How to get rid of VX2.BetterInternet

There is apparently a new version of the VX2.BetterInternet spyware bundle infecting machines. Whereas it used to use a file named msg117.dll (the number may vary), it now uses a file named abd.dll (at least on the machine I looked at) which changes it's name to something different on each reboot. You do not see the abd.dll file in C:\Winnt\System32 but you will find it mentioned in the registry. If you are infected, each time you run Ad-Aware after a reboot it will detect a different DLL file in the System32 directory and identify it as VX2.BetterInternet. Here are instructions for removal:

1. After downloading and updating Spybot Search & Destroy and Lavasoft's Ad-Aware, disconnect your computer from the network and run them both. (Only Ad-Aware will detect the DLL file causing the trouble, but Spybot will remove other entries that Ad-Aware doesnt' find.) There's no point in letting them run on reboot when they ask if you want them to do this because they won't be able to remove this stuff anyway. However, you may want to run Ad-Aware a second time to verify the version of VX2.BetterInternet that you have. The msg117.dll variation usually shows two file that Ad-Aware could not remove. The one that changes it's name at every reboot will only show one.

2. Open Regedit and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianRHRFQ. (Under the old msg117.dll version, the key name was just Guardian.) Find the file name by looking at the DllName value. On the machine I looked at, it was abd.dll.

3. Now that you have the true file name, you need to boot to a DOS prompt. On a FAT or FAT32 computer, you can use a Windows 95 or 98 boot disk. On an NTFS computer you will either need an NTFSDOS disk or use your OS CD to boot into the Recovery Console. Navigate to the C:\Winnt\System32 directory.

4. With the msg117.dll file I was able to simply delete the file. This new variation, however, flags the abd.dll file with read-only, hidden, and system attributes which need to be removed first. Windows 2000 didn't allow me to remove all three attributes at once (like in the old days) with "ATTRIB -R -H -S adb.dll". I had to remove them one at a time (ex. ATTRIB -R abd.dll). Once these attributes are removed you can delete or rename the file.

5. Reboot the computer, delete the GuardianRHRFQ key from the registry, and run Ad-Aware again. Your computer should be clean. Re-connect to the network.


(NOTE: These instructions are based on two computers I've worked on that were loaded with Windows 2000 and had NTFS partitions. Instructions may vary slightly according to the OS you are using.)