I thank you for your responses, but since I don't believe HJT gives version info, I would then need additional information, i.e. the file properties. The idea of checking the file's path seems to hold more promise.
If I do a HJT scan and I have the WinRAR archiver running, it shows in the "Running processes" section of the HJT log as follows:
C:\Program Files\WinRAR\winrar.exe
It would seem that the legitimate executable would be preceded in the file path by the program folder.
It should (LOL) follow that in the CWS version the executable would have no program folder preceding it, i.e. C:\Windows\winrar.exe, or C:\Windows\system (32)\winrar.exe.
I guess I would be pretty suspicious if the running process showed up as C:\Windows\winrar.exe or C:\Windows\system (32)\winrar.exe.
Let us know what you discover, for future reference.
Chik
453 Posts
0
March 8th, 2005 13:00
If you have a process called winrar.exe running on your computer and you don't use the 'winrar' archiving utility, your computer has most likely been infected with a variant of the coolwwwsearch parasite.
Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection!
coolwwwsearch parasite has two running processes:
C:\WINDOWS\quicken.exe
C:\WINDOWS\editpad.exe
also the filenames:
c:\windows\winrar.exe
c:\windows\waol.exe.
-chik
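The path check described in this thread, as an added example (not code from any poster or from HijackThis): it reads the "Running processes" section of a HijackThis-style log and flags the file names listed above only when they sit directly in a Windows system folder. The sample log is constructed, and the function names and the list of system folders are assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

# File names this thread reports for CoolWebSearch variants.
THREAD_NAMES = {"quicken.exe", "editpad.exe", "winrar.exe", "waol.exe"}
# Assumed system folders where a third-party application binary should not live.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}

# Constructed sample of a "Running processes" section (not a real log).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\WinRAR\\winrar.exe
C:\\WINDOWS\\winrar.exe
C:\\WINDOWS\\system32\\EDITPAD.EXE
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

def running_processes(log_text):
    """Yield the paths listed under 'Running processes:' until the section ends."""
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            # The section ends at the first line that is not a drive-letter path.
            if len(line) < 3 or line[1:3] != ":\\":
                break
            yield line

def suspicious(log_text):
    """Return paths whose name is on the thread's list and whose folder is a system dir."""
    hits = []
    for path in running_processes(log_text):
        # normcase lowercases the path so the comparison ignores case.
        folder, name = ntpath.split(ntpath.normcase(path))
        if name in THREAD_NAMES and folder in SYSTEM_DIRS:
            hits.append(path)
    return hits

if __name__ == "__main__":
    for p in suspicious(SAMPLE_LOG):
        print("check file properties / version info:", p)
```

A hit is a reason to inspect the file's properties and version info, as suggested elsewhere in the thread; the copy under Program Files\WinRAR is not flagged.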
Midnight Star
4.8K Posts
0
March 9th, 2005 00:00
I'm also thinking that the WinRAR archiver would have version info, where the CWS app probably won't (or won't match up to the file name).
-
Mike.
msgale
2 Intern
•
2.5K Posts
0
March 9th, 2005 01:00
Midnight Star
4.8K Posts
0
March 9th, 2005 02:00
Always glad to be of assistance.
-
Mike.
SpotCheckBilly
932 Posts
0
March 9th, 2005 06:00