The following happened last weekend. Can anyone identify the malware from the description below and say what else it does?
The key points are that the malware:
- Attempts to run itself on start-up even when set not to
- Disables Zone Alarm (Client at least), sets itself to be allowed access to the internet and, after Zone Alarm is set to deny it access to the internet, deletes Zone Alarm exe files from the hard drive!
- Attempts to stop HijackThis from running
- LAN communications have been affected
Sequence of events:
I noticed the ZoneAlarm icon wasn't showing in the task bar as it usually does.
The Windows Close Program dialogue box showed that smss and csrss were running and Zone Alarm client, which normally runs on start-up, wasn't.
[Because the only OS I have ever run is Win98SE (and not XP or 2000) this indicates to me that a virus or Trojan was likely to be present (because Win98SE doesn't have smss or csrss, and a number of Trojans use these filenames, which are the same as genuine ones used by XP and 2000, and which XP and 2000 will not close.)]
I ran Zone Alarm and noticed that smss/csrss (by which I mean smss or csrss - I can't remember which) was set to allow access to the internet without confirmation being required.
I ran msconfig and saw that smss/csrss was listed and set to run at start-up. I used msconfig to set it to not start.
I set Zone Alarm to always deny smss/csrss access to the internet.
The next time I restarted the PC, Zone Alarm failed to run and I discovered zonealarm.exe and zlclient.exe files (and only these two from the ZoneAlarm folder) had been deleted!
Msconfig showed that smss/csrss had reinstated itself to run on startup.
I attempted to start HijackThis but it closed down within about 3 seconds on each of the 4 attempts I made.
I saved the current registry using regedit and restored in turn previous registries back as far as 9 months ago, but in each case smss/csrss ran on start-up, so I restored the current registry.
Using Windows Close Program I ended smss/csrss. [I was probably able to do this only because Win98SE doesn't use it, while 2000 and XP would think it was their own file and not allow it to be closed.] I was then able to open HijackThis normally.
I compared the HijackThis report with reports I'd saved from previous scans which I'd routinely taken when things seemed to be operating OK. I deleted a number of keys.
ZoneAlarm now runs on start-up and smss/csrss doesn't, so I seem to have achieved something.
However, communications with my other PC (via a router) have stopped. For this I use the NetBEUI protocol. Both PCs can access the internet (via the router) so TCP/IP (dynamic addressing) works OK. When I connect the 2 PCs directly (not via the router) they still don't recognise each other's existence.
I'm still trying to sort this problem and I'm wondering if the malware was trying to force LANs to operate with TCP/IP when the option was available.
I've moved csrss.exe, smss.exe and csrss.ini along with the folder they were in to a different location. The folder had a seemingly random 8-letter name and came directly under windows\system.
Is there any more I should be doing to deal with the aftermath of this infection?
Operating System: Windows 98-SE (Second Edition)
Product Name: ZoneAlarm (Free)