Re: Alleged virus I can't detect



Saga wrote:

Hello all, I have a Win XP SP2 on an office PC. A few weeks ago the
enterprise was infected with Sallity virus. Removal was a pain, to say the
least. The virus evaded the firewall and the McAfee Enterprise virus
suite.

My PC has been disinfected, but still shows signs of something that I can't
identify. Perhaps by describing its behavior here someone can offer an
opinion.

I can get into Task Manager (Ctrl-Alt-Del->Task Manager and Right-Click
Taskbar-> Task Manager). When I do and examine the processes that are
running one stands out. This is an EXE whose name is a combination of
letters and numbers, always upper cap, such as RE34YO.EXE. I Google the
EXE name but find nothing which leads me to believe that the name is a
random selection of numbers and letters.

I search for the EXE file and find that it is happily living in the
C:\WINDOWS\TEMP folder. Its icon is that of a side view of a small brown
dog with the letters NT in the right bottom corner.

When I stop the service the EXE file in the windows\temp folder
mysteriously disappears.

After a given amount of time after stopping the process I once again look
at the running processes and find another process that is running and the
file name is again a combination of letters and numbers, but a different
name than the previous one.

All this that I mention raises alarms all over, but when I run a scan on
the disc or on the folder where the EXE file is located, the Trend Micro
anti virus does not detect anything. (To run the scan, I copied the
suspect EXE file to another folder and changed its extension to bin.) I
suspect that it might be a root kit, but am not sure. I am going to
download some utilities to further test my work PC, but thought I'd ask
here in case anyone is familiar with these (somewhat troubling) symptoms.

Pretty typical behavior of an infected machine. Since this is an office
workstation, I'd just flatten and rebuild. If you've been smart and created
images, this will take about 15 minutes. Otherwise, start scanning per
these general instructions:

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do
all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html
Or here: Malwarebytes malware removal guides - http://tinyurl.com/5xrpft

When all else fails, get guided help. Choose one of the specialty forums
listed at the first link. Register and read its posting FAQ. PLEASE DO NOT
POST LOGS IN THE MS NEWSGROUPS.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
http://www.elephantboycomputers.com/#FAQ
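One way to record the evidence Saga describes before it vanishes, as an added example that is not part of this thread and not one of the tools Malke links to: it lists running processes whose image sits under the Windows Temp folder with a short alphanumeric name like RE34YO.EXE, copies the file aside (renamed to .bin, as Saga did) and hashes it, without stopping the process, since stopping it was observed to make the file disappear. The C:\triage folder and the 4-to-8-character name pattern are assumptions.

```powershell
# Added example, not from the original thread. Triage processes running out of
# %WINDIR%\Temp whose name looks randomly generated, preserving a copy and a
# SHA-256 hash for later lookup. Works with Get-WmiObject (PowerShell 2.0),
# since Get-FileHash and CIM cmdlets are not available on older systems.

$tempDir     = Join-Path $env:WINDIR 'Temp'
$quarantine  = 'C:\triage'              # assumed output folder
$namePattern = '^[A-Z0-9]{4,8}\.EXE$'   # assumed pattern for names like RE34YO.EXE

if (-not (Test-Path $quarantine)) {
    New-Item -ItemType Directory -Path $quarantine | Out-Null
}

function Get-Sha256Hex([string]$path) {
    # .NET 2.0 hashing, so it runs where Get-FileHash does not exist
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Case-insensitive match on the name so a lower-cased variant is not missed
$suspects = Get-WmiObject Win32_Process | Where-Object {
    $_.ExecutablePath -and
    $_.ExecutablePath.StartsWith($tempDir, [System.StringComparison]::OrdinalIgnoreCase) -and
    ($_.Name -match $namePattern)
}

foreach ($p in $suspects) {
    # Parent process is the most useful lead for what keeps re-creating the file
    $parent     = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = '?'
    if ($parent) { $parentName = $parent.Name }

    # Copy with a .bin extension so the preserved sample is not run by accident
    $copy = Join-Path $quarantine ($p.Name + '.bin')
    Copy-Item -Path $p.ExecutablePath -Destination $copy -ErrorAction SilentlyContinue
    $hash = 'copy failed'
    if (Test-Path $copy) { $hash = Get-Sha256Hex $copy }

    New-Object PSObject -Property @{
        PID       = $p.ProcessId
        Name      = $p.Name
        Path      = $p.ExecutablePath
        ParentPID = $p.ParentProcessId
        Parent    = $parentName
        Created   = $p.ConvertToDateTime($p.CreationDate)
        SHA256    = $hash
    }
}
```

The hash of the preserved copy can then be looked up or submitted to the vendor even after the original in Temp is gone.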
