Re: Alleged virus I can't detect
- From: "Saga" <antiSpam@xxxxxxxxxxxxx>
- Date: Tue, 17 Feb 2009 13:58:30 -0600
I have downloaded Process Explorer, thanks.
Saga
--
" db ´¯`·.. ><)))º>` .. ." <databaseben at hotmail dot com> wrote in message
news:6BAE5878-BA5F-4B09-AF48-D6F7ECFCA1EF@xxxxxxxxxxxxxxxx
sometimes removing
an infection is not
enough to get a system
fully functional again.
the infection may have
corrupted system files
and they need to be
replaced with genuine
ones from a genuine cd.
the process above is
called a "repair installation"
-----------------
in regards to that variant,
you can use a utility from
microsoft.com called
process explorer.
as the name says, it will
provide details for the
processes running.
with it you will likely be
able to trace that process.
--
db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
"share the nirvana" - dbZen
~~~~~~~~~~~~~~~~~~
"Saga" <antiSpam@xxxxxxxxxxxxx> wrote in message news:uGjvBTSkJHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
Hello all, I have a Win XP SP2 on an office PC. A few weeks ago the enterprise was
infected with Sality virus. Removal was a pain, to say the least. The virus evaded the
firewall and the McAfee Enterprise virus suite.
My PC has been disinfected, but still shows signs of something that I can't identify.
Perhaps by describing its behavior here someone can offer an opinion.
I can get into Task Manager (Ctrl-Alt-Del->Task Manager and Right-Click Taskbar->
Task Manager). When I do and examine the processes that are running one stands
out. This is an EXE whose name is a combination of letters and numbers, always
upper cap, such as RE34YO.EXE. I Google the EXE name but find nothing which
leads me to believe that the name is a random selection of numbers and letters.
I search for the EXE file and find that it is happily living in the C:\WINDOWS\TEMP
folder. Its icon is that of a side view of a small brown dog with the letters NT in the
right bottom corner.
When I stop the service the EXE file in the windows\temp folder mysteriously
disappears.
After a given amount of time after stopping the process I once again look at the
running processes and find another process that is running and the file name is
again a combination of letters and numbers, but a different name than the previous
one.
All this that I mention raises alarms all over, but when I run a scan on the disc
or on the folder where the EXE file is located, the Trend Micro anti virus does not
detect anything. (To run the scan, I copied the suspect EXE file to another folder
and changed its extension to bin.) I suspect that it might be a root kit, but am not
sure. I am going to download some utilities to further test my work PC, but thought
I'd ask here in case anyone is familiar with these (somewhat troubling) symptoms.
Thank you, Saga
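
The symptoms described in this thread (a process image in C:\WINDOWS\TEMP whose name mixes upper-case letters and digits, replaced by a differently named one after it is stopped) can be checked for across two process listings. The following is an added example, not part of the original posts: the "PID,ImagePath" snapshot format, the sample rows other than RE34YO.EXE, and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Name shape from the post: upper-case letters and digits mixed, e.g. RE34YO.EXE
RANDOM_NAME = re.compile(
    r"^(?=[A-Z0-9]*[A-Z])(?=[A-Z0-9]*[0-9])[A-Z0-9]{4,12}\.EXE$")
# Assumption: only the folder named in the post; add user temp folders as needed.
TEMP_DIRS = {PureWindowsPath(r"C:\WINDOWS\TEMP")}

# Constructed snapshots in a hypothetical "PID,ImagePath" export format.
SNAP_1 = r"""
4,System
612,C:\WINDOWS\system32\svchost.exe
1480,C:\WINDOWS\TEMP\RE34YO.EXE
1700,C:\WINDOWS\TEMP\SETUP.EXE
1920,C:\WINDOWS\explorer.exe
"""
SNAP_2 = r"""
4,System
612,C:\WINDOWS\system32\svchost.exe
1920,C:\WINDOWS\explorer.exe
2216,c:\windows\temp\K7QX92.EXE
"""

def parse_snapshot(text):
    """Parse 'PID,ImagePath' lines into {pid: PureWindowsPath}; skip bad rows."""
    procs = {}
    for line in text.strip().splitlines():
        pid, _, path = line.partition(",")
        if pid.strip().isdigit() and path.strip():
            procs[int(pid)] = PureWindowsPath(path.strip())
    return procs

def suspicious(procs):
    """Image paths running from a temp folder under a random-looking name."""
    # PureWindowsPath compares case-insensitively, so c:\windows\temp matches.
    return sorted(str(p) for p in procs.values()
                  if p.parent in TEMP_DIRS and RANDOM_NAME.match(p.name))

def respawned(before, after):
    """Flagged images in the later snapshot that were absent from the earlier one."""
    seen = {p.lower() for p in suspicious(before)}
    return [p for p in suspicious(after) if p.lower() not in seen]

if __name__ == "__main__":
    first, second = parse_snapshot(SNAP_1), parse_snapshot(SNAP_2)
    print("flagged in first snapshot:", suspicious(first))
    print("new name in second snapshot:", respawned(first, second))
```

A hit in `respawned` means something outside the flagged process is relaunching it, so the parent process or service that starts it is the next thing to trace in Process Explorer.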