New Malware Infection

Had a client with a system that was infected with a new strain of malware. It was identified as Trojan.Win32.Genome.arbx and was infecting svchost.exe.

The system was running Windows XP with Kaspersky Antivirus 2011. The client's complaint was that the system had been locking up and running slowly. Initial contact with the system was remote. An initial check showed that Kaspersky was running and the databases were up to date.

I checked the task manager and found 6 iexplorer processes running without a user interface. Attempts to kill the process would start a new process. I updated Malwarebytes, ran a scan and found 155 infected objects, deleted those objects and restarted the system. After the reboot, Kaspersky popped a message stating that svchost.exe was infected with the Trojan, and it would only allow it to be ignored.

I checked the task manager and the iexplorer processes were still running. I checked the settings in Kaspersky and found the setting to ignore svchost.exe; I removed it from the exception list, only to have it return.

Ran a Malwarebytes full scan and it did not locate any malware. At this point I shut down the system and told the client I would pick it up when I got back into town. I picked up the system and took it to the office, where I ran my tools in safe mode and did not find the malware. I finally did a repair install of WinXP, which got rid of the trojan.

After patching the system, Kaspersky would not start its protective services on boot; I had to start them manually. I tried updating to 2012 and still had the same problem. I finally uninstalled Kaspersky and scrubbed the registry of residual keys; after reinstalling, everything was working properly.
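A triage check for the symptom described above (hidden iexplorer processes that come back as soon as they are killed), added here as an example and not part of the original post. It assumes a current Windows host with PowerShell 3 or later and that the processes are really iexplore.exe; the function names are mine.

```powershell
# Added triage helper (not from the original post). Lists iexplore.exe instances
# that have no visible window and shows which process launched each one, then
# checks whether killed instances are replaced. Assumes PowerShell 3+ with CIM.
function Get-HeadlessIexplore {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        # Skip instances that have already exited or that own a real window.
        if ($null -eq $gp -or $gp.MainWindowHandle -ne 0) { continue }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = '<exited>'
        $parentPath = ''
        if ($parent) { $parentName = $parent.Name; $parentPath = $parent.ExecutablePath }
        [pscustomobject]@{
            Pid         = $p.ProcessId
            ParentPid   = $p.ParentProcessId
            ParentName  = $parentName
            ParentPath  = $parentPath
            CommandLine = $p.CommandLine
        }
    }
}

# Terminate every headless instance, wait, and count again. A non-zero
# RespawnCount means something else on the host is relaunching them (the
# behaviour the post describes); ParentName/ParentPath point at that launcher.
function Test-IexploreRespawn {
    param([int]$WaitSeconds = 15)
    $before = @(Get-HeadlessIexplore)
    foreach ($h in $before) {
        Stop-Process -Id $h.Pid -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds $WaitSeconds
    $after = @(Get-HeadlessIexplore)
    [pscustomobject]@{
        KilledCount  = $before.Count
        RespawnCount = $after.Count
        Respawned    = ($after.Count -gt 0)
        NewParents   = @($after | Select-Object -ExpandProperty ParentPath -Unique)
    }
}

Get-HeadlessIexplore | Format-Table -AutoSize
Test-IexploreRespawn
```

Run it from an elevated prompt, since process command lines and parents of SYSTEM-owned processes are not readable otherwise.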

10 responses to “New Malware Infection”

    • Review by Ruby Red for Rating: I’m pretty technologically illiterate, but I think this software is great. Once installed, it found a few hidden viruses on my netbook and got rid of those fast. Since then it has been like a steel wall protecting my netbook: viruses try to attack but they can only bounce off! I also like how it self-updates, how it lets you know the name of the virus, how it shows infection statistics (how common or rare the particular threat is), and how it keeps logs of the threats that it’s averted and/or destroyed. One subscription protects three computers at once, so I think this software was a good deal for the money, especially since at the time that I ordered it it was a bit cheaper on Amazon (and came with free shipping!) than on other big computer store sites.

  1. Shoot, I had it beat and just a few minutes ago I got hit again. The IUser icon was a car this time, but it changed values. This is nuts! I keep going into Control Panel and deleting the new icon and all its files, then into Task Manager, and there it is; I stop the task on it there too. Then into the security software to find it enabled in that also. Thanks Tim, but no, my security is popping up asking me constantly if I want to allow or deny XXX, and of course the minute I see the strange icon in Control Panel under Users, I know it's hit again. So before I delete anything, I go to Control Panel, check the users, then if there's a strange one, delete it and start looking for the rest of it. That way, I'm not stopping updating from legit sources. There has to be a way to stop this bug??? I wait for it to rear its ugly head again, and send in the new name it's using. I was so angry, I forgot and deleted it before writing it down. Sorry.

    • John: I think I'm going to do that too. I am getting warnings from F-Secure every 20 minutes of malware trying to connect. All it does after I deny and delete is change the last .abc part. The first one was .ohe, then it went to .ohl, then another and another. I have a page full of deleted and name-changed attempts. This is bad; it's never been this bad! Can't get a break from the attack attempts. Jikkuryuu: You could be right, as I found udxfytw in sys again today and no IUSER has shown up for days. I've deleted udxfytw 9 times already; it has to be in more files or memory. It was in my task manager and security was enabled; how it did that, I'll never figure out.

  2. Just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Anyway, I'll be subscribing to your feed and I hope you post again soon.

    • No, I got hit again last night, did everything I could, and got hit again today. I noticed I had some files similar to the ones you have listed; it took me a while, but after checking them out I deleted them. It's in everything: in task manager you can watch it constantly trying to connect, it keeps flashing on and off in task manager, and so do the others. This is insane; I have my security at its highest level and still I can't stop it. I'm going to figure this out, I've had enough of sitting here clicking deny every 30 seconds when I'm trying to write something on the computer.

    • Jane, I set my security to the highest level (Kaspersky) and it was alerting me to programs like WinZip, IE, Windows and Firefox because it perceived them as changed, since these get updated legitimately on a regular basis. So you may be getting some false positives and at the same time preventing your antivirus from getting the updates it needs. Just guessing. Once I allowed these updates, and Kaspersky restarted the machine several times, and I renamed C:\WINDOWS\SYSTEM32\tpszxyd.sys and C:\WINDOWS\SYSTEM32\udxfytw.sys and deleted the lUser_admin account, I'm not getting any more warnings. I'm not completely confident that it is really gone, but the symptoms are totally gone.

      • This is what my security system found! I got hit again today; all gone now. Result: 1 malware found. Trojan-Clicker.Win32.VB.cdm (virus) C:\WINDOWS\SYSTEM32\UDXFYTW.SYS Action: renamed. Trojan-Clicker (Generic Description): Trojan-Clicker is detection of trojan malware that remains resident in system memory and continuously or regularly attempts to connect to specific websites. This is done to inflate the visit counters for those specific pages. The purpose of a trojan-clicker is to either earn money for appearing to drive traffic to specific sites (fraud) or to drain the budget of a competitor (attack) by artificially inflating the referrals that are paid for.

  3. It has struck me again, two more times since I wrote the first post. This time, I went to Control Panel, deleted that user IUSER, then did the same thing as the other person and renamed the file to udxfytw.sys_old; that didn't work for long either. So I ran a search for udxfytw and found two of them, one in sys and one in Prefetch; I deleted both files. Before I deleted that icon IUSER, I changed the password it was using, not sure what that was, but gave it a new password; that worked for a while, then another IUSER came up so I deleted it again. I'm getting sick of this thing; it keeps coming back. Up your security level to high; so far, so good for me, but it could strike again today.
