
Cleaver Malware/Spyware running rings around me..

 
Nick

External


Since: Jan 17, 2005
Posts: 1



(Msg. 1) Posted: Mon Jan 17, 2005 4:54 am
Post subject: Cleaver Malware/Spyware running rings around me..
Archived from groups: alt>comp>virus

I have contracted some malware or a trojan which has almost completely
locked me out of my machine..

I have AVG installed, and I have run Trust.com's online virus checker,
both of which say everything's OK..

Spybot S&S tells me I have Coolwwwsearch.smartsearch and
Kazaa.irc.spybot13.world, but although it tells me they have been
removed, they immediately come back..

The nasty thing is that I have been locked out of all of my diagnostic
tools... I can't Ctrl-Alt-Del and view Processes, the services control
panel has been disabled. Regedit, Hijack This, Netmon, Regmon, etc.
have all been disabled.

I finally found a freeware registry editor which it allowed. On viewing
the registry I have the following entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisableRegistryTools =1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisAllowRun\
blackd.exe =1
blackice.exe =1
lockdown.exe =1
lockdown2000.exe =1
netmon.exe =1
processmonitor.exe =1
smc.exe =1
sniffem.exe =1
taskill.exe =1
tskill.exe =1
zapro.exe =1
zlclient.exe =1
zonealarm.exe =1

And the following 'autoruns'..
DriveService16 chkscan32.exe -drivers
DriveService16 chkscan32.exe -services

If I try to remove any of these entries from the registry, they just
reappear...

Also, my hosts file redirects all major security sites + microsoft.com
to nowhere...

Does anyone recognise this behaviour, or have any suggestions as to
how to get rid?

Thanks

Nick
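
An added example, not part of the original thread: a Python triage pass over the indicators listed in the post above (the `DisableRegistryTools` policy value, the `DisAllowRun` block list, the autorun entries and sink-holed hosts entries). It assumes the keys are available as `.reg` export text and the hosts file as plain text; the sample data is constructed, and the `Run` key path, the `av-vendor.example` name, the watch list and all function names are assumptions.

```python
import re

SINKS = {"127.0.0.1", "0.0.0.0", "::1"}     # addresses that lead "nowhere"
LOCKOUT_VALUES = {"disableregistrytools"}    # policy value quoted in the post
# Constructed samples modelled on the post; the Run key path is an assumption.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisAllowRun]
"zonealarm.exe"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DriveService16"="chkscan32.exe -drivers"
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.microsoft.com\n0.0.0.0 av-vendor.example\n"

def parse_reg(text):
    """Yield (key, value_name, data) tuples from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2).strip('"')

def triage_registry(text):
    """Flag tool lockouts, DisallowRun entries and autoruns as (kind, detail)."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name.lower() in LOCKOUT_VALUES and data != "dword:00000000":
            findings.append(("tool-lockout", name))
        elif k.endswith("\\disallowrun"):
            # Program is the value name (as posted) or the data (numbered values).
            findings.append(("blocked-program", name if "." in name else data))
        elif k.endswith("\\currentversion\\run"):
            findings.append(("autorun", f"{name}: {data}"))
    return findings

def triage_hosts(text, watch=("microsoft.com",)):
    """Return (host, address, on_watchlist) for names mapped to a sink address."""
    hits = []
    for line in text.splitlines():
        addr, *names = line.split("#", 1)[0].split() or [""]
        for host in (n.lower() for n in names if addr in SINKS):
            if host != "localhost":
                watched = any(host == w or host.endswith("." + w) for w in watch)
                hits.append((host, addr, watched))
    return hits
```

Calling `triage_registry(SAMPLE_REG)` and `triage_hosts(SAMPLE_HOSTS)` returns the flagged entries as lists of tuples; running both again on fresh exports after a cleanup attempt shows which entries have come back.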

imbsysop

External


Since: Jun 25, 2004
Posts: 26



(Msg. 2) Posted: Mon Jan 17, 2005 3:53 pm
Post subject: Re: Cleaver Malware/Spyware running rings around me..
Archived from groups: per prev. post

On 17 Jan 2005 04:54:51 -0800, nickholmes RemoveThis @email.com (Nick) wrote:

>I have contracted some malware or a trojan which has almost completely
>locked me out of my machine..
>
>I have AVG installed, and I have run Trust.com's online virus checker,
>both of which say everything's OK..
>
>Spybot S&S tells me I have Coolwwwsearch.smartsearch and
>Kazaa.irc.spybot13.world, but although it tells me they have been
>removed, they immediately come back..

try "coolwebshredder" ? ..

David H. Lipman

External


Since: Jul 04, 2003
Posts: 1735



(Msg. 3) Posted: Mon Jan 17, 2005 4:19 pm
Post subject: Re: Cleaver Malware/Spyware running rings around me..
Archived from groups: per prev. post

Follow the suggestions that sh4d03 has provided you. But before you do the scanning, make
sure you shut down as many applications as possible.

If this is a WinXP PC then disable the System Restore cache before you clean the PC and once
you clean the PC re-enable the System Restore cache.

--
Dave




"Nick" <nickholmes.DeleteThis@email.com> wrote in message
news:8b16d548.0501170454.6684f5c5@posting.google.com...
| I have contracted some malware or a trojan which has almost completely
| locked me out of my machine..
|
| I have AVG installed, and I have run Trust.com's online virus checker,
| both of which say everything's OK..
|
| Spybot S&S tells me I have Coolwwwsearch.smartsearch and
| Kazaa.irc.spybot13.world, but although it tells me they have been
| removed, they immediately come back..
|
| The nasty thing is that I have been locked out of all of my diagnostic
| tools... I can't Ctrl-Alt-Del and view Processes, the services control
| panel has been disabled. Regedit, Hijack This, Netmon, Regmon, etc.
| have all been disabled.
|
| I finally found a freeware registry editor which it allowed. On viewing
| the registry I have the following entries:
|
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
| DisableRegistryTools =1
|
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisAllowRun\
| blackd.exe =1
| blackice.exe =1
| lockdown.exe =1
| lockdown2000.exe =1
| netmon.exe =1
| processmonitor.exe =1
| smc.exe =1
| sniffem.exe =1
| taskill.exe =1
| tskill.exe =1
| zapro.exe =1
| zlclient.exe =1
| zonealarm.exe =1
|
| And the following 'autoruns'..
| DriveService16 chkscan32.exe -drivers
| DriveService16 chkscan32.exe -services
|
| If I try to remove any of these entries from the registry, they just
| reappear...
|
| Also, my hosts file redirects all major security sites + microsoft.com
| to nowhere...
|
| Does anyone recognise this behaviour, or have any suggestions as to
| how to get rid?
|
| Thanks
|
| Nick
sh4d03

External


Since: Jun 11, 2004
Posts: 47



(Msg. 4) Posted: Tue Jan 18, 2005 12:23 am
Post subject: Re: Cleaver Malware/Spyware running rings around me..
Archived from groups: per prev. post

Nick wrote:
> I have contracted some malware or a trojan which has almost completely
> locked me out of my machine..
>
> I have AVG installed, and I have run Trust.com's online virus checker,
> both of which say everything's OK..
>
> Spybot S&S tells me I have Coolwwwsearch.smartsearch and
> Kazaa.irc.spybot13.world, but although it tells me they have been
> removed, they immediately come back..
>
> The nasty thing is that I have been locked out of all of my diagnostic
> tools... I can't Ctrl-Alt-Del and view Processes, the services control
> panel has been disabled. Regedit, Hijack This, Netmon, Regmon, etc.
> have all been disabled.
>
> I finally found a freeware registry editor which it allowed. On viewing
> the registry I have the following entries:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
> DisableRegistryTools =1
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisAllowRun\
> blackd.exe =1
> blackice.exe =1
> lockdown.exe =1
> lockdown2000.exe =1
> netmon.exe =1
> processmonitor.exe =1
> smc.exe =1
> sniffem.exe =1
> taskill.exe =1
> tskill.exe =1
> zapro.exe =1
> zlclient.exe =1
> zonealarm.exe =1
>
> And the following 'autoruns'..
> DriveService16 chkscan32.exe -drivers
> DriveService16 chkscan32.exe -services
>
> If I try to remove any of these entries from the registry, they just
> reappear...
>
> Also, my hosts file redirects all major security sites + microsoft.com
> to nowhere...
>
> Does anyone recognise this behaviour, or have any suggestions as to
> how to get rid?
>
> Thanks
>
> Nick

Try running the scans in safe mode.

run these:
AdAware SE 1.05 Personal
SpyBot SD 1.3
SpySweeper - www.webroot.com

Install them and then run them in safe mode in full scan mode. Whilst in
safe mode you should be able to use your diagnostic tools also. My guess
would be that there are arbitrary executables in the System32 folder.
View the directory by date last modified and look for anything with a
random array of characters that is either an exe or a dll. If you're
uncertain post the name of them and also right click and go to
properties for that file and see if there is a version tab.

Post if you get stuck

Sh4d03

--
If you require more assistance or if my suggestion works please E-mail me at
sh4d03 [at] TPG [dot] com [dot] au. Additionally, if you are able to provide
assistance to me and wish to E-mail me directly please also feel free to
contact me in this manner. Please ensure you include "Newsgroup_sh4d03" in the
subject line. Please pay attention to the capitalisation. Emails sent to
the above address which do NOT contain "Newsgroup_sh4d03" in the
subject line will fail to reach me.
Thanks,
Sh4d03