Archived from groups: comp.sys.laptops,comp.security.misc,microsoft.public.security.virus (More info?)
I had an interesting thing happen to one of my laptops that I believe I
solved, but I like to hear from others what theories they may have
besides my own. This is a Toshiba 2595XDVD laptop running Windows 2000.
Has AVG and Ad-watch always running.
Well the other day, I opened up the Windows Calculator and Ad-watch
popup reported Malware MediaMotor. Choices were Accept or Block. I chose
the later. I scanned with Ad-aware, clean as a bell. Scanned with AVG,
still nothing detected. Ran Trend Micro's online scanner, nothing. Ran
Spyware Doctor, still nothing. Opened Calculator again and Ad-watch
popped up the message again.
So I did a search about this malware and it appears to redirect your
browser without permission. Although I never had seen this happen. It's
also supposed to have a file named mmups.exe. And it's launched through
the registry under Run. Nothing was found. Interesting to say the least!
I tried to rename calc.exe and it worked. Although another infected
calc.exe reappeared. I deleted it, and it would reappear. Booted to safe
mode under command prompt and I deleted it there. It's now gone. Booted
up Windows 2000 and copied a good calc.exe off of the network. All seems
well now.
So how could the seemingly the only effected file undelete, un-rename,
etc. itself? And also avoid detection until it tried to run? I don't
understand ADS in NTFS very well. But that is the only thing I can think
of. But can ADS executable actually pull off such a feat? Anybody have
of other ideas?
Cheers!
___________________________________________
Bill (using a HP AMD 1.2GHZ & Windows 2000)
-- written and edited within Word 2000
I had an interesting thing happen to one of my laptops that I believe I
solved, but I like to hear from others what theories they may have
besides my own. This is a Toshiba 2595XDVD laptop running Windows 2000.
Has AVG and Ad-watch always running.
Well the other day, I opened up the Windows Calculator and Ad-watch
popup reported Malware MediaMotor. Choices were Accept or Block. I chose
the later. I scanned with Ad-aware, clean as a bell. Scanned with AVG,
still nothing detected. Ran Trend Micro's online scanner, nothing. Ran
Spyware Doctor, still nothing. Opened Calculator again and Ad-watch
popped up the message again.
So I did a search about this malware and it appears to redirect your
browser without permission. Although I never had seen this happen. It's
also supposed to have a file named mmups.exe. And it's launched through
the registry under Run. Nothing was found. Interesting to say the least!
I tried to rename calc.exe and it worked. Although another infected
calc.exe reappeared. I deleted it, and it would reappear. Booted to safe
mode under command prompt and I deleted it there. It's now gone. Booted
up Windows 2000 and copied a good calc.exe off of the network. All seems
well now.
So how could the seemingly the only effected file undelete, un-rename,
etc. itself? And also avoid detection until it tried to run? I don't
understand ADS in NTFS very well. But that is the only thing I can think
of. But can ADS executable actually pull off such a feat? Anybody have
of other ideas?
Cheers!
___________________________________________
Bill (using a HP AMD 1.2GHZ & Windows 2000)
-- written and edited within Word 2000
/www.virustotal.com/flash/index_en.html
Facebook
Twitter