Windows 7: peculiar infection

19 Apr 2018   #1
rokosz

7 p-64

Hi all,
I've got a strange infestation here. What a stupid thing started it. Yet, I feel like I'm on the forefront of something new.

The only real search that works for me is wmcagent -- but none of those results help.
symptoms:
In user\appdata\local are a few new folders: they have no owner, the admin can't takeown on them, and they can't be explored ("Access Denied").
Procexp shows a process (CWCERAHSvc.exe) running under services.exe, in Safe Mode too.
Outside of Safe Mode what has been running is mbrixwk.exe. Another exe is addenda.
Oh, and rosenquist. None of these get Google hits. None of them can be killed ("Access Denied").

A search for each of them via RegEdit turned up numerous entries (some in the firewall rules). Deleted all entries, reboot etc. no change.

Malwarebytes full scan turned up stuff -- but none of it with those keywords. Windows Defender found nothing.

There was an entry in the menu Startup named "presuming" and another, as I recall, redundantly named "presumingpresuming".

Besides today's carnival the machine could use a reinstall of WOS anyway -- but hah! I can't find the disc. So I ordered a new 7Pro disc (yeah, the infected one is a 7HP install).

I wouldn't be writing if I'd found the disc. Now that I am, it's as much a curiosity as a desire to be clean.

I'm not a guru of internals but I find it peculiar how files can hide in inaccessible folders with no obvious reference to where they get started and can start in safe mode too.

Oh, there's another exe which seems to be at the tail end of the process tree: VSMCEWU.exe. When connected to the 'net I'll end up with about 7 of these; one will take 20+ CPU, the others .5 to 2. I forgot to search the reg for that. Will do, but I doubt, at this point, it'll help whether I find it or not.

The lack of public search hits makes me wonder if this is a nice new flavor of infection.

any insights would be avidly read, any potential solutions greatly appreciated.
Thanks all.


19 Apr 2018   #2
rokosz

7 p-64
forgot to say System Restore will not start via any user/method. Just a brief "hourglass"/circle then nothing.
21 Apr 2018   #3
Alejandro85

Windows 7 Ultimate x64
A first point of investigation could be to search for those processes in the standard autorun locations, to monitor what process launches them and track back to the root of the problem.

I don't see anything especially peculiar with this pattern, pretty much what many viruses do to disguise themselves. But it could be part of some other software installed (particularly poorly behaved). I strongly doubt this is a brand new class of viruses; most likely it is a new virus (copied from another one) or a simple rename or even the work of a polymorphic infection. An antivirus scan could be of some use (especially the offline ones), or submitting some suspect files to VirusTotal could help too.

In any case, if an infection is confirmed, the best course of action is a clean install, more so considering you don't mind a reinstall and have a disk on its way. Keep an image of it if you want to satisfy curiosity, so you can do a "post-mortem" analysis, but I would stop using the system for anything unless it's aimed at finding the cause, and only then if it happens to be a poor program as the root cause.
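Alejandro85's suggestion (check the standard autorun locations and trace what launches each process) as an added PowerShell triage script; this is not code from the thread or from any poster. It uses the process and startup-entry names rokosz posted, assumes the stock PowerShell 2.0 on Windows 7 (hence Get-WmiObject rather than Get-CimInstance), and is meant to be run from an elevated prompt.

```powershell
# Added triage example for the thread's symptoms (not from the original post).
# The names come from rokosz's post; everything else is an assumption.
$suspects = 'CWCERAHSvc','mbrixwk','addenda','rosenquist','VSMCEWU','presuming'
function Test-Suspect([string]$text) {
  foreach ($s in $suspects) { if ($text -like "*$s*") { return $true } }
  return $false
}
# 1. Running processes matching the names, with parent PID so the launch chain can be traced
#    (Process Explorer showed CWCERAHSvc.exe under services.exe, i.e. started as a service).
Get-WmiObject Win32_Process | Where-Object { Test-Suspect $_.Name } |
  Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine | Format-List

# 2. Standard autorun locations: Run/RunOnce keys (64-bit and Wow6432Node), services, Startup folders.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
  if (-not (Test-Path $k)) { continue }
  (Get-ItemProperty $k).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |      # drop the provider's PSPath/PSDrive props
    ForEach-Object { "$k :: $($_.Name) = $($_.Value)" }
}
# A service that keeps running in Safe Mode has to be registered under SafeBoot\Minimal
# (by service name or load-order group), so list matching entries there next to the services.
Get-WmiObject Win32_Service | Where-Object { Test-Suspect $_.PathName } |
  Select-Object Name, State, StartMode, PathName | Format-List
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal' |
  Where-Object { Test-Suspect $_.PSChildName } | Select-Object PSChildName

# Startup folders (per-user and all-users) where the "presuming" entry would live.
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem $startup -ErrorAction SilentlyContinue | Select-Object FullName

# 3. The "no owner / Access Denied" folders in %LOCALAPPDATA%: report owner and Deny ACEs,
#    and record the folders whose ACL cannot even be read.
Get-ChildItem $env:LOCALAPPDATA -ErrorAction SilentlyContinue |
  Where-Object { $_.PSIsContainer } | ForEach-Object {
    try {
      $acl = Get-Acl $_.FullName -ErrorAction Stop
      $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
      New-Object PSObject -Property @{ Folder = $_.Name; Owner = $acl.Owner; DenyACEs = $deny }
    } catch {
      New-Object PSObject -Property @{ Folder = $_.Name; Owner = 'ACCESS DENIED'; DenyACEs = $null }
    }
  } | Format-Table Folder, Owner, DenyACEs -AutoSize
```

Entries that point at files the script itself cannot open are exactly the ones worth copying off the machine (from a Linux boot, as suggested below) for offline scanning or a VirusTotal submission.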
21 Apr 2018   #4
Marie SWE

1xWin7 Home X64, 2xWin7 Pro x64, 1xWin 2008 R2 server. 1xWinXP Pro, 1xWin 2k and Linux Mint Mate
Try to boot your computer with Linux. Then you should be able to get into the folders and see what's in them. And if you delete something, back it up in Zip/rar files so you can restore it if needed... and if there is a virus then you can submit it to Symantec or to another company for analysis.
25 Apr 2018   #5
rokosz

7 p-64
Thanks for the advice everyone. I'm still in process with Malwarebytes. Their effort(s) so far haven't isolated the prob. Ran a fixlist and adware. Adware found stuff but nothing named in my OP. Rebooted and OP-named stuff came right back up. I heard back from MBAM about the results: the (they're calling it) rootkit got to the fixlist before the MBAM module that wanted to use it for scanning (I presume) could. This is way beyond my whitehat height. Cool stuff and I'd love to see it cured (it's been probably 10 years or more since I picked up a rootkit). I'm standing by ready to wipe in a new install. Speaking of reinstalling OS, I posted an unrelated win7forum query if anybody is interested in taking a look: Win7Pro disc won't read or boot...
thanks again.
26 Apr 2018   #6
Alejandro85

Windows 7 Ultimate x64
It sounds quite strange and I highly doubt that it's really a rootkit. You're using 64-bit Windows, and driver signature enforcement should prevent any rootkit from running. It's not 100% impossible, but unlikely enough not to seriously consider it. A normal virus or a rogue program is far more likely.

Anyway, go ahead and nuke the system. Like with any infection, a full reinstall of the OS is the only way to clean it and be safe again. Don't bother with antiviruses.