Advertisement
- Home
- Software
- Internet / Email
- Spy / Ad Blockers
- How to remove this? (could be a virus or trojan)
Advertisement
- 1. IndiGenus 87,771
- 2. rpggamer... 67,345
- 3. phototropic 8,225
- 4. Jonvee 7,350
- 5. briancassin 7,150
- 6. war1 6,840
- 7. -Mystique- 6,500
- 8. younghv 6,470
- 9. johnb6767 6,400
- 10. orangutang 5,675
- 11. Admin3k 5,075
- 12. rindi 4,880
- 13. willcomp 4,600
- 14. r-k 4,440
- 15. paulop1975 3,225
- 1. rpggamer... 113,946
- 2. IndiGenus 109,196
- 3. war1 23,640
- 4. younghv 13,034
- 5. Sheharya... 13,014
- 6. r-k 12,874
- 7. phototropic 12,300
- 8. rindi 9,492
- 9. johnb6767 8,825
- 10. orangutang 8,605
- 11. justchat_1 7,424
- 12. Jonvee 7,350
- 13. briancassin 7,150
- 14. -Mystique- 6,824
- 15. michko 6,392
| 05.04.2008 at 05:34PM PDT, ID: 23375468 | Points: 500 |
|
[x]
Attachment Details
|
||
How to remove this? (could be a virus or trojan)
Tags:
Microsoft, Windows, XP and 2003 Server
Hi All
We tried to remove (ÖØÒª×ÊÁÏ×Ô¶¯±¸·Ý.exe and Autorun.inf) completely from our shared network drives which are running windows 2003 Sp2). This two files can be deleted but after a while they are recreated again.
In Autorun.inf , you may see this:
[autorun]
shell\open=´ò¿ª(&O)
shell\open\Command=ÖØÒª×ÊÁ
We run the CA antivirus and antispyware on the servers, it couldn't find any virus or spyware, we disabled autorun on all drives from group policy.
Please help
Thanks
Start your free trial to view this solution
We tried to remove (ÖØÒª×ÊÁÏ×Ô¶¯±¸·Ý.exe and Autorun.inf) completely from our shared network drives which are running windows 2003 Sp2). This two files can be deleted but after a while they are recreated again.
In Autorun.inf , you may see this:
[autorun]
shell\open=´ò¿ª(&O)
shell\open\Command=ÖØÒª×ÊÁ
We run the CA antivirus and antispyware on the servers, it couldn't find any virus or spyware, we disabled autorun on all drives from group policy.
Please help
Thanks
Question Stats
Zone:
Software
Question Asked By:
LioElectronic
Question Asked On:
05.04.2008
Participating Experts:
2
Points:
500
Views:
0
Translate:
Loading Advertisement...
Loading Advertisement...
| Microsoft |
- Internet Protocols
- Applications
- Development
- OS
- Hardware
- Windows Security
| Apple |
- Operating Systems
- Hardware
- Programming
- Networking
- Software
| Internet |
- Search Engines
- File Sharing
- WebTrends / Stats
- Spy / Ad Blockers
- Web Browsers
- New Net Users
- Web Development
- Chat / IM
- Anti Spam
- Web Servers
- Anti-Virus
- Email Clients
| Gamers |
- Tips
- Online / MMORPG
- Puzzle
- Emulators
- Action / Adventure
- Role Playing
- Consoles
- Game Programming
- Strategy
- Sports
- Misc
- Computer Games
| Digital Living |
- Hardware
- New Net Users
- New Users
- Software
- Digital Music
- Gaming World
- Home Security
- Apple
- Networking Hardware
| Virus & Spyware |
- Vulnerabilities
- IDS
- Encryption
- Anti-Virus
- Operating Systems Security
- Software Firewalls
- WebApplications
- Cell Phones
- Operating Systems
- Internet
- Hardware Firewalls
| Hardware |
- Handhelds / PDAs
- Displays / Monitors
- Components
- Networking Hardware
- Peripherals
- Laptops/Notebooks
- Storage
- Servers
- Desktops
- New Users
- Misc
- Apple
| Software |
- System Utilities
- Industry Specific
- Network Management
- Photos / Graphics
- Page Layout
- VMWare
- Misc
- Web Development
- OS
- CYGWIN
- Voice Recognition
- Message Queue
- Quality Assurance
- Security
- Firewalls
- MultiMedia Applications
- Development
- Database
- Office / Productivity
- Business Management
- OS/2 Apps
- Server Software
- Internet / Email
| ITPro |
- OS
- Storage
- Encryption
- Operating Systems Security
- Apple Hardware
- Laptops & Notebooks
- Servers
- Networking Hardware
- Peripherals
- Devices
- Displays / Monitors
- WebTrends / Stats
- Search Engines
- Firewalls
- WebApplications
- IDS
- Vulnerabilities
- Email Clients
- File Sharing
- Spy / Ad Blockers
- Web Browsers
- Web Servers
- Networking
- Anti-Virus
- Chat / IM
- Anti Spam
| Developer |
- Web Servers
- Web Browsers
- Game Programming
- Dev Tools
- Industry Specific
- Office / Productivity
- Database
- CYGWIN
- Web Development
- Search Engines
- File Sharing
- WebTrends / Stats
- Programming
- Content Management
- Application Servers
- Protocols
| Storage |
- Removable Backup Media
- Storage Technology
- Servers
- Grid
- Remote Access
- Backup / Restore
- Misc
- Hard Drives
| OS |
- Miscellaneous
- Security
- Development
- Linux
- VMWare
- MainFrame OS
- Unix
- Apple
- OS / 2
- AS / 400
- BeOS
- Microsoft
- VMS / OpenVMS
| Database |
- Oracle
- Miscellaneous
- MySQL
- Software
- Sybase
- Contact Management
- PostgreSQL
- Data Manipulation
- Clarion
- InterSystems Cache
- Siebel
- MUMPS
- OLAP
- SQLBase
- SAS
- GIS & GPS
- 4GL
- Berkeley DB
- DB2
- Informix
- Interbase / Firebird
- FoxPro
- Reporting
- LDAP
- Filemaker Pro
- MS SQL Server
- dBase
- MS Access
| Security |
- Misc
- Web Browsers
- Software Firewalls
- Operating Systems Security
- File Sharing
- Spy / Ad Blockers
- Vulnerabilities
- WebApplications
- IDS
- Anti-Virus
- Encryption
- Anti Spam
- Email Clients
- VPN
- Chat / IM
| Programming |
- Editors IDEs
- Installation
- Handhelds / PDAs
- Multimedia Programming
- System / Kernel
- Algorithms
- Game
- Signal Processing
- Project Management
- Open Source
- Database
- Misc
- Languages
- Processor Platforms
- Theory
| Web Development |
- Scripting
- Blogs
- Web Servers
- Software
- Search Engines
- Web Graphics
- Images
- Internet Marketing
- Images and Photos
- Components
- Document Imaging
- Web Languages/Standards
- Illustration
- WebApplications
- Fonts
- WebTrends / Stats
- Authoring
- Digital Camera Software
- Miscellaneous
| Networking |
- Protocols
- Apple Networking
- Network Management
- Message Queue
- Application Servers
- Content Management
- File Servers
- Email Servers
- Misc
- Java Editors & IDEs
- Wireless
- Networking Hardware
- Backup / Restore
- System Utilities
- ISPs & Hosting
- Web Servers
- Storage Technology
- Removable Backup Media
- Servers
- Broadband
- Grid
- OS / 2
- Novell Netware
- Unix Networking
- Windows Networking
- Security
- Telecommunications
- Operating Systems
- Linux Networking
| Other |
- Community Advisor
- Lounge
- Community Support
- New Net Users
- Philosophy / Religion
- Math / Science
- Miscellaneous
- URLs
- Expert Lounge
- Politics
- Puzzles / Riddles
| Community Support |
- Suggestions
- New to EE
- New Topics
- Community Advisor
- CleanUp
- Announcements
- General
- Feedback
- Input
- EE Bugs
| 05.04.2008 at 05:41PM PDT, ID: 21497541 |
There must be a running process which garantees that, even when you delete those files, they get created again.
Check two things:
1) Start > Programs > Starup
2) On the registry, search for the "run" keys (see attached screenshot) and look for any strange program/process loading on startup.
You might have a bigger problem, thow. Since that is a shared folder, this may be provoked by one of your client machines. Then, you would have to check every machine for the same startup programs.
Cheers,
PP
Check two things:
1) Start > Programs > Starup
2) On the registry, search for the "run" keys (see attached screenshot) and look for any strange program/process loading on startup.
You might have a bigger problem, thow. Since that is a shared folder, this may be provoked by one of your client machines. Then, you would have to check every machine for the same startup programs.
Cheers,
PP
| 05.04.2008 at 05:42PM PDT, ID: 21497545 |
I use Hyjackthis from Trend, but running this on a large network would be difficult, so might be worthwhile using Silent Runners script to process the results on logon...
http://www.trendsecure.com
for more info:
http://forums.techguy.org/
http://www.trendsecure.com
for more info:
http://forums.techguy.org/
| 05.04.2008 at 05:58PM PDT, ID: 21497580 |
I run registry and couldn't find anything strange.
only two items:
ctfmon.exe and updateMgr (acrobat 7.0)
only two items:
ctfmon.exe and updateMgr (acrobat 7.0)
| 05.04.2008 at 06:03PM PDT, ID: 21497591 |
Those are normal items/programs.
This may be a client machine doing this. Some malware found the share and keeps on putting those files in it. You could go through a couple of steps to identify the source of the situation.
1) Check the files for the owner. If a user on a client machine is, even if inadvertidly, creating the files, they would have that info.
2) Enable audit policy on the shared folder, in order to identify who is accessing it and creating files on it.
3) You could also temporarily disable the share, delete the files and check if they are created again. If they are, the problem is local. If they're not created, the problem is from a client machine which can no longer create the files on that share, since it is no longer shared.
Hope this helps.
Cheers,
PP
This may be a client machine doing this. Some malware found the share and keeps on putting those files in it. You could go through a couple of steps to identify the source of the situation.
1) Check the files for the owner. If a user on a client machine is, even if inadvertidly, creating the files, they would have that info.
2) Enable audit policy on the shared folder, in order to identify who is accessing it and creating files on it.
3) You could also temporarily disable the share, delete the files and check if they are created again. If they are, the problem is local. If they're not created, the problem is from a client machine which can no longer create the files on that share, since it is no longer shared.
Hope this helps.
Cheers,
PP
| 05.04.2008 at 06:05PM PDT, ID: 21497595 |
Anyway, don't forget debuggerau's suggestion to run Hyjackthis. You would have to run it, first locally and afterwards on every client machine where users with access to the share normally login.
Once again, Cheers,
Off to bed.
2:00AM, here and tomorrow is workday.
PP
Once again, Cheers,
Off to bed.
2:00AM, here and tomorrow is workday.
PP
| 05.05.2008 at 04:57PM PDT, ID: 21503902 |
If you script Silent runners into the logon script it will create logs of all running process at logon. Then you'll have a better chance to find the offending PC.
I'd suspect the file owner is a system account. but you never know, so check..
Might be best to look at the time/date of creation and see who is logging on then also. Try to match behavior with results somehow to help fasttrack a fix...
Also, check your security logs..
I'd suspect the file owner is a system account. but you never know, so check..
Might be best to look at the time/date of creation and see who is logging on then also. Try to match behavior with results somehow to help fasttrack a fix...
Also, check your security logs..
20080236-EE-VQP-29 / EE_QW_2_20070628
