Ad-a-w-a-r-e/vx2 problem here as well

Discussion in 'Malware Help (A Specialist Will Reply)' started by BFLeigh, Dec 23, 2004.

  1. BFLeigh

    BFLeigh Corporal

    THEY ARE GONE!

    Am I 100% clean now? If so, thank you very much chaslang!

    I'll go do that now.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes you are clean! See my post in message #48. I have to get some sleep now.

    Come back tomorrow and let me know if you are still running okay or not.
    And look into doing the stuff I recommend. You must get your OS updated ASAP.
     
  3. BFLeigh

    BFLeigh Corporal

    Good night. Thanks again.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good night! Surf Safely!
     
  5. BFLeigh

    BFLeigh Corporal

    Now chaslang's having his snooze, I'd be grateful to you bjgarrick if you'd be able to show me where I'm vulnerable as apparently my logs show some weak points in my systems.
     
  6. BFLeigh

    BFLeigh Corporal

    Hmmm, running kill2me seems to still bring up My Documents with the search tool open in it.

    Should I be worried?
     
  7. BFLeigh

    BFLeigh Corporal

    Also, after what things should I turn System Restore back on? It's been off since I first found the malware.
     
  8. BFLeigh

    BFLeigh Corporal

    And another thing: Trend Micro's scan discovered an akrules.dll TROJ AGENT.BT virus in the C:\Documents & Settings\Computer\Local Settings\Temp folder. It's uncleanable. Deleting it will take care of it, right?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your biggest problem is not having your OS updated. You will continue to have problems until you get your updates. And you need to do the stuff I gave you in: How to protect yourself from malware!

    It would be a good idea for you to start using Firefox instead of IE now. Especially since you are so out of date.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your system is now clean, you can turn it back on. But you seem to be indicating you are having problems again.
     
  11. BFLeigh

    BFLeigh Corporal

    Well.........

    The Bin works.

    My home page hasn't been altered.

    No a-d-w-a-r-e site pop-ups when I'm using IE.

    The biggest sign was when I was off-line, Network Connections was constantly telling me that the spyware (the above site) wanted to connect to the web. I couldn't play Age of Mythology because it kept reverting back to the desktop with this bloody connection request.

    This is all after I've had a good night's sleep. Might I be clean? In that case, I'll go about proofing my PC.

    I will later on do another Trend Micro scan for good measure, but like I said I want to know what the My Documents thingo is.
     
  12. BFLeigh

    BFLeigh Corporal

    And another thing - Task Manager reports WINWORD.EXE is again in use in the Processes tab even though I haven't used it in weeks.
     
  13. BFLeigh

    BFLeigh Corporal

    My Documents still pops up with the search tool ready as well after I run kill2me for some reason.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's normal for kill2me to open My Documents after being run.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are on a dial-up connection, Windows XP Service Pack 2 will take a while to download, so if you would like you can go to this website and register to get a free CD from Microsoft with Service Pack 2 on it. It will be sent to you within a week or so. Just go here to register!

    All Windows XP users should have this critical update installed.
     
  16. BFLeigh

    BFLeigh Corporal

    I don't want to get SP2 until I know I'm clean, I'm told I must wait.

    Here is a TDS log:

    Scan Control Dumped @ 14:52:57 28-12-04
    Positive identification (DLL): Adware.Look2Me.u (dll)
    File: c:\!submit\guard.tmp

    Positive identification (DLL): Adware.MPGcom.a (dll)
    File: c:\windows\iempg2.dll

    Positive identification: TrojanDropper.Win32.SurfSide.a
    File: c:\windows\ssk_b5.exe

    Positive identification (DLL): Adware.Coreak (dll)
    File: c:\windows\system32\akcore.dll

    Positive identification (DLL): Adware.VirtuMonde (dll)
    File: c:\windows\system32\aklsp.dll

    Positive identification (DLL): TrojanDownloader.Win32.Agent.br1 (dll)
    File: c:\windows\system32\akupd.dll

    Positive identification (DLL): Adware.Look2Me.u (dll)
    File: c:\windows\system32\aometer.dll

    Positive identification (DLL): Adware.Look2Me.u (dll)
    File: c:\windows\system32\oifox32.dll

    Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.aw (dll)
    File: c:\windows\system32\preload2.ocx

    I had no idea all those were on my PC. They are deleted now.

    Can you tell me if from that log you are able to work out if this spyware is still on my PC?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's why I always tell people to delete files after making fixes. You should have been told back in message # 9 to delete c:\windows\system32\aklsp.dll after doing fixes.

    Delete all the above files after booting in safe mode.
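
The TDS log in the post above has a regular shape (a "Positive identification" line followed by a "File:" line), and the advice is to delete every listed file from Safe Mode, where fewer third-party processes start and so fewer of those DLLs are loaded and locked. The following is an added example, not part of the original thread and not a MajorGeeks tool: it parses a TDS log of that shape, groups the hits by directory, reports which of the files are still on disk (the filesystem check is an injected callback so it runs offline), and emits a reviewable cmd.exe batch script that clears attributes and deletes each file. The sample log is the one posted in this thread, embedded as a fixed string; the batch script is an assumption about how a practitioner would script the deletion, not something the thread provides.

```python
import re
from collections import defaultdict

# Log text copied from the TDS scan posted in this thread (a fixed sample,
# not a live scan); the parser below works on any TDS output of this shape.
SAMPLE_TDS_LOG = r"""Scan Control Dumped @ 14:52:57 28-12-04
Positive identification (DLL): Adware.Look2Me.u (dll)
File: c:\!submit\guard.tmp

Positive identification (DLL): Adware.MPGcom.a (dll)
File: c:\windows\iempg2.dll

Positive identification: TrojanDropper.Win32.SurfSide.a
File: c:\windows\ssk_b5.exe

Positive identification (DLL): Adware.Coreak (dll)
File: c:\windows\system32\akcore.dll

Positive identification (DLL): Adware.VirtuMonde (dll)
File: c:\windows\system32\aklsp.dll

Positive identification (DLL): TrojanDownloader.Win32.Agent.br1 (dll)
File: c:\windows\system32\akupd.dll

Positive identification (DLL): Adware.Look2Me.u (dll)
File: c:\windows\system32\aometer.dll

Positive identification (DLL): Adware.Look2Me.u (dll)
File: c:\windows\system32\oifox32.dll

Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.aw (dll)
File: c:\windows\system32\preload2.ocx
"""

# "Positive identification (DLL): name" or "Positive identification: name"
ENTRY_RE = re.compile(r"^Positive identification(?: \((?P<kind>[^)]+)\))?: (?P<name>.+?)\s*$")
FILE_RE = re.compile(r"^File: (?P<path>.+?)\s*$")


def parse_tds_log(text):
    """Return detections as dicts {kind, name, path} in log order.

    A detection line is only recorded once its following File: line is seen;
    a detection with no File: line is dropped rather than guessed at."""
    detections = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            pending = {"kind": m.group("kind") or "", "name": m.group("name")}
            continue
        m = FILE_RE.match(line)
        if m and pending is not None:
            pending["path"] = m.group("path").lower()  # NTFS paths are case-insensitive
            detections.append(pending)
            pending = None
    return detections


def by_directory(detections):
    """Group file names by their parent directory, for a quick eyeball check."""
    groups = defaultdict(list)
    for d in detections:
        directory, _, filename = d["path"].rpartition("\\")
        groups[directory].append(filename)
    return dict(groups)


def still_present(detections, exists):
    """Paths from the log that `exists` reports as still on disk.

    `exists` is injected (use os.path.exists on the scanned machine) so the
    check can be exercised against a fake filesystem offline."""
    return [d["path"] for d in detections if exists(d["path"])]


def safe_mode_delete_script(detections):
    """Build a cmd.exe batch script (Windows XP era) that strips the
    read-only/hidden/system attributes and force-deletes each listed file.
    Review it before running it from Safe Mode; nothing here executes it."""
    lines = ["@echo off"]
    for d in detections:
        lines.append('attrib -r -h -s "%s"' % d["path"])
        lines.append('del /f /q "%s"' % d["path"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import os
    hits = parse_tds_log(SAMPLE_TDS_LOG)
    for directory, names in sorted(by_directory(hits).items()):
        print(directory, "->", ", ".join(names))
    print("still on this machine:", still_present(hits, os.path.exists))
    print(safe_mode_delete_script(hits))
```

The deletion script is deliberately generated rather than run: the practitioner reads it, boots to Safe Mode, and runs it there, then re-runs the presence check after a normal reboot to confirm nothing was re-dropped.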
     
  18. BFLeigh

    BFLeigh Corporal

    I can't connect to the web in safe mode so I will then have to re-boot after this.

    Anything else I need to know because of this?

    When you post I'll then go to safe mode.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's better not to be connected to the web anyway (unless we ask you to).

    No! Goto safe mode and delete the files.

    Have you done the stuff here yet: How to protect yourself from malware!
    The longer you keep putting this off, the greater the likelihood of having more problems.
     
  20. BFLeigh

    BFLeigh Corporal

    They were all gone. TDS got them all it seems. I don't know if they mutated, or if it missed one, which made them all mutate.

    I will do the malware protection process tonight when I can stay on-line for a while. I read on this forum I think it's risky to download such things as Windows Update SP2 while you still may have spyware on your PC. I also need to know when I should turn System Restore back on.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  22. BFLeigh

    BFLeigh Corporal

    You are a legend. Thankyou so much!
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
  24. Shabbadoo

    Shabbadoo Private E-2

    Seriously,

    You are awesome. I'm an IT guy by trade, but spyware isn't exactly my field of expertise. Thank you so much. I rarely need to go through this much trouble to fix a problem, and this VX2/Cool WWW "whatever" it was, was the biggest pain in the #*$& I've had to deal with. You are truly appreciated.
    I didn't have to ask questions, I just followed this thread and used the tools provided. Very nice.

    Are there any articles on the nature of these "replicating" spyware programs? I could understand how they worked when they were dealing with the registry and hidden files, etc., but when they start registering hidden .DLLs and whatnot it's beyond what I know. Has anyone on this forum written anything about it?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are too busy helping people fix problems to do any formal writeups. While I could probably write a very large book on this, I don't have the time. So other than procedures we have here (like in the stickies) and the tens of thousands of posts we have made to help fix problems, that is it from us.

    Most of what this malware does is take advantage of built-in features of Windows, and also of the security holes.
     
  26. BFLeigh

    BFLeigh Corporal

    Google has made itself my home page again. I don't know how or why.

    AboutBuster, when run, also opens up the My Docs folder.

    I'll wait until I get a post before I post any logs.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Running about:Buster changes your home page to google because it cannot guess at what you want it to be.

    Why are you running it? I thought you were clean!
     
  28. BFLeigh

    BFLeigh Corporal

    I believe I am, I was just doing all the programs I got for this (cwshredder/stinger.exe/kill2me/aboutbuster/vx2finder.exe) just for the sake of it to see if they were picking anything up.

    Thanks for that info though - what are the vx2/look2me/coolwwwsearch finder programs that I don't need anymore and how do I get rid of them?
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you're clean you don't need any of these tools. Just delete them; the only one that creates a program file directory is the older version of CWShredder, the new version does not. (It would be named "Intermute" if it existed.) This will remove these files. You can always download these tools again if needed.

    Please see this thread to prevent re-infections.

    How to Protect yourself from malware!

    Browse Safely!
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually, the "older version" by Merijn does not have an install. It was the first couple of new versions by Intermute that went through an install and added some other items too. And yes, you're right, they are in the Intermute folder. But it would be better to look for an uninstall in Add/Remove Programs first to make sure.

    Personally I would not remove any of the items. They take up very little space and may come in handy if you run into problems again. Sometimes malware can make it difficult or impossible to connect to the internet which means you would not be able to download anything. If you have all these tools available (even if the versions become outdated), they may get you up and running.
     
