VX2 or something painfully like it

Well, to a lay person, there may not seem like much difference between dir *.dll and del *.dll, but if you’re a computer guy, you’ll notice a subtle and, oh, rather important difference. Especially when you run that command in the system32 directory. And you don’t have any operating system disks or fun things like that.

Oh, and it would be one thing if it was MY computer. It’s not. My computer doesn’t feel like turning on these days. It was Shukla’s computer. Who is Shukla, you ask? Oh, just the founder and head of Parikrma. No, she won’t mind. It’s not like the information on her lappy is important, or anything.

But it’s like this: why am I still at the school at midnight? Because of a wonderful piece of spyware called VX2 (at least I think that’s what I’m dealing with). It’s ingenious, really: I can tell you just how it works. I just can’t tell you how to stop it. But it goes something like this:

When installed, it creates various copies of itself in the system32 directory as .dll files. Amazingly, despite all being the same file, it ranges in size from 220kb to 240kb– yeah, go figure that one out. Having created a copy of itself, it latches onto a Windows service called WinLogon, which handles, as the name suggests, log-on and log-off operations. When Windows 2000 or XP boots up, WinLogon is called, which in turn calls all of its dependencies– one of which is VX2. WinLogon is a critical system process– meaning that it can’t be stopped or paused while Windows is running. So long as WinLogon is running, the .dll is in use, and can’t be removed. The .dll does two things: it randomly throws up some pop-ups when there’s an internet connection, and it perpetuates itself. It monitors its registry keys such that if they are deleted, they are instantly replaced.

Since WinLogon is a critical system process, it runs even in Safe Mode. There’s no way around it.

When you shut down the computer, the .dll builds a new version of itself and changes the registry, such that even if you shut down, go through the recovery console and delete the file, you’re not going to get the RIGHT file. There’s no way of knowing which instance is going to be used next, and no way of deleting all the instances because the file name and size are both random in a directory full of important DLLs.

The ONLY possible way to beat this, that I can think of, would be to use a program like ERD Commander, which provides CD-based access to both the Windows file system and the Windows registry.

Unfortunately, I’m in India. I certainly don’t have a copy of ERD Commander.

So, I’m at an impasse. Fortunately, there was a backup of all the DLLs I inadvertently deleted with my typo under the system32\dllcache directory– getting the computer back up and running was just a matter of finding that fortunate trove of DLLs, and then pressing “n, enter, n, enter” about a thousand times while I copied back the DLLs I deleted, and didn’t overwrite the potentially newer DLLs already in system32.
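Two chores from this post automated as an added example (my own code, not anything from the post or from VX2 itself): restoring DLLs from dllcache without overwriting what is already in system32, and flagging system32 DLLs that have no dllcache counterpart and fall in the 220–240 KB band the post describes. It runs against a constructed temp-directory stand-in, so the file names and sizes are assumptions, and the path/size check is a triage heuristic, not an identification of the infection.

```python
import shutil
import tempfile
from pathlib import Path

# Size band the post describes for the rogue copies (assumed KB = 1024 bytes).
SIZE_LO = 220 * 1024
SIZE_HI = 240 * 1024

def restore_missing_dlls(system32: Path, dllcache: Path) -> list[str]:
    """Copy each DLL present in dllcache but absent from system32; never overwrite."""
    restored = []
    for src in sorted(dllcache.glob("*.dll")):
        dst = system32 / src.name
        if dst.exists():
            continue  # keep the (possibly newer) copy already in system32
        shutil.copy2(src, dst)
        restored.append(src.name)
    return restored

def suspicious_dlls(system32: Path, dllcache: Path) -> list[str]:
    """Flag DLLs in system32 with no dllcache counterpart and a size in the band."""
    cached = {p.name.lower() for p in dllcache.glob("*.dll")}
    hits = []
    for p in sorted(system32.glob("*.dll")):
        if p.name.lower() in cached:
            continue  # a protected copy exists, so this is a known system DLL
        if SIZE_LO <= p.stat().st_size <= SIZE_HI:
            hits.append(p.name)
    return hits

def build_sample_tree() -> tuple[Path, Path]:
    """Constructed stand-in for system32 and its dllcache (not a real system)."""
    system32 = Path(tempfile.mkdtemp(prefix="vx2demo_")) / "system32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    for name, size in [("kernel32.dll", 900_000), ("user32.dll", 560_000)]:
        (dllcache / name).write_bytes(b"\0" * size)  # present in both, untouched
        (system32 / name).write_bytes(b"\0" * size)
    (dllcache / "comctl32.dll").write_bytes(b"\0" * 600_000)  # lost to the typo
    (system32 / "qxzv.dll").write_bytes(b"\0" * 230_000)  # random-named copies
    (system32 / "rklm.dll").write_bytes(b"\0" * 236_000)  # with no cache counterpart
    (system32 / "tiny.dll").write_bytes(b"\0" * 12_000)  # outside the band, not flagged
    return system32, dllcache

if __name__ == "__main__":
    s32, cache = build_sample_tree()
    print("restored:", restore_missing_dlls(s32, cache))
    print("suspect:", suspicious_dlls(s32, cache))
```

Legitimate third-party DLLs also have no dllcache entry, so anything the size filter flags still needs checking (publisher, signature, what loads it) before it is treated as the infection.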

I’ve scoured the net looking for solutions. No luck. So I’m going to go home and sleep. I’m good at that! =)

About Mark Egge

Transportation planner-adjacent data scientist by day. YIMBY Shoupista on a bicycle by night. Bozeman, MT. All opinions expressed here are my own.

4 Responses to VX2 or something painfully like it

  1. ken-mister says:

    … I have no idea as to what you just said… but it sounded smart so good job on that…

  2. jaderobbins says:

    Ubuntu Linux Live cd FTW. Boot that baby up, mount the NTFS drive and do your dirty work. Freely available even for people in India.

  3. Mark Peters says:

    Hey, thanks for the nice comments on my blog. Always nice to know someone appreciates the writing. Are you in Bangalore currently? I’m here for a couple more days before I head south or north again.

    My phone is 09818463538 (New Delhi number)

  4. -Nampueng- says:

    For sure, my number is 01-357-0267.