Chaky 191 Posting Virtuoso

This one is one nasty adware. It eluded HijackThis, Spy Sweeper, Ad-Aware, BitDefender, Malwarebytes' Anti-Malware...

The only reference I came across named it Trojan.in-t-e-r-n-e-t.

It mentions that the author is NicTech Look2Me. Suffice to say that Look2Me-Destroyer (yet another tool I tried) failed to get rid of the thing.

I think I got it via Live Messenger. It manifests by making pop-unders every time you start an Internet session and open any of the browsers (Firefox or IE7). Really annoying. The only thing more annoying than that is the fact that I didn't know what was causing it.

But... ComboFix got rid of it and my system is clean once again.

Apparently, it installs this vgaa.sys as a system driver and it boots with Windows every time. I'm not sure, but I think it boots with Windows even in safe mode. It creates core.cache.dsk in the %System32%\drivers folder and stores some kind of information there. Malwarebytes' Anti-Malware says that file is a trojan trace. That was my first clue, but it still couldn't get rid of it. It could not be deleted. I used a tool called "unlocker" to unlock that file and delete it manually, but only until the next reboot, when it got recreated again. This vgaa.sys apparently uses it to track and store your surfing habits. (my wild guess)
Finally, I ran ComboFix, and took a look at the log afterwards, and there it was... fake system driver.

It took me 2 days to put a stop to it. I hope this thread will help others with the same problem.
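
An added example, not part of the original post: a PowerShell triage for the persistence described above. It checks the drivers folder for the two file names the post gives, then lists kernel driver services with their start mode, signature status and Safe Mode registration. It assumes a Windows system with PowerShell 3.0 or later.

```powershell
# Added example: file names below are the ones given in the post.
$driverDir  = Join-Path $env:SystemRoot 'System32\drivers'
$indicators = 'vgaa.sys', 'core.cache.dsk'

# 1. Are the named files present? -Force includes hidden/system files.
foreach ($name in $indicators) {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {
        Get-Item -LiteralPath $path -Force | Format-List FullName, Length, CreationTime, LastWriteTime
    } else { Write-Output "Not found: $path" }
}

# Service image paths come in several forms; turn them into a normal file path.
function Resolve-DriverPath([string]$Raw) {
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = $Raw.Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', [System.StringComparison]::OrdinalIgnoreCase)) {
        return Join-Path $env:SystemRoot $p.Substring(12)
    }
    if (-not [System.IO.Path]::IsPathRooted($p)) { return Join-Path $env:SystemRoot $p }
    return $p
}

# 2. Review every kernel driver service: start mode, image, signature, Safe Mode listing.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$report = foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
    $image  = Resolve-DriverPath $d.PathName
    $exists = [bool]($image -and (Test-Path -LiteralPath $image))
    $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $image).Status.ToString() } else { 'FileMissing' }
    $inSafe = [bool](@('Minimal', 'Network') | Where-Object {
        (Test-Path -LiteralPath "$safeBoot\$_\$($d.Name)") -or (Test-Path -LiteralPath "$safeBoot\$_\$($d.Name).sys")
    })
    [pscustomobject]@{
        Name      = $d.Name
        StartMode = $d.StartMode
        State     = $d.State
        Signature = $sig
        SafeBoot  = $inSafe   # registered to load in Safe Mode
        Image     = $image
        Named     = $indicators -contains [System.IO.Path]::GetFileName($image)
    }
}

# Unsigned or missing images and name matches are leads to review, not verdicts.
$report | Where-Object { $_.Named -or $_.Signature -ne 'Valid' } |
    Sort-Object Named -Descending | Format-Table -AutoSize -Wrap
```

Comparing the output before and after a reboot shows whether a deleted file or driver entry has been recreated, which is the behaviour the post describes.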