
HELP: INFECTED WITH VX2

Status
Not open for further replies.

bronan

Technical User
Jan 11, 2006
After installing Ad-Aware 2007 I discovered I am infected with VX2 malware.
With Scan/Remove I can only remove the malware until the next boot, and then VX2 appears again.
Tried the VX2 Removing Tool from Ad-Aware Professional, but this one is useless.
Checked with HijackThis, nothing suspicious found.
As this malware automatically changes after each deletion and appears again at the next boot, it seems to be a nightmare to remove it from the system.
Can anyone help please.
SpyBot did not detect VX2; NOD32, KIS 7.0, Webroot and a bunch of other similar apps don't even detect it.
This VX2 infection is accompanied by a Data Miner. This is the log file created by Ad-Aware 2007 Pro after the scan:
"Infections Found
===========================
Family Id: 776 Name: VX2 Category: Malware TAI:10
Item Id: 300016485 Value: Root: HKU Path: S-1-5-19_Classes\\interface\{59ebb576-ceb0-42fa-9917-da6254a275ad}
Item Id: 300016485 Value: Root: HKU Path: S-1-5-20_Classes\\interface\{59ebb576-ceb0-42fa-9917-da6254a275ad}
Family Id: 1106 Name: WurldMedia Category: DataMiner TAI:9
Item Id: 300025356 Value: Root: HKU Path: S-1-5-19_Classes\\interface\{67972704-3546-4e3d-ab46-e39dbae06123}
Item Id: 300025356 Value: Root: HKU Path: S-1-5-20_Classes\\interface\{67972704-3546-4e3d-ab46-e39dbae06123}"
It seems it will be very difficult to remove this infection, as this malware is polymorphic, changing its name very quickly and activating itself after each reboot.
Following one tutorial found on the net, I ran the dllcompare utility and, using KillBox, unregistered and deleted two .dll files not recognized by Windows, then rebooted, but again the same story.
There is more than one form of VX2 and it really looks like a nightmare to remove it.
Any help and your assistance to solve this problem will be highly appreciated.
 
I think it might be something else activating and it's not been detected. I've read a few things but not a solution as of yet, but if I find anything I'll let you know ASAP unless someone else comes up with a solution..
 
See the detailed procedure mentioned at the end of this thread, you may be able to adapt and make use of it in your specific case.

problems with IE and explorer
thread779-1049037

More of the same here.

Special Spyware Removal Instructions

Download links.

Alternatively, back up your valuable data, format the drive and re-install XP.
 
Thanks for your support.
As mentioned above, I already tried dllcompare and KillBox: found two files not recognized by Windows and, using KillBox, unregistered and removed those two .dll files, but nothing useful happened; VX2 accompanied by the WurldMedia malware appears again on the next reboot..
Trying to find out what version of VX2 I have, because it seems it is not VX2 BetterInternet.
Tried also "sargui", the Sophos Anti-Rootkit GUI interface, to discover hidden registry entries or files; nothing found in connection with VX2 or WurldMedia.
Searched the registry according to the tutorials from your posts, but can't locate the VX2 dll or IE Helper dll.
Don't know how to upload here the picture created from Ad-Aware 2007 to show you how these bloody nasties look.
Guys, please believe me, this matter drives me crazy.
As found so far, there are many people infected with this pest, and no efficient remover tool has been created yet.
 
@HalComps,
Unfortunately I couldn't download some files such as "Findit.zip" and "Hoster". Another thing is we have different OSes: mine is XP Pro/SP2, and it seems the content of C:\Windows\System32 is different. I can not find the files mentioned in the post in my System32 folder.
His case is from 2004.
I ran the VX2 Finder utility and this is the log created:
"Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
klogon
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
WgaLogon
wlballoon
WRNotifier


Guardian Key--- is called:

Guardian Key--- :

User Agent String---"
Opened the Registry and found entries for all the mentioned files, but I am afraid to remove or delete them so as not to create bigger problems.
 
Run regedit & export your registry files to your Desktop. If something goes whacko, you can always replace your registry with the backup. Have you run HijackThis? If not, download the latest version & post a log. Also, shut down System Restore before deleting any files so System Restore does not put them back in. You can reactivate System Restore after you're sure you've eliminated all pests.
 
Post your hijackthis file on here. Also run a full system scan from this site.


Then use this cleaner to remove all temp files

Then use this registry cleaner

Go to my computer, tools, then folder options, click the view tab, click circle to show hidden files and folders. Then uncheck the hide protected windows files, click yes when it asks if you are sure.


then download avg anti spyware, under scanner click settings, set it to delete. Run a full system scan with it.




There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Once you are done with all of that , disable and renable system restore.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Unless you're sure of what you're doing, it's still a good idea to back up your Registry before even using a 3rd party Reg Cleaner.
Bob
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:35 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\momo\Desktop\Programi XP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Spellin&g - C:\WINDOWS\web\Spell_It.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BCE97F7-1D82-457D-9A96-C336FC56B1A8}: NameServer = 165.66.160.1,165.66.160.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE659785-D27D-4EC5-BDFB-CCEF96D8FDF4}: NameServer = 195.66.160.1 195.66.160.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 7261 bytes
Tried with AVG: nothing detected.
My System Restore is disabled.
Not even one of the installed apps detected this infection; really strange.
Starting to think about the possibility of a false positive or a bug in Ad-Aware 2007.
 
Unless you have added these 2 id remove them

O17 - HKLM\System\CCS\Services\Tcpip\..\{9BCE97F7-1D82-457D-9A96-C336FC56B1A8}: NameServer = 165.66.160.1,165.66.160.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE659785-D27D-4EC5-BDFB-CCEF96D8FDF4}: NameServer = 195.66.160.1 195.66.160.2

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Remove WurldMedia Spyware


Can you make use of a parallel install of XP, or something like BartPE, which allow you to fight this pest outside of the infected install of XP?

These two articles in the RegEdit Help are a good explanation of the process of loading another install of XP's Registry in to a clean XP for manipulation.

To load a hive into the registry
To unload a hive from the registry
 
Try putting a check mark to fix next to
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
Basically, if legit, it's a utility for your display driver but it chews up lots of your system's resources.
Any malware can be named anything, so you should check where the file of the running process is located on your disk. If it's a "non-Microsoft" .exe file and it is located in the C:\Windows or C:\Windows\System32 folder, then there is a higher risk that it's some type of infection. Process Explorer is a big help in determining CPU usage & maker. You can review & download Process Explorer from
If HijackThis does not resolve this issue, you can disable this app in your "services" tab or run msconfig, check 'Selective Start up' then click on the 'Start up' tab. It may be listed as ati2evxx.exe or ATIPOLL. If it still persists in coming back @ reboot, back up your Registry, shut down Sys Restore, reboot in Safe Mode, run regedit & search for it here: HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run.
After all is back to normal, re-enable Sys Restore.
Hope this helps.
Bob
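As an added example (not from this thread, not from HijackThis or any of the tools mentioned), here are the checks from Bob's post above, together with the O17 NameServer point made a few posts earlier, turned into a small Python triage script over HijackThis log lines: autostart entries and services that run from the Windows directory without a known vendor, unknown Winsock LSPs, and DNS servers outside an expected set. The sample lines are copied from the log posted in this thread; the allowlist of Microsoft autostart binaries and the expected DNS set are constructed assumptions you would replace with your own baseline. The script only produces a review list, it does not decide what to fix.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines, copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BCE97F7-1D82-457D-9A96-C336FC56B1A8}: NameServer = 165.66.160.1,165.66.160.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE659785-D27D-4EC5-BDFB-CCEF96D8FDF4}: NameServer = 195.66.160.1 195.66.160.2
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
"""

# Constructed allowlist (assumption): Microsoft binaries that legitimately
# autostart from the Windows directory. Extend it from a known-clean machine.
KNOWN_WINDOWS_AUTOSTART = {"ctfmon.exe"}

WINDOWS_DIRS = ("c:\\windows\\",)

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O23"
    detail: str   # the path or value that triggered the finding
    reason: str   # why a person should look at it before fixing


def executable_path(command: str) -> str:
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def in_windows_dir(path: str) -> bool:
    """True when the file lives under C:\\Windows (any case)."""
    return path.lower().startswith(WINDOWS_DIRS)


def triage(log_text: str, expected_dns=frozenset()) -> list:
    """Return review items for the HijackThis lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            path = executable_path(m["cmd"])
            name = path.rsplit("\\", 1)[-1].lower()
            if in_windows_dir(path) and name not in KNOWN_WINDOWS_AUTOSTART:
                findings.append(Finding("O4", path,
                    "autostart from the Windows directory, not a known Microsoft binary"))
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            findings.append(Finding("O10", line.split(":", 1)[1].strip(),
                "unknown Winsock LSP; verify the DLL's vendor before fixing"))
        elif m := O17_RE.match(line):
            servers = re.split(r"[,\s]+", m["servers"].strip())
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append(Finding("O17", " ".join(unexpected),
                    "DNS server not in the expected set; remove unless you configured it"))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner" and in_windows_dir(m["path"]):
                findings.append(Finding("O23", m["path"],
                    "service with no vendor name running from the Windows directory"))
    return findings


if __name__ == "__main__":
    # The expected DNS set is a constructed example value.
    for f in triage(SAMPLE_LOG, expected_dns={"165.66.160.1", "165.66.160.2"}):
        print(f"{f.section}: {f.detail}\n    -> {f.reason}")
```

Each printed line is a review item, not a verdict: as the post says, look at where the file actually is on disk and who made it before ticking the box in HijackThis. On the sample lines the script flags the NeroCheck autostart, the unknown LSP DLL, the second O17 entry and the Ati2evxx.exe service, and leaves the Kaspersky and ctfmon entries alone.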
 
If you still can't get rid of this pest, it might be easier to reinstall your Windows. A pain, we know, but back up the important data and start again :(
 