Posted 03 November 2011 - 09:18 AM
I have a Dell Dimension 2350 (new hard drive ca. 2006), running Windows XP SP3 Home Edition. Intel Celeron 2G, 512 RAM, with Avast! Antivirus, and regular Malwarebytes updating, less regular scans. I use Firefox and NoScript, also run Process Explorer every time I turn the computer on, and occasionally use it to shut down processes.
About 2-3 weeks ago, I began to notice high physical memory usage (e.g., 80-90%) that didn’t appear to be explained.
On November 1st, I was online (Firefox), and noticed a white flash on my screen. Suddenly a Mega-Zipper (my software to open .zip files) window popped up. I clicked on the “close” button, and hit Process Explorer to find out what was happening. A “packed image” named installer_no_upload_silent.exe was running. I used Process Explorer to shut it down.
Next, a “cmd” line showed up on Process Explorer, with a file (Installer_msi_win.msi) underneath it (no company listed, but “collecting information for Microsoft” as the description).
This happened three times that day, in the same sequence. Each time Firefox was running. I updated Malwarebytes & Avast!, rebooted into safe mode, and ran a full Malwarebytes scan. The scan showed nothing infected.
A Google search has shown one occurrence of “installer_no_upload_silent.exe” on a Portuguese-language website similar to this one, from a couple of days prior to my attack. In that case, a Malwarebytes full scan showed three registry keys infected, all in the Microsoft Security Center, all resolved by the full scan.
I have gone online once since the 1st, to ensure updates to Malwarebytes & Avast!, and have run another full scan (in normal mode), and again nothing was found. CCleaner registry scan shows “obsolete software key” for Mega-Zipper.
During my one online trip after the 1st, Mega-Zipper came on again without popping a window – I found it only because I was monitoring Process Explorer, and used PE to kill it.
I will download a (hopefully) clean version of Malwarebytes, as mine has clearly been compromised, will reboot in safe mode, and run another full scan. I will not be online from this computer often, and will likely monitor any responses from a public computer. Please do not take silence on my part as resolution of the problem – I’ll report success, if achieved.
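As an added example (not part of the original post, and not code from Process Explorer, Malwarebytes or any other tool named above), the script below does on the command line roughly what the poster did by eye in Process Explorer: it lists every running process with its parent, command line and Authenticode status, and flags the rows worth a closer look. It needs PowerShell 2.0, which is available for XP SP3. The watch-list entries are the names that appear in the post; the user-profile path rule, the "child of firefox.exe" rule and the signature rule are assumptions about what is unusual on a home XP box, and the output is a list of things to inspect, not a verdict on whether any file is malicious.

```powershell
# Added example, not from the original post. Requires PowerShell 2.0 on XP SP3.
# Names seen in the post; wildcards allowed. msiexec.exe is added because the
# .msi the poster saw would be executed by it and show up in its command line.
$watch = @('installer_no_upload_silent.exe', 'installer_msi_win.msi', 'mega*zip*', 'msiexec.exe')

$procs = @(Get-WmiObject -Class Win32_Process)
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-SignatureStatus([string]$path) {
    # Returns the Authenticode status, or 'n/a' when WMI gave no usable path
    # (it leaves ExecutablePath empty for some system processes).
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'n/a' }
    return (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
}

$rows = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $path   = $p.ExecutablePath
    $cmd    = $p.CommandLine
    $sig    = Get-SignatureStatus $path
    $why    = @()

    foreach ($w in $watch) {
        if ($p.Name -like $w -or ($cmd -and $cmd -like "*$w*")) {
            $why += "matches watch entry '$w'"
            break
        }
    }
    # Assumption: on XP a process image under the user profile (Temp, Local
    # Settings, Application Data) is unusual for a legitimate installer.
    if ($path -and $path -match '\\Documents and Settings\\.*\\(Local Settings|Application Data|Temp)\\') {
        $why += 'image lives under the user profile'
    }
    # Assumption: only check signatures outside the Windows directory, because
    # catalog-signed OS binaries report NotSigned and would drown the list.
    if ($path -and $path -notlike "$env:SystemRoot\*" -and $sig -ne 'Valid' -and $sig -ne 'n/a') {
        $why += "Authenticode status $sig"
    }
    # Assumption: a browser should not be spawning installers; Firefox's own
    # plugin-container.exe is the one expected child and is excluded.
    if ($parent -and $parent.Name -eq 'firefox.exe' -and $p.Name -ne 'plugin-container.exe') {
        $why += 'child of firefox.exe'
    }

    $parentText = "<gone> ($($p.ParentProcessId))"
    if ($parent) { $parentText = "$($parent.Name) ($($parent.ProcessId))" }

    New-Object PSObject -Property @{
        Pid         = $p.ProcessId
        Name        = $p.Name
        Parent      = $parentText
        Signature   = $sig
        Path        = $path
        CommandLine = $cmd
        Why         = ($why -join '; ')
    }
}

# Only the flagged rows; drop the Where-Object to see the whole process tree.
$rows | Where-Object { $_.Why } |
    Select-Object Pid, Name, Parent, Signature, Path, CommandLine, Why |
    Format-Table -AutoSize -Wrap
```

Run it from a PowerShell prompt on the affected machine while the symptom is occurring, since the processes the poster describes were short-lived; a .msi being run would appear as a row whose CommandLine contains the .msi path, with its Parent column showing what launched it. A flagged row is a pointer to a file to inspect (path, signer, timestamp, hash), not proof of infection.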