I'm Overrun By Malware
<div class="IPBDescription">Techies... I need you!</div> OK, I've tried on numerous technical support boards (OK, two), and I'm close to my wits' end.
<span style='color:red'>DISCLAIMER: YES I HAVE A VIRUS CHECKER. YES I HAVE AD-AWARE. YES I HAVE SPYBOT S&D. YES THEY ARE ALL FULLY UPDATED.
</span>
As some of you may know, I recently reformatted my computer. This brief period where I had no virus or spyware protection was too good an opportunity for most pieces of malware to resist, and thus I am flooded with crap.
I'll try and keep this clear and easy to understand. Firstly, I have been getting 5 instances of "DSO Exploit" in Spybot S&D, and every single time I run it the same thing happens: I fix the problem and it comes right on back.
Secondly, there are several processes which I do not recognise, and which have been trying to use my internet connection. The first, wininigo.exe, is definitely malware of some kind, but no one seems to know how to get rid of it. The processes are as follows:
Wininigo.exe
Msework.exe
Muamgrd.exe
Host32.exe
As I said, some of these may be harmless, but I'd feel a lot better if someone could give me a positive ID on them all.
Thirdly, probably as a result of one or more of the above programs, I have been getting a dialog box saying something along the lines of "You or a program is trying to access data at: xxxx.xxxx.com". The places it has tried to connect to are:
sen.ccseniors.com
jupiter.syrolnet.org
rx00.xnet666.com (now that doesn't sound good does it?)
1.xdgz.com
Again, some of these may be harmless places that Windows Update, or some other harmless program, is trying to access, but if anyone recognises these places as nasties, please let me know.
Just for the record, none of these are actually gaining access to the internet thanks to ZoneAlarm, but I would like to stop them from trying.
Finally, how do you configure a network to run through ZoneAlarm? I can't figure it out. The server is at 192.168.0.1 and the client is at 192.168.0.249, and I've tried putting 192.168.0.249 in the trusted zone to no avail. And yes, I've tried pinging that IP to check it's the right one, and it responds just fine.
In my years (all two of them) on these boards I've found there is very little you people don't know, so impress me once again. This is driving me crazy.
*edit* Oh, and if anyone can direct me to a good forum or IRC channel that deals with this sort of thing, please do. Oh, and I know about computing.net. Thanks.
*edit* Right, here's another: HouseCall picks up worm_agobot-5, I run it again, and it picks it up again even though it said it had cleaned it. What the hell do I do?
Comments
Or in life's case, suicide! It's your only option.
No, I have nothing helpful to add.
Wininigo
<a href='http://www.tek-tips.com/gviewthread.cfm/pid/760/qid/895145' target='_blank'>Click</a>
msework.exe
<a href='http://www.helpforums.co.uk/forum/viewtopic.php?t=18323' target='_blank'>Click</a>
The other two can probably be deleted in much the same way... turn off System Restore, restart in Safe Mode, delete the file and its traces from the registry. Generally solves the problem.
HijackThis is good for locating and removing those registry entries.
<a href='http://www.spychecker.com/program/hijackthis.html' target='_blank'>Click</a>
Obviously I have tried just looking for the exes themselves, but a search came up with nothing (yes, I included hidden folders...).
I only got these because of a few hours' vulnerability while I downloaded critical updates. Next time I reformat I'm saving all of this stuff to a disk like I should have in the first place.
And finally, this isn't my computer. My computer hardly ever has this kind of problem. This is my mum's/sister's computer, and I care about its welfare because it provides my internet connection.
Edit: In most cases I don't think you need to have ANYTHING in there...I normally don't keep anything there. Also try opening services.msc and look for anything weird.
I'm going to bed now since it's pretty late here; keep posting and I'll try some of your suggestions in the morning.
Edit: the temp folder in the (usually hidden) local settings folder of each user account.
1) a) Download Windows service packs and burn them to CD. Scan the CD for viruses. Unplug your net connection.
b) Format again twice in a row, then install a clean copy of Windows and the service packs.
c) Install drivers for your most basic hardware from their respective CDs.
d) Install ZoneAlarm or firewall of choice, and antivirus program of choice.
e) Download critical updates from Windows Update.
f) Install everything else.
2) Nuke the site from orbit. It's the only way to be sure.
I like formatting; it's a lot easier than tracking down lots of registry entries (I keep my computer with fairly minimal installs, and back up stuff a lot) and, more importantly, you're sure that the new install is clean.
Also make sure any other computers on the network aren't infected.
For running a network through ZoneAlarm, I'm not sure what you mean, but set the gateway in the settings to 192.168.0.1. I haven't used ZA in a while though, so I don't remember much. And make sure you haven't locked ZA :P
The processes are Muamgrd and Host32 and the registry calls them Microsoft update and windows update. Which is real?
I'm also still having no luck on getting ZA working through the network, any ideas? I can still access the other computer's shares, but I can't use the connection itself.
The dumbest thing to do is to name those Automatic Windows Updater or Windows update something. I'm sure Blaster does that as well.
And use a better browser if not already using it : <a href='http://www.mozilla.org/products/firefox/' target='_blank'>Mozilla FireFox</a>
OK, your advice worked with all of the programs except one: Wininigo. I turned off System Restore, went into Safe Mode and deleted every reference to it, BUT IT CAME BACK!
Worse yet, now my mum refuses to stop using ZoneAlarm; she's convinced that Wininigo only came back because I switched it off after clearing it, which may be the case.
I would quite like to know why the Windows firewall isn't catching this thing. ???
In fact, download HijackThis and post a log, and there's a good chance that there's some other stuff lurking in there too that it will turn up.
Edit: As well as doing that, the Wininigo program may be hiding in the temp folder in the user accounts' (hidden) Local Settings folder. Did you delete the files and folders in there? That's probably where it's reinstalling itself from.
1) Disconnect from internet
2) Open up windows search and search for winigo.exe, and delete any traces of it
3) *OPTIONAL* Scour the registry for winigo.exe
4) Reboot
Sort of worked for me when I got Blaster. Not sure about you though XD
Though I'd also suggest HijackThis if you don't want to do all the dirty work yourself, since it does all of it itself.
Maybe your Ad-Aware, Spybot or whatever backups might have been infected with crap and you keep reinstalling them...
Interestingly enough, going into MSCONFIG and removing it from the startup thingy did the job, I was under the impression that only the most pathetic spyware could be beaten like that.
On the contrary, there are only a few ways spyware can load itself up:
Running its own exes
Infecting/merging itself with another exe
DLL hooks
MSCONFIG clears the first of these, and covers the majority of malware.
S&D etc. are only really necessary to remove DLL hooks and patches. Merged exes are really the domain of viruses, not spyware.
Anyway, is the problem solved now?
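The two manual procedures in this thread (search the disk and registry for the named exe, then check what MSCONFIG would show you in the Run keys, startup folders and services, and compare the "Windows Update"/"Microsoft Update" display names against where the binary actually lives) can be done in one pass from an elevated PowerShell prompt. The script below is an added example written for this page, not code from any poster or from ZoneAlarm, Spybot or HijackThis; the name wininigo.exe is taken from the thread, and the choice of "inside %SystemRoot% or Program Files" as the trusted test is an assumption of this example, not a rule from the original post. It only covers the "runs its own exe" class of loader that the last reply describes; DLL hooks and patched binaries need the other tools mentioned above.

```powershell
# Added example, not from the original thread. Lists the autostart locations an
# MSCONFIG-style cleanup covers (Run/RunOnce keys, startup folders, services),
# flags entries whose image lives outside the Windows / Program Files trees or
# whose name imitates "Windows Update"/"Microsoft Update" while pointing outside
# System32, and then hunts a named binary on disk and in the registry.
# Run from an elevated PowerShell. Suspect name is a parameter (assumption: the
# thread's wininigo.exe is the default).
param(
    [string]$SuspectName = 'wininigo.exe'
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Roots we treat as "expected" for an autostart image (assumption of this example).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }   # ${env:ProgramFiles(x86)} is empty on 32-bit Windows

function Get-ImagePath([string]$Command) {
    # Strip quotes and arguments: "C:\x\y.exe" /s  ->  C:\x\y.exe
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-Suspicious([string]$Name, [string]$Path) {
    # Bare file names (resolved via PATH) and anything outside the trusted roots
    # are flagged on purpose; a reviewer decides, the script only narrows the list.
    $inTrusted = $trustedRoots | Where-Object { $Path -like "$_\*" }
    $lookalike = $Name -match '(?i)windows\s*update|microsoft\s*update'
    return (-not $inTrusted) -or ($lookalike -and $Path -notlike "$env:SystemRoot\System32\*")
}

Write-Host "== Run / RunOnce entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        $img  = Get-ImagePath $p.Value
        $flag = if (Test-Suspicious $p.Name $img) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1}  {2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

Write-Host "== Startup folder contents (hidden files included) =="
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if ($dir) {
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName }
    }
}

Write-Host "== Services whose binary is outside the trusted roots or mimics Windows Update =="
Get-CimInstance Win32_Service | ForEach-Object {
    $img = Get-ImagePath $_.PathName
    if (Test-Suspicious $_.DisplayName $img) {
        'SUSPECT  {0} ({1}) [{2}] -> {3}' -f $_.Name, $_.DisplayName, $_.StartMode, $_.PathName
    }
}

Write-Host "== Files named $SuspectName (hidden included; a rootkit can still hide them) =="
Get-ChildItem -Path "$env:SystemDrive\" -Filter $SuspectName -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}  {1:u}  {2} bytes' -f $_.FullName, $_.LastWriteTime, $_.Length }

Write-Host "== Registry values mentioning $SuspectName =="
foreach ($hive in 'HKLM', 'HKCU') {
    # reg.exe: /s recurse, /f pattern, /d match data only
    reg.exe query $hive /s /f $SuspectName /d 2>$null
}
```

Save it as, say, Hunt-Autostart.ps1 and run `.\Hunt-Autostart.ps1 -SuspectName wininigo.exe` from an elevated prompt. Expect a handful of legitimate third-party entries to be flagged too (anything installed outside Program Files); the point is to cut the list down to what a person has to look at. If the disk search finds nothing while the Run key or a service still names the file, that is the same symptom reported earlier in the thread, and it is the moment to stop trusting the running system and go to Safe Mode or a clean reinstall, as the other replies suggest.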