
HPmal/Crusher-Y virus/spyware

Hi everyone,

    I have a problem today. The email:

File "C:\Windows\System32\cmd.exe" belongs to virus/spyware 'HPmal/Crusher-Y': Process killed.

is sent every time users log in to the computer.

I need to research and find out causes and solutions for this problem.

I tried to find previous emails from these users containing something like a virus or spyware from flash drives, infected websites, ... but I didn't see anything, just emails like that.

I searched Google, but the information I found is very general and I am not sure about it:

  • Downloads from questionable websites
  • Infected email attachments
  • External media, such as pen drive, DVD, and memory card already infected with HPmal/Kovter-A
  • Fake updates that trick you installing them
  • Programs posing as fake virus removal tools
  • Infected documents circulating on peer-to-peer (P2P) file sharing networks, torrent sites, and IRC channels

So, if anyone has met this problem before, please tell me the main causes you found.

Many thanks,

Khang



  • Hello Khang,

    the detection is likely caused by the shell (cmd.exe) running an as yet unknown malicious script. There might be something preceding it, but that is not what cmd.exe runs, as it would have already been blocked.
    As you say it happens when users log in, you should check what is run when they do - Sysinternals' Autoruns should help to identify the offending file(s). Please submit a sample if you have found one.

    Christian

  • Hi Christian

    we tried to identify the virus with the Sysinternals suite, but we can't determine the guilty process 100%.

    We have some machines that randomly give us this warning:

    "C:\Windows\System32\reg.exe" belongs to virus/spyware 'HPmal/Crusher-K': Process killed.

    "C:\Windows\System32\cmd.exe" belongs to virus/spyware 'HPmal/Crusher-W': Process killed.

    Sophos blocks and deletes the process, but the situation randomly repeats.

    Thanks for helping us

    Kind regards

    FM

  • Hello FM,

    some other process is calling reg.exe - probably not as a result of some start-up item - either directly or via cmd.exe. You could use Process Monitor and filter for Operation is Process Create and Process Start to see what is calling reg.exe with what parameters.

    Christian

  • Hi Christian

    we discovered that we had a scheduled task running an infected .js file.

    Thanks for your help

    Regards

    FM
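The thread resolves to a scheduled task launching a .js file through a script host, after Christian's advice to check login-time autostarts and to watch what calls reg.exe and cmd.exe. The following is an added example, not code from the thread, from Sophos or from Sysinternals: a PowerShell script that enumerates scheduled-task actions and Run-key values whose command line invokes cmd.exe, reg.exe, a script host, or a script file, and lists any currently running cmd.exe/reg.exe/wscript.exe/cscript.exe with its parent process. The executable and extension patterns, the registry paths checked and the function names are this example's own assumptions about what deserves a second look; they are not Sophos' HPmal/Crusher detection logic.

```powershell
# Added example (not part of the original thread). Run from an elevated PowerShell
# on an affected machine; Get-ScheduledTask needs Windows 8 / Server 2012 or later.
# The patterns below are assumptions about what is suspicious, not a vendor signature.
$hostPattern   = 'cmd\.exe|reg\.exe|wscript\.exe|cscript\.exe|mshta\.exe|powershell\.exe'
$scriptPattern = '\.(js|jse|vbs|vbe|wsf|hta|bat|cmd|ps1)(\s|"|$)'

function Test-Suspicious([string]$CommandLine) {
    return ($CommandLine -match $hostPattern) -or ($CommandLine -match $scriptPattern)
}

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $cmdline = ("$($action.Execute) $($action.Arguments)").Trim()
            if (Test-Suspicious $cmdline) {
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmdline
                    Author  = $task.Author
                    State   = $task.State
                }
            }
        }
    }
}

function Get-SuspiciousRunKeys {
    # Assumed set of autostart keys; Autoruns covers many more locations than this.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # skip the provider's own metadata
            $value = [string]$p.Value
            if (Test-Suspicious $value) {
                [pscustomobject]@{
                    Source  = 'RunKey'
                    Name    = "$key\$($p.Name)"
                    Command = $value
                    Author  = ''
                    State   = ''
                }
            }
        }
    }
}

function Get-ScriptHostProcesses {
    # Live snapshot of cmd/reg/script-host processes and their parents. A process that
    # is killed on start will not be here; Process Monitor filtered on
    # "Operation is Process Create" is the way to catch those, as the thread suggests.
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($p.Name -match '^(cmd|reg|wscript|cscript)\.exe$') {
            $parent = $byPid[[int]$p.ParentProcessId]
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Name        = $p.Name
                Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                              else { "<exited> ($($p.ParentProcessId))" }
                CommandLine = $p.CommandLine
            }
        }
    }
}

$findings = @(Get-SuspiciousScheduledTasks) + @(Get-SuspiciousRunKeys)
$findings | Format-Table -AutoSize
Get-ScriptHostProcesses | Format-Table -AutoSize
```

Read the Command column of the output: an entry like wscript.exe followed by a path to a .js file under a user profile or a temp directory is the kind of scheduled task the last reply found. Treat a hit as a lead, not a verdict, and keep the file for submission to Sophos as Christian asked; a signed vendor task that happens to call cmd.exe will also match these patterns.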
