Tekforums.net - The improved home of Tekforums! :D

pw.exe - some kind of malware/downloader/whatever - can't get rid of it!

Started by knighty, November 17, 2010, 01:48:35 AM

knighty

something just ran on its own (java popup)... I was watching the end of an episode of House, and clicked a link to Gumtree at the same time just before it happened.. guess it could be either of them? (not the things I'd normally suspect, but I wasn't doing anything else)


and I can't bloody get rid of it!!!

I can end task pw.exe easy enough...... but any time I try to run a program it blocks it and loads up instead, or in the case of things like regedit it'll load up a fake regedit

I'm trying to Google.... but it's hard work.... have to keep end tasking pw.exe or I get a load of popups and the window I'm on closes.... and if I don't end task it quick enough the computer restarts without warning....


Google is telling me to find
File Location (Windows 7 and Vista) – C:\Users\[username]\AppData\Local\PW.exe

and remove it.... but I don't have that file... (show all files is deffo on)


anyone seen this before? It's driving me crazy, normally I can find a way around stuff like this and sort it out... but I can't do anything right now... no regedit, no msconfig, no Ad-Aware, no Spybot, can't even double click folders (have to right click and open) and had to right click a folder, open it, then stick Google in the address bar to get on here!


anyone seen this before?
or have any ideas?

I'm Googling my ass off, but it's messing with my search results too! (if I open a link, it runs again, so I have to end task it then click the link again QUICK or I just get sent to the same pay £££££ to remove it site)

soopahfly


bear

A rootkit.

http://spywarefiles.prevx.com/RRAHGJ275496/PW.EXE.html


File Name Aliases

PW.EXE can also use the following file names:

    GET_FILE[1].EXE
    USERS_BMW2_FILE_FILE[1].EXE
    MSASCUI.EXE
    MTG.EXE
    A.EXE
    0.6771159850539643.EXE

This should do it, run from bootable CD I believe

http://greatis.com/unhackme/download.htm  (there is a free working evaluation copy available)

knighty


I managed to download Trend Micro HouseCall (their free virus scanner) and run that because it's a Java app not an exe (I think?)

anyway, it ran, but didn't find anything :-(

Quote from: soopahfly
Start - Run - MRT.
Or you can run Malwarebytes.

I can't run it, it blocks any *.exe from running :(

Quote from: bear
A rootkit.
http://spywarefiles.prevx.com/RRAHGJ275496/PW.EXE.html
File Name Aliases
PW.EXE can also use the following file names:
GET_FILE[1].EXE
USERS_BMW2_FILE_FILE[1].EXE
MSASCUI.EXE
MTG.EXE
A.EXE
0.6771159850539643.EXE

This should do it, run from bootable CD I believe
http://greatis.com/unhackme/download.htm  (there is a free working evaluation copy available)

I'll download it on my laptop and give it a try!



thanks :-)

soopahfly

Couple of things with this, I encounter this on a monthly basis with some of my customers.

It only affects your user account, so if you log out and back in, it will work.
You can run Malwarebytes in Safe mode.

You can rename the exe file to something else, .com for example, and it will still run.

Beaker

The file sometimes gives itself a system attribute, so a command line attrib switch should make it visible.

It's another version of "Security Tool"/Anti-Virus 20xx and its ilk. It's also a downloader, so you'll want something decent to sweep up the machine afterwards.
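As an added example (not from this thread or any of the posters), a PowerShell listing that applies Beaker's attrib point to bear's alias list: it walks the per-user AppData\Local folder that Google pointed knighty at, includes files carrying the Hidden or System attribute, and flags any whose name matches an alias from the thread. The root path ($env:LOCALAPPDATA) and the alias list are the assumptions.

```powershell
# Added example, not from the thread. Lists hidden/system files under the
# per-user AppData\Local folder and flags the alias names quoted above.
# Explorer's "show hidden files" still skips files carrying BOTH the Hidden
# and System attributes unless "Hide protected operating system files" is
# also unticked, which is why a file can be present yet never show up.
$Aliases = @('PW.EXE', 'GET_FILE[1].EXE', 'USERS_BMW2_FILE_FILE[1].EXE',
             'MSASCUI.EXE', 'MTG.EXE', 'A.EXE', '0.6771159850539643.EXE')

# Assumption: the per-user path, C:\Users\<username>\AppData\Local on Vista/7
$Root = $env:LOCALAPPDATA

# -Force makes Get-ChildItem return the Hidden and System items it would otherwise skip
$Suspect = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) -or
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path       = $_.FullName
            Attributes = $_.Attributes
            SizeBytes  = $_.Length
            Modified   = $_.LastWriteTime
            # case-insensitive match against the alias names from the thread
            KnownAlias = ($Aliases -contains $_.Name.ToUpperInvariant())
        }
    }

# Known alias names first, then every other hidden/system file, newest first
$Suspect | Sort-Object KnownAlias, Modified -Descending |
    Format-Table KnownAlias, Attributes, Modified, Path -AutoSize
```

Once a file is located, Beaker's attrib approach clears the attributes from a command prompt (`attrib -s -h <path>`), after which it can be submitted to a scanner before being removed.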

knighty

made another account and logged on using that - good catch soopa!


this is driving me crazy.... ran the above programs and it's still there.... all scans are coming up clean
(run from this account)

ran what I can on my account and they come up clean too.... but it's still loading up in the background any chance I get....


I might just backup and format.... I'm about due anyway!

Pete

Can you run command.com?

If so you can do

copy C:\path\program.exe c:\path\program.com

then run c:\path\program.com

Works with a lot of things including regedit.

edit: missed reading stuff... tried ComboFix? tbh you're best off flattening it.
I know sh*t's bad right now with all that starving bullsh*t and the dust storms and we are running out of french fries and burrito coverings.

bear

I think you must be in safe mode or clean from a bootable CD to get rid of those things, otherwise they will just recreate in a new place or with a new name.

I am so glad to run Nix, haven't had any problems for quite some time now :) I run it on my lappy and my desktop :D

knighty

well that's what I get for letting my brother use my computer to download stuff!


after about an hour of messing around, and cleaning stuff out using another login/account I managed to run a system restore......

but I guess the virus etc. is still here just waiting for me to run whatever triggers it in the first place....

(all scans come back clean..... but they did that before while the bloody thing was running, so no change there)


I'll back everything up and format over the weekend!

Beaker

I clean these out on a daily basis at work. The file is there in common files normally, just go in and wipe it out!

knighty

thing is... I can't find it anywhere :(

off back to work.... I'm leaving a bunch of different scanners going, all doing a full/in-depth scan etc...

I'll see what they turn up!


everything is running fine now.... but I'm assuming it'll come back soon :-(