Removed Spyware returns despite cleanings

Ron

Hi,

I have posted and received replies to my spyware/malware
question a while back but I can't relocate the thread
(even though I found it upon 'search').

I run WinXP Home Ed. and IE 6.

In a nutshell:
I chased a hundred or more Spywares off my PC by
following a stringent detecting and cleansing protocol
prescribed to me here by a consultant (including the
various AV scans, Ad-Aware SE, Spybot-Search & Destroy,
SpywareBlaster, WinPatrol, etc., etc.).
I disabled System Restore, ran 'safe' mode, and followed
every instruction accurately. And it seemed to work.
Scans eventually showed no further Spyware. (No viruses
were present). I set up a Sygate Firewall (freeware)
which appears to be closely screening any intruding sites
trying to get into my system.

Problem: when I leave safe mode and allow 'normal' boot,
then fire up my browser, I almost immediately see Spyware
seizing my PC. The screen slows to a virtual halt, but I
see the hard drive working diligently to re-infest my
system.
Sure enough, when I run Spybot I see 70-100 Spyware
entries. Interestingly, Ad-Aware only shows a few along
with some 'negligible' items.

If I can manage to navigate through websites and carry
out operations without massive delays, should I just "live"
with these infections? My PC seems to be running better
than when it was first infected, possibly because my
Sygate firewall seems more vigilant.

Any thoughts as to how I can obtain better protection? (I
KNOW I should have just reformatted my CD, but I wanted
to learn about protecting my system through hands-on
experience.)
 
Jerry

Also locate the folder named "Prefetch" in the windows directory. Delete
everything in it (windows will rebuild the contents as you use programs). I
had the same annoying problem and found that deleting the contents worked
for me.

Jerry
 
Chris

Hi,

You need a FULL MAINTENANCE on your PC (Disk Clean-Up,
Defragment, etc.). Run McAfee AV software. Install
SP2. And then you should be safe.

If all this does not work, (I'm sure that it will) then
you need to REFORMAT your HD.

For further help, visit my website:
www.yourpcdoctoronline.com
 
Jeff

Hi,

Try installing Spyguard and Spyblaster; they help to block
a lot of spyware from being installed. With Spybot Search
and Destroy, did you immunize your system? It's strange
that you should be re-infested having several spyware
programs running. I have 5 running all the time and I
rarely ever get infested unless it's new and the spyware
detection programs haven't been updated yet.

Jeff
 
sgopus

Visit your website??? that's stupid, that's what the
newsgroup is here for. Trying to make yourself larger in
your own eyes??

Full Maintenance on your PC? Just what does that mean?
Defrag does nothing to inhibit and/or stop spyware/malware.
AV software does nothing to inhibit and/or stop
spyware/malware. Not good advice!!!

I suggest you get HijackThis and follow the directions,
post a copy of the log at the proper place, this ain't it!
If you don't have SP2, get it and install it (make backups
first). Get a better firewall. Sounds like the original
poster is getting a good grip on the basics. Also read
this:

There is a new class of malware/adware/virus/trojan that
is neither found nor fixed using the conventional tools,
such as Norton, McAfee, Lavasoft, etc. It is based on a
super hidden DLL that is not detectable by the OS, even in
safe mode. A full discussion can be found at

http://www.pcsympathy.com/sutra1193.html

including a link to a simple but effective tool called
xfind.

http://home.mnet-online.de/horst.muc/int/find23.zip

Basically, this simple tool can search for files, but it
reports the name of the file that it cannot read. In my
case it was comjiac.dll. That is the malware executive
that keeps reinfecting the machine. It is loaded from the
registry key under AppInit_Dlls, but that key remains
invisible and unreadable by inheriting the file
permissions. Once you know the name from xfind, you rename
or delete using the repair console. Once the name has
changed, the registry key now appears with normal
permissions and can be deleted.

For those that are curious, Win2k and XP support file
permissions that do not let the file be read or modified by
anyone, including the OS itself. It is super-super hidden,
which is why the anti-virus programs cannot find it.
However, the registry console apparently does not consider
file permissions when doing simple operations such as dir,
rename, or delete. xFind gives you the name, the repair
console allows you to kill it, and regedit allows you to
kill the load process.

Please pass along this information to other software
forums. It took me a day of searching with Google to find
the kind person who copied the recipe from another site.

Copied with Permission
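The mechanism described in the post above (a DLL named in the AppInit_DLLs value, sitting on disk with permissions that keep scanners from reading it) can be checked for without a third-party tool. The script below is an added example, not code from the thread, from xfind, or from any product mentioned here. It assumes PowerShell 3.0 or later and an elevated prompt; the registry key and value name are the standard ones Windows uses for AppInit_DLLs (which Windows loads into every process that loads user32.dll). It reads the value, resolves each listed DLL (bare names resolve to System32), reports any that exist but cannot be opened for reading, and then sweeps System32 for unreadable files the way xfind is described as doing. No specific infection or file name is assumed.

```powershell
# Added example, not from the thread. Audits the AppInit_DLLs load point and
# reports any listed DLL that is present on disk but cannot be opened for
# reading. Requires PowerShell 3.0+ (for -File) and an elevated prompt.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDlls {
    # Returns the full path of every DLL listed in AppInit_DLLs.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    # The value is a space- or comma-separated list; bare names load from System32.
    $raw -split '[,\s]+' | Where-Object { $_ } | ForEach-Object {
        if ([IO.Path]::IsPathRooted($_)) { $_ }
        else { Join-Path $env:SystemRoot "System32\$_" }
    }
}

function Test-FileReadable {
    # True if the current token can open the file for reading; false on
    # access denied or a sharing/IO failure (both are worth a look).
    param([string]$Path)
    try {
        $fs = [IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        return $true
    } catch [UnauthorizedAccessException] {
        return $false
    } catch [IO.IOException] {
        return $false
    }
}

function Get-AccessDeniedFiles {
    # Lists files in a directory (hidden and system included via -Force) that
    # are visible in a directory listing but cannot be opened for reading.
    param([string]$Directory)
    Get-ChildItem -Path $Directory -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-FileReadable $_.FullName) } |
        ForEach-Object { $_.FullName }
}

foreach ($dll in Get-AppInitDlls) {
    if (-not (Test-Path -LiteralPath $dll)) {
        "$dll : listed in AppInit_DLLs but not present on disk"
    } elseif (-not (Test-FileReadable $dll)) {
        # Reading the ACL needs READ_CONTROL, which a locked-down file may also deny.
        $owner = try { (Get-Acl -LiteralPath $dll).Owner } catch { 'unknown (ACL read denied)' }
        "$dll : PRESENT BUT UNREADABLE (owner: $owner) - inspect with: icacls `"$dll`""
    } else {
        "$dll : readable"
    }
}

"Unreadable files under System32:"
Get-AccessDeniedFiles -Directory (Join-Path $env:SystemRoot 'System32')
```

A file that an administrator cannot read is not automatically malicious (some hardening products set restrictive ACLs on purpose), but a DLL named in AppInit_DLLs that administrators cannot open deserves to be examined before anything else. On Vista and later, `takeown` and `icacls` recover ownership and rewrite the ACL from an elevated prompt without rebooting into a repair console; on XP the equivalent is `cacls`, or the offline rename the post describes.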
 
Rock

Ron said:
<snip>

You may need to run HijackThis and post the log to one of the specialty
forums, _NOT_ this one. Some of these nasties are hard to get out.

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

After your system is clean use these programs to help keep it clean:

Spywareblaster
www.javacoolsoftware.com/sbdownload.html

Spywareguard
http://www.javacoolsoftware.com/sgdownload.html

IE-SPYAD
http://www.staff.uiuc.edu/~ehowes/resource.htm
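Jeff's question about immunizing with Spybot and Rock's pointer to SpywareBlaster both refer to the same mechanism: the ActiveX kill bit. Internet Explorer refuses to instantiate a control whose CLSID has a subkey under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility with a DWORD named "Compatibility Flags" that has bit 0x400 set, even when the control is installed. The PowerShell below is an added example, not code from the thread or from either tool; the two CLSIDs in it are constructed placeholders, not identifiers of real controls, and an elevated prompt is assumed because the key is under HKLM. It checks whether a given CLSID is already kill-bitted and, if not, sets the bit while preserving any other flag bits already present.

```powershell
# Added example, not from the thread. Demonstrates what "immunizing" against a
# hostile ActiveX control amounts to: setting the 0x400 kill bit in the
# 'Compatibility Flags' DWORD under the control's CLSID. Requires an elevated prompt.
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit   = 0x400

function Test-KillBit {
    # True if the CLSID already has the kill bit set.
    param([string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Creates the CLSID subkey if needed and ORs the kill bit into the existing
    # flags so that other compatibility bits already present are not clobbered.
    param([string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Constructed placeholders standing in for the CLSIDs a block list would contain.
$BlockList = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

foreach ($clsid in $BlockList) {
    if (Test-KillBit $clsid) {
        "$clsid : kill bit already set"
    } else {
        Set-KillBit $clsid
        "$clsid : kill bit set"
    }
}

# How much of the system is already immunized, by count of kill-bitted CLSIDs.
$total = (Get-ChildItem -LiteralPath $CompatKey -ErrorAction SilentlyContinue |
          Where-Object { Test-KillBit $_.PSChildName }).Count
"CLSIDs with kill bit set: $total"
```

Setting the bit is per-CLSID, so an immunization list is only as good as the list of control identifiers behind it; that is why the tools above need regular definition updates, and why a control with a fresh CLSID sails past an un-updated list.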
 
Brian Viercant

If you have Style XP, you will need to change a whole mess of things, and this
does include stuff hidden away in the registry (TGTSOFT & Style XP: run a
search). Also there is a start line in the win
configuration (kernel=kernel.exe). These need to be dumped and the page saved.
Then re-install SP1, then SP2. The adware resides in a folder called
Resources; look for it, but make sure you know what you are doing before you
delete anything.
Regards
Brian UK
 