New fake security virus exposes loopholes in Adobe flash and more

Well, talk about a topic I was hoping I wouldn’t have to blog about twice in one week… good grief. Last night, while working on a client website, I was infected, yet again, with another one of these fake security viruses. This one, again, blew through the anti-virus and anti-spyware like it wasn’t even there.

After chatting with the security department at HostGator, there are a couple of loopholes these viruses are sneaking through that I want people to be aware of.

First, make sure that your version of Adobe Flash Player is updated and current. There is a loophole in older versions of the software that is allowing these bugs to infiltrate systems, which can also impact web hosts.

Second, after speaking with a computer tech this morning, I learned that Windows XP is especially vulnerable to these attacks right now.

Third, if you are behind on your Windows security updates, get up to date a.s.a.p. If you aren’t up to date, these bugs can get into your system with relative ease, even if you think you are protected.

Files to watch for on your system include siszyd32.exe and wwwpos32.exe; there are others. If you find a file on your system that looks suspicious, Google the name to find out for sure.

There is also talk of these files coming through Facebook. Messages from anyone asking you to click a link about pictures they have supposedly found of you online are probably dangerous; do not click them. Err on the side of caution whatever you do online right now.

Any e-mails from people you don’t know asking you to click blind links are also dangerous. DELETE THEM! Better safe than sorry. These e-mails can even appear to have come from family. Many are based around a request to view pictures, participate in offers or respond to a bank issue. Even if they look legit, there’s a good chance they are not. If you receive something that looks like it’s from your bank, PayPal or any other service you use online, call the institution in question before you click anything in those messages.

The wwwpos32.exe file did so much damage to my main machine this morning that it wouldn’t even reboot in safe mode. Thus, it’s in the shop being recovered.

Malwarebytes (see the previous blog post on virus threats) seems to be the best tool for removing these files. As for anti-virus, I’m not sure what to recommend right now because this bug is easily bypassing BitDefender, McAfee and Norton. The tech and the computer shop recommended Avast this morning as the top AV software right now. You can download it free from www.avast.com.

As I learn more about these bugs and how to fix them, I’ll keep you posted. Tread lightly wherever you go right now; these viruses seem to be everywhere, and many people don’t even realize their computers and web hosts are infected.

Have a great weekend!

Rex


6 Responses to “New fake security virus exposes loopholes in Adobe flash and more”

  1. Mary Bosveld says:

    Wow Rex, thanks for all that info.

    It starts to feel a bit unsafe to be online.
    That’s rough that you have been hit with another virus again.
    I hope you get your system up and running again quickly.

    I appreciate your warnings & please keep us posted.
    Mary the Supergranny

  2. Bliss says:

    Same thing happened to me! Fan/CPU ran red hot, and svchost.exe was using 99% of CPU. Found wwwpos32, but cannot delete it, or remove it from Startup, although Killbox is scheduled to delete it on reboot.

  3. Hi! I’m having a lot of problems with wwwpos32…

    1. I can’t remove it from my XP system. I used Malwarebytes to remove it, but today I found wwwpos32 in my autorun again.

    2. I’m using Avast… but I can’t get any alert of malicious agents… Useless…

    3. I think wwwpos32 is a rootkit that exploits FTP clients to get access to servers. Some of my published websites are infected with an injection of JavaScript at the bottom of index.* and all *.js files…

    4. The code injection opens an iframe and shows a blank page with “bankofamerica-com.hsbc.co”… the URL changes from page to page…

    5. If I remove the code injection… I can get the webpage running correctly again… but just for some hours…

    6. In pages using Flash with swfobject… even if I remove the malicious code… I can’t get the page working again… I need to remove the swfobject and launch the Flash applet using different techniques…

    I’m trying to find a solution. If anyone has some tip/trick to delete this virus, please contact me…

    Thank you
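The injection pattern described in the third comment (an iframe to a host the site does not own, appended at the bottom of index.* and *.js files) can be checked for across a whole web root. The following is an added example, not code from the post or any commenter; the site layout, the allow-list of trusted hosts and the sample file contents are constructed, and the hostile host name is the one quoted in the comment.

```python
import re
import tempfile
from pathlib import Path

# Host of any <iframe src=...>, whether the tag is in HTML or inside a
# JavaScript string written with document.write (quotes and scheme optional).
IFRAME_HOST = re.compile(r"<iframe\b[^>]*?src=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)

def injected_hosts(text, trusted):
    """Return iframe target hosts found in text that are not on the allow-list."""
    return {m.group(1).lower() for m in IFRAME_HOST.finditer(text)} - trusted

def scan_site(root, trusted, tail_chars=2048):
    """Check the end of every index.* and *.js file under root for iframes that
    point at hosts the site does not own. Returns (relative path, hosts) pairs."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if not (path.name.lower().startswith("index.") or path.suffix.lower() == ".js"):
            continue
        tail = path.read_text(errors="replace")[-tail_chars:]  # injection is appended at the bottom
        hosts = injected_hosts(tail, trusted)
        if hosts:
            findings.append((path.relative_to(root).as_posix(), sorted(hosts)))
    return findings

# Constructed sample site (assumed layout and allow-list): one clean page with a
# legitimate embed, plus a page and a script carrying the appended hidden iframe
# to the host name quoted in the comment.
TRUSTED = {"www.example-site.test"}
SAMPLE_FILES = {
    "about/index.html": "<html><body><iframe src='http://www.example-site.test/embed'></iframe></body></html>\n",
    "index.html": "<html><body><h1>Home</h1></body></html>\n"
                  "<iframe src=\"http://bankofamerica-com.hsbc.co/\" width=1 height=1 style=\"visibility:hidden\"></iframe>\n",
    "js/site.js": "function init() { return 1; }\n"
                  "document.write(\"<iframe src='http://bankofamerica-com.hsbc.co/' width=1 height=1></iframe>\");\n",
    "js/vendor/swfobject.js": "var swfobject = {};\n",
}

def demo():
    """Write the sample site to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            dest = Path(tmp) / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(body)
        return scan_site(tmp, TRUSTED)
```

Calling demo() reports index.html and js/site.js with the foreign host, while the page whose iframe points at an allow-listed host is not flagged; on a real site, point scan_site at the document root and fill TRUSTED with the hosts the site legitimately embeds.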

  4. David D. says:

    This is an advanced comment.

    The wwwpos32.exe virus is a rootkit virus. Look for lpado.sys in your windows\system32\drivers directory. You’ll need to remove that, which isn’t easy. I used a pre-installation environment (BartPE) to boot up the machine and delete the file. I also used regedit to load the pertinent registry hive and delete the offending registry entry pointing to the lpado.sys file.

    I used Sysinternals rootkitrevealer.exe to help me find this information. Google that for more information.

    You’re also going to want to run msconfig.exe and remove anything new. This bug inserts an executable directly into the startup group. It also leaves executables in your temp directory.

    The virus deleted my firefox executable, and probably others, although I got on top of it quickly. If you have a backup before the virus hit you, I recommend restoring from that, then updating your flash, firefox, virus software, and ensure your pc is up to date on windows updates.

    It’s a nasty little virus.

  5. Alen V. says:

    Hi Rex!

    I have the same problem with wwwpos32.exe, detected by CCleaner in startup, but haven’t found yet a way to remove it.
    Most of the antivirus and antimalware programs don’t even see it!
    The svchost.exe process is using 90-100% of system resources and the computer is almost unusable.
    I’m waiting for some solution for this crap from someone…

    Al, from Croatia

  6. scott e giles says:

    Rex-
    This wwwpos.exe is a nightmare… I was somewhat lucky when it launched that I noticed it / disconnected my internet, but the thing’s a nightmare; it blew past Webroot like a paper bag.

    I’m running WinXP Pro w/ 3G RAM… this loads in the startup directory of the licensed user… I always build a separate admin account into my machine… I was able to log in as admin… my version of this thing had several other exe’s embedded into them… none of the major AV/spyware programs could remove it… just slowed it down a bit.

    The only way I was able to remove it was with HijackThis… and it had to be set up as a “prewindows” boot removal process… my computer was up to date with MS… I’m not really a tech geek but know enough to be dangerous… this is a nasty bootkit… it & the embedments hammer the CPU and most major programs… Adobe / AutoCAD were all compromised.

    It’s a 2-3 day rebuild… hijack is free, I also bought Registry Booster to help clean up the registry damage… I think I got lucky… I had done a complete OS build a month ago and Norton and Avast at least seemed to be able to knock some of it, but I noticed that until it’s completely removed it has subroutines that XP treats under svchost… one item that might help is to deactivate error message reporting, as it seems to also attack the CPU by generating a ton of system error messages… hijack was the only program that could delete the file…

    My sympathy to all who got this thing.
    Thanks for your insights, they helped me…
    Regards
    scott e giles
    Denver
