New Spyware? - "iiexplorer.exe"
Moderator: Thanas
- LapsedPacifist
I had a student laptop come in with this nifty new spyware/virus dealie yesterday and there wasn't much I could do about it. Later, when I walked over to meet the help desk manager for lunch, he was working on a second laptop with the same problem. Google doesn't turn up anything about it. Anyone seen this before? Is it something new or a classic (both laptops came in with no AV software of any kind)?
LP
- General Zod
- LapsedPacifist
I did a Trend Micro scan first, and then reinstalled, updated and scanned with the University-supplied SAV-9. Both scans in safe mode (first scan with networking).
HijackThis was showing a bunch of keys of some search, iiexplorer in three or four locations, and systeem32. Nuked it there.
Ad-Aware had like 60-70 things it pulled up.
Used the winsock tool dealie to repair TCP and all.
At the end of all that, it was still creating keys in HKLM/yadda/run, HKCU/yadda/run, and HKCU/yadda/runservices.
The first scan pulled a handful of viruses, and I made the mistake of not recording what they were.
LP
- Faram
Never heard of a malware named iiexplorer; could you drop it to tranaker @ gmail.com? and I'll have a look at the file.
"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus
Fear is the mother of all gods.
Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
- LapsedPacifist
Sorry for the thread necromancy, but I've got an update. It turns out that iiexplorer is indeed a virus: Sophos info. I let this guy slide, figuring that if it were a virus the various AV guys would catch it, and if it wasn't, a thorough spyware removal would be forthcoming. Well, it never did, and Sysinternals procmon<?> showed that computers coming through the door with this were using TCP to spread like mad. One of the chunks o' weirdness around this was the addition of reg keys around OLE - HKU/default/software/ms/OLE etc. Those keys seemed to be enough to keep it going. Variations around the campus seem to be iexp.exe, iiexplorer, systeem.exe, systemss.exe...
So at that point we sent the iiexplorer file off to the various antivirus companies and it turned up as one of the many variants of a worm.
The moral of the story becomes, I guess, that when you have some real weirdness, go ahead and submit the files; it might help. Moral of the story 2 is even if you've got two very similar things with different names, submit them BOTH to Symantec, because they aren't that clever.
LP
Sorry for the necromancy, and the expanded thread on what probably won't affect anybody else.
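A triage script for the persistence described in this thread (the Run/RunServices keys and the HKU default hive), added here as an example and not posted by anyone in the thread. It enumerates the standard autorun values and flags any whose command mentions one of the image names the posters reported; the name list and key paths are assumptions to extend for your own environment.

```powershell
# Added example (not from the thread): list Windows autorun registry values and
# flag any whose command references one of the image names reported above.
# Assumption: these are the variant names mentioned in the thread; extend as needed.
$suspectNames = @('iiexplorer.exe', 'iexp.exe', 'systeem.exe', 'systemss.exe')

# Standard autorun locations (HKLM/HKCU Run and RunServices) plus the
# default-user hive mentioned alongside the OLE keys.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspectAutoruns {
    param([string[]]$Keys = $autorunKeys, [string[]]$Names = $suspectNames)
    foreach ($key in $Keys) {
        # RunServices does not exist on every Windows version; skip missing keys.
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds to the object.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            $hit = $Names | Where-Object { $cmd -match [regex]::Escape($_) }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Suspect = [bool]$hit
            }
        }
    }
}

# Print every autorun entry, suspects first, so an unfamiliar value is still visible
# even when its file name does not match the list.
Get-SuspectAutoruns | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and HKEY_USERS are readable; a `Suspect` of True is a prompt to submit the referenced file to the AV vendor, as the thread recommends, not proof by itself.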