The attack of soundman.exe


Targon

This is one that has been driving me crazy. I've been dealing with a computer that started with a LOT of spyware on it. That machine was so badly infested, I was pretty impressed that the machine would boot at all.

So, I start with an msconfig to keep a bunch of the stuff from starting. I know some will come back, but I needed the machine to be a bit more responsive.

Next, I went into regedit (after rebooting), and went through all the ...software\microsoft\windows\currentversion\run* entries and removed the junk I found that was bad. For those not familiar with this, it's a manual way to get to the startup stuff you can find in msconfig. The RunOnce and RunOnce variants are things that get run only once on Windows startup. These are how many pieces of spyware show up again in your startup tab, even after you've removed them.

So those were clean. The machine was fairly responsive, so I threw Ad-aware 6, CW Shredder, and HiJackThis onto the machine. Cleaning out the last of the junk, all looked pretty good. So I did a reboot to make sure the system stayed clean, and it was, except an entry in hijackthis that was indicating soundman.exe was back. So I removed it again, rebooted, and it came back.

So, I did some looking and found it was probably a part of the W32.Gaobot worm. So I went to the symantec site, downloaded the removal tool, and it found four files that it said were infected. Removed them, checked, all seemed clean. Ok, reboot, and soundman.exe is back AGAIN.

At this point, I've decided that I could use some help. Nothing on the web has come up with a solution to get rid of this thing. I've checked the hard drive and the soundman.exe file doesn't exist, so it may be a disguise for the true file, either that or there's something left over.

Since I know where the stuff that starts with windows is in the registry, does anyone know where the stuff that gets performed as you shut down is? I figure between the Run/RunOnce sections and that, clearing and keeping most spyware from returning SHOULD be a bit easier.

Any help would be appreciated.
 
Soundman.exe is part of Realtek's audio software. What type of sound card do you have?
 
soundman WAS a part of Realtek's audio software, but the name has been hijacked by spyware companies. That's the problem I was running into.
 
Are you using RealTek's software? Do you need their Soundman.exe?

This may be oversimplified, but can't you rename the bad files, remove them, and then download the appropriate files for that software?

Or, is that what you have not been able to do?

Dave :D
 
The problem was that even after removing soundman.exe, it kept coming back. This is the trojan version, not the legit soundman.exe. That's the problem. The trojan in this case was able to re-add itself back into the registry, even when no process was running that would do it. Eventually I tracked it down to some spyware that would add this bad version of soundman.exe to the wininit.ini file, which in turn would re-add the registry values. Problem is solved, but it was a pain tracking this one down.
 
Give this a try, go to start then run, type in soundman.exe and see if it picks anything up. If it does you're in luck. You can delete just about anything from there

Good Luck!!
 
One thing I found when fighting this thing is that both Spybot and Ad-Aware will NOT check your wininit.ini file to make sure a piece of spyware isn't trying to come back after being removed. In this case, that's exactly what happened, I'd remove soundman.exe from the registry and from everywhere, the file would be gone from the hard drive, and it was gone in every sense of the word. BUT, it detected that it was being removed, so added itself to wininit.ini so that it would be re-installed on next reboot.
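A small check for the wininit.ini persistence described in this thread, added here as an example and not code from any poster: it parses the [rename] section (destination=source lines, with NUL as destination meaning delete) from a constructed sample and flags entries that would put soundman.exe back at the next boot. The file paths in the sample are made up for the example.

```python
import re

# Constructed sample of a wininit.ini. Windows processes the [rename] section
# once, early in the next boot, before the normal startup items run, so a
# file that was deleted can be copied back into place from a staging copy.
SAMPLE_WININIT_INI = """[rename]
NUL=C:\\WINDOWS\\TEMP\\stale.tmp
C:\\WINDOWS\\SYSTEM\\soundman.exe=C:\\WINDOWS\\TEMP\\~tmp1.dat
"""

# File names to watch for; extend with whatever your own scanner flagged.
WATCHED_NAMES = {"soundman.exe"}


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.
    A destination of NUL means the source file is deleted at boot."""
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            entries.append((dest, src))
    return entries


def find_restores(text, watched=WATCHED_NAMES):
    """Flag [rename] entries that would (re)create a watched file name at boot."""
    hits = []
    for dest, src in parse_rename_section(text):
        if dest.upper() == "NUL":
            continue  # a deletion, not a restore
        base = re.split(r"[\\/]", dest)[-1].lower()
        if base in watched:
            hits.append({"destination": dest, "source": src})
    return hits


if __name__ == "__main__":
    for hit in find_restores(SAMPLE_WININIT_INI):
        print("wininit.ini will restore", hit["destination"], "from", hit["source"])
```

On a real machine, read C:\WINDOWS\wininit.ini (if present) into `text` instead of the sample; an entry whose source is a file in a temp directory is the pattern the thread describes.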
 