Spyware/Adware Help needed

Discussion in 'Malware Help (A Specialist Will Reply)' started by reneevanv, Dec 31, 2005.

  1. reneevanv

    reneevanv Private E-2

    I am trying to fix my mom's pc (I am posting this thread from my PC). She has a VCClient error popup and IE ad windows opening which effectively stop her being able to do anything. I have gone through the processes listed in the "READ & RUN ME FIRST..." thread. The only Antivirus software loaded is Norton. I ran all of the programs listed in step 5 and a bunch of things were cleaned up (cookies, adware, etc.). I ran the Kill2Me program, but it said there was nothing found. When I rebooted back in normal mode (in order to go online and run the online scanning programs in step 6), a bunch of Microsoft Antispyware windows popped up saying things were trying to be changed and asking if I wanted to allow or block them. I answered as best I could. Then once I was online the system basically was frozen up with the IE ad windows popping up, so I was unable to run the online programs. After unplugging the modem (dial-up) again and rebooting, I ran the HijackThis program. I will attach the log file.
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Did anyone install the VCClient software?

    Please see the below thread on how to install and run Ewido Security Suite. After you run the Ewido scan, try to again run the online scans listed in the READ ME and attach the logs.

    Running Ewido Security Suite ...
     
  3. reneevanv

    reneevanv Private E-2

    No, no one installed VCClient. I don't even know what it is. What is it?

    I ran CCleaner again and then the Ewido scan, as per instructions, and will attach that log file. When I rebooted back in normal mode, I still got the VCmain and VCClient error messages. I went back online and tried running Bitdefender. I found a couple of things, but they were only already Norton quarantined items, two of which Bitdefender claims to have deleted. Unfortunately, Norton popped up and said a threat was encountered which it deleted (Adware.Adshooter), then the IE window running Bitdefender spontaneously closed. I have, once again, started Bitdefender, but if it bombs again, I don't know what to do.

    Okay, I'm having trouble getting into the "Manage Attachments" section for some reason in order to attach the Ewido scan text log, so, I'm going to do a no-no and paste the contents here since it isn't too long.

    Inline log attached!
     


    Last edited by a moderator: Jan 3, 2006
  4. reneevanv

    reneevanv Private E-2

    Okay, I was able to successfully run Bitdefender. It said the computer is still infected. I will attach the log file. I am in the process of running Panda ActiveScan.
     


  5. reneevanv

    reneevanv Private E-2

    I have finished running Panda Active Scan. The log file is attached.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now please attach a fresh HJT log from normal mode.
     
  7. reneevanv

    reneevanv Private E-2

    Here is the HJT log.

    BTW, thanks for fixing my Ewido scan text post as an attachment. (I'm assuming you did it.)
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    sf

    MyWebSearch

    CMMan

    Ewido


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    sf.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - ~00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

    O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)

    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk121CFUS

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\sf ←–– Delete this whole folder if it exists!

    C:\Program Files\MyWebSearch ←–– Delete this whole folder if it exists!

    C:\Program Files\CMMan ←–– Delete this whole folder if it exists!

    C:\Program Files\Common Files\VCClient ←–– Delete this whole folder if it exists!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you complete the above, reboot to normal Windows and proceed with the below...

    Finally, I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore
    • First, turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete this fix, reboot and attach a fresh HJT log and let me know how things are running.
     
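    The fix list in the post above follows one pattern: read each HijackThis line, work out what it points at (an autorun executable, a BHO DLL, a browser default URL) and decide whether it belongs on a clean machine. As an added example, not code from this thread, from MajorGeeks or from HijackThis, here is a small Python triage script that applies the same reasoning to a constructed sample log. The watched folders and the mywebsearch host are taken from the fix instructions in the post; the Norton ccApp autorun line and the choice of earthlink.net as the expected home-page host are assumptions made for the sample.

```python
"""Triage a HijackThis-style log (added example, not from the thread).

Each log line is parsed into its section code (R0/R1/R3/O2/O4/O8 ...) and
the thing it points at, then checked against a few defender-side rules:
orphaned registrations, autoruns under folders known to be unwanted, and
browser defaults or menu items that point at unexpected hosts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample log, modelled on the entry formats quoted in the thread.
# The ccApp line is an assumed benign Norton autorun added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk121CFUS
"""

# Folders the fix instructions in the thread say to delete (lower-cased for matching).
WATCH_FOLDERS = (
    r"c:\program files\sf",
    r"c:\program files\mywebsearch",
    r"c:\program files\cmman",
    r"c:\program files\common files\vcclient",
)
# Host from the O8 entry in the thread; any URL on it (or a subdomain) is flagged.
WATCH_HOSTS = ("mywebsearch.com",)
# Assumption for the sample: the ISP's home page is the only expected browser default.
EXPECTED_HOME_HOSTS = ("earthlink.net",)

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# First Windows path ending in an executable or DLL; quotes are excluded so a
# quoted O4 target is captured without them.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    code: str                      # HJT section code, e.g. "O4"
    body: str                      # everything after "O4 - "
    path: Optional[str]            # first executable/DLL path in the body, if any
    url: Optional[str]             # first http(s) URL in the body, if any
    findings: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn the raw log into Entry objects, skipping lines that are not HJT entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        path = PATH_RE.search(body)
        url = URL_RE.search(body)
        entries.append(Entry(m.group("code"), body,
                             path.group(0) if path else None,
                             url.group(0) if url else None))
    return entries


def host_matches(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(entry: Entry) -> List[str]:
    """Apply the defender-side rules and return the reasons an entry is suspect."""
    findings = []
    body_l = entry.body.lower()
    if entry.code in ("O2", "O3") and "(file missing)" in body_l:
        findings.append("orphaned BHO/toolbar registration (file missing)")
    if entry.code == "R3" and "(no file)" in body_l:
        findings.append("orphaned URLSearchHook (no file)")
    if entry.path and any(entry.path.lower().startswith(f + "\\") for f in WATCH_FOLDERS):
        findings.append(f"autorun/DLL under watched folder: {entry.path}")
    if entry.url:
        host = urlparse(entry.url).hostname or ""
        if entry.code in ("R0", "R1") and not host_matches(host, EXPECTED_HOME_HOSTS):
            findings.append(f"browser default points at unexpected host: {host}")
        if host_matches(host, WATCH_HOSTS):
            findings.append(f"URL on watched host: {host}")
    return findings


def triage_log(text: str) -> List[Entry]:
    """Parse the log and return only the entries that tripped at least one rule."""
    flagged = []
    for entry in parse_log(text):
        entry.findings = triage(entry)
        if entry.findings:
            flagged.append(entry)
    return flagged


def fix_list(text: str) -> List[str]:
    """The flagged lines in HJT form, i.e. the list a helper would tell the user to check."""
    return [f"{e.code} - {e.body}" for e in triage_log(text)]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(f"{entry.code} - {entry.body}")
        for reason in entry.findings:
            print(f"    -> {reason}")
```

    Run against the sample, the script flags seven of the nine lines and leaves the ISP home page and the Norton autorun alone, which mirrors the judgement the post above makes by hand. On a real log the watch lists are the part a helper would maintain; the orphaned-registration rules need no tuning, since a BHO or URLSearchHook whose file is gone has nothing legitimate left to do.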
  9. reneevanv

    reneevanv Private E-2

    Regarding the Add/Remove Programs part: neither sf, MyWebSearch, nor CMMan were listed. Ewido, of course, was listed since I had used it. I removed it.

    Regarding Task Manager processes, I found and successfully ended sf.exe.

    I checked the items listed in HijackThis and fixed them.

    I found and removed the c:\Program Files\sf and c:\Program Files\Common Files\VCClient folders. I did not find the MyWebSearch or CMMan folders.

    I ran the scans and completed the other processes listed.

    I will attach the fresh HJT scan log.

    The VCMain and VCClient windows no longer pop up when booting up. Regarding the continuous stream of IE ad windows, after having run Ewido they no longer seemed to come up. The only way to know if it is truly eliminated is to go back online with that computer, which I have not. Time will tell.

    Thanks for the help. I am curious, however, about what the computer was infected with and what the possible source of the infection was, if you can enlighten me regarding that.
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks clean, are you having any further problems?
     
  11. reneevanv

    reneevanv Private E-2

    No more problems so far, but the computer hasn't gotten a whole lot of use since then. My mother has used it some. So, do you have any idea from whence she might have gotten the infection? It would be good to be able to tell my mother so she would know what to be more careful of.

    Thanks again.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's hard to tell exactly where it comes from, mainly from surfing the internet unprotected. My suggestion is to surf wisely and you'll be fine.

    You should see this article on How to Protect yourself from malware!

    Surf Safely! :)
     
