virus/worm? recreates random .exe in run section of registry when deleted

#1
Guest
Posts: n/a
Not sure what this is or how to tackle it.

Basically there are multiple processes with random characters then .exe in the process list. If you kill one, a new randomly named one will show back up a few seconds later. There is another randomly named .exe in the Run section of the Local Machine key, which if you delete that key and then refresh, a new randomly named .exe will be waiting to load on startup again. When you go to c:\windows\system32 where it says this file resides, it is not there... this is with show all turned on.

Anyone have any ideas?

thanks

scot
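The two symptoms in the post above (a Run value whose target binary is not on disk, and running processes with random-looking names) can be checked from an elevated PowerShell prompt. The script below is an added example for triage, not code from the thread or from any AV vendor mentioned in it; the list of Run keys, the name-randomness thresholds and the helper names (Get-ImagePath, Resolve-ImagePath, Test-RandomName) are my own assumptions. It does not remove anything; it only reports entries worth submitting to an AV vendor.

```powershell
# Added example, not from the thread: audit autorun entries and running processes
# for the symptoms described in post #1. Run from an elevated PowerShell prompt.
# Key list and heuristic thresholds are assumptions for this example.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath {
    # Reduce a Run value such as  "C:\dir\x.exe" /arg  or  C:\dir\x.exe /arg
    # to just the executable path (hypothetical helper).
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Resolve-ImagePath {
    # Expand %SystemRoot%-style variables; a bare file name is looked up in System32,
    # which is where the loader would also find it.
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (Test-Path -LiteralPath $expanded) { return $expanded }
    $candidate = Join-Path $env:SystemRoot "System32\$expanded"
    if (Test-Path -LiteralPath $candidate) { return $candidate }
    return $null
}

function Test-RandomName {
    # Weak triage hint (assumed thresholds): long names with almost no vowels, or
    # names mixing several digits into letters, look machine-generated.
    param([string]$Name)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name).ToLower()
    if ($base -notmatch '^[a-z0-9]+$') { return $false }
    $vowels  = ([regex]::Matches($base, '[aeiouy]')).Count
    $digits  = ([regex]::Matches($base, '[0-9]')).Count
    $letters = $base.Length - $digits
    if ($digits -ge 3 -and $letters -ge 2) { return $true }
    return ($base.Length -ge 8 -and ($vowels / $base.Length) -lt 0.2)
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $image    = Get-ImagePath -Command ([string]$prop.Value)
        $resolved = Resolve-ImagePath -Path $image
        $findings += [pscustomobject]@{
            Source     = $key
            Name       = $prop.Name
            Image      = $image
            OnDisk     = [bool]$resolved
            RandomName = (Test-RandomName -Name $image) -or (Test-RandomName -Name $prop.Name)
        }
    }
}

# A running process whose reported image path no longer exists on disk matches the
# "it says it lives in system32 but it is not there" symptom. Processes whose path
# cannot be read (System, protected processes) are skipped rather than flagged.
foreach ($p in Get-Process) {
    $path = try { $p.Path } catch { $null }
    if (-not $path) { continue }
    $findings += [pscustomobject]@{
        Source     = "PID $($p.Id)"
        Name       = $p.ProcessName
        Image      = $path
        OnDisk     = (Test-Path -LiteralPath $path)
        RandomName = Test-RandomName -Name $p.ProcessName
    }
}

# Missing-on-disk is the strong signal; a random-looking name alone is only a hint.
$findings | Where-Object { -not $_.OnDisk -or $_.RandomName } |
    Sort-Object OnDisk, RandomName | Format-Table -AutoSize
```

Entries reported with OnDisk = False are the ones to copy for analysis, as the later replies suggest; a process that keeps its file hidden from Explorer will still usually show a path here, and the mismatch between the path and what the file system returns is itself the finding. The name heuristic is deliberately conservative so that short system names such as csrss or svchost are not reported on their own.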
#2
Guest
Posts: n/a
Forgot to mention that it doesn't seem to be trying to connect to or listening on any ports. FWIW.

scot

"Scot" <blank@blank.blank.com> wrote in message news:c3cuuh$qdq@library1.airnews.net...
> Not sure what this is or how to tackle it.
>
> Basically there are multiple processes with random characters then .exe in
> the process list. If you kill one, a new randomly named one will show back
> up a few seconds later. There is another randomly named .exe in the Run
> section of the Local Machine key, which if you delete that key and then
> refresh, a new randomly named .exe will be waiting to load on startup again.
> When you go to c:\windows\system32 where it says this file resides, it is
> not there... this is with show all turned on.
>
> Anyone have any ideas?
>
> thanks
>
> scot
#3
Guest
Posts: n/a
Never mind. It looks like it is called Sandbox.

"Scot" <blank@blank.blank.com> wrote in message news:c3cv6s$gjk@library1.airnews.net...
> Forgot to mention that it doesn't seem to be trying to connect to or
> listening on any ports. FWIW.
>
> scot
>
> "Scot" <blank@blank.blank.com> wrote in message
> news:c3cuuh$qdq@library1.airnews.net...
> > Not sure what this is or how to tackle it.
> >
> > Basically there are multiple processes with random characters then .exe in
> > the process list. If you kill one, a new randomly named one will show back
> > up a few seconds later. There is another randomly named .exe in the Run
> > section of the Local Machine key, which if you delete that key and then
> > refresh, a new randomly named .exe will be waiting to load on startup again.
> > When you go to c:\windows\system32 where it says this file resides, it is
> > not there... this is with show all turned on.
> >
> > Anyone have any ideas?
> >
> > thanks
> >
> > scot
#4
Guest
Posts: n/a
Scot wrote:
> Not sure what this is or how to tackle it.
>
> Basically there are multiple processes with random characters then .exe in
> the process list. If you kill one, a new randomly named one will show back
> up a few seconds later. There is another randomly named .exe in the Run
> section of the Local Machine key, which if you delete that key and then
> refresh, a new randomly named .exe will be waiting to load on startup again.
> When you go to c:\windows\system32 where it says this file resides, it is
> not there... this is with show all turned on.

it's almost certainly malware of some kind... have you tried using a virus scanner? have you tried submitting a copy of one of these randomly named files to an av developer for analysis? i'd try those first before trying to guess how to perform a manual removal of an unknown piece of malware...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"
#5
Guest
Posts: n/a
On Thu, 18 Mar 2004, Scot wrote:
> Never mind. It looks like it is called Sandbox

If, as I suppose, you are running Norman Virus Control, it is likely that the "Sandbox" term indicates that a "new" worm has been detected on your system using heuristics. The "Sandbox" is the name of the method used by the heuristics, and it is used as a prefix for naming malware detected using this technology. If this is correct, there should be something else than the term "Sandbox". Generic identifications include: Sandbox: W32/Malware, W32/Downloader, W32/Backdoor, W32/EmailWorm, W32/FileInfector, W32/P2PWorm, W32/NetworkWorm (maybe others). This generic identification may help to understand more precisely what the malware is actually doing.

You may obtain more information by observing Norman log files (right-click on the taskbar icon and then go to "utilities" -> "messages"). There are two ways to see the messages, directly (left tab, click in the window, messages corresponding to the current session are displayed) or by displaying the contents of the log file containing the alert (right-click, open the .nps file). Then, double-click on the line corresponding to the alert. The "details" window should contain information about the malware. You can copy/paste this information here.

Additionally, you should send the infected file (if you manage to locate it) to analysis@norman.no (in an encrypted .zip archive; do not forget to give the .zip password in the email). You can also send me the archive at tweakie(at)mail.nu

You should also submit the suspect files here: http://www.kaspersky.com/scanforvirus.html

--
Tweakie
#6
Guest
Posts: n/a
It is actually picked out as a backdoor called Sandbox by Trend Micro.

"kurt wismer" <kurtw@sympatico.ca> wrote in message news:5Cn6c.22797$E71.1553985@news20.bellglobal.com...
> Scot wrote:
>
> > Not sure what this is or how to tackle it.
> >
> > Basically there are multiple processes with random characters then .exe in
> > the process list. If you kill one, a new randomly named one will show back
> > up a few seconds later. There is another randomly named .exe in the Run
> > section of the Local Machine key, which if you delete that key and then
> > refresh, a new randomly named .exe will be waiting to load on startup again.
> > When you go to c:\windows\system32 where it says this file resides, it is
> > not there... this is with show all turned on.
>
> it's almost certainly malware of some kind... have you tried using a
> virus scanner? have you tried submitting a copy of one of these
> randomly named files to an av developer for analysis? i'd try those
> first before trying to guess how to perform a manual removal of an
> unknown piece of malware...
>
> --
> "we're the first ones to starve, we're the first ones to die
> the first ones in line for that pie in the sky
> and we're always the last when the cream is shared out
> for the worker is working when the fat cat's about"
#7
Guest
Posts: n/a
Scot wrote:
> It is actually picked out as a backdoor called Sandbox by Trend Micro.

Have you tried the removal instructions in this document?
http://www.trendmicro.com/vinfo/vir...=BKDR_SANDBOX.A