How can I see what's modifying the registry?

Achilles97

Senior member
May 10, 2000
401
14
81
My browser is hijacked and I can't fix it. HijackThis, CWSShredder, Spybot, etc. I scan with HijackThis, it finds a bunch of IE keys - I delete them - 10 seconds later they are back. Is there a way to see what's writing those values to the registry? I tried "Registry Firewall" but it doesn't show anything accessing the Registry, even though the values are being changed.


Thanks
 

Apathetic

Platinum Member
Dec 23, 2002
2,587
6
81
Here's another vote for RegMon. You can find it and a bunch of other cool utilities (and source code for several of them) here
 
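RegMon has since been folded into Sysinternals Process Monitor (procmon.exe), which records registry, file and process activity from a kernel driver together with the process that issued each operation. The script below is an added example, not something posted in this thread: it captures a trace long enough to catch two of the once-a-minute rewrites the original poster describes, exports it to CSV, and reports which process wrote to the Internet Explorer start-page and search keys and at what second past the minute. It assumes procmon.exe is on PATH, that it runs from an elevated PowerShell prompt (Procmon loads a driver), and that the `/AcceptEula`, `/Quiet`, `/Minimized`, `/BackingFile`, `/Terminate`, `/OpenLog` and `/SaveAs` switches behave as in current Procmon releases; the paths and the 130-second window are this example's choices.

```powershell
# Added example (not from the thread). Attribute writes to the IE hijack keys
# to a process with Process Monitor, the successor of RegMon.
# Assumptions: procmon.exe on PATH, elevated prompt, current Procmon switches.
param(
    [int]$Seconds = 130,                          # > 2 minutes, to see two rewrites
    [string]$Trace = "$env:TEMP\ie-hijack.pml"
)

$csv = [IO.Path]::ChangeExtension($Trace, 'csv')

# 1. Start capturing in the background. /Quiet skips the filter dialog,
#    /BackingFile writes the log to disk instead of page-file memory.
Start-Process procmon.exe -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$Trace`""
)
Start-Sleep -Seconds $Seconds

# 2. Stop the capture and flush the backing file.
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait

# 3. Convert the binary .pml log to CSV for parsing.
Start-Process procmon.exe -ArgumentList @(
    '/AcceptEula', "/OpenLog `"$Trace`"", "/SaveAs `"$csv`""
) -Wait

# 4. Keep only modifications to the keys a homepage/search hijacker rewrites.
$regWrites = 'RegSetValue', 'RegDeleteValue', 'RegDeleteKey', 'RegCreateKey'
$writes = Import-Csv $csv | Where-Object {
    $_.Operation -in $regWrites -and
    $_.Path -match 'Internet Explorer\\(Main|Search|SearchUrl|SearchScopes)'
}

# 5. Who writes what, and how often.
$writes |
    Group-Object -Property 'Process Name', PID, Operation, Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap

# 6. Phase within the minute: a periodic writer shows the same second every time
#    (the thread reports :25). 'Time of Day' looks like 10:42:25.1234567 AM.
$writes |
    Select-Object @{n='SecondPastMinute'; e={ $_.'Time of Day' -replace '^.*:(\d\d)\.\d+.*$', '$1' }},
                  'Time of Day', 'Process Name', PID, Operation, Path, Detail |
    Format-Table -AutoSize -Wrap
```

The CSV export carries no call stack, so when the writer turns out to be a host process such as explorer.exe, open the .pml in the Procmon GUI, select one of the RegSetValue events and look at its Stack tab: the frames name the module inside that process that issued the write, which is usually the hijacker's DLL rather than anything that ships with Windows. Since Procmon observes the registry from the kernel, user-mode tricks that hide a process from a "registry firewall" style hook do not hide the write itself.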

Achilles97

Senior member
May 10, 2000
401
14
81
Thanks guys.

It's Explorer.exe that's modifying the registry every time I delete those keys. WTF?

What should I do?
 

Achilles97

Senior member
May 10, 2000
401
14
81
Is there any way to see what's invoking Explorer.exe to write those values? Or is it embedded into Explorer.exe itself?
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: intogamer
That doesn't work. Do the easy steps. Format with sp2 and use firefox.
Explorer.exe is not Internet Explorer, so using a different web browser has no bearing on this situation.
Originally posted by: Achilles97
Is there any way to see what's invoking Explorer.exe to write those values? Or is it embedded into Explorer.exe itself?
What are the keys and values it is writing and at what point does it write them?

I'm going to guess that the keys are being written by spyware/adware running under the explorer.exe process tree. Have you tried various anti-spyware applications such as Ad-Aware or Microsoft's AntiSpyware (Beta) to clean the infection first?

Always go after the source of the problem, not the symptoms. If the keys keep getting re-written it most likely means you're still infected.
 
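The point that explorer.exe is usually just the host is the practical one: the shell loads third-party DLLs registered as browser helper objects, shell-execute hooks and approved shell extensions, and a DLL loaded that way performs its registry writes under explorer.exe's name. The script below is an added example for this thread, not code posted by any participant: it lists the modules inside explorer.exe that are not Microsoft-signed, the processes explorer.exe has spawned, and the registry load points that cause the shell to pull in outside code, resolving each CLSID to the DLL on disk. It assumes a current Windows with PowerShell 5.1 or later run as the logged-on user with the same bitness as explorer.exe (a 32-bit PowerShell cannot enumerate a 64-bit process's modules); the set of load points checked is this example's selection, not an exhaustive list.

```powershell
# Added example (not from the thread). Find non-Windows code running inside or
# under explorer.exe, and the registry entries that make Explorer load it.
# Assumptions: PowerShell 5.1+, same bitness as explorer.exe, logged-on user.

$explorer = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1

# 1. DLLs loaded in explorer.exe that are unsigned or not signed by Microsoft.
Write-Host "== Non-Microsoft modules in explorer.exe (PID $($explorer.Id)) =="
$explorer.Modules | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FileName
    [pscustomobject]@{
        Module = $_.ModuleName
        Path   = $_.FileName
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table -AutoSize -Wrap

# 2. Processes whose parent is explorer.exe ("under the explorer.exe process tree").
Write-Host "== Child processes of explorer.exe =="
Get-CimInstance Win32_Process |
    Where-Object { $_.ParentProcessId -eq $explorer.Id } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap

# Resolve a COM CLSID to its in-process server DLL (empty if not registered).
function Resolve-ClsidDll([string]$Clsid) {
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    if (Test-Path $k) { (Get-ItemProperty -Path $k).'(default)' } else { '' }
}

# 3. Load points whose entries are CLSIDs: BHOs are subkeys, hooks and approved
#    extensions are value names. Each maps to a DLL the shell will load.
$clsidPoints = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
)
foreach ($kp in $clsidPoints) {
    if (-not (Test-Path $kp)) { continue }
    Write-Host "== $kp =="
    $ids = @(Get-ChildItem -Path $kp | ForEach-Object { $_.PSChildName })
    $ids += (Get-Item -Path $kp).GetValueNames()
    $ids | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' } | Sort-Object -Unique |
        ForEach-Object {
            [pscustomobject]@{ CLSID = $_; Dll = Resolve-ClsidDll $_ }
        } | Format-Table -AutoSize -Wrap
}

# 4. Plain Run keys: anything here starts with the shell and can re-write IE's keys.
foreach ($kp in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $kp)) { continue }
    Write-Host "== $kp =="
    $item = Get-Item -Path $kp
    $item.GetValueNames() | ForEach-Object {
        [pscustomobject]@{ Name = $_; Command = $item.GetValue($_) }
    } | Format-Table -AutoSize -Wrap
}
```

Treat any DLL that turns up in the first list but not in a Windows directory, or that is registered under one of the load points with no valid signature, as the suspect; removing the registration and the file, then confirming with a fresh Process Monitor trace that the periodic writes have stopped, is the "source, not symptoms" approach the post above recommends. Deleting only the IE values, as the original poster found, just gives the loaded DLL something to restore on its next timer tick.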

Eltano1

Golden Member
Aug 6, 2000
1,897
0
0
One thing that you should do is (if it is enabled) disable System Restore, and then reboot into Safe Mode and start the cleaning all over again.

Eltano
 

Achilles97

Senior member
May 10, 2000
401
14
81
Originally posted by: spyordie007
Originally posted by: intogamer
That doesn't work. Do the easy steps. Format with sp2 and use firefox.
Explorer.exe is not Internet Explorer, so using a different web browser has no bearing on this situation.
Originally posted by: Achilles97
Is there any way to see what's invoking Explorer.exe to write those values? Or is it embedded into Explorer.exe itself?
What are the keys and values it is writing and at what point does it write them?

I'm going to guess that the keys are being written by spyware/adware running under the explorer.exe process tree. Have you tried various anti-spyware applications such as Ad-Aware or Microsoft's AntiSpyware (Beta) to clean the infection first?

Always go after the source of the problem, not the symptoms. If the keys keep getting re-written it most likely means you're still infected.

I've tried Ad-Aware, Spybot, HijackThis, CWSShredder. I am running PC-cillin antivirus and firewall.

The reg keys that are being changed are all the Internet Explorer homepage, search, etc. I can manually delete those keys, then at 25 seconds after each minute I can see the values being deleted and rewritten by Explorer.exe. It does this every minute, at 25 seconds past the minute.

I have system restore turned off.

I'm probably going to just reformat. I don't know what else is compromised.

Thanks!
 

Dragonbate

Senior member
Mar 1, 2004
324
0
0
When you tried Spybot, did you install TeaTimer? It alerts you every time a program tries to change the registry. I had a similar problem with this comp; it turned out to be a trojan... try AVG virus scan free edition. Also use msconfig to see what's starting with Windows. I had to find the program that was creating the trojan and delete it manually.