Sign in with
Sign up | Sign in
Your question

Found a strange process in the Task Manager.

Last response: in Windows XP
Share
Anonymous
May 11, 2005 10:25:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello:
I have found a process that appears in the task manager when it is
initialized, but dissapears in no time, it appears as SysFader, I don't know
if it is part of Windows or some kind of spyware, because I've seen it when i
have trouble with spyware or viruses in many computers. I hope you could help
me identifying this "process", No antivirus, nor anti spyware software has
detected it.
Thank You!

ATTE:
Luis Martínez Moreno
dragon_cz@hotmail.com
Anonymous
May 12, 2005 12:36:26 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Luis Martinez wrote:
> Hello:
> I have found a process that appears in the task manager when it is
> initialized, but dissapears in no time, it appears as SysFader, I
> don't know if it is part of Windows or some kind of spyware, because
> I've seen it when i have trouble with spyware or viruses in many
> computers. I hope you could help me identifying this "process", No
> antivirus, nor anti spyware software has detected it.
> Thank You!
>
> ATTE:
> Luis Martínez Moreno
>


http://www.google.com/
Search for:
what is SysFader

--
Shenan Stanley
MS-MVP
--
Anonymous
May 12, 2005 4:48:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

The virus is a Trojan called 'Winshow'.

Here is the fix...
This problem is created by a trojan (VBS_Winshow.A, as Trend Micro refers to
it as)
http://www.trendmicro.com/vinfo/virusencyclo/default5.a...

or adware as Symantec refers to it as.

http://securityresponse.symantec.com/avcenter/venc/data...

This past weekend happens to be about the one month anniversary of its
initial appearance; perhaps this is the reason why it the 'copy' error
started showing up. On my machine, it looks like it first deposited itself on
10/30/03. Its main impact for me was it would not allow multiple launches of
IE from the desktop icon, and it became impossible over the weekend to synch
my pda, HD MP3 player or use my multi-card reader, and impacted anything else
that was hooked up through my USB 2.0 card. IE session since the beginning of
November have seemed somewhat buggy; anything depending upon a plug-in applet
(like Java) took FOREVER to load. The 'copy' boot error does not show up with
every bootup or login, making it seem like the problem goes away.

In 2000/XP, you need to search for the folders Winshow and Winlink, usually
deposited in C:\ Documents and Settings \ (user) \ Local Settings \
Application Data, where (user) is whatever name you log into or use XP/2000
with. If you have them, you will need to delete eventually, but you'll first
have to delete the registry entries (if you don't, the trojan will simply
recreate the folders with the next bootup). There probably is the file
'msupdater.exe' on your machine as well, this and the two folders have been
associated as a IE hijacker routine a number of people have reported on the
internet.

Norton's WinDoctor can delete some of the registry entries (it did for me,
but it didn't get everything), but you really need to use it or better yet,
use Hijack This, booted into Safe Mode (where the trojan isn't allowed to
start before attempting to delete its components).

For those who don't know, Hijack This is an anti-hijacking app is easy to
find (and best of all, is free). You can find it on CNET and other places to
download. In my case, it came in a .zip file; within it was a .exe file that
launches Hijack This when clicked. It doesn't appear to install itself to
Windows. Upon starting in Safe Mode, you should get a window; select Scan,
and in a second or two you will get a listing of the processes that launch on
startup with your specific computer. Look for the Winlink and Winshow entries
(under BHO on my computer), click the tick boxes, and click Fix Check.

Once done, you can reboot normally, go and find the the msupdater.exe file,
Winshow and Winlink folders and delete w/o them showing up again.

To further clean up, you can go into the registry (with regedit, but only if
you know what you're doing in there), and search for both winlink and
winshow; there may be remnants still lurking as there were on my computer. If
you find them, delete them; the trojan shouldn't be active at this point so
it shouldn't recreate them. NOTE: if you have multiple login user identities
on your machine, you may have to do this exercise for EACH one. If you're
knowledgeable and brave enough, you can delete the registry entries in Safe
Mode also, without using Hijack This or any other app.
Anonymous
June 15, 2005 1:22:08 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thankyou, I'm trying this.

Medalist <borag@kocsistem.com.tr> wrote in message
news:AD07AECB-F74D-42DD-B922-B8C6C944B8C5@microsoft.com...
> The virus is a Trojan called 'Winshow'.
>
> Here is the fix...
> This problem is created by a trojan (VBS_Winshow.A, as Trend Micro refers
to
> it as)
>
http://www.trendmicro.com/vinfo/virusencyclo/default5.a...
..A&VSect=T
>
> or adware as Symantec refers to it as.
>
>
http://securityresponse.symantec.com/avcenter/venc/data...
>
> This past weekend happens to be about the one month anniversary of its
> initial appearance; perhaps this is the reason why it the 'copy' error
> started showing up. On my machine, it looks like it first deposited itself
on
> 10/30/03. Its main impact for me was it would not allow multiple launches
of
> IE from the desktop icon, and it became impossible over the weekend to
synch
> my pda, HD MP3 player or use my multi-card reader, and impacted anything
else
> that was hooked up through my USB 2.0 card. IE session since the beginning
of
> November have seemed somewhat buggy; anything depending upon a plug-in
applet
> (like Java) took FOREVER to load. The 'copy' boot error does not show up
with
> every bootup or login, making it seem like the problem goes away.
>
> In 2000/XP, you need to search for the folders Winshow and Winlink,
usually
> deposited in C:\ Documents and Settings \ (user) \ Local Settings \
> Application Data, where (user) is whatever name you log into or use
XP/2000
> with. If you have them, you will need to delete eventually, but you'll
first
> have to delete the registry entries (if you don't, the trojan will simply
> recreate the folders with the next bootup). There probably is the file
> 'msupdater.exe' on your machine as well, this and the two folders have
been
> associated as a IE hijacker routine a number of people have reported on
the
> internet.
>
> Norton's WinDoctor can delete some of the registry entries (it did for me,
> but it didn't get everything), but you really need to use it or better
yet,
> use Hijack This, booted into Safe Mode (where the trojan isn't allowed to
> start before attempting to delete its components).
>
> For those who don't know, Hijack This is an anti-hijacking app is easy to
> find (and best of all, is free). You can find it on CNET and other places
to
> download. In my case, it came in a .zip file; within it was a .exe file
that
> launches Hijack This when clicked. It doesn't appear to install itself to
> Windows. Upon starting in Safe Mode, you should get a window; select Scan,
> and in a second or two you will get a listing of the processes that launch
on
> startup with your specific computer. Look for the Winlink and Winshow
entries
> (under BHO on my computer), click the tick boxes, and click Fix Check.
>
> Once done, you can reboot normally, go and find the the msupdater.exe
file,
> Winshow and Winlink folders and delete w/o them showing up again.
>
> To further clean up, you can go into the registry (with regedit, but only
if
> you know what you're doing in there), and search for both winlink and
> winshow; there may be remnants still lurking as there were on my computer.
If
> you find them, delete them; the trojan shouldn't be active at this point
so
> it shouldn't recreate them. NOTE: if you have multiple login user
identities
> on your machine, you may have to do this exercise for EACH one. If you're
> knowledgeable and brave enough, you can delete the registry entries in
Safe
> Mode also, without using Hijack This or any other app.
>
Related resources
!