3 items repeatedly reinstall


Pat F

I've been running Spybot for over a year and have become
an expert at using it.

I downloaded and installed MS Anti-Spyware Beta this last
week. Kudos to MS - this software detected 152 items of
spyware undetected by Spybot between 2 Citrix Servers
running W2K, SP4, fully patched. It also re-detected one
item of spyware Spybot does detect, but that I've had
continued issues with: We've had a repeated problem with
Ceres pop-up windows. The spyware is from
abetterinternet.com, and pops up continued ad windows
titled Ceres. If you remove it, it reinstalls immediately.

I had learned to control it with Spybot in Advanced mode
by going to Tools\BHOs, and "toggling" it. This allows
the file to remain in place but disables it.

MS Anti-Spyware also detected it and removed it, but like
Spybot, it does not go deeply enough to get the
reinstaller. As soon as it's removed, it attempts to
reinstall (red pop-up from MS Anti-Spyware advising me
that Transponder.ABetterInternet.Ceres is attempting to
install). I "Remove" it again, but it immediately
attempts to reinstall, and in fact it succeeds in
reinstalling even though I've instructed Remove. I find
Ceres.dll in C:\WINNT immediately after a removal, and as
soon as one of my users runs IE, its executable,
Buddy.exe, will be recreated. The only way I can control
it is to leave ceres.dll in C:\WINNT and "toggle" it in
Spybot Tools\BHOs. This effectively blocks it, so for the
time being, I'll be leaving Spybot in place. I've
attempted to Quarantine it in MS Anti-Spyware rather than
Remove it after a scan, but my users will still get the
Ceres pop-up windows unless I use Spybot to toggle
ceres.dll. MS needs to do some further work on this to
clean out the installer entries in the registry (I've done
a lot of research on this, and that's where they are, but
abetterinternet keeps changing the names of the registry
entries, so it's a moving target).

There are also 2 other items of spyware that exhibit the
same behavior exactly, but were never detected by Spybot.
They are Transponder.Farmmext and W32.Transponder. Same
exact behavior as Transponder.AbetterInternet.Ceres. As
soon as they're removed, they attempt to reinstall. I
haven't yet had time to do the same amount of research on
these as on ceres because I didn't know I had them until
I installed MS Anti-Spyware.

Great program Microsoft, but you've still got some work to
do, at least on these 3 pests.
 

Ron Chamberlin

Hi Pat,
Can you submit a 'Suspected Spyware Report' from the toolbar in the MWAS
program?

Also thinking that clearing the temp and TIF files may help you.

Ron Chamberlin
MS-MVP
 

Pat

Ron,

Sorry for the delay. Not ignoring you, just in the middle
of a big upgrade here. We believe we'll have that
finished by this Sunday, and hopefully I'll be able to
devote some more time to this after that.

Sent the report a few minutes ago and referenced this post.

Did clear the tmp files. Not sure what you mean by
clearing tif files. Are you talking about files with the
extension .tif? Not sure why that applies, but I'll be
glad to do it with clarification.

On the tmp files. Ran a search for .tmp, deleted
everything. Had to reboot to safe mode to get rid of some
items whose names began with a tilde (~). Rebooted
normally and some .tmp files came back including some that
were downloaders for ceres and farmmext. Only had about a
half hour to spend on that yesterday, but I want to do it
again, and, if you want them I'd like to send you details
and screenshots, which hopefully I'll be able to do after
this coming Sunday. Your email address in the forum is
(e-mail address removed). Is that correct (I noticed the
double msn, so wanted to verify)? May I send them
directly to that address as a .zip file of the .jpg
screenshots?

Finally, you may find this site useful in tracking this
down: http://www.doxdesk.com/parasite/Transponder.html

Thanks,
Pat
 

Ron Kinner

Pat,

Agree AntiSpy needs a lot of work.

I recently found a freeware tool called Advanced Process
Manipulator from DiamondCs in Australia that really
helped.

http://www.diamondcs.com.au/index.php?page=products

I was fighting a similar critter. Kill it and it popped
back up. Loaded under winlogon notify so it was already
on board by the time you could log in. It knew all about
Pocket Killbox and when I tried to rename it at the next
reboot, Killbox reported the registry entry had been
erased before we could reboot.

Anyway, with APM it showed me a list of running processes
and I chose Explorer and it opened up and showed 5
instances of the file. I clicked on one and told it to
stop it and a little box came up and I pressed OK. This
happened about 5 times and suddenly it was stopped. I was
then able to rename it and remove the registry entries
with hijackthis and regseeker.

If you are using Win2K or XP Pro another way to annoy it
is to right click on the file's properties then select
Security and Deny Full Control to every user. Bit hard to
do in XP Home tho.

Also have you tried: SilentRunners.vbs ? That might show
where ceres starts if it doesn't show up in HijackThis.
http://www.silentrunners.org/

One other tip. Don't rely on programs cleaning the temp
files. I ran two (XP's and ccleaner) but when I looked
there were 9 files with .dat extensions still sitting in
username\Local Settings\Temp. Had to rename them to get
rid of them. All 96K.

Ron Kinner
(e-mail address removed)

PS Be glad to work with you on getting rid of ceres.
Start by sending me a HijackThis log from one of the
infected systems.
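The posts above keep coming back to the same question: where does ceres (or a similar "critter" loaded under Winlogon Notify) actually start from? The script below is an added example, not something from this thread or from any of the tools mentioned in it. It enumerates the persistence locations the thread discusses (IE Browser Helper Objects, Winlogon Notify packages, and the Run/RunOnce keys) in PowerShell, resolves each entry to the file it loads, and flags entries whose file is missing or lives under a Temp folder, which is where the downloaders in this thread were reappearing. It assumes an elevated PowerShell session on a Windows host with the standard registry layout for these mechanisms; the output is for review only and nothing is modified.

```powershell
# Added example (not from the thread): list the persistence points discussed above
# so the DLL/EXE behind a BHO, Winlogon Notify or Run entry can be located and reviewed.
# Assumptions: elevated PowerShell on Windows; standard registry locations. Read-only.

$report = @()

# Browser Helper Objects: each subkey name is a CLSID; the DLL path is the default
# value of HKCR\CLSID\{clsid}\InprocServer32.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { '<no InprocServer32>' }
        $report += [pscustomobject]@{ Mechanism = 'BHO'; Entry = $clsid; Target = $dll }
    }
}

# Winlogon Notify packages: loaded by winlogon.exe before any user shell starts,
# which is why such a DLL is already running by the time you can log in.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        $report += [pscustomobject]@{ Mechanism = 'WinlogonNotify'; Entry = $_.PSChildName; Target = $dll }
    }
}

# Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
        $report += [pscustomobject]@{ Mechanism = 'Run'; Entry = "$key\$($p.Name)"; Target = $p.Value }
    }
}

# Reduce each target to the executable/DLL path (strip quotes and arguments), then
# flag files that are missing or that sit in a Temp / Temporary Internet Files folder.
$report | ForEach-Object {
    $path = [string]$_.Target -replace '"', ''
    if ($path -match '^(.*?\.(dll|exe))') { $path = $Matches[1] }
    $_ | Select-Object Mechanism, Entry, Target,
        @{ Name = 'Exists'; Expression = { [bool]$path -and (Test-Path $path) } },
        @{ Name = 'InTemp'; Expression = { $path -match '\\Temp\\|\\Temporary Internet Files\\' } }
} | Format-Table -AutoSize
```

Run it before and after a removal attempt and diff the two listings: an entry that returns with a new CLSID or a renamed DLL, as Pat describes for abetterinternet, shows up as a new row rather than needing to be spotted by name. The Winlogon Notify section in particular explains the behaviour Ron describes, since a DLL registered there is loaded by winlogon itself, before Explorer or any per-user startup item.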
 

Pat

Ron,

Your name is really familiar. Are you associated with
Ziff Davis or are you a regular poster in the HP IT
Resource Forums?

Anyway, Thank you for your excellent suggestions and
suggested tools. As I had mentioned in a previous post,
we're in the middle of a major upgrade right now, and the
time I can devote to this is limited. However, I should
have some time to dig deeper 2 weekends from now.

I may have killed ceres and farmmext. I could not get MS
Anti-Spyware to send a report over the last several days
(continuation of a previous post for the benefit of others
who may be following this). Whenever I tried, it would
hang, and the program would go into Not Responding.
Tonight I uninstalled MS Anti-Spyware, deleted the
files/folders in its Program Files folder, then re-
downloaded a fresh copy of the installer and reinstalled
it. I'll find out tomorrow night if it can now send a
report.

While configuring, I noticed a section I hadn't been in
before, which is at Tools\Advanced Tools\System
Explorers\Startup Programs. In there, I found the startup
for farmmext. I blocked it. Since farmmext and ceres are
both transponders, this might also block ceres. In the
section \IE BHOs, I also blocked band class and ceres.

I'll check again after the next scan and see if either
showed up. If you look at my original post and follow it
down, you'll note that after a scan, they both reinstall
when removed. So far, I've been controlling ceres with
Spybot in the Tools\BHOs section by "toggling" the .dll
file after it reinstalls.

Further details to follow, and thank you again, very much,
for your input. It's all useful. I'll let you know if
this needs further work or if it's resolved.

Pat
 

Ron Chamberlin

Hi Pat,

<Not sure what you mean by clearing tif files.>
The .tif are Temporary Internet Files, and are stored in a different barn
than 'normal' temp files.
Here's how I kludge thru to them: Open Windows Explorer--->C:\Documents and
Settings. Then it's to the Tool Bar--->Folder Options--->View--->Hidden
Files and Folders and check the box "Show hidden files and folders" > Now
expand C:\Documents and Settings and under each user you will now see a
folder "Local Settings". Open that puppy and choose Temporary Internet
Files. I am not concerned about the cookies therein, but everything else
can go for now.

<Your email address in the forum is (e-mail address removed). Is that
correct (I noticed the double msn, so wanted to verify)? >
Nope. That's not correct, and I hope yours isn't either. :) I, and most
others, munge the email address to avoid farming of them by bots. If you
were to drop one set of 'msn', you would find me. :)

Ron Chamberlin
MS-MVP
 
