Since June 30, I have been struggling with a particularly nasty version of vX2. This variant brought with it, or was somehow associated with, zestyfind, targetsoft, twaintec and a couple of other malware / virus infections. This was on a machine with current Norton anti-virus definitions, anti-malware daemons, and a hardware firewall. The cause was most likely browsing to an infectious web site.
This vX2 variation was immune to HijackThis, CWShredder, and Spybot. The symptoms were: the default home page in IE changed to zestyfind; the hosts file populated with bogus entries (mostly pointing to the localhost, but a couple of real IPs mixed in); and the constant creation / re-creation of winupd.dll, targetsoftsetup.exe, and targetsoftsetup.exe-xxxx.pf in the windows\system32\prefetch folder. The browser would also launch sporadically to GAIN sites and other useless game, travel, etc. sites. Each time, three advertising icons would appear on the desktop.

Also, in the system folder, the vX2 executables would take the form 6xx4svc.dll, where xx is some combination of letters (usually with the second letter being an "o"). The file 6to4svc.dll is a valid Windows development environment file, and should not be mistaken for malware. The malware versions were frequently hidden, system, and read-only.

There were other symptoms as well, such as rundll32 taking up 90% of the processor time and quick-launch not working.
Here are the steps I took to remove this awful infection. It took me close to a full day to figure out. Since my daughter was the culprit, I'm sending her a bill which she can pay me out of her college fund ;-)
1. Ran Ad-Aware. Basically, this was a game of whack-a-mole and made no difference.

2. Removed the targetsoft registry key, and created a new one where everyone had "deny" privileges.

3. Renamed winupdt.dll to winupdt.$$$ and created an empty read-only instance of winupdt.dll using Notepad to prevent the viral version from being created. I also did this with winhost32.exe, inetadpt.dll, and wincore.dll, all of which were malware-associated files.

4. Rebooted and ran Ad-Aware again, reducing the infection but not being able to clear it completely. I had built a few walls in the previous steps, but still could not get rid of the infection.

5. Downloaded the 1.02 version of the Ad-Aware vx2 removal plugin and ran it. It detected the vx2 infection and prompted me to reboot. I did so, and ran Ad-Aware, which found a number of vx2 files. However, it always had trouble deleting one or two of them. No matter how many times I repeated the process, one of the .dlls would activate (possibly as part of the targetsoft executable process... but I'm not sure), spawn a bunch of others, and reinfect the machine.

6. Finally, I ran Ad-Aware, identified the locked hidden files and used "MoveOnBoot," a great utility from Gibinsoft, and had it delete the locked vx2 files on bootup. This allowed me to reboot without active infection, and run Ad-Aware to remove any lingering files.
At this point, I still have no quick-launch toolbar. If no fix arrives for this, I will likely reinstall XP Service Pack 1 to see if it reappears.
Hope this helps someone. Feel free to contact me.
RO
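The post's two most useful triage indicators are the 6xx4svc.dll naming pattern (distinct from the legitimate 6to4svc.dll) and the tampered hosts file. The script below is an added example, not part of the original post or any vendor tool: it flags filenames matching that pattern, reports the hidden / system / read-only attributes the poster observed, and lists every hosts entry other than the stock localhost mapping so a responder can review them. The sample hosts text and the directory listing in the `__main__` block are constructed for illustration; the regular expression is an assumption derived from the pattern as the post describes it.

```python
import re
import stat
from pathlib import Path

# Legitimate Windows file the post warns not to confuse with the malware.
LEGIT_6TO4 = "6to4svc.dll"

# Naming pattern described in the post: 6xx4svc.dll, with xx two letters.
# The exact regex is an assumption based on that description.
LOOKALIKE_RE = re.compile(r"^6[a-z]{2}4svc\.dll$", re.IGNORECASE)

# Windows file-attribute bits; the constants come from Python's stat module.
ATTRIBUTE_NAMES = (
    (stat.FILE_ATTRIBUTE_READONLY, "readonly"),
    (stat.FILE_ATTRIBUTE_HIDDEN, "hidden"),
    (stat.FILE_ATTRIBUTE_SYSTEM, "system"),
)


def is_lookalike_svc_dll(name: str) -> bool:
    """True for 6xx4svc.dll names that are NOT the legitimate 6to4svc.dll."""
    return bool(LOOKALIKE_RE.match(name)) and name.lower() != LEGIT_6TO4


def find_lookalikes(names):
    """Return the sorted subset of `names` that match the lookalike pattern."""
    return sorted(n for n in names if is_lookalike_svc_dll(n))


def describe_attributes(attr_bits: int):
    """Translate a Windows st_file_attributes bitmask into attribute labels."""
    return [label for bit, label in ATTRIBUTE_NAMES if attr_bits & bit]


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text; comments are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, hostnames = fields[0], fields[1:]
        for host in hostnames:  # one line may map several names
            yield ip, host


def suspicious_hosts_entries(text: str):
    """Return every hosts entry other than the stock localhost mapping.

    The post describes bogus entries that mostly point real names at the
    loopback address, with a few real IPs mixed in; both kinds are returned
    so a responder can review them.
    """
    stock = {"localhost", "localhost.localdomain"}
    return [(ip, host) for ip, host in parse_hosts(text) if host.lower() not in stock]


def scan_system_dir(directory):
    """Map lookalike DLL names under `directory` to their attribute labels.

    On non-Windows hosts st_file_attributes is absent and the labels are empty.
    """
    report = {}
    for path in Path(directory).iterdir():
        if path.is_file() and is_lookalike_svc_dll(path.name):
            bits = getattr(path.stat(), "st_file_attributes", 0)
            report[path.name] = describe_attributes(bits)
    return report


if __name__ == "__main__":
    # Constructed sample hosts content, not taken from a real machine.
    SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
127.0.0.1 www.vendor-update.example www.security-vendor.example
10.1.2.3 update.example
"""
    print("hosts entries to review:", suspicious_hosts_entries(SAMPLE_HOSTS))
    # Constructed listing standing in for windows\system32.
    print("lookalikes:", find_lookalikes(["6to4svc.dll", "6ao4svc.dll", "kernel32.dll"]))
    # On a Windows host, point scan_system_dir at the real system folder.
```

Running `scan_system_dir` against the actual system folder on a Windows machine adds the attribute check; matching the pattern alone is only a prompt to look closer, since the poster's point is that one legitimately named file sits right beside the malicious ones.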