For the last few days, my sister's computer has been acting up. I have WinPatrol, and Scotty the Watch Dog kept asking permission for "Autoexec.bat" and "Config.sys" to run. I repeatedly rejected it, which was followed by a system error pop-up: "could not find file."
I knew then that something was up. I decided to go to the desktop and try to open Ad-Aware. It didn't open, and neither did Spybot-Search & Destroy, AVG, or SpywareBlaster. I tried launching them from the start menu program list and the Run command, but neither worked. I just got a red "X" and an error message saying I can't open it without administrative permission. Even my "All Programs" list was completely empty. After being aggravated to my limit, I powered down.
Everything worked much better the following day: files opened and backed up, but there were still those annoying pop-ups from Scotty. I'm wondering if there's a rootkit hiding whatever I'm infected with, because nothing's been picked up except a cookie called "BlackCore" from Spybot-Search & Destroy. Is there any hope for getting rid of this?
Malware is at its most insidious when it conceals its whereabouts, either by masking all traces of itself as a rootkit, or by attacking legitimate files and stealing their names. It sounds like you could have a case of the latter, which would explain the activity that WinPatrol caught with "Autoexec.bat" and "Config.sys," a batch file and a system file, trying to access your computer in new and suspect ways.
Variations on the Autoexec.bat.exe worm, known to Sophos as W32/Melo-C and to Symantec as W32.Sejese, also weaken many antivirus programs and slow performance. If you haven't tried this already, log into Safe Mode before running your antispyware software.
Another possibility is that WinPatrol is detecting a different program that's trying to edit those files. WinPatrol 11 provides heightened security for the autoexec.bat, config.sys, and boot.ini files, which rootkits often target. If you're still experiencing problems after running your security software in Safe Mode, create a log with HijackThis and submit it to a spyware forum for analysis. Just note that HijackThis displays all your running processes, not a list of your infected files, so it's a good idea to familiarize yourself with how it works. This video explains HijackThis basics.
After the hullabaloo involving your sister's compromised computer, it's easy to see your concern about BlackCore. It is a known Trojan horse, though it's also possible that the Trojan file has already been disabled and what you're left with is the cookie. You can select and "fix" the BlackCore cookie in HijackThis and address the issue when you consult a spyware forum.
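The name-stealing trick described above (an executable such as Autoexec.bat.exe borrowing a legitimate startup file's name, or a file that keeps the legitimate name but is really a program) can be checked for directly. The script below is an added example, not part of the column or of WinPatrol; the directory it scans and the sample files in it are constructed, and the list of guarded names is taken from the answer.

```python
"""Flag files masquerading as Windows startup/config files (added example).

Two tricks are checked: a legitimate name with an extra executable
extension (Autoexec.bat.exe shows as "Autoexec.bat" when extensions are
hidden), and a legitimate name whose content starts with the "MZ" magic
of a DOS/PE executable instead of text. Sample files are constructed.
"""
import os
import tempfile

# Files the answer says WinPatrol 11 guards on the system drive.
PROTECTED = {"autoexec.bat", "config.sys", "boot.ini"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".cmd", ".vbs"}


def is_pe(path: str) -> bool:
    """True if the file begins with the DOS/PE 'MZ' magic bytes."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_masquerades(directory: str) -> list[tuple[str, str]]:
    """Return (filename, reason) for each suspicious file in `directory`."""
    findings = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        stem, ext = os.path.splitext(lower)
        if stem in PROTECTED and ext in EXEC_EXTS:
            findings.append((name, "double extension hides executable"))
        elif lower in PROTECTED and is_pe(path):
            findings.append((name, "config file contains PE header"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Build a constructed system-root lookalike and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "Autoexec.bat": b"@echo off\r\n",              # genuine batch file
            "Config.sys": b"MZ\x90\x00PE\x00\x00",         # PE dressed as config
            "Autoexec.bat.exe": b"MZ\x90\x00PE\x00\x00",   # double extension
            "boot.ini": b"[boot loader]\r\n",              # genuine
            "readme.txt.exe": b"MZ",                       # unrelated name, ignored
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return sorted(find_masquerades(root))
```

Pointing `find_masquerades` at the real system drive root (for example `C:\`) lists the same two kinds of mismatch on a live machine.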