Problems with spyware that reinstalls itself

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sharagoz, Nov 19, 2006.

  1. Sharagoz

    Sharagoz Private First Class

    Alright, so I got some problems with spyware. I started noticing the problem after I began to receive those aggressive ErrorSafe-popups. I've been trying to use Spybot S&D to remove it, but the spyware manages to reinstall itself.
    I've had similar problems a few times before but spybot has always managed to solve the problem. Not this time.

    It's a few days since I really got aware of the problem and I've got a feeling that the spyware reinstalls itself when I'm using a web browser. I'm mainly using Firefox but I also use IE daily and sometimes Opera.
    Because of the web browser suspicion I ran a test:
    First I ran Spybot and removed all entries (86 entries and it's maybe 24hrs since last time). Then I rebooted the comp and ran Spybot again without having started anything after the reboot.
    The result of the test can be seen here:
    http://img361.imageshack.us/img361/4273/afterrebootbs5.gif

    The hitbox thing is back already. The firewall override thing is something I've done myself and don't want removed. I didn't clean/remove any of the entries.

    After this I started FF and Opera. I didn't surf the web, I just visited the start pages (google).

    I closed the browsers and ran a new test. The result was the same, so no new entries.

    After this I opened IE and only launched the start page (google). I closed the browser and ran a new Spybot test.
    Here's the result:
    http://img463.imageshack.us/img463/2944/afterielk5.gif
    -1 new entry since last time.

    After this I opened a page that I knew had advertising. This was www.darkthrone.com, a text-based RPG game I play. I didn't do anything except log in to the main page.

    I ran a new test, this was the result:
    http://img179.imageshack.us/img179/7332/afterdtip8.gif
    6 new entries.

    I'm sure I would have gotten more entries if I had visited more pages.
    Note: I didn't do any cleaning between the tests.

    Here's the result of HijackThis. I'm not very experienced with this, but there's nothing suspicious as far as I can see.


    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.

    Does anybody know how I can get rid of this stuff and prevent myself from getting it in the future?
    Does anybody know about some sort of application monitoring program that I can use to monitor what IE is doing when the new spyware entries are added to the registry?


    Regards,

    -Sharagoz
     
    Last edited by a moderator: Nov 19, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments. Make sure that you install and rename HijackThis exactly as we request!
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
