I can't get rid of this!

Tried both. Comes back as clean. I got the firewall to block the webpage that pops up but obviously something is running in the background that doesn't show in my processes list.

Nothing on active desktop either. Good suggestion though.

Newcastle Brown? For when I get so hacked off with it that I need a drink?

You regularly buy kegs at a time then?

You might need to check for rootkits.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

What tools have you tried? Some that I recommend are Spybot Seach and Destroy, AD-Aware SE, Hijack This, Microsofts Antispy.
As for a virus scanner NOD32 is more than 5 times fasters than any other scanner and it detects/cleans more than the others.

If you can't get it off I can ship you an ultimate boot cd.

Did you run your removal tools while booted to safemode without networking? All spyware cleaning should be done in safe mode.

Download HijackThis, which can scan for spyware and show running processes. While you're getting Rootkit Revealer, pick up Autoruns and Process Explorer. The latter will show which DLLs are associated with processes. Check the properties of these DLLs; recent creation date and missing meta-information are suspicious. Google searching the DLL names may also help.

Try using reged32.exe <regedt32? i forget> to browse your registry for malicious entries. I think that's the only program which can see the otherwise hidden overlong key names. Searching Google for the overlong key name invisibility bug may turn up more.

Maybe this is a Browser Helper Object (BHO) attached to your Active Desktop... which is just plain nasty. There is a good BHO remover, but I don't remember the name. You can find them in the reg key HKLM\Software\Microsoft\Windos\CurrentVersion\explorer\Browser Helper Objects. Their SIDs (long numeric names) are listed as subkeys. Copy the SID, go to the top of the registry, and run a search for the SID. Each should have an entry in HKLM\Software\CLASSES\CLID. Search your hard drive for the DLLs referenced in the subkey, and if they are suspiciousm delete the DLLs, CLSID key, and Browser Helper Object key.

Or, this could be very nasty, just above rootkit nasty, and be attaching itself to Winlogin or another early-loading service. Worst case, boot to safe mode with command prompt, run HijackThis (which loads in GUI), and use that to launch your other removal tools. As long as you don't run Explorer.exe, the hacked fundamental services won't load and you'll have full access to your own system.

And there are many spyware forums out there, so maybe someone has posted removal instructions. Good luck.

I am also having an issue with another spyware piece, Virtumundo. I can't even seem to delete it in safe mode, it says the file is in use. Apparently, it's attached itself to the login procedure, so since I still have to log in in safe mode, it gets launched. The only way I can think of is to remove the drive and pop it into a different machine. I was hoping for a more elegant solution though.

Hmmm... Does knoppix support ntfs? If so I'll d/l it first thing tomorrow.

Command-line-only safe mode?

I nuked Virtumundo off a machine a few weeks ago. I found the procedure online someplace. It took a few minutes, involved some software, namely 'CleanUp40.exe' and 'VundoFix.exe'. I have the applications if you PM me an address (too big to attach) I'll send them to you. I don't recall keeping the instructions, so you'll have to google around.

-Zeke

Mentioned at the end of my previous rant, if the spyware loads in safe mode, you'll have to boot to "Safe mode with command prompt."

First, boot to regular GUI safemode and copy all of your spyware tools from a CD to the machine. Run HijackThis and see which malicious DLLs are attached to the fundamental services like Winlogin. Also HijackThis and Process Explorer will show you hidden processes that Task Manager can't, so make note of those.

Then reboot to safe mode command prompt, and start HijackThis. It loads graphically (like everything else will) so use its Run ability to browse directory trees to your other spyware tools.

My Winlogin cleaning notes are not on hand, but here's a start. Since you know the malicious DLL and EXE names, find and delete them. You may need to access the Services portion of the registry (I think it's triplicated, so check each one). Remove references to the bad files and, possibly, recreate good references to the real files by retyping the info from a known good computer.

Cleaning spyware by hand is fun. Too bad it's so well hidden that I don't see it anymore.

I found the page I used when I got rid of the Virutomondo issue:

http://forum.tweakxp.com/forum/Topic181585-29-1.aspx

Please note that the file name they use in the example is NOT THE ONE YOU'LL SEE. Virutomondo randomly generates a file name and you have to look through your HiJackthis logs to find the name. Once you have that you can follow the instructions as posted in the link above.

-Zeke

Kick Bootie... Thanks.

As far as nuking the machine, if it were mine, I would have long ago. Unfortunately, it's a local judge who has no compunction paying me $65 per hour to grind the spyware away and leave his data as intact as can be. I'm happy to oblige.

This morning I thought about command prompt mode, since the adware attaches itself to the logon script. Command mode requires no login - unless you run explore. I figured that was the next step but have't been back to his house to try it.