Spyware keeps coming back....

paulc87

I've tried every spyware program already....

Every time I restart my computer, the programs Cashback, Navisearch, and Webupdate come back. How can I trace the file that reinstalls these programs?

TIA for any help
 
Run->msconfig and startup tab will have a few. They also list where they come from. Even though it may not be a complete list... look at the source of whatever malware does show there. It will say something like "HKLM/Software/Microsoft/Windows/CurrentVersion/Run" or something like that... also same path ending in "/RunOnce" or "/RunOnceEx." The HKLM stands for HKEY_Local_Machine folder you will find in your registry. Go to Run-> Regedit. It is usually either this path or HKEY_Current_User. Those are the two spots and they have the same path except for that first part (HKLM vs. HKCU.) I wish I could give you the exact path but it's a bit long - i.e. can't remember. I actually might be right on the money though. I am almost positive you will have one at least from HKLM, check out the paths in msconfig and you then know the proper spot to check in both HKLM and HKCU... Just still beware of the variations "\Run", "\RunOnce" & "\RunOnceEX"

That startup tab and those spots in your registry are where they most likely originate. Killing them in msconfig will kill two-thirds or maybe a bit over half of them, the rest require digging. I've had one, TVMedia, that no sooner you kill it in the registry it works its way back before you can even restart :eek: I had to research until I found which software could eliminate this as it req'd some kind of work around. Spyware Doctor was the only thing that could kill it.

edit: Long path was right... "HKLM/Software/Microsoft/Windows/CurrentVersion/Run" and variations of "/Run" like "/RunOnce." Remember HKLM is HKEY_Local_Machine. Check HKCU->HKEY_Current_User (rest of the path is the same) too.

Msconfig->Startup menu needs nothing other than systray and recognizable stuff like drivers. You will find everything from stuff with no name (bad), stuff blatantly saying stuff like "WinAdCtrlCenter", and other stuff with names that look like you hit your head on the keyboard -> "agkfajbf." I hate to say this as I don't want you to hose your box and kill all your startups, but most of the time if you don't know what it is... it is in fact junk. For instance I have nothing other than two nV driver things, systray, and pcc (pc-cillin). Again, the paths are there so you use a bit of sense and say you see that you have "ccApp" originated from your symantec/Norton folder and you put two and two together. Real stuff has no reason to hide their startup path, have ridiculous names, or confuse you.
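As an added example (not code from anyone in this thread), the following PowerShell script lists every entry under the Run, RunOnce and RunOnceEx keys in both HKLM and HKCU that the post above describes, and shows for each one the executable it launches and whether that file is actually on disk, so the no-name and keyboard-mash entries can be checked against their source folder before anything is deleted. It assumes Windows PowerShell 3 or later.

```powershell
# Added example, not code from the thread: enumerate the autorun registry
# entries discussed above so each can be checked before it is deleted.
function Get-AutorunEntry {
    $base = 'Software\Microsoft\Windows\CurrentVersion'
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') {
            $path = "${hive}:\$base\$sub"
            if (-not (Test-Path $path)) { continue }      # key absent on this box
            # RunOnceEx keeps its commands in numbered subkeys; Run/RunOnce use values.
            $keys = if ($sub -eq 'RunOnceEx') { Get-ChildItem $path } else { Get-Item $path }
            foreach ($key in $keys) {
                foreach ($name in $key.GetValueNames()) {
                    $cmd = ([string]$key.GetValue($name)).Trim()
                    if (-not $cmd) { continue }
                    # The executable is the quoted path or the first token of the command line.
                    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
                    $exe = [Environment]::ExpandEnvironmentVariables($exe)
                    # A bare name like rundll32.exe is resolved through PATH via Get-Command.
                    $onDisk = (Test-Path -LiteralPath $exe) -or
                              [bool](Get-Command $exe -ErrorAction SilentlyContinue)
                    [PSCustomObject]@{
                        Key     = $key.Name
                        Name    = $name
                        Command = $cmd
                        Exe     = $exe
                        OnDisk  = [bool]$onDisk
                    }
                }
            }
        }
    }
}

# Entries whose file is missing, or that live outside Program Files / Windows,
# are the ones worth researching first, as the post suggests.
Get-AutorunEntry | Sort-Object OnDisk, Key | Format-Table -AutoSize
```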
 
I think I got it, thanks for the advice guys

I had TV media once, the Process Watch that comes with Adaware comes quite in handy :D

EDIT: No I didn't. I disabled all startup programs but the ones I knew, and it still installs.

Any way to trace what program they all installed from?
 
Ok, I edited it like oodles of times... might be worth a re-read. That long-ass path was hard to remember. It's one of those things you can just automatically do once you've been there enough and your path choices are right in front of you. Really hard off the top of my head with the admin policies in place on work machines. But that's the path.... it's a true battleground for malware and viruses so it's essential to get comfortable with it.
 
I deleted all the reg entries for the programs that were running, and nothing is in the Run or Runonce categories.

Hmmm it's still coming back. I'm pissed off, I'll restart and post back here after I smoke a cig. Now I'm going to get cancer because of spyware :D Lawsuit maybe?
 
Yeah... well after you've removed what you can with spy programs, add/remove programs, startups in registry and msconfig.... then you hit the web with the names of the baddies for specific help. You are looking in the right places, the trick is to go forth with this info after you see what returns. Those are the key spots, if the problem is persistent, you will most likely see that it actually worked its way back to msconfig and/or registry. Then it's google time. Research could involve sharing your HijackThis log. But you've done what you can do.

Run->services.msc is a place some reside also but it's trickier in there. I have only gotten honest to goodness trojans in there. I don't go there until the research tells me to with specifics in mind. I guess you could compare your list of services but other people have probably documented the problem. If you go in there looking, leaving services when in doubt, you will most likely miss it as the trojan startups I have found there try and fit in.
 
I'll throw in another request for a HijackThis log ... even though I'm new to that program, I've found it to be extremely useful. My sister found it necessary to use my comp one day and when I got home I had 6 Internet Explorer popups on my monitor. I don't use IE, so I don't know where the fuck they came from, but I was able to remove the stuff with Ad-Aware and Spybot S&D ... nearly all of it came back on the next reboot though, so I installed HijackThis and removed stuff that looked suspicious, and then ran Ad-Aware and Spybot scans again, installing SpywareBlaster after it was done to block new infections. My comp has been clean ever since :cool:
 
http://hardforum.com/showthread.php?t=768776


at this juncture I'd venture a guess you'll have to interrupt the infection to delete it
some are very stubborn

I'd recommend you trial Process Guard
you will then more or less have a firewall for the kernel itself
and have the option to approve, approve once, disapprove or disapprove once each and every process at a very low level

the default processes are
* Csrss.exe
* Explorer.exe
* Internat.exe
* Lsass.exe
* Mstask.exe
* Smss.exe
* Spoolsv.exe
* Svchost.exe
* Services.exe
* System
* System Idle Process
* Taskmgr.exe
* Winlogon.exe
* Winmgmt.exe

note processes other than those that try to run and research them individually from a 2nd computer, often you can ID the infection and manual removal instructions that way

you might need to delete via the commandline or safemode

note* Process Guard is normally installed on a known clean system, ideally a fresh install unconnected to the internet and you simply approve all processes that try to start
used this way it's a very effective tool to disrupt an infection, however employing it requires considerable research, if in doubt use the disapprove once option
 
Thanks to all who helped, I used the Hijackthis program too and it worked.

Spyware is completely gone (for now)
 
congratz :D

not so stubborn after all
the cool websearch trojan in particular can be very stubborn
last time I had a run-in with the latest variant on a friend's box I had to resort to Process Guard ;)
 