I have the suspicion this malware is a new one. I can't find much information about it. I only found one thread here on BleepingComputer and one on a Dutch forum. I can't seem to find the one on BleepingComputer anymore though. (I used various keywords to look for information on this problem.)
The situation is as follows:
OS: Windows 7 (Ultimate)
- getting fake crash reports from "Mozilla" about "Firefox". Because of the weird name, and since Firefox keeps working perfectly fine, I went investigating.
- Malwarebytes, Emsisoft Anti-Malware, Spybot S&D and McAfee AntiVirus Plus scans don't find anything
- relocated the fake crash report location "crashreporter.exe" to the location: C:\Program Files (x86)\Common Files\Lenovo
(my laptop is not from Lenovo)
- uploaded that file to virustotal: clean
- went on further investigation and noticed that even without Firefox running, a process is created (and recreated immediately if killed): "dmw.exe" with the description "firefox" (not to be confused with the legitimate dwm.exe)
- dmw.exe doesn't give any positives on VirusTotal
- investigated more and learned the dmw.exe process is started by the startup script data.js in the very same Lenovo folder. It's also connected to the process "wscript.exe", which has its origin in C:\Windows\SysWOW64
- the data.js file gives only 3 positives on VirusTotal: link report
- tried killing that startup script and the Lenovo folder with various methods (HijackThis and McAfee Shredder); they failed
- I ran TDSSKiller; no results
So this is a tough one and I am in need of some help.
Since I only realised today that I'm infected (there is no doubt that I am), I also realise that a couple of days ago my wireless connection had problems, and since then I lose the connection at times. (I thought it was my provider being funny, or another wireless device interfering.) The Lenovo folder was created on 09/12.
*edit* I probably should have posted this in the other section with a DDS-logfile.
I'll await confirmation; or if a moderator could move this thread to the right section and ask, I'll add one.
*update* My tired mind (it's 6:20 am here and I haven't slept yet) didn't think about this before. But I rebooted the laptop in safe mode and was able to destroy the Lenovo folder there.
After rebooting the laptop in normal mode, I got an error that data.js couldn't be loaded, which is a good thing of course. I'll still have to remove that startup process. What worries me still though is the connection with "wscript.exe". So I'm still looking for help/advice on this matter ;)
Edited by Daluicis, 13 December 2013 - 12:23 AM.
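The two tells in this post, a Windows script host (wscript.exe) launching a .js file at startup and a spawned binary whose name is one letter-swap away from a real system process (dmw.exe versus dwm.exe), can be checked mechanically against any autorun or process inventory. The following audit is an added example, not code from the thread; the inventory entries, the list of known system binary names and the function names are all constructed for illustration, and command lines whose path contains spaces are assumed to be quoted.

```python
import re

# Names a lookalike would typically imitate (short constructed list; extend as needed).
KNOWN_SYSTEM_BINARIES = {"dwm.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_ARG = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)

def osa_distance(a, b):
    """Optimal string alignment distance: single edits plus adjacent transpositions,
    so 'dmw.exe' versus 'dwm.exe' scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def image_name(command):
    """Executable file name (lower case) from a command line; quoted paths are handled."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    path = (m.group(1) or m.group(2)).replace("/", "\\")
    return path.rsplit("\\", 1)[-1].lower()

def audit_entry(command):
    """Return the reasons a single autorun or process command line looks suspicious."""
    name = image_name(command)
    reasons = []
    if name in SCRIPT_HOSTS and SCRIPT_ARG.search(command):
        reasons.append("script host launches a script file at startup")
    for known in KNOWN_SYSTEM_BINARIES:
        if name != known and osa_distance(name, known) == 1:
            reasons.append(f"image name {name} is a lookalike of {known}")
    return reasons

def audit(entries):
    """entries: (source, command) pairs; returns the flagged (source, command, reasons)."""
    return [(src, cmd, r) for src, cmd in entries if (r := audit_entry(cmd))]

# Constructed inventory modelled on the post: one Run key, two processes, one benign vendor entry.
SAMPLE_ENTRIES = [
    ("HKCU\\...\\Run", 'wscript.exe "C:\\Program Files (x86)\\Common Files\\Lenovo\\data.js"'),
    ("process", '"C:\\Program Files (x86)\\Common Files\\Lenovo\\dmw.exe"'),
    ("process", "C:\\Windows\\System32\\dwm.exe"),
    ("HKLM\\...\\Run", '"C:\\Program Files\\Vendor\\updater.exe" /background'),
]

if __name__ == "__main__":
    for src, cmd, reasons in audit(SAMPLE_ENTRIES):
        print(src, cmd, "->", "; ".join(reasons))
```

Run against a real export (for example the Run keys and a process list), only the script-host entry and the lookalike process are reported; the genuine dwm.exe and the vendor updater pass.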