Posted 04 February 2005 - 02:28 AM
I have had several customers with what looks like a new VX2 variant. I can remove the other adware with Ad-Aware, SpyBot, and HJT. The problem is that certain DLLs and EXEs keep coming back.
This malware removes the "debug privilege" from all accounts, so I can't run Sysinternals' FileMon or ListDLLs. Also, the "Local Security Policy" icon is missing from Administrative Tools, and secpol.msc has been deleted.
I have deleted the files using the Recovery Console, but they reappear. The filenames are random letters and numbers, but the EXEs are usually 6 characters (yoyryp.exe) and the DLLs are approx. 12 (r9ap0qrvhae3.dll); they are located in %systemroot%\system32 and are set as hidden and system. I have tried unregistering them with regsvr32 /u, but access is denied.
Please advise on how to clean this so I don't have to reformat, and for future reference.
Thanks for any help.