Re: Malicious script running on XP Home but undetected.
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 12/16/04
- In reply to: Milkus: "Malicious script running on XP Home but undetected."
Date: Wed, 15 Dec 2004 20:42:09 -0500
Milkus wrote:
> I was hoping someone could point me in the right direction for dealing
> with the following 'virus'/malware/pest. Currently it has not been
> detected by any of the major online virus scanners, AVG, F-Secure,
> Trojan Hunter, Stinger, Panda, McAfee, Housecall, AdAware, Xsoftspy,
> Hijackthis, CWShredder ... All have latest patches...
>
> What happens is that sporadically I lose control of the desktop and
> random programs start executing or closing down, windows start popping
> up, services start running, administrative tasks will be activated
> (eg: try to make new user, scan random files with antivirus software
> etc), the taskbar is resized and moved to new positions. Basically it
> all happens for 5-20 secs, extremely fast, doesn't seem to be
> destroying files though.
>
> It will happen, maybe once in 4 hours or twice in a minute. No
> suspicious processes show up in task manager, and I can't capture any
> scripts being executed. What it does do is restrict my ability to
> operate the machine, as data is easily lost when programs shut down.
>
> It is not dependent on internet access, or browser used. If I do a
> search on files that have changed just after the episode, nothing of
> note comes up, just prefetch files from the programs that were opened.
>
> How can I find this thing and remove it? My conclusion is that I have
> a 'dirty' dll or exe, disguised with a common name. I don't have a
> restore point that would be early enough to thwart it. I also noticed
> on shutdown last night, when XP goes to the blue shutdown page, it had
> a message saying it was installing 1-4 updates before shutdown. I have
> not seen this before so manually shut it off, but would think the
> designer of this thing would not advertise such a change.
>
> I have uninstalled SP2 then reinstalled it to no avail. My last resort
> is a total rebuild, but I am worried about backing up any file.
My advice? Back up only your data files and reinstall from scratch. Enable
your firewall or ensure you're behind some firewall before connecting to the
Internet for the first time. Patch Windows back up to SP2, etc., install
your software. Install good antivirus software and scan your backed-up files
before restoring them/copying them back. You need to run good AV software
locally & keep it updated all the time.