WordStar Discussion

Microsoft Windows => General Discussion => Topic started by: BillW50 on April 09, 2005, 04:48:19 AM

Title: MediaMotor, Ad-watch, NTFS, and ADS
Post by: BillW50 on April 09, 2005, 04:48:19 AM

I had an interesting thing happen to one of my laptops that I believe I solved, but I like to hear from others what theories they may have besides my own. This is a Toshiba 2595XDVD laptop running Windows 2000. Has AVG and Ad-watch always running.

Well the other day, I opened up the Windows Calculator and Ad-watch popup reported Malware MediaMotor. Choices were Accept or Block. I chose the latter. I scanned with Ad-aware, clean as a bell. Scanned with AVG, still nothing detected. Ran Trend Micro's online scanner, nothing. Ran Spyware Doctor, still nothing. Opened Calculator again and Ad-watch popped up the message again.

So I did a search about this malware and it appears to redirect your browser without permission. Although I never had seen this happen. It's also supposed to have a file named mmups.exe. And it's launched through the registry under Run. Nothing was found. Interesting to say the least!

I tried to rename calc.exe and it worked. Although another infected calc.exe reappeared. I deleted it, and it would reappear. Booted to safe mode under command prompt and I deleted it there. It's now gone. Booted up Windows 2000 and copied a good calc.exe off of the network. All seems well now.

So how could seemingly the only affected file undelete, un-rename, etc. itself? And also avoid detection until it tried to run? I don't understand ADS in NTFS very well. But that is the only thing I can think of. But can an ADS executable actually pull off such a feat? Anybody have other ideas?


Cheers!


___________________________________________
Bill (using a HP AMD 1.2GHZ & Windows 2000)
-- written and edited within Word 2000

Title: Re:MediaMotor, Ad-watch, NTFS, and ADS
Post by: Forum Admin on April 09, 2005, 06:03:55 AM
Under Windows 2000 and XP, I think Me too, there is a set list of files that Windows will silently restore should they be deleted. This may be one of those files that gets restored without you being told?

Title: Re:MediaMotor, Ad-watch, NTFS, and ADS
Post by: BillW50 on April 09, 2005, 06:34:34 AM
Hi Mike... I just tried it on another computer and yes it does. Very interesting. So where does it restore it from? A copy of calc.exe from the dllcache folder perhaps? If so, then that calc.exe is still probably infected. I should send that one into the experts. Thanks!


Cheers!


Title: Re:MediaMotor, Ad-watch, NTFS, and ADS
Post by: Forum Admin on April 10, 2005, 02:17:34 PM
Hi,

If you go to http://support.microsoft.com and do a search for WFP (Windows File Protection) you'll get more information than you can shake a stick at.

Try article 222193 for a description of the system - introduced with Windows 98, or Me, I can't remember. You are correct in that the replacement comes from the dllcache.

There is a command-line utility called SFC.EXE that scans your protected files. You find details of that in article 222471 (for XP it's 310747).

It looks like Microsoft have shuffled their Knowledge Base files around again. You can now get to these articles by using a URL of http://support.microsoft.com/kb/ followed by the article number.
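The check the thread converges on (is the dllcache copy that WFP restores from itself bad, and does the file carry an NTFS alternate data stream?) as an added PowerShell example, not code from either poster. It assumes PowerShell 4 or later for Get-FileHash and Get-Item -Stream, and the Windows 2000/XP dllcache location; on later Windows versions pass a different -CacheDir.

```powershell
# Added example: compare a protected system file with its dllcache copy and
# list NTFS alternate data streams on both. Assumes PowerShell 4+ and the
# Windows 2000/XP dllcache path; override the parameters on other versions.
param(
    [string]$Name     = 'calc.exe',
    [string]$LiveDir  = "$env:SystemRoot\system32",
    [string]$CacheDir = "$env:SystemRoot\system32\dllcache"
)

function Get-FileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; SHA256 = $null; Streams = @() }
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # ':$DATA' is the file's ordinary content; every other stream is an ADS
    $ads = Get-Item -LiteralPath $Path -Stream * |
           Where-Object { $_.Stream -ne ':$DATA' } |
           ForEach-Object { '{0} ({1} bytes)' -f $_.Stream, $_.Length }
    [pscustomobject]@{ Path = $Path; Exists = $true; SHA256 = $hash; Streams = @($ads) }
}

$live  = Get-FileReport (Join-Path $LiveDir  $Name)
$cache = Get-FileReport (Join-Path $CacheDir $Name)
$live, $cache | Format-List

if ($live.Exists -and $cache.Exists) {
    if ($live.SHA256 -eq $cache.SHA256) {
        Write-Host 'Live and cache copies are identical: if one is bad, WFP keeps restoring the other.'
    } else {
        Write-Host 'Live and cache copies differ: WFP would replace the live copy on its next check.'
    }
}
if ($live.Streams.Count -or $cache.Streams.Count) {
    Write-Host 'Alternate data streams present; inspect with Get-Content -Stream <name>.'
}
# Compare both hashes against a known-good copy (install media or a clean machine)
# before trusting either file; sfc.exe /scannow re-verifies the protected set.
```

Because WFP copies from dllcache, a clean-looking live file proves nothing on its own; the cache copy has to match a known-good hash too.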