Help - strange virus or spyware or whatever

Started by Rui 'Trovatore' Pires, Thu 24/02/2005 10:54:57

Rui 'Trovatore' Pires

I wonder if anyone can help me. Recently (after having installed Download Accelerator, actually, but I'm not sure it's related, because at that very same time I browsed through many sites such as Astalavista with minimal security, so ANYTHING can have gotten in) I've been finding that the internet window I'm browsing (IE, and no, won't change. I'm comfortable with IE) will close. Without warning. And re-appear after some minutes, without the upper title bar - the one with the close button, making me resort to Alt-F4.

AntiVir Personal Edition, Spybot and AdAware didn't find anything wrong... at least, nothing that once corrected fixed this. I found a workaround, but it's strange - it seems that shortly after running IE after I FIRST boot the PC, two programs get run, which I can find in the Task Manager. They are something like "4231762.exe" - nonsensical. I close them, and until I reboot I will have no further trouble.

I also tried CodeStuff starter, but nothing out of the ordinary there.

I was just wondering if anyone knew anything about this strange thing.
Reach for the moon. Even if you miss, you'll land among the stars.

Kneel. Now.

Never throw chicken at a Leprechaun.

YOke

Quote from: Rui "Erik" Pires on Thu 24/02/2005 10:54:57
(IE, and no, won't change. I'm comfortable with IE)

"Please officer! Don't take my husband away! He beats me because I deserve it!"

Enlightenment is not something you earn, it's something you pay for the rest of your life.

Bernie

Hmm... start msconfig (type it into the run command bar or whatever it's called on english computers). Go to the system startup tab (last one) and deactivate all weird startup programs.
If you have a hard time telling good from bad programs, post a screenshot of your startup list.

Rui 'Trovatore' Pires

YOke - Heh. No, it's just a matter of being very comfortable with it so far. If IE beat me, I WOULD have it changed, but I'm used to it...

Bernie - Hmmm, thanks but it seems just like CodeStuff Starter. Here's the screenie.



EDIT - Before anyone asks, "Always Activate" is a WinGroove thing - no problem there.
Reach for the moon. Even if you miss, you'll land among the stars.

Kneel. Now.

Never throw chicken at a Leprechaun.

auhsor

Ok I think your problem is the farmext entry. Don't quote me on that, but if you google it it seems others are trying to get rid of it too.

Hope that helps.

edit: argh..  fixed typos... I guess it was late last night.

Squinky

Here's a site I found for figuring out just what exactly all those entries are in the task manager:

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm


Ghormak

All anti-spyware programs I've seen say Download Accelerator is spyware. Wouldn't surprise me.

I'd recommend finding that 4231762.exe and deleting the shit out of it.
Achtung Franz! The comic

Blade

That 4231762.exe is probably the file a virus created and it's probably hidden somewhere in the temp folder. There might be a problem in manual removal - Windows may recognise it as being used by the system.
Studies show that 50% of the people do not know they form half of the society.

RickJ

Quote
If IE beat me, I WOULD have it changed, but I'm used to it...
It just did!  Quit your blubbering  :=, get Firefox, and you will have no such problems in your future. 

http://www.mozilla.org/

Cluey

Quote from: RickJ on Thu 24/02/2005 15:46:25
Quote
If IE beat me, I WOULD have it changed, but I'm used to it...
It just did!  Quit your blubbering  :=, get Firefox, and you will have no such problems in your future. 

http://www.mozilla.org/
Ahmen!!
Aramore
My webcomic.

YOke

Everything is in the exact same place in Firefox anyway. The Back button, the Forward button, the Stop button.......the Refresh button!

Enlightenment is not something you earn, it's something you pay for the rest of your life.

Barbarian

Could be just about anything... most likely a SpyWare of sorts. For a recent topic with some good posts that may be of help for you, check out:
http://www.adventuregamestudio.co.uk/yabb/index.php?topic=19142.0
As, I suspect you may have a version of the CoolWebSearch virus/trojan (CoolWebSearch is anything but cool though).

What version of WinDoze you running? If you have like ME, 2000, XP, NT, you should have the "System Restore" feature. If the problem is recent enough, you may still be able to use the System Restore to rollback your drivers/settings/etc... to a date and time when you know your computer was still working good. Usually it's found from:
Start, All Programs, Accessories, System Tools, System Restore. Choose "Restore my computer..." then from the "Calendar" thingy you can pick a day and checkpoint to before your problems occurred.

The free version of DAP is Ad-Ware (not spyware), but the paid-for version of DAP is without any type of ads. I've been using DAP for a number of years, and it always works great for me.
But, if you're looking for a good free alternative without any kind of adware or spyware, you might try: http://www.stardownloader.com/

Also, you should make sure IE's security settings are adjusted for better protection, and you never mentioned if you're already using a firewall.. If not, then I highly suggest you get and use a firewall (there's many good free ones out there, one I like is ZoneAlarm which you can download a good free version over at www.zonelabs.com ).

Also, you may want to make sure your "Windows Critical Updates" are current, though be sure to make a System Restore checkpoint before updating in case something messes up, as, in my experience, sometimes updating with Windows can in fact mess things up even more.

Good luck.
PS: Backup any important data/files/programs that you need to keep safe.
Conan: "To crush your enemies, see them driven before you, and to hear the lamentation of the women!"
Mongol General: "That is good."

Blade of Rage: www.BladeOfRage.com

TheYak

If you're unable to find the references to the weird program, you could also try punching "services.msc" into the run-box.  This'll open a panel of system services that are currently running (or set to run in various circumstances) on your system.  Don't disable anything unless you're pretty certain it doesn't belong, and only make one modification at a time unless you know what you're doing.  If you find a suspect program, open its properties and change the startup type from manual or automatic to disabled. 

Another thing you can try is searching the registry ("regedit" from run) for the suspect program's name.  Blade's got a good point concerning the system-file status.  If it's in a Windows directory, it may've been protected as a vital operating system file.  You can download various freeware utilities that'll delete it upon startup if you can't do so manually.  The name's incredibly suspicious as viruses will often reproduce with randomly-named files (I've got a KBdhizk.dll I've been trying to get rid of for awhile, virus-related, based upon the name should be a Keyboard Language dll).  Another thing you can try if you can't delete it is to rename it, sometimes you'll be able to do this despite error messages (mine's renamed to KBdhizk.dll.bkp and thus rendered harmless).
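
An added example, not part of the thread: the checks suggested above (reviewing the startup list, searching the registry for the odd program name) written as a script that reads the Run keys and flags entries like the "4231762.exe" described in the first post. The two heuristics, the function names and the sample entries are assumptions made for this example.

```python
import ntpath
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample entries (location, value name, command), used off Windows.
SAMPLE = [
    ("HKLM Run", "ExampleAV", r'"C:\Program Files\ExampleAV\guard.exe" /min'),
    ("HKCU Run", "4231762", r"C:\DOCUME~1\user\LOCALS~1\Temp\4231762.exe"),
    ("HKLM Run", "Updater", r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\upd.dll,Run"),
]

def exe_path(command):
    """Pull the executable path out of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def reasons(command):
    """Heuristics assumed for this example; a clean result proves nothing."""
    path = exe_path(command)
    stem = ntpath.splitext(ntpath.basename(path))[0]
    hits = []
    if stem.isdigit():
        hits.append("all-digit file name")
    if re.search(r"\\(temp|tmp)\\", path, re.I):
        hits.append("runs from a temp folder")
    return hits

def read_run_keys():
    """Yield (location, name, command) from the Run keys; Windows only."""
    import winreg
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:  # key missing or unreadable
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                yield label + " Run", name, str(value)

def scan(entries):  # keep only the entries that trip at least one heuristic
    return [(loc, name, cmd, reasons(cmd)) for loc, name, cmd in entries if reasons(cmd)]

if __name__ == "__main__":
    for loc, name, cmd, why in scan(read_run_keys() if sys.platform == "win32" else SAMPLE):
        print(f"{loc}: {name} -> {cmd}  [{', '.join(why)}]")
```

An entry with an ordinary-looking name and path passes both checks, so the startup list still needs to be read entry by entry.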

Rui 'Trovatore' Pires

Whoa, many suggestions. Many thanks everyone. I'll uncheck "farmmext" and see what happens tomorrow, and then will try the other suggestions in order. I'll keep results posted, and thanks again!

EDIT - "Farmmext" it was! Thank you VERY much!
Reach for the moon. Even if you miss, you'll land among the stars.

Kneel. Now.

Never throw chicken at a Leprechaun.
