Malware uses new method to activate on next reboot in Windows XP

Discussion in 'malware problems & news' started by egomoo, Jan 9, 2011.

Thread Status:
Not open for further replies.
  1. egomoo

    egomoo Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    115
    While doing a removal with "antivirus 2010", I found a new method to activate malware on Windows startup.

    C:\WINDOWS\winSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll

    NOD32 detects it as Win32/Sirefef.CB

    http://www.threatexpert.com/report.aspx?md5=53243938af9118b8d674a5f82ea43d19

    We all know malware must be active on the next boot, and we know lots of Registry startup items which AutoRun scans.

    The file shsvcs.dll will run on Windows start and create vbma*.sys.

    So TDSSKiller could not delete the vbma*.sys file after reboot.
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    It looks like on a clean machine that this dll should only be in system32 and SysWOW64 if you have a 64 bit machine. I'm not finding much other info on it. It looks like you could block it with SRP by only allowing it to run from the locations I specified and nowhere else, if I am correct in assuming it shouldn't exist anywhere else.
     
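    The two posts above describe a persistence trick (a rogue shsvcs.dll planted under WinSxS that drops vbma*.sys at boot) and a path-based response (allow shsvcs.dll only from system32/SysWOW64). The following PowerShell triage script is an added example, not code from the thread or from either poster. It enumerates every shsvcs.dll under %SystemRoot%, flags copies outside the two locations xxJackxx names, compares each file's MD5 against the sample hash from the ThreatExpert link in the first post, and then looks for vbma*.sys files and for services whose ImagePath points at one. The allowed-directory list, the drivers search scope and the "vbma*" filename pattern are assumptions taken from the thread; on Vista and later the WinSxS component store legitimately holds copies of system DLLs, so the allowed list has to be widened there before treating a hit as rogue.

```powershell
# Added triage script for the shsvcs.dll / vbma*.sys persistence described in the thread.
# Assumptions (not from the posts): shsvcs.dll is expected only in System32 and SysWOW64
# on the host being checked; vbma*.sys is searched for anywhere under %SystemRoot%.
# Sample MD5 is the one in the ThreatExpert report URL quoted in the first post.
$KnownBadMd5 = '53243938af9118b8d674a5f82ea43d19'
$WinDir      = $env:SystemRoot
$Allowed     = @("$WinDir\System32", "$WinDir\SysWOW64")   # adjust on Vista+ (WinSxS store)

function Get-Md5Hex {
    # .NET MD5 so the script also runs on PowerShell 2.0 (no Get-FileHash on XP)
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Find-RogueShsvcs {
    # Every shsvcs.dll under %SystemRoot%, including hidden copies under WinSxS
    Get-ChildItem -Path $WinDir -Filter 'shsvcs.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.DirectoryName
            $inAllowed = $false
            foreach ($a in $Allowed) { if ($dir -ieq $a) { $inAllowed = $true } }
            $hash = Get-Md5Hex $_.FullName
            New-Object PSObject -Property @{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                MD5        = $hash
                Unexpected = -not $inAllowed          # outside the allowed directories
                KnownBad   = ($hash -ieq $KnownBadMd5) # matches the reported sample
            }
        }
}

function Find-VbmaDrivers {
    # Dropped driver files named vbma*.sys, plus any service whose ImagePath loads one
    $files = Get-ChildItem -Path $WinDir -Filter 'vbma*.sys' -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($img -and $img -imatch 'vbma[^\\]*\.sys') {
                New-Object PSObject -Property @{ Service = $_.PSChildName; ImagePath = $img }
            }
        }
    New-Object PSObject -Property @{ Files = @($files); Services = @($services) }
}

# Report only the copies worth looking at, then the dropped driver(s) and their services
Find-RogueShsvcs | Where-Object { $_.Unexpected -or $_.KnownBad } | Format-List
Find-VbmaDrivers | Format-List
```

    Run it from an elevated PowerShell prompt so the drivers folder and the service keys are readable. A shsvcs.dll that is Unexpected or KnownBad, together with a vbma*.sys service, is the pair the first post describes; the paths it prints are also the ones to feed into an SRP path rule, as the second post suggests, and removing only vbma*.sys without the DLL that recreates it is the failure mode the first post reports with TDSSKiller.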