Vx2,Narrator Toolbar and Trojan.Unclassified.ContextMenuHandler

[Larry]

Below is a detailed scan history from MS AntiSpyware
Beta. It claims removal of this but that is not the case.
For some reason Vx2.Narrator attempts re-installing on
almost every new boot or new user login.

I have tried to send a "Suspected Spyware Report" but
that fails. I have also tried doing a deep scan in the
safe mode but the MSAS program freezes.

Any help will be appreciated, as I have large amount of
unwanted adds being served.

Start of report....
-------------------------------------------------
Vx2.Narrator Toolbar more information...
Details: Related to the VX2 Transponder.
Status: Removed
Severe threat - Severe-risk items have an extreme
potential for harm, such as a security exploit, and
should be removed.

Infected files detected
c:\windows\system32\puyaby.dat

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Run Narrator


Trojan.Unclassified.ContextMenuHandler.A Trojan more
information...
Details: This trojan installs as a context menu handler
in Windows. It uses a 6 character random name on
installation. ******.dll, it also will use a random 6
character Project Name ******.class to identify itself.
Status: Removed
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected files detected
c:\windows\system32\cuzyoz.dll

 

[Steve Wechsler [MVP]]

Larry,

1 - Enable show hidden files and folders, including system files :
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2 - Make sure you have the latest refresh of MSAS. The current version
is .509. Make sure that MSAS has the latest definition installed.
Currently it's 5693.

3 - Disconnect from the internet, scan with MSAS in Normal mode, then
reboot to Safe Mode and do 2 more scans from there or until the system
is cleaned.

4 - Reboot to Normal mode and scan once more to ensure that VX2 has been
successfully removed.

The Narrator file reinfests the system if not successfully removed. The
..dat file is in use and can not be removed in Normal mode. Going into
Safe Mode *should* allow MSAS to remove it and protect against
reinfestation.

Steve Wechsler (akaMowGreen)

MS-MVP 2004-2005
Windows Server - Software Distribution
Windows - Security

 

[Guest]

Steve,
The deep scan in the Safe Mode worked, thanks. I am
finally clean.

One thing to note is that I had to wait thru what I
thought was a frozen MSAS program as I stated in my
earlier (first) post.

What actually was happening was that it took nearly 30
minutes looking at two files. They were on separate parts
of the scan for a total of 60 minutes, plus the other
regular part of the scan. That made for an extremely
long "deep" scan. I decided to wait it out as the hard
drive was spinning and it appeared that it was doing
something.

One of the files it spent 30 minutes on was InkObj.dll in
the "C:\Program Files\Common Files\Microsoft Shared\Ink"
directory. It is an old file that was compressed by
Windows XP and was last access in Aug of 2002.

I don't kow what the other file was.

 

[Bill Sanderson]

Thanks very much for getting back to us on this one--it's good to have
validation of the advice we've been giving, and it's good to hear the full
story about the "hang."

I'm glad you were able to have the patience to sit out those long time lags
and give the thing a chance to actually work. What it is doing in those 30
minute periods is another question--but I'm glad it worked in the end.