Clever Smitfraud….



Sometimes you see a malware implementation that you have to have respect for the cleverness/ingenuity of the design. These pests can be dastardly to get rid of, but essentially this pest was occasionally popping up a “windows integrity scanner” installer. It wasn’t frequent, but it was persistent and the user was afraid that it was the gateway to other bad stuff. (That’s correct…) Anyway on inspecting the msconfig list of programs running at startup I found gsudxz.exe or some such nonsense (psuedo-random string of letters). I opted to reboot into safe mode and run the smitfraud removal tool because this looked like a typical smitfraud infection… turns out it wasn’t though.


The removal tool did it’s job, found the item I had suspected and I rebooted to find it gone. I continued to work on the machine for another 40 minutes or so on another issue and left. I soon had a call that it had returned! So, I revisited and sure enough there was another entry in the startup list…. wdxcijk.exe or something similar… Hmmm… were is the “puppet master” process though? I killed off the process in memory and the startup entry, but knew there must be something “lurking in the shadows” that put it back in place.

So, I ran the Autorun utility from sysinternals…. I haven’t used that utility before believe it or not, but it does an EXCELLENT job of listing every thing that might automatically run or load at startup. It turns out that there are run entries in the registry that are not displayed by msconfig. (Thanks microsoft…) This particular baddie had taken up residence at hklm (hkey local machine) / software / microsoft / windows / current version / policies / explorer / run … an the file it was running was safely tucked away in the c:documents and settingsall usersapplication data area….

so this process was responsible for running at startup and making sure that it’s minion was active. If the minion wasn’t active it would create a fresh copy and run it/place it in the regular startup area. Clever…. someone cleaning manually or via utility would quite easily find the and remove and not be certain how it kept sneaking back in.

Related Posts

Blog Traffic Exchange Related Posts
  • Remote tech support with anything - would I do it? I've tried to ask myself if I'd trust someone enough to let them run a remote session on my own desktop to solve a problem. I think the answer is "it depends". If you think about it, I do tech support for home users quite a bit and they let......
  • How to Remove SystemCleanerPro | SystemCleanerPro Removal Guide SystemCleanerPro is a rogue antivirus application. It is a part of the WinSpywareProtect family and will run at system startup. It will popup many warnings about your computers security (or lack thereof). It will scan your system and claim there are viruses and it will repeatedly nag you about purchasing......
  • Disinfecting a PC... part 1 This is the first in a several part series documenting the cleaning of an infected PC. The only real noteworthy item is that it was a dial-up only connection and was rather infested for that. (On par with some of the broadband connected pc's I've seen. It's also an interesting......
Blog Traffic Exchange Related Websites
  • Preparing for Winter Running Winter running is a challenge because of many different factors. Depending on where you live, you may have to face conditions which will include snow and ice. If nothing else, you will have to face lower than usual temperatures. This is enough to cause some people to put off running......
  • Running in a Triathlon Triathletes have a bigger challenge than just the cyclist, the swimmer or the runner since they have to compete in all three sports consecutively.  Very often, an athlete will excel at one or two parts of the competition but have room for improvement in the third, and this will very......
  • Running for Abs: How to Get a Six-Pack with the Help of the Treadmill Getting a six-pack isn't easy, or else everyone would have them. Just the phrase "six-pack" seems to carry with it a sense that it is the truly defining characteristic of a strong physical specimen. Yet some people seem to work out constantly and never find that they have a six-pack.......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site