Advanced spyware removal help needed

For most computers running several antispyware programs seems to do it, but on a few it doesn’t help as things seem to come back. Random registry keys seem to load BHO’s on startup.

Programs like HijackThis allow me to remove them, but they come back. MS Antispyware allows me to block them on startup, but I have to re-block them each startup.

What is the next step? Any good sites on how to go about getting these nasties off the system?

The next step is to identify the program, then find (google) a program written to remove said program, or simply hunt down the details and remove it manually from disk and registry (registry backup recommended beforehand).

What you have (?) is one or more instances of an installer (exe program, ActiveX, etc.) stored on your hard drive. Usually, registry keys reinstall them. I hardly ever get infected, but a family member’s computer had one with 6 identical secret installers, all with different file names and extensions and spread out in various locations on the C: disk.

I recently got a spyware infection. After two days of trying every remedy Google could throw at me, I still had at least one hidden installer that no one seemed to know how to get rid of. (My searches seemed to indicate that this was a very recent flavor.)

I finally decided it was quicker and easier to just reformat the hard drive and reinstall, rather than try to comb through the registry and ferret it out manually. And not to turn off ZoneAlarm any more.

I normally recommend the SpywareInfo removal forum, but it has recently suffered a meltdown, with no estimate on repair time. The next best option is BleepingComputer, post your HJT log in their forum and a crackerjack volunteer will guide you through the removal process.

That being said, if you have what is known as a ‘rootkit’ variety of spyware, you might as well reformat and reinstall. I just attended a Microsoft webcast on rootkit removal, and they basically said if you have a rootkit, you have to reformat. This may change as the arms race between the white hats and the black hats continues, but at this time we are SOL against rootkits.

What’s a rootkit variety, and how can you tell if the system is infected with one?

Amen, Brother.
Especially when you do it for a living.
:slight_smile:

It wasn’t easy, either. I fancy myself to be quite handy with computers, so it was hard to admit defeat. But once I got past that, it was obviously the right decision, as my intense desire to punch the computer abated almost immediately. :slight_smile:

How much anti-spyware are most folks running? I have an anti-virus program of course. I’ve never gotten spyware, but then I run as a limited user and don’t shoot the duck.
Warning: There’s probably a duck to shoot on that page.
I run anti spyware to clean up an infected client, but I don’t leave it active. That’s just fewer resources available for the PC, particularly Win 98 machines.

You can use Rootkit Revealer from Sysinternals to determine if you have one, but note this does nothing to remove it. Even this tool isn’t foolproof:

Also, it only works on WinXP, Win2K, and WinNT.

It’s easier to do what Giraffe suggests and just wipe your system clean, but if you really want to play sleuth, here’s what we recommend here:

  1. Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

  2. Download nailfix at http://andymanchesta.com/Downloads/nailfix.zip (for Windows XP) or http://andymanchesta.com/Downloads/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

  3. Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Don’t run it yet.

  4. Download HijackThis http://www.majorgeeks.com/downloadget.php?id=3155&file=11&evp=3304750663b552982a8baee6434cfc13. Don’t run it yet.

  5. Download Adaware http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1 and install it. Update to the newest definitions. Don’t run it yet.

  6. Download Spybot http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1 and install it. Update to the newest definitions. Don’t run it yet.

  7. Download Spysweeper http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10373771.html and install it. Update to the newest definitions. Don’t run it yet.

  8. Update your anti-virus program to the newest definitions. Don’t run it yet.

  9. Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn’t work.

  10. Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly — this is normal.

  11. Next run a full scan in Ewido.

  12. Run a scan in HijackThis. Check each of the following and hit ‘Fix checked’ (after checking them) if they still exist (make sure not to miss any):

These are not the only files to delete; remove any other suspicious files (e.g. mediaaccess, abetterinternet, aurora):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM…\Run: [tustkk] c:\windows\system32\benbqpb.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

  13. Close all open windows except for HijackThis and click Fix Checked.

  14. Run KillBox and check the box that says ‘End Explorer Shell While Killing File’. Next click on ‘Delete on Reboot’. For each of the following files below, check the box that says ‘Unregister .dll Before Deleting’ if it’s not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\windows\system32\benbqpb.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\Bolger.dll
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINDOWS\svcproc.exe

  15. Run a full scan of Adaware and remove any spyware found.

  16. Run a full scan of Spybot and remove any spyware found.

  17. Run a full scan of Spysweeper and remove any spyware found.

  18. Search the registry (start->run->regedit) for any spyware programs found in hkey_local_machine\software\microsoft\windows\currentversion\run or hkey_current_user\software\microsoft\windows\currentversion\run

  19. Run msconfig (start->run->msconfig) and remove any spyware programs found in startup.

  20. Do a search on the computer for any remnants of spyware and delete them. Examples of things to search for (but not limited to):

benbqpb.exe
nail.exe
bolger.dll
ebates_moemoneymaker
svcproc.exe
mediaaccess

  21. Run a full virus scan and remove any viruses found according to instructions found on your anti-virus program’s web site.

  22. Reboot into normal mode.

This takes about 3 or 4 hours to do.
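An added example, not code from the post above or from HijackThis itself: a small Python triage that parses HijackThis log lines like the ones quoted in that post and flags the persistence entries (system.ini Shell hook, BHO, Run key, service) that point at the files the post names. The sample log is constructed from the thread’s own lines; the O4 key spelling `HKLM\..\Run` is HijackThis’s usual format and is assumed here.

```python
import re

# Constructed sample: the HijackThis entries quoted in the removal post,
# plus one benign Run entry (ctfmon.exe) so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [tustkk] c:\windows\system32\benbqpb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# File names the thread identifies as part of the infection (lower-cased).
SUSPICIOUS_NAMES = {"benbqpb.exe", "nail.exe", "bolger.dll", "svcproc.exe", "mediaaccess"}

LINE_RE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')      # a Windows path inside the entry
SHELL_RE = re.compile(r"shell=(.*)", re.IGNORECASE)

def parse_entry(line):
    """Split one HijackThis log line into its section code (R0, O4, ...) and body."""
    m = LINE_RE.match(line.strip())
    return {"section": m.group("sect"), "body": m.group("body")} if m else None

def explain(entry):
    """Return a reason string if the entry is a persistence mechanism worth reviewing, else None."""
    sect, body = entry["section"], entry["body"]
    names = {p.rsplit("\\", 1)[-1].lower() for p in PATH_RE.findall(body)}
    shell = SHELL_RE.search(body)
    if sect == "F2" and shell:
        # system.ini Shell= should be exactly Explorer.exe; any extra token runs at every logon
        extra = shell.group(1).split()[1:]
        if extra:
            return "shell hook: Explorer.exe launches " + ", ".join(extra)
    bad = names & SUSPICIOUS_NAMES
    if bad:
        kind = {"O2": "BHO", "O4": "Run key", "O23": "service"}.get(sect, sect)
        return f"{kind} loads known-bad file " + ", ".join(sorted(bad))
    return None

def triage(log_text):
    """Return [(section, reason)] for every log entry that explain() flags."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        reason = explain(entry) if entry else None
        if reason:
            hits.append((entry["section"], reason))
    return hits
```

Running `triage(SAMPLE_LOG)` flags the F2 shell hook, the Bolger BHO, the benbqpb Run entry and the svcproc service, and leaves the R0/R1 browser settings and the ctfmon entry alone.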

I had a similar problem with a virus and spyware this past weekend. I ran Norton, AdAware and Spybot, and none of them worked. After I tried downloading and running a few other programs to no effect, a friend advised me to get SpySearch, restart the computer in Safe Mode, then run Norton and SpySearch again. That worked, and after I restarted the computer again in regular mode, everything was fine. Somebody else could probably talk you through the details of how to do that better than I can.

Update: it does not seem to be a rootkit. So I think it’s an installer. What is the best way to find it and get rid of it? Just running all antispyware programs in safe mode?

romansperson’s advice seems pretty complete. If that doesn’t remove it, nothing will.

A slight hijack here: What’s a good way to tell whether your computer may have picked up spyware if you don’t see any obvious unusual behavior? No browser hijacks or unusual popups.

We run ZoneAlarm Pro. We also periodically update and run Ad-Aware and Spybot and all they ever turn up is tracking cookies. However Ad-Aware hasn’t succeeded in finding an updated definitions file since October so it may be missing things.

Should I routinely run HijackThis and/or some of the other tools mentioned here, “just in case”? Or should I be reasonably confident that “no odd behavior” + “ZoneAlarm” = safe computer? We recently got broadband (cable modem), so I know our risk is higher than it used to be.

Are you running the full scan or the smart scan?

During the crisis I described, the friend who got me through it offered Hijack This only as a last resort and called it “the sledgehammer of the spyware toolkit.” It’s indiscriminate and picks up more than just spyware. It warns you of this fact. So if you run it and don’t know exactly what everything is, you can end up deleting things you really need. So with my limited knowledge I’d recommend against using that thing.

Download the current version of AdAware SE Personal v.106. It is a new program that came out on 5/27; the older versions are not upgradable anymore.