Full Version: Malware - Root Kit
Southpaw1028
I believe I have a hacker's tool kit. Not sure how it got in, but I was running McAfee Firewall, Privacy Service, Virus Scan, Spamguard. I also dump all cookies, temp internet files and history every time I use the internet. Then I run Adaware and virus scan. I noticed in the task manager, under processes, a file named winword.exe. The problem is that I wasn't using Word or any of my Office 2003 products. I put winword.exe in Google and it said it could be legit or maybe not. They suggested to go to search and put in the name. Up came winword.exe-33aea629.pf. I put this in Google and it said it is a Hacker's Tool Kit. I read on Microsoft Tech page about Root Kits. I deleted the entire folder for prefetch along with uninstalling the entire Office 2003 program. I ran search and within 5 minutes winword.exe-33aea629.pf was back in the same place along with the prefetch folder. I had Windows recovery disabled. Everything came back again and again. I booted in safe mode, ran AVG; it found nothing. I ran AdAware in Safe mode and you found 2 tracking cookies. I deleted them, rebooted in safe again and lo and behold, 2 more tracking cookies.
This thing is a STEALTH and really advanced. I am only a novice. I don't know much more than operating puters. My son is a tech and he couldn't find this thing either.
I am trying to figure out if I should Nuke and start over.
I am writing this only to alert others and especially Adaware staffers, as you are the only service that found anything. Even though you only found 2 tracking cookies, all other ad scanning progs didn't find squat. I followed Microsoft's instructions and created a zipped folder and dragged some of the suspect files from the windows folder and emailed to them for inspection. Will have to wait for reply. Just wanted to alert you. Maybe I'm too much a novice and being paranoid??
Tom
LS CalamityJane
Hello and welcome

I believe you have a case of paranoia, yes. Let me try to dispel some of the myths and assumptions, because nothing you have done here indicates any malware infection at all.

Cookies found by Ad-Aware are quite normal and come from surfing on the internet. Cookies are NOT malware - they are text files only. They can be considered a privacy matter, which is why Ad-Aware finds and alerts you on them, but they are not malware and cannot run any programs that infect your computer. So the evidence of cookies found is nothing to prove any infection.

Here is a good explanation about cookies that I find useful:
http://en.wikipedia.org/wiki/HTTP_cookie

Searching Google for a file name is a dangerous bad habit. A file name these days is no indication at all that you might be infected. That is because malware today many times mimics the same file names as valid Windows or program files. In your case winword.exe is likely the legitimate one because nothing else indicates any problem. It is much more likely that what you are seeing is the same as described in this old topic:
WINWORD.EXE
I only recently noticed that instances of WINWORD.EXE continue to exist in my Windows Task Manager even after I have closed MS Word. Why does this happen?....
Full discussion in the link below:
http://my.brandeis.edu/bboard/q-and-a-fetc...g?msg_id=0000Ox

Then you may find references to winword.exe as malware in search results such as this one:

http://www.liutilities.com/products/wintas...ibrary/winword/
QUOTE
Description:
winword.exe is the main executable for Microsoft Word, a word processing application which is bundled with the Microsoft Office Suite.

Note: winword.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Determining whether winword.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from.


The key to the above being the last sentence about the location of winword.exe and even sometimes that is not always applicable to all cases.

Therefore, the only reliable way to tell if a file is infected or legitimate is to have it examined. The easiest method is to scan the suspect file here:
Virus Total
http://www.virustotal.com/

or here:

Jotti Malware Scan
http://virusscan.jotti.org/

Those sites will give your file a scan using a dozen or more different products to see if it is infected. Note: Those sites can also sometimes get awfully busy, so if you find one is unavailable or too busy without a long wait, then you can try the other.

So what I would suggest from here is to go to the above scan sites and submit your winword.exe for a scan. Let us know how you make out. If there is a problem, we'll be glad to help.
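The reply above makes two practical points: the directory a process runs from matters more than its name, and the reliable test is to have the actual file examined. The following PowerShell script is an added example, not something posted in this thread or shipped by Lavasoft, that gathers exactly those facts for any running winword.exe: its on-disk path, whether that path is under a Microsoft Office install directory, its Authenticode signature, and its SHA-256 hash (which can be looked up on VirusTotal or Jotti without uploading anything). It assumes a modern Windows with PowerShell 4 or later (for Get-FileHash); the list of expected Office directories is an assumption and may need adjusting for a given install.

```powershell
# Added example (not from the forum thread): gather the facts about a
# running winword.exe that the reply says matter for deciding legitimacy.

# ASSUMPTION: typical install roots for Microsoft Office. Adjust if Office
# is installed elsewhere on the machine being checked.
$expectedRoots = @(
    "$env:ProgramFiles\Microsoft Office",
    "${env:ProgramFiles(x86)}\Microsoft Office"
)

$procs = Get-Process -Name winword -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Output "No winword.exe process is currently running."
}

foreach ($p in $procs) {
    $path = $p.Path   # $null when the process belongs to another user and we lack rights
    if (-not $path) {
        Write-Output "PID $($p.Id): executable path not readable (try an elevated shell)"
        continue
    }

    # Hash for a lookup on VirusTotal / Jotti; signature to see who published the binary.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # Is the executable running from one of the expected Office directories?
    $inOfficeDir = [bool]($expectedRoots | Where-Object { $path -like "$_\*" })

    [pscustomobject]@{
        PID         = $p.Id
        Path        = $path
        InOfficeDir = $inOfficeDir
        SigStatus   = $sig.Status                     # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject  # $null when unsigned
        SHA256      = $hash
    }
}

# Prefetch entries like winword.exe-33aea629.pf are written by Windows itself
# whenever an executable launches, so they reappear after deletion as a
# matter of course. List them with timestamps so they can be matched against
# the times Word was actually started.
Get-ChildItem "$env:SystemRoot\Prefetch\WINWORD.EXE-*.pf" -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
```

Run it from a PowerShell prompt while the suspect process is visible in Task Manager. A result with InOfficeDir true, SigStatus Valid and a Microsoft signer is the normal case; a path outside the Office directory, an unsigned or HashMismatch binary, or a hash that the multi-engine scanners flag is what would justify submitting the file for a full scan as the reply suggests.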