
Autorun.inf and ircphate.exe Virus/Trojan

Hi

Environment
The network has approximately 30 users running Windows XP SP3.  The server is running Windows 2003 Server, this server is a member server acting in the role of the File server.  One of the shares created on the server has the two above mentioned files stored there - autorun.inf and ircphate.exe.  The attributes on the two files is shown as hidden.  I have used a variety of tools to try to remove this virus.  Sophos, Norton, Kapersky all with no luck.  The Sophos application was able to identify it however unable to clean the server of the file.

Each time a user access the share with the trojan Norton pops up indicating that it has quarantined the file.  The services running on that server are as follows

almon.exe
bill.exe - out call accounting software
csrss.exe
explorer.exe
jusched.exe
pkimon.exe
rdpclip.exe
savmain.exe
schedhlp.exe
taskmgr.exe
timeoutmonitor.exe
traymonitor.exe
winlogon.exe
wuacualt.exe

Could anyone advise on how I can successfully remove these files from my server?

Thanks
Asked by fudger

Seth_McCauley commented:
It sounds like there is another virus your scans aren't detecting that is downloading this one (a trojan downloader). Can you find a copy of this infected file, "ircphate.exe"? If so, try uploading it to an online virus scanner and post a link to the results so we can get more info about this virus:
http://www.virustotal.com

Also submit the virus here and post a link to the results:
http://anubis.iseclab.org/


As for the autorun.inf file, I strongly advise that you disable autorun on all of your computers. It is a method of spreading used by many viruses (mainly for spreading by flash drives). Disabling it will prevent further spread of this virus in your organization and prevent the spread of others in the future. There is a way to disable Autorun.inf (auto-launching applications from removable media) without disabling the Windows XP "Autoplay" feature (the menu that XP pops up when you insert removable media).

Below you will find a batch file that applies the registry changes needed to prevent execution of autorun.inf. You may need to reboot before this change takes effect.  I apply it to all computers via a Group Policy startup script. If you would like to know more about this trick, it is detailed in this article: http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks

@echo off
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d "@SYS:DoesNotExist"

fudger (Author) commented:
Hi

Please see all the trojans found by Sophos.  I tried uploading the ircphate.exe trojan onto the two suggested sites, however in both cases I am getting a permission error and the file is not allowing me to upload to the sites.

I will take your suggestion and disable the autorun.inf file from the computers in the network.

Any other suggestions for removing this trojan from my network?

Thanks
Attachment: sophos-quarantine.JPG

Seth_McCauley commented:
That may help, although I would like to see the results of those other scanners. The second one actually runs it in a sandbox and gives detailed results on the virus's behavior.

Your virus scanner is most likely blocking access to the file. You will need to temporarily (very briefly) disable your antivirus real-time scanner in order to upload the file. As soon as it is uploaded, turn the real-time protection back on.
fudger (Author) commented:
Hi

Please see the attached report.

Thanks
Attachment: http---anubis.iseclab.pdf

fudger (Author) commented:
Please see the contents of the autorun.inf file

[autorun]
open=ircphate.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=ircphate.exe
shell\open\default=1
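An added check, not code from this thread: a small Python parser that reads an autorun.inf like the one posted above and reports which entries would launch a program when the drive or share is opened, plus the folder-disguise cues (the SHELL32.dll,4 folder icon and the "Open folder" action text). The sample input is the autorun.inf from this thread; the function names are my own.

```python
"""Report what an autorun.inf would launch and whether it is dressed up as a folder.
Added example for this thread; the sample below is the autorun.inf fudger posted."""
import re
from typing import Dict, List, Tuple

# The autorun.inf posted in the thread, reproduced verbatim as sample input.
SAMPLE_AUTORUN = r"""[autorun]
open=ircphate.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=ircphate.exe
shell\open\default=1
"""

# Keys whose value is a program Windows may run when the media is opened.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... attaches a command to a context-menu verb.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section, keys lower-cased.
    Blank lines, ';' comments and other sections are ignored."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command: str) -> str:
    """Program part of a command line: a quoted name or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else command


def launch_targets(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (key, program) pairs that would execute something on open."""
    return [(key, first_token(value)) for key, value in entries.items()
            if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)]


def assess_autorun(text: str) -> List[str]:
    """Human-readable findings; an empty list means nothing is launched."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    findings = []
    for key, program in targets:
        # A bare filename resolves against the root of the drive or share,
        # which is where the hidden payload sits in this thread.
        relative = ":" not in program and not program.startswith("\\")
        note = " (relative path: a file in the root of the drive or share)" if relative else ""
        findings.append(f"{key}= launches {program}{note}")
    # Folder disguise: Explorer's own folder icon plus folder-like action text.
    if "shell32.dll,4" in entries.get("icon", "").lower():
        findings.append("icon= borrows Explorer's folder icon (SHELL32.dll,4)")
    if targets and "folder" in entries.get("action", "").lower():
        findings.append("action= text mimics the Autoplay 'open folder' choice")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print(finding)
```

Point it at the autorun.inf copied from a share root (open the file as text; do not double-click the share) to see which file the entries hand control to before deleting it.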
Seth_McCauley commented:
Excellent, thanks. I looked over the Anubis report and saw some very useful information. The viruses that show up in your Sophos quarantine list are generic names for virus behavior, most likely identified through heuristics (and not a specific virus signature).

"Mal/SillyFDC-A" is a class of viruses that spread via Autorun.inf.
"Mal/IRCBot-B" is a backdoor that allows remote access to an intruder via IRC channels.
"Mal/Behav-024" displays malware-like behavior. It seems to be related to "SillyFDC".
"Mal/AutoInf-C" is an Autorun.inf file that has been hijacked to run a virus.

The above viruses seem to have many different file names and locations they can go by, so finding everything manually would be difficult. I've provided some steps below that will help speed this up. I think the best course of action is to prevent the virus from running and then run the full scans again. Can this server be taken offline? It might be necessary to fully remove the infection. Here is what I recommend:

1) If this server is heavily used, schedule an outage (if possible).

2) Run regedit and remove entries for "ircphate.exe" and any other suspicious executable from the following locations:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load"
Note: You may need to look in more places than "Current User" if you regularly log into this server with more than one account. In that case, you may need to check each of the "HKEY_USERS\___(SID)___" keys in place of HKCU.

3) Restart the server in safe mode immediately after changing the registry settings.

4) From safe mode, run regedit and repeat step 2 to ensure the malicious registry entries have not returned.

5) Delete all files from "C:\Windows\Temp". Delete all temp files from "C:\Documents and Settings\USERNAME\Local Settings\Temp" for anyone who regularly accesses the server. If you get an error deleting some files (such as "Perflib_Perfdata_XXX.dat" files), skip those types of files and delete the rest. This is a lot easier from the command line, because (for example) del /q "c:\Windows\Temp\*.*" will delete everything it can and skip the files it can't.

6) Delete these folders if found:
C:\Downloads (if you had created this folder, skip files you know belong there)
C:\P (may be a randomly generated name)

7) Delete these files if found:
C:\kbfy.exeler.exe (may be a randomly generated name)
C:\cbuzbhosw.exee (may be a randomly generated name)
C:\autorun.inf

8) Repeat steps 5-6 for the root of all drives and shares.

9) Remove other files used by the virus...
I put together a batch file that checks for any of the known filenames used by the viruses above (except randomly generated ones). I did not have it delete anything, in case one of these is a false positive. Save the text below as a ".bat" file and run it (it doesn't matter where you run it from). Notepad should open with a list of files which may be related to the virus. Unless you are certain these are safe, I recommend you delete anything this comes up with. I confirmed that the list was empty (no false positives) on a clean Windows XP machine and on a 2003 server.

10) Run full scans with any virus utilities you have. Some scanners will not work in safe mode, although it's rare. If that happens, run everything you can, reboot, then run the scanner after a normal boot. In addition to virus scanning, I recommend you scan with Spybot, Adaware, Malwarebytes, and SuperAntiSpyware (even if you have already). Also, although I'm sure this is obvious, make sure all your anti-malware utilities are fully up-to-date before scanning.

Malwarebytes Anti-Malware
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Spybot - Search & Destroy
http://download.cnet.com/Spybot-Search-amp-Destroy/3000-8022_4-10122137.html

Ad-Aware Free Anti-Malware
http://download.cnet.com/Ad-Aware-Free-Anti-Malware/3000-8022_4-10045910.html

SuperAntiSpyware Free Edition
http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html


11) Restart Windows normally and check to see if any of the files returned. You may need to repeat step 10 in order to fully remove the infection.

@echo off
rem The placeholder names used below (%System%, %CommonAppData%, %CommonDocuments%,
rem %CommonPrograms%, %DownloadedProgramFiles%, %Profiles%) are not standard
rem environment variables on XP/2003, so define them before the checks run.
set "System=%SystemRoot%\system32"
set "CommonAppData=%AllUsersProfile%\Application Data"
set "CommonDocuments=%AllUsersProfile%\Documents"
set "CommonPrograms=%AllUsersProfile%\Start Menu\Programs"
set "DownloadedProgramFiles=%SystemRoot%\Downloaded Program Files"
set "Profiles=%SystemDrive%\Documents and Settings"
echo The following files have been flagged as suspicious: >SuspiciousFilesLog.txt
echo ===================================================== >>SuspiciousFilesLog.txt
if exist "%AllUsersProfile%\smss.exe" echo %AllUsersProfile%\smss.exe>>SuspiciousFilesLog.txt
if exist "%AppData%\microsoft\cd burning\auto.exe" echo %AppData%\microsoft\cd burning\auto.exe>>SuspiciousFilesLog.txt
if exist "%AppData%\microsoft\explorer1.exe" echo %AppData%\microsoft\explorer1.exe>>SuspiciousFilesLog.txt
if exist "%AppData%\microsoft\vinlog.exe" echo %AppData%\microsoft\vinlog.exe>>SuspiciousFilesLog.txt
if exist "%AppData%\microsoft\winlog.exe" echo %AppData%\microsoft\winlog.exe>>SuspiciousFilesLog.txt
if exist "%AppData%\microsoft\winlogom.exe" echo %AppData%\microsoft\winlogom.exe>>SuspiciousFilesLog.txt
if exist "%AppData%\microsoft\winlogon.exe" echo %AppData%\microsoft\winlogon.exe>>SuspiciousFilesLog.txt
if exist "%AppData%\servicehost.dll" echo %AppData%\servicehost.dll>>SuspiciousFilesLog.txt
if exist "%AppData%\sysdate.dll" echo %AppData%\sysdate.dll>>SuspiciousFilesLog.txt
if exist "%CommonAppData%\%computername%\snhost.exe" echo %CommonAppData%\%computername%\snhost.exe>>SuspiciousFilesLog.txt
if exist "%CommonAppData%\fearghus\lsass.exe" echo %CommonAppData%\fearghus\lsass.exe>>SuspiciousFilesLog.txt
if exist "%CommonAppData%\microsoft\usb2.0\usb-hi.exe" echo %CommonAppData%\microsoft\usb2.0\usb-hi.exe>>SuspiciousFilesLog.txt
if exist "%CommonAppData%\winmgmt.exe" echo %CommonAppData%\winmgmt.exe>>SuspiciousFilesLog.txt
if exist "%CommonDocuments%\netspeedshare.exe" echo %CommonDocuments%\netspeedshare.exe>>SuspiciousFilesLog.txt
if exist "%CommonPrograms%\startup\hotkeydrive.exe" echo %CommonPrograms%\startup\hotkeydrive.exe>>SuspiciousFilesLog.txt
if exist "%CommonPrograms%\startup\kbdrv16.com" echo %CommonPrograms%\startup\kbdrv16.com>>SuspiciousFilesLog.txt
if exist "%DownloadedProgramFiles%\svchost.exe" echo %DownloadedProgramFiles%\svchost.exe>>SuspiciousFilesLog.txt
if exist "%Profiles%\photo\photo1.exe" echo %Profiles%\photo\photo1.exe>>SuspiciousFilesLog.txt
if exist "%ProgramFiles%\common files\system\runn.exe" echo %ProgramFiles%\common files\system\runn.exe>>SuspiciousFilesLog.txt
if exist "%ProgramFiles%\common files\system\winlogon.exe" echo %ProgramFiles%\common files\system\winlogon.exe>>SuspiciousFilesLog.txt
if exist "%ProgramFiles%\common files\system\winsver.exe" echo %ProgramFiles%\common files\system\winsver.exe>>SuspiciousFilesLog.txt
if exist "%ProgramFiles%\internet explorer\signup\conime.exe" echo %ProgramFiles%\internet explorer\signup\conime.exe>>SuspiciousFilesLog.txt
if exist "%ProgramFiles%\meex.exe" echo %ProgramFiles%\meex.exe>>SuspiciousFilesLog.txt
if exist "%ProgramFiles%\windowsupdate.exe" echo %ProgramFiles%\windowsupdate.exe>>SuspiciousFilesLog.txt
if exist "%System%\%computername%\my_heart.exe" echo %System%\%computername%\my_heart.exe>>SuspiciousFilesLog.txt
if exist "%System%\360safefix.dll" echo %System%\360safefix.dll>>SuspiciousFilesLog.txt
if exist "%System%\3800hk.dll" echo %System%\3800hk.dll>>SuspiciousFilesLog.txt
if exist "%System%\algs.exe" echo %System%\algs.exe>>SuspiciousFilesLog.txt
if exist "%System%\antieng.dll" echo %System%\antieng.dll>>SuspiciousFilesLog.txt
if exist "%System%\avjcsrvx.exe" echo %System%\avjcsrvx.exe>>SuspiciousFilesLog.txt
if exist "%System%\baidu.exe" echo %System%\baidu.exe>>SuspiciousFilesLog.txt
if exist "%System%\bserver.dll" echo %System%\bserver.dll>>SuspiciousFilesLog.txt
if exist "%System%\cache\syssafe.exe" echo %System%\cache\syssafe.exe>>SuspiciousFilesLog.txt
if exist "%System%\cbak.exe" echo %System%\cbak.exe>>SuspiciousFilesLog.txt
if exist "%System%\cltmon.exe" echo %System%\cltmon.exe>>SuspiciousFilesLog.txt
if exist "%System%\cmpop.exe" echo %System%\cmpop.exe>>SuspiciousFilesLog.txt
if exist "%System%\configs.exe" echo %System%\configs.exe>>SuspiciousFilesLog.txt
if exist "%System%\cool_gamesetup.exe.exe" echo %System%\cool_gamesetup.exe.exe>>SuspiciousFilesLog.txt
if exist "%System%\davfinci.scr" echo %System%\davfinci.scr>>SuspiciousFilesLog.txt
if exist "%System%\dllcache\smnpcl.dll" echo %System%\dllcache\smnpcl.dll>>SuspiciousFilesLog.txt
if exist "%System%\dllcache\svchost.exe" echo %System%\dllcache\svchost.exe>>SuspiciousFilesLog.txt
if exist "%System%\driro.exe" echo %System%\driro.exe>>SuspiciousFilesLog.txt
if exist "%System%\drivers\etc\systems.exe" echo %System%\drivers\etc\systems.exe>>SuspiciousFilesLog.txt
if exist "%System%\drivers\spoclsv.exe" echo %System%\drivers\spoclsv.exe>>SuspiciousFilesLog.txt
if exist "%System%\drivers\suchost.exe" echo %System%\drivers\suchost.exe>>SuspiciousFilesLog.txt
if exist "%System%\drivers\svchosl.exe" echo %System%\drivers\svchosl.exe>>SuspiciousFilesLog.txt
if exist "%System%\drivers\txp1atform.exe" echo %System%\drivers\txp1atform.exe>>SuspiciousFilesLog.txt
if exist "%System%\exp1orer.exe" echo %System%\exp1orer.exe>>SuspiciousFilesLog.txt
if exist "%System%\explore.exe" echo %System%\explore.exe>>SuspiciousFilesLog.txt
if exist "%System%\explorer.exe" echo %System%\explorer.exe>>SuspiciousFilesLog.txt
if exist "%System%\extensionsk.exe" echo %System%\extensionsk.exe>>SuspiciousFilesLog.txt
if exist "%System%\fordown.exe" echo %System%\fordown.exe>>SuspiciousFilesLog.txt
if exist "%System%\grouppolicy\bttnserv.exe" echo %System%\grouppolicy\bttnserv.exe>>SuspiciousFilesLog.txt
if exist "%System%\icondrv.exe" echo %System%\icondrv.exe>>SuspiciousFilesLog.txt
if exist "%System%\icwutieinll.dll" echo %System%\icwutieinll.dll>>SuspiciousFilesLog.txt
if exist "%System%\imaps.exe" echo %System%\imaps.exe>>SuspiciousFilesLog.txt
if exist "%System%\inets2n.exe" echo %System%\inets2n.exe>>SuspiciousFilesLog.txt
if exist "%System%\isass.exe" echo %System%\isass.exe>>SuspiciousFilesLog.txt
if exist "%System%\ixerhq.exe" echo %System%\ixerhq.exe>>SuspiciousFilesLog.txt
if exist "%System%\jksing.dll" echo %System%\jksing.dll>>SuspiciousFilesLog.txt
if exist "%System%\keyboard\services.exe" echo %System%\keyboard\services.exe>>SuspiciousFilesLog.txt
if exist "%System%\kxuaqm.exe" echo %System%\kxuaqm.exe>>SuspiciousFilesLog.txt
if exist "%System%\lnkstfb.exe" echo %System%\lnkstfb.exe>>SuspiciousFilesLog.txt
if exist "%System%\local.dll" echo %System%\local.dll>>SuspiciousFilesLog.txt
if exist "%System%\lofsdjbo.dll" echo %System%\lofsdjbo.dll>>SuspiciousFilesLog.txt
if exist "%System%\loinplay.exe" echo %System%\loinplay.exe>>SuspiciousFilesLog.txt
if exist "%System%\microsoftcorporation.dll" echo %System%\microsoftcorporation.dll>>SuspiciousFilesLog.txt
if exist "%System%\mndhfdwd.dll" echo %System%\mndhfdwd.dll>>SuspiciousFilesLog.txt
if exist "%System%\msarti.com" echo %System%\msarti.com>>SuspiciousFilesLog.txt
if exist "%System%\mscidaemon.dll" echo %System%\mscidaemon.dll>>SuspiciousFilesLog.txt
if exist "%System%\msiexec16.exe" echo %System%\msiexec16.exe>>SuspiciousFilesLog.txt
if exist "%System%\msn.exe" echo %System%\msn.exe>>SuspiciousFilesLog.txt
if exist "%System%\msnrmgs.exe" echo %System%\msnrmgs.exe>>SuspiciousFilesLog.txt
if exist "%System%\my_heart.exe" echo %System%\my_heart.exe>>SuspiciousFilesLog.txt
if exist "%System%\network.dll" echo %System%\network.dll>>SuspiciousFilesLog.txt
if exist "%System%\nvsvc86.exe" echo %System%\nvsvc86.exe>>SuspiciousFilesLog.txt
if exist "%System%\proxykrn.exe" echo %System%\proxykrn.exe>>SuspiciousFilesLog.txt
if exist "%System%\qin58.exe" echo %System%\qin58.exe>>SuspiciousFilesLog.txt
if exist "%System%\qq.dll" echo %System%\qq.dll>>SuspiciousFilesLog.txt
if exist "%System%\rejoice.dll" echo %System%\rejoice.dll>>SuspiciousFilesLog.txt
if exist "%System%\rodri.exe" echo %System%\rodri.exe>>SuspiciousFilesLog.txt
if exist "%System%\s.exe" echo %System%\s.exe>>SuspiciousFilesLog.txt
if exist "%System%\servidor.exe" echo %System%\servidor.exe>>SuspiciousFilesLog.txt
if exist "%System%\sizhu.exe" echo %System%\sizhu.exe>>SuspiciousFilesLog.txt
if exist "%System%\smms.exe" echo %System%\smms.exe>>SuspiciousFilesLog.txt
if exist "%System%\sorck.exe" echo %System%\sorck.exe>>SuspiciousFilesLog.txt
if exist "%System%\spoclsv.exe" echo %System%\spoclsv.exe>>SuspiciousFilesLog.txt
if exist "%System%\stormserver.dll" echo %System%\stormserver.dll>>SuspiciousFilesLog.txt
if exist "%System%\svchosts.exe" echo %System%\svchosts.exe>>SuspiciousFilesLog.txt
if exist "%System%\sys.exe" echo %System%\sys.exe>>SuspiciousFilesLog.txt
if exist "%System%\system32dll.exe" echo %System%\system32dll.exe>>SuspiciousFilesLog.txt
if exist "%System%\system64.exe" echo %System%\system64.exe>>SuspiciousFilesLog.txt
if exist "%System%\systen.exe" echo %System%\systen.exe>>SuspiciousFilesLog.txt
if exist "%System%\tmp.exe" echo %System%\tmp.exe>>SuspiciousFilesLog.txt
if exist "%System%\twain.dll" echo %System%\twain.dll>>SuspiciousFilesLog.txt
if exist "%System%\twain0.dll" echo %System%\twain0.dll>>SuspiciousFilesLog.txt
if exist "%System%\users.exe" echo %System%\users.exe>>SuspiciousFilesLog.txt
if exist "%System%\vest.dll" echo %System%\vest.dll>>SuspiciousFilesLog.txt
if exist "%System%\vmdetdhc.exe" echo %System%\vmdetdhc.exe>>SuspiciousFilesLog.txt
if exist "%System%\w32module.exe" echo %System%\w32module.exe>>SuspiciousFilesLog.txt
if exist "%System%\weiai.exe" echo %System%\weiai.exe>>SuspiciousFilesLog.txt
if exist "%System%\windns32.dll" echo %System%\windns32.dll>>SuspiciousFilesLog.txt
if exist "%System%\windowsupdt.exe" echo %System%\windowsupdt.exe>>SuspiciousFilesLog.txt
if exist "%System%\winflags.scr" echo %System%\winflags.scr>>SuspiciousFilesLog.txt
if exist "%System%\winsys32_070122.dll" echo %System%\winsys32_070122.dll>>SuspiciousFilesLog.txt
if exist "%System%\winsys32_070123.dll" echo %System%\winsys32_070123.dll>>SuspiciousFilesLog.txt
if exist "%System%\wintmp.exe" echo %System%\wintmp.exe>>SuspiciousFilesLog.txt
if exist "%System%\winwps32.dll" echo %System%\winwps32.dll>>SuspiciousFilesLog.txt
if exist "%System%\wsafs.exe" echo %System%\wsafs.exe>>SuspiciousFilesLog.txt
if exist "%Temp%\0004a312_rar\smss.exe" echo %Temp%\0004a312_rar\smss.exe>>SuspiciousFilesLog.txt
if exist "%Temp%\0004a499_rar\smss.exe" echo %Temp%\0004a499_rar\smss.exe>>SuspiciousFilesLog.txt
if exist "%Temp%\1045.exe" echo %Temp%\1045.exe>>SuspiciousFilesLog.txt
if exist "%Temp%\ixp000.tmp\02.exe" echo %Temp%\ixp000.tmp\02.exe>>SuspiciousFilesLog.txt
if exist "%Temp%\new threat\icondrv.exe" echo %Temp%\new threat\icondrv.exe>>SuspiciousFilesLog.txt
if exist "%Temp%\symantec\windowsxp.exe" echo %Temp%\symantec\windowsxp.exe>>SuspiciousFilesLog.txt
if exist "%Temp%\temp\server.exe" echo %Temp%\temp\server.exe>>SuspiciousFilesLog.txt
if exist "%Temp%\tt.exe" echo %Temp%\tt.exe>>SuspiciousFilesLog.txt
if exist "%UserProfile%\lsass.exe" echo %UserProfile%\lsass.exe>>SuspiciousFilesLog.txt
if exist "%UserProfile%\smss.exe" echo %UserProfile%\smss.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\autorun.exe" echo %Windir%\autorun.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\conf.exe" echo %Windir%\conf.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\config_.com" echo %Windir%\config_.com>>SuspiciousFilesLog.txt
if exist "%Windir%\config_.exe" echo %Windir%\config_.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\dcbdcatys32_080716a.dll" echo %Windir%\dcbdcatys32_080716a.dll>>SuspiciousFilesLog.txt
if exist "%Windir%\firewalls.exe" echo %Windir%\firewalls.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\game.exe" echo %Windir%\game.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\help\hlps.exe" echo %Windir%\help\hlps.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\livemessenger.com" echo %Windir%\livemessenger.com>>SuspiciousFilesLog.txt
if exist "%Windir%\logout.exe" echo %Windir%\logout.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\lsass.exe" echo %Windir%\lsass.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\lsasser.exe" echo %Windir%\lsasser.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\mscalc.exe" echo %Windir%\mscalc.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\msnmsgr.exe" echo %Windir%\msnmsgr.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\msnsmgr.exe" echo %Windir%\msnsmgr.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\ntmssvc.dll" echo %Windir%\ntmssvc.dll>>SuspiciousFilesLog.txt
if exist "%Windir%\pchealth\helpctr\msconfig.exe" echo %Windir%\pchealth\helpctr\msconfig.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\pictures.exe" echo %Windir%\pictures.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\rodri.exe" echo %Windir%\rodri.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\runsdlls.exe" echo %Windir%\runsdlls.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\services.exe" echo %Windir%\services.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\settings.exe" echo %Windir%\settings.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\smss.exe" echo %Windir%\smss.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\startupfolder.com" echo %Windir%\startupfolder.com>>SuspiciousFilesLog.txt
if exist "%Windir%\startupfolder.exe" echo %Windir%\startupfolder.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system\config_.com" echo %Windir%\system\config_.com>>SuspiciousFilesLog.txt
if exist "%Windir%\system\config_.exe" echo %Windir%\system\config_.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system\csrss.exe" echo %Windir%\system\csrss.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system\mscalc.exe" echo %Windir%\system\mscalc.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system\msvc32s.exe" echo %Windir%\system\msvc32s.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system\startupfolder.com" echo %Windir%\system\startupfolder.com>>SuspiciousFilesLog.txt
if exist "%Windir%\system\startupfolder.exe" echo %Windir%\system\startupfolder.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system\svchost.exe" echo %Windir%\system\svchost.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system\windows.exe" echo %Windir%\system\windows.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system32\config_.com" echo %Windir%\system32\config_.com>>SuspiciousFilesLog.txt
if exist "%Windir%\system32\config_.exe" echo %Windir%\system32\config_.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system32\kkk.txt" echo %Windir%\system32\kkk.txt>>SuspiciousFilesLog.txt
if exist "%Windir%\system32\mscalc.exe" echo %Windir%\system32\mscalc.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system32\startupfolder.com" echo %Windir%\system32\startupfolder.com>>SuspiciousFilesLog.txt
if exist "%Windir%\system32\startupfolder.exe" echo %Windir%\system32\startupfolder.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system32ratbot.exe" echo %Windir%\system32ratbot.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\system32stopaor.exe" echo %Windir%\system32stopaor.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\systen32\svchost.exe" echo %Windir%\systen32\svchost.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\taskmam.exe" echo %Windir%\taskmam.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\tasks\scvhost.exe" echo %Windir%\tasks\scvhost.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\tttt.exe" echo %Windir%\tttt.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\vxds.exe" echo %Windir%\vxds.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\windowsxp.exe" echo %Windir%\windowsxp.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\winhost32.exe" echo %Windir%\winhost32.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\winlogon.exe" echo %Windir%\winlogon.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\wkssevr.exe" echo %Windir%\wkssevr.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\wmdupdate.exe" echo %Windir%\wmdupdate.exe>>SuspiciousFilesLog.txt
if exist "%Windir%\xccdf32_080926a.dll" echo %Windir%\xccdf32_080926a.dll>>SuspiciousFilesLog.txt
if exist "c:\auto.exe" echo c:\auto.exe>>SuspiciousFilesLog.txt
if exist "c:\boot.exe" echo c:\boot.exe>>SuspiciousFilesLog.txt
if exist "c:\bootsect.exe" echo c:\bootsect.exe>>SuspiciousFilesLog.txt
if exist "c:\file1.exe" echo c:\file1.exe>>SuspiciousFilesLog.txt
if exist "c:\game.exe" echo c:\game.exe>>SuspiciousFilesLog.txt
if exist "c:\image\svchost.exe" echo c:\image\svchost.exe>>SuspiciousFilesLog.txt
if exist "c:\inetpub.exe" echo c:\inetpub.exe>>SuspiciousFilesLog.txt
if exist "c:\lsass.exe" echo c:\lsass.exe>>SuspiciousFilesLog.txt
if exist "c:\ms-dos\ntdlr.com" echo c:\ms-dos\ntdlr.com>>SuspiciousFilesLog.txt
if exist "c:\new.exe" echo c:\new.exe>>SuspiciousFilesLog.txt
if exist "c:\pictures.exe" echo c:\pictures.exe>>SuspiciousFilesLog.txt
if exist "c:\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\sys.exe" echo c:\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\sys.exe>>SuspiciousFilesLog.txt
if exist "c:\recycler\autoplay.exe" echo c:\recycler\autoplay.exe>>SuspiciousFilesLog.txt
if exist "c:\services.exe" echo c:\services.exe>>SuspiciousFilesLog.txt
if exist "c:\sexygirls.exe" echo c:\sexygirls.exe>>SuspiciousFilesLog.txt
if exist "c:\shirinfarazk.exe" echo c:\shirinfarazk.exe>>SuspiciousFilesLog.txt
if exist "c:\smss.exe" echo c:\smss.exe>>SuspiciousFilesLog.txt
if exist "c:\windows.exe" echo c:\windows.exe>>SuspiciousFilesLog.txt
if exist "c:\winlogon.exe" echo c:\winlogon.exe>>SuspiciousFilesLog.txt
start notepad SuspiciousFilesLog.txt

Seth_McCauley commented:
Also, here is a version of that batch file that actually deletes those suspicious files for you instead of just listing them. I have it prompt for deletion on each file just to be safe. If you want it to go through the whole list without prompting, do a find/replace in notepad: replace "del /p" with "del".
@echo off
rem Same placeholder definitions as the listing-only version: these names are
rem not standard environment variables on XP/2003.
set "System=%SystemRoot%\system32"
set "CommonAppData=%AllUsersProfile%\Application Data"
set "CommonDocuments=%AllUsersProfile%\Documents"
set "CommonPrograms=%AllUsersProfile%\Start Menu\Programs"
set "DownloadedProgramFiles=%SystemRoot%\Downloaded Program Files"
set "Profiles=%SystemDrive%\Documents and Settings"
echo The following files have been flagged as suspicious and will be deleted:
echo =====================================================
echo.
if exist "%AllUsersProfile%\smss.exe" del /p "%AllUsersProfile%\smss.exe"
if exist "%AppData%\microsoft\cd burning\auto.exe" del /p "%AppData%\microsoft\cd burning\auto.exe"
if exist "%AppData%\microsoft\explorer1.exe" del /p "%AppData%\microsoft\explorer1.exe"
if exist "%AppData%\microsoft\vinlog.exe" del /p "%AppData%\microsoft\vinlog.exe"
if exist "%AppData%\microsoft\winlog.exe" del /p "%AppData%\microsoft\winlog.exe"
if exist "%AppData%\microsoft\winlogom.exe" del /p "%AppData%\microsoft\winlogom.exe"
if exist "%AppData%\microsoft\winlogon.exe" del /p "%AppData%\microsoft\winlogon.exe"
if exist "%AppData%\servicehost.dll" del /p "%AppData%\servicehost.dll"
if exist "%AppData%\sysdate.dll" del /p "%AppData%\sysdate.dll"
if exist "%CommonAppData%\%computername%\snhost.exe" del /p "%CommonAppData%\%computername%\snhost.exe"
if exist "%CommonAppData%\fearghus\lsass.exe" del /p "%CommonAppData%\fearghus\lsass.exe"
if exist "%CommonAppData%\microsoft\usb2.0\usb-hi.exe" del /p "%CommonAppData%\microsoft\usb2.0\usb-hi.exe"
if exist "%CommonAppData%\winmgmt.exe" del /p "%CommonAppData%\winmgmt.exe"
if exist "%CommonDocuments%\netspeedshare.exe" del /p "%CommonDocuments%\netspeedshare.exe"
if exist "%CommonPrograms%\startup\hotkeydrive.exe" del /p "%CommonPrograms%\startup\hotkeydrive.exe"
if exist "%CommonPrograms%\startup\kbdrv16.com" del /p "%CommonPrograms%\startup\kbdrv16.com"
if exist "%DownloadedProgramFiles%\svchost.exe" del /p "%DownloadedProgramFiles%\svchost.exe"
if exist "%Profiles%\photo\photo1.exe" del /p "%Profiles%\photo\photo1.exe"
if exist "%ProgramFiles%\common files\system\runn.exe" del /p "%ProgramFiles%\common files\system\runn.exe"
if exist "%ProgramFiles%\common files\system\winlogon.exe" del /p "%ProgramFiles%\common files\system\winlogon.exe"
if exist "%ProgramFiles%\common files\system\winsver.exe" del /p "%ProgramFiles%\common files\system\winsver.exe"
if exist "%ProgramFiles%\internet explorer\signup\conime.exe" del /p "%ProgramFiles%\internet explorer\signup\conime.exe"
if exist "%ProgramFiles%\meex.exe" del /p "%ProgramFiles%\meex.exe"
if exist "%ProgramFiles%\windowsupdate.exe" del /p "%ProgramFiles%\windowsupdate.exe"
if exist "%System%\%computername%\my_heart.exe" del /p "%System%\%computername%\my_heart.exe"
if exist "%System%\360safefix.dll" del /p "%System%\360safefix.dll"
if exist "%System%\3800hk.dll" del /p "%System%\3800hk.dll"
if exist "%System%\algs.exe" del /p "%System%\algs.exe"
if exist "%System%\antieng.dll" del /p "%System%\antieng.dll"
if exist "%System%\avjcsrvx.exe" del /p "%System%\avjcsrvx.exe"
if exist "%System%\baidu.exe" del /p "%System%\baidu.exe"
if exist "%System%\bserver.dll" del /p "%System%\bserver.dll"
if exist "%System%\cache\syssafe.exe" del /p "%System%\cache\syssafe.exe"
if exist "%System%\cbak.exe" del /p "%System%\cbak.exe"
if exist "%System%\cltmon.exe" del /p "%System%\cltmon.exe"
if exist "%System%\cmpop.exe" del /p "%System%\cmpop.exe"
if exist "%System%\configs.exe" del /p "%System%\configs.exe"
if exist "%System%\cool_gamesetup.exe.exe" del /p "%System%\cool_gamesetup.exe.exe"
if exist "%System%\davfinci.scr" del /p "%System%\davfinci.scr"
if exist "%System%\dllcache\smnpcl.dll" del /p "%System%\dllcache\smnpcl.dll"
if exist "%System%\dllcache\svchost.exe" del /p "%System%\dllcache\svchost.exe"
if exist "%System%\driro.exe" del /p "%System%\driro.exe"
if exist "%System%\drivers\etc\systems.exe" del /p "%System%\drivers\etc\systems.exe"
if exist "%System%\drivers\spoclsv.exe" del /p "%System%\drivers\spoclsv.exe"
if exist "%System%\drivers\suchost.exe" del /p "%System%\drivers\suchost.exe"
if exist "%System%\drivers\svchosl.exe" del /p "%System%\drivers\svchosl.exe"
if exist "%System%\drivers\txp1atform.exe" del /p "%System%\drivers\txp1atform.exe"
if exist "%System%\exp1orer.exe" del /p "%System%\exp1orer.exe"
if exist "%System%\explore.exe" del /p "%System%\explore.exe"
if exist "%System%\explorer.exe" del /p "%System%\explorer.exe"
if exist "%System%\extensionsk.exe" del /p "%System%\extensionsk.exe"
if exist "%System%\fordown.exe" del /p "%System%\fordown.exe"
if exist "%System%\grouppolicy\bttnserv.exe" del /p "%System%\grouppolicy\bttnserv.exe"
if exist "%System%\icondrv.exe" del /p "%System%\icondrv.exe"
if exist "%System%\icwutieinll.dll" del /p "%System%\icwutieinll.dll"
if exist "%System%\imaps.exe" del /p "%System%\imaps.exe"
if exist "%System%\inets2n.exe" del /p "%System%\inets2n.exe"
if exist "%System%\isass.exe" del /p "%System%\isass.exe"
if exist "%System%\ixerhq.exe" del /p "%System%\ixerhq.exe"
if exist "%System%\jksing.dll" del /p "%System%\jksing.dll"
if exist "%System%\keyboard\services.exe" del /p "%System%\keyboard\services.exe"
if exist "%System%\kxuaqm.exe" del /p "%System%\kxuaqm.exe"
if exist "%System%\lnkstfb.exe" del /p "%System%\lnkstfb.exe"
if exist "%System%\local.dll" del /p "%System%\local.dll"
if exist "%System%\lofsdjbo.dll" del /p "%System%\lofsdjbo.dll"
if exist "%System%\loinplay.exe" del /p "%System%\loinplay.exe"
if exist "%System%\microsoftcorporation.dll" del /p "%System%\microsoftcorporation.dll"
if exist "%System%\mndhfdwd.dll" del /p "%System%\mndhfdwd.dll"
if exist "%System%\msarti.com" del /p "%System%\msarti.com"
if exist "%System%\mscidaemon.dll" del /p "%System%\mscidaemon.dll"
if exist "%System%\msiexec16.exe" del /p "%System%\msiexec16.exe"
if exist "%System%\msn.exe" del /p "%System%\msn.exe"
if exist "%System%\msnrmgs.exe" del /p "%System%\msnrmgs.exe"
if exist "%System%\my_heart.exe" del /p "%System%\my_heart.exe"
if exist "%System%\network.dll" del /p "%System%\network.dll"
if exist "%System%\nvsvc86.exe" del /p "%System%\nvsvc86.exe"
if exist "%System%\proxykrn.exe" del /p "%System%\proxykrn.exe"
if exist "%System%\qin58.exe" del /p "%System%\qin58.exe"
if exist "%System%\qq.dll" del /p "%System%\qq.dll"
if exist "%System%\rejoice.dll" del /p "%System%\rejoice.dll"
if exist "%System%\rodri.exe" del /p "%System%\rodri.exe"
if exist "%System%\s.exe" del /p "%System%\s.exe"
if exist "%System%\servidor.exe" del /p "%System%\servidor.exe"
if exist "%System%\sizhu.exe" del /p "%System%\sizhu.exe"
if exist "%System%\smms.exe" del /p "%System%\smms.exe"
if exist "%System%\sorck.exe" del /p "%System%\sorck.exe"
if exist "%System%\spoclsv.exe" del /p "%System%\spoclsv.exe"
if exist "%System%\stormserver.dll" del /p "%System%\stormserver.dll"
if exist "%System%\svchosts.exe" del /p "%System%\svchosts.exe"
if exist "%System%\sys.exe" del /p "%System%\sys.exe"
if exist "%System%\system32dll.exe" del /p "%System%\system32dll.exe"
if exist "%System%\system64.exe" del /p "%System%\system64.exe"
if exist "%System%\systen.exe" del /p "%System%\systen.exe"
if exist "%System%\tmp.exe" del /p "%System%\tmp.exe"
if exist "%System%\twain.dll" del /p "%System%\twain.dll"
if exist "%System%\twain0.dll" del /p "%System%\twain0.dll"
if exist "%System%\users.exe" del /p "%System%\users.exe"
if exist "%System%\vest.dll" del /p "%System%\vest.dll"
if exist "%System%\vmdetdhc.exe" del /p "%System%\vmdetdhc.exe"
if exist "%System%\w32module.exe" del /p "%System%\w32module.exe"
if exist "%System%\weiai.exe" del /p "%System%\weiai.exe"
if exist "%System%\windns32.dll" del /p "%System%\windns32.dll"
if exist "%System%\windowsupdt.exe" del /p "%System%\windowsupdt.exe"
if exist "%System%\winflags.scr" del /p "%System%\winflags.scr"
if exist "%System%\winsys32_070122.dll" del /p "%System%\winsys32_070122.dll"
if exist "%System%\winsys32_070123.dll" del /p "%System%\winsys32_070123.dll"
if exist "%System%\wintmp.exe" del /p "%System%\wintmp.exe"
if exist "%System%\winwps32.dll" del /p "%System%\winwps32.dll"
if exist "%System%\wsafs.exe" del /p "%System%\wsafs.exe"
if exist "%Temp%\0004a312_rar\smss.exe" del /p "%Temp%\0004a312_rar\smss.exe"
if exist "%Temp%\0004a499_rar\smss.exe" del /p "%Temp%\0004a499_rar\smss.exe"
if exist "%Temp%\1045.exe" del /p "%Temp%\1045.exe"
if exist "%Temp%\ixp000.tmp\02.exe" del /p "%Temp%\ixp000.tmp\02.exe"
if exist "%Temp%\new threat\icondrv.exe" del /p "%Temp%\new threat\icondrv.exe"
if exist "%Temp%\symantec\windowsxp.exe" del /p "%Temp%\symantec\windowsxp.exe"
if exist "%Temp%\temp\server.exe" del /p "%Temp%\temp\server.exe"
if exist "%Temp%\tt.exe" del /p "%Temp%\tt.exe"
if exist "%UserProfile%\lsass.exe" del /p "%UserProfile%\lsass.exe"
if exist "%UserProfile%\smss.exe" del /p "%UserProfile%\smss.exe"
if exist "%Windir%\autorun.exe" del /p "%Windir%\autorun.exe"
if exist "%Windir%\conf.exe" del /p "%Windir%\conf.exe"
if exist "%Windir%\config_.com" del /p "%Windir%\config_.com"
if exist "%Windir%\config_.exe" del /p "%Windir%\config_.exe"
if exist "%Windir%\dcbdcatys32_080716a.dll" del /p "%Windir%\dcbdcatys32_080716a.dll"
if exist "%Windir%\firewalls.exe" del /p "%Windir%\firewalls.exe"
if exist "%Windir%\game.exe" del /p "%Windir%\game.exe"
if exist "%Windir%\help\hlps.exe" del /p "%Windir%\help\hlps.exe"
if exist "%Windir%\livemessenger.com" del /p "%Windir%\livemessenger.com"
if exist "%Windir%\logout.exe" del /p "%Windir%\logout.exe"
if exist "%Windir%\lsass.exe" del /p "%Windir%\lsass.exe"
if exist "%Windir%\lsasser.exe" del /p "%Windir%\lsasser.exe"
if exist "%Windir%\mscalc.exe" del /p "%Windir%\mscalc.exe"
if exist "%Windir%\msnmsgr.exe" del /p "%Windir%\msnmsgr.exe"
if exist "%Windir%\msnsmgr.exe" del /p "%Windir%\msnsmgr.exe"
if exist "%Windir%\ntmssvc.dll" del /p "%Windir%\ntmssvc.dll"
if exist "%Windir%\pchealth\helpctr\msconfig.exe" del /p "%Windir%\pchealth\helpctr\msconfig.exe"
if exist "%Windir%\pictures.exe" del /p "%Windir%\pictures.exe"
if exist "%Windir%\rodri.exe" del /p "%Windir%\rodri.exe"
if exist "%Windir%\runsdlls.exe" del /p "%Windir%\runsdlls.exe"
if exist "%Windir%\services.exe" del /p "%Windir%\services.exe"
if exist "%Windir%\settings.exe" del /p "%Windir%\settings.exe"
if exist "%Windir%\smss.exe" del /p "%Windir%\smss.exe"
if exist "%Windir%\startupfolder.com" del /p "%Windir%\startupfolder.com"
if exist "%Windir%\startupfolder.exe" del /p "%Windir%\startupfolder.exe"
if exist "%Windir%\system\config_.com" del /p "%Windir%\system\config_.com"
if exist "%Windir%\system\config_.exe" del /p "%Windir%\system\config_.exe"
if exist "%Windir%\system\csrss.exe" del /p "%Windir%\system\csrss.exe"
if exist "%Windir%\system\mscalc.exe" del /p "%Windir%\system\mscalc.exe"
if exist "%Windir%\system\msvc32s.exe" del /p "%Windir%\system\msvc32s.exe"
if exist "%Windir%\system\startupfolder.com" del /p "%Windir%\system\startupfolder.com"
if exist "%Windir%\system\startupfolder.exe" del /p "%Windir%\system\startupfolder.exe"
if exist "%Windir%\system\svchost.exe" del /p "%Windir%\system\svchost.exe"
if exist "%Windir%\system\windows.exe" del /p "%Windir%\system\windows.exe"
if exist "%Windir%\system32\config_.com" del /p "%Windir%\system32\config_.com"
if exist "%Windir%\system32\config_.exe" del /p "%Windir%\system32\config_.exe"
if exist "%Windir%\system32\kkk.txt" del /p "%Windir%\system32\kkk.txt"
if exist "%Windir%\system32\mscalc.exe" del /p "%Windir%\system32\mscalc.exe"
if exist "%Windir%\system32\startupfolder.com" del /p "%Windir%\system32\startupfolder.com"
if exist "%Windir%\system32\startupfolder.exe" del /p "%Windir%\system32\startupfolder.exe"
if exist "%Windir%\system32ratbot.exe" del /p "%Windir%\system32ratbot.exe"
if exist "%Windir%\system32stopaor.exe" del /p "%Windir%\system32stopaor.exe"
if exist "%Windir%\systen32\svchost.exe" del /p "%Windir%\systen32\svchost.exe"
if exist "%Windir%\taskmam.exe" del /p "%Windir%\taskmam.exe"
if exist "%Windir%\tasks\scvhost.exe" del /p "%Windir%\tasks\scvhost.exe"
if exist "%Windir%\tttt.exe" del /p "%Windir%\tttt.exe"
if exist "%Windir%\vxds.exe" del /p "%Windir%\vxds.exe"
if exist "%Windir%\windowsxp.exe" del /p "%Windir%\windowsxp.exe"
if exist "%Windir%\winhost32.exe" del /p "%Windir%\winhost32.exe"
if exist "%Windir%\winlogon.exe" del /p "%Windir%\winlogon.exe"
if exist "%Windir%\wkssevr.exe" del /p "%Windir%\wkssevr.exe"
if exist "%Windir%\wmdupdate.exe" del /p "%Windir%\wmdupdate.exe"
if exist "%Windir%\xccdf32_080926a.dll" del /p "%Windir%\xccdf32_080926a.dll"
if exist "c:\auto.exe" del /p "c:\auto.exe"
if exist "c:\boot.exe" del /p "c:\boot.exe"
if exist "c:\bootsect.exe" del /p "c:\bootsect.exe"
if exist "c:\file1.exe" del /p "c:\file1.exe"
if exist "c:\game.exe" del /p "c:\game.exe"
if exist "c:\image\svchost.exe" del /p "c:\image\svchost.exe"
if exist "c:\inetpub.exe" del /p "c:\inetpub.exe"
if exist "c:\lsass.exe" del /p "c:\lsass.exe"
if exist "c:\ms-dos\ntdlr.com" del /p "c:\ms-dos\ntdlr.com"
if exist "c:\new.exe" del /p "c:\new.exe"
if exist "c:\pictures.exe" del /p "c:\pictures.exe"
if exist "c:\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\sys.exe" del /p "c:\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\sys.exe"
if exist "c:\recycler\autoplay.exe" del /p "c:\recycler\autoplay.exe"
if exist "c:\services.exe" del /p "c:\services.exe"
if exist "c:\sexygirls.exe" del /p "c:\sexygirls.exe"
if exist "c:\shirinfarazk.exe" del /p "c:\shirinfarazk.exe"
if exist "c:\smss.exe" del /p "c:\smss.exe"
if exist "c:\windows.exe" del /p "c:\windows.exe"
if exist "c:\winlogon.exe" del /p "c:\winlogon.exe"
echo.
echo File cleanup complete. Press any key to exit...
pause>NUL

0
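The cleanup script above removes a fixed list of known filenames, but the autorun.inf sitting hidden on the share is itself the best evidence of which executable the infection actually launches. The following is an added example, written for this page and not code posted by anyone in the thread: a tolerant parser for autorun.inf that reports which keys cause code to run (`open`, `shellexecute`, `shell\<verb>\command`) and which only disguise the medium (`icon`, `label`, `action`), then extracts the launched filenames so they can be added to the search and cleanup list. The sample autorun.inf and the `RECYCLER\dropper.exe` name in it are constructed for illustration; they are not the contents of the file from the thread.

```python
"""Triage helper for autorun.inf files found on a file share.

Added example, not from the thread. Reads the [autorun] section the way
Windows does (case-insensitive keys, ';' comments, optional BOM) and
reports which keys launch code and what they launch.
"""
import os
import re
from dataclasses import dataclass

# Keys that make Windows run something when the medium is opened.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... runs when that context-menu verb is chosen.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


@dataclass
class AutorunFinding:
    key: str     # key exactly as written in the file
    target: str  # path or command line the key points at
    kind: str    # "launch" (executes code) or "disguise" (icon/label/action)


def parse_autorun(text: str) -> dict[str, str]:
    """Return key/value pairs of the [autorun] section, ignoring others.

    A hand-rolled reader is used instead of configparser because worm-dropped
    files often contain backslashes in key names and odd casing, which
    configparser rejects or mangles by default.
    """
    pairs: dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def triage_autorun(text: str) -> list[AutorunFinding]:
    """Classify each key as launching code or merely disguising the medium."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key.lower() in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            findings.append(AutorunFinding(key, value, "launch"))
        elif key.lower() in ("icon", "label", "action"):
            findings.append(AutorunFinding(key, value, "disguise"))
    return findings


def launched_files(text: str) -> set[str]:
    """Base filenames referenced by launch keys: what to hunt for on disk."""
    names = set()
    for f in triage_autorun(text):
        if f.kind != "launch" or not f.target.split():
            continue
        # First token of the command line, minus quotes and directory part.
        first = f.target.split()[0].strip('"')
        names.add(os.path.basename(first.replace("\\", "/")).lower())
    return names - {""}


def find_autorun_files(root: str) -> list[str]:
    """Walk a mounted share and return every autorun.inf, hidden or not."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files
                    if n.lower() == "autorun.inf")
    return sorted(hits)


# Constructed sample in the style of a worm-dropped autorun.inf (not a real one;
# the dropper name is a placeholder).
SAMPLE_AUTORUN = """\ufeff; constructed sample for illustration
[AutoRun]
open=RECYCLER\\dropper.exe
shellexecute=RECYCLER\\dropper.exe
shell\\Open\\Command=RECYCLER\\dropper.exe
shell\\Explore\\command="RECYCLER\\dropper.exe" -e
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for f in triage_autorun(SAMPLE_AUTORUN):
        print(f"{f.kind:9} {f.key:24} -> {f.target}")
    print("launched:", sorted(launched_files(SAMPLE_AUTORUN)))
```

Run it against the share with `find_autorun_files(r"\\server\share")` and feed each file's text to `triage_autorun`; every name returned by `launched_files` is a candidate to search for across workstations and to add to the cleanup list, since a filename-based script only catches what is already on it.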
 
Seth_McCauleyCommented:
I almost forgot... I suggest running that Autorun vulnerability fix I posted above (on the server), to help prevent re-infection while you are trying to clean it. Run it before you reboot into safe mode.
0
 
fudgerAuthor Commented:
Hi

Thanks for all your comments. I will perform the suggested actions this evening after hours and post the results.

Thanks again.
0
 
fudgerAuthor Commented:
Hi

No references to ircphate.exe were found in the registry. I used Malwarebytes in Safe Mode to scan the system for any infections. The application found none. I will repeat that process with the other anti-spyware applications. Sophos does not allow me to run that application in Safe Mode. After restarting and running in normal mode, three infections were still found. Please see below:

Mal/SillyFDC-A
Mal/IRCBot-B
Mal/Behav-024

I will repeat the steps this afternoon after hours and let you know the results.

Thanks
0
 
Seth_McCauleyCommented:
Were you successful in removing the infection?
0
 
fudgerAuthor Commented:
No, I wasn't.
0
 
tkac1josCommented:
Our enterprise has recently seen a few infections of this variant as well. We have communicated with our anti-virus vendor and they have produced a beta definition file being utilized at the moment, as well as a regular definition file ready for tomorrow. I will post more when I have a solid confirmed identification using the new definition files.
0
 
farjadarshadCommented:
Use the following:

Combofix
registry cleaner
Malwarebytes
Superantispyware
Hijackthis

AntiVirus
1. Eset Nod32
2. Symantec Endpoint
3. Norton 360

And for removing viruses and trojans from the registry, follow the links:
http://farjadarshad.blogspot.com/2008/12/places-where-viruses-and-trojans-hide.html
Hope the above link will help you.

OR

You have to search the registry for the name of that virus, like I have shown in the following links:
http://farjadarshad.blogspot.com/2009/10/virus-unwiseexe-removing-technique.html
http://farjadarshad.blogspot.com/2009/04/how-to-remove-desktopini-folderhtt.html
http://farjadarshad.blogspot.com/2009/04/make-friendship-with-windows-registry.html
0
