Unable to remove SpyWare

Guest

I have encountered a spyware that I cannot get rid of. The process running
appears to be a random alphanumeric string. When I stop the process, the file
renames itself and starts running again. The icon is a brown dog facing to
the right. I have tried MSAS, Spybot, Adaware and Hijack This. None of them
are even detecting it. I have also looked in the startup and the registry,
but have not been able to locate what is launching it. Anyone have any ideas?
Thanks.
 
Guest

Have you tried these operations running in safe mode?
In safe mode, some of the protective services which these programs use to
ensure that they aren't removed are not running, so they are easier to
remove.

Update both Microsoft Antispyware and your antivirus application.

Shut down the computer and turn off the power. Wait for at least 30 seconds,
and then restart the computer in Safe mode or VGA mode.

Open an Internet window and go to Internet Options, Delete Cookies and Temp
Files, and include all offline content; then also go to Start and Run, type
%temp%, and clear that folder.

Run the Disk Cleanup tool.
To start the Disk Cleanup tool, click Start, click Run, type cleanmgr.exe in
the Open box, and then click OK.

Empty your IE cache and your other temporary file folders, e.g. c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders.
Also c:\Documents and Settings\username\local settings\Temporary Internet
Files\Content.IE5: delete all the files in those directories and
subdirectories.
http://www.mvps.org/winhelp2002/delcache.htm

Do full deep scans with Microsoft Antispyware. Repeat scanning until a
complete scan comes through clean. Ditto with the antivirus.

Let us know how it works out.

Engel
 
Guest

Also, in safe mode, you can clear prefetch files by going to the Start menu and
Run, typing prefetch, and then clicking OK.
Prefetch files are there to help programs load/open quicker, but they will be
replaced in prefetch when they are used again.

Engel
 
Guest

If you can see that it's running on your system then Hijack This would list
it. If you choose to do a scan and save the logfile, it will be shown under
running processes. If it's not being called from other areas of the Hijack
This log, such as the O4 run area, then it means you will have to dig deeper
with tools like Silent Runners and Rootkit Revealer. Post your full Hijack
This log if you need help with this and we can take it from there.

Andy
 
Guest

Thanks for responding guys. I did all of these scans in both regular and safe
mode, with no luck. Hijack This will see the one process running, but not the
"root" process that is causing it to relaunch after I close the process.

I will google silent runners and rootkit revealer.
 
Guest

Here are the links. The logs from these applications can be difficult to read
and could cause problems if you remove the wrong things. If you need any help
just send them to my email ([email protected]) and I will check the
logs over. I'm not sure what this spyware is without seeing the logs, so it's
hard to comment at this stage, but Ewido Security Suite may be able to help if
run in safe mode. Also, getting this random file and uploading it at Jotti's
malware scan site will help you know what's causing this.

Jotti's Malware Site

http://virusscan.jotti.org/

Open the site, press Browse, find the file, then press Submit. This uses about
14 different antivirus scanners to check the file and will give a good
indication of what you're infected with.

Ewido Security Suite

Download, install, and update the free version of Ewido Security Suite:

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on Update in the left menu,
then click the Start update button. After the update finishes, close Ewido.

Reboot to Safe Mode - restart your computer, begin tapping the F8 key on
your keyboard, and choose Safe Mode from the list.

Run Ewido again. From the main menu click on 'Scanner', then click 'Complete
System Scan'. When Ewido finds something, it will pop up a notification.
Select "Remove" and check the boxes "Perform action with all infections" and
"Create encrypted backup", then click on OK. When the scan finishes, click on
"Save Report" and save it to your desktop or C: drive in case you need it
again.

To check things in more detail, try Silent Runners and Rootkit Revealer.

Silent Runners

http://www.silentrunners.org/Silent Runners.zip

The purpose of "Silent Runners" is to identify the programs that start up
with Windows. The script will report any non-default value it finds.

Unzip it to the desktop and double-click on it. If you get any kind of
warning message about scripts, please choose to allow the script to run. When
the scan is finished, a message will pop up and a logfile will have been
created on the desktop.


RootKit Revealer

http://www.sysinternals.com/files/rootkitrevealer.zip

Unzip it to the desktop, run it, and click Scan. This will generate a log
file. After the scan finishes, choose File and then save its log to the C: drive
(it may save into Windows\system32 by default; change that to C:, and if you
get a pop-up about the desktop not being a valid location, press OK and then
change it to the C: drive). You need to ensure you are in normal Windows mode
to run it. You might also get a warning from resident antispyware apps that a
service is being installed. It will have a random name but is from Sysinternals.

Andy
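As an added, defender-side example that is mine and not from any of the posts above: a read-only PowerShell sweep of the places the replies tell the poster to look (Run/RunOnce keys, startup folders, temp folders, running processes), flagging names that look machine-generated like the process the original poster describes. It assumes PowerShell 3 or later on the affected machine; Test-RandomName is a rough heuristic of my own and will produce some false positives, so it reports and never deletes.

```powershell
# Added example (not from the thread): list autostart entries, executables in
# temp/startup folders, and running processes, and flag random-looking names.
# Test-RandomName is a hypothetical heuristic; review hits by hand, nothing is removed.

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$tempDirs    = $env:TEMP, "$env:SystemRoot\Temp"

function Test-RandomName([string]$Name) {
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 6) { return $false }
    $chars   = $base.ToCharArray()
    $digits  = @($chars | Where-Object { $_ -match '\d' }).Count
    $letters = @($chars | Where-Object { $_ -match '[a-z]' }).Count   # -match is case-insensitive
    $vowels  = @($chars | Where-Object { $_ -match '[aeiou]' }).Count
    # letters mixed with digits, or a long name with almost no vowels, reads as random
    return ($digits -ge 2 -and $letters -ge 2) -or (($vowels / $base.Length) -lt 0.1)
}

function Test-InTempDir([string]$Path) {
    foreach ($t in $tempDirs) { if ($Path -like "$t\*") { return $true } }
    return $false
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*' -or -not $p.Value) { continue }   # skip PSPath/PSParentPath noise
        $cmd = [string]$p.Value
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $findings += [PSCustomObject]@{ Source = $key; Name = $p.Name; Path = $exe
            Suspicious = (Test-RandomName (Split-Path $exe -Leaf)) -or (Test-InTempDir $exe) }
    }
}
foreach ($dir in ($startupDirs + $tempDirs)) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [PSCustomObject]@{ Source = $dir; Name = $_.Name; Path = $_.FullName
            Suspicious = (Test-RandomName $_.Name) -or (Test-InTempDir $_.FullName) }
    }
}
Get-Process | ForEach-Object {
    $path = try { $_.Path } catch { $null }   # some system processes refuse access to their path
    $findings += [PSCustomObject]@{ Source = 'Process'; Name = $_.ProcessName; Path = $path
        Suspicious = (Test-RandomName $_.ProcessName) }
}
$findings | Where-Object Suspicious | Format-Table Source, Name, Path -AutoSize
```

A hit only tells you where to look next; confirm a flagged file with a multi-engine scan such as the Jotti upload described above before removing anything.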