  1. #1

    Dos_Box

    Where else does spyware live?

    Right. I came back yesterday to find one of our desktop systems infected (so much for Windows Defender!). It's recurrent spyware, and since this morning I've taken the following actions to remove it (it keeps coming back, the little tyke!):

    1. Ran Windows Defender with Delete set on all options. It said it found nothing.

    2. Ran Ad Aware. Again it found nothing.

    3. Ran Spybot S&D. It found lots and removed them.

    4. Deleted all of the system restore points.

    5. Deleted the startup entries.

    6. Cleared all temp files and temporary internet files manually, just to be sure.

    7. Rebooted.

    8. Watched the pop-ups start again.

    Any extra ideas would be greatly appreciated.

  2. #2

    Geoff

    1. IE BO?
    2. win.ini run= ?
    3. win.ini shell= ?
    4. Startup program group?
    5. Device driver?
    6. Service?

    Also bear in mind, the spyware might be using a rootkit to hide itself.

    All in all, I'd suggest you format/reimage. It's quicker.

  3. #3

    Dos_Box

    I'm considering the last option, believe me. I did try the other options you listed too.

  4. #4


    Believe it or not, I've found spyware sat in the root of the C:\ drive in various exe forms... not sure it'll help you.

    Have you got your Sys Restore turned back on? Does it still pop up if you turn sys restore off?

    (I'm sure you've looked at that... but just thought I'd check)

  5. #5
    DMcCoy

    It's probably hidden from Windows by a rootkit running as a driver. Try this http://www.sysinternals.com/Utilitie...tRevealer.html to find any suspicious files. I found one on a relative's machine, most informative. Safe mode helps if it's a driver.

  6. #6
    krisd32

    When doing spyware searches I always run in safe mode, as most of the time they will not be running then, and usually 100% fix rate on all machines with Ad Aware and safe mode. Also go into the registry:

    hklm\software\microsoft\windows\current version\run - and all the other run options, and delete all the keys that you don't recognise. (hkcu as well, same path, but usually everything resides in hklm.)

    As I said, I do this on any PC with spyware issues and have found it to be 100% effective!

  7. #7

    mac_shinobi

    Boot up into safe mode with networking (that way you can still access the internet to get things).

    I would suggest ewido from www.ewido.net, spy sweeper from www.webroot.com

    Make sure to update the definitions for ewido and spy sweeper.

    As for things starting up with Windows, get Startup Control Panel from www.mlin.net (great little utility).

  8. #8

    Ric_

    I once had a piece of malware that launched as part of the shell, attaching itself to explorer. This was hidden in the registry.

  9. #9

    Dos_Box

    Quote, originally posted by gecko:
        Boot up into safe mode with networking (that way you can still access the internet to get things).

        I would suggest ewido from www.ewido.net, spy sweeper from www.webroot.com

        Make sure to update the definitions for ewido and spy sweeper.

        As for things starting up with Windows, get Startup Control Panel from www.mlin.net (great little utility).

    I already use Startup Control Panel. The entries keep re-installing themselves on the fly (aaaarrrrgggghhhhhh!)

    So far I've had no joy, not even with the Sysinternals rootkit proggy.

  10. #10


    Yes, there's probably a couple of processes running and monitoring each other. In the past I've gone into safe mode and wiped out everything in the startup reg etc. with msconfig. Then hit F5 to refresh and check which ones have re-registered themselves. Those will be the evil ones!
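
The snapshot-and-compare check described in posts #6 and #10, covering the autostart locations raised in posts #2 and #8, as an added PowerShell example that is not part of the original thread. The function names are hypothetical; the registry paths, special folders and CIM classes are standard Windows ones.

```powershell
# Added example (not from the thread): list common autostart entries and
# report the ones that appear between two snapshots.
function Get-AutostartSnapshot {
    $found = @()
    # Run/RunOnce keys for machine and current user, plus the Winlogon key
    # that holds the Shell and Userinit values.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item -Path $key
        $names = $k.GetValueNames()
        if ($key -like '*Winlogon') { $names = $names | Where-Object { $_ -in 'Shell', 'Userinit' } }
        foreach ($n in $names) {
            $found += [pscustomobject]@{ Source = $key; Name = $n; Value = [string]$k.GetValue($n) }
        }
    }
    # Per-user and all-users Startup program groups.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path) { continue }
        Get-ChildItem -Path $path -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $found += [pscustomobject]@{ Source = $path; Name = $_.Name; Value = $_.FullName }
        }
    }
    # Services and kernel drivers that start without user action.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-CimInstance -ClassName $class |
            Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } | ForEach-Object {
                $found += [pscustomobject]@{ Source = $class; Name = $_.Name; Value = [string]$_.PathName }
            }
    }
    $found
}

function Compare-AutostartSnapshot($Before, $After) {
    # '=>' marks entries present only in the later snapshot.
    Compare-Object $Before $After -Property Source, Name, Value |
        Where-Object { $_.SideIndicator -eq '=>' } | Select-Object Source, Name, Value
}

# Usage: snapshot after cleaning, wait or reboot, then compare.
# $clean = Get-AutostartSnapshot
# Compare-AutostartSnapshot $clean (Get-AutostartSnapshot)
```

A rootkit of the kind posts #2 and #5 mention can hide entries from these APIs, so an empty result on a live system does not show the machine is clean.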
