Spyware generating random named process?

By bill
Hello,

I have a PC that is infected with a number of spyware and virus goodies. I have managed to eradicate most of them. There is one that is eluding me however and I am looking for info on how to figure this out. The problem is as follows:

1) I use MSCONFIG to disable all startup applications.
2) I restart the PC and there are several programs re-enabled as well as a new goodie that got put in the startup HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entry. The gem that shows up in there has a random name like xxgfr.exe.
3) I can delete the entry from here and another one shows up.
4) I can stop the process and a new one appears with a different name in its place.

My questions are:

1) How can I figure out which process is monitoring for this process' death and starting a new one?
2) How can I figure out which process is adding the entry to the registry after I have deleted it?
3) Is there some hook available that lets programs run on shutdown that can put this entry in the registry?
4) Is there a vulnerability in XP that lets a process be created/run that is invisible to the task manager? If so, how can I find it and go after it?
5) Is there a way to hook into XP to see who is writing the registry so I can detect who is doing this?

Thanks in advance.

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)

by godheadbob In reply to Spyware generating random ...

1) I don't know
2) I don't know
3) I don't know
4) I don't know
5) I don't know

However, more than likely the piece of malware on your PC has another file located somewhere on the C:\ drive that is causing all this to "re-insert" itself into your life. I would try turning off system restore, documenting what's on your PC with hijack this, deleting the offending "RUN" entry, re-booting your PC and re-running hijack this.
Does it show up with Spybot or AdAware?

by Blackcurrant In reply to Spyware generating random ...

Hi

One thing you do not mention is system services. Run msconfig again, and disable *every* startup item. Next, click the Services tab, tick the box that says 'Hide all Microsoft services', then select 'Disable all'. Now reboot and see if the entry reappears.

If not, then you can re-enable each service one by one until the offending scumware is identified.

You may also want to invest in a professional Adware/Spyware removal program. You do not say which programs you use, so if you cannot afford to pay for one of these you should look at free alternatives such as AdAware, Spybot, Microsoft AntiSpyware, SpyBlaster, Avast antivirus, AVG...

For really troublesome spyware you can run a trial edition of Adware Away which is very good.

Good luck

by bill In reply to Spyware generating random ...

FYI, I know the basics of how this process works and am looking for the details of where these types of things can hide that I don't know about. The problem doesn't show up as a known virus or spyware.

I am writing software that will go in, find these things, and remove them once and for all. I find it rather disturbing to have to use multiple products to perform basically the same task where some find one thing, some another, etc.

Thanks in advance.

by haileyan In reply to Spyware generating random ...

Run MSConfig in Safe Mode. What is most likely happening is that there is a process running in memory that checks that registry key. If you remove it, it creates another one. Safe Mode should prevent it from running and then you can remove the registry entries. Also, check the RunOnce registry keys, as sometimes these programs have an entry there that will start the problem all over again.

Run your spyware and adware remover while in Safe Mode as well.

by bill In reply to Spyware generating random ...

The software I use includes:

PestPatrol
CounterSpy
Spybot Search & Destroy
AdAware
Hijack This
(also Norton and McAfee though both of these are fairly useless in my opinion regarding spyware)

FYI, I have used msconfig and turned off startup applications and services. It still seems to be there.

I have a sneaky suspicion that this is a very clever piece of crapware (i.e. software developed by low lifes for the purpose of trashing your computer) that exploits a hole in some application and loads as a DLL as part of a regular process. Maybe I'm just being overly analytical, but as a software engineer I know there are lots of ways to create these nasty little pests. I figure if I know about these, then the low lifes that develop adware, spyware, and viruses know about them too.

Editorial: Look at the "Aurora BetterInternet" as an example of a major pest. It's the equivalent of showing up at the CEO of the company responsible for "Aurora BetterInternet", defecating on his doorstep, and believing that this is "acceptable behavior". It's not.

Please help stomp out these dregs of the internet.

by sgt_shultz In reply to Spyware generating random ...

well. unless brand new one, sounds just like spyware/virus infestation i dealt with recently on xp box. i used only msconfig, regedt32, anti-virus, ad-aware personal se and hijack this to cure. i thought i might need cacls to blast permissions down the folders on the hd but turned out wasn't too hard to figure out which folders needed fixing. i did deep scanning for everything (antivirus first) in safe mode. rebooting and staying in safe mode to double-check ad-aware and hijackthis, and not booting out of safe mode or connecting to internet until still clean after reboot.
i had to change some permissions on registry entries and folders and use my tools in safe mode with system restore turned off to get it all out.
i just figured out which files by paying attention to all that frightening stuff and chanting 'not rocket science' 'not rocket science' (and, in my case, 'read the screen' 'read the screen')...
pretty creepy isn't it, looking in services and seeing those funky things. whatever is starting up in msconfig is the spawning process don't you think?
you have the tools to see what is starting up and from where (msconfig, hijack, regedt32). you just need to get the virus/malware to stop running so tools can remove it. safe mode, off internet and adding back permissions to registry entries and files and folders ought to do it.
have you visited sites like ntsysinternals to see what tools are available to monitor processes and registry writing? i believe you can set up security event logging built into xp to see what writes to registry...check out scripting and security sections of www.microsoft.com and technet.microsoft.com and support.microsoft.com
if you google vx2 and go to the lavasoft userforum websites there is excellent discussion of vx2 and how it works to reinfect. i don't know if they have it completely figured out yet.
but they can give you the depth of answer you seek i think...
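The two answers above describe the mechanism (a resident process watches the Run key and re-creates the entry, and a watchdog respawns the killed process) and point at process/registry monitoring as the way to find the culprit. The script below is an added example written for this thread, not code posted by anyone in it: it takes snapshots of the HKLM Run and RunOnce values and of the process list, then reports which value came back and which parent process spawned each new process, which answers questions 1 and 2 in the original post. It assumes a modern Python 3 with the stdlib winreg module and the wmic command (both assumptions, neither is mentioned in the thread); the snapshot names (qwpzk.exe, the PIDs, the PC node name) are constructed sample data, with xxgfr.exe taken from the question. If the respawner is a DLL loaded into a legitimate process, as bill suspects, the parent reported will be that host process (e.g. svchost.exe), which is itself the lead to follow; a polling diff like this can also miss a respawner that writes and exits between polls, which is where a kernel-level monitor from the Sysinternals tools mentioned above does better.

```python
"""Poll HKLM Run/RunOnce values and the process list, and report what comes
back between snapshots and who spawned it.  Added example for this thread;
the collectors assume Windows (stdlib winreg and the wmic command), while
the diff logic is platform independent."""
import csv
import subprocess
import sys
import time

# Autostart keys under HKEY_LOCAL_MACHINE checked on each poll (Run is the
# key named in the question; RunOnce is the one haileyan mentions).
RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]


def read_autostart_values():
    """Return {'Run\\name': command, ...} for the keys in RUN_KEYS (Windows only)."""
    import winreg  # stdlib, but only importable on Windows

    values = {}
    for path in RUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # RunOnce may be absent
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                values[path.rsplit("\\", 1)[1] + "\\" + name] = str(data)
                index += 1
    return values


def parse_wmic_csv(text):
    """Parse 'wmic process get Name,ParentProcessId,ProcessId /format:csv'
    into {pid: (ppid, name)}.  Real wmic output starts with a blank line and
    uses \\r\\r\\n endings, so carriage returns and empty lines are dropped."""
    lines = [ln for ln in text.replace("\r", "").split("\n") if ln.strip()]
    procs = {}
    for row in csv.DictReader(lines):
        try:
            procs[int(row["ProcessId"])] = (int(row["ParentProcessId"]), row["Name"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed row
    return procs


def list_processes():
    """Snapshot the process table via wmic (Windows only; an assumed command)."""
    out = subprocess.check_output(
        ["wmic", "process", "get", "Name,ParentProcessId,ProcessId", "/format:csv"],
        text=True,
    )
    return parse_wmic_csv(out)


def readded_values(before, after):
    """Autostart values present in `after` that were absent or changed in `before`."""
    return {k: v for k, v in after.items() if before.get(k) != v}


def new_processes_with_parents(before, after):
    """For each pid new in `after`, return (pid, name, ppid, parent_name).
    The parent is looked up in `after`, then in `before`, so a watchdog that
    spawns its replacement and exits is still named."""
    found = []
    for pid, (ppid, name) in after.items():
        if pid in before:
            continue
        parent = after.get(ppid) or before.get(ppid)
        found.append((pid, name, ppid, parent[1] if parent else "<unknown>"))
    return sorted(found)


# Constructed snapshots (not captured from a real machine): xxgfr.exe is the
# random name from the question; qwpzk.exe, the PIDs and node name are made up.
SAMPLE_BEFORE = (
    "\r\r\nNode,Name,ParentProcessId,ProcessId\r\r\n"
    "PC,System,0,4\r\r\nPC,svchost.exe,4,900\r\r\n"
    "PC,explorer.exe,4,1200\r\r\nPC,xxgfr.exe,900,1500\r\r\n"
)
SAMPLE_AFTER = (
    "\r\r\nNode,Name,ParentProcessId,ProcessId\r\r\n"
    "PC,System,0,4\r\r\nPC,svchost.exe,4,900\r\r\n"
    "PC,explorer.exe,4,1200\r\r\nPC,qwpzk.exe,1500,1612\r\r\n"
)


def watch(rounds=30, interval=2.0):
    """Windows-only polling loop: print re-added values and new processes."""
    vals_before, procs_before = read_autostart_values(), list_processes()
    for _ in range(rounds):
        time.sleep(interval)
        vals_after, procs_after = read_autostart_values(), list_processes()
        for name, cmd in readded_values(vals_before, vals_after).items():
            print(f"autostart value (re)added: {name} = {cmd}")
        for pid, name, ppid, pname in new_processes_with_parents(procs_before, procs_after):
            print(f"new process {name} (pid {pid}) spawned by {pname} (pid {ppid})")
        vals_before, procs_before = vals_after, procs_after


if __name__ == "__main__" and sys.platform == "win32":
    watch()
```

Run it, then delete the Run value and kill the random-named process as in the question; within a poll or two it prints the re-added value and the new process together with the parent that started it. On the constructed snapshots, new_processes_with_parents reports qwpzk.exe as spawned by xxgfr.exe even though xxgfr.exe has already exited, because the parent lookup falls back to the earlier snapshot.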
