returning spyware

robynze · Mar 31, 2005

I have the following entries in the registry whose processes immediately restart themselves if stopped and re-enter themselves into the registry if deleted:

etbrun - eliteppy32.exe
IKWZIr - ikwzir.exe
Starting up - wbmik.exe

I also can't find the .exe's on the hard drive anywhere to delete.

I have searched everywhere but can't find what worm or spyware or otherwise they are associated with and therefore cannot find any more specific removal tools. The only symptoms seem to be the occasional IE popup. Has anyone encountered any of these processes before? And if so, how did you get rid of them??????

chaslang · Apr 1, 2005

etbrun - eliteppy32.exe <--- normally you will find anywhere from 2 to 10 files starting with elite and ending in .exe. They all must be removed.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

robynze · Apr 3, 2005

I managed to get rid of it by logging in as the administrator in safe mode, deleting all .exe files and entries from the registry (using find next) while they were not in use (as safe mode does not start unnecessary processes). They were unable to replicate themselves and now can no longer start up when the user logs in normally. Computer seems to have worked fine over the weekend so I think I might have nipped it in the bud. Thanks for your help.

chaslang · Apr 3, 2005

I would recommend complete the instructions as given. Normally where there is one problem, there are more. Finishing the procedures will help us determine that.

robynze · Apr 3, 2005

I'd love to but I only have limited access to it as it belongs to a remote site. If they have any more problems I'll give it a go when they bring it down.

chaslang · Apr 4, 2005

Okay but those items you mentioned do need to be fixed.
To find many of these kinds of files you must enabling viewing of hidden file, system files, and all file extensions (as given in the READ ME FIRST).

etbrun - eliteppy32.exe <--- this usually has a bunch for similar filenames to go with it
IKWZIr - ikwzir.exe <--- if this is what I think it is, it is big trouble to delete

Log in or Sign up

returning spyware

robynze Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

robynze Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

robynze Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member