#1
peculiar infection
Hi all,
I've got a strange infestation here. What a stupid thing started it. Yet, I feel like I'm at the forefront of something new.
The only real search that works for me is wmcagent -- but none of those results help.
symptoms:
In user\appdata\local there are a few new folders: they have no owner, the admin can't takeown on them, and they can't be explored ("Access Denied").
Process Explorer shows a process (CWCERAHSvc.exe) running under services.exe, in Safe Mode too.
Outside of Safe Mode what has been running is mbrixwk.exe. Another exe is addenda.
Oh, and rosenquist. None of these get Google hits. None of them can be killed ("Access Denied").
A search for each of them via RegEdit turned up numerous entries (some in the firewall rules). Deleted all entries, rebooted, etc.; no change.
Malwarebytes full scan turned up stuff -- but none of it with those keywords. Windows Defender found nothing.
There was an entry in the Startup menu named "presuming" and another, as I recall, redundantly named "presumingpresuming".
Besides today's carnival the machine could use a reinstall of WOS anyway -- but hah! I can't find the disc. So I ordered a new 7Pro disc (yeah, the infected machine is a 7HP install).
I wouldn't be writing if I'd found the disc. Now that I am, it's as much a curiosity as a desire to be clean.
I'm not a guru of internals, but I find it peculiar how files can hide in inaccessible folders with no obvious reference to where they get started, and can start in Safe Mode too.
Oh, there's another exe which seems to be at the tail end of the process tree: VSMCEWU.exe. When connected to the 'net I'll end up with about 7 of these; one will take 20+ CPU, the others .5 to 2. I forgot to search the reg for that. Will do, but I doubt, at this point, it'll help whether I find it or not.
The lack of public search hits makes me wonder if this is a nice new flavor of infection.
any insights would be avidly read, any potential solutions greatly appreciated.
Thanks all.
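The symptoms in the post above (a service that keeps running in Safe Mode, folders in AppData\Local that deny access even to an administrator, entries in the Startup folder, processes parented by services.exe) each map onto a specific, documented persistence location. The PowerShell triage script below is an added example and is not code from the original poster; it assumes an elevated PowerShell 3 or later session on the affected machine, and the `$suspect` name list is copied from the post for matching only. A service starts in Safe Mode only if a subkey bearing its service name exists under `SafeBoot\Minimal` (Safe Mode) or `SafeBoot\Network` (Safe Mode with Networking), which is where a "runs in Safe Mode too" service is registered.

```powershell
# Added triage script (not from the original post). Assumes an elevated PowerShell 3+
# session. Function and variable names are my own; registry paths are the standard ones.

# Names reported in the post, used only to flag matches in the output.
$suspect = @('CWCERAHSvc', 'mbrixwk', 'addenda', 'rosenquist', 'VSMCEWU', 'presuming')

function Get-SafeBootServices {
    # Services Windows will still start in Safe Mode: only those with a same-named
    # subkey under SafeBoot\Minimal or SafeBoot\Network qualify. Anything here that
    # is not a stock Windows service, or whose binary lives under a user profile,
    # deserves a close look.
    $services = Get-CimInstance Win32_Service
    foreach ($mode in 'Minimal', 'Network') {
        $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($key in (Get-ChildItem $root -ErrorAction SilentlyContinue)) {
            $svc = $services | Where-Object Name -eq $key.PSChildName
            if ($svc) {
                [pscustomobject]@{
                    Mode    = $mode
                    Service = $svc.Name
                    State   = $svc.State
                    Binary  = $svc.PathName
                    Flag    = if ($suspect -contains $svc.Name -or $svc.PathName -match 'AppData|\\Users\\') { 'CHECK' } else { '' }
                }
            }
        }
    }
}

function Get-AutostartEntries {
    # Run/RunOnce keys (machine, user, and the 32-bit view on x64) plus both Startup folders.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if ($props) {
            # Skip the PS* metadata properties the registry provider adds.
            foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                [pscustomobject]@{ Source = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    $startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($d in $startupDirs) {
        foreach ($item in (Get-ChildItem $d -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Source = $d; Name = $item.Name; Command = $item.FullName }
        }
    }
}

function Get-LockedLocalAppDataDirs {
    # Folders under %LOCALAPPDATA% whose ACL cannot be read or that report no owner,
    # which is the "no owner / can't takeown / Access Denied" symptom from the post.
    foreach ($dir in (Get-ChildItem $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue)) {
        try {
            $acl = Get-Acl $dir.FullName -ErrorAction Stop
            if ([string]::IsNullOrEmpty($acl.Owner)) {
                [pscustomobject]@{ Path = $dir.FullName; Problem = 'no owner'; Created = $dir.CreationTime }
            }
        } catch {
            [pscustomobject]@{ Path = $dir.FullName; Problem = "ACL unreadable: $($_.Exception.Message)"; Created = $dir.CreationTime }
        }
    }
}

function Get-UserProfileProcesses {
    # Running processes whose image lives under C:\Users, with the parent process name,
    # so a service-like binary parented by services.exe stands out.
    $procs = Get-CimInstance Win32_Process
    foreach ($p in $procs) {
        if ($p.ExecutablePath -and $p.ExecutablePath -like "$env:SystemDrive\Users\*") {
            $parent = $procs | Where-Object ProcessId -eq $p.ParentProcessId
            [pscustomobject]@{
                Pid    = $p.ProcessId
                Name   = $p.Name
                Parent = if ($parent) { $parent.Name } else { '(exited)' }
                Path   = $p.ExecutablePath
            }
        }
    }
}

Get-SafeBootServices        | Format-Table -AutoSize
Get-AutostartEntries        | Format-Table -AutoSize
Get-LockedLocalAppDataDirs  | Format-Table -AutoSize
Get-UserProfileProcesses    | Format-Table -AutoSize
```

Two caveats for anyone using this on a box like the one described. First, a live system that returns "Access Denied" to an administrator for takeown and taskkill is very likely running a kernel-mode component, and a rootkit in that position can hide registry keys, files and processes from these same cmdlets, so an empty result proves nothing; the listing is a map of where to look, not a clean bill of health. Second, the durable fix is the one the poster already chose: inspect the disk offline (WinPE or a second OS) if you want the artefacts, then rebuild rather than trust a cleaned install.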