
Pain in the a** malware


#1 krustyburger



Posted 04 February 2005 - 02:28 AM

I have had several customers with what looks like a new VX2 variant. I can remove the other adware with Ad-Aware, SpyBot, and HJT. The problem is certain dlls and exes keep coming back.

This malware removes the "debug privilege" from all accounts so I can't run Sysinternals' FileMon or ListDLLs. Also the "Local Security Policy" icon is missing from the Administrative Tools and secpol.msc has been deleted.

I have deleted the files using the recovery console but they reappear. The filenames are random letters and numbers but the EXEs are usually 6 characters (yoyryp.exe) and the DLLs are approx. 12 (r9ap0qrvhae3.dll) and are located in %systemroot%\system32 and are set as hidden and system. I have tried unregistering with regsvr32 /u but Access is Denied.

Please advise on how to clean so I don't have to do a reformat and for future reference.

Thanks for any help.
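The symptoms in the post above (random-named EXEs and DLLs dropped into %systemroot%\system32 with the hidden and system attributes set) lend themselves to a small triage script. The following is an added example, not code from the thread or from any of the tools it mentions: it scores each directory entry against those two indicators and returns the flagged names. The sample listing is constructed from the two filenames in the post plus a few legitimate names; the stem-length thresholds, the allowlist and the scoring levels are assumptions, not facts about the malware.

```python
import os
import re
import stat
import sys

# Naming pattern described in the post: 6-character EXE stems and roughly
# 12-character DLL stems made of lowercase letters and digits (assumed bounds).
EXE_STEM = re.compile(r"^[a-z0-9]{6}$")
DLL_STEM = re.compile(r"^[a-z0-9]{10,14}$")

# Both attribute bits set at once is the second indicator from the post.
# stat exposes these constants on every platform, so the scoring works offline.
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

# Legitimate hidden+system files that should never be flagged (assumed, extend as needed).
KNOWN_GOOD = {"desktop.ini"}


def looks_random(stem, ext):
    """True if the stem matches the random-name pattern for its extension."""
    if ext == ".exe":
        return bool(EXE_STEM.match(stem))
    if ext == ".dll":
        return bool(DLL_STEM.match(stem))
    return False


def is_hidden_system(attributes):
    """True only when BOTH the hidden and system attribute bits are set."""
    return attributes & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def classify(name, attributes):
    """Return 'high', 'low' or None for one directory entry.

    high: random-looking name AND hidden+system (both indicators from the post)
    low:  random-looking name only (legitimate short names like winver.exe land here)
    None: everything else; hidden+system alone is too common to flag on its own
    """
    base = name.lower()
    if base in KNOWN_GOOD:
        return None
    stem, ext = os.path.splitext(base)
    if not looks_random(stem, ext):
        return None
    return "high" if is_hidden_system(attributes) else "low"


def triage(listing):
    """Score a list of (filename, attribute_bits) pairs; keep input order."""
    results = []
    for name, attributes in listing:
        level = classify(name, attributes)
        if level is not None:
            results.append((name, level))
    return results


def scan_directory(path):
    """Triage a real directory. st_file_attributes only exists on Windows;
    elsewhere attributes default to 0 and only the name heuristic applies."""
    listing = []
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                listing.append((entry.name, getattr(st, "st_file_attributes", 0)))
    return triage(listing)


# Constructed sample listing: the two names from the post plus legitimate files.
SAMPLE_LISTING = [
    ("yoyryp.exe", HIDDEN_SYSTEM | stat.FILE_ATTRIBUTE_ARCHIVE),   # from the post
    ("r9ap0qrvhae3.dll", HIDDEN_SYSTEM),                            # from the post
    ("winver.exe", stat.FILE_ATTRIBUTE_ARCHIVE),                    # 6-char legitimate name
    ("desktop.ini", HIDDEN_SYSTEM),                                 # legitimate hidden+system
    ("kernel32.dll", stat.FILE_ATTRIBUTE_ARCHIVE),                  # legitimate DLL
]


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise run on the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for name, level in (scan_directory(target) if target else triage(SAMPLE_LISTING)):
        print(f"{level:5} {name}")
```

On the constructed sample this flags the two names from the post as "high" and winver.exe as "low", which is the point of the two-tier scoring: a short alphanumeric name on its own is a weak signal and needs a second indicator (here the hidden+system attributes) before it deserves attention. Any file this flags should still be checked against a known-good hash or its digital signature before removal.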



#2 daveai



Posted 05 February 2005 - 12:53 PM

Can you provide a HijackThis log of the infected system?

It sounds like the new VX2 (or Look2Me).

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous
