Undeletable/renaming/randomized spyware (VX2?)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Gaferion, Sep 28, 2005.

  1. Gaferion

    Gaferion Private E-2

    I am having major problems. I am working on a computer that had a lot of spyware/viruses. I feel that I removed all of them BUT one. I followed your basic spyware guide to try and get rid of this last piece of spyware, but it is still on the machine.

    What this spyware is doing is modifying the hosts file with a ton of domain entries pointing to 127.0.0.1. It uses either IE or Firefox (whichever is the default browser) and randomly pops open websites that have advertisements. This spyware still starts up if you boot into safe mode.

    I believe it's a vx2.look2me variant. I have run CWShredder and it says it REMOVED it, but then I immediately run the program again and it finds and removes it again. I ran Ad-Aware with the VX2 plugin, but the plugin does not clean it and says I found a new variant, with a log file that has the path/filename of a randomly generated dll file that is in the c:\windows\system32 folder. Every time I reboot and run Ad-Aware, it gives a different filename but in the same path.

    It seems that if I am disconnected from the internet, the pop-ups do not occur anymore.

    If I use VX2 Finder, it points me to the (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify) key, and under the Notify key there is always a different sub-key. In that sub-key (which has a new randomly generated name each time I start up) there is a dll value with the path/filename of a new random dll file in the \windows\system32 folder, which Ad-Aware detects but cannot remove.

    I have tried removing this file with killbox, but that has not worked.

    In my processes that show in Windows Task Manager, there is only one process I cannot seem to get rid of, which is rundll32.exe. I think this is what is used to run the random dll listed above ... but I am not sure.

    Any help is greatly appreciated. I spent a while trying to get this on my own.

    Jake
     
    Last edited: Sep 28, 2005
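The two symptoms in the post above (a hosts file stuffed with 127.0.0.1 entries, and a Winlogon\Notify sub-key that loads a DLL from system32) can both be checked mechanically. The script below is an added example written for this thread, not code from the original post or from Ad-Aware, CWShredder or VX2 Finder. It assumes that `KNOWN_NOTIFY` is the set of Notify sub-keys a stock Windows XP SP2 install carries (an unknown sub-key is a lead, not a verdict), and the hosts text, the Notify entries and the odd sub-key name `qpmwzrk` are constructed sample data, not values from the thread.

```python
"""Triage helpers for a hosts-file hijack and an unknown Winlogon\\Notify entry.

Added example for the thread, not code from the post or any tool it names.
Assumptions: KNOWN_NOTIFY is the baseline of Winlogon\\Notify subkeys on a
stock XP SP2 install; the sample hosts text and registry entries below are
constructed for illustration.
"""
import sys

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_hosts(text):
    """Yield (ip, [hostnames]) per entry, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1:]


def hosts_findings(text):
    """Split hosts entries into the two hijack patterns worth reviewing.

    'blocked'    - names pointed at loopback that are not the normal local
                   names (the post's symptom: sites silently made unreachable)
    'redirected' - names pointed at any other address (possible interception
                   of update or banking traffic)
    """
    blocked, redirected = [], []
    for ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            (blocked if ip in LOOPBACK else redirected).append((name, ip))
    return {"blocked": blocked, "redirected": redirected}


def unknown_notify_entries(entries):
    """entries: iterable of (subkey_name, dll_path). Return those not in the baseline."""
    return [(k, dll) for k, dll in entries if k.lower() not in KNOWN_NOTIFY]


def read_notify_entries():
    """Collect (subkey, DllName) from the live registry. Windows only."""
    import winreg  # only available on Windows; run this on the infected box
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:      # EnumKey raises once the index passes the last subkey
                break
            index += 1
            with winreg.OpenKey(key, name) as sub:
                try:
                    dll, _ = winreg.QueryValueEx(sub, "DllName")
                except OSError:  # subkey without a DllName value
                    dll = None
            found.append((name, dll))
    return found


# Constructed sample data standing in for the infected machine's hosts file
# and Notify key; the names below are made up, not ones from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.antispyware-vendor.example   # constructed: blocked
127.0.0.1       update.example.net
10.0.0.99       www.bank.example                 # constructed: redirected
"""
SAMPLE_NOTIFY = [
    ("crypt32chain", "crypt32.dll"),
    ("sclgntfy", "sclgntfy.dll"),
    ("qpmwzrk", r"C:\WINDOWS\system32\qpmwzrk.dll"),  # constructed random name
]

if __name__ == "__main__":
    print(hosts_findings(SAMPLE_HOSTS))
    print(unknown_notify_entries(SAMPLE_NOTIFY))
    if sys.platform == "win32":
        print(unknown_notify_entries(read_notify_entries()))
```

Run it on the affected machine to get the current DllName before shutting down; on any other system the constructed samples exercise the same logic. The baseline list is deliberately small so that a sub-key the scanner has never seen (and the DLL path under it) stands out, whatever random name it was given on this boot.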
  2. Gaferion

    Gaferion Private E-2

    More Info

    System Specs:
    Windows Home
    Service Pack 2
    P4 2.26 Ghz
    512 MB RAM

    Some of the sites that pop up on their own whenever using default browser include:
    www.searc-h.com
    66.48.78.222
    www101.coolsavings.com
    www.pacimedia.com

    I also used a program that you guys do not have listed called Ewido to scan, and it found the following additional items:
    Spyware.VX2 HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\.Owner
    Spyware.VX2 HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
    Spyware.Delfin HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility
    Spyware.Look2Me HKLM\SOFTWARE\tsvcin
    Spyware.Look2Me [1540] C:\WINDOWS\system32\rIsman.dll
    Spyware.Look2Me [1688] C:\WINDOWS\system32\rIsman.dll
    Spyware.CASClient C:\Program Files\Cas\Client\casmf.dll

    The scan is actually still running and I've got to go. I will be trying to remove those later. I am still posting hoping someone can give me more information or more things to try for when I come back later.

    I am also redoing the BitDefender scan because I remember there being 1 file it could not get rid of, although I forgot which. It was 3AM last night when I went to bed, so I was tired while working on this. :p

    Please let me know if there is any more information that can help; I will get it.

    Jake
     
  3. Gaferion

    Gaferion Private E-2

    Well, I got it figured out on my own.

    In the end, to get rid of the vx2 variant, I had to use the Ad-Aware VX2 Cleaner to find out the filename, or VX2 Finder to go to the reg key and look at the dll entry for the filename. I then wrote down the filename and pulled the plug on the machine to prevent it from renaming the file when it restarts, which it can do during shutdown (whether or not you want to do this is up to you, but I read it in a different guide and it makes sense to me). I then booted into the Recovery Console with a WinXP CD and deleted the file. I also then renamed odd-looking files (files whose names looked like random characters) that were located in the system32 folder and had a newer (05) date.

    After doing all this and rebooting, I was able to remove the registry entry without it restoring itself. No more pop-ups occurred, and the file/process has not returned.

    Jake
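The fix above relies on writing the filename down before the DLL renames itself at shutdown. A way to make that step robust, as an added example and not the poster's own procedure or any tool's code, is to hash the contents of system32 before and after a reboot and look for the same bytes under a new name: a rename changes the filename but not the SHA-256. It assumes the DLL keeps its bytes when it renames itself (the post reports a new filename each boot, not new contents); a variant that also rewrites itself would only show up in the `added`/`removed` lists. The directory contents below are constructed in memory, and the file names `hwdmnqx.dll` and `qzrtvbn.dll` are made up, so the logic runs anywhere.

```python
"""Catch a DLL that renames itself across reboots by diffing content hashes.

Added example for the thread, not the poster's procedure or any tool's code.
Assumes the payload's bytes stay the same across the rename; the sample
directory contents and file names below are constructed.
"""
import hashlib
import os


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(path):
    """Map filename -> (size, sha256) for the regular files in `path`."""
    snap = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                data = fh.read()
            snap[name] = (len(data), sha256_bytes(data))
    return snap


def snapshot_from_bytes(files):
    """Same shape as snapshot_dir, built from {name: bytes} (for the sample)."""
    return {n: (len(b), sha256_bytes(b)) for n, b in files.items()}


def diff_snapshots(before, after):
    """Classify changes between two snapshots of the same directory.

    'renamed'  - same hash, new name: the self-renaming DLL, even after the
                 scanner's recorded filename has gone stale
    'modified' - same name, different hash
    'added'    - names (and hashes) only present after the reboot
    'removed'  - names only present before, not accounted for by a rename
    """
    by_hash_before = {}
    for name, (_, digest) in before.items():
        by_hash_before.setdefault(digest, set()).add(name)
    renamed, modified, added = [], [], []
    for name, (_, digest) in after.items():
        if name in before:
            if before[name][1] != digest:
                modified.append((name, digest))
            continue
        old = by_hash_before.get(digest)
        if old:
            renamed.append((sorted(old)[0], name, digest))
        else:
            added.append((name, digest))
    renamed_from = {old for old, _, _ in renamed}
    removed = sorted(n for n in before if n not in after and n not in renamed_from)
    return {"renamed": renamed, "modified": modified, "added": added, "removed": removed}


def names_matching_hash(snapshot, digest):
    """Which file(s) currently carry a hash recorded from an earlier detection."""
    return sorted(n for n, (_, d) in snapshot.items() if d == digest)


# Constructed stand-in for C:\WINDOWS\system32 across one reboot: the payload
# keeps its bytes but changes its (made-up) random name.
PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed-fake-payload"
BEFORE = snapshot_from_bytes({
    "kernel32.dll": b"MZ constructed stand-in for a legitimate file",
    "ntdll.dll": b"MZ another constructed stand-in",
    "hwdmnqx.dll": PAYLOAD,
})
AFTER = snapshot_from_bytes({
    "kernel32.dll": b"MZ constructed stand-in for a legitimate file",
    "ntdll.dll": b"MZ another constructed stand-in",
    "qzrtvbn.dll": PAYLOAD,
})

if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
    print(names_matching_hash(AFTER, sha256_bytes(PAYLOAD)))
```

In practice you would take `snapshot_dir(r"C:\WINDOWS\system32")` once from a clean boot environment (the Recovery Console cannot run Python, but a second machine or a boot CD with the drive mounted can), then again after the infected system has restarted, and feed both to `diff_snapshots`. The `renamed` entry gives the current filename to delete, and `names_matching_hash` finds it again on any later boot from the hash alone.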
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - L2MeFix Tool
    - ExplorerXP

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe.
    Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop.

    DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your message.

    Download the following file; after the download is complete, run the uninstaller. When the uninstall is complete, reboot to normal mode and proceed with the steps below. I would like to check something.


    Post a fresh HJT log.
     
