
Heavily infected machine - Please help

Discussion in 'Virus & Other Malware Removal' started by larsson, Dec 12, 2004.

Thread Status:
Not open for further replies.
  1. larsson

    larsson Thread Starter

    Joined:
    Dec 12, 2004
    Messages:
    3
    Heavily infected machine - Please help

    OS: Win 2K Pro
    Type of user account: Administrator

    Problem:

    1. Multiple pop up ads

    2. Spyware that I have previously deleted with multiple spyware detection tools (see Solutions Tried / Results below) trying to reinstall itself after a reboot and after putting the machine back online

    3. Various viruses trying to invade my machine when the computer is online. I am using Antivir (free-av.com); I delete these.

    4. Virtual Bouncer and Ad Destroyer tried to install themselves after I put the machine back online and had removed them using various spyware detection and removal tools as listed under Solutions Tried / Results below. This relates to item 2, but I felt that I would list it, as it is a specific example. I killed the installs using Task Manager.

    5. I have installed and updated IE SpyAD, SpywareBlaster 3.2 (enabled all protection), and Spyware Guard 2.2 (all protection enabled). My homepage on a reboot and sometimes during operation is continually trying to change my start page from msn.com to about:blank. I have set the homepage in SpywareBlaster 3.2 to msn.com in both places that it should be changed, but it keeps reverting back in this program to about:blank under the setting as well. Spyware Guard 2.2 catches the attempted start page hijack and I am able to revert it.

    Solutions Tried / Results:

    1. Adaware SE w/ updated definitions - Ran and deleted items - Rebooted and ran again, no items detected - Put machine online and ran, multiple items detected, including 3 Modules identified, removed items - Ran again and it is detecting another Module identified on the first few seconds of scanning

    I am set to scan in archives, using Custom scanning options.

    2. Adaware SE w/ VX2 Detection Addon - Ran and detected nothing

    3. Spybot Search and Destroy w/ updated definitions and DSO fix - Ran and deleted items

    4. Spyware Doctor - Ran and deleted item - It is set to scan at startup and after putting the machine online and rebooting, it detected the same spyware that I have previously deleted

    5. Spy Sweeper - Ran and deleted items, 4 instances of Websearch could not be deleted - Scanned in Safe Mode, deleted items, except the same problem occurred when I tried to delete the Websearch items - Tried in both Safe Mode and normal mode to delete the associated registry entries and was not allowed to delete the files

    6. CWShredder Version 2.1 - Ran and found nothing

    7. Kill2Me - Ran and found nothing

    8. McAfee AVERT Stinger - Ran and found nothing

    9. PepiMK's CoolWWWSearch.SmartKiller - Ran prior to CWShredder and found nothing

    10. Hijackthis 1.98.2 - Ran and deleted suspicious items - Rebooted and ran again, everything looked normal - Put machine online and received suspicious items and deleted. Please see my current Hijackthis log at the bottom of this message.

    11. Antivir (free-av.com) - Ran and deleted multiple viruses - It catches viruses that are trying to invade my machine when the computer is online, but I delete them.

    12. I have installed and updated IE SpyAD, SpywareBlaster 3.2 (enabled all protection), and Spyware Guard 2.2 (all protection enabled). Please see item 5 under Problems: at the top of this message for some things this software has blocked.

    I work on fixing spyware and virus infested machines pretty much on a daily basis, but I have never come across a machine like this. It is absolutely the worst computer that I have ever worked on.

    I have come to a standstill in what to do next, as I am not allowed to delete infected reg entries (see the Websearch problem under Spy Sweeper). Please see my current Hijackthis log below. I am aware that I need to delete the entries from the log posted below (which I have previously deleted, but they return):

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"


    Hijackthis Log:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:01:54 PM, on 12/12/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
    C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
    C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
    C:\WINNT\system32\Promon.exe
    C:\WINNT\system32\Smtray.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\SED\SED.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\notepad.exe
    C:\Hijackthis 1.98.2\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [Smapp] Smtray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_t3/imloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8B6A8CCA-DE3C-4EE1-893E-2D7421B719C9}: NameServer = 166.102.165.11,166.102.165.13
     
  2. tj416

    tj416

    Joined:
    Nov 18, 2004
    Messages:
    747
    Go to Add/Remove Programs and remove (if there):
    Virtual Bouncer

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"


    Then, restart in Safe Mode and delete these folders:
    VBOUNCER (located in C:\PROGRA~1\VBOUNCER)
    SED (located in C:\Program Files)

    Then, reboot (in normal mode) and post another log.
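Both the entries larsson lists as coming back and tj416's removal steps turn on the same two HijackThis sections, O1 (hosts-file mappings) and O4 (Run keys). The Python below is an added example, not code from either poster or from HijackThis: it parses lines in that format and flags the two patterns called out in this thread, hosts entries that point a name at a remote address instead of loopback, and Run entries whose executable is on a watchlist; the sample log and the watchlist are constructed from the entries quoted above.

```python
import ipaddress
import re

# Constructed sample in the HijackThis line format used in this thread (hijacked O1/O4 entries plus benign ones).
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ads.example.test
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

def _exe_path(cmdline):
    """Reduce a quoted or unquoted Run value (possibly with arguments) to the executable path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmdline, re.IGNORECASE)  # unquoted paths may contain spaces
    return m.group(1) if m else cmdline.split(" ", 1)[0]

def parse_hijackthis(text):
    """Return the O1 hosts entries and O4 Run entries as (section, fields) tuples."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := O1_RE.match(line):
            entries.append(("O1", {"ip": m.group(1), "host": m.group(2)}))
        elif m := O4_RE.match(line):
            entries.append(("O4", {"hive": m.group(1), "name": m.group(2), "path": _exe_path(m.group(3))}))
    return entries

def _is_block(ip):
    """Hosts entries pointing at loopback or 0.0.0.0 are blocks (what IE-SpyAD-style tools install)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def find_hosts_redirects(entries):
    """O1 entries that send a name to a real remote address: the hijack seen in this thread."""
    return [(f["host"], f["ip"]) for section, f in entries if section == "O1" and not _is_block(f["ip"])]

WATCHLIST = {"virtualbouncer.exe", "sed.exe"}  # the two Run executables tj416 points out (constructed list)

def find_autorun_matches(entries, watchlist=WATCHLIST):
    """O4 Run entries whose executable file name is on the watchlist (case-insensitive)."""
    return [(f["hive"], f["name"], f["path"]) for section, f in entries
            if section == "O4" and f["path"].rsplit("\\", 1)[-1].lower() in watchlist]
```

Run it over a pasted log and the two lists are exactly the lines a helper would ask to have fixed; the loopback entry and the antivirus Run key are left alone.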
     
  3. tj416

    tj416

    Joined:
    Nov 18, 2004
    Messages:
    747
    Welcome to the TSG!! :)
     

Short URL to this thread: https://techguy.org/307144