Very hidden files? Files hidden by filter? Virus' doing?

SR

A couple months ago I did a virus scan which detected and killed a
single virus. I never knew what it did to my system until now. It seems
it somehow is filter-hiding certain files:

msconfig
spybot

If I rename any file to start with either "msconfig" or "spybot",
regardless of what comes after that, be it more text, an extension, or
nothing, it disappears. It won't show in Explorer or at a cmd console
prompt doing a 'dir'.

Now I know it does not get deleted because if I go to another computer on
my LAN, be it Windows or Linux, I can see the file. If I rename the file
to something not starting with either of those strings remotely, it
reappears on the XP (SP1) host.

I had to rename my msconfig.exe to something else to be able to use it,
as even though I can see msconfig.exe from other computers as being
actually there, Windows refuses to acknowledge it even if I type it in
'run'.

Is there a little known feature of Windows that contains a list of
strings to block out files with? Is this something in the group policy?
Or is this something deeper? I'm a seasoned tech so feel free to get
technical with me. (I've done plenty of programming and know my way
around the operating system, Windows (and Linux :)

Is there any way to undo this???

I can't use spy bot (search & destroy) until this is fixed?

BTW, the system in question is still running SP1 with most critical
updates installed. Would SP2 fix this seemingly
left-over-from-fecking-virus problem?

[ OH, AND also, I remember one of the files having to do with the virus
was "hxdefdrv.sys", if that helps any. ]



Thanks for any help with this.

-SR

jopa66

This suspiciously sounds like some form of malware, the first coming to mind
is CoolWebSearch. Scroll the enclosed info and download CWShredder and the
CWS.SmartKiller Removal Utility. It would probably be good to have a copy of
HijackThis as well. Let us know how you make out.

--
~john aka: jopa


WARNING: If your PC is already infested with spyware/adware, resist the
temptation of impulse-buying anti-spyware products that you see on the
Net or receive as e-mail spam. Vendors of "rogue/suspect" anti-spyware
products advertise heavily via Google's "AdWords" ("Sponsored Links" on
Google's own search pages) and "AdSense" (Google-driven advertising
delivered to third-party web sites), otherwise known as "Sponsored Links."
And many are known to create problems on your machine just to try and sell
you the way to "fix" it. There are a variety of anti-spyware products and
web sites -- some reliable and trustworthy, some not.

Instead, you can get help online from a corps of savvy volunteers who
specialize in busting spyware.

First:
I suggest you read this informative tutorial:
Dealing with Unwanted Spyware and Parasites
http://mvps.org/winhelp2002/unwanted.htm

And for expert online help, the following links are recommended:
http://forums.spywareinfo.com/index.php
OR
http://www.spywarewarrior.com/

The folks at these forums have a lot of experience in dealing with
Hijackers/Spyware/Malware. There is no charge for the help and information
available although donations are accepted. Be sure to read the guidelines,
and following their instructions you will download a little program called
HijackThis. Its purpose is simply to scan your computer and generate a LOG
of everything that is running at that moment. It does not decide what is
Good or Bad. That's what the experts at the forums will do. So *DO NOT* just
arbitrarily start deleting what it finds.

Next:
To use these forums, set up an account and post your LOG there, not here.
Someone will analyze it and let you know if anything is amuck and what you
can do to fix it. In the event your chosen site is down -- DDOS attack,
whatever, go here for a list of other Security Analysis sites and/or forums:
http://a-sap.org/


***Always follow safe Internet practices:***

1. Keep your virus definitions up to date, and scan your system regularly.

2. Keep your anti-spyware up to date, and scan your system regularly.

3. Don't open email, or download attachments from unrecognized email
addresses.

4. Be careful when downloading email attachments, EVEN FROM PEOPLE YOU KNOW!
Many viruses, worms, and trojans infect a person's system then immediately
spread themselves to the people in the infected person's address book via
email attachments.

5. Be careful downloading files from the Internet. Scan all downloaded files
with a reliable UP-TO-DATE antivirus program. Scan "zip" files BEFORE
unzipping, and scan all unzipped files BEFORE USING THEM.

6. Keep your Windows and IE current with all the latest patches and updates.

7. USE A FIREWALL.


Scumware/Cr@pware - Removal & Protection Tools:

BEWARE of Rogue/Suspect Anti-Spyware Products & Web Sites
One surprising and depressing aspect of the anti-spyware scene is the sheer
number of applications that are mere rip-offs of Spybot Search & Destroy or
Ad-Aware (two of the most recognized and trusted anti-spyware apps on the
Net). Proof of this can be found here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
http://www.spywarewarrior.com/family_resemblances.htm
but, the following list contains a number of (mostly) FREE programs that can
be used to eliminate immediate threats as well as secure your system.


CWShredder (FREE)
Removes all variations of the spyware/hijacker "CoolWebSearch".
This is the first line of defense whenever you suspect possible parasite
infestation. Some current variations of CoolWebSearch block Ad-Aware and
Spybot from catching everything.
http://aumha.org/downloads/cwshredder.zip
http://majorgeeks.com/download4086.html

There is a new, really ugly variant of CoolWebSearch. Infected machines will
close every browser window visiting many anti-spyware sites. Possibly
anti-virus sites or even Windows Update. It will even close Spybot S&D and
some other anti-spyware applications when you try to use them. To eliminate
this threat, use CWS.SmartKiller Removal Utility:
http://www.safer-networking.org/minifiles.html
http://majorgeeks.com/download4113.html

Spybot (FREE)
Removes hijackers, spyware, adware, usage tracks and more. The resident
"TeaTimer" feature monitors crucial processes on your machine. It
immediately detects known malicious processes wanting to start and
terminates them. In addition, TeaTimer detects when something wants to
change some critical registry keys. It can protect you against such changes,
giving you an option to "Allow" or "Deny" the change.
http://www.safer-networking.org/en/index.html
http://majorgeeks.com/download2471.html

Ad-Aware (FREE) & Pro
Protects against Data-mining, Ad-Ware, Parasites, Scumware, selected
Trojans, Dialers, Malware, Browser hijackers, and tracking components.
http://www.lavasoftusa.com/software/adaware/
http://majorgeeks.com/download506.html

HijackThis (FREE)
As mentioned above -- USE WITH CAUTION -- Just scan your machine, then save
& post the log to: Spywareinfo
http://majorgeeks.com/download3155.html
Tutorial and download:
http://www.tomcoyote.org/hjt/

SpywareBlaster 3.2 (FREE)
Prevent spyware from installing in the first place! Prevent the installation
of ActiveX-based spyware, adware, browser hijackers, dialers, and other
potentially unwanted pests. Block spyware/tracking cookies in Internet
Explorer and Mozilla/Firefox
http://www.javacoolsoftware.com/spywareblaster.html
http://majorgeeks.com/download2859.html

McAfee Stinger (FREE)
Stinger is a stand-alone utility used to detect and remove specific viruses.
It is not a substitute for full anti-virus protection. Download a *fresh*
copy each time you need it.
http://vil.nai.com/vil/stinger/


Check your browser settings here:
http://www.jasons-toolbox.com/BrowserSecurity/
A series of "tests" (and suggested fixes) to help tweak IE's settings to
help prevent infections when surfing the web.


Check security settings here:
https://www.grc.com/x/ne.dll?bh0bkyd2
http://www.pcflank.com/test.htm


General computer check and tune-up
PC Pitstop
http://www.pcpitstop.com/


If you need a good (FREE) antivirus:
AVG
http://free.grisoft.com/freeweb.php
AVAST
http://www.avast.com/eng/avast_4_home.html


Online Virus Scanner:
-you are wise to use one or more of these in conjunction with your own
antivirus. Never install more than one AntiVirus or Firewall app on a single
machine.

Trendmicro
http://housecall.trendmicro.com/
Panda
http://www.pandasoftware.com/activescan/


If you need a good (FREE) Firewall:
ZoneAlarm (FREE) & Pro
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
Sygate Personal Firewall (FREE) & Pro
http://smb.sygate.com/free/spf_download.php

This may sound like a lot of work and it is. But, if you follow this
outline, you'll learn a whole lot in the process and have a much more secure
computer.
--
~john aka: jopa


SR

Thank you both for your help

Ricky said:
Here's a post I found that may help..

1. Boot from Windows installation CD-ROM
2. Choose Repair Control [R]
3. Choose the problematic Windows installation you want to fix.
4. At C:\Windows directory type in order the following commands:


attrib -r hxdefdrv.sys
del hxdefdrv.sys
attrib -r svhost.exe
del svhost.exe
attrib -r winunins.exe
del winunins.exe
attrib -r winunins.ini
del winunins.ini

I was looking at the file contents of winunins.ini remotely before deleting
it:

$ cat winunins.ini
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[... snipped ...]

Seeing as it would have blocked the executables of HijackThis and
CWShredder, jopa66's suggestions to use them would not have worked. Now I
can access everything and my system even runs faster. Thanks so much
for your help.
cd system32
del inatjoy.dll

And note the above deleting can be done before rebooting too, from a
remote system on the network with file sharing access to the host. The
only one that won't delete is winunins.exe which was in use, but it wasn't a
problem to remove after rebooting into safe mode.
5. Restart the PC in safe mode

6. Open RegEdit and delete the keys:

a. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\WINNT\svhost.exe -sr -1"


b. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\WINNT\svhost.exe -sr -1"

7. In RegEdit, find and Edit every Key containing ".outhost.", leaving them
blank. I.e. The key
Default_Page_URL reads
http://hzukcv.outhost.info/,http://hzukcv.outhost.info/}".



All now must be OK !

And it is, MANY many thanks :)
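The hiding rule SR observed (a "[Hidden Table]" entry ending in "*" hides every name with that prefix, yet the files stay visible from another machine on the LAN) turned into a small defender-side check: this is an added example, not code from the thread, and the ini text and directory listings in it are constructed sample data.

```python
# Added example (not the thread's own code): cross-view check for filter-hidden
# files. The poster's key observation is that names starting with "msconfig" or
# "spybot" vanish from Explorer and `dir` on the host while a remote machine
# listing the share still sees them. Below: parse a "[Hidden Table]" list in the
# winunins.ini format quoted above and diff a local listing against a remote one.
# All names and listings here are constructed sample data.

SAMPLE_INI = """[Hidden Table]
winunins.ini
svhost.exe
Spybot*
msconfig*
"""

def parse_hidden_table(ini_text):
    """Entries of the [Hidden Table] section; a '*' suffix means prefix match."""
    entries, in_section = [], False
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[hidden table]"
        elif in_section and line:
            entries.append(line)
    return entries

def hiding_rule(name, table):
    """Table entry that hides `name` (case-insensitive, like NTFS), or None."""
    n = name.lower()
    for entry in table:
        e = entry.lower()
        if (e.endswith("*") and n.startswith(e[:-1])) or n == e:
            return entry
    return None

def cross_view_diff(local_listing, remote_listing):
    """Names the remote view lists that the local view does not: suspects."""
    local = {n.lower() for n in local_listing}
    return sorted(n for n in remote_listing if n.lower() not in local)

# Constructed listings: what `dir` on the host shows vs. what the LAN share shows.
LOCAL_VIEW = ["calc.exe", "notepad.exe"]
REMOTE_VIEW = ["calc.exe", "msconfig.exe", "notepad.exe", "Spybot - S&D.lnk", "winunins.ini"]

def report(local=LOCAL_VIEW, remote=REMOTE_VIEW, ini=SAMPLE_INI):
    """Map each locally missing name to the hidden-table entry that explains it."""
    table = parse_hidden_table(ini)
    return {name: hiding_rule(name, table) for name in cross_view_diff(local, remote)}
```

A name that is missing locally but matches no table entry is still worth a look; the table only explains the discrepancy, the cross-view diff is what detects it.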

Ricky

You're welcome..glad it helped. :)
