Malware Hunting

Posted on 2009/06/10


Today my mother asked me to check her laptop: she said it disconnected often. She has an old Windows XP Home SP3 laptop. I run Avira’s Luke FileWalker to check for viruses and it doesn’t find any. Meanwhile I open Task Manager and sort the processes by CPU usage. A process called something like wmqoi catches my attention. A quick Google search does not provide results. As I close the IE window, another window pops up displaying a classic 404 page not found, but the top left icon is not IE’s. WTF? Time for a little experiment: I keep the window open and terminate the wmqoi process. The window closes. Hmmm…

I search through the computer and find wmqoi.exe, along with some wmqoi.* files, in the “C:\Documents and Settings\USERNAME\Local Settings\Application Data\” folder, and the corresponding entry in the “C:\Windows\Prefetch” folder. I “quarantine” all the files by moving them into a password-protected zipped folder.

I reboot, verify that everything works and hand the laptop to mommy, asking her to report strange behavior immediately. After a few minutes she shouts “Wow, it’s fast! What did you do? The sites open instantly!”. Well, I hope I fixed it. I still don’t know how the laptop got infected, but my mother could have clicked anything from “fabulous icons for your mail” to “you won a prize, click here to claim it!”. I hope the new IE8 “malicious sites filter” helps. Meanwhile, since I didn’t find any relevant information to help me, I wrote this post, waiting for it to be indexed by the search engines.
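The triage in the post boils down to three steps: spot a process whose executable lives somewhere a system binary should never run from (a user profile's Local Settings\Application Data), collect the sibling files that share its name, and move them into an archive with a record of what was taken. The script below is an added example, not the author's code; it assumes a process snapshot already collected as (name, pid, image path) tuples (from Task Manager or tasklist), and the sample processes, the user name "alice" and the file contents are constructed for the demo. The password-protected zip the post uses is not something the Python standard library can write, so the archive here is unencrypted but carries a SHA-256 manifest of everything moved.

```python
"""Triage helpers for the 'unknown process burning CPU' case. Added example,
not from the original post. Assumes a process snapshot as (name, pid, image_path)
tuples; all sample data below is constructed."""
import hashlib
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath

# Constructed snapshot. wmqoi.exe is the process from the post; the PIDs,
# the user name 'alice' and the other entries are made up.
SAMPLE_PROCESSES = [
    ("explorer.exe", 1200, r"C:\WINDOWS\explorer.exe"),
    ("iexplore.exe", 2500, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("wmqoi.exe", 2316, r"C:\Documents and Settings\alice\Local Settings\Application Data\wmqoi.exe"),
    ("svchost.exe", 900, r"C:\WINDOWS\system32\svchost.exe"),
]

# Consecutive path components (lower-cased) that mark user-writable profile
# folders; XP-era system binaries do not run from these.
USER_WRITABLE_MARKERS = [
    ("local settings", "application data"),
    ("local settings", "temp"),
]


def is_user_writable_path(image_path: str) -> bool:
    """True if the executable's path contains one of the profile-folder markers."""
    parts = [p.lower() for p in PureWindowsPath(image_path).parts]
    for marker in USER_WRITABLE_MARKERS:
        n = len(marker)
        if any(tuple(parts[i:i + n]) == marker for i in range(len(parts) - n + 1)):
            return True
    return False


def flag_suspicious(processes):
    """Names of processes whose executable lives in a user-writable profile folder."""
    return [name for name, _pid, path in processes if is_user_writable_path(path)]


def related_files(directory: Path, stem: str):
    """Files sharing the suspicious executable's stem (wmqoi.* in the post)."""
    return sorted(p for p in directory.iterdir()
                  if p.is_file() and p.stem.lower() == stem.lower())


def quarantine(files, archive: Path):
    """Copy files into a zip with a SHA-256 manifest, then delete the originals.
    Terminate the process first: Windows will not let a running image be moved.
    The stdlib cannot write password-protected zips, so the post's password step
    needs an external archiver; the manifest still lets you prove what was taken."""
    manifest = []
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in files:
            digest = hashlib.sha256(f.read_bytes()).hexdigest()
            manifest.append(f"{digest}  {f.name}")
            zf.write(f, arcname=f.name)
        zf.writestr("MANIFEST.sha256", "\n".join(manifest) + "\n")
    for f in files:
        f.unlink()
    return [line.split("  ")[1] for line in manifest]


def demo():
    """Run the triage against a constructed Application Data folder in a temp dir.
    Returns (flagged process names, archived file names, files left behind)."""
    flagged = flag_suspicious(SAMPLE_PROCESSES)
    with tempfile.TemporaryDirectory() as tmp:
        appdata = Path(tmp) / "Local Settings" / "Application Data"
        appdata.mkdir(parents=True)
        for name in ("wmqoi.exe", "wmqoi.dat", "wmqoi.log", "unrelated.txt"):
            (appdata / name).write_bytes(b"constructed sample content for " + name.encode())
        archived = quarantine(related_files(appdata, "wmqoi"), Path(tmp) / "quarantine.zip")
        remaining = sorted(p.name for p in appdata.iterdir())
    return flagged, archived, remaining


if __name__ == "__main__":
    print(demo())
```

The path check is deliberately about where the binary runs from rather than its name: a dropper picks a random name like wmqoi precisely so that a name search turns up nothing, but it still has to live somewhere the user can write to. Hashing before deletion gives you something to submit to a scanner vendor or look up later, which a bare move into a zip does not.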


Posted in: Software