DLL launching with every EXE

Xaphan

I've got a PC that's been infected with some sort of spyware. I'm going to format, but this has me completely stumped. What I've got is:

  • randomly named filename mspygps.dll in the System32 folder that is launching after every EXE (not affected .bat, .pif or .com files)
  • no bad startup items, no bad services
  • nothing in win.ini/system.ini out of the ordinary
  • HKCR\exefile looks fine, as does HKLM\ exefile reg entry

I can rename/delete the file, but then half of my programs error with "Cannot find C:\Windows\System32\mspygps.dll" or "mspygps.dll is a bad image", something to that effect. I searched the registry for the filename and came up with nothing.

Based on file size I was able to get to this page: MSLVVWBK.DLL - Trojan.Agent/Gen-Uphov-B | SUPERAntiSpyware

but that doesn't help and searching google/bing for Trojan.Agent/Gen-Uphov-B returns essentially nothing.

McAfee, Kaspersky, and a couple others won't find anything, even recovery boot CDs.

Any idea how this thing is launching on every exe? Also, if the file is deleted and I reboot, userinit.exe and the other EXEs that run before even the login screen comes up error about the missing DLL, so it's not an infected explorer.exe, I don't think.
 
I don't waste time with spyware and figuring out how to fix it anymore.

I know this is useless but your thread was lonely.
 
Can you boot to safe mode and run your AV and anti-spy/malware stuff??

If you can turn off your System Restore, then run your AV and Anti-mal/spyware stuff....

Do something real quick, and that is go to Start/Run, type in msconfig, Startup tab, and see if this "mspygps.dll" is listed and checked... If so, uncheck and apply and reboot..

Yeah, not any info out there and I checked Anandtech and MaxPC forums... Can you run Hijack This??
 
I did format/reinstall.

HijackThis did nothing, as did Combofix. Nothing in startup, no services, ran AV check in safe mode. The DLL actually was still being called in safe mode, which screamed registry thing to me but I couldn't find it anywhere.
 
I'm sure there would have been a solution. I've yet to have a spyware case that couldn't be solved. It's a challenge for me.
Couldn't you just have run a search on all keys with mspygps.dll, back up your registry and just see what happens?

Did you check your environmental variables?
 
I did search all keys for mspygps.dll and didn't find anything. I didn't check the environment variables though. This is the first spyware case I haven't been able to resolve.
 
For situations like this... Here is a very easy fix.

Either boot into BartPE, or take the HD out and slave it on another computer. Now that you have complete access to the drive without the virus running, remove the dll file, and anything else associated with it (sometimes they keep multiple copies of themselves).

Mount the SOFTWARE and SYSTEM hives in regedit, search for the dll name and remove all instances. It is possible in Windows for the virus to hide keys in the registry, but not when you mount the hive from another computer. Unmount hives, do a full virus scan on the drive (while you are at it, should not be necessary if you got everything, but can't hurt).

Boot back into Windows and enjoy your clean system. Done right, this takes all of 10 minutes (without the stupid scan).
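
The offline hive search described in the post above, scripted as an added example (not code from the thread). It assumes an elevated PowerShell on the clean machine, the suspect disk attached as `E:` (a hypothetical drive letter), and arbitrary mount names `OFFLINE_SOFTWARE` and `OFFLINE_SYSTEM`. It only reports matches; removal stays a manual decision.

```powershell
# Added example: search the offline SOFTWARE and SYSTEM hives of a slaved disk
# for a DLL name, in key names, value names and value data.
$Needle = 'mspygps'                      # DLL name from the thread
$Config = 'E:\Windows\System32\config'   # assumed location on the slaved disk
$Mounts = @{ OFFLINE_SOFTWARE = 'SOFTWARE'; OFFLINE_SYSTEM = 'SYSTEM' }

foreach ($mount in $Mounts.Keys) {
    # Load the hive file under HKLM\<mount> on the clean system.
    & reg.exe load "HKLM\$mount" (Join-Path $Config $Mounts[$mount]) | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $mount"; continue }
    try {
        # An offline SYSTEM hive has ControlSet001, ControlSet002, ... and no
        # CurrentControlSet, so every control set is walked here.
        Get-ChildItem -LiteralPath "Registry::HKEY_LOCAL_MACHINE\$mount" -Recurse `
                      -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.Name -like "*$Needle*") {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                # Read raw data so %SystemRoot%-style strings are not expanded.
                $data = $key.GetValue($valueName, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                # REG_BINARY arrives as byte[] (decoded as UTF-16 here only),
                # REG_MULTI_SZ as string[]; both are flattened to one string.
                $text = if ($data -is [byte[]]) {
                    [Text.Encoding]::Unicode.GetString($data)
                } else { $data -join "`n" }
                if ("$valueName`n$text" -like "*$Needle*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $text }
                }
            }
        }
    }
    finally {
        # Open RegistryKey handles block the unload; release them first.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}
```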
 