VX2

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Summary:	VX2 is an IE Browser Helper Object. It monitors web pages requested and data entered into forms, sends this information to its home server, and opens pop-up advertisement windows. It also has the capability to update itself and install other software. There are two variants of this parasite with different file and internal names, but both work identically.
Alias:	Adware/MSView [Panda], Application/HideWindow.A [Panda], Application/Psexec.A [Panda], Application/ToolWget.A [Panda], Backdoor Program [Panda], Backdoor.Bionet.405 [Kaspersky], Backdoor.IRC.Zapchast [Kaspersky], Backdoor.IRC.Zcrew [Kaspersky], Backdoor/Bionet.405!Server [Computer Associates], Backdoor/IRC.Zcrew [Computer Associates], Backdoor/ZCrew.B [Computer Associates], Backdoor/ZCrew.B.IRC [Computer Associates], Backdoor/Zcrew.G [Computer Associates], BAT.IRCFlood [Computer Associates], BAT.Noshare.B [Computer Associates], Bat/Flood.C!Trojan [Computer Associates], Bck/IRC.Mirc.Based [Panda], Bck/Multi.I [Panda], Bck/Zcrew.B [Panda], Bck/Zcrew.G [Panda], Blackstone Data Transponder. Was also distributed under the name NetPal by netpalnow.com, but the software now available there is the newer NetPal parasite which isn't the same code., DoS.Win32.Nenet [Kaspersky], Flooder.Win32.WarPing [Kaspersky], Flooder/Nenet. A [Panda], IRC.Flood [Computer Associates], mIRC/Flood.I!Trojan [Computer Associates], mIRC/Flood.RmtCfg!Trojan [Computer Associates], NetPal, RemoteProcessLaunch [McAfee], Sputnik (name used by VX2), Spyware/BetterInet [Panda], Trj/Femad.A [Panda], Trj/Flood.BI [Panda], Trj/Passer.C [Panda], Trojan [Name used by Ad-aware], Trojan Horse [Panda], TrojanDownloader.Win32.Femad.b [Kaspersky], VX2 RespondMiter., VX2.Clean Get-Away, VX2.MSView, VX2.My PanicButton, VX2.Respondmiter, VX2.SiteHelper, VX2.Transponder, Win32.BettInet.C [Computer Associates], Win32.Bionet.405 [Computer Associates], Win32.Femad.A [Computer Associates], Win32.IRCFlood [Computer Associates], Win32.Startpage.KF!downloader [Computer Associates], Win32/Femad.B trojan [Eset], Win32/Rslocal.B!Downloader [Computer Associates], Win32/SillyDL.70656!Trojan [Computer Associates], Win32/Spybot.FR!Worm [Computer Associates], Win32/Startpage.KF!Downloader [Computer Associates]
See Also:	NetPal · TPS108
Category:	Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page. Adware: Software that displays popup/popunder ads when the primary user interface is not visible or which do not appear to be assocaited with the product. Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site. Homepage Hijacker: Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
Variants:	RespondMiter,Sputnik,AADCOM Extreme Targeting, Netpal, Transponder/Blackstone, Transponder/VX2 and Transponder/TPS108. All work identically; TPS108 was aimed at porn sites.
Similar Pests:	Browser Helper Object · Adware · Downloader · Homepage Hijacker
Origins
Group:	Mindset Interactive
Vendor:	Mindset Interactive is the company behind it all and distributes various useless software with the parasite. Aadcom sells advertising for them. ITC owns all these companies. Disk11 hosted and tested the pest and may originally have written it.
By This Group:	FavoriteMan ·
Date of Origin:	Variants from July, 1999 to March, 2005
Distribution
Distribution:	The RespondMiter variant was stealth-installed by version 0.608W of the AudioGalaxy Satellite. It is very widespread mainly from this source, but it has also been installed by FavoriteMan. The Transponder variant is installed with all software from Mindset Interactive, which is the company behind VX2 and Blackstone Data.
Prevalence:	VX2: 0.2% More Info
Clot Factor:	VX2: 2 The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Growth:	VX2: Insufficient data to report growth
Operation
Advertising:	Yes. VX2 opens pop-up advertisements depending on targeted URLs being browsed, targeted terms being entered into forms (this is aimed at search engines), and how much browsing is being done - the software tries to hide by not opening advertisements when little is happening.
Storage Required:	VX2: at least 5465 KB
Browser Performance:	Likely to slow performance of Internet Explorer.
Risks
Privacy Issues:	Yes. VX2 reports back to its servers with URLs you have visited, things you have entered into web forms (even 'secure' ones), your computer configuration and software you have installed. If your e-mail address is set up in Outlook Express it will be sent to Mindset Interactive to be sold to spammers.
Security Issues:	Yes. The software updates itself silently and the License available on VX2's web site specially reserves the right to have it automatically install any other "third party software" at all.
Stability Issues:	None known.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Contrary to VX2's claims there is no entry to remove VX2 in the standard "Add/Remove Programs" Control Panel item. VX2 installs itself into your System directory and is called either "IEHelper.DLL" (Transponder variant) or "VX2.dll" (RespondMiter variant). Before you can delete this file you will need to deregister it. Enter the following command from the command line for Windows 95/98/Me: `"%WinDir%\SYSTEM\regsvr32.exe" /u "%WinDir%\VX2.dll"` Or for Windows NT/2000/XP: `regsvr32 /u "%WinDir%\VX2.dll"` That's for the RespondMiter variant - for the Transponder variant, write 'IEHelper.DLL' instead of 'VX2.dll' above. After doing this and restarting the computer you can delete the file. There will also be some keys in the registry under HKLM\Software\Transponder or RespondMiter, which you can clean.
	Stop Running Processes: Kill these running processes with Task Manager: bios32.exe boot.exe f0e66c68.exe infwin.exe msdos.exe msfnt32i.exe mws.exe nvnav32g.exe programfilesdir+\clean get-away\cgetwy.exe programfilesdir+\clean get-away\deletelockedfiles.exe programfilesdir+\clean get-away\unins000.exe programfilesdir+\my panicbutton\deletelockedfiles.exe programfilesdir+\my panicbutton\mypbtn.exe programfilesdir+\my panicbutton\unins000.exe stde9.exe svchost32.exe systoan.exe thnall1b.exe vt00.exe wsocksrv.exe wupdt.exe xstyles.exe
	Unregister DLLs: Unregister these DLLs with Regsvr32, then reboot: blowfish.dll mcon.dll nhtml.dll nvnav32g.dll programfilesdir+\clean get-away\cleanhistories.dll programfilesdir+\clean get-away\psapi.dll programfilesdir+\my panicbutton\cleanhistories.dll programfilesdir+\my panicbutton\psapi.dll systemroot+\system\ehelper.dll systemroot+\system\host.dll systemroot+\system\kernellos.dll systemroot+\system\msview.dll systemroot+\system\sitehlpr.dll systemroot+\system\tps108.dll systemroot+\system\vx2.dll systemroot+\system32\3lviewer.dll systemroot+\system32\3vviewer.dll systemroot+\system32\3zviewer.dll systemroot+\system32\6eo4svc.dll systemroot+\system32\6fo4svc.dll systemroot+\system32\6uo4svc.dll systemroot+\system32\host.dll systemroot+\system32\msview.dll systemroot+\system32\sitehlpr.dll systemroot+\system32\tps108.dll systemroot+\system32\vx2.dll
	Clean Registry: Remove these registry items (if present) with RegEdit: HKEY_CLASSES_ROOT\clsid\{00000000-5eb9-11d5-9d45-009027c14662} HKEY_CLASSES_ROOT\clsid\{0000026a-8230-4dd4-be4f-6889d1e74167} HKEY_CLASSES_ROOT\clsid\{00000273-8230-4dd4-be4f-6889d1e74167} HKEY_CLASSES_ROOT\clsid\{00000580-c637-11d5-831c-00105ad6acf0} HKEY_CLASSES_ROOT\clsid\{1000026a-8230-4dd4-be4f-6889d1e74167} HKEY_CLASSES_ROOT\clsid\{11111111-1111-1111-1111-111111111111} HKEY_CLASSES_ROOT\clsid\{ef100607-f409-426a-9e7c-cb211f2a9030} HKEY_CLASSES_ROOT\clsid\{ffd2825e-0785-40c5-9a41-518f53a8261f} HKEY_CLASSES_ROOT\dlexpertclick HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-5eb9-11d5-9d45-009027c14662} HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{0000026a-8230-4dd4-be4f-6889d1e74167} HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000273-8230-4dd4-be4f-6889d1e74167} HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000580-c637-11d5-831c-00105ad6acf0} HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{ffd2825e-0785-40c5-9a41-518f53a8261f} HKEY_CLASSES_ROOT\typelib\{11cc62b2-65f2-4a82-b332-5de4e8384422} HKEY_CLASSES_ROOT\vx2.vx2obj HKEY_LOCAL_MACHINE\software\classes\clsid\{00000000-5eb9-11d5-9d45-009027c14662} HKEY_LOCAL_MACHINE\software\classes\clsid\{ffd2825e-0785-40c5-9a41-518f53a8261f} HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{11111111-1111-1111-1111-111111111111} HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{20000273-8230-4dd4-be4f-6889d1e74167} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-5eb9-11d5-9d45-009027c14662} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{0000026a-8230-4dd4-be4f-6889d1e74167} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000273-8230-4dd4-be4f-6889d1e74167} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000580-c637-11d5-831c-00105ad6acf0} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{ffd2825e-0785-40c5-9a41-518f53a8261f} HKEY_LOCAL_MACHINE\software\respondmiter HKEY_LOCAL_MACHINE\software\transponder
	Remove Files: Remove these files (if present) with Windows Explorer: bc777.html bios32.exe bios32.exe-0753e1fe.pf blowfish.dll boot.exe cconmon32i.ocx dns.oca dns.ocx explorer.exe.delete_on_reboot0 f0e66c68.exe find.vbs gcmd.vbs infwin.exe javex80.vxd load.vbs mac80ex.idf mcon.dll msccctl32.ocx msdos.exe msfnt32i.exe mws.exe nhtml.dll nvnav32g.dll nvnav32g.exe profilepath+\desktop\clean get-away.lnk profilepath+\desktop\my panicbutton.lnk programfilesdir+\clean get-away\cgetwy.exe programfilesdir+\clean get-away\cleanhistories.dll programfilesdir+\clean get-away\deletelockedfiles.exe programfilesdir+\clean get-away\eventfirer.ocx programfilesdir+\clean get-away\help.chm programfilesdir+\clean get-away\mixercontrol.ocx programfilesdir+\clean get-away\psapi.dll programfilesdir+\clean get-away\settings.ini programfilesdir+\clean get-away\unins000.exe programfilesdir+\my panicbutton\cleanhistories.dll programfilesdir+\my panicbutton\deletelockedfiles.exe programfilesdir+\my panicbutton\eventfirer.ocx programfilesdir+\my panicbutton\help.chm programfilesdir+\my panicbutton\mixercontrol.ocx programfilesdir+\my panicbutton\mypbtn.exe programfilesdir+\my panicbutton\psapi.dll programfilesdir+\my panicbutton\settings.ini programfilesdir+\my panicbutton\unins000.exe psis80ex.ax run.vbs secure.bat send.vbs sitehlpr.inf stde9.exe str.vxd svchost32.exe systemroot+\system\ehelper.dll systemroot+\system\host.dll systemroot+\system\kernellos.dll systemroot+\system\msview.dll systemroot+\system\sitehlpr.dll systemroot+\system\tps108.dll systemroot+\system\vx2.dll systemroot+\system32\3lviewer.dll systemroot+\system32\3vviewer.dll systemroot+\system32\3zviewer.dll systemroot+\system32\6eo4svc.dll systemroot+\system32\6fo4svc.dll systemroot+\system32\6uo4svc.dll systemroot+\system32\host.dll systemroot+\system32\msview.dll systemroot+\system32\sitehlpr.dll systemroot+\system32\tps108.dll systemroot+\system32\vx2.dll systoan.exe thnall1b.exe trojan.txt v32driver.bat vt00.exe whois.ocx winsck.ocx wsocksrv.exe wupdt.exe xstyles.exe
	Remove Directories: Remove these directories (if present) with Windows Explorer: programfilesdir+\clean get-away programfilesdir+\my panicbutton
	Restore Settings: After following the instructions above, you will still need to restore your original settings and prevent this from happening again. Here''s how.
Research
File Analyses:	VX2: bc777.html · bios32.exe · bios32.exe-0753e1fe.pf · blowfish.dll · boot.exe · cconmon32i.ocx · cgetwy.exe · dns.oca · dns.ocx · explorer.exe.delete_on_reboot0 · f0e66c68.exe · find.vbs · gcmd.vbs · infwin.exe · javex80.vxd · load.vbs · mac80ex.idf · mcon.dll · msccctl32.ocx · msdos.exe · msfnt32i.exe · msview.dll · mws.exe · nhtml.dll · nvnav32g.dll · nvnav32g.exe · psis80ex.ax · run.vbs · secure.bat · send.vbs · sitehlpr.dll · sitehlpr.inf · stde9.exe · str.vxd · svchost32.exe · systoan.exe · thnall1b.exe · trojan.txt · v32driver.bat · vt00.exe · whois.ocx · winsck.ocx · wsocksrv.exe · wupdt.exe · xstyles.exe
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	Benjamin Googins and Andrew Clover PestPatrol's Pest Research Center
Last Revised:	April 07, 2005