Anti-Spyware Forums


files keep coming back at sysWOW64

 
 
cpliu
      30-05-2011, 01:38 PM
I have some kind of virus that keeps copying files to the sysWOW64 folder.
MS Security Essentials usually catches it right after the files are
installed. I checked msconfig and disabled the entry that may be doing
this, and checked all the RUN and RUN ONCE items in the registry. But the
files keep coming back to the folder after rebooting. What the program
does is launch IE in the background (no visible window you can see)
and play some audio advertisement.

I wonder if there is a program that can monitor the system and let me
know what program was activated to copy files to the system32 and
sysWOW64 folders. Is there a program like that?

How can I completely eliminate this ill-intended spyware/virus?

Thanks for the help,

 
David H. Lipman
      30-05-2011, 02:39 PM
From: "cpliu" <(E-Mail Removed)>

> I have some kind of virus that keeps copying files to the sysWOW64 folder.
> MS Security Essentials usually catches it right after the files are
> installed. I checked msconfig and disabled the entry that may be doing
> this, and checked all the RUN and RUN ONCE items in the registry. But the
> files keep coming back to the folder after rebooting. What the program
> does is launch IE in the background (no visible window you can see)
> and play some audio advertisement.
>
> I wonder if there is a program that can monitor the system and let me
> know what program was activated to copy files to the system32 and
> sysWOW64 folders. Is there a program like that?
>
> How can I completely eliminate this ill-intended spyware/virus?
>
> Thanks for the help,


While all viruses are malware, not all malware are viruses. In fact, the vast majority of
malware are not viruses; they are trojans. Viruses are very specific in that they have the
ability to self-replicate and/or infect other executables by appending, prepending or
inserting malicious code in legitimate files to spread. Trojans, on the other hand, need
assistance to spread, such as social engineering and the vulnerability/exploitation vector.
All too often people call all malware "viruses" when the terminology is "malware."

Many trojans use various "self preservation" techniques to exist on a given host. One is
a helper file that makes sure the actual malware is loaded and protected from being
removed. Thus you have to not just remove the actual trojan but you have to remove the
helper file as well to make sure that the trojan isn't re-injected to be loaded.

There are many ways, depending on the malware, that this can be done, from booting in Safe
Mode to removing the hard disk of the affected computer and placing it in a surrogate
computer.

You have to supply MORE information, such as the fully qualified name and path to the file
that MSE detects and the name that MSE defines the malware to be.

Additionally, you can upload the malware to http://www.uploadmalware.com/ and I can
analyze the file and see what the file is doing and maybe determine its self preservation
schema.



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp


 
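The helper-file point Dave makes above is the reason that checking only the Run and RunOnce values is not enough: the re-launch can be wired into other autostart values that msconfig does not show. As an added example (not Dave's code and not a tool from this thread), here is a Python script that parses a text dump produced by "reg export" of the Run, RunOnce and Winlogon keys and flags entries that deserve a second look: a Winlogon Shell or Userinit value that deviates from its default, and any Run/RunOnce target that lives in SysWOW64 or has no file name stem (the kind of ".exe" file cpliu describes later in the thread). The .reg text embedded below is constructed for the example; the key names and the Winlogon defaults are real, the individual entries and paths are hypothetical.

```python
r"""Review autostart entries from a 'reg export' text dump, looking beyond the
Run/RunOnce values the original poster already checked.

Added example; the .reg text below is constructed. Real dumps come from, e.g.,
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
(reg.exe writes UTF-16LE, so open such a file with encoding="utf-16").
"""
import re

# Constructed .reg export (hypothetical entries; key names and defaults are real).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="\"c:\\Program Files\\Microsoft Security Client\\msseces.exe\" -hide -runkey"
"kb39fjq2"="C:\\Windows\\SysWOW64\\kb39fjq2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysWOW64\\.exe,"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for the REG_SZ values in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg escaping: \\ stands for one backslash, \" for a quote
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def command_target(cmd):
    """Executable path from a Run-style command line: "quoted path" args, or path args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def file_stem(path):
    """File name without directory or extension; '' for a name like '.exe'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def in_syswow64(path):
    return path.rsplit("\\", 1)[0].lower().endswith("\\syswow64")


def audit_autostarts(keys):
    """Findings worth a manual look. Winlogon defaults are Shell = explorer.exe and
    Userinit = a single userinit.exe entry in system32 followed by a trailing comma."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\winlogon"):
            shell = values.get("Shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                findings.append(f"{key} Shell = '{shell}' (expected explorer.exe)")
            userinit = values.get("Userinit", "userinit.exe,")
            entries = [p.strip() for p in userinit.split(",") if p.strip()]
            if len(entries) != 1 or file_stem(entries[0]).lower() != "userinit":
                findings.append(f"{key} Userinit = '{userinit}' (expected only userinit.exe)")
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            for name, cmd in values.items():
                target = command_target(cmd)
                if in_syswow64(target) or file_stem(target) == "":
                    findings.append(f"{key}\\{name} -> {target} (in SysWOW64 or nameless; review)")
    return findings


if __name__ == "__main__":
    for finding in audit_autostarts(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)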
FromTheRafters
      30-05-2011, 03:44 PM
cpliu wrote:
> I have some kind of virus that keeps copying files to the sysWOW64 folder.


Some kind of malware, perhaps? Or maybe some remnant of an infestation
still exists?

> MS Security Essentials usually catches it right after the files are
> installed. I checked msconfig and disabled the entry that may be doing
> this, and checked all the RUN and RUN ONCE items in the registry. But the
> files keep coming back to the folder after rebooting. What the program
> does is launch IE in the background (no visible window you can see)
> and play some audio advertisement.


Adware as a malware sub-type. Still not proof of a virus or an infection.

> I wonder if there is a program that can monitor the system and let me
> know what program was activated to copy files to the system32 and
> sysWOW64 folders. Is there a program like that?


Well, the OS itself can do this kind of thing with files on the
'Protected Files' list. Aside from that, maybe Process Explorer can show
you the culprit guardian program.

> How can I completely eliminate this ill-intended spyware/virus?
>
> Thanks for the help,


First you will have to identify it. It would be helpful to know some
Operating System specifics also.
 
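Process Explorer shows what is running right now, but the copy into SysWOW64 happens around boot, so the more reliable way to name the writer is to have the OS log it: enable the File System subcategory of object-access auditing (auditpol /set /subcategory:"File System" /success:enable), add a "Write data" audit entry for Everyone on the System32 and SysWOW64 folders from each folder's Auditing tab, reboot, and then read the Security log's event 4663 records, which carry the Object Name, Process Name and Access Mask of each access. As an added example, not from this thread, here is a Python script that takes such records (constructed here rather than pulled from a real log) and lists which processes other than the servicing components wrote into the two folders, with a crude marker on generated-looking file names. The process paths and file names in the sample are made up, and the EXPECTED_WRITERS list is an assumption to extend for your own machine.

```python
"""Attribute writes under System32 / SysWOW64 to the process that made them,
using Windows Security event 4663 (An attempt was made to access an object).

Added example: the events below are constructed for illustration, not taken
from the thread. On a real machine collect them with, e.g.,
  Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663}
and feed the Object Name / Process Name / Access Mask fields to attribute_writes().
"""
from collections import defaultdict

# Constructed sample events (hypothetical paths and names).
SAMPLE_EVENTS = [
    {"ObjectName": "C:\\Windows\\SysWOW64\\kb39fjq2.exe",
     "ProcessName": "C:\\Users\\cp\\AppData\\Local\\Temp\\svch0st.exe",
     "AccessMask": "0x2"},                                  # FILE_WRITE_DATA
    {"ObjectName": "C:\\Windows\\SysWOW64\\.exe",
     "ProcessName": "C:\\Users\\cp\\AppData\\Local\\Temp\\svch0st.exe",
     "AccessMask": "0x2"},
    {"ObjectName": "C:\\Windows\\System32\\drivers\\etc\\hosts",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe",
     "AccessMask": "0x1"},                                  # read only, ignored
    {"ObjectName": "C:\\Windows\\SysWOW64\\msvcr100.dll",
     "ProcessName": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "AccessMask": "0x6"},                                  # expected servicing writer
    {"ObjectName": "C:\\Users\\cp\\Documents\\notes.txt",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe",
     "AccessMask": "0x2"},                                  # outside the watched folders
]

# Access-mask bits that change a file: FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE.
WRITE_BITS = 0x2 | 0x4 | 0x10000
WATCHED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Writers that legitimately touch these folders during servicing; everything else
# is reported. Assumption for the example, not a complete list.
EXPECTED_WRITERS = {
    "c:\\windows\\servicing\\trustedinstaller.exe",
    "c:\\windows\\system32\\msiexec.exe",
}


def is_write(access_mask: str) -> bool:
    """True if the hex Access Mask includes a write, append or delete right."""
    return int(access_mask, 16) & WRITE_BITS != 0


def in_watched_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in WATCHED_DIRS)


def file_stem(path: str) -> str:
    """File name without directory or extension; '' for a name like '.exe'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_generated(path: str) -> bool:
    """Crude prompt for a closer look: no stem at all, or a stem mixing letters
    and digits with no vowels. A hint only, not proof of anything."""
    stem = file_stem(path)
    if stem == "":
        return True
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    no_vowel = not any(c in "aeiouAEIOU" for c in stem)
    return has_digit and has_alpha and no_vowel


def attribute_writes(events):
    """Map process -> files it wrote under System32 / SysWOW64, minus EXPECTED_WRITERS."""
    by_process = defaultdict(list)
    for ev in events:
        if not is_write(ev["AccessMask"]) or not in_watched_dir(ev["ObjectName"]):
            continue
        if ev["ProcessName"].lower() in EXPECTED_WRITERS:
            continue
        by_process[ev["ProcessName"]].append(ev["ObjectName"])
    return dict(by_process)


def report(events):
    """One line per written file, with a marker on generated-looking names."""
    lines = []
    for proc, files in attribute_writes(events).items():
        for f in files:
            flag = "  <-- generated-looking name" if looks_generated(f) else ""
            lines.append(f"{proc} wrote {f}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

Once the writer is known, its own path and its parent (4688 process-creation events give the parent if process tracking is audited) are what to look for in the autostart locations; that is the helper that keeps re-injecting the files after each reboot.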
Virus Guy
      30-05-2011, 10:57 PM
"David H. Lipman" wrote:

> > I have some kind of virus that keeps copying files to the sysWOW64
> > folder.


> > How can I completely eliminate this ill-intended spyware/virus?


> While all viruses are malware, not all malware are viruses.
> In fact, the vast majority of malware are not viruses they are
> trojans.


Since there is no alt.comp.trojan, do you really think your "virus 101"
lectures provide any useful information?

To most people (and arguably the entire industry) the term "virus" is
sufficient to denote any software that is present on a user's computer
without their consent or knowledge.

It is or has become a catch-all term to describe a phenomenon for which
consumers expect "protection" in the form of "anti" software, i.e.
Anti-Virus.

I don't believe that anyone has ever marketed an Anti-Trojan or
Anti-rootkit or Anti-worm software protection package.

Explaining to the average computer owner that a virus is not a trojan is
not useful or actionable information.
 
FromTheRafters
      31-05-2011, 12:26 AM
Virus Guy wrote:
> "David H. Lipman" wrote:
>
>>> I have some kind of virus that keeps copying files to the sysWOW64
>>> folder.

>
>>> How can I completely eliminate this ill-intended spyware/virus?

>
>> While all viruses are malware, not all malware are viruses.
>> In fact, the vast majority of malware are not viruses they are
>> trojans.

>
> Since there is no alt.comp.trojan, do you really think your "virus 101"
> lectures provide any useful information?
>
> To most people (and arguably the entire industry) the term "virus" is
> sufficient to denote any software that is present on a user's computer
> without their consent or knowledge.


There's even at least one taxonomy that uses virus as the umbrella term.

I don't like it though.

> It is or has become a catch-all term to describe a phenomena for which
> consumers expect "protection" in the form of "anti" software - ie
> Anti-Virus.


Then the next question would be what kind of virus is it? If it is one
of the kinds that self-replicate, it might call for different treatment
from one of the types that don't. You still will want to differentiate
between those types, so why not keep the old terminology where trojans
don't self-replicate and viruses and worms do.

> I don't believe that anyone has ever marketed an Anti-Trojan or
> Anti-rootkit or Anti-worm software protection package.


They have, all except for anti-worm, but Snort can probably be counted
as one. The thing is, they are all different and have to be avoided or
removed differently. For instance, if it is a virus, there doesn't need
to be a 'startup' method of the kind that would show up in a HJT report.

> Explaining to the average computer owner that a virus is not a trojan is
> not useful or actionable information.


Perhaps not, but accurate information from that average user sure would
help us to help him. It really would help if users didn't insist on
using wrong terminology just because they think that everyone else does
so why shouldn't they.


 
Nobody > (Revisited)
      31-05-2011, 07:44 AM
On 5/30/2011 6:38 AM, cpliu wrote:
> I have some kind of virus that keeps copying files to the sysWOW64 folder.
> MS Security Essentials usually catches it right after the files are
> installed. I checked msconfig and disabled the entry that may be doing
> this, and checked all the RUN and RUN ONCE items in the registry. But the
> files keep coming back to the folder after rebooting. What the program
> does is launch IE in the background (no visible window you can see)
> and play some audio advertisement.
>
> I wonder if there is a program that can monitor the system and let me
> know what program was activated to copy files to the system32 and
> sysWOW64 folders. Is there a program like that?
>
> How can I completely eliminate this ill-intended spyware/virus?
>
> Thanks for the help,
>


MSSE is fairly good, but kinda weak on the "malware" side at times.
(I'm not going to bother with the neverending "virus/malware/trojan"
argument)

MalwareBytes AntiMalware (MBAM)(free) is one additional tool everyone
should have. The reason I choose MBAM is because their current
downloadable installer usually doesn't need a "web-update" to work.
(in other words, they appear to keep their installer very up-to-date)

So far, the best download site has been the "official mirror" at
http://majorgeeks.com/download.php?det=5756

(warning: the rest of this sounds like overkill, but it's what I've found
that works on unknown baddies that happen on "other people's pooters"
(friends and family crap))

Download it to an easy place to find (as on the desktop), but
immediately rename it "mbam-setup.exe" to something like "skunk.exe".
(and move the icon up to the upper-left screen corner)

Shut down your computer. Remove your internet connection (pull the RJ45
Cat5 connector off the back or pull it out of your cable/FiOS
modem/router/switch (this is temporary, so don't let the connector cable
fall where you can't find it)

Restart your computer in SAFE MODE... done by repeatedly and rapidly
tapping the F8 key as soon as your computer shows the BIOS screens. If
done right, you'll see a "DOS-like" boot menu.
(It's a timing problem, if you miss it and can't get the bootmenu, let
your pooter boot all the way into Windows, then select Turn-Off/Restart
and try the tappy-tappy F8 thing again until you get it)

Select "plain" Safe Mode (usually at the top of the list) with the
up-arrow key and <enter>.

Pick a known ADMINISTRATOR account (if needed), then go to the desktop
icon from above and install it, then run it *WHILE STILL IN SAFE MODE*.

**DELETE the desktop installer file and icon**

Restart Windows in normal mode (should be just "restart" from Safe mode)

Run MBAM again from the start menu.

No guarantees, but MBAM has gutted about every "piece-of-crap" I've had
to handle over long distance with friends and family crap for over two
years.

Afterwards, consider buying the retail MBAM and install it. The retail
auto-updates and "runs resident".

If you don't want to buy it, you'll have to "check for updates" when you
manually run it, but run it at least once a week. It's a fast scan.

--
"**** this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me mother****er?"
Jim “Dandy” Mangrum
 
cpliu
      01-06-2011, 07:36 PM
Sorry if I used the wrong term. I just used virus as a generic term
for it. MS Security Essentials calls it a virus too, although it's more
like spyware. These files keep coming back. It generates random
names (except for 2 of them, such as ".exe" with no filename). I have to
move them to a separate folder every time.

I will post more details in the future.

THANKS!
 
David H. Lipman
      01-06-2011, 07:56 PM
From: "cpliu" <(E-Mail Removed)>

> Sorry if I used the wrong term. I just used virus as a generic term
> for it. MS Security Essentials calls it a virus too, although it's more
> like spyware. These files keep coming back. It generates random
> names (except for 2 of them, such as ".exe" with no filename). I have to
> move them to a separate folder every time.
>
> I will post more details in the future.
>


Please do and I look forward to the information and possibly providing assistance.



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp


 
FromTheRafters
      02-06-2011, 01:01 AM
cpliu wrote:
> Sorry if I used the wrong term. I just used virus as a generic term
> for it. MS Security Essentials calls it a virus too, although it's more
> like spyware.


It bugs me that the *professionals* misuse terminology. I know that
they're just 'dumbing down' for the average user, but it really isn't
helpful for them to come up with terms like "trojan virus" or to list a
trojan as a sub-type under a virus description.

Anyway, another apparent misunderstanding exists with calling this thing
"spyware" when the symptoms described are "adware". Not trying to be
critical of anyone, but 'adware' brings (perhaps unwanted) content to
the user, and 'spyware' leaks content out to the collector. Not all
cases of either are malware; it depends on how they are being used.


 
David H. Lipman
      02-06-2011, 01:33 AM
From: "FromTheRafters" <(E-Mail Removed)>

> cpliu wrote:
>> Sorry if I used the wrong term. I just used virus as a generic term
>> for it. MS Security Essentials calls it a virus too, although it's more
>> like spyware.

>
> It bugs me that the *professionals* misuse terminology. I know that they're just
> 'dumbing down' for the average user, but it really isn't helpful for them to come up with
> terms like "trojan virus" or to list a trojan as a sub-type under a virus description.
>
> Anyway, another apparent misunderstanding exists with calling this thing "spyware" when
> the symptoms described are "adware". Not trying to be critical of anyone, but 'adware'
> brings (perhaps unwanted) content to the user, and 'spyware' leaks content out to the
> collector. Not all cases of either are malware; it depends on how they are being used.
>


The terminology for that is "data exfiltration".


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp


 