
FYI - sneaky malware doing the rounds

MuppetGrinder
Grafter
Posts: 151
Registered: 10-10-2008


Hi guys, just thought I would let you all know, there is a pain in the ass piece of malware doing the rounds on the drive-by download scene. I fell prey to it the other day, so here's some basic info in case you get hit with it at some point too. It takes the form of a very convincing 'Windows Security Center' message popup and also hijacks your browser. More precisely, it automatically resets your computer, then pops up saying something like "Windows firewall has prevented program X.trojan from running on your system. Your system is currently unprotected, click below to enable protection". I didn't click it so I don't know what site it sends you to. On top of that, it then embeds in the good old svchost process call with a keep-alive script. It also (and this is the really irritating part) makes your browser open up saying some crap about "unprotected browsing detected" with two links on the page, "click here to get protected" or "click here to continue without protection", each link punctuated with a nice little security center shield. And it sends random application kill commands to your browser, so it will sporadically just close on you (like I said, pain in the ass). Oh yeah, and just to be really nice, it corrupts the 'msconfig' utility, so that if you try and run it you can't (so no selective startup to get rid of the little burger). Those are the only symptoms that I know it causes; I didn't notice any file scanning in any of the logs that I checked, but I never hold info like that so didn't pay much attention.
That's the problem covered, here's how I got rid of it: After a good bit of process tracking, I found it was housed in an exe called fhexj6825097.exe and had a couple of associated .dll files in there too. This file was located in C:\documents and settings\*user name*\Application Data\Google (the folder 'Application Data' is hidden, so you will need to turn on view hidden files and folders from the Tools, Folder Options, View menu) and was, of course, access denied because the process was running (under the guise of svchost as mentioned before, but there was almost certainly an invisible process running too). Now here is where XP Pro has the advantage over XP Home: I always turn off "simple file sharing" and this lets me assign the security policy of individual files and folders. I used this to change the security options on the Google folder to deny all access for "SYSTEM" and then rebooted into safe mode. Once in safe mode, I deleted the files, and then denied all users write privileges to the folder. Reboot back into normal mode and all is well with the world again.
I don't know if changing the security policy on the folder is particularly necessary, but it's what I did at any rate. Also, for anyone that doesn't do it already, clear out your C:\WINDOWS\Prefetch folder regularly of anything that you don't know for certain you use.
Hope this helps someone.
P.S. if anyone is wondering where I picked it up from, it was a game review site while checking out "Spyro: Dawn of the Dragon" on the PS3 for the kids.
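As an added example (not part of the original post), here is a PowerShell script that automates the two checks the poster did by hand: it lists running processes whose executable lives under a profile's application-data folder and flags any named like svchost that are not in System32, and it can apply the same deny-SYSTEM ACL on the suspect folder via icacls. The default folder path and the icacls use are assumptions; the poster used the Folder Options security tab on XP Pro, not icacls.

```powershell
# Added example, not the poster's own code. Assumes Windows with PowerShell 3+
# and icacls, run from an elevated prompt.
param(
    # Constructed default matching the folder named in the post; adjust as needed.
    [string]$SuspectFolder = (Join-Path $env:APPDATA 'Google'),
    [switch]$ApplyDeny
)

# 1. Find processes started from anywhere under a user's application-data folder.
#    Win32_Process exposes the image path without the access errors that
#    Get-Process can raise on protected processes.
$suspects = Get-CimInstance Win32_Process | Where-Object {
    $_.ExecutablePath -and ($_.ExecutablePath -match '\\(AppData|Application Data)\\')
}

foreach ($p in $suspects) {
    # A binary called svchost that does not live in System32 is the
    # "under the guise of svchost" pattern the post describes.
    $mimics = ($p.Name -ieq 'svchost.exe') -and
              ($p.ExecutablePath -notmatch '\\Windows\\System32\\')
    [pscustomobject]@{
        PID           = $p.ProcessId
        Name          = $p.Name
        Path          = $p.ExecutablePath
        MimicsSvchost = $mimics
    }
}

# 2. Optional: replicate the poster's ACL change. Denying SYSTEM full control on
#    the folder stops the file being relaunched at boot; delete it from Safe Mode
#    afterwards, then deny write access to everyone as the post does.
if ($ApplyDeny -and (Test-Path $SuspectFolder)) {
    & icacls $SuspectFolder /deny 'SYSTEM:(OI)(CI)F'
    # After the files are gone, run:
    #   icacls $SuspectFolder /deny 'Everyone:(OI)(CI)W'
}
```

Run it without -ApplyDeny first to review the list; a legitimate application can also run from AppData, so confirm the path and name before changing any ACL.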