Losing the Spyware Battle

mcp6453

I have an XPP machine that has the worst infestation of spyware I've
seen, and it is whipping me. It had some viruses, too, but I got rid of
those pretty easily. It was necessary to run LSPFIX (what a great
utility!) to get the machine to communicate over the Ethernet port.
Because I don't want to have to reinstall the applications (there are
some custom written ones that I don't want to have to figure out), I'm
spending unbillable time trying to clean it. Here is where I am so far:

1) EZTrust Antivirus scan - clean
2) housecall.trendmicro.com online scan - clean
3) Ad-Aware (updated) scan - clean
4) Microsoft Antispyware scan - clean
5) Run in Registry - no unidentified keys
6) Manually deleted urkurk.exe from \windows\system32
7) Manually deleted jervw.exe from \windows\system32
8) Re-ran all scans in Safe and Normal modes
9) Set everything in msconfig to off
10) Set Microsoft Antispyware to real time monitor
11) Installed Google toolbar to prevent pop ups
12) Removed everything unfamiliar in Add/Remove Programs

On each of the above, if anything was discovered, I did a rinse, lather,
repeat until the process came up clean.

When I start Internet Explorer, I still get an occasional popup. What am
I overlooking? Why are Ad-Aware and Microsoft Antispyware not picking up
these varmints?
 
R. McCarty

Been there, done that - what a fun operation - right up there
with cleaning out gutters. Sometimes it's better to back up all
the data and re-install. But if that's not an option, you've made
a good run at it. Here are a few extra items:

Dump IE Cache, Cookies.
Download/Run Spybot Search & Destroy 1.4 (Just Released)
Download/Run HiJackThis & CWShredder. Check for BHOs
(Browser Helper Objects).
Override Default Cookie Handling - Accept 1st, Block 3rd
Run online scans for Virus, Trojans and Malware
Check IE Zone Settings
**Likely you've got Registry remnants that are just a royal PITA
to try and remove manually. Some of the online scanners can
pinpoint them, but offer no removal capability.
 
Kerry Brown

mcp6453 said:
I have an XPP machine that has the worst infestation of spyware I've seen,
and it is whipping me. It had some viruses, too, but I got rid of those
pretty easily. It was necessary to run LSPFIX (what a great utility!) to
get the machine to communicate over the Ethernet port. Because I don't want
to have to reinstall the applications (there are some custom written ones
that I don't want to have to figure out), I'm spending unbillable time
trying to clean it. Here is where I am so far:

1) EZTrust Antivirus scan - clean
2) housecall.trendmicro.com online scan - clean
3) Ad-Aware (updated) scan - clean
4) Microsoft Antispyware scan - clean
5) Run in Registry - no unidentified keys
6) Manually deleted urkurk.exe from \windows\system32
7) Manually deleted jervw.exe from \windows\system32
8) Re-ran all scans in Safe and Normal modes
9) Set everything in msconfig to off
10) Set Microsoft Antispyware to real time monitor
11) Installed Google toolbar to prevent pop ups
12) Removed everything unfamiliar in Add/Remove Programs

On each of the above, if anything was discovered, I did a rinse, lather,
repeat until the process came up clean.

When I start Internet Explorer, I still get an occasional popup. What am I
overlooking? Why are Ad-Aware and Microsoft Antispyware not picking up
these varmints?

Some popups seem to elude any blocker. That doesn't mean your pc is
infected.

Kerry
 
Richard Urban

Redo all of your extensive tests after booting up into "SAFE MODE". In safe
mode only the bare minimum of services and start applets are running. If it
isn't running it can likely be cleared out - as long as it can be detected.

--
Regards,

Richard Urban

aka Crusty (-: Old B@stard :)

If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
Courtney

Popups are not spyware, they are just popups. It doesn't indicate spyware.

It's interesting to note that you installed spyware on your system to stop
spyware. The Google toolbar (by their own admission) is a type of spyware.
So is Yahoo!'s version.

To stop popups, I use two products: SpywareBlaster, and FireFox.

Spyware puts your typical spyware site in the restricted categories of IE,
Mozilla, and FireFox. FireFox doesn't run ActiveX, which is run by IE and
Avant. Between the two, I haven't seen spyware or popups for a very long
time. Another interesting thing to note: Microsoft AntiSpyware has not
detected a single ding since I installed SpywareBlaster (freeware).

courtney
 
mcp6453

I'm closing in on it. There is one file that keeps trying to be installed
in Run in the registry, called ulkulk.exe. Microsoft Antispyware blocked
it, but I cannot find that file on the hard drive (search hidden and
system files) and I cannot find any reference to it in the registry or
elsewhere. There is some place I'm not looking. A Google search yields
zero hits on that filename, which must mean that the
spyware/adware/whateverware is creating a randomly assigned name for the
critter.
 
Steve N.

mcp6453 said:
I'm closing in on it. There is one file that keeps trying to be installed
in Run in the registry, called ulkulk.exe. Microsoft Antispyware blocked
it, but I cannot find that file on the hard drive (search hidden and
system files) and I cannot find any reference to it in the registry or
elsewhere. There is some place I'm not looking. A Google search yields
zero hits on that filename, which must mean that the
spyware/adware/whateverware is creating a randomly assigned name for the
critter.

That makes it tough to find alright, but not impossible. Go into Task
manager and start killing off unfamiliar tasks and processes, be
suspicious of any that keep reloading and then try tracking the file
that is associated with the recurring process/task. When you locate it
you won't be able to delete it unless in Safe Mode. Then search the
registry in Safe Mode for that filename and delete any keys containing it.

Steve
 
mcp6453

This site was helpful, but for the benefit of others, assuming that I
have gotten rid of the mess, the two main files that were giving me
problems were jervw.exe and rukr.exe, both in \windows\system32, both
hidden. I think another file wrote them as they kept coming back. I had
to go through the registry to get rid of all references to both. They
were apparently planted by one of the search bar programs, but I have
spent so much time on this one and done so many things that I cannot
remember which one.

Strangely enough, the program recommended in the link below did not find
some of the startup files that I had to delete manually. They were still
showing on the Startup tab in msconfig, but not in Autoruns.exe.

Thanks for all the help. Hopefully this machine is clean.

And before you ask, NO it was not cost effective to spend this much
time, but I enjoy a challenge and always learn something along the way.
In this instance, I learned about Autoruns.exe, which is now part of my
toolkit.

This tutorial shows how to find where the malware is loading from:

http://www.bleepingcomputer.com/for...ojan_Virus_Worms_or_other_Malware-tut101.html


MowGreen [MVP 2004-2005]
===============
*-343-* FDNY
Never Forgotten
===============

I'm closing in on it. There is one file that keeps trying to be
installed in Run in the registry, called ulkulk.exe. Microsoft
Antispyware blocked it, but I cannot find that file on the hard drive
(search hidden and system files) and I cannot find any reference to it
in the registry or elsewhere. There is some place I'm not looking. A
Google search yields zero hits on that filename, which must mean that
the spyware/adware/whateverware is creating a randomly assigned name
for the critter.
 
Mike Holder

Un-install and clean what you can by "regular" means. Then restart in
safe mode and run regedit. Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Make a note of each entry present and its path.
Google search on each entry to identify what they are.
Delete the suspect entries.
Restart; this will help prevent the spyware/malware from loading and make
them a lot easier to clean from the drive and system.
 
Kelly

Hi,

This works every time:

In most cases without using third party, this takes three steps.

1. Start/Run/Regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Gain the exact path.
Note: Save these two to regedit favorites.

2. Start/Run/Msconfig/Startup

Gain the exact path.

3. Follow the path via Windows Explorer.

Leave/have all three windows opened, now open the Task Manager.

Once knowing the exact path, end the process via the Task Manager, then
delete the entry via Windows Explorer. From there, delete the run command
from both regedit and msconfig. With regedit still open, hit F5. If it
replaces itself, you didn't do it in a timely manner or you didn't follow
the exact placement path.

Note: In some cases, depending, you will be allowed to rename the .exe via
safe mode and then delete.

The only three needed:

Run Ad-Aware SE, Spybot and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update the first two programs, once installed, before running.

All should be well, if not run the scan listed below for the paths of
leftovers. BTW, also check the prefetch folder and System Volume.

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
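The procedure Mike Holder and Kelly describe above (note every Run entry and its path, identify the file, end the process, delete, then hit F5 and see whether the entry comes back) and Steve N.'s advice to watch for the process that keeps reloading can be scripted as a read-only inventory. The following is an added example written for this page, not code from any poster in the thread or from any of the tools it names. It assumes Windows PowerShell 5.x with its standard cmdlets only, walks the HKLM/HKCU Run and RunOnce keys plus the two Startup folders that msconfig's Startup tab lists, resolves each entry to the file it launches, and reports whether the file exists, is hidden, is signed, and is currently running. Nothing is modified; the function names are my own.

```powershell
# Added example, not code from any poster in this thread. Read-only inventory
# of the autorun locations the replies point at: the HKLM/HKCU ...\Run (and
# RunOnce) keys and the Startup folders that msconfig's Startup tab lists.
# Each entry is resolved to the file it launches and annotated with what a
# defender wants to know before deleting anything. Standard Windows
# PowerShell 5.x cmdlets only; nothing is modified.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Resolve-CommandPath {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent    or    foo.exe -x
    # A bare file name is resolved the way Windows would (PATH, System32).
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    $acc = @()
    foreach ($token in ($expanded -split ' ')) {
        $acc += $token
        if ($token -match '\.exe$') { break }   # stop at the program, drop its arguments
    }
    $candidate = $acc -join ' '
    if ($candidate -notmatch '^([A-Za-z]:\\|\\\\)') {
        # Not rooted: ask PowerShell which application that name resolves to.
        $hit = Get-Command -Name $candidate -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($hit) { return $hit.Path }
    }
    return $candidate
}

function Get-AutorunInventory {
    # Image paths of running processes, so an entry can be tied to a live process
    # (the one that keeps reloading is the one to track back to its file).
    $running = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object { if ($_.Path) { [void]$running.Add($_.Path) } }

    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not Run values
            $entries += [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -Path $folder)) { continue }
        foreach ($f in (Get-ChildItem -Path $folder -Force -File)) {
            $entries += [pscustomobject]@{ Source = $folder; Name = $f.Name; Command = $f.FullName }
        }
    }

    foreach ($e in $entries) {
        $path = Resolve-CommandPath $e.Command
        # -Force so a hidden file (as in the thread) is still found.
        $file = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue } else { $null }
        [pscustomobject]@{
            Source  = $e.Source
            Name    = $e.Name
            Command = $e.Command
            Path    = $path
            Exists  = [bool]$file
            Hidden  = if ($file) { $file.Attributes.HasFlag([System.IO.FileAttributes]::Hidden) } else { $false }
            Signed  = if ($file) { (Get-AuthenticodeSignature -FilePath $file.FullName).Status.ToString() } else { 'n/a' }
            Running = [bool]($path -and $running.Contains($path))
        }
    }
}

function Compare-AutorunSnapshots {
    # The F5 check, scripted: snapshot before removal and again afterwards.
    # Anything present only in $After was re-created by something still running.
    param($Before, $After)
    if (-not $Before) { return $After }
    if (-not $After)  { return @() }
    Compare-Object -ReferenceObject @($Before) -DifferenceObject @($After) -Property Source, Name, Path |
        Where-Object { $_.SideIndicator -eq '=>' }
}

# Usage: list everything, then the subset worth investigating first.
$snapshot = Get-AutorunInventory
$snapshot | Sort-Object Source, Name | Format-Table Source, Name, Path, Exists, Hidden, Signed, Running -AutoSize
$snapshot | Where-Object { -not $_.Exists -or $_.Hidden -or $_.Signed -ne 'Valid' }
```

Run it once from an elevated prompt, save the result, do the manual clean-up the posts describe, then run it again and feed both results to Compare-AutorunSnapshots: an entry that is back in the second snapshot is being re-created by a process that is still alive, which is exactly the case the thread's ulkulk.exe / jervw.exe pair illustrates. An entry whose file does not exist, is hidden, or carries an unsigned or missing signature is the place to start reading, not a verdict; legitimate software is sometimes unsigned and hidden attributes can be set by accident.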
 
Steve N.

Kelly said:
Hi,

This works every time:

In most cases without using third party, this takes three steps.

1. Start/Run/Regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Gain the exact path.
Note: Save these two to regedit favorites.

2. Start/Run/Msconfig/Startup

Gain the exact path.

3. Follow the path via Windows Explorer.

Leave/have all three windows opened, now open the Task Manager.

Once knowing the exact path, end the process via the Task Manager, then
delete the entry via Windows Explorer. From there, delete the run command
from both regedit and msconfig. With regedit still open, hit F5. If it
replaces itself, you didn't do it in a timely manner or you didn't follow
the exact placement path.

Note: In some cases, depending, you will be allowed to rename the .exe via
safe mode and then delete.

The only three needed:

Run Ad-Aware SE, Spybot and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update the first two programs, once installed, before running.

All should be well, if not run the scan listed below for the paths of
leftovers. BTW, also check the prefetch folder and System Volume.

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

FWIW Kelly, I have found startup reg entries using the old jv16
RegCleaner 4.3 that HijackThis did not find. I don't like recommending
registry cleaners though, too much can go wrong too easily. I guess the
same can be said for HijackThis, though.

Steve
 
mcp6453

Kelly said:
Hi,

This works every time:

In most cases without using third party, this takes three steps.

1. Start/Run/Regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Gain the exact path.
Note: Save these two to regedit favorites.

2. Start/Run/Msconfig/Startup

Gain the exact path.

3. Follow the path via Windows Explorer.

Leave/have all three windows opened, now open the Task Manager.

Once knowing the exact path, end the process via the Task Manager, then
delete the entry via Windows Explorer. From there, delete the run command
from both regedit and msconfig. With regedit still open, hit F5. If it
replaces itself, you didn't do it in a timely manner or you didn't follow
the exact placement path.

Note: In some cases, depending, you will be allowed to rename the .exe via
safe mode and then delete.

The only three needed:

Run Ad-Aware SE, Spybot and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update the first two programs, once installed, before running.

All should be well, if not run the scan listed below for the paths of
leftovers. BTW, also check the prefetch folder and System Volume.

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

One other thought. While tackling this machine, Microsoft Antispyware
reported two rogue ActiveX controls. Using MA, I was able to stop the
controls and then delete them. No other software I have used has ever
pointed to a problematic ActiveX control, to my knowledge.
 
mcp6453

Kelly said:
Hi,

This works every time:

In most cases without using third party, this takes three steps.

1. Start/Run/Regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Gain the exact path.
Note: Save these two to regedit favorites.

2. Start/Run/Msconfig/Startup

Gain the exact path.

3. Follow the path via Windows Explorer.

Leave/have all three windows opened, now open the Task Manager.

Once knowing the exact path, end the process via the Task Manager, then
delete the entry via Windows Explorer. From there, delete the run command
from both regedit and msconfig. With regedit still open, hit F5. If it
replaces itself, you didn't do it in a timely manner or you didn't follow
the exact placement path.

Note: In some cases, depending, you will be allowed to rename the .exe via
safe mode and then delete.

The only three needed:

Run Ad-Aware SE, Spybot and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update the first two programs, once installed, before running.

All should be well, if not run the scan listed below for the paths of
leftovers. BTW, also check the prefetch folder and System Volume.

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

I'm saving this post for two reasons: 1) I think Kelly is a genius, and
2) if I had known about prefetch folder before yesterday, I could have
saved a lot of time.
 
Kelly

Thanks for your addition, Steve....much appreciated! :blush:)

As per your comments, what are you calling startup reg files (example if you
could)? I am very interested. :blush:)

As for HT, it just takes a bit of common sense and being familiar with your
settings. A bit different can be said for a registry cleaner, even though
HT does remove from the registry and does make changes.

That said, users of the program seldom know to use the Config option, which
can preset the home page instead of ending up with About:Blank and having
them all checked, once run. Also included within that arena: there is
nothing there that can't be removed (this statement does not apply to Win98
nor ME).

What runs upon boot is clearly listed within msconfig/startup. It does not
remove any installed programs, just the bootup process which can be easily
corrected. The rest is added toolbar, etc items via IE that commonly relate
to Alexa, Messenger, Yahoo, etc. Those added buttons are seldom used anyway
and the user wouldn't miss them for the grand part.

As for the rest, HT can solve immediately what users suffer from without
knowing where else to turn. I have been impressed with this small utility
for a great while now.
--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
 
Kelly

Thanks for the feedback. While MA is still in beta and runs a bit slow
(also adds a process without closing when done), did removing those keys
help you noticeably that you could mention? Or are you just stating it
polled something the others didn't. Not necessarily a good thing. :blush:)

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
 
mcp6453

Kelly said:
Thanks for the feedback. While MA is still in beta and runs a bit slow
(also adds a process without closing when done), did removing those keys
help you noticeably that you could mention? Or are you just stating it
polled something the others didn't. Not necessarily a good thing. :blush:)

I don't know how to give you an intelligent answer except to say that
when I went into Advanced Tools, one of the options is to view ActiveX
controls. Two of them were marked as questionable, and one of the two
had a name identified with spyware. (Sorry, I did not write down the
name.) The pop ups kept coming back until I deleted the ActiveX control.
In MA, you permanently stop the ActiveX control, then you go in to block
controls and permanently delete. That is at least what worked for me. It
all happened at the end of a long day, so if what I am reporting does
not make sense, I defer to your expertise!