HELP: INFECTED WITH VX2

bronan

Technical User
Jan 11, 2006
236
ME
After installing Ad-Aware 2007 I discovered I am infected with VX2 malware.
With Scan/Remove I can only remove the malware until the next boot, when VX2 appears again.
Tried the VX2 Removing Tool from Ad-Aware Professional, but this one is useless.
Checked with HijackThis, nothing suspicious found.
As this malware automatically changes after each deletion and appears again at the next boot, it seems a nightmare to remove it from the system.
Can anyone help, please?
SpyBot did not detect VX2; NOD32, KIS 7.0, Webroot and a bunch of other similar apps did not even detect it.
This VX2 infection is accompanied by a Data Miner. This is the log file created by Ad-Aware 2007 Pro after the scan:
"Infections Found
===========================
Family Id: 776 Name: VX2 Category: Malware TAI:10
Item Id: 300016485 Value: Root: HKU Path: S-1-5-19_Classes\\interface\{59ebb576-ceb0-42fa-9917-da6254a275ad}
Item Id: 300016485 Value: Root: HKU Path: S-1-5-20_Classes\\interface\{59ebb576-ceb0-42fa-9917-da6254a275ad}
Family Id: 1106 Name: WurldMedia Category: DataMiner TAI:9
Item Id: 300025356 Value: Root: HKU Path: S-1-5-19_Classes\\interface\{67972704-3546-4e3d-ab46-e39dbae06123}
Item Id: 300025356 Value: Root: HKU Path: S-1-5-20_Classes\\interface\{67972704-3546-4e3d-ab46-e39dbae06123}"
It seems that it will be very difficult to remove this infection, as this malware is polymorphic, changing its name very quickly and activating itself after each reboot.
Following a tutorial found on the net, I ran the DllCompare utility and, using KillBox, unregistered and deleted two .dll files not recognized by Windows, rebooted, but again the same story.
There is more than one form of VX2 and it really looks like a nightmare to remove it.
Any help and assistance to solve this problem will be highly appreciated.
 
After all the attempts made to solve this inconvenience, I must admit I am defeated.
With all these changes and newly installed utilities and apps I overloaded my machine with zero results.
The main problem is which variant of WurldMedia I have.
Besides, stopping the ATI HotKey Poller service did not resolve the problem.
On the next reboot both of them were back at the end of the Ad-Aware 2007 scan session.
@linney,
Unfortunately I have no possibility for a parallel install of XP.
I am wondering how it is possible that MS and even the whole cyber community are helpless in front of this malware.
The solution of reinstalling XP is always available, but this is the last thing to be done.
Thanks for your assistance and help.
 
Whoa whoa whoa, don't give up just yet. Never format until necessary. I do not give up that easily.

Go in safe mode with system restore turned completely off and try running a clean sweep with everything.

Also run this and post the logfile on here in normal mode.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Did you try running regedit yet? You didn't mention it in your reply. If not, shut down System Restore and run regedit. In Registry Editor, click File and Export a copy to your desktop. After that, press CTRL+F. In the Find dialog box, type in WurldMedia (you may want to search for ATI HotKey, ati2evxx.exe, ATIPOLL and any other variants you're aware of first). Be sure you have a check in Keys, Values and Data but not in 'Match whole string only'. Delete any entry found and press F3 to continue searching. If you've got the time and patience, you may want to search for one of these variants, exit Registry Editor and reboot to see if that resolved the problem or created a new one. If your system goes haywire, you can import your registry backup from your desktop. When, and if, you remove the pest from your computer, you can enable System Restore. I'd advise retaining your registry backup on your desktop for at least a few weeks in case something goes drastically wrong (or save it to a disk).
Hope this helps!
Bob
 
You might also go to They have AV and AS and an Antirootkit available free. Formatting your HD should be an absolute last resort. It's definitely not a great way to spend any free time re-installing your OS and all other programs and updates (let alone the time it takes to format your HD). Rerun HijackThis and post a new log if the pest persists.
Hope this helps!
Bob
 
LOL, it takes an hour to install the OS with its updates and drivers, plus only other drivers such as additional hardware. This guy has been at the problem for a week now; a clean install with everything back to normal would have been done by now. Why spend weeks getting rid of a virus that no one has even come close to solving? Easier and quicker to reinstall...
 
@SirBlack,
Thanks for encouraging me.
Ran RootkitRevealer and this is the log regarding the Registry:
HKU\S-1-5-21-861567501-1364589140-725345543-1003\RemoteAccess\InternetProfile 23.6.2007 14:02 11 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 23.7.2003 9:07 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 23.7.2003 9:07 0 bytes Key name contains embedded nulls (*)
Using the RegSearch utility for WurldMedia, the log is:
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 7/18/2007 4:11:53 PM for strings:
; 'wurldmedia'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\wurldmedia.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\wurldmedia.net]

[HKEY_CURRENT_USER\Software\RegCool\Options]
"SearchKeyWords"="WurldMedia|59ebb576-ceb0-42fa-9917-da6254a275ad|windows desktop search|KB 917013|Windows desktop search|"

; End Of The Log...
Also using Regedit and searching for WurldMedia found their entries for "wurldmedia.com" and "wurldmedia.net".
Using the RegCool utility I searched for WurldMedia and found 12 entries. Deleted all of them, but after scanning with Ad-Aware 2007, VX2 and Data Miner appear again.
So if it is not a False/Positive then I have a persistent polymorphic rootkit, and whatever I do, on the next boot this malware is present again.
Will try AVG Anti-Rootkit and report the results here.

 
Hal, first off it depends on the system how long it will take to format. Second, yeah, it only takes 1 to 2 hours to install Windows and drivers, however it can take hours reinstalling all the software that was on the machine.

Bronan, go to Tools then Folder Options, click the View tab. Click "Show hidden files and folders" and also uncheck the box that says "Hide protected operating system files". It will ask if you are sure with a warning, just tell it yes.

Download AntiVir and install it with the configuration I have listed. By the way, if you have Norton or McAfee, uninstall either of them first as it will conflict with them.


This is to set up AntiVir after it has been installed.

Right click on the logo in the taskbar (a red square with a white umbrella), then left click Configure. Towards the top left, you will see a box beside Expert Mode. Check this box. Now click the + beside Scanner, and then the + beside Scan. This will expand them.

Now click on Scan itself so that it is highlighted. To the right under Files, select the circle beside All Files. Now click on Action for Concerning Files. To the right, click the circle beside Automatic. Now to the right of that, set Primary Action to Repair and Secondary Action to Delete. DO NOT check the box that says "Copy file to quarantine before action".

Now click on Archives so that it is highlighted. Make sure all boxes on this page are checked; if not, check them. Now click on Heuristic. To the right under Win32 File Heuristic, check the box beside "Win32 file heuristic", then click the circle beside Medium Detection Level.

Now click the + beside Guard and the + beside Scan to expand them. Now click on Scan so that it is highlighted. To the right under Scan Mode, check "Scan when reading and writing". To the right of that under Files, click the circle beside "All files".

Now click on Heuristic so that it is highlighted. Check the box beside Win32 File Heuristic, and then click the circle beside Medium Detection Level. Now click OK and AntiVir is set up for scanning. I highly recommend doing a scan now.


After that, look in the registry and find those keys again and find what folder they are pointing to.

Use this to delete it

Killbox

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
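As an added illustration of the manual steps in this thread (Bob's regedit search with Keys, Values and Data checked, and electronicsfreak's advice to find which DLL the flagged keys point to), here is a PowerShell script that is not from any poster: it backs up the hives, searches HKLM and HKU for the reported strings, and follows an Interface GUID through its ProxyStubClsid32 to the registered DLL. Find-RegistryString and Resolve-InterfaceDll are names chosen here; the two search strings are taken from bronan's Ad-Aware log.

```powershell
# Added example (not from the thread): export HKLM/HKU first, search both hives
# for the strings Ad-Aware reported, then resolve an Interface GUID to the DLL
# behind it, so a hit can be reviewed before anything is deleted by hand.
$Patterns  = @('WurldMedia', '59ebb576-ceb0-42fa-9917-da6254a275ad')   # from the Ad-Aware log above
$BackupDir = "$env:USERPROFILE\Desktop"

# 1. Back up both hives so they can be re-imported if something goes wrong.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($hive in 'HKLM', 'HKU') {
    & reg.exe export $hive "$BackupDir\$hive-backup-$stamp.reg" /y | Out-Null
}

# 2. A key is a hit when its name, a value name or value data contains a pattern
#    (case-insensitive substring, like regedit's Find with "Match whole string" off).
function Find-RegistryString {
    foreach ($root in 'HKLM:\', 'Registry::HKEY_USERS\') {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($p in $Patterns) {
                if ($key.PSChildName -like "*$p*") {
                    [pscustomobject]@{ Key = $key.Name; Where = 'KeyName'; Match = $key.PSChildName }
                }
                foreach ($name in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($name)
                    if ($name -like "*$p*") { [pscustomobject]@{ Key = $key.Name; Where = 'ValueName'; Match = $name } }
                    if ($data -like "*$p*") { [pscustomobject]@{ Key = $key.Name; Where = 'ValueData'; Match = "$name = $data" } }
                }
            }
        }
    }
}

# 3. An Interface key is only a COM type registration. Its ProxyStubClsid32 names
#    a CLSID whose InprocServer32 names the DLL that would actually load; a missing
#    CLSID or missing file means a leftover reference, not code that runs at boot.
function Resolve-InterfaceDll {
    param([string]$InterfaceGuid)
    $iface = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\Interface\{$InterfaceGuid}" -ErrorAction SilentlyContinue
    if (-not $iface) { return 'no Interface key registered' }
    $psc = $iface.OpenSubKey('ProxyStubClsid32')
    if (-not $psc) { return 'Interface key has no ProxyStubClsid32' }
    $clsid = $psc.GetValue('')
    $srv = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if (-not $srv) { return "CLSID $clsid has no InprocServer32 (orphaned reference)" }
    $dll = $srv.'(default)'
    "$dll  (exists on disk: $(Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))))"
}

Find-RegistryString | Sort-Object Key | Format-Table -AutoSize
Resolve-InterfaceDll '59ebb576-ceb0-42fa-9917-da6254a275ad'
```

The two hits in the Ad-Aware log sit under HKU\S-1-5-19_Classes and HKU\S-1-5-20_Classes (the per-user class registrations of the Local Service and Network Service accounts), which the search part covers; Resolve-InterfaceDll reads the merged HKEY_CLASSES_ROOT view, so substitute that HKU path if you want to follow exactly those entries. Run it from an elevated prompt, since exporting HKLM and reading some of its subtrees needs administrator rights.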
 
I know what you're saying, electronicsfreak, but the poor guy has been trying for ages now. He still can't get rid of the damn thing. I've read all I can about this virus and no one has come up with a solution as of yet. I personally would just start over, but at the end of the day it's down to bronan if he wants to do that or carry on and see if he can get rid of this pest. The very best of luck to you bronan and I hope you do find a solution and let us all know :D

eve
 
I'm assuming you're shutting down System Restore before making any changes. I did a bit more research and here's another method for manual removal of VX2 (AKA Transponder, Blackstone, TPS108, AADCOM, NetPal, DigitalRooster, MSView, VX2.Transponder, Transponder.TPS108):

1 Click "Start" then select "Control Panel".
2 In the "Control Panel" window select "Add/Remove Programs" and look for "BlackStone".
3 If "BlackStone" is found, select it and click the "Remove" button.
4 If "BlackStone" is not present in "Add/Remove Programs", close any open Web browsers. All the browsers should be closed.
5 Click "Start", select the Search button and search for "IEHelper.dll" on your HD.
6 If found, delete "IEHelper.dll".
7 Click "Start", select the Search button and search for "domlst.cch" on your HD.
8 If found, delete "domlst.cch".
9 If the system does not permit the file to be deleted, select "Start" then select "Run", type "regedit" and press "OK". (Remember to Export a backup of your Registry.)
10 In the left side of the Registry Editor, select the key and its subkeys as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ You should find the "{00000000-5eb9-11d5-9d45-009027c14662}" key.
11 Delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662} The key is deleted.
12 Reboot the computer. Click "Start", then click "Search". Search for "IEHelper.dll". You should be able to find the "IEHelper.dll" file now.
13 Now delete IEHelper.dll. The "IEHelper.dll" file should be deletable now.
14 Reboot the computer now, and search again for "IEHelper.dll". You should not be able to find the "IEHelper.dll" file anywhere in your system.
15 Click the Start button on the task bar and click "Run...".
16 Type "regedit" in the Run window and press "OK".
17 Search for
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
If the key is still found, proceed to the next step.
18 Follow from step 5 to step 10.
Hope this finally rids the pest for you!
Bob
 
As I already stated, I am keeping System Restore always disabled.
AVG Anti-Rootkit didn't find even one rootkit on my machine.
Please look at this link and let me know your opinion about it:
This case is identical to mine.
In "Add/Remove Programs" there is no "Black Stone".
Will proceed with the search for "IEHelper.dll" and the others, but maybe all that I am doing is unnecessary if we have here a False/Positive from Lavasoft.
 
In addition to the above post: "IEHelper.dll", "domlst.cch" and the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662} key
do not exist in my OS.
 
Bronan,

That link you supplied only adds to the confusion, in my opinion. The only thing that came out of it was the suggestion to run the older version of Ad-Aware SE with the older VX2 Plugin, and see what occurs?

Recap for us here. What software scans are identifying an infection, is it just Ad-Aware 2007, or others too?

I have held off installing Ad-Aware 2007 as I felt it was not ready to go yet, this was purely based on how the GUI looked and behaved on my test machine.
 
As linney said, that link offers very little of substance. If you can't find anything related to VX2 in your Registry and Ad-Aware 2007 is the only AV/AS scan identifying it, I'd consider reverting to Ad-Aware SE until the 2007 glitches are resolved. Sometimes newer isn't always better.
Cheers, Bob
 
As I can't find anything related to VX2 / WurldMedia running all the other AV/AS apps, I decided to simply ignore the Ad-Aware 2007 scanning results.
It is completely unbelievable that none of those numerous apps, Registry editors, cleaners and so on can detect anything suspicious, but only Ad-Aware 2007.
I have used the old version of Lavasoft Ad-Aware for a very long period and never faced any problems.
Yes, I added VX2 Cleaner, but the utility reported that my system is clean.
Can't be 100% sure, but if in the future this problem is confirmed to be a False/Positive,
I can only say that it is a very bad habit to launch programs which scare people in vain.

Thanks again to all of you for supporting me to overcome the problem.
 
Glad we were able to help. As far as launching programs before the glitches are worked out, Bill Gates and MS are the worst offenders, not that they're the only company that does that. The rule of thumb should be: if you have a spare system, download Beta apps or first-release versions there; don't install them on your main system without doing research first.
Cheers, Bob
 
Confirmed, was False/Positive.
Cheers,
bronan
 