mswaaaaa.exe wants to gain access to my computer ..
>>
search your files (from windows explorer) - ensure you use advanced search option to include hidden files and folders. then come back and tell us where in your computer that particular .exe file resides.
|
p.s. and to make sure it is not a rogue scumware that is to blame, follow the advice here:
www.spywarewarrior.com/rogue_anti-spyware.htm#onli...e
|
|
Thanks Dalgleish, but I am presuming it wants to enter via my internet connection which is why the firewall is telling me. I am naturally denying access until I know more.
|
Err Dulwich, if Zone Alarm is saying xxxx.exe wants access it's ALREADY in your computer and trying to get OUT via your internet.
------------------------------
TourVanMan TM < Ex RF >
|
|
Do you have an anti-virus utility installed?
If so and it's properly updated it will - or should - stop any nasties.
Best not to let it in under any circumstances, especially as a quick Google doesn't reveal anything.
- - - - - - - - - - - - - - - - - - - - -
What's for you won't pass you by
|
I have the free AVG which is updated more or less daily. A scan shows nothing.
I've got the Lavasoft adaware and a scan using that shows nothing apart from the normal trackers that I get rid of a couple of times a week.
The windows XP advanced search option says there's nothing on my C drive with this name.
The hunt continues.
|
20 minutes and no more answers - this must be serious!
|
When it happens try opening the task manager (CTRL-ALT-DEL and choose task manager) look at processes and see if you can see it on the list.
|
|
another source of information:
in zonealarm, look up
1. the program-control>programs tab, highlight the blocked exe and look at the info in the panel below to see where the exe file is located.
2. the alerts & logs section and look at the time in question to find what was being blocked.
then post your results here.
|
I'm afraid I forgot to look it up in ZoneAlarm program control. However I have found it's part of a Virus - Win32/Sality to be a little more specific. Apparently it's linked to Russian email addresses and among other things it likes looking for bank account details and sending them home.
The good news - it's not on my computer - the Zone Alarm WAS warning me it was trying to get in.
It is on another family computer though. mswaaaa.exe is happily sitting in the processes of Task Manager and I can't get it out! I'm part of the way through trawling websites (Symantec etc.) to find a way to remove it. Unfortunately AVG is not much use in this respect.
Why was it on the other computer? A teenager who has little regard for his old man's warnings about downloads might just have something to do with it......grrr!
|
Dulwich
Can you show your zone alarm log? As far as I know Zone alarm can't log program names coming in, because it's not given in the IP details. It can only log program names or processes if it's on the trusted side (i.e. your computer)
------------------------------
TourVanMan TM < Ex RF >
|
dulwich - ditto as per tvm's request.
i am curious to find out where the mswaaaa.exe resides (btw -does it have four or five "a"'s in the name?).
i have been unable to find any reference to it in any security advisory or other xp related discussions.
no reference to that file in any win32/sality discussions that i can find either.
and please do let us know how you get on with attempts to remove it.
|
It's got 5 "a"s - mswaaaaa.exe. The AVG anti-virus found aixbmaaa.exe (apparently part of it) which led me to Win32/Sality.
My head hurts - and the computer in question is going slower and slower. I'll report when I find more, but the idea of deleting everything and reloading Windows XP is very strong in my mind - but I'll sleep on it.
|
I'll take a look for a solution but this is a good example of why you need a proper firewall active.
When MS Blaster came out, all company PCs had AV and laptops due to dial-up/broadband firewall from Zone Labs. Neither stopped infection because the source of infection was the corporate LAN and thus was "trusted". If it was over the Internet Zone Alarm would have stopped it.
So I hope we all have at least the XP Firewall running.
|
>>So I hope we all have at least the XP Firewall running.>>
A waste of time - free ZoneAlarm is the answer.
- - - - - - - - - - - - - - - - - - - - -
What's for you won't pass you by
|
Do you know which variant of Sality it's meant to be? I also fail to find references to the exe's.
If I were trying to troubleshoot this on one of our PCs:
- Run AV with latest signatures
- Run Anti-Spyware
- Check the registry to see what gets executed on start up. Look under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Run task manager and end the exe's and then delete the files... might find they reappear because another process is infected
Note If the exe or a dll is running on startup then you won't be able to delete the files. Hence my reference to the registry.
And if you can stop the exe's re-run an AV scan as it might fix the problem now the process is stopped. Localise the scan to the location of the exe (see references in above threads).
|
Reference to registry above needs back slashes which were removed by the site... between all capital letter apart from CurrentVersion which is one word.
So the structure for the registry is:
HKey Local Machine -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
|
"............... - Check the registry to see what gets executed on start up. Look under HKLMSoftwareMicrosoftWindowsCurrentVersionRun
- Run task manager and end the exe's and then delete the files... might find they reappear because another process is infected
Note If the exe or a dll is running on startup then you won't be able to delete the files. Hence my reference to the registry.
And if you can stop the exe's re-run an AV scan as it might fix the problem now the process is stopped. Localise the scan to the location of the exe (see references in above threads)......... "
Er?
You may well be right rtj70, but you speak a foreign language. I was always told the registry is a dark, dark place of mystery and it's somewhere that young (?) innocents such as me should not venture into.
I spent most of Sunday running scans, generally cursing and then deleting things - but obviously not the right thing.
PS I think I may have been conned by one or two commercial sites that offer free scans and money to fix the problems. I've not paid anything - I'm not that silly, but for example one of these scans told me I had a trojan called Keenval, but an hour's free scan by symantec told me it wasn't on my computer at all.
PPS Symantec Security Response - W32.HLLP.Sality gives removal instructions, but I think bits are missing from the instructions.
|
The worrying thing with a variant of the Sality worm is it's a key logger type, i.e. it logs keys and sends them somewhere. Think passwords for online banking etc.
If you're careful in what you delete the registry is not such a dangerous place...
So when you mention W32.HLLP.Sality, is that the variant of Sality that was identified? There are lots of worms/viruses called Sality.
Rob
|
PS I think I may have been conned by one or two commercial sites that offer free scans
>>
dulwich: my first reply to you listed some rogue free scanners. of the best free trustworthy genuine scanners that will disinfect for you, just four for starters are:
1. microsoft: safety.live.com/ initially select the "full scan" option which will then allow you to select how much/little you want to scan.
2. kaspersky: www.kaspersky.com/virusscanner
3. symantec: www.symantec.com/techsupp/home_homeoffice/index_vi...l
www.symantec.com/techsupp/home_homeoffice/virus_st...l
4. mcafee: uk.mcafee.com/root/mfs/default.asp?cid=16943
uk.mcafee.com/root/mfs/scan.asp
try them in that order, and see how you get on.
|
Dulwich
the instructions about the registry are to stop the virus starting every time you start the computer. You must do this before you can remove it.
Follow the instructions to remove the entry from the 'run' section then reboot the pc. When it restarts you should find that the virus is not active. Then you can delete the virus files/ run av to clean.
Then get a decent firewall. If you are on broadband and using one of those usb modem/routers throw it away and buy an adsl modem/router.
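The Run-key check that rtj70 and mark99 describe (find what starts with Windows, stop it, then delete and rescan) can be done from an exported copy of the key so nothing is edited by hand. This is an added illustration, not code from anyone in the thread: it parses the text of a `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` file (a constructed sample is embedded; a real export is UTF-16 and must be decoded first) and flags entries whose executable lives somewhere other than Program Files or system32, which is where both mswaaaaa.exe and c:\windows\nctl.exe from this thread would show up.

```python
import re

# Constructed sample of a .reg export of the Run key; the entries are invented
# for illustration (avgcc.exe and zlclient.exe stand in for the AVG and
# ZoneAlarm autostarts mentioned in the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"mswaaaaa"="C:\\WINDOWS\\mswaaaaa.exe"
"update"="C:\\DOCUME~1\\OWNER\\LOCALS~1\\Temp\\aixbmaaa.exe"
'''

# Directories where legitimate autostart programs normally live (assumption:
# an XP system installed on C:). Anything else deserves a look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_key(text):
    """Return {value name: command line} for the Run key only.
    .reg files escape backslashes and quotes with a backslash."""
    entries, in_run = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_run = line.lower().endswith('\\currentversion\\run]')
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            entries[m.group('name')] = re.sub(r'\\(.)', r'\1', m.group('data'))
    return entries

def image_path(command):
    """Pull the executable out of a command line, quoted or not."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r'(.+?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def triage(entries):
    """Map each suspicious value name to its (lower-cased) executable path."""
    findings = {}
    for name, command in entries.items():
        path = image_path(command).lower()
        if not path.startswith(TRUSTED_DIRS):
            findings[name] = path
    return findings

if __name__ == "__main__":
    for name, path in triage(parse_run_key(SAMPLE_REG)).items():
        print(f"check: {name} -> {path}")
```

A flagged entry is the one to remove from Run before rebooting, after which the file can be deleted and the AV scan re-run as the thread advises.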
|
Thanks mark99, I am beginning to understand the procedures now. The firewall is fine - it tends not to work when you (well others) disable it though ! ! !
Thanks Dalglish, I'm 60% of the way through no. 1 on your list : the microsoft scan.
|
Well, microsoft safety.live.com gave me plenty of virus notifications and "issues" e.g. Tool:PornDialer.BR , c:\windows\nctl.exe , Altnet , NavExcel SearchToolbar - 5 issues.
Kaspersky tells me I have 5 viruses and 11 infected objects. The print out runs to 3 pages including Trojan-Downloader.Win32.Keenval.f (which Symantec didn't find), Trojan-Spy.HTML.Paylap.ev , Trojan-Spy.HTML.Bayfraud.ev , Mail MS Outlook 5: infected - 6 , Trojan-Downloader.Win32.Small.bwk , Trojan.Win32.Agent.fd
What's the routine please to simply wipe the hard disc and start again - I really don't have confidence that all the cr*p is going to be properly deleted by me fiddling about and forever asking advice and acting on it.
|
dulwich -
1. do a full re-format of the hard drive. if you want to get rid of as many traces as physically possible of old stuff, use a "secure disk wipe/erase/shredder" utility ( if your existing security software does not have it, get some freeware).
2. reinstall - assuming you have the xp install cd. personally, i would follow the advice given at
www.theeldergeek.com/hard_drives_02.htm
www.aumha.org/a/parts.htm
and use at least four partitions.
eldergeek site has most of the information you might need (see his left hand column list).
|
Dulwich
One of the (many) benefits of a dedicated hardware router with inbuilt firewall is that it is much more difficult for family members to turn off the security. They also do provide a much better protection against worms and attacks than software only devices.
Netgear and linksys are good brands and will give you a reasonable device for £50 ish. I use a netgear DG634Gv2 at home. turn on nat, enable the firewall.
You should still run firewalls and antivirus on your pc though. AVG antivirus is good and free: free.grisoft.com/doc/2/lng/us/tpl/v5
I like the kerio firewall now owned by sunbelt, its free (with reduced functionality from the paid for version)
www.sunbeltsoftware.com/evaluation/440/kerio.exe
|
Here in Dulwich we've got Zone Alarm Firewall and AVG anti-virus. They have served ME well.
Turning off the firewall has damaged the "family" computer that thankfully I don't use much. The culprit was bought a laptop last week so it can be taken away to uni. It's now fully loaded with a firewall, anti-virus and a couple of ad searchers. What happens with it all - I truly don't care (and that's because I'm the totally fed up and exasperated parent of a teenager).
My own desktop is bug free. Thanks for the advice mark99, but we'll carry on as before.
Now to tackle the demolition of the hard drive.........
|
Don't forget to backup all your data if it's on the same hard drive. The bit that's easy to miss is anything under "Document and Settings", which can include:
- the "My Documents" folder
- email
- "Desktop" where you might have dropped documents etc
I suppose with this not being your main PC this might not be an issue. But if you need advice on where to look for things like email files, let me know what email application you use.
Also worth making a note of what you had installed and any settings for email servers etc.
One other point for other readers, it is said that a PC on a broadband connection with no firewall at all can become infected with a worm in a matter of minutes. Food for thought.