Ad-a-w-a-r-e/vx2 problem here as well

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BFLeigh, Dec 23, 2004.

  1. BFLeigh

    BFLeigh Corporal

    Same problem for me, just got it yesterday. I too have spent copious amounts of time reading your site's fine tutorials and guides as well as the other threads on here about the vx2 thing, I will attach a HJT log at the bottom. Any other logs you need? Ad-aware's for example?

    Thanks in advance. I realise a few forums like this will be repeating solutions to this for a while, when will Spybot/Ad-aware/etc update with definitions to combat this would you say?

    Thanks in advance. I'll edit this post with certain details once I post the thread.

    EDIT: This was done in normal mode, not safe mode. System Restore's off, I've downloaded the diagnostics offered except for hsremove; when I run ad-aware it can't scrub the vx files, and then weirdly My Documents opens up in Search Mode. I'll stop now unless this information is relevant and you want to hear more. I'll register here and ask these chaps - http://forums.techguy.org/showthread.php?t=310641&page=2&pp=15 - if this really is a cure for it.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.


    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also be sure you're using Ad-Aware SE 1.05

    Ad-Aware SE referencefile SE1R23 16.12.2004

    Ad-Aware VX2 Cleaner 1.03

    To use the VX2 Cleaner simply follow these instructions:

    1) Install the VX2 Cleaner

    2) Start Ad-Aware

    3) Go to “Add-ons”

    4) Select the VX2 Cleaner add-on and click “Run Tool”

    5) If your computer isn’t infected, click “Close”.

    If your computer is infected:

    6) Select “Clean System”

    7) Reboot your computer

    8) Scan your computer with Ad-Aware

    9) Remove any VX2 objects detected

    10) Reboot your computer again

    11) Run a second scan to make sure the files have been removed from your computer


    After you complete the steps in the sticky thread and try this please attach a fresh Hijack this log. Thanks!
     
  4. BFLeigh

    BFLeigh Corporal

    Yes, throughout the day I have followed the sticky thread. From what I can remember of today, here's how I fared:

    Ad-Aware: Check, updated and ran - it finds the vx files, but it can't delete them. Like I said everything but XP shuts down when A-A tells me it can't delete sgthgsgibberish.dll or whatever it's called this time, so it remains. Also, My Documents opens for no reason and the Search Tool is opened in its window.

    VX Plug-in: Worthless. Says my system is clean but it isn't. In the Add-ons section of A-A this has a cross on it, maybe the plug-in itself is corrupted on the site(s) it is downloadable from.

    CCleaner: Apart from removing 139mb of the c word, this didn't seem to do much.

    Spybot: Picked up IGetNet and a 'common hijacker', plus several wwwcoolsearch annoyances, after trying out all the diagnostics you guys listed, one of them seemed to do the trick. But, and this I can't stress enough, once I re-connect to the web all the hard work is undone as the spyware re-downloads itself. I'll reiterate this many times. Now the stuff Spybot found and fixed is back and again giving Spybot a hard task to delete.

    Stinger: Finds nothing.

    CWShredder: Did work at first, now it breaks down when it scans. I've read somewhere today this is due to the vx spyware? Wow. v2.12 I got.

    Kill2Me: Does what A-A does when it fails to remove vx - My Documents/Search Tool is opened.

    AboutBuster: Tells me I'm clean.

    HSRemove: Do I need to use this? Major Attitude's tutorial says I shouldn't use it for something like this.

    ----

    Trend Micro Scan: This has been a good one to me in the past, I used it soon after I discovered this stuff yesterday. It found nothing.

    Symantec: Clean!

    Here's where it gets hard. I cannot connect to the web in "safe mode with networking" maybe I am doing something wrong.

    Now, the alternative online scans...I've had the most trouble with these. Tell me - can this spyware detect you're trying to use these scans and then try and serve up a spyware-infected "Do You Wish To Download and Install Trend Micro/Bitdefender/etc" dialog box? Because I went through the Bitdefender and Ravantivirus scans and now Ad-Aware tells me there's a vx infected ocx file related to Bitdefender in my Downloaded Program Files folder. How on Earth am I supposed to seriously do all these online scans with my dial-up connection (which of course need to update before they start) before the spyware re-boots my PC again/closes down internet explorer?
     
  5. BFLeigh

    BFLeigh Corporal

    Okay, not confident but I will post the log once I have finished the second Trend Micro scan.
     
  6. BFLeigh

    BFLeigh Corporal

    Trend Micro scan has finished and has actually found an infection:

    TROJ AGENT BT - it says it is non cleanable, the infected file is akrules.dll in my windows/system32 folder. I am going to delete it.

    Where to from here?
     
  7. BFLeigh

    BFLeigh Corporal

    SED, I need to know how to get rid of that - it's made itself a start-up program, if msconfig is anything to go by. I think it is what is making ad-w-a-r-e want to connect to the web, and when I do connect, it proceeds to download all the spyware stuff I have or haven't scrubbed yet.

    Because the 5 minute edit limit expired while I was trying to attach my fresh log, and it failed, I can't attach anything else because it's still waiting for the uneditable post to finish uploading its attachment. I'm going to re-boot and try to upload again.
     
  8. BFLeigh

    BFLeigh Corporal

    Fresh Log
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you're running Windows XP make sure you have "System Restore" disabled.

    Run HijackThis again from its current location in C:\Program Files\HijackThis\HijackThis.exe and have it fix these entries. BEFORE fixing anything with HijackThis make sure you exit all windows, including the one you're reading from here.


    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com


    Is this part of your ISP? DO NOT FIX THIS YET!
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9054BA66-392A-4618-95E3-C331E308A156}: NameServer = 203.49.70.92 139.134.2.190



    Ok, now for the entries below you will need LSP-Fix. When you run this tool the file may already be selected, and all you need to do is click Finish. If not, select this file, click "I know what I'm doing", move it to the right side and click Finish. DO NOT delete anything else but this file. If you do, it could cause your internet access to be broken.

    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll


    Other than these entries your log looks ok. Remove these entries, reboot and post new log. Thanks!
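
The Python sketch below is an added illustration, not part of the original thread and not a MajorGeeks or HijackThis tool. It triages the three entry types singled out in post 9 (O1 Hosts redirects, O10 unknown Winsock LSP files, O17 name servers); the function name and result layout are assumptions, and the sample lines are copied from that post plus one constructed loopback entry.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Entries copied from the HijackThis lines quoted in post 9, plus one
# constructed benign loopback entry (localhost) for contrast.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9054BA66-392A-4618-95E3-C331E308A156}: NameServer = 203.49.70.92 139.134.2.190
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s+(.+)$", re.I)
DNS_RE = re.compile(r"^O17 - (.+?):\s+NameServer\s*=\s*(.+)$")


def is_local(ip_text):
    """True only for a well-formed loopback or unspecified address."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: treat as suspicious, not local
    return addr.is_loopback or addr.is_unspecified


def triage(log_text):
    """Group the O1/O10/O17 entries of a HijackThis log for review."""
    hosts_by_ip = defaultdict(set)   # remote IP -> names pinned to it
    lsp_files = Counter()            # LSP file -> number of chain entries
    nameservers = []                 # to be confirmed against the ISP
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            # A Hosts entry pinning a name to a non-local address overrides
            # DNS for that name; several names on one IP is the pattern
            # seen in this thread's search-hijack entries.
            if not is_local(ip):
                hosts_by_ip[ip].add(name.lower())
            continue
        m = LSP_RE.match(line)
        if m:
            # One DLL is usually listed once per protocol it hooks, so
            # count repeats instead of reporting four separate findings.
            lsp_files[m.group(1).strip().lower()] += 1
            continue
        m = DNS_RE.match(line)
        if m:
            nameservers.extend(m.group(2).split())
    return {
        "hosts_redirects": {ip: sorted(n) for ip, n in hosts_by_ip.items()},
        "unknown_lsp": dict(lsp_files),
        "nameservers_to_confirm": nameservers,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, names in report["hosts_redirects"].items():
        print(f"Hosts redirect to {ip}: {', '.join(names)}")
    for path, count in report["unknown_lsp"].items():
        print(f"Unknown LSP ({count} chain entries): {path}")
    print("Name servers to confirm with ISP:",
          ", ".join(report["nameservers_to_confirm"]))
```

The O17 name servers are reported separately rather than flagged, matching the post's instruction to confirm them against the ISP before fixing anything.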
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For the eZula removal, which is the SED.exe in your startup: after you have completed the steps from the Hijack This post we can move on to this removal. Simply boot into "Safe Mode". First try the uninstall of this spyware.

    1) Start --> Settings --> Control Panel

    2) Add/Remove Programs

    3) Find "Ezula" --> Click REMOVE

    4) Reboot!

    5) Boot into "Safe Mode". Open Explorer and browse to your Program Files directory and remove folders with the names (if they exist):
    Program Files\web offer\
    Program Files\weboff~1\
    Program Files\third close jugs\
    Program Files\sed\
    Program Files\my daily horoscope\

    6) Reboot

    7) Boot in normal mode. Before making changes in the registry, always perform a backup. Make sure the startup entries have been removed via the uninstall. If not, navigate to the following keys and remove them.

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ezwo
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sesync


    You may also want to install, update and run SpySweeper. It's a 30-day trial but it's very good at removing these types of spyware. Go here and download SpySweeper
     
  11. BFLeigh

    BFLeigh Corporal

    First of all, thank you for your help.

    Before I start any of these procedures though I need to know some things.

    I've been to Google and looked up this problem, gone to several sites both like this (messageboards) and otherwise and followed guides that haven't worked (the ad-aware add-on for example) or that weren't specifically for me therefore not helpful (the practice of posting HJT logs - I've just learned that this is the done thing).

    I've downloaded a few diagnostic tools and programs and due to the sheer number of them I've lost track of what I need and don't need; and what info from all of them I need to share with people like yourself.

    Can you please PM me if you can't tell me about it here, information on what has actually got on to my computer. In say a week or a month will this be easily curable as one of the new definitions in an Adware/spybot update, or is this thing so nasty that everybody who gets it has to go through the laborious processes such as this?

    Please understand I'm not mocking what you and others on countless tech support sites/forums are doing, I'm just exasperated as you can probably imagine - is this thing whatever it is, whatever kind of 'ware infection you call it, is it that much of a hard nut to crack that all the programs and on-line scans one is told to do to combat it going to do anything about it?

    Every time you re-connect to the web to post a log, the 1% of it that might still remain begins to start the whole process all over again it seems (I have been able to remove pieces of it with spybot/ad-aware but they simply re-install themselves when I connect to check if those programs have updated definitions to take care of vx2coolwwwsearch completely). Since the problem was first reported (late November I think?), how far have the Symantecs etc on the web gotten in making sure this thing is curable? Forgetting them, have any boards like this managed to successfully destroy it 100%?

    I suppose the reason I'm saying all this is that it's going to be tricky for me to synchronise with you in regards to on-line times - I'm not in America so I don't know the general time you'd be on the forums to help me and I'm unable to leave this computer on and unattended waiting for downloads/etc anyway.

    Do you have MSN Messenger so I can use to talk to you in real-time? Due to my location my connection is dial-up and it is not a quick modem by any means, I'd be more comfortable if I was able to have you "holding my hand" through the steps I'm confused about :)

    I know this post is very long but it is not a rant by any means, I know I will be able to scrub this thing off my PC completely I just want to know some things about it and the general procedures first.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Each piece of SpyWare has different removal instructions. Anti SpyWare vendors release updates every now and then for new variants of spyware. We tell users who post what tools they need to remove their specific spyware infection(s).

    The programs we tell you to use will remove the infection you have. We do not tell users who post to use useless tools. If we tell you to use a certain tool then most likely it's needed for diagnosis or removal.

    Each Anti SpyWare program detects and removes different things. Not one anti spyware tool will catch everything on an infected system. That's why we ask you to post such logs and hijack this and run misc. tools to remove as much as possible to get your system clean. Every piece of spyware is curable thru certain steps we can provide.

    If you have any further questions please let me know, Thanks!
     
  13. BFLeigh

    BFLeigh Corporal

    So I assume going out and buying the newest anti-virus program and then downloading updates for it will not be a good alternative.

    I am sure they are quite important but like I said it's a bit daunting with the number of them, when I should use them, whether or not they should be on the desktop, what logs I need to keep, etc etc. I do not know which one, but one of them I can't find the logs to. It doesn't let me choose where to save them.

    That's good news, they can be cured. When did this problem (vx2) start? How long ago? Are there any re-infections?
     
  14. PhilliePhan

    PhilliePhan Guest

    Hi BFLeigh,

    You have one of the new variants of VX2. A removal process has finally been determined for this baddie, though the major anti-spyware companies haven't caught up yet. Here are two threads where you can see the removal process in action:

    Big problems with CoolWWWsearch

    Help with Spyware Pop-ups PLEAZE

    Also, you are far behind on your Windows Updates! You should at least have service pack 1a. You can then upgrade to SP2 AFTER your machine is clean. You do not want to add SP2 with malware on your machine. You need to do this to address some of the security holes in IE.

    If you want to pursue the removal of your VX2 variant, please let one of us know!

    PP :)
     
  15. BFLeigh

    BFLeigh Corporal



    Thank you, PP. I'll read those threads a bit later, I do want to pursue its removal however this is one of the times I am talking about - I am unable to stay on this machine for the required time it will take to eradicate it. My problem is twofold, managing to make sure one of you fine chaps are on-line and making sure I can be on for as long as it will take.

    I'll also need help repairing what this thing has done to my recycle bin.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Download these tools!

    Generic Detection Tool
    http://www.downloads.subratam.org/DllCompare.exe
    http://www.downloads.subratam.org/VX2Finder.exe
    http://www.downloads.subratam.org/KillBox.zip



    Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that to your next post.
    Do not reboot after that because that can cause the files to mutate.
     
  17. BFLeigh

    BFLeigh Corporal

    Okay. I am ready now.

    Chaslang - do I start with your instructions? Or bjgarrick's?

    Are you able to stay on to help me through this?

    I will in my next post attach the log for the GDT.
     
  18. BFLeigh

    BFLeigh Corporal

    Attached findit.bat log:
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well since it is already 2:15 am, I cannot stay on that long but let's try to make a dent in this.

    Run PocketKillbox that I had you download.

    Run Killbox again.
    1) Click "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.

    C:\WINDOWS\SYSTEM32\i6nm0g51e6.dll

    (Make sure you cut & paste in the filenames. If you try typing, you will get an error on the c: )

    2) Click the "Delete File" button which looks like a stop sign.
    3) Click "Yes" at the Replace on Reboot prompt.
    4) Click "No" at the Pending Operations prompt.
    5) Repeat steps 1-4 above for these files:

    C:\WINDOWS\SYSTEM32\g2jo0c13ef.dll
    C:\WINDOWS\SYSTEM32\k0lqla351d.dll
    C:\WINDOWS\SYSTEM32\oxbcjt32.dll
    C:\WINDOWS\SYSTEM32\wnsdmod.dll
    C:\WINDOWS\SYSTEM32\dusetup.dll
    C:\WINDOWS\SYSTEM32\swi.dll
    C:\WINDOWS\SYSTEM32\lvn8095ue.dll
    C:\WINDOWS\SYSTEM32\empsrv.dll
    C:\WINDOWS\SYSTEM32\sirio800.dll
    C:\WINDOWS\SYSTEM32\utrdpa.dll
    C:\WINDOWS\SYSTEM32\iDssvcs.dll

    Still in Killbox
    Using "Standard File Kill", paste the below file into the top "Full Path of File to Delete" box: C:\WINDOWS\System32\Guard.tmp

    Click the "Delete File" button which looks like a stop sign.
    Click "Yes" at the Pending Operations prompt to restart your computer.

    After your PC reboots run find.bat again and post the new output.txt (you will have to rename it to output2.txt to upload it).

    Also post me a current HJT log attachment.
     
    Last edited: Dec 27, 2004
  20. BFLeigh

    BFLeigh Corporal

    Can't delete guard.tmp

    EDIT: Steps 4-8 I interpreted as steps 1-5.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using PocketKillbox to delete it?
    Did the others all delete?

    Post the new find.bat output and a new HJT log either way!

    Yes! I messed up the step numbers! (I fixed it so no one else gets confused.)
     
  22. BFLeigh

    BFLeigh Corporal

    Did you read my edit of that post? I presume the others did get deleted, I repeated steps 1 - 4 with all the dll files you specified. I will search for them. I will also attach the logs in my next post.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I read it.

    But were you using PocketKillbox to delete the guard.tmp file? Don't forget these will not delete until reboot.
     
  24. BFLeigh

    BFLeigh Corporal

    New logs!
     

    Attached Files:

  25. BFLeigh

    BFLeigh Corporal

    Aye.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have some more files to delete. But do the below while I work up a procedure.

    If you had not downloaded LSP-fix as BJ requested, download LSP-Fix from here: http://www.majorgeeks.com/download4180.html
    Unzip it and run it. Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.
    Then, Select the >> button to move aklsp.dll into the Remove section.
    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Post a new HJT log.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Killbox again.
    1) Click "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.

    C:\WINDOWS\SYSTEM32\empsrv.dll

    (Make sure you cut & paste in the filenames. If you try typing, you will get an error on the c:)

    2) Click the "Delete File" button which looks like a stop sign.
    3) Click "Yes" at the Replace on Reboot prompt.
    4) Click "No" at the Pending Operations prompt.
    5) Repeat steps 1-4 above for these files:

    C:\WINDOWS\SYSTEM32\sirio800.dll
    C:\WINDOWS\SYSTEM32\utrdpa.dll

    Again try to delete guard.tmp using Killbox

    Using "Standard File Kill", paste the below file into the top "Full Path of File to Delete" box: C:\WINDOWS\System32\Guard.tmp

    Click the "Delete File" button which looks like a stop sign.
    Click "Yes" at the Pending Operations prompt to restart your computer.

    After your PC reboots run find.bat again and post the new output.txt (you will have to rename it to output3.txt to upload it).

    Also after your machine reboots, run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
     
  28. BFLeigh

    BFLeigh Corporal

    Ok. I will then follow your next post's instructions.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I beat ya! See below!

    You should not have MS Word running during this. I see the below in your log.
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
     
  30. BFLeigh

    BFLeigh Corporal

    Still can't delete it.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you getting an error message using Pocket KillBox? Or are you just looking for the file after reboot and it is still there?
     
  32. BFLeigh

    BFLeigh Corporal

    LOL at all this leapfrogging we are doing to each other.

    But seriously - I don't have MS Word open!

    EDIT: Yes Killbox is the one telling me that it cannot delete the file.

    WINWORD.exe is indeed showing up in the Processes tab in Task Manager. What the hell?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What does Killbox say and when does it say it?

    Kill that Winword process using TaskManager. See if it stays killed.
     
  34. BFLeigh

    BFLeigh Corporal

    I paste the guard.tmp's location/name into Killbox, leave it on Standard, I then click the Delete File button. A box comes up titled Confirm Delete - it says 'Backup & Delete C:\Windows\System32\Guard.tmp' - I then click yes. Two seconds later, a box called File Access comes up saying The File could not be Deleted.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you go to C:\Windows\System32 is the Guard.tmp file actually there?
     
  36. BFLeigh

    BFLeigh Corporal

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay do it this way:

    Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue underneath the filename box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After reboot tell me if it is still there!
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also after your PC reboots run find.bat again and post the new output.txt (you will have to rename it to output3.txt to upload it).

    Also after your machine reboots, run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
     
  39. BFLeigh

    BFLeigh Corporal

    Re-booting now.
     
  40. BFLeigh

    BFLeigh Corporal

    Guard.tmp is gone from system32 folder, it seems.

    Here are the two logs:
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And so are the bad ass files!

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:
    Open VX2Finder and use the UserAgent$ Button to remove the UserAgent from the registry.

    Then, Click the Restore Policy Button. Your machine should want to reboot – Let it do so.

    NEXT:
    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    RightClick on the above registry key (the RunOnceEx one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

    Now, attach a fresh Findit.bat Log and a fresh HijackThis Log and we'll clean up the remnants!
     
  42. BFLeigh

    BFLeigh Corporal

    Desktop.ini is deleted.

    Rebooting now.
     
  43. BFLeigh

    BFLeigh Corporal

    That RunOnceEx folder doesn't exist in the Notify folder. I will in my next post attach the two logs you asked for.
     
  44. BFLeigh

    BFLeigh Corporal

    Findit and HJT logs:
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It mutated!


    Using START > RUN > regedit, please open the registry editor and navigate to the following:


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    RightClick on the above registry key (the policies one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

    One more time give me a findit.bat log.
     
  46. BFLeigh

    BFLeigh Corporal

    Here you are.

    When we are done can you please tell me any and all things I can do to check if the stuff is gone - I will run some programs but which should I do first off?
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    After clicking FIX, run a new scan with HJT and just double check that those O1 items are still gone. Just tell me whether they are or not. I don't need a new log unless they are still there.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK (it may take a few minutes for cleanmgr to do some calculations). Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Reset Web Settings
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The stuff we are doing is the only way to check for this particular form of VX2 right now, and it is the only way to fix it too.


    What you should do is look at my recommendations HERE: How to protect yourself from malware!
     
  49. BFLeigh

    BFLeigh Corporal

    I will close down IE and run HJT. Back soon.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hurry! NEEEEED SLEEEEEP! ;)
     
