Spyware/adware Re-installing itself?

Hello Everyone, I am using xp home (oem) I cannot seem to find an answer to this, here it is>> I have these reinstalling on my pc register, they are "cometcursor, Cometcursor.com,cometcursor.net, aureate, lop.com, gator, flyswat, radiate, NetPal. I delete them manually but they keep coming back. All spyware scans that I use (spybot, adaware, spysweeper and others) dont even detect them. Also I get NetSlayer(Rat) and only yahoo antispy toolbar detects that and even after it is removed, that comes back in a day or so! I even removed NetSlayer Manually (with instructions from Pest Patrol) still returns. Anyone know why they are not being detected and why they will not stay removed. Also, I tried removing all of them and turned off system restore. Any idea's would be appreciated, Thanks, Tom

 

Hi Tom - well for one I suspect u are not getting component updates as SpyBot does detect as does Ad-Aware SE the malware u mention. Next, I would recommend u install Spywareblaster which prevents this stuff from entering ur computer. Like with all software, it is necessary to maintain regular updating. If u check Update Alerts at Wilders here, our gurus post reminders when updates are available. I check that thread daily and find it a blessing.

Here is the download site for Spywareblaster.

http://www.javacoolsoftware.com/sbdownload.html

After downloading [if u choose to do so] be sure to clicl on "enable all protection" or words to that effect. If u fail to do so, then this software will not protect u.

 

Ok, Well, I was using the latest update of spybot/adaware at the time. Also I have had SpyWareBlaster on this pc for over a year. I also have Process Guard, Ewido, Spyware Guard, SpySweeper, HiJack this, Yahoo Antispy toolbar, Startup Monitor, Script Sentry, and a Note from my Mother telling everyone to stay away from her sons pc. Now NetSlayer is detected by my Yahoo AntiSpy Toolbar and it removes it, but its back in a day or so. The others, I find myself via registry! DVK01 maybe right, When I first ran Spybot it may have put them in the registry on the first search and I forgot about it. I did not know Spybot does that? But the NetSlayer was and never is detected by anything but yahoo antispy toolbar!

 

Hey tom,

Does yahoo antispy toolbar create somekind of log or can you somehow show what locations it's finding NetSlayer....and any others you may be concerned with.

 

Yes, I believe it does have a log where you can restore what you removed. Want me to check it out?

 

Here is an attachment showing what Yahoo found and removed!

 

if we're wondering how this stuff gets started and you're comfortable with the registry you could try these locations:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders

the win.ini and system.ini files are a place too look too.... if you make any changes make sure you back up the entry first so you have a way back if you need it.

 

Chopsaw, Thank You for the info. I seen some of these registry entries before, but my pc doesn't have some of them at all, like the "Open" after "Shell" etc. I guess it has something to do with being a OEM from HP Preinstallation.

 

not really .... the items are only added if needed ... the list is not written in stone ... but these locations are a place to look if you have the re-install problem.

You don't always find the item in these locations of course ... a dll or "dynamic link lybrary" file on the system can also be the problem ... those are much harder to find ... usually what i would do is run a program like regmon.exe on start up and watch for the activity.

 

I will check it out, Thanks

 

Well, thats your opinon. But as I said above Spybot or adaware are not even picking up this NetSlayer and Yahoo AntiSpy Toolbar just picked it up again. Something is setting this back on my pc. and I will fined out what soon or later. Thanks Guys for your replies. Later