Clever Smitfraud…

Sometimes you see a malware implementation whose cleverness and ingenuity you have to respect. These pests can be dastardly to get rid of, but essentially this pest was occasionally popping up a “windows integrity scanner” installer. It wasn’t frequent, but it was persistent, and the user was afraid that it was the gateway to other bad stuff. (That’s correct…) Anyway, on inspecting the msconfig list of programs running at startup I found gsudxz.exe or some such nonsense (a pseudo-random string of letters). I opted to reboot into safe mode and run the Smitfraud removal tool because this looked like a typical Smitfraud infection… turns out it wasn’t though.


The removal tool did its job, found the item I had suspected, and I rebooted to find it gone. I continued to work on the machine for another 40 minutes or so on another issue and left. I soon had a call that it had returned! So, I revisited and sure enough there was another entry in the startup list… wdxcijk.exe or something similar… Hmmm… where is the “puppet master” process though? I killed off the process in memory and the startup entry, but knew there must be something “lurking in the shadows” that put it back in place.

So, I ran the Autoruns utility from Sysinternals… I haven’t used that utility before, believe it or not, but it does an EXCELLENT job of listing everything that might automatically run or load at startup. It turns out that there are Run entries in the registry that are not displayed by msconfig. (Thanks Microsoft…) This particular baddie had taken up residence at HKLM (HKEY_LOCAL_MACHINE)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, and the file it was running was safely tucked away in the C:\Documents and Settings\All Users\Application Data area…

So this process was responsible for running at startup and making sure that its minion was active. If the minion wasn’t active it would create a fresh copy, run it and place it in the regular startup area. Clever… someone cleaning manually or via a utility would quite easily find the minion and remove it, and not be certain how it kept sneaking back in.
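The practical lesson above is that msconfig only shows a subset of autostart locations, so a cleanup has to enumerate the Policies\Explorer\Run key as well as the ordinary Run keys, and then look at where each entry actually points. The script below is an added example written for this post (it is not the author's code and not a Sysinternals tool). It walks those Run keys under HKLM and HKCU, resolves each value to an executable path, and flags the traits described above: the entry sits in the key msconfig hides, the image lives under a data directory such as Application Data / ProgramData, or the file name is a vowel-poor random-looking string. The "random-looking name" rule and the 25% vowel threshold are a constructed heuristic, not a definitive test, and the list of registry keys is assumed to be the ones worth checking rather than an exhaustive autostart inventory (Autoruns covers far more).

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# session on Windows; the name heuristic and key list are assumptions, not a
# complete autostart inventory (use Autoruns for that).

$hives   = @('HKLM:', 'HKCU:')
$subKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',   # not shown by msconfig
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Data directories an autostart binary has little business living in.
# CommonApplicationData is C:\ProgramData today and
# C:\Documents and Settings\All Users\Application Data on XP-era systems.
$suspiciousDirs = @(
    [Environment]::GetFolderPath('CommonApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData'),
    $env:TEMP
) | Where-Object { $_ }

function Test-RandomLookingName {
    param([string]$Path)
    # Heuristic (assumption): 6+ lower-case letters with fewer than 25% vowels,
    # e.g. "gsudxz" or "wdxcijk" from the post.
    $stem = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($stem -cnotmatch '^[a-z]{6,}$') { return $false }
    $vowels = ($stem -replace '[^aeiou]', '').Length
    return ($vowels / $stem.Length) -lt 0.25
}

function Get-ImagePath {
    param([string]$Command)
    # Strip surrounding quotes / trailing arguments and expand %VARS% to get the binary path.
    if ($Command -match '^"([^"]+)"') { $image = $Matches[1] }
    else { $image = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($image)
}

$findings = foreach ($hive in $hives) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $hive $sub
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata properties
            $image   = Get-ImagePath ([string]$p.Value)
            $reasons = @()
            if ($sub -like '*Policies\Explorer\Run') { $reasons += 'hidden-from-msconfig key' }
            foreach ($d in $suspiciousDirs) {
                if ($image.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "lives under $d"; break
                }
            }
            if (Test-RandomLookingName $image) { $reasons += 'random-looking file name' }
            if ($image -and -not (Test-Path -LiteralPath $image)) { $reasons += 'image missing on disk' }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Image   = $image
                Flags   = ($reasons -join '; ')
            }
        }
    }
}

# Entries with the most flags first; an unflagged entry is not proof of innocence.
$findings | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

Run it before and after removal: the "puppet master" described in the post would show up as a flagged entry in the Policies\Explorer\Run key pointing into the All Users\Application Data directory, and the re-created minion would reappear in the ordinary Run key. Removing the minion alone, as the post found, only treats the symptom; the key to clean is the one msconfig never showed.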
