Re: Unknown Malware found csdiv.dll
From: H Carvey (keydet89@yahoo.com)
Date: Thu Jul 01 2004 - 07:26:08 CDT
In-Reply-To: <200406301026.12115.sven.carstens@blinker-links.de>
Sven,
I'll have to admit...your responses certainly generate a lot of questions. Please bear with me here while I try to get some idea of what you've got going on...
>So I started up sysinternals procexp.exe and autoruns.exe.
>There I found a bunch of different programs running that didn't belong there.
Didn't belong where? Autoruns shows multiple locations...
>These were with varying names and locations within \windows and
>\windows\system32.
Varying names...such as? Many times, the name of the file pointed to by a Registry entry will give clues as to what it does. Some malware drops a file on the system with a file name comprised of 8 random lower-case characters. Not the definitive, of course, but a clue.
Also, in addition to procexp.exe (or perhaps instead of) I'd suggest that you run tlist.exe (from the MS Debugger Tools, *not* the RK) or cmdline.exe (DiamondCS) to get the command line used to launch each process. This is usually more informative than simply the process name.
>Then I tried to install AdAware. This failed. So I first killed the suspicious
>processes and then AdAware installed without failure.
>AdAware updated and detected the changes in the registry (res:\\ types for IE)
Hhhmmm...not sure where you got your understanding of the "res://" URI, but you might want to read this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;220830
The "res://" resource doesn't necessarily have a one-to-one relationship with "detected...changes in the registry".
Please understand...I'm not trying to find fault with anything you've done. However, I do think that with a better understanding of the issues at hand, these sorts of things can be handled a little better in the future.
Harlan
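Added example, not part of Harlan's message or Sven's: a modern PowerShell equivalent of the tlist.exe / cmdline.exe step suggested above, listing every process with its launch command line and flagging the "8 random lower-case characters in \windows or \windows\system32" pattern as a triage clue. It assumes a current Windows host with PowerShell 5.1 or later and CIM access; the name heuristic and the Authenticode check are this example's own choices, and both are clues to investigate by hand, not verdicts.

```powershell
# Added example (not from the original thread): show each process with the
# command line used to launch it, then short-list the ones that match the
# "8 random lower-case letters under %SystemRoot%" clue mentioned in the post.
# Assumes PowerShell 5.1+ on Windows; run from an elevated prompt to see all processes.

$systemRoot = $env:SystemRoot              # e.g. C:\WINDOWS
$randomName = '^[a-z]{8}\.exe$'            # heuristic from the thread, not a rule
$winDirs    = @($systemRoot, (Join-Path $systemRoot 'system32'))

$rows = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    $leaf = if ($path) { Split-Path -Path $path -Leaf } else { $_.Name }

    # Clue 1: binary sits directly in \windows or \windows\system32
    #         and its name is exactly eight lower-case letters.
    $inWinDir = [bool]$path -and ((Split-Path -Path $path -Parent) -in $winDirs)
    $oddName  = $leaf -cmatch $randomName   # -cmatch: case-sensitive, so upper-case fails

    # Clue 2: Authenticode status of the image on disk ('Unknown' if the path is gone).
    $sig = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'Unknown' }

    [pscustomobject]@{
        PID         = $_.ProcessId
        PPID        = $_.ParentProcessId
        Name        = $_.Name
        Path        = $path
        CommandLine = $_.CommandLine        # usually more telling than the name alone
        Signature   = $sig
        Suspicious  = $inWinDir -and ($oddName -or $sig -eq 'NotSigned')
    }
}

# Full picture first, the way tlist.exe / cmdline.exe would show it ...
$rows | Sort-Object PID | Format-Table PID, PPID, Name, CommandLine -AutoSize

# ... then the short list worth looking at by hand.
$rows | Where-Object Suspicious | Format-List PID, Path, CommandLine, Signature
```

Compare the Path and CommandLine columns against the autoruns.exe entries you found; a process whose command line does not match any persistence entry still has to have been started by something, and that parent (PPID) is the next thing to look at.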