Spyware/adware Re-installing itself?

Discussion in 'other security issues & news' started by tomteeth, Oct 17, 2004.

Thread Status:
Not open for further replies.
  1. tomteeth

    tomteeth Registered Member

    Joined:
    May 23, 2002
    Posts:
    153
    Location:
    filthydelphia
    Hello Everyone, I am using xp home (oem) I cannot seem to find an answer to this, here it is>> I have these reinstalling on my pc register, they are "cometcursor, Cometcursor.com, cometcursor.net, aureate, lop.com, gator, flyswat, radiate, NetPal". I delete them manually but they keep coming back. All spyware scans that I use (spybot, adaware, spysweeper and others) don't even detect them. Also I get NetSlayer(Rat) and only yahoo antispy toolbar detects that and even after it is removed, that comes back in a day or so! I even removed NetSlayer Manually (with instructions from Pest Patrol) still returns. Anyone know why they are not being detected and why they will not stay removed. Also, I tried removing all of them and turned off system restore. Any ideas would be appreciated, Thanks, Tom
     
  2. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi Tom - well for one I suspect u are not getting component updates as SpyBot does detect as does Ad-Aware SE the malware u mention. Next, I would recommend u install Spywareblaster which prevents this stuff from entering ur computer. Like with all software, it is necessary to maintain regular updating. If u check Update Alerts at Wilders here, our gurus post reminders when updates are available. I check that thread daily and find it a blessing.

    Here is the download site for Spywareblaster.

    http://www.javacoolsoftware.com/sbdownload.html

    After downloading [if u choose to do so] be sure to click on "enable all protection" or words to that effect. If u fail to do so, then this software will not protect u.
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    where are they being found and what is finding them

    also list what antispyware programs you are using

    I strongly suspect that they are the entries in the registry that are put there by spybot to PREVENT them being installed on your computer
     
  4. tomteeth

    tomteeth Registered Member

    Joined:
    May 23, 2002
    Posts:
    153
    Location:
    filthydelphia
    Ok, Well, I was using the latest update of spybot/adaware at the time. Also I have had SpyWareBlaster on this pc for over a year. I also have Process Guard, Ewido, Spyware Guard, SpySweeper, HiJack this, Yahoo Antispy toolbar, Startup Monitor, Script Sentry, and a Note from my Mother telling everyone to stay away from her son's pc. Now NetSlayer is detected by my Yahoo AntiSpy Toolbar and it removes it, but it's back in a day or so. The others, I find myself via registry! DVK01 may be right, When I first ran Spybot it may have put them in the registry on the first search and I forgot about it. I did not know Spybot does that? But the NetSlayer was and never is detected by anything but yahoo antispy toolbar!
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey tom,

    Does yahoo antispy toolbar create some kind of log or can you somehow show what locations it's finding NetSlayer....and any others you may be concerned with.
     
  6. tomteeth

    tomteeth Registered Member

    Joined:
    May 23, 2002
    Posts:
    153
    Location:
    filthydelphia
    Yes, I believe it does have a log where you can restore what you removed. Want me to check it out?
     
  7. tomteeth

    tomteeth Registered Member

    Joined:
    May 23, 2002
    Posts:
    153
    Location:
    filthydelphia
    Here is an attachment showing what Yahoo found and removed!
     


  8. Chopsaw

    Chopsaw Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    10
    Location:
    New Glasgow, Nova Scotia
    if we're wondering how this stuff gets started and you're comfortable with the registry you could try these locations:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"

    [HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"

    [HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"

    [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"

    [HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders

    the win.ini and system.ini files are a place to look too.... if you make any changes make sure you back up the entry first so you have a way back if you need it.
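
An added example, not part of Chopsaw's post: a Python audit of a `.reg` export that lists every value under the Run-type keys named above and reports `shell\open\command` defaults that differ from `"%1" %*`. It assumes the export is already decoded to text, checks only the exefile, comfile, batfile and piffile handlers, and uses a constructed sample with made-up program names.

```python
import re

# Locations taken from the post above; compared case-insensitively.
RUN_TAILS = ("run", "runonce", "runservices", "runservicesonce")
CURRENT_VERSION = "\\software\\microsoft\\windows\\currentversion\\"
HANDLER_RE = re.compile(
    r"(?:^hkey_classes_root|\\software\\classes)\\(\w+)\\shell\\open\\command$")
CHECKED_CLASSES = ("exefile", "comfile", "batfile", "piffile")
EXPECTED_HANDLER = '"%1" %*'
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):
    # Strip the quotes of a .reg string and undo its backslash escapes.
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s  # "@", dword:, hex: and other typed data stay as written

def parse_reg(text):
    # Yield (key, value name, data); "@" is a key's default value.
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unquote(m.group(1)), unquote(m.group(2))

def audit(text):
    # Return (autostart entries, shell-open handlers that differ from the default).
    autostarts, altered = [], []
    for key, name, data in parse_reg(text):
        low = key.lower()
        in_hive = low.startswith(("hkey_local_machine\\", "hkey_current_user\\"))
        if in_hive and any(low.endswith(CURRENT_VERSION + t) for t in RUN_TAILS):
            autostarts.append((key, name, data))
        m = HANDLER_RE.search(low)
        if m and m.group(1) in CHECKED_CLASSES and name == "@" \
                and data != EXPECTED_HANDLER:
            altered.append((key, data))
    return autostarts, altered

# Constructed sample export, not taken from the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /background"
"ExampleTray"="\"C:\\Program Files\\Example Tray\\tray.exe\""
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\example.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''
```

Comparing the autostart list between two exports taken a day apart shows which entry came back after a manual removal.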
     
  9. tomteeth

    tomteeth Registered Member

    Joined:
    May 23, 2002
    Posts:
    153
    Location:
    filthydelphia
    Chopsaw, Thank You for the info. I have seen some of these registry entries before, but my pc doesn't have some of them at all, like the "Open" after "Shell" etc. I guess it has something to do with being an OEM from HP Preinstallation.
     
  10. Chopsaw

    Chopsaw Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    10
    Location:
    New Glasgow, Nova Scotia
    not really .... the items are only added if needed ... the list is not written in stone ... but these locations are a place to look if you have the re-install problem.

    You don't always find the item in these locations of course ... a dll or "dynamic link library" file on the system can also be the problem ... those are much harder to find ... usually what I would do is run a program like regmon.exe on start up and watch for the activity.
     
  11. tomteeth

    tomteeth Registered Member

    Joined:
    May 23, 2002
    Posts:
    153
    Location:
    filthydelphia
    I will check it out, Thanks
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    As I said above if you use spybot & spyware blaster, both applications put entries in certain registry locations to STOP all downloads of the spywares

    DO NOT keep looking in registry for them they are supposed to be there and stick to proper well known anti spyware applications like adaware or spybot

    with common problems like cometcursor, Cometcursor.com,cometcursor.net, aureate, lop.com, gator, flyswat, radiate, NetPal
    if they don't find them then they don't exist
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    From what I've seen the Yahoo toolbar is about as much use in preventing spyware as a chocolate fireguard :D
     
  14. tomteeth

    tomteeth Registered Member

    Joined:
    May 23, 2002
    Posts:
    153
    Location:
    filthydelphia
    Well, that's your opinion. But as I said above Spybot or adaware are not even picking up this NetSlayer and Yahoo AntiSpy Toolbar just picked it up again. Something is setting this back on my pc. and I will find out what sooner or later. Thanks Guys for your replies. Later
     