Variant of VX2.Look2Me

Mike Vidal

Hi Everyone:

There is a new variant of the subject item going around
that exhibits the same behavior (new files created in the
win\sys32 (abbreviations used) directory that are removed
at reboot, along with a slew of entries in the hosts file).
Beta does not fix it at all; Adaware has a plug-in that
says it fixes it but does not. This is a link to a similar
vx2.look2me that was out there, but this one that I ran into
is using different file names, though the behavior is the
same: http://users.telenet.be/marcvn/spyware/1894454.htm

The only way I could get rid of this program was to run
BitDefender, which identified a file called upd2date???.exe (I
believe this was the file name), which it removed, but it came back.

I ended up using a tool called ERD Commander to boot with
that CD, get into the win\sys32 directory, sort by date and
rip the offending files out manually, sorting the files by
date and getting all files with a date newer than the date
the problem started up to the current day you are working
on the machine.

This variant attaches itself to explorer.exe and will start
to pop iexplorer.exe pages while the system is idle on the
internet.

This is a really nasty bug, and MS needs to get a fix out
for this and for the antispyware.

My experience otherwise with the antispyware is that it is a good
tool to get control of a machine but not all inclusive; I
still need to use spybot and adware along with HijackThis
and other stuff to really get a machine clean.

Mike V.
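
Added example (not part of Mike's post and not from any tool named in this thread): a Python sketch of the offline triage described above, run from a clean boot or analysis machine against the mounted system directory. It lists executable files modified since a chosen cutoff date and pulls non-default entries out of a hosts file; the extension list, dates, file names and hosts lines are constructed assumptions.

```python
import os
import tempfile
from datetime import datetime

# Assumption: extensions worth reviewing first; adjust to taste.
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx"}

def files_changed_since(directory, since):
    """Executable files modified at or after `since`, newest first."""
    cutoff = since.timestamp()
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            mtime = entry.stat(follow_symlinks=False).st_mtime
            ext = os.path.splitext(entry.name)[1].lower()
            if mtime >= cutoff and ext in EXEC_EXT:
                hits.append((datetime.fromtimestamp(mtime), entry.name))
    return sorted(hits, reverse=True)

def added_hosts_entries(hosts_text):
    """(ip, hostname) pairs other than the stock localhost mapping."""
    extra = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2:
            extra += [(fields[0], n.lower()) for n in fields[1:]
                      if n.lower() != "localhost"]
    return extra

def demo():
    """Run both checks on constructed sample data (not from a real infection)."""
    samples = [("old.dll", datetime(2004, 8, 4)),
               ("new1.dll", datetime(2005, 3, 2)),
               ("notes.txt", datetime(2005, 3, 3))]
    with tempfile.TemporaryDirectory() as d:
        for name, when in samples:
            path = os.path.join(d, name)
            open(path, "w").close()
            os.utime(path, (when.timestamp(), when.timestamp()))
        recent = [n for _, n in files_changed_since(d, datetime(2005, 3, 1))]
    hosts = "127.0.0.1 localhost\n127.0.0.1 ads.example.com  # constructed\n"
    return recent, added_hosts_entries(hosts)

if __name__ == "__main__":
    print(demo())
```

File modification times can be changed by whatever wrote the file, so the date-sorted list is a starting point for review rather than a complete inventory.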
 
Bill Sanderson

If you have a good handle on the fact that a machine is infected, doing a
Tools, suspected spyware report helps.
 
Mike Vidal

Bill:
-----Original Message-----
If you have a good handle on the fact that a machine is infected, doing a
Tools, suspected spyware report helps.

I tried that, it would not let me report. I would have
liked to submit a report from my personal machine, but the
program does not seem to give you an option to fill in
information as it wants files from the infected machine and
I had to dump them in order to get control of it.

I did at least give you all links to a similar threat
should you run into this bad guy.

Mike V.
 
Bill Sanderson

Thanks! Steve Wechsler has the ability to get binaries (or useful links) to
the development team, fwiw.
 
Jeff Ben

VX2.Transponder is a resilient little cousin? I am
wondering what a C- techie can do. Running Beta isolates
the bugger every time, and then I tell it to remove, and
it says it does/did, then it says to reboot, and we
do/did. And it is still there -- and in Beta it says it
was "told" to ignore!!! It cannot be removed as far as I
can figure -- went to safe mode, went to AdAware AND
Search and Destroy (these 2 don't even "see" the bugger).
So, we sit here with 50 windows spawning and no hope.
Mike -- any direction here?
 
Bill Sanderson

Check out the message from Ron Kinner in Announcements today.

HijackThis and guided cleaning--either by Ron or in a forum--is probably
your best bet, if Microsoft Antispyware isn't removing what you've got.

Do remember to do a tools, suspected spyware report while it is dirty,
though!
 
