Loader.exe and smss.exe

[blargg]

Today, my comp kept loading iexplorer (Internet Explorer) in the background. I also noticed that 'File Loader' asked for access to the internet.
Under local settings>temp, I found the two exe files and deleted them.

When either of them were running under the name 'file loader', ie would load in the background. By right clicking the files, they said they came from 'Black Internet' Inc.

Also, my ie history showed ad sites in the history.

Neither spybot nor avast detected anything, which was a little concerning.

Hope this helps.

-blargg

[blargg]

I had a loader.exe and smss.exe in my temp folder, opening up IE in the background. I deleted the files, but ie still loads on startup. I checked both msconfig and the HKLM/software/microsoft/windows/currentversion/run directory, but nowhere does it show iexplore.exe. I can't figure out how to stop it! Any ideas?

[sharp]

The same two files surfaced on my Windows XP Pro workstation last night.

I never use IE, only the last version of Firefox.

There are a few instances of IE always running in the background. Ending the processes in task mgr does not help as they restart.

Rogue process SMSS.exe also will not close, only loader.exe could be ended through task mgr. Both files show the company as 'Black Internet'.

I was running S&D last night when the computer rebooted by itself. This was likely by design.

Unfortunately a rootkit was installed in the master boot record. S&D, MBAM, Hitman Pro, and Symantec AV is unable to find any malicious files, but I have confirmed the presence of a rootkit using GMER and the MBR rootkit detector tool.

Although I renamed the two files before the OS was randomly rebooted, the rogue SMSS.exe (file location: /temp/) restarted upon reboot in safe mode!

NOTE: There is another instance of SMSS.exe which appears to be an authentic MS Windows process. It only uses a kb of memory, while the rogue SMSS.exe uses a few MBs.

I will attempt to fix the MBR later today, but it is very likely I will need to do a clean install of the OS. From what I understand Windows XP is very vulnerable to these types of attacks. Windows Vista and 7 are likely more protected.

[blargg]

After attempting multiple system restores which failed for some reason, now my comp is telling me windows is not genuine and doing weird things.... I guess I'll restore an image from a few months ago.

Geez, what a hassle.

System Restore-please leave it on until advised

[sharp]

After attempting multiple system restores which failed for some reason, now my comp is telling me windows is not genuine and doing weird things.... I guess I'll restore an image from a few months ago.

Geez, what a hassle.

What operating system were you running?

My Win XP workstation was running up to date security definitions, all recent MS updates, and routinely was scanned using multiple programs.

I'm very surprised of how easily this malware took control over the OS. I can only suspect at this point that some sort of exploit was run while browsing the web (using only Firefox!). No plug-ins or executable files were run within the last few days.

[sharp]

If the computer is infected with a rootkit, restoring Windows using a past image will likely not remove the rootkit. The hook starts first before the OS loads!

You can attempt using the fixmbr command in the Recovery Console. If that is not sucessful you may need to completely format the drive on which the OS boots from.

Hopefully others will chime in later today with their experiences.

[blargg]

If the computer is infected with a rootkit, restoring Windows using a past image will likely not remove the rootkit. The hook starts first before the OS loads!

You can attempt using the fixmbr command in the Recovery Console. If that is not sucessful you may need to completely format the drive on which the OS boots from.

Hopefully others will chime in later today with their experiences.

Holy Crap, you were right. It didn't work! I also use firefox btw.
Well, I'll try that fixmbr thing now.

[blargg]

Well, I used bootrec.exe /fixmbr from the W7 boot cd. All seems okay for now. Thanks for the help, sharp. I have no idea how I got this crap on my computer...

[sharp]

To verify if the rootkit has been removed, you can use the GMER application. It is a very thorough scanner that runs in Windows.

[tashi]

Hello and

Please see this post: http://forums.spybot.info/showpost.p...05&postcount=2

If you would like someone to take a look at the system please see the FAQ to post a preliminary DDS log: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Then start a new topic in the Malware Removal Forum and copy paste the log into it, an analyst will advise you as soon as available.

From the Malware forum FAQ:

Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (dirty or not) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for.

Best regards.