
DMW Process


1 reply to this topic

#1 Chungalin


  • Members
  • 1 posts

Posted 02 April 2014 - 01:05 PM

Split from http://www.bleepingcomputer.com/forums/t/517325/dmwexe-fake-firefox-lenovodatajs-new-malware/ - Hamluis.

 

Yesterday I found the same DMW process with a Firefox icon, running under WSCRIPT. In HKCU\Software\Microsoft\Windows\CurrentVersion\Run I found a reference to Data.js (JavaScript) inside Program Files\Common Files\Spigit\. This folder seems to be a compact Firefox installation. Data.js is an obfuscated JavaScript file that does something in the Registry and has a list of browser user-agent strings.

 

I also found this folder: %USERPROFILE%\Local Settings\Application Data\AMozilla\AFirefox, containing a profile.

 

I traced back how this bleep came in, and I found that on 27 March I went to www.free-codecs.com to get the latest FFDSHOW for a new computer setup. For a reason I'm still wondering about, I ended up downloading from there a file ffdshow_rev4525_20131117_clsid.exe with a size of about 16MB (!). I noticed that my previous versions from 2012 were about 4.5MB; "more bloating", I thought... Now when I go back to that website I'm unable to download the same file again! Why did I get a 2013 version instead of the latest 2014-02-09 one? Anyway, that extra size contained the trojan.

 

On the other hand, removal seems easy: kill the dmw process (wscript too), remove the autorun entry with Autoruns, and delete the folders described above. Remove these Registry keys too:

 

HKEY_CURRENT_USER\Software\DownloadHelper

HKEY_CURRENT_USER\Software\Microsoft\Notepad (only delete these two values: sdate, sysid)


Edited by hamluis, 03 April 2014 - 08:01 AM.
PM sent new OP - Hamluis.
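The manual removal steps in the post above (kill wscript, drop the Run entry, delete the two folders, clean the DownloadHelper key and the two Notepad values) can be turned into a repeatable audit-and-clean script. The following is an added example, not code from the original poster or from BleepingComputer. Only the paths, key names and value names quoted in the post are taken as given; the wscript command-line pattern used to spot the Run entry, and the mapping of "Local Settings\Application Data" onto $env:LOCALAPPDATA, are assumptions. Without -Remove it only reports; with -Remove -WhatIf it shows what it would do without touching anything.

```powershell
# Added example (not from the original post): report and optionally remove the
# DMW / Data.js indicators described in the thread. Run from an elevated prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Kill wscript.exe first so the folders below are not locked when deleted.
#    The post says the "dmw" process is really wscript running Data.js.
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" | ForEach-Object {
    $findings.Add("wscript.exe PID $($_.ProcessId): $($_.CommandLine)")
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($_.ProcessId)", 'Stop wscript.exe')) {
        Stop-Process -Id $_.ProcessId -Force
    }
}

# 2. HKCU Run values that launch a .js via wscript or point at the Spigit folder.
#    The match pattern is an assumption based on the post's description.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $v = [string]$key.GetValue($name)
        if ($v -match '(?i)wscript|\.js\b|Spigit|Data\.js') {
            $findings.Add("Run entry '$name' = $v")
            if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$name", 'Remove autorun value')) {
                Remove-ItemProperty -Path $runKey -Name $name
            }
        }
    }
}

# 3. Dropped folders. "Local Settings\Application Data" is the pre-Vista name for
#    what $env:LOCALAPPDATA points at today (assumed mapping); both Common Files
#    roots are checked because the post does not say which one was used.
$roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) | Where-Object { $_ }
$candidates = @(foreach ($r in $roots) { Join-Path $r 'Spigit' }) +
              @(Join-Path $env:LOCALAPPDATA 'AMozilla\AFirefox')
foreach ($f in ($candidates | Where-Object { Test-Path -LiteralPath $_ })) {
    $findings.Add("Folder present: $f")
    if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Delete folder')) {
        Remove-Item -LiteralPath $f -Recurse -Force
    }
}

# 4. Registry residue named in the post: the whole DownloadHelper key, but only
#    the sdate and sysid values under the (legitimate) Notepad key.
$dh = 'HKCU:\Software\DownloadHelper'
if (Test-Path -Path $dh) {
    $findings.Add("Key present: $dh")
    if ($Remove -and $PSCmdlet.ShouldProcess($dh, 'Delete key')) {
        Remove-Item -Path $dh -Recurse -Force
    }
}
$np = 'HKCU:\Software\Microsoft\Notepad'
foreach ($name in 'sdate', 'sysid') {
    $prop = Get-ItemProperty -Path $np -Name $name -ErrorAction SilentlyContinue
    if ($prop) {
        $findings.Add("Value present: $np\$name = $($prop.$name)")
        if ($Remove -and $PSCmdlet.ShouldProcess("$np\$name", 'Delete value')) {
            Remove-ItemProperty -Path $np -Name $name
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Usage: `.\dmw-audit.ps1` to list what is present, `.\dmw-audit.ps1 -Remove -WhatIf` to preview the cleanup, then `.\dmw-audit.ps1 -Remove` to apply it. The script deliberately deletes only the two named values under HKCU\Software\Microsoft\Notepad rather than the key, since that key belongs to Notepad and holds its own settings.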


#2 Kirbyofdeath


  • Members
  • 459 posts

Posted 02 April 2014 - 10:35 PM

Please, if you have a related problem, just post a new topic.

 

Created topic for new OP - Hamluis.


Edited by hamluis, 03 April 2014 - 08:06 AM.
