Koobface service wwzs

grantdb · September 19, 2010, 7:06pm

Hello, I found a service on my system that I couldn’t identify:

WWZS (screenshot)

and a startup driver WZS (screenshot)

The only info I could find is the MS page: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Koobface.N&ThreatID=153386

As far as I can tell the files that MS lists in that page have been removed by Malwarebytes:

\drivers\wzs.sys
\wsz.dll

And I manually removed the wzs driver from hidden devices in device manager.

So if I remove the registry entries as shown in the MS page will that get rid of the service and startup entry?

ps. LivePCsupport did not help resolve this as it was explained how services are generated from the registry but not if this service was malware related or not.

Thanks!

[attachment deleted by admin]

Chiron494 · September 19, 2010, 7:46pm

Can you please follow the process described here and let us know if CCS finds any unknown processes. I just want to make sure there isn’t anything else you missed.

Also, if you are infected with koobface here’s a description of how to remove it.

brucine · September 19, 2010, 7:50pm

Also note that a service stated as useless or harmful should not only be disabled but deleted.

Check for other running services with autoruns or similar.

grantdb · September 20, 2010, 8:52pm

Ran Hitman Pro, CCS and they didn’t find anything. Manually deleted the registry keys by searching for wwzs and wzs (MS site I posted) and reboot and no errors and the WWZS service is gone. Thanks for the replies.