This is probably a network-distributed virus which the company I work for recently had a big problem with. Check the other PCs on your network. 1.exe will be Microsoft’s PsExec and 2.exe will be the thing which actually spreads it to other PCs.
Also check for a psexesvc.exe process and kill it & delete the file in the Windows folder.
Run to %appdata%, kill the process running in the background, then delete the .exe in %appdata%. You will also need to check the same folder on any other user profiles on the PC, as well as their Start Menu’s Startup folder for any unknown .exes. Make sure that you can see hidden files.
As for preventing it reoccurring, clean your other PCs or speak with your IT staff as other PCs will be infected.
Note that this is a password-stealing trojan with an emphasis on online banking.
For a workaround, try creating the 1.exe and 2.exe in your %temp% folder and set them as read-only and hidden. Also create uninstall.exe (maybe notepad?) in your Start Menu’s Startup folder and perhaps also the various filenames in your %appdata% folder so that the virus can’t create its own files there:
logon.exe lsas.exe update.exe 1.exe 2.exe lsas.exe taskmon.exe dumpreport.exe svchosts.exe rundll.exe upnpsvc.exe EVENT.exe helper.exe service.exe msiexeca.exe uninstall.exe sound.exe
The AV makers have been dead slow in updating their signatures to find the files related to this.
To aid in your research on alternative AV scanners, here is the virustotal.com analysis of the file soon after all the infections started - the winners were a-squared, CAT-QuickHeal, McAfee-GW-Edition and Microsoft (!!!)
http://www.virustotal.com/analisis/e2f98e9d863914ab68aa193469f4f57fb3724e5ffec7d4630ec58005c1cb8c97-1243861321
I’ve been using this script to clean PCs. It won’t work properly on Windows 2000 (it doesn’t have taskkill.exe) and will need admin rights to clean other profiles:
@echo off
rem Ask for the name of the PC to clean (reached through its c$ admin share)
echo Computer name:
set /p comp=
rem Variant 1: kill the known processes, including Internet Explorer
taskkill /s %comp% /f /im logon.exe /im lsas.exe /im psexesvc.exe /im update.exe /im 1.exe /im 2.exe /im lsas.exe /im taskmon.exe /im dumpreport.exe /im svchosts.exe /im rundll.exe /im upnpsvc.exe /im EVENT.exe /im helper.exe /im service.exe /im msiexeca.exe /im uninstall.exe /im sound.exe /im iexplore.exe
rem Variant 2: same list without Internet Explorer (swap the rem to use it)
rem taskkill /s %comp% /f /im logon.exe /im lsas.exe /im psexesvc.exe /im update.exe /im 1.exe /im 2.exe /im lsas.exe /im taskmon.exe /im dumpreport.exe /im svchosts.exe /im rundll.exe /im upnpsvc.exe /im EVENT.exe /im helper.exe /im service.exe /im msiexeca.exe /im uninstall.exe /im sound.exe
rem Remove the PsExec service binary (XP uses \windows, Windows 2000 uses \winnt)
del "\\%comp%\c$\windows\psexesvc.exe"
del "\\%comp%\c$\winnt\psexesvc.exe"
rem Walk every user profile; "delims=" keeps profile names that contain spaces intact
for /f "delims=" %%f in ('dir /b /AD "\\%comp%\c$\Documents and settings\"') do (
    del "\\%comp%\c$\documents and settings\%%f\Start Menu\Programs\Startup\uninstall.exe"
    del "\\%comp%\c$\documents and settings\%%f\local settings\temp\1.exe"
    del "\\%comp%\c$\documents and settings\%%f\local settings\temp\2.exe"
    rem /p asks for confirmation before each .exe in Application Data is deleted
    del /p "\\%comp%\c$\documents and settings\%%f\application data\*.exe"
)
pause
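
A read-only audit of the locations named in the post, as an added example that is not part of the original post: it lists matching files with their SHA-256 so they can be reviewed, or submitted to a scanner, before anything is deleted. The function names and the choice of Python are assumptions; the folder layout is the Windows XP one the batch script uses.

```python
import hashlib
import sys
from pathlib import Path

# File names listed in the post; Windows file names are case-insensitive.
SUSPECT_NAMES = {n.lower() for n in (
    "logon.exe lsas.exe update.exe 1.exe 2.exe taskmon.exe dumpreport.exe "
    "svchosts.exe rundll.exe upnpsvc.exe EVENT.exe helper.exe service.exe "
    "msiexeca.exe uninstall.exe sound.exe").split()}

# Per-profile folders from the post (Windows XP layout, as in the batch script).
TEMP = "Local Settings/Temp"
PROFILE_DIRS = ("Application Data", TEMP, "Start Menu/Programs/Startup")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_profiles(profiles_root):
    """Return (path, reason, sha256) per suspicious .exe. Read-only: deletes nothing."""
    findings = []
    for profile in sorted(Path(profiles_root).iterdir()):
        for sub in PROFILE_DIRS:
            folder = profile / sub
            try:
                # iterdir() also returns hidden files, unlike a default "dir".
                files = sorted(f for f in folder.iterdir() if f.is_file())
            except OSError:
                continue  # folder missing, or profile not readable without admin rights
            for f in files:
                if f.suffix.lower() != ".exe":
                    continue
                if f.name.lower() in SUSPECT_NAMES:
                    reason = "listed name"
                elif sub != TEMP:
                    reason = "unknown .exe"  # any .exe here needs a manual look
                else:
                    continue  # installers legitimately unpack .exe files into Temp
                findings.append((str(f), reason, sha256_of(f)))
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    # e.g. \\HOSTNAME\c$\Documents and Settings (HOSTNAME is a placeholder)
    for path, reason, digest in audit_profiles(sys.argv[1]):
        print(f"{reason:12}  {digest}  {path}")
```

Files created by the workaround above (the read-only, hidden placeholders) will also show up in the output; their hashes make them easy to tell apart from a real sample.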