System hijack --> shut down using power switch. Booted Puppy Linux. Mounted /dev/sda2 (C:\), cleaned temp files and cookies in: C:\Documents And Settings\All Users, C:\Documents And Settings\Owner (main user of computer), C:\Documents And Settings\NetworkService, ..\Default User, ..\LocalService.
Then I looked for new files modified/dated for the same day and found --> C:\Documents And Settings\"Owner"\Application Data\Adobe\Shockwave Player 11\Shockwave.log.
In the log was the installation of the file: C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1163633.exe
I have been looking for the codecs or plugins or BHO which have been inserted by advertisers on the link sites for TV Shows and I think that this is it.
I know that the means of infection lately has had to be Adobe, because it doesn't play well in the sandbox. They insist on putting their polluted cr*p on everyone's computer and insist on having hardware access. Can I be sure? No, especially because I didn't open it in an editor--I just nuked it along with the other things as part of a cleanup.
PS: The aforementioned file was on the system I reloaded as well--there were binary patches applied to the native networking stack of XP--these connections were observed using netstat /b at the command prompt which pointed to Firefox, the actual network modules and other modules with kernel access. The install was too stale to bother repairing.
PSS: I would appreciate confirmation or "You're terribly, tragically wrong--misinformed, possibly paranoid and delusional. I want my 30 seconds back."
PSSS: The current system shows no signs of infection or rootkit after cleanup. AFAIK it is no longer infected. I was asking for confirmation about: SwHelper_1163633.exe.
Edited by Eqwatz, 16 February 2012 - 04:20 PM.
Moved from XP to Am I Infected.
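The poster's triage step of mounting the Windows volume from a live Linux system and hunting for files modified on the day of the incident is easy to script so it covers every profile directory at once. The following is an added example, not code from the poster or from any tool mentioned in the thread. It walks a mount point and returns the files whose modification time falls on a given calendar day; the directory tree it builds is a constructed stand-in for a mounted XP volume (the file names mirror the ones in the post, the timestamps and contents are invented), so the script runs offline. Note that mtime on an NTFS volume can be altered by malware, so an empty result is not proof of a clean system; the check narrows the search, it does not close it.

```python
import os
import tempfile
from datetime import date, datetime, timedelta, timezone


def files_modified_on(root, day_str, tz=timezone.utc):
    """Return sorted paths of regular files under root whose modification time
    falls on the calendar day given as 'YYYY-MM-DD' (interpreted in tz).

    Symlinks are not followed, so a link on the suspect volume cannot redirect
    the walk onto the live system, and unreadable entries are skipped rather
    than aborting the whole sweep.
    """
    day = date.fromisoformat(day_str)
    start = datetime.combine(day, datetime.min.time(), tzinfo=tz)
    lo = start.timestamp()
    hi = (start + timedelta(days=1)).timestamp()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # permission problem or vanished file: skip, keep going
            if lo <= st.st_mtime < hi:
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample volume (assumption, not the poster's real disk):
    an XP-style layout with two files touched on the incident day and one
    older system file that must not be flagged."""
    root = tempfile.mkdtemp(prefix="xp_triage_")
    incident = datetime(2012, 2, 16, 15, 0, tzinfo=timezone.utc)
    older = incident - timedelta(days=40)
    samples = {
        "Documents and Settings/Owner/Application Data/Adobe/Shockwave Player 11/Shockwave.log": incident,
        "Documents and Settings/Owner/Local Settings/Temp/tmp0001.tmp": incident + timedelta(minutes=5),
        "WINDOWS/system32/drivers/etc/hosts": older,
    }
    for rel, when in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        ts = when.timestamp()
        os.utime(path, (ts, ts))  # set atime and mtime to the chosen instant
    return root


def demo(day_str="2012-02-16"):
    """Build the sample tree and return the flagged files as volume-relative
    paths with forward slashes, which is what a triage report would list."""
    root = build_sample_tree()
    hits = files_modified_on(root, day_str)
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in hits]


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

On a real live-boot triage the call would be `files_modified_on("/mnt/sda2", "2012-02-16")` after mounting the volume read-only; mounting read-only also preserves the timestamps you are about to rely on.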