I just spent 5 and a half hours nuking the same bug from a user's machine
today.
I loaded the following:
Adaware Personal SE with VX2 plugin
Spybot S&D
MSAS
HijackThis
Look2Me auto-uninstaller from link at PCHell.com page for Look2Me
Process Explorer from www.sysinternals.com
ccleaner
Symantec Corporate Antivirus 9 with definitions dated 3/28/2005
SpywareBlaster
BHODemon 2.0
I opened the registry to the Windows | Run section, I opened Process
Explorer, Windows Explorer to the system32 folder and sorted by date to
watch for reinstalled files - I also checked show hidden files and unchecked
the hide system files in the Folder Options.
One file returned time and time again, in my case ivprv.exe, in Process
Explorer. It could be killed but always returned after any cleaning and
reboot. The hosts file kept being overwritten with entries to the IP
address in the subject line above. SPYBOT AND MSAS were UNABLE TO STOP this
from happening.
I disabled System Restore.
I ran ccleaner multiple times and made sure every temp location was empty -
I noticed that the index.dat files were larger than normal and would not
delete because a process was holding them open. I killed the ivprv.exe file
and then they would delete while in safe mode.
Even though Process Explorer continued to show the ivprv.exe file to be in
system32, it did not show in the Windows Explorer listing.
Adaware, spybot S&D, and MSAS all removed numerous items in regular mode and
safe mode but I finally kept my battle in safe mode.
I ran HijackThis a few times and removed everything.
I ran a full scan of SAV 9 in safe mode and found many files not found or
deleted by the top three antispy proggies above. ivprv.exe still came back.
I ran the Look2Me uninstall but ivprv.exe still came back in the Process
Explorer.
I noticed that several files were dated the 29th with a time stamp from
during this battle. I went into the security settings for these files and
removed ALL users/groups and rebooted back into safe mode.
ivprv.exe showed up finally in the Windows Explorer so I deleted it -
finally.
I ran every tool on full scan one more time and checked the hosts file one
more time.
Reboot to normal and all systems are a go. Bugger finally gone.
One note: A non-pathed entry to rnkr.exe followed through this process but
MSAS is blocking it and it doesn't seem to be doing anything - I have not
searched the registry for it yet. I was tired and everything was behaving.
I'll look tomorrow.
Not sure where she got this pest but it happened yesterday - while I was
trying to take a day off.
Let me know how your battle goes. MSAS submitted numerous reports to
Spynet.
JohnF.
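A scripted version of the three places John watched by hand (the Run keys, system32 sorted by date, and the hosts file), added here as an example and not part of the original post. It assumes an elevated PowerShell prompt and a "recent" window of 3 days by default; it only reports entries for review and deletes nothing.

```powershell
# Added triage example (not from the original post). Snapshots the Run keys,
# files recently written in system32 (including hidden/system files), and any
# hosts entries beyond the localhost defaults. Reports only, never deletes.
param(
    [int]$Days = 3   # assumption: how far back "recently modified" reaches
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Run / RunOnce entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    foreach ($p in $props.PSObject.Properties) {
        # An entry with no drive or directory in its value (like the non-pathed
        # rnkr.exe in the post) is worth a second look.
        $flag = if ("$($p.Value)" -notmatch '[\\:]') { '  <-- no path, review' } else { '' }
        "{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag
    }
}

Write-Host "== system32 files written in the last $Days days (hidden/system included) =="
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path "$env:SystemRoot\System32" -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, Attributes, Name |
    Format-Table -AutoSize

Write-Host "== hosts entries other than the localhost defaults =="
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
```

Running it once before cleanup and once after each reboot makes it easy to see which files and entries come back, which is the pattern that gave ivprv.exe away in the post.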