Windows Thread, Where else does spyware live? in Technical
  1. #1

    Dos_Box

    Where else does spyware live?

    Right. I came back yesterday to find one of our desktop systems infected (so much for Windows Defender!). It's recurrent spyware, and since this morning I've taken the following actions to remove it (it keeps coming back, the little tyke!):

    1. Ran Windows Defender with Delete set on all options. It said it found nothing.

    2. Ran Ad Aware. Again it found nothing.

    3. Ran Spybot S&D. It found lots and removed them.

    4. Deleted all of the system restore points.

    5. Deleted the startup entries.

    6. Cleared all temp files and temporary internet files manually, just to be sure.

    7. Rebooted.

    8. Watched the pop-ups start again.

    Any extra ideas would be greatly appreciated.

  2. #2

    Geoff

    1. IE BO?
    2. win.ini run= ?
    3. win.ini shell= ?
    4. Startup program group?
    5. Device driver?
    6. Service?

    Also bear in mind, the spyware might be using a rootkit to hide itself.

    All in all, I'd suggest you format/reimage. It's quicker.

  3. #3

    Dos_Box

    I'm considering the last option, believe me. I did try the other options you listed too.

  4. #4


    Believe it or not, I've found spyware sat in the root of the C:\ drive in various exe forms... not sure it'll help you.

    Have you got your Sys Restore turned back on? Does it still pop up if you turn sys restore off?

    (I'm sure you've looked at that... but just thought I'd check)

  5. #5
    DMcCoy

    It's probably hidden from Windows by a rootkit running as a driver. Try this http://www.sysinternals.com/Utilitie...tRevealer.html to find any suspicious files. I found one on a relative's machine, most informative. Safe mode helps if it's a driver.

  6. #6
    krisd32

    When doing spyware searches I always run in safe mode, as most of the time they will not be running then, and usually 100% fix rate on all machines with Adaware and safe mode. Also go into the registry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run - and all the other Run options, and delete all the keys that you don't recognise. (HKCU as well, same path, but usually everything resides in HKLM.)

    As I said, I do this on any PC with spyware issues and found it to be 100% effective!

  7. #7

    mac_shinobi

    Boot up into safe mode with networking (that way you can still access the internet to get things).

    I would suggest ewido from www.ewido.net, Spy Sweeper from www.webroot.com

    Make sure to update the definitions for ewido and Spy Sweeper.

    As for things starting up with Windows, get Startup Control Panel from www.mlin.net (great little utility).

  8. #8

    Ric_

    I once had a piece of malware that launched as part of the shell, attaching itself to Explorer. This was hidden in the registry.

  9. #9

    Dos_Box

    Quote: Originally Posted by gecko
        Boot up into safe mode with networking (that way you can still access the internet to get things).

        I would suggest ewido from www.ewido.net, Spy Sweeper from www.webroot.com

        Make sure to update the definitions for ewido and Spy Sweeper.

        As for things starting up with Windows, get Startup Control Panel from www.mlin.net (great little utility).

    I already use Startup Control Panel. The entries keep re-installing themselves on the fly (aaaarrrrgggghhhhhh!)

    So far I've had no joy, not even with the Sysinternals rootkit proggy.

  10. #10


    Yes, there's probably a couple of processes running and monitoring each other. In the past I've gone into safe mode and wiped out everything in the startup reg etc. with msconfig. Then hit F5 to refresh and check which ones have re-registered themselves. Those will be the evil ones!
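
Added example, not written by any poster in this thread: a PowerShell version of the snapshot-and-compare check described in post #10, covering the autostart locations named in posts #2, #6 and #8. It assumes Windows PowerShell 3.0 or later in an elevated prompt; the function names and the CSV path in the usage comment are made up for illustration, and the `HKCU:\...\Windows NT\CurrentVersion\Windows` key is read because that is where NT-based Windows keeps the old win.ini `run=`/`load=` values.

```powershell
# Added example: record the autostart locations named in the thread, then diff two snapshots.
function New-AutostartRow($Location, $Name, $Value) {
    [pscustomobject]@{ Location = $Location; Name = $Name; Value = [string]$Value }
}

function Get-AutostartSnapshot {
    # Registry: Run/RunOnce in both hives (post #6), the Winlogon key holding Shell and
    # Userinit (post #8), and the key holding the old win.ini run=/load= values (post #2).
    # Every value in each key is recorded, so unrelated settings show up too.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($path in $keys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            New-AutostartRow $path $name $key.GetValue($name)
        }
    }
    # Startup program groups, per-user and all-users.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir) {
            Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
                ForEach-Object { New-AutostartRow $dir $_.Name $_.FullName }
        }
    }
    # Services and device drivers that start without user action.
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
        ForEach-Object { New-AutostartRow 'Service' $_.Name $_.PathName }
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } |
        ForEach-Object { New-AutostartRow 'Driver' $_.Name $_.PathName }
}

function Compare-AutostartSnapshot($Before, $After) {
    # '=>' marks rows present only in $After: entries that are new or whose value changed.
    Compare-Object $Before $After -Property Location, Name, Value |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Location, Name, Value
}

# Usage (C:\snap-clean.csv is a constructed path): snapshot right after cleaning, then compare.
#   Get-AutostartSnapshot | Export-Csv C:\snap-clean.csv -NoTypeInformation
#   Compare-AutostartSnapshot (Import-Csv C:\snap-clean.csv) (Get-AutostartSnapshot)
```

Anything the comparison prints re-registered itself after the cleanup. Entries concealed by a rootkit driver, the case raised in posts #2 and #5, will not appear in a snapshot taken from the running system.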
