MBS bill virus/malware

[unclecrash]

Hi all

Yet another friends computer (words getting round so maybe i should start charging ) has been handed to me this one has a problem with MBS (micro billing services) who have installed a very difficult to get rid of pop up program. I have searched the hexus forums but there is nothing posted on this so i will tell you what i know.

MBS collect payments for websites (usually porn sites) and use a pop up proram to annoy or blackmail people into paying for something they are unaware they agreed to. A lot of people are adamant they have not visited the site(s) involved nor agreed to payment for anything.

Problem is the removal of what most people seem to regard as a a blatant con. Instructions on its removal can be found with a google search. These instructions include disabling add ons and files with mbs in the title. The files are said to be found in C:\windows\system32.
Works for a lot of people. However in my friends laptop there are no add ons or files that match the description given. Obviously these files/addons are hiding under different names. There are many add ons i am not sure of so disabling one at a time and restarting would be very time consuming.

So finally my question. Does anyone have experience of this and what range of different files names i should be looking for or indeed what names the addons could be hiding under. I have also looked in msconfig under startup and tools.

Many thanks

[herulach]

does avast/spybot etc not get it?

[dave87]

To be sure it is entirely gone? I'd reformat. Not exactly a helpful suggestion, but 100% guaranteed to work.

[unclecrash]

I have not tried avast or spybot (i will look them up now) Norton and avg do not find it though.

[godsdog]

It's actually quite messy this. MicroBillSys file traces are listed at the bottom.

You can run SUPERAntiSpyware and Spybot-S&D but depending what kind of infection / payload has been delivered it would be simpler and quicker to reinstall, especially if you're not familiar with system clean ups.

[alsenior]

i have cleaned this up a few times. there is a forum post somewhere else that give you the heads up on how to remove it. give me a few minutes and i'll find the site

Edit : found How to remove MBS account manager - Geeks to Go!

[Lucio]

This is where I find my copy of System Mechanic a useful tool, it's uninstaller tends to get rid of just about all files and registry keys associated with a particular program, no matter where it finds them on the PC.

I wish they'd sell a license and copy that could run straight from a USB memory stick

[godsdog]

Except things change. The last updated version was clocked at September 26th 2007 on the sunbelt article, and from what I remember it's changed since then too. In other words, I wouldn't be too complacent about full removal using bfu.


Edit: quick check reveals that November 11th was another update version and there has probably been another. AntiVir anti virus picks it up and it's also the best remover out of the three free ones. So I would change AVG to Avira's AntiVir. So try BFU and run Antivir and then run two antispyware programs above and provided you haven't got some dastardly newer version, you should be ok (maybe).
.
.

[unclecrash]

Spybot found two files (from memory sprzu.exe and u2 something can't remember the rest of the name) associated with mbs so i manually removed them. The following was also highlighted....
HKEY_LOCALMACHINE\software\microsoft\windows\currentversion\run,mbssm32.
I checked in regedit but it was not there. Any ideas why or how i can find it?

Never used bfu before. It looks like i have to name the file it will delete so do i have to run it for each file (Other forums on the subject say there are six files to remove in total meaning i need to find their names before using bfu) or will it remove all associated files.

I am switching to nod32 soon and will recommend to my friend he does the same but should i (we) be running more than just nod32 to gain complete protection from programs such as these or is a regularly updated nod going to be sufficient.

[dave87]

NOD32 should be sufficient unless he's the one actively installing the software.

[godsdog]

Spybot found two files (from memory sprzu.exe and u2 something can't remember the rest of the name) associated with mbs so i manually removed them. The following was also highlighted....
HKEY_LOCALMACHINE\software\microsoft\windows\currentversion\run,mbssm32.
I checked in regedit but it was not there. Any ideas why or how i can find it?

The combination of AntiVir / SUPERAntiSpyware / Spybot should clean it. Failing that it's a HijackThis job where you have to look at the infection - and unless someone has the time to go through it properly (I don't have the time right this second to go through it properly) then your best bet is either reinstall or let Nod32 have a go at it.

I am switching to nod32 soon and will recommend to my friend he does the same but should i (we) be running more than just nod32 to gain complete protection from programs such as these or is a regularly updated nod going to be sufficient.

The staple diet of an average Windows system should have a decent anti virus package, spyware prevention and spyware removal capability. Nod32 is one of the best on the market. Combine that with Spywareblaster (prevention and free) and SUPERAntiSpyware and/ or Spybot S&D (removal and free) you should be more than covered. ...unless you are being deliberately reckless.

[unclecrash]

I read throgh the link you provided alsenior and now understand how to use bfu properly. Cheers. I will try that and hope it finds the files i can't.

Many thanks to all who posted replies.