Spyware/malware Can't seem to stop it

Posted on 2004-04-22
Medium Priority
Last Modified: 2010-04-11
I have a client that has an issue with spy ware. I ran spybot, found 350 different spywares on her machine......ran spy sweeper and found another 82........got her logins working for her travel software after taking all these off the computer.....buit she is still getting a ton of pop-up ads.....How do I find what is causing these.....
AND for the BIG points Why didn't these anti-spyware softwares kill it.
Question by:hawgpig
  • 4
  • 3
  • 2
  • +6
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 400 total points
ID: 10895055
ActiveX and IE are the real enemy. Get a browser like Mozilla, or Opera and you'll have 99% less of this.
http://www.2learn.ca/comtech/spyware/spyware.html (good site, read the links- good explainations)
SpywareBlaster on the link provided above will set your IE to stronger settings to lessen spyware.
I feel Ad-Aware is the best remover, and blocker/preventer out there.

Pop-Up blockers can reduce the amount a little, try google's toolbar (toolbar.google.com) it's free.
McAfee Anti-Virus if configured to find "potenially unwanted, and joke programs" can help to. ZoneAlarm is another that has good ad/spy blocking as well as being the best firewall.

Mozilla.org (free, blocks pop-ups, no activeX, no AD's)
Opera.com (free version contains AD's and can't block pop-ups)


Expert Comment

ID: 10895068
A lot of advanced spyware uses something called a trickler, something that continues to call spyware in and is sometimes not detected by Spyware Removal Programs.

Accepted Solution

LeftofCool earned 800 total points
ID: 10895088
Something I should have added before: Is your client experiencing any redirects when she searches or are pop-ups the only symptom. Also what kind of pop-ups are they. Are they related to the site being viewed or are they porn pop-ups. If so you haven't gotten rid of all the spyware.  Also, you might want to try Ad-Aware in addition to the removal programs you are using already. It can be found here: http://www.lavasoftusa.com/ .
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 49

Assisted Solution

sunray_2003 earned 400 total points
ID: 10896213
LVL 21

Expert Comment

ID: 10896871
Look in the Task manager: are there any services that look suspicious?
LVL 21

Expert Comment

ID: 10896873
Also check add/remove programs and look if there are some programs you don't know.

Assisted Solution

magus123 earned 200 total points
ID: 10897022
all these option provided by these experts are great , what you should also consider is finding out
what operating are running like in task manager .  but task manager will not the cut the cake
in your case , run  adaware and check the log to see what services and applications are running a
good way to find out what is suppose to be running is going to this site


a great list on whats running .

also consider to see if any application is access the internet , to do this you can use
a 3rd party software or  run
netstat -a.

another things is make sure you have the latest service packs.

also disable the messenger service in services.

another thing is your client maybe access a site thats banner and malware enabled.. some clients
dont know this ,  ive had customers keep getting malware and still not know whats been happening.
internet site they visit often contaminate their system.  

another tip is ad a pop up blocker , virus scanner and firewall to their system , i use norton pro.

even thou  all these options will help you , you can still get malware on your system , as malware
has found a hole in any secure system.

the best thing is to know what your running , whats open , and what needs to be secure.
if you want us to help you please post your adware log , also run cwshredder from mjein.

if pop ups are your main concern go out and buy norton profeesional for a more secure safer
system, also note norton does not cdome completely secure out the box it requries some
editing and policy changes getting it their , mosty people norton firewall sucks at doing
its job , but have they configured it the way they want it.

also buying a nat or proxy device that hides your intranet can greatly improve security.

whats the best solution thou ???????????????????????????

a new compete fresh formattted and installed system
running adware and cwshreeder once  a week for
preventive measures.

 having this type of system
2 partitions
1  "os"
2 "data"

have what you need installed services , virus scanner , etc
fixes , programs , everything you will need on the system on "os"

then create a image of the partition 1 os   and save it to 2 data .
have the client or user have her programs point to 2 data to
save documents and anything important , if at anytime
the user becomes infected with a serious problem ,
or failure due to hardware ,software ,virus or malaware
or even courrption.

you can always  have a boot cd or disk boot and boot the
dos enabled image program and restore partition "os"
of course doing this overwrites anything that was
on the os partition it should not matter as you
put everything on the data partition.

this option reffers to advanced users that find
their computer slowing that after some time
of trash that get full in the os , causing it to
slow down.

dont use this if your client is a beginner ,
also note that you should save all important data
before any formating and even before reimaging
or restoring a partiton ...

LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 200 total points
ID: 10900510
Just like all anti-virus programs don't pick up the same viruses, and give them all different names, the world of spyware removal is much the same !
I find LavaSoft AdAware to be the best and most up to date, and run in conjunction with HiJackThis as I like seeing things in the flesh.
350 different SpyWares (including tracker cookies) isn't so bad.  Pretty similar to what mine picked up after I first bothered to scan my home PC for SpyWare (after 1-2 years of more or less consistent use !!).
LVL 38

Expert Comment

by:Rich Rumble
ID: 10900617
Agreed, Ad-Aware all the way. Again, a new broswer will help out TONS! Ditch the IE, ActiveX- winblows broswer.

Expert Comment

ID: 10905140
I've run into similar problems with clients. This is what I've had to do:

1) Disconnect from the internet.
2) Reboot
3) Go into Task Manager and write down everything that is running. (If you know it's Windows 100% you don't have to write it down. But beware, the latest versions of spyware are very sly. They name services like 'svchosta' which is not a Microsoft app.)
4) Reboot into safe mode.
6) From another PC, check everything on your list on Symantec's website. They have a very good search tool that allows you to look up each 'service'. It will give you a list of possible virus'/adware that are associated with that 'service'. You'll have to peruse the list to see which might be the culprit. Follow the removal instructions.
7) If you haven't already done so from item 6, check the registry. There are multiple places that a program can be started from on bootup, not just HKLM/Software/Microsoft/Windows/CurrentVersion/Run. Many of the adware programs use some of the lesser known startup registry locations. I wish I could list them all but you probably will find them when going through item 6. Also, one of the adware programs is notorious for inserting itself into the registry location above every time the PC is turned on. I had one machine that had close to 300 entries in that location, 285 of which were the same line.

Sorry, this is very labor intensive but necessary to make sure they don't rebuild themselves as quickly as you remove them. There is one, that remains memory resident, that checks to see if you've deleted it's directory or registry entries. If it finds that something is missing, it recreates or redownloads whatever is necessary. Very nasty.

Now for the really scary part. Many of these are now watching to see if you go to financial websites and trapping ID's/Passwords/account info and then SMTP 'ing the info to someone. Recommend to anyone who has an infected PC with adware that they change all of their passwords immediately and contact any financial institution they may have touched from that PC and explain to them what has happened.

Expert Comment

ID: 10905913
Rather than writing everything down, download HijackThis, it makes a list of all running processes and logs them. After it does this, post the log here.

Expert Comment

ID: 10919650
A simpler, free, and perhaps more direct answer would be to do this:

Download and run Spybot - Search and Destroy (http://www.safer-networking.org/).  Use it's Immunize function to harden the user's IE settings.  Use it's Check for Problems to remove any spyware.

Download and use the Google toolbar.  Disable everything but it's popup blocker.

I have a LOT of machines set up with way with users who run the gamut.  We get zero popus and zero spyware.

LVL 21

Expert Comment

ID: 10925576
I think he already ran SPybot.

Author Comment

ID: 10955201
Wow....Thanks for all the input people.....I wish I had points for everyone....
I picked out the things that helped me most....
The blackviper.com site was interesting...haden't seen that one before...
Years ago when ad-aware first came out I used their software......and had some problems...
Guess they got it fixed cause I broke down and tried it again.....and that is what stopped the popups...
Now it looks like they have NETSKY on their system...
going back tomorrow to fix that also...
Thanks again everyone......

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question