cws hijacker

jaybird

I have run cwshredder, spybot s&d, and adaware6.0. This
got rid of cw hijacker, or so I thought. Two days later
while only logging on to MSN I was hijacked again.
Lavasoft adaware shows 8 attempts and changes when this
happens. Also noticed even when cw was removed machine
seemed to run slow. Any ideas? And how can I bring up a
listing of what programs are actually running and
possibly connecting to this
problem.
 
Guest

Ctrl-Alt-Del will bring up Task Manager and allow you to see all the
processes that are currently running.

Process Explorer from www.sysinternals.com will do that too but it will also
reveal what the actual path is to the process.

Knowledge of what *should* be running will enable you to identify what
*should* be eliminated :))

I also suggest to correctly firewall your box and have your AV up-to-date.
 
jaybird

Firewall is up and running also NAV2004 was just
installed and updated. I know about taskmanager but
don't know what is vital and what is not.
 
Guest

OK.
So then I suggest you use Process Explorer and look at the path of whatever
is running.
Then I would look up the exe and look at the properties to find the
Manufacturer. If it is something like Microsoft, or Symantec, or any other
'known' manufacturer, you can go by the assumption you at least *need* it,
because you use that software. (*vital* is another definition :))
The ones that remain or cannot be accounted for as 'known', try and just end
the process in task manager to see if your system takes kindly to it, ie.
are you still in business.
You can also check out
http://www.liutilities.com/products/wintaskspro/processlibrary/ to see if
any of the processes you have running are listed and what they are for. That
may help weed out the bad ones.
Then you can get one of the 'startup monitor'-type programs to prevent them
from starting up next time around.
If it concerns a service that is running, you can disable that service.

hth (further)
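
The path-and-manufacturer check described in the reply above, as an added PowerShell example that is not part of the original thread. It goes one step beyond the Properties dialog by also validating each file's Authenticode signature, because the Company/Manufacturer field is only text embedded in the file; the function name `Get-ProcessTriage` and the publisher list are assumptions to adapt to your own machine.

```powershell
# Added example: list running processes with path, company and signature,
# and mark which ones can be accounted for as a "known" publisher.
function Get-ProcessTriage {
    # Assumed allow-list: the two vendors named in the post. Edit as needed.
    param([string[]]$KnownPublishers = @('Microsoft', 'Symantec'))

    foreach ($proc in Get-Process) {
        $path      = $proc.Path      # $null if access is denied (run elevated)
        $company   = $null
        $signer    = $null
        $sigStatus = 'NoPath'

        if ($path -and (Test-Path -LiteralPath $path)) {
            # The same "Company" value the file Properties dialog shows.
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
            }
        }

        # "Known" only if the signature validates AND the signer's
        # organisation matches the list; the Company text alone is not proof.
        $known = $false
        if ($sigStatus -eq 'Valid') {
            foreach ($name in $KnownPublishers) {
                if ($signer -like "*O=$name*") { $known = $true }
            }
        }

        [pscustomobject]@{
            Id        = $proc.Id
            Name      = $proc.ProcessName
            Company   = $company
            Signature = $sigStatus
            Known     = $known
            Path      = $path
        }
    }
}

# Show only what still needs a manual look-up.
Get-ProcessTriage | Where-Object { -not $_.Known } |
    Sort-Object Path |
    Format-Table -AutoSize Id, Name, Company, Signature, Path
```

Entries with `Signature` of `NoPath` could not be read at the current privilege level and should be re-checked from an elevated prompt before drawing conclusions.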
 
Guest

You might try to clean the system again, while not connected to the internet, install Zone Alarm, reconnect to the internet and wait for Zone Alarm to identify the process trying to access the internet. At least then you have a name to track.
Other than that, Search and Destroy can be configured to lock the registry and notify you if anything tries to write to it.
This is assuming that you have actually been successful at cleaning the system, and are being identified and reinfected when you get back on the internet.
Reimage is good for the soul.
 
Guest

Plato said:

out of curiosity,
do you mean I should go and fix his machine for him as well or do you mean
he's not capable of finding the tool based on the info I gave him?
given the fact he's got his knickers in a twist the way he has with his
machine, (in my mind) almost certainly and exclusively through rummaging the
net, I did not think for one second he needed a reference 'spot-on'.
 
