Persistent spyware


Scabrous Birdseed
20-03-2007, 08:06:35
My computer has a rather unpleasant spyware problem. What's happening is that I keep removing a raft of spyware apps (using both SpyBot S&D and Ad-Aware) but they keep returning when I reboot!

I've discounted a virus (my anti-virus software says no) and I can't imagine any of my startup software being the culprit (ClamWin antivirus, COMODO personal firewall, Skype, NvCpl). Any ideas?

Drekkus
20-03-2007, 08:27:22
What are the names of the apps? Not that I'm an expert, but there are some sites (like http://www.neuber.com/taskmanager/process/index.html) that will tell you if something is bad or not.

Scabrous Birdseed
20-03-2007, 09:15:55
They're bad, trust me. :D

Scabrous Birdseed
20-03-2007, 09:16:51
Oh you mean like that. No, I don't think that's it...

Venom
20-03-2007, 11:44:21
Try Hijack this. It's pretty good at removing nasty stuff that infiltrates your browser.

Scabrous Birdseed
24-03-2007, 05:09:59
There's still something that reinstalls half a dozen pieces of malware to my computer every time I start up and I can't figure out what. I've tried three different spyware removers and none of them know what it is, only removing the surface problem.

Scabrous Birdseed
24-03-2007, 05:15:18
By Jove, I've found it. It was "NvCpl.exe", a process all websites assured me was a vital component of the Nvidia drivers...

Scabrous Birdseed
03-04-2007, 05:46:36
FINALLY figured it out. It was a piece of spyware called VirtuMonde that generated randomly named dll files that put themselves in startup...

MDA
03-04-2007, 11:43:34
Ergh. Had a lovely time with my sister's comp this weekend - she hadn't updated virus protection since 2003 :bash:

Only 23 viruses, and I didn't count the stuff adaware removed.

She thought the update your protection messages were "advertisements", but never thought to ask anyone about them.

Drekkus
03-04-2007, 11:51:45
My laptop got infected with some really aggressive trojan this weekend. It started pumping out emails like crazy, with half of them being blocked by my Symantec AV. I found what exe file caused it, but after deletion it just came back after start up. It's a laptop from work, so the tech guy at work is really happy, especially since even he can't seem to get rid of it.

I'm happy I was surfing for porn this once when it happened. Just imagine if it was a Southpark site. But I guess I will be buying my SP episodes from iTunes now.

Venom
03-04-2007, 15:39:30
Find out the name of the virus by googling the name of the EXE file and see if there are instructions to remove it.

If not, you've got to look for the source of the exe. Check the system folders in the Windows directory. Look for any recent dlls or other files that you don't recognize. Try and delete them.

(May want to be in safe mode to do this)

If that doesn't work then there's something in the registry keeping the file alive. You're fucked.
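As an added, defender-side example (not code from any poster in this thread): a PowerShell triage pass that lists the Run/RunOnce registry entries Venom's last line refers to, resolves each to a file on disk, and reports its creation time and Authenticode status, then lists DLL/EXE files dropped into the Windows directories recently, the kind of randomly named DLL Scabrous Birdseed found. It assumes Windows PowerShell 5.1 or later run as an administrator; the 7-day window is an arbitrary choice.

```powershell
# Added triage script; assumes Windows PowerShell 5.1+ run elevated.
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metaProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Pull the first quoted or unquoted token out of a command line; for
# rundll32-style entries this is the loader, so keep the full Command too.
function Get-CommandPath([string]$cmd) {
  if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
  if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
  return $null
}

$findings = foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -in $metaProps) { continue }
    $path = Get-CommandPath ([string]$p.Value)
    if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }
    $exists = $path -and (Test-Path -LiteralPath $path)
    [pscustomobject]@{
      Key     = $key.Split('\')[0] + '\...\' + $key.Split('\')[-1]
      Name    = $p.Name
      Path    = $path
      Created = if ($exists) { (Get-Item -LiteralPath $path).CreationTime } else { $null }
      Signed  = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
      Command = [string]$p.Value
    }
  }
}
$findings | Sort-Object Created -Descending | Format-Table -AutoSize

# Second pass: executables created in the Windows directories in the last 7 days.
# Unsigned, recently created, oddly named files are the ones to look up.
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path "$env:SystemRoot", "$env:SystemRoot\System32" -File -ErrorAction SilentlyContinue |
  Where-Object { $_.Extension -in '.dll','.exe' -and $_.CreationTime -gt $cutoff } |
  Select-Object FullName, CreationTime,
    @{ n = 'Signed'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } } |
  Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

An entry whose loader is rundll32.exe is legitimate on its own; the DLL it is asked to load appears in the Command column and is what needs checking.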

Scabrous Birdseed
03-04-2007, 18:47:18
Post your HiJack This! Log.

Qaj the Fuzzy Love Worm
03-04-2007, 20:14:56
Low-level format. It's the only way to be sure.

Drekkus
04-04-2007, 14:07:03
The IT guy at work has the laptop now, so it's out of my hands. But believe it or not, the file that caused all the spamming was called aDIRKa.exe. :lol:

MDA
05-04-2007, 13:31:15
Originally posted by Qaj the Fuzzy Love Worm
Low-level format. It's the only way to be sure.

Just did this with my wife's comp yesterday.

She updated ZoneAlarm and installed a Windows update, rebooted, and it hung up at mup.sys (google that one for a laugh, it seems to be a symptom of about a hundred problems).

Same thing happened trying to get to safe mode, so we go to console and replace the mup.sys with the one off the Windows CD, no effect. So we disable mup.sys, no effect.

Then ran chkdsk, which fixed something, but we still can't boot.

Repairing Windows from the install CD, failed.

At that point we decided it was faster to reformat and reinstall (and reregister) everything, which pretty much killed the entire evening.

Virus scan and Ad-Aware had both been run recently and nothing had shown up, so we're baffled as to what actually happened, but past the problem :)