Discussion Starter · #1 ·
I'm about to set up my gateway machine with a firewall. I've just purchased ZoneAlarm but haven't installed it yet. The gateway machine has been in use for about a month so far without a firewall. Looking at Task Manager (Win2k SP3) I see one app that's running 13 or 14 times, each instance taking up about 4 meg of RAM. If I reboot, the same thing happens but the app has a different name. None of my other machines exhibit this behaviour.


I have the latest version of Norton AntiVirus with up-to-the-minute virus definitions, and I have the latest version of Ad-aware. Neither of these sees any problem with the mystery app. X-Teq's X-Setup shows no mysterious service or apps set to start on reboot.


I can stop all but one instance of the app. Of course, when I reboot they all come back. I know there's something fishy going on here, but I don't know the first place to start looking for information on this one. The app name keeps changing so there's no use googling for references to it.


Has anyone seen this before?

Discussion Starter · #4 ·
Two names I've seen are mnyf.exe and mjxglu.exe. I'll make note of others if I see 'em. I have ZoneAlarm installed now and I've got it blocking any outside access to both those apps. mnyf.exe has been the app of choice for the last few reboots, and ZoneAlarm has caught it listening and trying to connect to a web server.


But why does nothing detect this thing? Oddly, if it gets blocked by ZoneAlarm I can kill all instances of that app with Task Manager.
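The symptom described in these two posts (one image running a dozen times, with a different short name after every reboot, each copy with about the same memory footprint) can be spotted mechanically by comparing process snapshots across boots. The following Python script is an added example and is not code from the thread; the two tasklist-style snapshots in it are constructed to mimic the behaviour described, and the baseline set of expected process names is an assumption that should be tuned from a known-clean machine.

```python
"""Triage heuristic for the pattern in the thread: one image running a dozen
times, renamed on every reboot. Added example, not from the thread; the two
tasklist-style snapshots below are constructed to mimic that behaviour."""
from collections import Counter
import re

# Names a stock Win2k install is expected to run, some with many instances.
# Assumption: tune this baseline from a known-clean machine on the same network.
BASELINE = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
            "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
MIN_INSTANCES = 4  # fewer clones than this are not worth reporting

# Constructed `tasklist /fo csv` output for two consecutive boots.
BOOT1 = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","8","Console","0","216 K"
"svchost.exe","420","Console","0","3,100 K"
"svchost.exe","468","Console","0","2,900 K"
"svchost.exe","512","Console","0","4,500 K"
"svchost.exe","540","Console","0","2,300 K"
"mnyf.exe","800","Console","0","4,120 K"
"mnyf.exe","812","Console","0","4,080 K"
"mnyf.exe","824","Console","0","4,200 K"
"mnyf.exe","836","Console","0","4,000 K"
"explorer.exe","900","Console","0","9,800 K"'''
BOOT2 = BOOT1.replace("mnyf.exe", "icwlx.exe")  # same footprint, new name


def parse_tasklist_csv(text):
    """Parse tasklist CSV lines into (name, pid, mem_kb); skips the header and
    turns a "4,120 K" memory column into the integer 4120."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        name, pid, _session, _sid, mem = [f.strip('"') for f in line.split('","')][:5]
        rows.append((name.lower(), int(pid), int(re.sub(r"[^0-9]", "", mem))))
    return rows


def looks_random(name):
    """Short, lowercase, vowel-poor base names like 'mnyf.exe' or 'mjxglu.exe'.
    A heuristic only: it also hits a few legitimate short names, so treat a
    match as a hint, not a verdict."""
    base = name[:-4] if name.lower().endswith(".exe") else name
    if not re.fullmatch(r"[a-z]{3,8}", base):
        return False
    return sum(base.count(v) for v in "aeiou") <= len(base) // 3


def cloned_process_candidates(rows):
    """Names outside the baseline with MIN_INSTANCES or more live copies."""
    counts = Counter(name for name, _, _ in rows)
    found = {}
    for name, n in counts.items():
        if n < MIN_INSTANCES or name in BASELINE:
            continue
        mems = [kb for nm, _, kb in rows if nm == name]
        found[name] = {"instances": n, "avg_kb": sum(mems) // n,
                       "random_name": looks_random(name)}
    return found


def cross_boot_suspects(snapshots):
    """The rename-on-every-boot signature: a cloned name that exists in exactly
    one of several boot snapshots. Returns {name: details plus boot index}."""
    per_boot = [cloned_process_candidates(parse_tasklist_csv(s)) for s in snapshots]
    suspects = {}
    for name in set().union(*per_boot):
        boots = [i for i, c in enumerate(per_boot) if name in c]
        if len(boots) == 1 and len(snapshots) > 1:
            suspects[name] = {**per_boot[boots[0]][name], "boot": boots[0]}
    return suspects


if __name__ == "__main__":
    for name, info in cross_boot_suspects([BOOT1, BOOT2]).items():
        print(f"{name}: {info}")
```

On the constructed data this reports mnyf.exe in the first boot and icwlx.exe in the second, each with four copies averaging about 4 MB, while the legitimately multi-instance svchost.exe stays silent because it is in the baseline. The useful part is the cross-boot comparison: a process that is cloned many times but never survives a reboot under the same name is exactly the case where searching the name on the web tells you nothing, so the snapshot diff does the job the name cannot.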

Discussion Starter · #8 ·
SpyBot should be about the same as Ad-aware, which I've tried without success.


I downloaded msconfig and found a service called radmm which was from an unknown manufacturer. I disabled it and am about to reboot to see if that stops the stupid thing.


Thanks for the pointer, dandrewk!

· Registered · 1,261 Posts
Spybot is a different product from adaware. There are some things that it removes which adaware does not. I would not discount its use if I had a problem that adaware did not fix.


I routinely run both of them on my computers.


Best regards,

Doug

Discussion Starter · #11 ·
SpyBot didn't find anything more than Ad-aware did. I deleted mnyf.exe, rebooted, and now have an app named icwlx.exe running a dozen times over. I added it to ZoneAlarm and so am able to kill all those processes.


Damn, this thing's tenacious.


Thanks for all the help so far, everyone.

· Registered · 342 Posts
What's in your startup menu folder? If there's nothing there, then have a look in regedt32.exe in the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run


It should list the usual executables that run on startup; if there's something strange there, then that's where the usual viruses hide themselves. http://www.sophos.com/virusinfo/analyses/w32ororl.html is an article which explains how to remove a typical worm/trojan from a PC; most viruses these days are fairly similar, except the author tries to change the way the original worm behaves in order to avoid detection.


It's probably worth emailing the virus with an explanation to one of the well-known virus centres like http://www.sophos.com/support/queries/#sample to see what they make of it. To be honest, it's quite well known that Norton misses quite a few of the viruses out there; McAfee is fairly good but kills (slows) any PC I've seen it running on, and that includes top-of-the-range business PCs. I'm not kidding you when I say it makes them so slow it's a joke. My advice would be to get Sophos antivirus.

http://www.sophos.com/virusinfo/analyses/w32ororl.html explains how to remove those kinds of viruses/trojans; the problem is that you can download the source to various trojans/worms, and people modify them in order to try and bypass most of the virus checkers out there. You would think that some people have better things to do.


Hopefully it could be some poorly written program that you installed from a website, but you never know these days.

· Registered · 1,230 Posts
In addition to HKEY_LOCAL_MACHINE, as uk.steve suggests, try the same path under HKEY_CURRENT_USER:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


...as well as the RunOnce and RunEx keys in those locations.


It is possible (though not likely) that the virus (if it is one) is loaded by a Windows Service... which would be indicated in the Services administrative tool... (Start / Control Panel / Administrative Tools / Services). If something looks suspicious, then you can try setting its startup state to "disabled", although there are some key services which should not be treated this way... tread lightly on your services!


Good luck! We're pulling for you!
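The two posts above (uk.steve's on the HKLM Run key, salsbst's on the HKCU Run/RunOnce keys and on services) describe the persistence locations worth checking. The following Python script is an added example, not code from the thread: it collects those locations on a Windows host with the standard winreg module and then flags entries by rule, including a comparison against a baseline of image names exported from a known-clean machine, which is how an unfamiliar service like the radmm one mentioned earlier would surface. It assumes a stock Win2k system root of C:\WINNT, and the baseline and sample entries at the bottom are constructed so the flagging logic can be exercised on any platform.

```python
"""Persistence check for the locations named in the thread: the Run/RunOnce
keys under HKLM and HKCU, and the installed services. Added example, not from
the thread. The registry reader needs Windows (winreg); the flagging logic is
pure and is exercised below on constructed entries. Assumes the system root is
C:\\WINNT (stock Win2k) and a baseline exported from a known-clean machine."""
import ntpath  # Windows path semantics even when run on another OS
import re
import sys

RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
SYSTEM_ROOT = r"C:\WINNT"  # assumption: stock Win2k default
TRUSTED_DIRS = (r"c:\winnt", r"c:\program files")


def image_path(command):
    """Pull the executable out of a Run value or service ImagePath, handling
    quoted paths, %SystemRoot% / \\SystemRoot prefixes and the \\??\\ form."""
    command = (command.strip().replace("%SystemRoot%", SYSTEM_ROOT)
               .replace("\\SystemRoot", SYSTEM_ROOT))
    if command.startswith("\\??\\"):
        command = command[4:]
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split()[0] if command else "")


def flag_entry(command, baseline):
    """Return a reason string if the entry deserves a closer look, else None.
    baseline: set of lower-cased image file names seen on a clean machine."""
    path = image_path(command).lower()
    if not path:
        return "empty command"
    if "\\temp\\" in path + "\\":
        return f"image in a temp directory: {path}"
    if ntpath.basename(path) not in baseline:
        return f"{ntpath.basename(path)} not present on the clean baseline"
    if not ntpath.dirname(path):
        return "bare file name, resolved through the PATH search order"
    if not path.startswith(TRUSTED_DIRS):
        return f"image outside trusted directories: {path}"
    return None


def triage(entries, baseline):
    """entries: iterable of (location, value_name, command). Returns flagged ones
    as (location, value_name, reason)."""
    flagged = []
    for location, name, command in entries:
        why = flag_entry(command, baseline)
        if why:
            flagged.append((location, name, why))
    return flagged


def collect_autoruns():
    """Windows only: Run/RunOnce values under HKLM and HKCU plus service ImagePaths."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    entries = []
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for hive_name, hive in hives:
        for sub in RUN_KEYS:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):
                        name, value, _ = winreg.EnumValue(key, i)
                        entries.append((f"{hive_name}\\{sub}", name, str(value)))
            except OSError:
                pass  # key absent (RunOnce often is)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as svc:
        for i in range(winreg.QueryInfoKey(svc)[0]):
            svc_name = winreg.EnumKey(svc, i)
            try:
                with winreg.OpenKey(svc, svc_name) as key:
                    path, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                continue  # not every Services subkey has an ImagePath
            entries.append((f"HKLM\\{SERVICES_KEY}\\{svc_name}", svc_name, str(path)))
    return entries


# Constructed baseline and entries. avagent.exe and "Example AV" are placeholders;
# mobsync, mnyf and radmm are the names that appear in the thread.
CLEAN_BASELINE = {"mobsync.exe", "services.exe", "spoolsv.exe", "avagent.exe"}
SAMPLE_ENTRIES = [
    (f"HKLM\\{RUN_KEYS[0]}", "Synchronization Manager", "mobsync.exe /logon"),
    (f"HKLM\\{RUN_KEYS[0]}", "AV Agent", r'"C:\Program Files\Example AV\avagent.exe" /q'),
    (f"HKCU\\{RUN_KEYS[0]}", "mnyf", r"C:\WINNT\temp\mnyf.exe"),
    (f"HKLM\\{SERVICES_KEY}\\Spooler", "Spooler", r"%SystemRoot%\system32\spoolsv.exe"),
    (f"HKLM\\{SERVICES_KEY}\\radmm", "radmm", r"%SystemRoot%\system32\radmm.exe"),
]

if __name__ == "__main__":
    live = sys.platform == "win32"
    for location, name, why in triage(collect_autoruns() if live else SAMPLE_ENTRIES,
                                      CLEAN_BASELINE):
        print(f"{location} :: {name} -> {why}")
```

On the constructed entries the script flags three things: the bare `mobsync.exe /logon` value (the same entry the thread's starter later spotted and had to look up), the mnyf.exe image sitting in a temp directory, and the radmm service whose image name is not on the clean baseline. The baseline rule is the one that matters for a service with a valid-looking path under system32, since a path check alone would pass it; exporting the same keys from one of the other, clean machines on the network gives you that baseline for free.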

Discussion Starter · #14 ·
Thanks for the suggestions uk.steve and salsbst.


I had already checked those registry entries with X-Teq X-Setup and found nothing. Just to double check I did go into regedit and nothing looked suspicious. Hmmm... now that I think about it there was one thing that did look a little shifty. Something called mobsync had a /logon switch. Ah, a quick Google search reveals this is a Windows mobile synchronization app. Kind of useless on a desktop machine, but difficult to disable, apparently.


The machine in question here has a stock Win2k install with absolutely nothing else on it. Until yesterday its only purpose in life was to act as a gateway between the Internet and my home network. My mistake was leaving it unprotected while I looked for a good firewall app. Previously I had a beautiful Linux setup with an excellent iptables firewall script I spent days perfecting. That machine's hard drive died, leaving me with no 'net access. This was a completely unacceptable situation :) so I dragged out an old machine, threw Win2k on there and enabled ICS (Internet Connection Sharing).


I'll take your suggestion, Steve, and send the info to one of the virus reporting places. In the end, I could just re-install Win2k and be rid of it that way, but I don't want to give in that easily! :)