
VX2

Overview

Summary

 VX2 is an IE Browser Helper Object. It monitors web pages requested and data entered into forms, sends this information to its home server, and opens pop-up advertisement windows. It also has the capability to update itself and install other software. There are two variants of this parasite with different file and internal names, but both work identically.

Alias

 Adware/MSView [Panda], Application/HideWindow.A [Panda], Application/Psexec.A [Panda], Application/ToolWget.A [Panda], Backdoor Program [Panda], Backdoor.Bionet.405 [Kaspersky], Backdoor.IRC.Zapchast [Kaspersky], Backdoor.IRC.Zcrew [Kaspersky], Backdoor/Bionet.405!Server [Computer Associates], Backdoor/IRC.Zcrew [Computer Associates], Backdoor/ZCrew.B [Computer Associates], Backdoor/ZCrew.B.IRC [Computer Associates], Backdoor/Zcrew.G [Computer Associates], BAT.IRCFlood [Computer Associates], BAT.Noshare.B [Computer Associates], Bat/Flood.C!Trojan [Computer Associates], Bck/IRC.Mirc.Based [Panda], Bck/Multi.I [Panda], Bck/Zcrew.B [Panda], Bck/Zcrew.G [Panda], Blackstone Data Transponder (was also distributed under the name NetPal by netpalnow.com, but the software now available there is the newer NetPal parasite, which isn't the same code), DoS.Win32.Nenet [Kaspersky], Flooder.Win32.WarPing [Kaspersky], Flooder/Nenet.A [Panda], IRC.Flood [Computer Associates], mIRC/Flood.I!Trojan [Computer Associates], mIRC/Flood.RmtCfg!Trojan [Computer Associates], NetPal, RemoteProcessLaunch [McAfee], Sputnik (name used by VX2), Spyware/BetterInet [Panda], Trj/Femad.A [Panda], Trj/Flood.BI [Panda], Trj/Passer.C [Panda], Trojan [Name used by Ad-aware], Trojan Horse [Panda], TrojanDownloader.Win32.Femad.b [Kaspersky], VX2 RespondMiter, VX2.Clean Get-Away, VX2.MSView, VX2.My PanicButton, VX2.Respondmiter, VX2.SiteHelper, VX2.Transponder, Win32.BettInet.C [Computer Associates], Win32.Bionet.405 [Computer Associates], Win32.Femad.A [Computer Associates], Win32.IRCFlood [Computer Associates], Win32.Startpage.KF!downloader [Computer Associates], Win32/Femad.B trojan [Eset], Win32/Rslocal.B!Downloader [Computer Associates], Win32/SillyDL.70656!Trojan [Computer Associates], Win32/Spybot.FR!Worm [Computer Associates], Win32/Startpage.KF!Downloader [Computer Associates]

See Also

 NetPal · TPS108

Category

 Browser Helper Object (BHO): A component that Internet Explorer loads whenever it starts. It shares IE's memory context and can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, and monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because the firewall sees them as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Adware:  Software that displays popup/popunder ads when the primary user interface is not visible, or ads that do not appear to be associated with the product.

Downloader:  A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.

Homepage Hijacker:  Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Variants

 RespondMiter, Sputnik, AADCOM Extreme Targeting, Netpal, Transponder/Blackstone, Transponder/VX2 and Transponder/TPS108. All work identically; TPS108 was aimed at porn sites.
 

Origins

 

Group

 Mindset Interactive

Vendor

 Mindset Interactive is the company behind it all and distributes various useless software with the parasite. Aadcom sells advertising for them. ITC owns all these companies. Disk11 hosted and tested the pest and may originally have written it.

Others By This Group

 FavoriteMan · FavoriteMan.FOne · FavoriteMan.SpyAssault · NetPal · NetPal.PrizePopper

Date of Origin

 Variants from July, 1999 to May, 2005
 

Detection and Removal

Manual Removal

 

Contrary to VX2's claims, there is no entry to remove VX2 in the standard "Add/Remove Programs" Control Panel item.

VX2 installs itself into your System directory and is called either "IEHelper.DLL" (Transponder variant) or "VX2.dll" (RespondMiter variant). Before you can delete this file you will need to deregister it. Enter the following command from the command line for Windows 95/98/Me:

"%WinDir%\SYSTEM\regsvr32.exe" /u "%WinDir%\VX2.dll"

Or for Windows NT/2000/XP:

regsvr32 /u "%WinDir%\VX2.dll"

That's for the RespondMiter variant - for the Transponder variant, write 'IEHelper.DLL' instead of 'VX2.dll' above.

After doing this and restarting the computer you can delete the file. There will also be some keys in the registry under HKLM\Software\Transponder or RespondMiter, which you can clean.


 Stop Running Processes:

Kill these running processes with Task Manager:



Remove Autorun Reference:

Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\narrator, delete it and reboot the machine immediately.



Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:



Clean Registry:

Remove these registry items (if present) with RegEdit:



Remove Files:

Remove these files (if present) with Windows Explorer:



Remove Directories:

Remove these directories (if present) with Windows Explorer:



Restore Settings:

After following the instructions above, you will still need to restore your original settings and prevent this from happening again.
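
The manual checks above can be gathered into one read-only audit that is run before anything is deleted. The PowerShell below is an added example, not part of the original entry: the DLL names, the HKLM\Software keys and the "narrator" Run value come from this page, while the function name Find-Vx2Artifact, the extra folders searched, the Browser Helper Objects lookup and the use of PowerShell 3.0 or later are assumptions.

```powershell
# Added example: read-only audit for the VX2 artifacts this page names.
# DLL names, registry keys and the "narrator" Run value come from the page;
# the function name and the extra folders searched are assumptions.
function Find-Vx2Artifact {
    $dllNames = 'IEHelper.dll', 'VX2.dll'   # Transponder / RespondMiter variants
    $found = @()
    $add = { param($type, $item, $action)
        [pscustomobject]@{ Type = $type; Item = $item; Action = $action } }

    # 1. The DLL itself, in the Windows and System directories.
    foreach ($dir in $env:WinDir, "$env:WinDir\System", "$env:WinDir\System32") {
        foreach ($name in $dllNames) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $found += & $add 'File' $path "regsvr32 /u `"$path`", reboot, delete"
            }
        }
    }

    # 2. Browser Helper Objects whose in-process server is one of those DLLs.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($bho in @(Get-ChildItem -LiteralPath $bhoKey -ErrorAction SilentlyContinue)) {
        $clsid = $bho.PSChildName
        $srv = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $srv) { continue }
        $dll = ([string]$srv.GetValue('')).Trim('"')   # default value = server DLL path
        if ($dll -and ($dllNames -contains (Split-Path $dll -Leaf))) {
            $found += & $add 'BHO' "$clsid -> $dll" 'unregister the DLL first'
        }
    }

    # 3. Vendor keys left under HKLM\Software.
    foreach ($key in 'HKLM:\Software\Transponder', 'HKLM:\Software\RespondMiter') {
        if (Test-Path -LiteralPath $key) {
            $found += & $add 'RegistryKey' $key 'delete after the DLL is gone'
        }
    }

    # 4. The "narrator" autorun value under the Run key.
    $run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -LiteralPath $run -Name narrator -ErrorAction SilentlyContinue
    if ($val) { $found += & $add 'RunValue' "$run\narrator = $($val.narrator)" 'delete, then reboot' }

    $found
}

Find-Vx2Artifact | Format-Table -AutoSize -Wrap
```

The function changes nothing on the machine; an empty result means none of the artifacts listed on this page were found.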
 
 
2006 © Copyright DatabaseofSpyware.com. All rights reserved.