[BUG] Malware SystemConfigInfo000 and node.exe

[Audrey]

I've been battling this malware all day. It is a typical popup that has "Windows has been blocked" and "Call this number" but it has a delayed cmd prompt that runs from the program data folder mentioned above. Then it pops up in the browser. (node.js serverside java script, c:/programdata/systemconfiginfo000/node.exe)

If I delete the folder it reinstalls. I cannot find it in autoruns, processexplorer, etc. All the malware scanners (malwarebytes, hitmanpro, microsoftscanner, etc.) breeze right by it without a flag, however - when they scan by it - it activates and pops up again.

Anyone else dealt with this one? I have found a few obscure, unhelpful posts on the web...

 

[GreyWolf]

msconfig uncheck all startups and services not related to microsoft also check for recent software some adobe bootlegs will do that if your able to (without a internet connection) create a new user account and give it admin rights check to see if it's still there as a issue.

HP site mentions this issue but on Windows 7 edition.

 

[Markverhyden]

Does this happen in safe mode? Did you boot from something else and delete the contents of the prefetch and Temp folder?

 

[Audrey]

Thanks guys! Followed through on both of your suggestions. Finally found several js script files and deleted them, then was able to delete the folder. First time I've had a pop up scam this difficult to remove. Including an image of all the files and folders just in case anyone else needs the info.

 

[GreyWolf]

I should of mentioned that a boot CD that can give you access to the ntfs would of probably help you way better in resolving this issue.

Also searching by date pattern afterwards will give you a more global view of what was tampered with.

 

[Audrey]

You’re right. A close look at dates and a deeper look at the properties in process explorer got me on the right path. I’m not sure I could see the js files earlier in the day. I did a lot of different things and finally just found them. This computer belongs to the Sheriff’s office so I had to be careful and not interfere with their programs and workflow. I’m going to watch it until Monday and make sure I found everything.

Whew!!

 

[Markverhyden]

Those exploits are almost always browser based so I always go through their browsing history and clear out anything that looks suspicious.

 

[GreyWolf]

@Markverhyden Not to forget lovely extensions and add-on's...

 

[Audrey]

This one was definitely NOT browser based. That’s why it was such a difficult one to find. Usually only takes a few minutes to get rid of those. I’m expecting more calls on this one. It isn’t anything I could’ve talked them through on the phone.