Re: Alleged virus I can't detect
- From: 1PW <barcrnahgjuvfgyr@xxxxxxx>
- Date: Tue, 17 Feb 2009 11:30:01 -0800
On 02/17/2009 09:25 AM, Saga sent:
Hello all, I have a Win XP SP2 on an office PC. A few weeks ago the enterprise was
infected with the Sality virus. Removal was a pain, to say the least. The virus evaded the
firewall and the McAfee Enterprise virus suite.
My PC has been disinfected, but still shows signs of something that I can't identify.
Perhaps by describing its behavior here someone can offer an opinion.
I can get into Task Manager (Ctrl-Alt-Del->Task Manager and Right-Click Taskbar->
Task Manager). When I do and examine the processes that are running one stands
out. This is an EXE whose name is a combination of letters and numbers, always
upper case, such as RE34YO.EXE. I Google the EXE name but find nothing, which
leads me to believe that the name is a random selection of numbers and letters.
I search for the EXE file and find that it is happily living in the C:\WINDOWS\TEMP
folder. Its icon is that of a side view of a small brown dog with the letters NT in the
right bottom corner.
When I stop the service the EXE file in the windows\temp folder mysteriously
disappears.
After a given amount of time after stopping the process I once again look at the
running processes and find another process that is running and the file name is
again a combination of letters and numbers, but a different name than the previous
one.
All this that I mention raises alarms all over, but when I run a scan on the disc
or on the folder where the EXE file is located, the Trend Micro antivirus does not
detect anything. (To run the scan, I copied the suspect EXE file to another folder
and changed its extension to bin.) I suspect that it might be a rootkit, but am not
sure. I am going to download some utilities to further test my work PC, but thought
I'd ask here in case anyone is familiar with these (somewhat troubling) symptoms.
Thank you, Saga
Hello Saga
Your investigation was well done. Please upload the file to:
<http://www.virustotal.com/>
When the result is available, cut & paste the full report to this thread.
In the meantime begin to think about downloading, installing, updating
and running the free versions of these two antimalware scanners:
MBAM: <http://www.malwarebytes.org/mbam.php>
SAS: <http://www.superantispyware.com/download.html>
If the file comes back from VirusTotal as a true positive, I would
recommend that you run the above two antimalware scans. I'd further
recommend your colleagues do the same on their systems without delay.
Have all copies of your Microsoft Office suites brought up to date.
Furthermore, please give much more consideration to installing SP3 for
your XP and any follow-on patches from Microsoft.
Please post a follow-up with your progress.
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
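The triage Saga did by hand (spot a process whose image has a random upper-case alphanumeric name, confirm it lives in C:\WINDOWS\TEMP, copy the file out before the process is killed and it vanishes, then hash it for a VirusTotal lookup) can be scripted. The following is an added example, not code from this thread or from either poster; the process inventory is constructed to stand in for what `tasklist` or WMI would return, and apart from RE34YO.EXE and C:\WINDOWS\TEMP every name, PID and path in it is hypothetical.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed process inventory standing in for what `tasklist` or WMI would
# return on the affected XP machine. Only RE34YO.EXE and C:\WINDOWS\TEMP come
# from the post; every other entry is a hypothetical, benign-looking process.
SAMPLE_PROCESSES = [
    {"pid": 4, "name": "System", "path": ""},
    {"pid": 612, "name": "csrss.exe", "path": r"C:\WINDOWS\system32\csrss.exe"},
    {"pid": 1204, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
    {"pid": 1488, "name": "OUTLOOK.EXE",
     "path": r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"},
    {"pid": 2316, "name": "RE34YO.EXE", "path": r"C:\WINDOWS\TEMP\RE34YO.EXE"},
    {"pid": 2402, "name": "setup.exe", "path": r"C:\WINDOWS\TEMP\setup.exe"},
]

# Stem of 4-12 upper-case letters/digits: the shape Saga describes (RE34YO).
RANDOM_STEM = re.compile(r"^[A-Z0-9]{4,12}$")


def looks_random(filename: str) -> bool:
    """True for an .exe whose stem is upper-case alphanumerics mixing letters and digits."""
    stem, _, ext = filename.rpartition(".")
    if not stem or ext.lower() != "exe" or not RANDOM_STEM.match(stem):
        return False
    return any(c.isalpha() for c in stem) and any(c.isdigit() for c in stem)


def in_temp_dir(path: str) -> bool:
    """True if any directory component of the image path is named TEMP."""
    if not path:
        return False
    parts = PureWindowsPath(path).parts[:-1]  # drop the file name itself
    return any(p.lower() == "temp" for p in parts)


def triage(processes):
    """Score each process on the two symptoms; return suspicious ones, highest first."""
    findings = []
    for proc in processes:
        reasons = []
        score = 0
        if looks_random(proc["name"]):
            reasons.append("random-looking upper-case alphanumeric name")
            score += 2
        if in_temp_dir(proc["path"]):
            reasons.append("runs from a TEMP directory")
            score += 1
        if score:
            findings.append({**proc, "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["pid"]))
    return findings


def hash_sample(data: bytes) -> dict:
    """Hashes to record from the copied file before the process is stopped,
    since the on-disk file disappears once it is killed."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"PID {f['pid']:>5}  {f['name']:<14} score={f['score']}  "
              + "; ".join(f["reasons"]))
    # Constructed stand-in for the bytes of the copied (renamed to .bin) sample.
    print(hash_sample(b"MZ constructed placeholder sample"))
```

A process in TEMP with a name like setup.exe scores 1 and is worth a glance; one that also matches the random-name shape scores 3 and is the one to copy out and hash first. Either hash can be searched on VirusTotal before uploading, which avoids resubmitting a sample that is already known.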