#1
Why would malware install a copy of Windows.exe?
Okay, so yesterday I was called over to a friend's house to fix up his computer, which he got infected with malware that he downloaded without thinking (browser hijackers, PUPs, etc., a whole suite of various malware in one package). It was a bad infection, but I finally got it all out. So I ran a scan on the malware package installer with his default virus scanner, and it didn't even recognize it as malware. He was running Microsoft Security Essentials (which I had installed for him originally). I knew it had to be malware, so I uploaded it to the online Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about 40% of the scanners found it to be malware, so Microsoft wasn't alone in being braindead about it. One of the scanners that did recognize it was Avira, so I've switched him over to Avira now.

Anyway, one puzzling aspect of this infection was that the malware had installed a copy of Windows.exe into the Public Documents folder. I also had it scanned by Jotti, and absolutely 100% of the scanners listed it as legit. I looked at its properties, and it was listed as a 32-bit Windows PE executable. What would be the purpose of installing Windows PE on an existing Windows system? Is it to run some sort of rootkits or something?

Yousuf Khan
#2
Why would malware install a copy of Windows.exe?
On 7/27/2015 11:29 AM, Yousuf Khan wrote:
> Okay, so yesterday I was called over to a friend's house to fix up his computer, which he got infected with malware that he downloaded without thinking (browser hijackers, PUPs, etc., a whole suite of various malware in one package). It was a bad infection, but I finally got it all out. So I ran a scan on the malware package installer with his default virus scanner, and it didn't even recognize it as malware. He was running Microsoft Security Essentials (which I had installed for him originally). I knew it had to be malware, so I uploaded it to the online Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about 40% of the scanners found it to be malware, so Microsoft wasn't alone in being braindead about it. One of the scanners that did recognize it was Avira, so I've switched him over to Avira now.
>
> Anyway, one puzzling aspect of this infection was that the malware had installed a copy of Windows.exe into the Public Documents folder. I also had it scanned by Jotti, and absolutely 100% of the scanners listed it as legit. I looked at its properties, and it was listed as a 32-bit Windows PE executable. What would be the purpose of installing Windows PE on an existing Windows system? Is it to run some sort of rootkits or something?
>
> Yousuf Khan

Windows PE is legit.
https://technet.microsoft.com/en-us/.../Dn621903.aspx

You might want some malware removal tool installed, like Malwarebytes:
https://www.malwarebytes.org/
#3
Why would malware install a copy of Windows.exe?
Yousuf Khan wrote:
> Okay, so yesterday I was called over to a friend's house to fix up his computer, which he got infected with malware that he downloaded without thinking (browser hijackers, PUPs, etc., a whole suite of various malware in one package). It was a bad infection, but I finally got it all out. So I ran a scan on the malware package installer with his default virus scanner, and it didn't even recognize it as malware. He was running Microsoft Security Essentials (which I had installed for him originally). I knew it had to be malware, so I uploaded it to the online Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about 40% of the scanners found it to be malware, so Microsoft wasn't alone in being braindead about it. One of the scanners that did recognize it was Avira, so I've switched him over to Avira now.
>
> Anyway, one puzzling aspect of this infection was that the malware had installed a copy of Windows.exe into the Public Documents folder. I also had it scanned by Jotti, and absolutely 100% of the scanners listed it as legit. I looked at its properties, and it was listed as a 32-bit Windows PE executable. What would be the purpose of installing Windows PE on an existing Windows system? Is it to run some sort of rootkits or something?
>
> Yousuf Khan

I have a Windows.exe in my new Malwarebytes folder. It's digitally signed and passes as legit.

Ed
#4
Why would malware install a copy of Windows.exe?
On 27-Jul-2015 13:28, Ed Cryer wrote:
> Yousuf Khan wrote:
>> Okay, so yesterday I was called over to a friend's house to fix up his computer, which he got infected with malware that he downloaded without thinking (browser hijackers, PUPs, etc., a whole suite of various malware in one package). It was a bad infection, but I finally got it all out. So I ran a scan on the malware package installer with his default virus scanner, and it didn't even recognize it as malware. He was running Microsoft Security Essentials (which I had installed for him originally). I knew it had to be malware, so I uploaded it to the online Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about 40% of the scanners found it to be malware, so Microsoft wasn't alone in being braindead about it. One of the scanners that did recognize it was Avira, so I've switched him over to Avira now.
>>
>> Anyway, one puzzling aspect of this infection was that the malware had installed a copy of Windows.exe into the Public Documents folder. I also had it scanned by Jotti, and absolutely 100% of the scanners listed it as legit. I looked at its properties, and it was listed as a 32-bit Windows PE executable. What would be the purpose of installing Windows PE on an existing Windows system? Is it to run some sort of rootkits or something?
>>
>> Yousuf Khan
>
> I have a Windows.exe in my new Malwarebytes folder. It's digitally signed and passes as legit.
>
> Ed

Yep. Malwarebytes/chameleon folder
#5
Why would malware install a copy of Windows.exe?
On Mon, 27 Jul 2015 16:29:58 +0100, Yousuf Khan wrote:
> Okay, so yesterday I was called over to a friend's house to fix up his computer, which he got infected with malware that he downloaded without thinking (browser hijackers, PUPs, etc., a whole suite of various malware in one package). It was a bad infection, but I finally got it all out. So I ran a scan on the malware package installer with his default virus scanner, and it didn't even recognize it as malware. He was running Microsoft Security Essentials (which I had installed for him originally). I knew it had to be malware, so I uploaded it to the online Jotti's Malware Scanner (http://virusscan.jotti.org/en), and only about 40% of the scanners found it to be malware, so Microsoft wasn't alone in being braindead about it. One of the scanners that did recognize it was Avira, so I've switched him over to Avira now.
>
> Anyway, one puzzling aspect of this infection was that the malware had installed a copy of Windows.exe into the Public Documents folder. I also had it scanned by Jotti, and absolutely 100% of the scanners listed it as legit. I looked at its properties, and it was listed as a 32-bit Windows PE executable. What would be the purpose of installing Windows PE on an existing Windows system? Is it to run some sort of rootkits or something?
>
> Yousuf Khan

Microsoft Security Essentials is the very worst virus checker. AVG is far better. No idea about Jotti though.
#6
Why would malware install a copy of Windows.exe?
On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
> Microsoft Security Essentials is the very worst virus checker. AVG is far better. No idea about Jotti though.

MSE wasn't alone here; at least 60% of virus scanners didn't find it either. AVG and Avira both did, however, and there were a few others as well. I've used both AVG and Avira in the past, and Avira is by far the least offensive to have installed, next to MSE.

Yousuf Khan
#7
Why would malware install a copy of Windows.exe?
On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>> Microsoft Security Essentials is the very worst virus checker. AVG is far better. No idea about Jotti though.
>
> MSE wasn't alone here; at least 60% of virus scanners didn't find it either. AVG and Avira both did, however, and there were a few others as well. I've used both AVG and Avira in the past, and Avira is by far the least offensive to have installed, next to MSE.

I've never had a problem with AVG. I only allow the basic realtime protection and turn off all the other crap. I read somewhere how many things AVG and MSE detect. MSE only detects HALF as many things as most others.
#8
Why would malware install a copy of Windows.exe?
Tough Guy no. 1265 wrote:
> On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
>> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>>> Microsoft Security Essentials is the very worst virus checker. AVG is far better. No idea about Jotti though.
>>
>> MSE wasn't alone here; at least 60% of virus scanners didn't find it either. AVG and Avira both did, however, and there were a few others as well. I've used both AVG and Avira in the past, and Avira is by far the least offensive to have installed, next to MSE.
>
> I've never had a problem with AVG. I only allow the basic realtime protection and turn off all the other crap. I read somewhere how many things AVG and MSE detect. MSE only detects HALF as many things as most others.

http://chart.av-comparatives.org/chart1.php

Ed
#9
Why would malware install a copy of Windows.exe?
On Mon, 27 Jul 2015 22:12:22 +0100, Ed Cryer wrote:
> Tough Guy no. 1265 wrote:
>> On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
>>> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>>>> Microsoft Security Essentials is the very worst virus checker. AVG is far better. No idea about Jotti though.
>>>
>>> MSE wasn't alone here; at least 60% of virus scanners didn't find it either. AVG and Avira both did, however, and there were a few others as well. I've used both AVG and Avira in the past, and Avira is by far the least offensive to have installed, next to MSE.
>>
>> I've never had a problem with AVG. I only allow the basic realtime protection and turn off all the other crap. I read somewhere how many things AVG and MSE detect. MSE only detects HALF as many things as most others.
>
> http://chart.av-comparatives.org/chart1.php
>
> Ed

I think I'll give Panda a try if it's free. MSE isn't on there though.
#10
Why would malware install a copy of Windows.exe?
Tough Guy no. 1265 wrote:
> On Mon, 27 Jul 2015 22:12:22 +0100, Ed Cryer wrote:
>> Tough Guy no. 1265 wrote:
>>> On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
>>>> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>>>>> Microsoft Security Essentials is the very worst virus checker. AVG is far better. No idea about Jotti though.
>>>>
>>>> MSE wasn't alone here; at least 60% of virus scanners didn't find it either. AVG and Avira both did, however, and there were a few others as well. I've used both AVG and Avira in the past, and Avira is by far the least offensive to have installed, next to MSE.
>>>
>>> I've never had a problem with AVG. I only allow the basic realtime protection and turn off all the other crap. I read somewhere how many things AVG and MSE detect. MSE only detects HALF as many things as most others.
>>
>> http://chart.av-comparatives.org/chart1.php
>>
>> Ed
>
> I think I'll give Panda a try if it's free. MSE isn't on there though.

The one everybody raves about recently is Bitdefender. If it were free I'd migrate from AVG to it. But I have minimal problems with malware; far more problems caused by my own meddling with things. (:-

Ed
#11
Why would malware install a copy of Windows.exe?
On Mon, 27 Jul 2015 22:19:00 +0100, Tough Guy no. 1265 wrote:
> On Mon, 27 Jul 2015 22:12:22 +0100, Ed Cryer wrote:
>> Tough Guy no. 1265 wrote:
>>> On Mon, 27 Jul 2015 21:55:46 +0100, Yousuf Khan wrote:
>>>> On 27/07/2015 3:46 PM, Tough Guy no. 1265 wrote:
>>>>> Microsoft Security Essentials is the very worst virus checker. AVG is far better. No idea about Jotti though.
>>>>
>>>> MSE wasn't alone here; at least 60% of virus scanners didn't find it either. AVG and Avira both did, however, and there were a few others as well. I've used both AVG and Avira in the past, and Avira is by far the least offensive to have installed, next to MSE.
>>>
>>> I've never had a problem with AVG. I only allow the basic realtime protection and turn off all the other crap. I read somewhere how many things AVG and MSE detect. MSE only detects HALF as many things as most others.
>>
>> http://chart.av-comparatives.org/chart1.php
>>
>> Ed
>
> I think I'll give Panda a try if it's free.

Now installed, although I never received an account activation email; I guess it'll work without that. But it's unclear if it's up to date. I found "automatic updates" and clicked "update now", and the circle is spinning indefinitely. Nothing is coming through the internet connection. It's reading 0kbps.
#12
Why would malware install a copy of Windows.exe?
On 27/07/2015 5:19 PM, Tough Guy no. 1265 wrote:
> I think I'll give Panda a try if it's free. MSE isn't on there though.

I'll probably keep using MSE on my own systems, as it is the least intrusive AV of them all. I've always had problems with resource utilization from other AVs in the past.

Yousuf Khan
#13
Why would malware install a copy of Windows.exe?
On 27/07/2015 1:28 PM, Ed Cryer wrote:
> I have a Windows.exe in my new Malwarebytes folder. It's digitally signed and passes as legit.

Which is what's puzzling: what's malware doing installing legit Microsoft software for?

Yousuf Khan
#14
Why would malware install a copy of Windows.exe?
Yousuf Khan wrote:
> On 27/07/2015 1:28 PM, Ed Cryer wrote:
>> I have a Windows.exe in my new Malwarebytes folder. It's digitally signed and passes as legit.
>
> Which is what's puzzling: what's malware doing installing legit Microsoft software for?
>
> Yousuf Khan

Does MS own Malwarebytes?

Ed
#15
Why would malware install a copy of Windows.exe?
Ed Cryer wrote:
> Yousuf Khan wrote:
>> On 27/07/2015 1:28 PM, Ed Cryer wrote:
>>> I have a Windows.exe in my new Malwarebytes folder. It's digitally signed and passes as legit.
>>
>> Which is what's puzzling: what's malware doing installing legit Microsoft software for?
>>
>> Yousuf Khan
>
> Does MS own Malwarebytes?
>
> Ed

Has anyone done "Properties" on this purported file?

Malwarebytes has Chameleon technology, their words for a way to fool the malware into allowing a copy of mbam.exe to run. They have some trick where they rename files, or do something so that the malware is less likely to block it. If the file is signed, there's a good chance you'll have proof of ownership.

Paul
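An added example, not code from anyone in this thread, covering the two technical points raised above: the "32-bit Windows PE executable" line in the original post, and Paul's suggestion to check the file's Properties and signature. "PE" in a file's properties is the Portable Executable format that every Windows .exe and .dll uses; it is not the Windows Preinstallation Environment, so a PE executable is not "a copy of Windows PE". The script below parses the PE headers the way Explorer's Properties dialog and a multi-engine scanner would see them: machine type (x86 vs x64), subsystem, EXE vs DLL, whether an Authenticode certificate table is embedded, and the SHA-256 hash. It exercises itself on a constructed, non-runnable PE32 header (an assumption for the sake of a self-contained example, not a real Windows binary); pass a path on the command line to inspect a real file. The caveat a practitioner wants: finding a certificate table only proves a signature block is present, not that it is valid or that it chains to Microsoft or Malwarebytes; for that, run `Get-AuthenticodeSignature` in PowerShell or `signtool verify /pa /v` on the file. The SHA-256 lets you look the file up on a scanner such as Jotti without re-uploading it.

```python
import hashlib
import struct
import sys

# Subset of COFF machine types and subsystem values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "native", 2: "Windows GUI", 3: "Windows console"}
IMAGE_FILE_DLL = 0x2000
SECURITY_DIR_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for a PKCS#7 SignedData blob


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report what Properties would show."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsym, _optsize, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 32-bit optional header layout
        bits, nrva_off, dirs_off = 32, 92, 96
    elif magic == 0x20B:                     # PE32+: 64-bit layout, directories start 16 bytes later
        bits, nrva_off, dirs_off = 64, 108, 112
    else:
        raise ValueError(f"unknown optional-header magic 0x{magic:04x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sig_offset = sig_size = 0
    if nrva > SECURITY_DIR_INDEX:
        # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
        sig_offset, sig_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
    cert_type = None
    if sig_size:
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, then the blob itself.
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, sig_offset)
    return {
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "bits": bits,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "image_type": "DLL" if characteristics & IMAGE_FILE_DLL else "EXE",
        "signed": sig_size > 0,              # a signature block is embedded; says nothing about validity
        "cert_type": cert_type,
        "sha256": hashlib.sha256(data).hexdigest(),   # hash to look up on a multi-engine scanner
    }


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header (no code, not runnable) used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))       # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)  # x86, EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(224)                              # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                # Windows GUI subsystem
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        # Placeholder bytes stand in for a real PKCS#7 blob; only the WIN_CERTIFICATE header is meaningful.
        body = b"placeholder-pkcs7-signed-data"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def inspect_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return inspect_pe(fh.read())


if __name__ == "__main__":
    # Usage: python pe_inspect.py <file.exe>; with no argument, inspect the constructed sample header.
    report = inspect_file(sys.argv[1]) if len(sys.argv) > 1 else inspect_pe(build_sample_pe(signed=True))
    for key, value in report.items():
        print(f"{key:>10}: {value}")
```

Running it on the thread's Windows.exe would show x86 (32-bit), EXE, and whether a certificate table is present; an unsigned file that claims to be Microsoft's, or a signed one whose signature does not verify, is the case worth treating as suspect regardless of what the scanners reported.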