DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs
What have I got?

#1  17-01-2005, 02:04 PM  nickholmes (D-A-L Newbie, Join Date: Jan 2005, Posts: 2)

I have contracted something which has almost completely
locked me out of my machine..

I have AVG installed, and I have run Trust.com's online virus checker,
both of which say everything's OK..

Spybot S&S tells me I have Coolwwwsearch.smartsearch and
Kazaa.irc.spybot13.world, but although it tells me they have been
removed, they immediately come back..

The nasty thing is that I have been locked out of all of my diagnostic
tools... I can't Ctrl-Alt-Del and view Processes, The services control
panel has been disabled. Regedit, Hijack This, Netmon, Regmon, etc.
have all been disabled.

I finally found a freeware registry editor which it allowed. On viewing
the registry I have the following entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisableRegistryTools =1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisAllowRun\
blackd.exe =1
blackice.exe =1
lockdown.exe =1
lockdown2000.exe =1
netmon.exe =1
processmonitor.exe =1
smc.exe =1
sniffem.exe =1
taskill.exe =1
tskill.exe =1
zapro.exe =1
zlclient.exe =1
zonealarm.exe =1

And the following 'autoruns'..
DriveService16 chkscan32.exe -drivers
DriveService16 chkscan32.exe -services

If I try to remove any of these entries from the registry, they just
reappear...

Also, my hosts file redirects all major security sites + microsoft.com
to nowhere...

Does anyone recognise this behaviour, or have any suggestions as to
how to get rid?

Thanks

Nick

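The two indicators in the post above (policy values under HKCU\...\Policies\Explorer that block tools, and a hosts file that sinks security and Microsoft domains) can be checked offline from a .reg export and a copy of the hosts file, which is useful when the live machine blocks regedit and the usual tools. The script below is an added example, not code from the thread or from any product it mentions. It assumes a .reg export in the standard "Windows Registry Editor Version 5.00" text format (made with whatever editor still runs, as the poster did with a third-party one), a hosts file copied from %SystemRoot%\System32\drivers\etc\hosts, and a constructed watchlist of vendor domain fragments. Two details go beyond the post: the documented location of DisableRegistryTools and DisableTaskMgr is Policies\System rather than Policies\Explorer, so both keys are scanned, and the standard DisallowRun layout stores the executable name in the value data ("1"="netmon.exe") whereas the post shows it as the value name, so both forms are reported.

```python
# Added triage example (not from the thread): audit a .reg export of the HKCU
# policy keys and a hosts file for tool-lockout policies and sinkholed domains.
import re

# Constructed sample .reg export modelled on the entries listed in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisableRegistryTools"=dword:00000001
"NoRun"=dword:00000000
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="netmon.exe"
"2"="zonealarm.exe"
"tskill.exe"=dword:00000001
"""

# Constructed hosts file; 192.0.2.10 is a documentation address, not a real host.
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       www.microsoft.com
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         www.symantec.com
192.0.2.10      update.grisoft.com   # AVG update host of the period
10.0.0.5        fileserver.local
"""

# Policy values (under HKCU\...\Policies\Explorer or \System) that lock out tools.
LOCKOUT_VALUES = ("DisableRegistryTools", "DisableTaskMgr", "NoRun", "DisallowRun")
# Constructed watchlist of domain fragments an infection would want to sink.
WATCH_DOMAINS = ("microsoft.com", "windowsupdate", "symantec", "mcafee", "grisoft",
                 "safer-networking", "lavasoft", "trendmicro", "kaspersky")
SINK_PREFIXES = ("127.", "0.0.0.0")

REG_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def decode_reg_data(data):
    """Decode quoted strings and dword: values; leave hex:/other types raw."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = REG_SECTION.match(line)
        if section:
            current = section.group("key")
            keys.setdefault(current, {})
            continue
        value = REG_VALUE.match(line)
        if value and current is not None:
            name = "@" if value.group("default") else value.group("name")
            keys[current][name] = decode_reg_data(value.group("data"))
    return keys


def audit_policies(keys):
    """Return [(kind, detail)] for set lockout policies and DisallowRun entries."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith((r"\policies\explorer", r"\policies\system")):
            for name in LOCKOUT_VALUES:
                if values.get(name) == 1:
                    findings.append(("policy", name))
        elif low.endswith(r"\policies\explorer\disallowrun"):
            for name, data in values.items():
                # Standard layout: exe in the data. Post's layout: exe as the value name.
                exe = data if isinstance(data, str) and data.lower().endswith(".exe") else name
                findings.append(("disallowrun", exe.lower()))
    return findings


def audit_hosts(text):
    """Return [(host, ip, kind)] for watchlisted hosts overridden in the hosts file."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        ip, hosts = fields[0], fields[1:]
        for host in hosts:
            if any(fragment in host.lower() for fragment in WATCH_DOMAINS):
                kind = "sinkholed" if ip.startswith(SINK_PREFIXES) else "redirected"
                findings.append((host, ip, kind))
    return findings


def run_triage(reg_text, hosts_text):
    """Combine both audits into one report dict."""
    return {"policies": audit_policies(parse_reg_export(reg_text)),
            "hosts": audit_hosts(hosts_text)}


if __name__ == "__main__":
    for section, items in run_triage(SAMPLE_REG, SAMPLE_HOSTS).items():
        print(section)
        for item in items:
            print("  ", *item)
```

Any hit from audit_policies means a policy the user did not set is restricting their own account; the hosts findings distinguish outright sinkholes (loopback or 0.0.0.0) from redirects to some other address, which is the more dangerous case because the traffic still goes somewhere. Replacing the sample strings with the real export and hosts copy is the only change needed to run it on a case.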
#2  19-01-2005, 06:41 PM  owen (D-A-L Team Member (UK), Loyal Contributor, Join Date: Jun 2004, Posts: 5,272)

I suppose you have already formatted your PC by now. That problem could have been solved and formatting is a lot of hassle reinstating all your settings. If you haven't formatted and still require help, post back please.

Have a read of this as well:

Preventing it returning

After your problem has been resolved on the forum, it is an absolute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.

1. Visit Windows Update
Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.

2. Download Antivirus Software-
If you haven't already got Antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and in my opinion, is better than some Antivirus software such as Norton. Antivirus software will prevent viruses infecting your system and it is important that you update it every two days or every week at the most.

3. Download a Firewall-
If you haven't already got a firewall, it is Very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sygate Personal Firewall, which happens to be freeware.

4. Spyware Scanners-
It is important that as well as having real time spyware protection, you have a spyware scanning application. If you have not already been told to download one earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for and remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc, because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.

5. Prevent Spyware slipping through Internet Explorer-
Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.

6. Constant Spyware Protection-
It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.

All Of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to Update everything (including Windows using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.

And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!
__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|


- Be patient and wait for a response, we'll do our best to help resolve your issue.
- When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other peoples threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info
#3  19-01-2005, 07:19 PM  nickholmes (D-A-L Newbie)

I did remove it in the end. This is how, in case anyone else gets the same thing...

I couldn't stop, or even identify the process because taskman, taskkill, tskill, regedit, msconfig, hijack this, etc. had all been disabled..

I found that this virus/malware also shut Internet Explorer whenever it detected keywords such as virus, trojan, coolsearch, etc.. so getting any online help when you have it is not easy...

However, I finally found and downloaded a freeware registry editor which was not blocked: 'Registry Commander from Aezay Productions'.

Using that I was able to identify a file - chkscan32.exe which was running on startup. I renamed this file (couldn't delete it, as it was in use), replaced it with a copy of 'notepad.exe' and rebooted the machine.

I was then able to run hijack this, spybot and adaware which were then able to get my system back to normal..

I'm a software engineer, so have a pretty good knowledge and understanding of Windows systems, but was amazed how this thing had literally locked me out of everything. Right down to blanking the running process list in Task Manager and closing Internet Explorer as soon as I typed in the word 'coolwwwsearch'.

After my main system was clean, I ran the malware in a more controlled environment on a test PC, and found it had been using registry settings which I never knew existed, allowing it to prevent applications from running, disable registry tools, firewalls and Windows Update.. Is there no way you can 'lock' portions of the registry to unauthorised editing?
#4  19-01-2005, 08:10 PM  owen (D-A-L Team Member (UK))

These pests are the worst because it makes it incredibly hard to run analysis tools. It could have been Smartsearch or another CWS variant. I'm not sure exactly how they do it, but it is possible because the malware probably has a list of processes which are a threat to it to terminate and ways of stopping you using even some of the standard Windows tools. You can buy certain software that stops the use of Task Manager, Regedit, etc so this must have used the same principle.

I won't pretend I'm a windows professional because I'm not, but I do know quite a bit about malware which is what I am here for.

What I'm wondering is whether the files that you pinpointed that were causing the problem were detected by Spybot, or indeed Ad-aware? If not, then it would be a very good idea to submit the files to Lavasoft here, supposing you still have the files.

That is the problem with Windows you see, if the makers of this malware can exploit some of the functions in Windows to cause the problem you have, then you're really stuck. I'm not sure it's possible to "lockdown" the registry as such, but the TeaTimer which is included in Spybot Search And Destroy helps protect some areas of the registry and notify you of changes. I'm not quite sure of everything it detects. I know it detects new startup entries, change of browser pages, new BHOs, deletion of BHOs, addition and deletion of Download Program Files and a few others.