Memory Watcher - Spyware

I have several anti spyware programs on my PC and also run Nortons for virus/firewall protection.
Recently (ie in last week) I have found that I have been 'infected' with 3 files showing as "Memory Watcher" (a piece of spyware showing as a 'serious threat').
I keep removing these with my spyware remover (successfully) to find that they are back again within minutes (typically 5/10 mins after removal).
It literally doesn't matter what sites I visit they seem to come back all the time (ie stuck to just BBC site and found it would still reoccur).

It would therefore appear that there is a sort of 'parent' file that is recreating the files when I remove them. However this 'parent' file is not being located by the spyware remover.

Does anyone know of this particular piece of Spyware (ie Memory Watcher) and know of a way to remove it for good ?

Any help greatly received.

Mr_F.

Comments

  • startrekker
    startrekker Posts: 1,162 Forumite
    Looks like it may have installed itself, and appears in your add and remove programs. Have a look and see if you can remove it from there. If you can, the minute you do re-boot the machine and run your spyware to be sure
    :confused:I have nothing better to do!!!!:confused:
  • Mr_Frugal
    Mr_Frugal Posts: 265 Forumite
    Part of the Furniture Combo Breaker
    Thanks, but I've checked Add/Remove - doesn't seem to be any 'extra' programs and nothing that I don't recognise.

    Starting to pull my hair out !!!!!! I've been at this for about 6hrs today !

    Have tried switching off System Restore, rebooting, running Spyware prog (& removing), rebooting, putting System Restore back on & rebooting.
    Still no joy !!!

    Arrrrrrrgggggggggghhhhhhhhh!!!!!

    Will keep trying, any further suggestions more than welcome !


    TIA,

    Mr_F.
  • Jon_S_4
    Jon_S_4 Posts: 259 Forumite
    Uniform Washer
    Have you looked at your startup files ?

    Click on start, then Run, then type in MSCONFIG, then click on the startup tab and check through the entries to see if anything you don't recognise is there.

    Then uncheck the entry and restart the pc, that should do the trick.
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    read through this malware sticky , posts 1 to 4

    http://forums.moneysavingexpert.com/showthread.html?t=133269

    full instructions + software
    Ex forum ambassador

    Long term forum member
  • espresso
    espresso Posts: 16,448 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker
    This webpage gives information of files and registry entries which may help you get rid of it.
    :doh: Blue text on this forum usually signifies hyperlinks, so click on them!..:wall:
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    ewido ( AVG anti spyware ) and spybot will deal with it :)

    both in the sticky
    Ex forum ambassador

    Long term forum member
  • Mr_Frugal
    Mr_Frugal Posts: 265 Forumite
    Part of the Furniture Combo Breaker
    Browntoa wrote:
    ewido ( AVG anti spyware ) and spybot will deal with it :)

    both in the sticky


    Thanks to those that have posted advice so far - really appreciated.
    However, tried the above two (plus Spybot S&D, Spysweeper, Windows Defender, AVG & Xoft) to no avail !.

    Then tried following the instructions in the sticky (1-4) but no joy ! (Didn't try hijackthis as I don't feel confident enough that I would know what I was doing with it !!!!)

    The ONLY anti spyware package that is detecting this "Memory Watcher" (every time I run it) is Xoft. It removes it successfully only for it to reappear again within minutes !!!!
    It is something to do with registries (pardon my ignorance but I don't understand Registries in the slightest).

    The summary report shows 3 "items" that are all "Registry Values". It then allows you to remove but they then come back !

    Thanks to the poster that gave a list of registry info but as I said I don't really understand Registries - all I know about them is that if you tinker with them and mess it up you sure as hell know about it !!!!

    The following is the output of the report that I ran last time (I aborted scan just after it identified the same 3 files as it always does and then chose to remove them. I wouldn't normally abort it's just that I have run this report several hundred times today so much so that I can predict to the second when it will find them !!!!!!)

    - <XoftSpy>
    <Meta info="XoftSpySE-SP1 Tech-Support Log" time="30-10-2006-23-27-10" />
    <ScanSettings scanActive="true" scanRegistry="true" scanSysFolders="true" scanDrives="true" scanHosts="true" scanAdvScan="true" />
    - <Debug>
    <DebugMsg event="REGVALUE_FOUND" data="software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore\type" system-message="The operation completed successfully." malwareName="Memory Watcher" />
    <DebugMsg event="REGVALUE_FOUND" data="software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore\count" system-message="The operation completed successfully." malwareName="Memory Watcher" />
    <DebugMsg event="REGVALUE_FOUND" data="software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore\time" system-message="The operation completed successfully." malwareName="Memory Watcher" />
    <DebugMsg event="SCAN_ABORTED" data="" system-message="The operation completed successfully." malwareName="" />
    <DebugMsg event="REGVALUE_QUARANTINE_SUCCESS" data="HKEY_USERS\software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore" system-message="The operation completed successfully." malwareName="Memory Watcher" />
    <DebugMsg event="REGVALUE_QUARANTINE_SUCCESS" data="HKEY_USERS\software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore" system-message="The operation completed successfully." malwareName="Memory Watcher" />
    <DebugMsg event="REGVALUE_QUARANTINE_SUCCESS" data="HKEY_USERS\software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore" system-message="The operation completed successfully." malwareName="Memory Watcher" />
    <DebugMsg event="REGVLAUE_DELETE_SUCCESS" data="software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore\time" system-message="The operation completed successfully." malwareName="" />
    <DebugMsg event="REGVLAUE_DELETE_SUCCESS" data="software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore\count" system-message="The operation completed successfully." malwareName="" />
    <DebugMsg event="REGVLAUE_DELETE_SUCCESS" data="software\microsoft\windows\currentversion\ext\stats\!!36ecaf82-3300-8f84-092e-aff36d6c7040}\iexplore\type" system-message="The operation completed successfully." malwareName="" />
    </Debug>
    </XoftSpy>


    Don't know if that makes sense to anyone and if anyone can understand it and translate it back in to English I would be extremely grateful (or whether it doesn't throw any light on the situation at all ??)

    Thanks again to those that have posted help/advice again but would REALLY appreciate ANY help on this before I give up and chuck this damn PC out of the window !!!!

    TIA,

    Mr_F.
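
An added example, not part of the original post and not XoftSpy's own code: a small Python summarizer for a pasted tech-support log of the shape shown above. It strips the "- " tree-view markers, groups the events by registry key, and lists any detected value that has no delete-success event; the sample log and its key path are constructed placeholders, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the log posted above; KEY is a placeholder path.
KEY = r"software\example\ext\stats\{placeholder-guid}\iexplore"
MSG = '<DebugMsg event="%s" data="%s" system-message="ok" malwareName="%s" />\n'
SAMPLE_LOG = (
    "- <XoftSpy>\n- <Debug>\n"
    + "".join(MSG % ("REGVALUE_FOUND", KEY + "\\" + v, "Memory Watcher")
              for v in ("type", "count", "time"))
    + MSG % ("SCAN_ABORTED", "", "")
    + 3 * (MSG % ("REGVALUE_QUARANTINE_SUCCESS", "HKEY_USERS\\" + KEY, "Memory Watcher"))
    # "REGVLAUE" is spelled the way the log on this page spells it.
    + "".join(MSG % ("REGVLAUE_DELETE_SUCCESS", KEY + "\\" + v, "")
              for v in ("time", "count", "type"))
    + "</Debug>\n</XoftSpy>\n"
)

def parse_events(log_text):
    """Return (event, registry path without hive, malware name) for each DebugMsg."""
    # A browser's XML tree view prefixes collapsible nodes with "- "; strip it first.
    xml = re.sub(r"(?m)^\s*-\s*(?=<)", "", log_text.strip())
    return [(m.get("event"), re.sub(r"^hkey_\w+\\", "", m.get("data", "").lower()),
             m.get("malwareName", "")) for m in ET.fromstring(xml).iter("DebugMsg")]

def summarize(log_text):
    """Group events by key: {key: {"malware", "values": {name: [events]}, "key_events"}}."""
    events = [ev for ev in parse_events(log_text) if ev[1]]
    keys = {}
    for event, data, malware in events:      # pass 1: detections define the keys
        if event == "REGVALUE_FOUND":
            key = data.rpartition("\\")[0]
            entry = keys.setdefault(key, {"malware": set(), "values": {}, "key_events": []})
            entry["malware"].add(malware)
    for event, data, _ in events:            # pass 2: attach every event to its key
        key, _, value = data.rpartition("\\")
        if data in keys:                     # event logged against the key itself
            keys[data]["key_events"].append(event)
        elif key in keys:                    # event logged against one value
            keys[key]["values"].setdefault(value, []).append(event)
    return keys

def not_deleted(summary):
    """(key, value) pairs that were detected but have no *_DELETE_SUCCESS event."""
    return sorted((k, v) for k, e in summary.items() for v, evs in e["values"].items()
                  if not any(x.endswith("DELETE_SUCCESS") for x in evs))

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOG).items():
        print(key, sorted(entry["malware"]), entry["key_events"], entry["values"])
```

On a log like the one above, the three detections collapse to one registry key with three values, each found and then deleted, and every event in the log refers to that key.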
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    you need to scan in "safe mode" , follow the instructions below and then rescan with xoft, it should get rid of it then
    • If the computer is running, shut down Windows, and then turn off the power
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.
    Ex forum ambassador

    Long term forum member
  • I have often found things on my system which do not show up with ordinary spyware programs.

    One tool I have found to be extremely useful is "HiJackThis" which is a freeware utility available from
    http://www.hijackthis.de/

    The tool itself is at http://download.hijackthis.eu/hijackthis_199.zip

    What to do -

    download the file

    Run it on your system, it produces a log file of the results for you.
    You can then upload the log file, or paste the text from the logfile into the webpage at http://www.hijackthis.de/

    It then analyses everything against its database of known applications and spyware programs, so against each listing you will get a rating of whether it is safe, or a likely nasty.

    Having identified the nasties, the tool can be used to delete the registry settings etc.

    I use this routinely to check for spyware stuff that adaware and spyblaster have missed etc, and it has been really useful in the past.

    Hope that helps someone.
  • pchelpman
    pchelpman Posts: 1,275 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    DeadHead ... thanks but recommendations to use HJT have already been given in this thread if you read back. [I hope you know exactly what you're doing with HJT. It's a powerful tool which could trash your machine if used incorrectly. The HJT analysis site you link to has been known to mislead impressionable users into deleting vital files.]

    Mr_Frugal .... malware watcher is a pain but usually nothing too serious. In the past it went by other names such as the old (and infamous) Peper infection.

    Firstly, do as Browntoa says. That is very important.

    If your problem still won't go away [likely] you MUST install HijackThis, scan your system with it then post the scan report to this thread.

    Don't worry about HJT ... it's a very small, safe program and does NOT change anything on your computer unless you specifically tell it to.

    Just post the scan report here .... we will tell you what to do.


    PCH
This discussion has been closed.