
Strange new malware CRWAVE.exe 1


griffindm | IS-IT--Management | Dec 5, 2000 | 1,204 | US
Looking for some advice on this one. Running IE6 with latest patches on Win2K Pro (also current). IE is periodically pushed to a junkware site (WinFirewall, etc.). When closed, IE crashes with an unrecoverable error.

Have run CWShredder, Ad-Aware, Spybot, and HJT several times. I have a process running, CRWAVE.exe, that refuses to die. It also tries to contact the Internet (stopped by ZA). It was originally loaded from c:\Winnt\fonts. I killed it there, but it continues to reload on reboot. No other instances of that file found.

The Hijackthis log is down to just:

O4 - HKLM\..\RunOnce: [*crwave] C:\WINNT\Fonts\crwave.exe rerun
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

Anyone have some advice? I think this one is a morpher.

Thanks,

griffindm

The Decision Support Group
Reporting Consulting with Cognos BI Tools
"Magic with Data"
Want good answers? Read FAQ401-2487 first!
 
Actually, I was able to track this down myself. No mention of it on the net, though. A similarly named exe was used by Crystal for their sound cards back in the mid-1990s.

What I had forgotten to do was to ensure that Windows Messenger Service was shut down. It was using that to re-establish the registry setting and restart the malware service every time HijackThis was fixing the registry and/or I was killing the process.

It was also using a reverse spelling (evawrc.dat) to help it hide, though I was never able to find the file where HJT said it was pointing from the registry, which was in my Local Settings/Temp folder.

Still, if anyone wants to help me with a postmortem on this, feel free.

Thanks,

griffindm

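Added example, not code from the thread or from HijackThis: a small triage script that parses O4 (autostart) lines in the HijackThis format quoted above and attaches the reasons a responder would want before deciding what to remove. It flags executables launched from directories that are not normal autostart locations (the Fonts and Temp folders mentioned in the posts), RunOnce value names carrying the `*` prefix (Windows runs those even when booting into Safe Mode, and the `!` prefix keeps the value until the program exits instead of deleting it first), and reverse-spelled companion files such as crwave.exe / evawrc.dat. The third O4 line and the directory listing are constructed sample data; the list of suspicious directories is my own heuristic, not an HJT rule.

```python
"""Triage HijackThis O4 (autostart) lines.

Flags entries launched from throwaway directories, RunOnce values that
survive a Safe Mode boot, and reverse-spelled companion files.
"""
import re
from dataclasses import dataclass, field

# Heuristic (my own, not an HJT rule): directories a legitimate autostart
# almost never runs from.
SUSPICIOUS_DIRS = ("\\fonts\\", "\\temp\\", "\\local settings\\",
                   "\\temporary internet files\\", "\\recycler\\")

# "O4 - HKLM\..\RunOnce: [name] C:\path\prog.exe args"
REG_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
# "O4 - Global Startup: Something.lnk = C:\path\prog.exe"
STARTUP_LINE = re.compile(r"^O4 - (.*Startup): (.+?) = (.+)$")


@dataclass
class AutostartEntry:
    source: str                 # e.g. "HKLM\..\RunOnce" or "Global Startup"
    name: str                   # value name or .lnk name, prefix included
    path: str                   # executable path
    args: str                   # remaining command line
    reasons: list = field(default_factory=list)

    @property
    def stem(self):
        """File name without directory or extension, lower-cased."""
        return self.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def split_command(cmd):
    """Separate an executable path (possibly containing spaces) from its
    arguments. Quoted paths are honoured; otherwise split after the first
    executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(.*))?$", cmd, re.I)
    if m:
        return m.group(1), (m.group(2) or "")
    return cmd, ""


def parse_o4(line):
    """Return an AutostartEntry for a registry or startup-folder O4 line,
    or None if the line is not an O4 entry."""
    m = REG_LINE.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        path, args = split_command(cmd)
        return AutostartEntry(f"{hive}\\..\\{key}", name, path, args)
    m = STARTUP_LINE.match(line)
    if m:
        where, lnk, cmd = m.groups()
        path, args = split_command(cmd)
        return AutostartEntry(where, lnk, path, args)
    return None


def triage(entry, on_disk=()):
    """Attach human-readable reasons to an entry. on_disk is a list of file
    names seen alongside the executable, used for the reversed-name check."""
    low = entry.path.lower()
    for d in SUSPICIOUS_DIRS:
        if d in low:
            folder = d.strip("\\")
            entry.reasons.append(f"launches from a {folder} directory")
    if "RunOnce" in entry.source:
        if entry.name.startswith("*"):
            entry.reasons.append("RunOnce name prefixed '*': runs even in Safe Mode")
        if entry.name.startswith("!"):
            entry.reasons.append("RunOnce name prefixed '!': value kept until the program exits")
    twin = entry.stem[::-1]
    if twin != entry.stem:
        matches = [f for f in on_disk if f.lower().rsplit(".", 1)[0] == twin]
        if matches:
            entry.reasons.append("reverse-spelled companion file(s): " + ", ".join(matches))
    return entry


def triage_log(log_text, on_disk=()):
    """Parse every O4 line in an HJT log and triage it."""
    entries = []
    for line in log_text.splitlines():
        e = parse_o4(line.strip())
        if e is not None:
            entries.append(triage(e, on_disk))
    return entries


# The two O4 lines quoted in the post plus one constructed benign HKCU entry.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\RunOnce: [*crwave] C:\WINNT\Fonts\crwave.exe rerun",
    r"O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe",
])
# Constructed directory listing (not taken from the post).
SAMPLE_FILES = ["crwave.exe", "evawrc.dat", "arial.ttf", "OSA9.EXE"]

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG, SAMPLE_FILES):
        verdict = "SUSPECT" if e.reasons else "ok     "
        print(f"{verdict} {e.source}: [{e.name}] {e.path} {e.args}".rstrip())
        for r in e.reasons:
            print(f"         - {r}")
```

The `*` check is the one to look at before trying the Safe Mode route: a RunOnce value named `*crwave` is executed by Windows during a Safe Mode boot as well, so removing the value and the file has to happen while whatever re-creates them is stopped, which is what the posts above describe doing.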
 
You might try doing safe-mode startup to make it possible for Spybot/HJT to knock it out. Sometimes that is the only way to kill the process. You might have to dig it out of the registry manually too.
 
Just wanted to mention: I was able to kill the process and have HJT eliminate the registry entries via stopping the Messenger process.

Thanks.


 