Alleged virus I can't detect



Hello all, I have a Win XP SP2 on an office PC. A few weeks ago the enterprise was
infected with Sality virus. Removal was a pain, to say the least. The virus evaded the
firewall and the McAfee Enterprise virus suite.

My PC has been disinfected, but still shows signs of something that I can't identify.
Perhaps by describing its behavior here someone can offer an opinion.

I can get into Task Manager (Ctrl-Alt-Del->Task Manager and Right-Click Taskbar->
Task Manager). When I do and examine the processes that are running one stands
out. This is an EXE whose name is a combination of letters and numbers, always
upper cap, such as RE34YO.EXE. I Google the EXE name but find nothing which
leads me to believe that the name is a random selection of numbers and letters.

I search for the EXE file and find that it is happily living in the C:\WINDOWS\TEMP
folder. Its icon is that of a side view of a small brown dog with the letters NT in the
right bottom corner.

When I stop the service the EXE file in the windows\temp folder mysteriously
disappears.

After a given amount of time after stopping the process I once again look at the
running processes and find another process that is running and the file name is
again a combination of letters and numbers, but a different name than the previous
one.

All this that I mention raises alarms all over, but when I run a scan on the disc
or on the folder where the EXE file is located, the Trend Micro anti virus does not
detect anything. (To run the scan, I copied the suspect EXE file to another folder
and changed its extension to bin.) I suspect that it might be a root kit, but am not
sure. I am going to download some utilities to further test my work PC, but thought
I'd ask here in case anyone is familiar with these (somewhat troubling) symptoms.

Thank you, Saga
--
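
A triage sketch for the behaviour described in the post above, added here as an example and not part of the original post: it flags executables running from the Windows temp folder under a random-looking uppercase name, and reports when such an image reappears under a different name across successive process listings. The snapshot format (lists of executable paths), the 4-10 character name length and the name K7QX2B.EXE are assumptions made for the example.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Assumption: the directory named in the post; extend with per-user temp folders.
TEMP_DIRS = {ntpath.normcase(r"C:\WINDOWS\TEMP")}
# Assumption: 4-10 upper-case letters/digits, modelled on the post's RE34YO.EXE.
STEM = re.compile(r"[A-Z0-9]{4,10}")

def is_suspicious(path):
    """True if the image runs from a temp dir under a random-looking name."""
    folder, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    if ntpath.normcase(folder) not in TEMP_DIRS or ext.upper() != ".EXE":
        return False
    # Require both letters and digits so plain words and pure numbers are skipped.
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    return bool(STEM.fullmatch(stem)) and mixed

def respawn_events(snapshots):
    """Return (snapshot index, vanished names, new name) for each flagged image
    that first appears after an earlier flagged image has gone."""
    seen, events = set(), []
    for index, snap in enumerate(snapshots):
        current = {ntpath.basename(p) for p in snap if is_suspicious(p)}
        vanished = sorted(seen - current)
        for name in sorted(current - seen):
            if vanished:
                events.append((index, vanished, name))
        seen |= current
    return events

# Constructed sample: three process listings taken some minutes apart.
# K7QX2B.EXE is an invented name; RE34YO.EXE is the example from the post.
SNAPSHOTS = [
    [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\TEMP\RE34YO.EXE"],
    [r"C:\WINDOWS\system32\svchost.exe"],
    [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\TEMP\K7QX2B.EXE"],
]

if __name__ == "__main__":
    for index, vanished, name in respawn_events(SNAPSHOTS):
        print(f"snapshot {index}: {name} appeared after {vanished} disappeared")
```

The name pattern is a heuristic and will also match legitimately named installers unpacked to the temp folder, so a hit is a prompt to inspect the file, not a verdict.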