Question

Sticky Spyware

By Ironspider ·
Does anyone have a suggestion for removing some spyware/adware from one's computer? I've tried the following programs/sites: adaware, windows defender, norton, stinger, spybot and scanning at www.pctools.com. Nothing has worked.

W2K, all current patches.

All Answers

My humblest question for the Great Guru

by Ironspider In reply to Whisper, whisper: . . .

Oh Great IT GURU,

Please tell me what sys op requires the programs M9jEWBvc0.exe, K78GHN7u.exe, and/or cgVGW1Ew.exe (the latest 3 incarnations of said program after deletion.)

Whoa!

by CaptBilly1Eye In reply to My humblest question for ...

Relax... don't take all subjective comments personally.

Back to the issue...
If those executables are still being created after running all the recommended scanners and removers, I am inclined to believe that this is a viral infection that would best be handled in one of two ways.

1. Download a copy of HiJackThis (http://tinyurl.com/b9h3s), run it and then post the resulting log into one of the many HiJackThis Log Forums (here's one I've used several times: http://tinyurl.com/2nxzqt).
There someone will work with you to clean it out. I strongly recommend that the log is posted before any changes are made. That way they will get the best picture.
This takes a lot less time than you might think and I have experienced success every time I had a similar situation.

Option 2. Reformat and reinstall.


Your situation is most likely related to a virus that has set up a Service that is re-installing randomly named executables at each boot. It's a headache that is very difficult to pinpoint and clean out properly without running many tests and trying many tiring options. That is why I recommend posting a HiJackThis log where there are people who specialize in interpreting them.
On average, when I ran into similar situations, it took less than two business days to resolve it once my log was posted.
Alternately, you could teach yourself how to interpret them (http://tinyurl.com/95mcy) but if you're like me, I think you'll find that option too tedious when others can do it for you so quickly. ...kinda the same reason you came here in the first place. Fast & Free.

Good Luck.
Please let me know the result.

Apology

by Ironspider In reply to Whoa!

Sorry, but I've met too many IT people that think they can walk on water right before they drown. Earlier in my career I've stuck my neck out for a few that could talk the talk, but not walk the walk and I ended up looking like a retarded monkey-humper. Since I've left IT recruiting, moved through Engineers, Food/Beverage, and sales, I've found very few that were as bad as a pompous programmer.

Before I get tarred and feathered, I have met a number of people on this site that have redeemed my thought pattern. There are some truly excellent individuals here. But yes, I'm probably a bit sensitive to the ones that tell me I don't know the difference between system ops and crap.

1. You can check my new posted log.
2. I've thought about this several times, but need to locate another copy of W2K first.

No Problemo

by CaptBilly1Eye In reply to Apology

yea... I picked some of dat up when I read your Bio. ;-)
'Walk on water'? Naw... we just tread water very well. I like swimmin' the channels laid by those before me.

anyway... I'll recommend that you post your HiJackThis log where there are people who specialize in working with them. Try here: http://tinyurl.com/2nxzqt

You'll have to create a login but I think you'll find it to be the easiest and best way to resolve your issue.

bleeping computer

by Ironspider In reply to No Problemo

Ok, I'm there, let's see what they say.

HiJack This Log

by Ironspider In reply to Sticky Spyware

Ok, here's my current hijack log after I went through looking everything up to see if it was bunk or not:


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\runservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

O4 - HKLM\..\Run: [cgVGW1Ew] C:\PROGRA~1\vuuwowvv\a0hCCgBN.exe

The last item is the only one I can't get to stop respawning. Upon searching the registry for "vuuwowvv" I found another appearance, but cannot delete it.

[Screenshot: http://usera.imagecave.com/gornac/tomatocow/winik.jpg]
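The log above shows the pattern the thread is chasing: an O4 Run entry whose key name, executable and parent folder are all machine-generated strings (cgVGW1Ew, a0hCCgBN, vuuwowvv). The script below is an added example, not part of the thread and not a HijackThis feature: it parses O4 lines from a constructed log (the entry quoted above plus two ordinary-looking entries assembled from the process list) and flags names that carry the tell-tale signs of random generation, a digit wedged between letters or erratic capitalisation. The thresholds are assumptions tuned to this thread's sample; the output is a list of entries to review by hand, never a verdict.

```python
"""Triage HijackThis O4 (autorun) lines for randomly named executables.

Added example for this thread, not HijackThis code. The rules are
heuristics tuned to the names seen above (cgVGW1Ew, a0hCCgBN): they
produce leads for a human to check against Autoruns, vendor names and
file signatures, not verdicts.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample log: the O4 line quoted in the thread plus two
# ordinary-looking entries built from the running-process list above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [cgVGW1Ew] C:\\PROGRA~1\\vuuwowvv\\a0hCCgBN.exe
O4 - HKLM\\..\\Run: [LVCOMS] C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE
O4 - HKCU\\..\\Run: [PopUpStopperFreeEdition] C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFREE.EXE
"""

# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First executable-looking token of the command, quoted or not
# (simplification: HijackThis prints unquoted paths containing spaces as-is).
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com))', re.IGNORECASE)
EMBEDDED_DIGIT_RE = re.compile(r"[A-Za-z]\d+[A-Za-z]")   # e.g. W1E in cgVGW1Ew
CAPS_RUN_THEN_LOWER_RE = re.compile(r"[A-Z]{2,}[a-z]")   # e.g. CCg in a0hCCgBN


def case_changes(token: str) -> int:
    """Count upper<->lower transitions across the letters of token."""
    letters = [c for c in token if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def random_name_reasons(token: str) -> list[str]:
    """Return the heuristic signals that make token look machine-generated.

    CamelCase product names (PopUpStopperFreeEdition) pass because they have
    no digit between letters and no run of capitals followed by a lowercase.
    """
    reasons = []
    if EMBEDDED_DIGIT_RE.search(token):
        reasons.append("digit embedded between letters")
    if case_changes(token) >= 3 and CAPS_RUN_THEN_LOWER_RE.search(token):
        reasons.append("erratic capitalisation")
    return reasons


def parse_o4(line: str) -> dict | None:
    """Split one O4 line into hive, key, value name, command, exe stem, folder."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    exe = EXE_RE.match(entry["cmd"])
    path = PureWindowsPath(exe.group("path")) if exe else PureWindowsPath(entry["cmd"])
    entry["exe_stem"] = path.stem
    entry["folder"] = path.parent.name
    return entry


def triage_log(text: str) -> list[dict]:
    """Parse every O4 line and attach the reasons (if any) it deserves review."""
    results = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = {}
        for field in ("name", "exe_stem", "folder"):
            hits = random_name_reasons(entry[field])
            if hits:
                reasons[entry[field]] = hits
        entry["reasons"] = reasons
        entry["suspicious"] = bool(reasons)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        tag = "REVIEW" if e["suspicious"] else "ok    "
        print(f"{tag} [{e['name']}] {e['cmd']}  {e['reasons']}")
```

Run it against a real log by reading the file into triage_log(). Note that the folder name vuuwowvv is not caught by either rule (it is all lowercase with no digits), which is why the script scores the key name, the executable stem and the folder separately: one hit on any of the three is enough to put the entry on the review list, and the other two names then corroborate it by eye.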

repost

by Ironspider In reply to HiJack This Log

O4 - HKLM\..\Run: [cgVGW1Ew] C:\PROGRA~1\vuuwowvv\a0hCCgBN.exe

(reposted line that can't be deleted)

Some thoughts about whats happening and what to do

by lutz2 In reply to repost

You are successfully removing malware, and then the malware reinstalls itself all over the place - Something is getting run that performs this reinstall. That something is evading detection; perhaps it is disguised as legit software.
Otherwise, it's launching in an unconventional way: BHOs, browser helper objects, can launch from WINDOWS explorer, so the first time you fire up a window to do anything in the file system (Open "My Computer") a program launches itself. BHOs can be disabled using the advanced tools in spybot.

I like the sysinternals tools for manually finding and removing startup items. http://www.microsoft.com/technet/sysinternals/securityutilities.mspx
In particular, the Autoruns tool shows you everywhere that stuff can be started up (not just the ..\Run registry keys!)

Most insidious, bad winsock LSPs (layered service providers) become part of your network stack and do stuff whenever your computer communicates.

sysinternals Process Explorer is a good tool to help you see in detail the running programs etc. One idea here is to shut down any running program/service/driver that won't be needed while you troubleshoot the problem.

I also like "What's Running?", at http://www.whatsrunning.net

But back to a more basic thing - boot your machine with another OS, and run a scan from that OS. Boot CDs like "The Ultimate Boot CD" and "Trinity Rescue Kit" (search for those in google) can boot your machine from a CD and allow you to do things like virus/malware scanning. No launching of your infected OS is the objective.

Recently, I made a bootable windows PE USB memory stick - Windows PE can run regedit, which can be used to edit the registry stored on the hard drive of your infected OS. However, building a windows PE is a pretty long process when you factor in all the downloading of (Microsoft) BDD 2007 and Microsoft Windows AIK.

Taking your hard drive out and attaching it to a trusted system as a secondary non-bootable drive will allow you to use the trusted system to do the cleanup.

In hindsight

by CaptBilly1Eye In reply to Some thoughts about whats ...

Hey lutz2,
While reviewing this issue, I re-read your post and see now that you were more on the money than I originally thought.
Your recommendation (if it had been followed) for the SysInternals Utilities (http://tinyurl.com/y2na3h) included RootKitRevealer which, if used, would have probably led right to the 'root' of the problem.

Oh to ye that are not heard until the hour has passed... ;-)
Well... I appreciate your insight!

I'd give ya a Thumbs Up if it were my post.