
My home server (aging HP ProLiant MicroServer, Windows 7 x64) has acquired some malware from Hell. It turned up in one of those dodgy installers that wraps a legitimate installer in another package and installs all sorts of nefarious software on your system.

It has proved intractable. Three processes are now running constantly on my machine, using CPU and doing goodness knows what.

And they're unkillable. I can't kill the processes, all I get is an "Access is denied".

The processes are called:

  • svnlgau.exe
  • iaawlnv.exe
  • igfxmtc.exe

I've traced the three executables to these folders:

C:\Users\<user>\AppData\Local\iaawlnv
C:\Users\<user>\AppData\Local\igfxmtc
C:\Users\<user>\AppData\Local\rtnpeku

All of which are owned by some unknown account and are inaccessible.

Things I've tried:

  • Changing the owner of the folders to the Administrator
  • Using "Unlocker" on the directories to take possession of them
  • Booting in safe mode as an administrator, killing the processes and deleting the directories
  • Scanning with Microsoft Security Essentials (which can't access the folder either)
  • Scanning with MalwareBytes
  • Scanning with Windows Malicious Software Removal Tool (MSRT)
  • Killing the processes with Kaspersky Task Killer

Short of rebuilding the machine, which would take days, is there anything else I can try?

Maxcelcat
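Before the backup-and-rebuild that the commenters recommend, a read-only triage pass, as an added example that is not part of the original question: it records where the three suspect processes actually run from, who owns the dropped folders, and which autostart entries reference them, so the findings can be taken to a scan from a clean machine. The process and folder names are the asker's; everything else is an assumption (Windows PowerShell 2.0 or later, run from an elevated prompt on the affected box).

```powershell
# Added triage script (not from the original post). Assumes Windows PowerShell 2.0+ in an
# elevated prompt. It only reads; it does not kill processes or delete anything.
$suspectNames = 'svnlgau', 'iaawlnv', 'igfxmtc'     # process names from the question
$dropFolders  = 'iaawlnv', 'igfxmtc', 'rtnpeku'     # folder names from the question
$localAppData = $env:LOCALAPPDATA

# 1. Image path of each suspect process. "Access denied" on the path is itself a signal.
foreach ($name in $suspectNames) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $null
        try { $path = $_.Path } catch { $path = '<access denied>' }
        if (-not $path) { $path = '<access denied>' }
        New-Object PSObject -Property @{ Name = $_.ProcessName; PID = $_.Id; Path = $path }
    }
}

# 2. Any other running process whose image lives under AppData\Local (likely siblings).
Get-Process | Where-Object { $_.Path -and $_.Path -like "$localAppData\*" } |
    Select-Object ProcessName, Id, Path

# 3. Owner and ACL of the dropped folders (the asker reports an unknown, unreadable owner).
foreach ($f in ($dropFolders | ForEach-Object { Join-Path $localAppData $_ })) {
    try {
        $acl = Get-Acl -Path $f
        "{0}`n  Owner: {1}" -f $f, $acl.Owner
        $acl.Access | ForEach-Object {
            "  {0,-6} {1} -> {2}" -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
        }
    } catch {
        "{0}`n  ACL unreadable: {1}" -f $f, $_.Exception.Message
    }
}

# 4. Persistence: Run keys and scheduled tasks that mention the names or AppData\Local.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    "--- $k"
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS* | Format-List
}
schtasks /query /fo LIST /v |
    Select-String -Pattern (($suspectNames -join '|'), 'AppData\\Local')
```

Redirect the whole run into a text file on removable media; the paths, owner SID and autostart entries are what a scan from a live CD (or a fresh system) needs to confirm before the 6 TB backup is trusted.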
  • 1. Copy that important user data that you surely backed up to a safe location and scan it from a safe machine (Linux live CD if no other machines possible) 2. Reinstall. – djsmiley2kStaysInside Jan 03 '18 at 12:42
  • Rebuild the machine. I'm sorry, but it's the only way to ensure that your system is clean again. It sounds like a lot of time and effort, but it's worth it. Hopefully this will serve as a valuable lesson learned after the malware mysteriously *"Turned up in one of those dodgy installers."* Taking shortcuts and trying to save a little bit of money will eventually burn you, and the malware authors already know it. – Run5k Jan 03 '18 at 12:56
  • @Run5k: Sadly you can find dodgy installers for freeware as well. Even SourceForge was at some point infamous for it. – u1686_grawity Jan 03 '18 at 13:03
  • @Run5k in this case, the installer was for ImgBurn, a reliable bit of software I've used for years on numerous machines. I was not expecting malware from such a source! – Maxcelcat Jan 03 '18 at 22:29
  • @djsmiley2k Ah live CD, didn't think of that. Will give it a try. Failing that it looks like a rebuild... After I back up 6Tb of data somewhere :-/ – Maxcelcat Jan 03 '18 at 22:33
  • @Maxcelcat, that depends upon the source. The only place I have found that has a reliable installer (without OpenCandy adware) for ImgBurn is [Major Geeks](http://www.majorgeeks.com/files/details/imgburn.html). On top of that, when I first download a new software installer I perform a test install within a virtual machine. When it succeeds, I keep that *clean* installer on the software share of the file server on my home network for future use. Obviously that is a bit of extra work, but it is much faster than rebuilding a server. – Run5k Jan 03 '18 at 22:43
  • @Run5k I realised in the past that I'd always avoided the mirror sites, and only used the direct download link. I'm very wary of new software too, but ImgBurn I've used for years. I usually back away when I see an installer that says "Would you like these other offers?" or "Please wait while we download the actual installer", but I was in a hurry this particular day. Also it turns out this idiot had the raw installer sitting on another machine at the time *slaps head* – Maxcelcat Jan 03 '18 at 22:58
  • @Maxcelcat, I typically try to download from the original source, also. However, the OpenCandy adware controversy surrounding ImgBurn led me to utilize Major Geeks, instead. Once again, sorry to hear about your malware problem, and best of luck with the rebuild. – Run5k Jan 03 '18 at 23:22

0 Answers