Re: Losing the Spyware Battle



This site was helpful, but for the benefit of others, assuming that I have gotten rid of the mess, the two main files that were giving me problems were jervw.exe and rukr.exe, both in \windows\system32, both hidden. I think another file wrote them as they kept coming back. I had to go through the registry to get rid of all references to both. They were apparently planted by one of the search bar programs, but I have spent so much time on this one and done so many things that I cannot remember which one.

Strangely enough, the program recommended in the link below did not find some of the startup files that I had to delete manually. They were still showing on the Startup tab in msconfig, but not in Autoruns.exe.

Thanks for all the help. Hopefully this machine is clean.

And before you ask, NO it was not cost effective to spend this much time, but I enjoy a challenge and always learn something along the way. In this instance, I learned about Autoruns.exe, which is now part of my toolkit.


MowGreen [MVP] wrote:

This tutorial shows how to find where the malware is loading from:

http://www.bleepingcomputer.com/forums/How_to_remove_a_Trojan_Virus_Worms_or_other_Malware-tut101.html


MowGreen [MVP 2004-2005] =============== *-343-* FDNY Never Forgotten ===============


mcp6453 wrote:

I'm closing in on it. There is one file that keeps trying to be installed in Run in the registry, called ulkulk.exe. Microsoft Antispyware blocked it, but I cannot find that file on the hard drive (search hidden and system files) and I cannot find any reference to it in the registry or elsewhere. There is some place I'm not looking. A Google search yields zero hits on that filename, which must mean that the spyware/adware/whateverware is creating a randomly assigned name for the critter.


R. McCarty wrote:

Been there, Done that - What a fun operation - Right up there
with cleaning out gutters. Sometimes it's better to backup all
the data and re-install. But if that's not an option, you've made
a good run at it. Here's a few extra items:

Dump IE Cache, Cookies.
Download/Run Spybot Search & Destroy 1.4 (Just Released)
Download/Run HiJackThis & CWShredder. Check for BHO's
(Browser Helper Objects).
Override Default Cookie Handling - Accept 1st, Block 3rd
Run online scans for Virus, Trojans and Malware
Check IE Zone Settings
**Likely you've got Registry remnants that are just a royal PITA
    to try and remove manually. Some of the online scanners can
    pinpoint them, but offer no removal capability.

"mcp6453" <mcp6453@xxxxxxxxxxxxx> wrote in message news:OWr6GgQaFHA.464@xxxxxxxxxxxxxxxxxxxxxxx

I have an XPP machine that has the worst infestation of spyware I've seen, and it is whipping me. It had some viruses, too, but I got rid of those pretty easily. It was necessary to run LSPFIX (what a great utility!) to get the machine to communicate over the Ethernet port. Because I don't want to have to reinstall the applications (there are some custom written ones that I don't want to have to figure out), I'm spending unbillable time trying to clean it. Here is where I am so far:

1) EZTrust Antivirus scan - clean
2) housecall.trendmicro.com online scan - clean
3) Ad-Aware (updated) scan - clean
4) Microsoft Antispyware scan - clean
5) Run in Registry - no unidentified keys
6) Manually deleted urkurk.exe from \windows\system32
7) Manually deleted jervw.exe from \windows\system32
8) Re-ran all scans in Safe and Normal modes
9) Set everything in msconfig to off
10) Set Microsoft Antispyware to real time monitor
11) Installed Google toolbar to prevent pop ups
12) Removed everything unfamiliar in Add/Remove Programs

On each of the above, if anything was discovered, I did a rinse, lather, repeat until the process came up clean.

When I start Internet Explorer, I still get an occasional popup. What am I overlooking? Why are Ad-Aware and Microsoft Antispyware not picking up these varmints?
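An added example, not part of any post in this thread: a read-only PowerShell audit of the places the posters checked by hand (the Run/RunOnce registry keys and Browser Helper Objects), reporting whether each entry's target file is missing or hidden. It assumes PowerShell 3.0 or later and an elevated prompt; the function names are hypothetical, and the System32 fallback for bare file names is an assumption.

```powershell
# Added example: read-only audit of autostart entries; nothing is deleted or changed.
$runKeys = 'Run', 'RunOnce' | ForEach-Object {
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\$_"
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\$_"
}
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Resolve-CommandPath([string]$Command) {
    # Extract the executable from a command line: a quoted path, else text up to the
    # first executable extension, else the first token.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if (-not $c) { return $null }
    if ($c -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($c -match '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s|,|$)') { $p = $Matches[1] }
    else { $p = ($c -split '\s+')[0] }
    # Assumption: a bare file name is looked up in System32.
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    return $p
}

function Get-FileState([string]$Path) {
    if (-not $Path) { return 'NO TARGET' }
    # -Force makes hidden and system files visible, unlike a default search.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return 'MISSING' }
    if ($item.Attributes -band [IO.FileAttributes]::Hidden) { return 'HIDDEN' }
    return 'present'
}

$report = @(
    foreach ($key in $runKeys) {
        $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            $target = Resolve-CommandPath ([string]$k.GetValue($name))
            [pscustomobject]@{ Source = $key; Name = $name; Target = $target; State = Get-FileState $target }
        }
    }
    foreach ($sub in @(Get-ChildItem -LiteralPath $bhoRoot -ErrorAction SilentlyContinue)) {
        # Each BHO subkey is a CLSID; its DLL is the default value of InprocServer32.
        $srv = Get-Item -LiteralPath "HKLM:\Software\Classes\CLSID\$($sub.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($srv) { Resolve-CommandPath ([string]$srv.GetValue('')) }
        [pscustomobject]@{ Source = 'BHO'; Name = $sub.PSChildName; Target = $dll; State = Get-FileState $dll }
    }
)
# Entries whose file is missing or hidden sort first; those are the ones to investigate.
$report | Sort-Object { $_.State -eq 'present' }, Source | Format-Table -AutoSize -Wrap
```

For entries launched through a host such as rundll32.exe, the reported target is the host, so the full command line still needs a manual look. On 64-bit Windows the same keys also exist under `Wow6432Node` for 32-bit software.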




