Help with a nasty bit of spyware


#1

I’m having a hell of a time trying to get rid of some kind of Malware/Virus/Spyware crap on my main system.

What happens is about 5 or 6 minutes after connecting to the Internet, a blank command window opens (C:\WINDOWS\system32\cmd.exe), afterwards a bunch of suspicious processes start running and an IE window opens and tries to go to
http://www.whiplashmusic.com/blank2.html.

The following files also suddenly appear in C:
IELower.exe
is.exe
low.exe
mmxateam.exe
sw.bat
tb.exe
xe.exe
zdrivers.exe

The sw.bat batch file contains:
@echo off
IELower.exe
tb.exe
low.exe
xe.exe
mmotor.exe
mmxateam.exe
is.exe
exit

So I guess what’s happening is after detecting an internet connection these files are extracted to C:, sw.bat is run and tries to start the extracted exes.

The problem is I can’t find where the hell they keep coming from. I’ve run a full virus scan, scans with 2 different spyware scanners, combed through the registry, and made sure I recognize all the programs set to run on startup.

Anyone have any ideas?
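
Added example (not from the original post): a small triage helper that parses a dropper batch file like the sw.bat above, lists the programs it tries to launch, and compares that against the files that appeared in the drive root. Everything it works on is the text quoted in the post; nothing is fetched or executed. The batch-keyword list is an assumption of this example.

```python
"""Triage a dropper batch file against the files that landed on disk.

Given the text of the batch file and the list of files that appeared in C:\\,
work out which executables the batch launches, which of those are actually
present, which are referenced but absent, and which dropped files the batch
never touches. Nothing here runs or opens the files themselves.
"""
from __future__ import annotations

# Batch commands that are not program launches (assumption: small list chosen
# for this example; extend as needed).
_BATCH_BUILTINS = {"echo", "exit", "rem", "cls", "pause", "set", "cd",
                   "goto", "if", "del", "copy"}


def invoked_executables(batch_text: str) -> list[str]:
    """Return the program names a batch file invokes, in order, lower-cased."""
    names: list[str] = []
    for raw in batch_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("::"):
            continue
        tokens = line.lstrip("@").split()      # '@echo off' -> ['echo', 'off']
        token = tokens[0].lower()
        # 'call foo.exe' / 'start foo.exe' launch their second token.
        if token in {"call", "start"} and len(tokens) > 1:
            token = tokens[1].lower()
        if token in _BATCH_BUILTINS:
            continue
        names.append(token)
    return names


def triage(batch_text: str, dropped_files: list[str], batch_name: str = "sw.bat") -> dict:
    """Cross-reference launched programs with the files seen on disk."""
    present = {f.lower() for f in dropped_files}
    invoked = invoked_executables(batch_text)
    return {
        "launched_and_present": [n for n in invoked if n in present],
        "launched_but_missing": [n for n in invoked if n not in present],
        "present_but_not_launched": sorted(present - set(invoked) - {batch_name.lower()}),
    }


# Sample input: the batch contents and file list exactly as given in the post.
SW_BAT = """@echo off
IELower.exe
tb.exe
low.exe
xe.exe
mmotor.exe
mmxateam.exe
is.exe
exit
"""
DROPPED_FILES = ["IELower.exe", "is.exe", "low.exe", "mmxateam.exe",
                 "sw.bat", "tb.exe", "xe.exe", "zdrivers.exe"]

if __name__ == "__main__":
    for key, value in triage(SW_BAT, DROPPED_FILES).items():
        print(f"{key}: {value}")
```

Run against the posted data it shows that mmotor.exe is launched but never appeared on disk, and that zdrivers.exe is dropped but not started by the batch, which points at another launcher still to be found.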


#2

Do this stuff.


#3

Another solution was to get HijackThis, run it, and post the log on their forum. Experts there helped me get rid of a bunch of spyware that invaded my machine one afternoon.


#4

That was actually one of the first things I tried; unfortunately, everything running seemed to be legit… Until I found this:
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe

This is the lsass.exe that’s supposed to be running:
C:\WINDOWS\system32\lsass.exe

Looks like the W32.Ahker.G@mm worm.

Oh well. I think I may have finally nuked it completely at least.
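
Added example (not part of the original post): the check that post #4 did by eye, written down. It parses HijackThis-style O23 service lines and flags any entry whose image name is a core Windows binary but whose path is outside %SystemRoot%\system32, exactly the lsass.exe case above. The first log line is the one from the post; the others and the list of protected names are constructed for this example.

```python
"""Flag services that borrow a core Windows binary name from the wrong directory.

Parses 'O23 - Service: <display> (<short>) - <owner> - <path>' lines as written
by HijackThis and reports entries where the image file is named like a core
system binary but does not live in system32.
"""
import re
from pathlib import PureWindowsPath

# Binaries that only legitimately run from system32 (assumption: list chosen
# for this example).
PROTECTED_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                      "services.exe", "svchost.exe"}
EXPECTED_DIR = PureWindowsPath(r"C:\WINDOWS\system32")

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<service>[^)]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)


def parse_o23(line: str):
    """Return the fields of one O23 line, or None if it is not an O23 entry."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def is_masquerading(image_path: str) -> bool:
    """True if the file name is a protected binary but its directory is not system32.

    PureWindowsPath compares case-insensitively, so C:\\windows\\System32 matches.
    """
    p = PureWindowsPath(image_path.strip().strip('"'))
    if p.name.lower() not in PROTECTED_BINARIES:
        return False
    return p.parent != EXPECTED_DIR


def find_masquerading_services(log_text: str) -> list:
    """Scan a HijackThis log and return the suspicious O23 entries with reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if not entry or not is_masquerading(entry["path"]):
            continue
        reasons = ["core system binary name outside system32"]
        if entry["owner"].lower() == "unknown owner":
            reasons.append("no registered owner")
        findings.append({"service": entry["service"], "path": entry["path"],
                         "reasons": reasons})
    return findings


# Constructed sample log: first line is the entry quoted in the post, the
# other two are benign entries made up for contrast.
HJT_LOG = r"""O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Example Vendor Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
"""

if __name__ == "__main__":
    for f in find_masquerading_services(HJT_LOG):
        print(f"{f['service']}: {f['path']} ({'; '.join(f['reasons'])})")
```

The real lsass.exe at C:\WINDOWS\system32\lsass.exe passes; the copy in C:\WINDOWS is reported, with the "Unknown owner" field noted as a second signal.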


#5

[quote]
That was actually one of the first things I tried; unfortunately, everything running seemed to be legit… Until I found this:
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe

This is the lsass.exe that’s supposed to be running:
C:\WINDOWS\system32\lsass.exe

Looks like the W32.Ahker.G@mm worm.

Oh well. I think I may have finally nuked it completely at least.
[/quote]

Believe it or not, Windows XP System Restore is a frickin’ miracle worker for this crap, and so far it seems to be stable and useful. Just roll the machine back to the point before it became infected. Of course, if it has been too long it won’t help, but it’s saved my bacon a few times now.

H.


#6

That’s my favorite part of XP, and was long the biggest reason (aside from now-outdated security) for me to prefer XP over 2K.


#7

Is there a name for the lovely bit of spy/malware I managed to install last night that hijacks IE and pretends to be the XP Security Centre, warning you that you’ve been infected by a (non-existent) virus?

It tries to persuade you to download various bits of spyware detection software which naturally finds bucket loads of dodgy stuff.

Search and Destroy doesn’t detect it, nor does a vanilla version of Ad-Aware. I’m having difficulty downloading the updates at the moment to see if newer versions pick it up.


#8

My solution against malware that downloads updates is to run a software firewall in very paranoid mode. When a connection is made, a program changes etc., Norman warns me. Kerio was a bit too paranoid, but Norman warns just enough to catch new programs trying to get updates, unless it’s already caught it in the process of installing the downloader.


#9

This particular lovely was bundled into what appeared to be a genuine media player codec so I’d stupidly OK’ed both the download and running the install.

I’m running software and hardware firewalls and, presumably because it appears to be hijacking IE, the software firewall isn’t reporting any rogue processes trying to access the net.

I’ve disabled IRC, SMTP and IM ports on the hardware firewall until I know what I’m dealing with, and the Messenger service is about the first thing I disable when I install Windows.

Once again, thank god for Firefox, or I’d have been totally and utterly screwed rather than just seriously screwed.

[edit] Looks like it is PS Guard. This should be fun.


#10

Try the Microsoft AntiSpyware program. It’s surprisingly good. My wife got nailed with a bad piece of spyware and it cleaned it right up.


#11

Buy a Mac. LOL


#12

Hmm, I think I got rid of most of the stuff, but I don’t seem able to stop IE from firing up the nasty page. Funnily enough, uninstalling it from Control Panel doesn’t actually seem to remove it.

Is there a way to tell IRC to fire up Firefox instead?