TODO and VX2.Transponder problems

Guest

I'm running Microsoft NT 2000 on a laptop rarely used in
my office. I've begun using it lately, until around two
weeks ago when I began getting a lot of pop-ups even when
not running Explorer. I started out by running an
Ad-Aware scan and it found over 50 problems (mainly miners),
then I ran Spy-Bot Sd and found another 11 problems, one
of which was called VX2.Transponder Browser Plug-in. I
deleted it as the program suggested. I then, just to err
on the side of caution, ran a Microsoft AntiSpyware scan,
which found it again and two others: Transponder.Dl.Max
and one simply called TODO, so I removed them. When I
logged back in the next day the small box in the corner
popped up asking if I wanted to add VX2.Transponder to
the startup menu. I blocked it and then opened up MS
AntiSpyware and reviewed the last scan, and it said 3
objects were found and 1 was ignored, and that ended up
being VX2.Transponder, so I clicked remove, and after it
had finished a box came up looking like a Microsoft
Spyware prompt saying I should reboot my computer to fully
fix the problem, so I chose yes. When the computer
reloaded, VX2.Transponder came up again. I ran MS
AntiSpyware and it said I had ignored it when I had
chosen remove. This process went on until I gave up...
Now I decided to try it again and it won't go away. I've
even tried to delete the .exe file that it says it's
spawning from and it says I can't do that... Then, in
reviewing the processes that were running, I found an odd string
of letters ending with .exe (something like nczvlqw.exe)
and I'd end it and then another would pop up in its
place with a different name. I later discovered this was
to be blamed on TODO; apparently whenever I delete
this .exe it spawns another, so if anyone knows how to
solve these problems it would be a great help.
 
Bill Sanderson

Anonymous is correct--you are seeing Aurora, I believe.

You should clean with Microsoft Antispyware in safe mode, just to be sure
other things are taken care of--it can certainly clean some VX2 variants.

The other nearby thread mentioned was cleaned by going to a removal URL
found in one of the popups. This may be the easiest route. I have cleaned
this one by hand myself, and I can point you to a thread at CastleCops where
this one was cleaned:

http://castlecops.com/postp520003.html


There are three parts to this critter.

One part is the randomly named piece which you can identify using Microsoft
Antispyware's process explorer as TODO:

Take careful note of the location and the naming convention of that piece.
I can't recall how it is dated--I think currently, which is a good clue.
This one will change names with every boot, so look for it by
characteristics, not absolute name.

Second part: nail.exe (in \windows or \windows\system32? or the winnt
equivalents)

Third part: Also named in what appears to be random fashion, but with a
longer name--8 characters, in the case I saw.

The way I was able to identify the third part was an online scan with Trend
Micro's scanner:

http://housecall.trendmicro.com

That gave me the name of that crucial third piece. Several of these pieces,
perhaps all three, are active even in safe mode command prompt.

Once you can identify all three pieces, what I found effective was to boot
to the recovery console, using my original Windows CD, and choosing R at the
first Repair prompt.

Take some care about this if all you have is an OEM reinstallation CD--some
of these apparently don't include the Recovery Console facility, which is a
separate OS allowing limited access to the installed Windows, and some
repair commands.

It has DIR and delete commands, and if you are comfortable working at a
command prompt, you can delete the pieces involved.

The CastleCops thread includes the use of a tool I haven't tried yet:

"Download FindIt's.zip to your desktop.
Unzip/extract the files inside, open the folder and run the FindIt's.bat
and wait for a text to open. It will take a while, be patient. Post the
results please.
http://forums.net-integration.net/index...&id=142443"

This piece apparently identifies items specific to this threat so it may be
what to try first.

Additionally--if none of this looks like fun to you, or it looks too
complicated, I believe that this is within the range of services that
Microsoft PSS offers free help with.

If you are in the US or Canada, you can call 1-866-PCSafety for free help
from Microsoft PSS for issues of virus removal or repair, or for problems
with security-related patches.

If you are elsewhere in the world, this same help is available via your
nearest Microsoft subsidiary or office, but the phone call may not be free.

If you do choose to call PSS, I'd like to hear how it goes--I've made this
reference a few times, but am not absolutely certain this is within their
guidelines, since it isn't strictly speaking a virus--just adware which acts
like a virus!
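
The reply above advises finding the renamed piece by its characteristics (location, date, naming pattern) rather than by a fixed name. As an added illustration that is not part of the thread, this Python sketch lists candidate .exe files for manual review; the name pattern, vowel-ratio test and three-day window are assumptions chosen here, and only nail.exe and the sample name nczvlqw.exe come from the posts.

```python
import os
import re
import time

# Assumed heuristics (not from the thread): pattern, vowel test and age window.
RANDOM_NAME = re.compile(r"^[a-z]{5,10}$")  # e.g. nczvlqw, or the 8-character piece
KNOWN_NAMES = {"nail.exe"}                  # the one fixed name given in the thread
VOWELS = set("aeiou")

def looks_random(stem):
    """True for all-letter names with few vowels, such as 'nczvlqw'."""
    if not RANDOM_NAME.match(stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3

def triage(directories, now=None, max_age_days=3):
    """Return (path, reasons) for .exe files matching the described traits."""
    now = time.time() if now is None else now
    findings = []
    for directory in directories:
        try:
            entries = sorted(os.listdir(directory))
        except OSError:
            continue  # directory missing or unreadable
        for name in entries:
            path = os.path.join(directory, name)
            stem, ext = os.path.splitext(name.lower())
            if ext != ".exe" or not os.path.isfile(path):
                continue
            reasons = []
            if name.lower() in KNOWN_NAMES:
                reasons.append("known name")
            if looks_random(stem):
                reasons.append("random-looking name")
            # A current date only strengthens a hit; it is not a hit by itself.
            age_days = (now - os.path.getmtime(path)) / 86400
            if reasons and age_days <= max_age_days:
                reasons.append("recently dated")
            if reasons:
                findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    # C:\WINNT is the Windows 2000 default; SystemRoot overrides it if set.
    root = os.environ.get("SystemRoot", r"C:\WINNT")
    for path, reasons in triage([root, os.path.join(root, "system32")]):
        print(path, "-", ", ".join(reasons))
```

Legitimate files with consonant-heavy names (taskmgr.exe, for example) also match the name test, so the output is a list to review, not a list to delete.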
 
