Here’s a new twist on the old “Russian Mafia” trojan. You know the type - you delete it, it re-installs itself. You kill it, it respawns. Now, so you won’t notice it, IT DOESN’T SHOW UP IN TASK MANGLER.
NOTE: I only found this because I had a customer with a machine that refused to run 16-bit Windows apps. In the process of rebooting it, I got an error about a file that it claimed was in use (pqwp.exe) in the “All Users\Start Menu\Programs\Startup” folder. Knowing that executables don’t belong there, I deleted it. After a restart, it came back. Spybot didn’t see it, HijackThis didn’t see it. I saw it. Deleted it again.
Now, here’s the fun bit. Having dealt with this crap before, I opened the command prompt, went looking for hidden .EXE files, system .EXE files, and finally, just looking (date sorted) through ALL .EXE files. Of course, I got a few with random names, which is almost always bullshit.
Delete first one. Delete second one - access denied! But it’s not in task manager?!?! PSKill it - it tells me it killed a process. Delete file, all gone.
Reboot, IT’S FUCKING BACK!
So, I go looking some more, and HijackThis had pointed out a program called “starter.exe”, which HijackThis flagged as “EnsoniqMixer”. This was incorrect. starter.exe is another hide-from-task-mangler process that is not a mixer, but the base virus installer. Kill and delete it, kill and delete the other two, and finally nuke the pqwp.exe.
All clear now.
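The hunt above (executables in a Startup folder, hidden/system .EXE files, random-looking names, everything sorted by date) can be turned into a repeatable triage check. The script below is an added example, not something from the post or from the PSTools suite; the sample records, including the name xkzq.exe and the attribute bits, are constructed, and on a real box you would build the records from os.walk() plus os.stat(...).st_file_attributes.

```python
import re

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 attribute bits, as returned by
FILE_ATTRIBUTE_SYSTEM = 0x4   # os.stat(...).st_file_attributes on Windows
VOWELS = set("aeiouy")

def random_looking(stem):
    # Triage heuristic, not proof: all-letter stems with no vowel (pqwp) or a
    # run of five or more consonants look machine-generated.
    s = stem.lower()
    if not s.isalpha():
        return False
    return not (VOWELS & set(s)) or re.search(r"[^aeiouy]{5,}", s) is not None

def triage(records):
    # records: dicts with 'path', 'attrs' (attribute bits), 'mtime' (epoch).
    # Returns (mtime, path, reasons) for each .exe worth a look, newest first.
    hits = []
    for r in records:
        parts = re.split(r"[\\/]", r["path"])
        name = parts[-1]
        if not name.lower().endswith(".exe"):
            continue
        reasons = []
        if "startup" in (p.lower() for p in parts[:-1]):
            reasons.append("executable in a Startup folder")
        if r["attrs"] & FILE_ATTRIBUTE_HIDDEN:
            reasons.append("hidden attribute")
        if r["attrs"] & FILE_ATTRIBUTE_SYSTEM:
            reasons.append("system attribute")
        if random_looking(name[:-4]):
            reasons.append("random-looking name")
        if reasons:
            hits.append((r["mtime"], r["path"], reasons))
    hits.sort(reverse=True)  # same idea as a date-sorted DIR listing
    return hits

# Constructed sample records; xkzq.exe and the attribute bits are made up.
SAMPLE = [
    {"path": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pqwp.exe",
     "attrs": 0, "mtime": 1_000_300},
    {"path": r"C:\WINDOWS\system32\xkzq.exe",
     "attrs": FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, "mtime": 1_000_200},
    {"path": r"C:\WINDOWS\system32\starter.exe", "attrs": FILE_ATTRIBUTE_HIDDEN,
     "mtime": 1_000_100},
    {"path": r"C:\WINDOWS\system32\notepad.exe", "attrs": 0, "mtime": 900_000},
]
```

Calling triage(SAMPLE) flags pqwp.exe, xkzq.exe and starter.exe in that order and leaves notepad.exe alone; a name-only hit is a reason to look, not a verdict, so check the file's publisher and the process that holds it open (PsList/PsKill) before deleting.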
Moral: you need to get yourself “PSTOOLS” from www.sysinternals.com. Now.
We are starting to see more rootkit-like behaviour out of standard trojans. This is NOT a good thing.
Tags: Computers by Brian Corbino