Guest Saga - Posted February 17, 2009

Hello all, I have a Win XP SP2 on an office PC. A few weeks ago the enterprise was infected with the Sality virus. Removal was a pain, to say the least. The virus evaded the firewall and the McAfee Enterprise virus suite.

My PC has been disinfected, but still shows signs of something that I can't identify. Perhaps by describing its behavior here someone can offer an opinion.

I can get into Task Manager (Ctrl-Alt-Del->Task Manager and Right-Click Taskbar-> Task Manager). When I do and examine the processes that are running, one stands out. This is an EXE whose name is a combination of letters and numbers, always upper case, such as RE34YO.EXE. I Google the EXE name but find nothing, which leads me to believe that the name is a random selection of numbers and letters.

I search for the EXE file and find that it is happily living in the C:\WINDOWS\TEMP folder. Its icon is that of a side view of a small brown dog with the letters NT in the right bottom corner.

When I stop the service, the EXE file in the windows\temp folder mysteriously disappears.

After a given amount of time after stopping the process I once again look at the running processes and find another process that is running, and the file name is again a combination of letters and numbers, but a different name than the previous one.

All this that I mention raises alarms all over, but when I run a scan on the disc or on the folder where the EXE file is located, the Trend Micro anti virus does not detect anything. (To run the scan, I copied the suspect EXE file to another folder and changed its extension to bin.) I suspect that it might be a root kit, but am not sure. I am going to download some utilities to further test my work PC, but thought I'd ask here in case anyone is familiar with these (somewhat troubling) symptoms.

Thank you, Saga
--
Guest db ´¯`·.. > - Posted February 17, 2009

sometimes removing an infection is not enough to get a system fully functional again. the infection may have corrupted system files and they need to be replaced with genuine ones from a genuine cd. the process above is called a "repair installation"

-----------------

in regards to that variant, you can use a utility from microsoft.com called process explorer. as the name says, it will provide details for the processes running. with it you will likely be able to trace that process.

--
db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
"share the nirvana" - dbZen
~~~~~~~~~~~~~~~~~~

"Saga" <antiSpam@somewhere.com> wrote in message news:uGjvBTSkJHA.1252@TK2MSFTNGP03.phx.gbl...
Guest 1PW - Posted February 17, 2009

On 02/17/2009 09:25 AM, Saga sent:

Hello Saga

Your investigation was well done. Please upload the file to:

http://www.virustotal.com/

When the result is available, cut & paste the full report to this thread.

In the meantime begin to think about downloading, installing, updating and running the free versions of these two antimalware scanners:

MBAM: <http://www.malwarebytes.org/mbam.php>

SAS: <http://www.superantispyware.com/download.html>

If the file comes back from VirusTotal as a true positive, I would recommend that you run the above two antimalware scans. I'd further recommend your colleagues do the same on their systems without delay.

Have all copies of your Microsoft Office suites brought up to date.

Furthermore, please give much more consideration to installing SP3 for your XP and any follow-on patches from Microsoft.

Please post a follow up with your progress.

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest Malke - Posted February 17, 2009

Saga wrote:

Pretty typical behavior of an infected machine. Since this is an office workstation, I'd just flatten and rebuild. If you've been smart and created images, this will take about 15 minutes. Otherwise, start scanning per these general instructions:

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2....emoving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

You can also check to see if there are targeted removal steps for your malware here:
Bleeping Computer removal how-to's - http://www.bleepingcomputer.com/forums/forum55.html
Or here: Malwarebytes malware removal guides - http://tinyurl.com/5xrpft

When all else fails, get guided help. Choose one of the specialty forums listed at the first link. Register and read its posting FAQ. PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
http://www.elephantboycomputers.com/#FAQ
Guest Saga - Posted February 17, 2009

VirusTotal results:

File WR7E44.bin received on 02.17.2009 20:41:52 (CET)
Result: 0/39 (0%)

Antivirus / Version / Last Update / Result
a-squared 4.0.0.93 2009.02.17 -
AhnLab-V3 2009.2.17.2 2009.02.17 -
AntiVir 7.9.0.83 2009.02.17 -
Authentium 5.1.0.4 2009.02.17 -
Avast 4.8.1335.0 2009.02.16 -
AVG 8.0.0.237 2009.02.17 -
BitDefender 7.2 2009.02.17 -
CAT-QuickHeal 10.00 2009.02.17 -
ClamAV 0.94.1 2009.02.17 -
Comodo 982 2009.02.17 -
DrWeb 4.44.0.09170 2009.02.17 -
eSafe 7.0.17.0 2009.02.17 -
eTrust-Vet 31.6.6361 2009.02.17 -
F-Prot 4.4.4.56 2009.02.17 -
F-Secure 8.0.14470.0 2009.02.17 -
Fortinet 3.117.0.0 2009.02.17 -
GData 19 2009.02.17 -
Ikarus T3.1.1.45.0 2009.02.17 -
K7AntiVirus 7.10.582 2009.01.09 -
Kaspersky 7.0.0.125 2009.02.17 -
McAfee 5528 2009.02.16 -
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.17 -
NOD32 3862 2009.02.17 -
Norman 6.00.06 2009.02.17 -
nProtect 2009.1.8.0 2009.02.17 -
Panda 9.4.3.20 2009.02.17 -
PCTools 4.4.2.0 2009.02.17 -
Prevx1 V2 2009.02.17 -
Rising 21.17.12.00 2009.02.17 -
SecureWeb-Gateway 6.7.6 2009.02.17 -
Sophos 4.38.0 2009.02.17 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.17 -
TheHacker 6.3.2.2.259 2009.02.17 -
TrendMicro 8.700.0.1004 2009.02.17 -
VBA32 3.12.8.13 2009.02.17 -
ViRobot 2009.2.17.1611 2009.02.17 -
VirusBuster 4.5.11.0 2009.02.17 -

Additional information
File size: 296224 bytes
MD5...: e87c01a56df3cf7c680db722b000110c
SHA1..: be9313ab7e0e0ae5bfd9ca9ac8d59f1c65e587e7
SHA256: 0da78125502b153390a6a2f0f22eaff75813a908bbd412c605b1d1f3952385f0
SHA512: 75af512502f0e866359e537bf2020383eecf43bbcaad1dfc0bb27d994293db8d2b5ab59b7828817dd6dfe7f8981c051b81ce0df2592fd59836a8983c03adae0d
ssdeep: 6144:DMHxQEeBbRS7gPKudvJNKxG7is6pKJabJUn13Lr9WfopDJwF:SxQEMbJ3NKFGSJm1WfaY
PEiD..: -

TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x41df09
timedatestamp.....: 0x48f461d9 (Tue Oct 14 09:09:45 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x354cb  0x36000  6.62   0ab523966d49694195b94cf9feb4edb8
.rdata  0x37000  0xb7f3   0xc000   5.02   f496276b852d914783e616320012954e
.data   0x43000  0xb760   0x3000   3.15   8948fa9c9c7fa78654bfe009577f9478
.rsrc   0x4f000  0xaf8    0x1000   4.42   2bcf1a70016ed06b5a10b8e00bc88603

( 7 imports )

( 61 exports )
__0TmProcessGuard@@QAE@KHH@Z, __0TmProcessGuard@@QAE@PBD0HH@Z, __0TmProcessGuard@@QAE@XZ, __0TmServiceGuard@@QAE@PBD00HH@Z, __0TmServiceGuard@@QAE@PBDKHH@Z, __0TmServiceGuard@@QAE@XZ, __1TmProcessGuard@@UAE@XZ, __1TmServiceGuard@@UAE@XZ, __4TmProcessGuard@@QAEXAAV0@@Z, __4TmServiceGuard@@QAEXAAV0@@Z, ___7TmProcessGuard@@6B@, ___7TmServiceGuard@@6B@, _BackupService@TmServiceGuard@@IAEXXZ, _CheckProcess@TmProcessGuard@@QAE_NAAVCStringArray@@H@Z, _GetGuardInfo@TmProcessGuard@@QBEXAAKAAV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@1AAH2@Z, _GetService@TmServiceGuard@@QAE_AV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@XZ, _IsIPChanged@@YA_NPBDPADH@Z, _IsMonitor@TmProcessGuard@@IBE_NXZ, _IsNTPlatform@@YA_NXZ, _IsProcessAlive@TmProcessGuard@@MAE_NXZ, _IsProcessAlive@TmServiceGuard@@MAE_NXZ, _IsRetryNow@TmProcessGuard@@IBE_NXZ, _IsTheSame@TmProcessGuard@@QBE_NABV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@0@Z, _IsTheSame@TmProcessGuard@@QBE_NK@Z, _IsTheSame@TmProcessGuard@@QBE_NPBV1@@Z, _IsValidProcess@TmProcessGuard@@QBE_NXZ, _QueryAllLog@TmProcessGuard@@QBEXAAVCStringArray@@@Z, _RegWatchDog_Ofc@@YA_NXZ, _RegWatchDog_Ofc_95@@YA_NXZ, _RegWatchDog_Ofc_NTRT@@YA_NXZ, _RegWatchDog_Ofc_PCCNTMON@@YA_NXZ, _RegWatchDog_Ofc_TMLISTEN@@YA_NXZ, _RegWatchDog_Ofc_TMPROXY@@YA_NXZ, _ResetMonitor@TmProcessGuard@@IAEXXZ, _ResetRetryCount@TmProcessGuard@@QAEXXZ, _ResetRetryTick@TmProcessGuard@@QAEXXZ, _ResetRetryVar@TmProcessGuard@@QAEXXZ, _RetryWakeupProcess@TmProcessGuard@@MAE_NXZ, _RetryWakeupProcess@TmServiceGuard@@MAE_NXZ, _SetMonitor@TmProcessGuard@@IAEXXZ, _SetProcessID@TmProcessGuard@@QAEXK@Z, _SetRetryCountLimit@TmProcessGuard@@QAEXH@Z, _SetRetryTickLimit@TmProcessGuard@@QAEXH@Z, _StepMonitor@TmProcessGuard@@IAEXXZ, _StepRetry@TmProcessGuard@@IAEXXZ, _UnRegWatchDog_Ofc@@YA_NXZ, _UnRegWatchDog_Ofc_95@@YA_NXZ, _UnRegWatchDog_Ofc_NTRT@@YA_NXZ, _UnRegWatchDog_Ofc_PCCNTMON@@YA_NXZ, _UnRegWatchDog_Ofc_TMLISTEN@@YA_NXZ, _UnRegWatchDog_Ofc_TMPROXY@@YA_NXZ, C_IsIPChanged, C_OfcDogLockFiles, C_RegWatchDog_Ofc, C_RegWatchDog_Ofc_PCCNTMON, C_RegWatchDog_Ofc_TMLISTEN, C_RegWatchDog_Ofc_TMPROXY, C_UnRegWatchDog_Ofc, C_UnRegWatchDog_Ofc_PCCNTMON, C_UnRegWatchDog_Ofc_TMLISTEN, C_UnRegWatchDog_Ofc_TMPROXY

CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=e87c01a56df3cf7c680db722b000110c

--
"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message news:gnf37p$b4i$1@news.motzarella.org...
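The report above carries file hashes, a section table with an entropy column, and the export names that point at the binary's origin. The following is an added example, not code from this thread, from Saga, or from Trend Micro: it reproduces that triage for a PE file in pure Python, using a minimal PE32 image constructed inline as a test fixture (not the file Saga scanned) and marker strings taken from the report's export names.

```python
"""Offline triage of a Win32 PE: file hashes, per-section entropy (the report's
"ntrpy" column) and exported symbol names, standard library only.  Added
example for this thread; the sample PE below is constructed, not a real file."""
import hashlib
import math
import struct

# Export-name fragments seen in the report's export table (Trend Micro OfcDog).
OFCDOG_MARKERS = ("TmProcessGuard", "TmServiceGuard", "RegWatchDog_Ofc", "OfcDog")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes):
    """Return (machine, sections, export_rva, export_size) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsect, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)                          # COFF header
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ data dirs
    export_rva, export_size = struct.unpack_from("<II", data, dd_off)  # directory 0
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize, rawptr, rawsize))
    return machine, sections, export_rva, export_size


def rva_to_offset(sections, rva: int) -> int:
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def export_names(data: bytes, sections, export_rva: int, export_size: int) -> list:
    """Walk IMAGE_EXPORT_DIRECTORY -> AddressOfNames -> NUL-terminated strings."""
    if not export_rva or not export_size:
        return []
    fields = struct.unpack_from("<IIHH7I", data, rva_to_offset(sections, export_rva))
    nnames, aon_rva = fields[7], fields[9]      # NumberOfNames, AddressOfNames
    aon = rva_to_offset(sections, aon_rva)
    names = []
    for i in range(nnames):
        off = rva_to_offset(sections, struct.unpack_from("<I", data, aon + 4 * i)[0])
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return sorted(names)


def triage(data: bytes) -> dict:
    machine, sections, erva, esize = parse_pe(data)
    names = export_names(data, sections, erva, esize)
    return {
        "hashes": file_hashes(data),
        "machine": machine,                     # 0x14c == I386, as in the report
        "sections": [(n, va, round(shannon_entropy(data[rp:rp + rs]), 2))
                     for n, va, _vs, rp, rs in sections],
        "exports": names,
        "looks_like_ofcdog": any(m in n for n in names for m in OFCDOG_MARKERS),
    }


def build_sample_pe(exports: list) -> bytes:
    """Constructed minimal PE32 with one .edata section holding an export table.
    A parser fixture only: it is not runnable and not a real binary."""
    base_rva, raw_ptr, n = 0x1000, 0x200, len(exports)
    funcs_off, names_off, ords_off, str_off = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings, name_rvas = b"", []
    for nm in exports:
        name_rvas.append(base_rva + str_off + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHH7I", 0, 0, 0, 0, 0, 1, n, n, base_rva + funcs_off,
                       base_rva + names_off, base_rva + ords_off)
    body += b"".join(struct.pack("<I", base_rva + 0x100 + i) for i in range(n))
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    raw_size = (len(body) + 0x1FF) // 0x200 * 0x200
    body = body.ljust(raw_size, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x48F461D9, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    opt += struct.pack("<II", base_rva, len(body)) + b"\0" * (224 - 104)
    sect = struct.pack("<8sIIII", b".edata", len(body), base_rva, raw_size, raw_ptr)
    return (dos + coff + opt + sect + b"\0" * 16).ljust(raw_ptr, b"\0") + body
```

Run `triage(open(path, "rb").read())` on a real PE to get the same fields for a file you are unsure about; an export table naming TmProcessGuard or RegWatchDog_Ofc is the signal that corroborates the OfcDog identification later in this thread.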
Guest Leythos - Posted February 17, 2009

In article <uGjvBTSkJHA.1252@TK2MSFTNGP03.phx.gbl>, antiSpam@somewhere.com says...

Download and run/use the MBAM tool listed below, it's considered one of the best free removal tools, is created and hosted by a reputable group that is respected by the anti-malware community, and you can read about it at the link below.

Do not trust anything from disreputable sources such as PCBUTTS1.COM, no reputable person or group in the anti-malware community will direct you to that site.

MalwareBytes Anti-Malware
http://www.malwarebytes.org/mbam.php

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Guest Saga - Posted February 17, 2009

I have downloaded Process Explorer, thanks.

Saga
--
" db ´¯`·.. ><)))º>` .. ." <databaseben at hotmail dot com> wrote in message news:6BAE5878-BA5F-4B09-AF48-D6F7ECFCA1EF@microsoft.com...
Guest Saga - Posted February 17, 2009

Thanks, the Removing Malware page is full of info. I will make sure to follow it step by step.

Saga
--
"Malke" <malke@invalid.invalid> wrote in message news:e9sYbbTkJHA.5836@TK2MSFTNGP02.phx.gbl...
Guest Saga - Posted February 17, 2009

Thanks for the tip. I'll be sure to avoid Pcbutts1.com and other similar sites, and suspicious software such as the one that is advertised in a pop up and is called AntiSpyware 2008 :-)

Regards, Saga
--
"Leythos" <spam999free@rrohio.com> wrote in message news:MPG.2404e065413f3c5798993d@us.news.astraweb.com...
Guest Saga, Posted February 17, 2009

Follow up - I downloaded Process Explorer and identified the mysterious EXE
as an OFCDOG application linked to Trend Micro products. It appears that
the behavior that I described is typical for this component. Some info here:

http://www.file.net/process/ofcdog.exe.html

In any case, I also downloaded MBAM and am currently doing a full scan.
Saga
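The triage Saga did by hand with Process Explorer (find the oddly named process, locate its image under C:\WINDOWS\TEMP, work out which product it belongs to) can be scripted. The following is an added example and not code from the thread or from any of the tools it mentions; it assumes Windows PowerShell is installed (it is not part of a stock XP SP2) and that the shell runs as an administrator so that the image path of other users' processes can be read. It lists every running process whose executable lives in a temp directory and reports its Authenticode signature status, signer and the vendor/product recorded in the file's version resource.

```powershell
# Added example, not from the thread: triage every running process whose image
# file lives in a temp directory (as the randomly named EXE in C:\WINDOWS\TEMP
# did) and report who signed it and which product it claims to belong to.
# Assumes Windows PowerShell is installed and the shell runs as an administrator,
# so that Get-Process can read other processes' image paths.

$tempRoots = @(
    (Join-Path $env:SystemRoot 'Temp'),   # C:\WINDOWS\Temp, where the thread's EXE lived
    $env:TEMP,
    $env:TMP
) | Where-Object { $_ } | Select-Object -Unique

$findings = foreach ($proc in Get-Process) {
    # The path is unreadable for some protected processes; skip those rather than abort.
    $path = $null
    try { $path = $proc.Path } catch { }
    if (-not $path) { continue }

    $inTemp = $false
    foreach ($root in $tempRoots) {
        if ($path -like (Join-Path $root '*')) { $inTemp = $true }
    }
    if (-not $inTemp) { continue }

    # Authenticode status: Valid means a chain to a trusted signer; NotSigned,
    # HashMismatch or UnknownError for a binary in a temp directory deserves a closer look.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $info = (Get-Item -LiteralPath $path).VersionInfo

    New-Object PSObject -Property @{
        Pid       = $proc.Id
        Name      = $proc.ProcessName
        Path      = $path
        SigStatus = $sig.Status
        Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        Company   = $info.CompanyName
        Product   = $info.ProductName
    }
}

if ($findings) {
    $findings | Format-Table Pid, Name, SigStatus, Company, Product, Path -AutoSize
} else {
    'No running process has its image under a temp directory.'
}
```

Read the output the way the thread did: a binary under Temp with a valid signature from the vendor of a product that is actually installed on the machine (Trend Micro, in Saga's case) is explained by that product; an unsigned binary under Temp that vanishes when killed and reappears under a new random name is the pattern Malke and Leythos treat as grounds for scanning from Safe Mode or flattening and rebuilding rather than trusting the running system.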
Guest Malke, Posted February 17, 2009

Saga wrote:
> Follow up - I downloaded Process Explorer and identified the mysterious
> EXE as an OFCDOG application linked to Trend Micro products. It appears
> that the behavior that I described is typical for this component. Some
> info here:
>
> http://www.file.net/process/ofcdog.exe.html
>
> In any case, I also downloaded MBAM and am currently doing a full scan.
> Saga

Thanks for updating the thread.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
http://www.elephantboycomputers.com/#FAQ
Guest The Real Truth MVP, Posted February 18, 2009

If you continue to listen to Leythos or anyone listed in my sig you will be
formatting your computer by next week. He is a troll.

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
WARNING Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not
waste your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.

"Saga" <antiSpam@somewhere.com> wrote in message
news:%23bN8c5TkJHA.1408@TK2MSFTNGP06.phx.gbl...
> Thanks for the tip. I'll be sure to avoid Pcbutts1.com and other similar
> sites, and suspicious software such as the one that is advertised in a
> pop up and is called AntiSpyware 2008 :-)
> Regards, Saga
> --
Guest Max Wachtel, Posted February 18, 2009

The Real Truth MVP, after much thought, came up with this jewel:
> If you continue to listen to Leythos or anyone listed in my sig you will
> be formatting your computer by next week. He is a troll.

The only troll is you

--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Change nomail.afraid.org to gmail.com to reply by email.
nomail.afraid.org is specifically setup for use in USENET
Guest Leythos, Posted February 18, 2009

In article <gnfl87$uqk$1@news.motzarella.org>, not@real.atall says...
> If you continue to listen to Leythos or anyone listed in my sig you will be
> formatting your computer by next week. He is a troll.

And yet any security professional will tell you that once a computer is
compromised there is no way to certify that the machine is clean of all
known and unknown malware.

So, as I explain many times, you can choose to clean it to some level of
risk that you accept, never being sure that it's 100% clean, or you can
wipe it and reinstall in a safe environment and be sure that it's clean.

You can't even write your own code, as has been proven many times, and the
pornographic materials that you posted on your website give a clear
indication that you are not one of the good people.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Guest FromTheRafters, Posted February 18, 2009

"Saga" <antiSpam@somewhere.com> wrote in message
news:OaQbXMUkJHA.2344@TK2MSFTNGP05.phx.gbl...
> Follow up - I downloaded Process Explorer and identified the mysterious
> EXE as an OFCDOG application linked to Trend Micro products. It appears
> that the behavior that I described is typical for this component. Some
> info here:
>
> http://www.file.net/process/ofcdog.exe.html
>
> In any case, I also downloaded MBAM and am currently doing a full scan.
> Saga

Back to what Malke mentioned...

Do consider disk images as a relatively painless recovery option. At least
look into it if you haven't already. This time maybe you can consider
yourself lucky it wasn't some really sticky malware. Flatten and rebuild is
often the best option - even more so if you planned ahead.
Guest ---Fitz---, Posted February 18, 2009

Well since I'm no longer in your sig...let me be the first to reinforce
Leythos' advice. Stay away from this site that hosts porn and files that
Butts wants you to install. His programs will alter the hosts file on your
computer so that you cannot connect to reputable sites such as www.mvps.org
(Microsoft Most Valuable Professional).

---Fitz---

"The Real Truth MVP" <not@real.atall> wrote in message
news:gnfl87$uqk$1@news.motzarella.org...
> If you continue to listen to Leythos or anyone listed in my sig you will
> be formatting your computer by next week. He is a troll.
>
> --
> The Real Truth http://pcbutts1-therealtruth.blogspot.com/
> WARNING Do NOT follow any advice given by the people listed below.
> They do NOT have the expertise or knowledge to fix your issue. Do not
> waste your time.
> David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
Guest Saga, Posted February 18, 2009

Agreed, I will look into disk imaging. I did not remark on this topic
because I do not know if the enterprise where I am does any imaging -
although this is something that I'll be looking into. I have heard of
DiskImage XML - I will look into this product further. Any suggestions on
disk imaging software? Thanks
Saga
--

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message
news:%23g26l0WkJHA.5732@TK2MSFTNGP05.phx.gbl...
> Back to what Malke mentioned...
>
> Do consider disk images as a relatively painless recovery option. At least
> look into it if you haven't already. This time maybe you can consider
> yourself lucky it wasn't some really sticky malware. Flatten and rebuild
> is often the best option - even more so if you planned ahead.
Guest FromTheRafters, Posted February 19, 2009

http://www.download.com/Acronis-True-Image...4-10168093.html

"Saga" <antiSpam@somewhere.com> wrote in message
news:O1xbhDekJHA.1292@TK2MSFTNGP02.phx.gbl...
> Agreed, I will look into disk imaging. I did not remark on this topic
> because I do not know if the enterprise where I am does any imaging -
> although this is something that I'll be looking into. I have heard of
> DiskImage XML - I will look into this product further. Any suggestions on
> disk imaging software? Thanks
> Saga
Guest Sam, Posted February 19, 2009

So you'll end up with a 100% clean system. I don't see anything wrong with
that. Flatten and rebuild is my preferred method of cleaning a compromised
system. I don't trust any removal tools. I might test some removal tools to
see how effective they are. My final step is nuke and recreate partitions
followed by format and reinstall. Voila! Clean system.

Check this out:
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

"The Real Truth MVP" <not@real.atall> wrote in message
news:gnfl87$uqk$1@news.motzarella.org...
> If you continue to listen to Leythos or anyone listed in my sig you will
> be formatting your computer by next week. He is a troll.
>
> --
> The Real Truth http://pcbutts1-therealtruth.blogspot.com/
> WARNING Do NOT follow any advice given by the people listed below.
> They do NOT have the expertise or knowledge to fix your issue. Do not
> waste your time.
> David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
Guest Root Kit, Posted February 19, 2009

On Wed, 18 Feb 2009 20:26:45 -0800, "Sam" <sam@sam> wrote:
> So you'll end up with a 100% clean system. I don't see anything wrong with
> that. Flatten and rebuild is my preferred method of cleaning a compromised
> system. I don't trust any removal tools. I might test some removal tools to
> see how effective they are. My final step is nuke and recreate partitions
> followed by format and reinstall. Voila! Clean system.
>
> Check this out:
> http://www.microsoft.com/technet/community...gmt/sm0504.mspx

I second that.
Guest Saga, Posted February 19, 2009

Thanks!
Saga
--

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message
news:eLXkngjkJHA.1184@TK2MSFTNGP04.phx.gbl...
> http://www.download.com/Acronis-True-Image...4-10168093.html