March 05, 2006

Hitchhiker's guide to vx2.look2me

If you have no clue what the title means and you are running Windows, then you probably have it. It is one of the nastiest pieces of adware/spyware I have ever seen. I got attacked twice (I am a frequent visitor of crack sites) and had a hard time getting rid of it. Today I cleaned my roommate's PC, which had been adware-infested for months.

Before you flame me for not putting enough cladding on Windows, know that I have Norton AV with Internet Security/Firewall, an intrusion detector, a spam blocker, Windows Defender and Ad-Aware on my system... and still that nasty adware crept into my sanctum :X. Interestingly, it hooks URLs in both Firefox and IE, pops up a Flash animation at regular intervals, automatically resizes the browser window and redirects to some random site... ironically, to adware/spyware removal sites. Here is my DIY vx2.look2me removal guide (I am saving you from shelling out $40 to the Dell spyware removal support guys, or from reinstalling Windows):
  1. Get the following tools: Ad-Aware with the VX2 plugin, ewido anti-malware scanner, HijackThis, Spybot and KillBox (ordinary deletion won't stick; you will need KillBox's delete-on-reboot option)... all of them are free.
  2. Boot into safe mode and run a complete scan with both ewido and Ad-Aware. Delete all the nasties that show up. If a dialog asks to RUN DLL AS AN APP, do NOT click OK. Do all the following steps in safe mode.
  3. Now go to the add-ons section of Ad-Aware and run the VX2 removal tool. Most probably it will just say that there is a new variant... ignore that for the time being (although if it claims that your system is clean, read no further... your problem is solved).
  4. At advanced stages of mayhem the adware creates a fake, empty copy of the system32 folder under C:\Windows. Two entries in one folder can't share a name, so the decoy's name differs from the real one in some way Explorer doesn't show.
    1. Check whether it's a fake copy: double-click it and you will find nothing inside. If there are no fake copies, go to step 5.
    2. Go to Folder Options > View and untick "Hide protected operating system files". You should now see two system32 folders in C:\Windows.
    3. Open a command prompt and run the following:
      1. cd c:\windows
      2. attrib -s -h system32
      3. attrib +s system32
  5. Open HijackThis, select Scan and remove/fix anything suspicious, especially broken links and URL hooks. (Remember to get your log file analyzed online and remove everything flagged as unknown or nasty. Sometimes it flags important files as unknown, usually from some rarely used software, so don't burn your fingers.)
  6. Next run Spybot and fix/destroy anything you can.
  7. Open the file C:\WINDOWS\system32\drivers\etc\hosts in Notepad. Delete everything after the line "127.0.0.1 localhost" (unless, of course, you added it yourself).
  8. Now search your Windows installation directory (C:\Windows) for *.dll files modified in the past 24 hours (the search dialog has an option for that). Windows Update also rewrites DLLs, so check a file's vendor or signature before condemning it on timestamp and size alone.
    1. Select all the DLLs of about 230 KB.
    2. Drag and drop them into KillBox (set KillBox to delete on next boot).
    3. Drag them in one by one, pressing the delete icon (the red cross) each time... but don't reboot each time, just keep adding and deleting.
    4. Reboot your PC after adding everything to KillBox.
    5. Run the same search again and manually delete any files that show up again in C:\!killbox.
  9. Run HijackThis again and fix anything that kept reappearing after you fixed it.
  10. Reboot into normal mode and run Ad-Aware's VX2 tool. It should now say Clean.
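The checks from steps 4, 7 and 8 collected into one PowerShell triage script. This is an added example, not part of the original post and not code from Ad-Aware, HijackThis or KillBox: it assumes a Windows version with PowerShell 3.0 or later (the post's own commands were for cmd.exe on XP), that Windows lives in $env:SystemRoot, that "recent" means 24 hours, and that the suspect size band is 200-260 KB around the ~230 KB the post mentions; the output file name look2me-suspects.txt is my own choice. It only reports; deletion is still done with KillBox as the post describes.

```powershell
# Added triage script for the look2me cleanup steps above; not from the original post.
# Run it from an elevated PowerShell prompt (safe mode is fine). It only REPORTS:
# delete with KillBox or Remove-Item yourself after you have reviewed the output.
# Assumptions (mine, not the post's): Windows is in $env:SystemRoot, "recent" means
# 24 hours, and the suspect size band is 200-260 KB around the ~230 KB DLLs the post
# describes. Adjust the values below for your box.
$windir   = $env:SystemRoot
$hours    = 24
$minBytes = 200KB
$maxBytes = 260KB

# --- Step 4: look-alike system32 folders -------------------------------------
# Two entries in one directory cannot share a name, so a decoy must differ in a
# way Explorer hides (trailing whitespace, case, similar glyphs). Compare names
# after Trim()/lower-casing; -Force includes hidden and system folders.
Write-Host "== Folders under $windir that look like system32 =="
Get-ChildItem -LiteralPath $windir -Directory -Force |
    Where-Object { $_.Name.Trim().ToLowerInvariant() -eq 'system32' } |
    ForEach-Object {
        # The \\?\ prefix stops Win32 path normalization from stripping a trailing
        # space and silently listing the real system32 instead of the decoy.
        $raw     = '\\?\' + $_.FullName
        $entries = @(Get-ChildItem -LiteralPath $raw -Force -ErrorAction SilentlyContinue).Count
        $verdict = if ($entries -eq 0) { 'EMPTY - likely decoy' } else { 'populated' }
        [PSCustomObject]@{
            Path       = '[' + $_.FullName + ']'   # brackets make a trailing space visible
            NameLength = $_.Name.Length            # real folder: 8
            Attributes = $_.Attributes
            Entries    = $entries
            Verdict    = $verdict
        }
    } | Format-Table -AutoSize

# --- Step 7: hosts file ------------------------------------------------------
# Anything left after dropping comments and the default localhost lines was added
# either by you or by the adware (redirecting AV/update sites is a classic trick).
$hostsPath = Join-Path $windir 'System32\drivers\etc\hosts'
Write-Host "== Non-default entries in $hostsPath =="
Get-Content -LiteralPath $hostsPath |
    ForEach-Object { ($_ -split '#', 2)[0].Trim() } |   # strip trailing comments
    Where-Object { $_ -ne '' -and $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }

# --- Step 8: recently written DLLs in the suspect size band ------------------
# Timestamps are weak evidence (Windows Update touches DLLs too, and malware can
# reset them), so the Authenticode status is shown alongside: a file signed by a
# vendor you trust can be dropped from the list; NotSigned alone is not proof.
$since = (Get-Date).AddHours(-$hours)
Write-Host "== DLLs under $windir written since $since, $minBytes-$maxBytes bytes =="
$suspects = Get-ChildItem -LiteralPath $windir -Recurse -Filter *.dll -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -and $_.Length -ge $minBytes -and $_.Length -le $maxBytes }
$suspects |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [PSCustomObject]@{
            Path      = $_.FullName
            Bytes     = $_.Length
            Written   = $_.LastWriteTime
            Signature = $sig.Status
            Signer    = $signer
        }
    } | Format-Table -AutoSize

# Candidate list to paste into KillBox (delete on reboot) once you have reviewed it.
if ($suspects) {
    $out = Join-Path $env:USERPROFILE 'Desktop\look2me-suspects.txt'
    $suspects | ForEach-Object { $_.FullName } | Set-Content -LiteralPath $out
    Write-Host "Candidate list written to $out"
}
```

Read the output before touching anything: a system32 entry whose bracketed path shows a trailing space or whose NameLength is not 8 is the decoy; a hosts line you did not write is the adware's; and a recent DLL in the size band with a Microsoft signature is almost certainly an update, not the infection.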
If the above steps do not work, do tell me how you got rid of the malware. The first time I got infected, I monkeyed around with the registry to kill it... but I don't remember that approach.

PS: There is always the option of reinstalling the OS, or installing Linux if you are desperate enough.

5 comments:

  1. Forgot step 0: Don't run arbitrary binaries from completely unreliable and insecure websites.
    I use Windows, a very meager McAfee and Firefox, and I'm clean as a whistle :P.

  2. Sometimes it is necessary to run arbitrary binaries and get my hands dirty... the keygens/cracks do sometimes come with malware.
    Since they are indispensable for me, I need extra, pumped-up security.

  3. You need to credit me for this, and where is the Starbucks coffee?? You can have half of it if you want, but the other half is still mine :P

  4. Also, dude, don't diss Dell spyware; just 'cos I was in Dell spyware, it saved you 40 bucks :P

  5. Hmmm... well yeah, Dunkin, you helped me with the first three points and got me started.
    I will definitely treat you to 3/10 of a Starbucks coffee.
    Secondly, I never said anything about Dell spyware removal... just that they burn a hole in your pocket :P
