VirtualBouncer adware removal

Last week at work, I was looking up a world map, and found a couple sites through Google, clicked around a bit, didn’t think much of it. Until a couple minutes later, when popup windows started appearing every 15 seconds on my screen. I had been hit with adware. I still don’t have any idea what I did that nailed me, but it had happened. It installed all sorts of crap on my machine, put crap in my bookmarks, installed an extra toolbar into Internet Explorer, etc.

The particular spyware that infested my machine was “VirtualBouncer” and “Ad Destroyer”, which, ironically, purport to be adware fighting tools themselves. Fortunately, once I was able to identify the name of my problem, Google came to my rescue. I found this page, which listed several adware fighting tools, and the techniques that they used to finally fight off the spyware.

It ended up taking close to eight hours to mostly rid my machine of this crap (I actually came in over the weekend to clean things up because I felt guilty about using company time for my mistake). It took a long time mostly because each time I ran one of the adware cleanup tools, it would take twenty minutes as it scanned through all the registry settings and files and things. Finally, it would declare my hard drive clean. And then I’d reboot, and the adware would have reconstituted itself. Repeat a lot of frustrating times.

So I’m putting this entry up to remind myself of what I did, in case it ever happens again, and also to help anybody else that gets inflicted with this crap.

Tools that ended up being useful:

  • Trend Micro Anti-Spyware did a decent job of cleaning up most stuff. I initially tried Ad-aware, as the first page recommended, but it didn’t successfully clean my hard drive. When Google found that Trend Micro had a page specifically on Ad Destroyer, I tried that one and it seemed to work better. But it didn’t catch everything.
  • SpyBot Search and Destroy was also helpful. Its scan was, again, kind of useless, because it failed to root things out. But if you switch to the advanced menu, the tools it provides are good for tracking things down, in particular the startup cleanup, the BHO (Browser Help Object) cleanup, and the ActiveX object cleanup (bits of adware had been installed in all of those places).
  • ZoneAlarm was very helpful for figuring things out. I just set all the settings to high. Then when I booted my computer, I wrote down all the things trying to access the net, and tracked them down in the startup files and deleted them.
  • I switched to Firefox as my browser instead of Internet Explorer, which I should have done a long time ago. I use Mozilla exclusively at home, but hadn’t bothered to update my work computer.
  • I installed Absolute Startup, but it was not as helpful as SpyBot Search and Destroy at cleaning up startup stuff. But its interface for real-time monitoring of whether the startup configuration has been changed is better.
  • I installed Spyware Blaster, but I don’t know if it has done anything for me.

After all that, I still don’t think my work computer is clean. I noticed that ZoneAlarm kept on getting a request from “WinNT Logon Application” to access the net when I booted up, but I kept on denying it because I was skeptical since I run Windows XP. But after my system had seemed clean with no popups for a couple days this week, I let the suspicious WinNt Logon through to see what would happen. And, boom, I was re-infested. Fortunately, by then I knew exactly how to clean up after myself, and I had all the tools installed, so it only took twenty minutes or so to fix it. But it demonstrates that it’s still hiding in my startup someplace, despite running at least four different spyware removal programs in an attempt to clean up my drive.

Anyway. It was an incredibly frustrating experience. I work with computers, and it still took me eight hours to clean up my drive; I can’t imagine what a typical user would have done. This stuff is evil. So, beware. Switch to Firefox, don’t click on things, and if you do, there’s some tools above that may help.

3 thoughts on “VirtualBouncer adware removal

  1. Hey P–any idea if updating Windows/IE would have made any difference? It’s just kinda scary that security holes are that big for simple web browsing and malware. I remember that somebody in our office once had his machine exploding with spyware, but he was the least tech-savvy person in the office, so I chalked it up to that. But if your machine is getting slammed, well, that doesn’t bode well. Anyway, I’m glad to be using Opera, and thanks for the recommendations on what to use if I see a problem. -Bats

  2. No, I was completely up-to-date with all security patches on Windows/IE. I’m obsessive about that – there was one time at Sciex where everybody’s computer went down with a worm except for mine, because I was the only one who’d applied the latest patch.

    In retrospect, IE might have been slow to refresh on a web page when I hit Back, and so I might have clicked where I thought was a link, but was actually an ad or something that launched an ActiveX control or some nonsense like that.

    But, yeah. Kind of disheartening that this stuff is so prevalent and pernicious.

  3. An update from several weeks later. My work computer was, in fact, still infected. I’ve now tried installing Microsoft’s anti-spyware utility, which I think is as good as any of the others, and may be better because Microsoft theoretically knows more of the places where Windows hides stuff. Although it wasn’t actually successful at cleaning my computer of spyware.

    Also, Symantec anti-virus found a bunch of infected files, but couldn’t quarantine or delete them (rcur.exe and sdxsdx.exe were the culprits, although I suspect that the spyware program generated random strings as filenames, because Google’ing those filenames didn’t turn anything up), and they were completely hidden from the windows explorer so I couldn’t do it by hand.

    I did find another utility today called KillBox which removes files that other things don’t. I turned it loose on the files that Symantec had found but couldn’t clean, and it seems to have nuked them successfully after a reboot. And I haven’t seen any evidence of spyware since then. So I’ve got my fingers crossed.

Leave a Reply

Your email address will not be published. Required fields are marked *