Possible Malware or Spyware?


Guest

Hi,

Every time I use my XP Professional laptop, a suspicious .EXE also starts up
after a while. Every time, it has a different name which is randomly generated.
Ex. F5DCE.EXE or M5OR4.EXE and so on. Even if I kill the process from Task
Manager, it reappears after 10 mins or so. It starts from the C:\TEMP directory. I
have set my System and User env variable for TEMP to this directory.

I have Windows XP SP 2, Windows Antispyware Beta (latest definition files),
Trend Micro firewall and Virus Scanner (with latest updates). All are
licensed s/w and this laptop is on a corporate network.

If I scan with Trend Micro, it says that 1 malware found but does nothing
beyond it. I don't know if the malware it found is the same I am talking about.

Can somebody tell me if this is some kind of a virus or spyware, etc.? How
can I get rid of this randomly starting program?

many thanks
anand
 

Tinkerer

I'm cutting and pasting from another group here. It looks as if it may be relevant.
Subject of the post is "Aurora Fix", posted by AndyManchesta.
---------------------------------------------------------------------------------
Lavasoft have come to the rescue and released a new VX2
cleaner that kills Aurora. After many weeks of testing
and being involved in different fixes for this I have to
hand it to them: theirs is the best fix for Aurora at
present and shows us all how it should be done.

This is a beta test, so even though I will post the link
(which may change in the next couple of weeks when it
comes out of beta), anyone who wants to use it should
consider signing up to Lavasoft as a beta tester to help
them improve applications and definition files. You can
sign up at this address, then choose definitions or
programs to take part:

http://www.lavasoftresearch.com/betaprogram

First you need Adaware SE :

http://www.download.com/Ad-Aware-SE...45910..html?part=dl-ad-aware&subj=dl&tag=top5

Then close Ad-Aware SE and download the new VX2 Cleaner
(not the one on their site, as it will not detect Aurora):

http://www.lavasoftresearch.com/upload/app/vx2cleaner.zip

Save the file where you can find it easily, then extract
the files and copy them (left click and cover the files,
then right click and copy), then open Lavasoft's Ad-
Aware "Plugins" folder and paste them in there (right
click and paste).

(C:\Program Files\Lavasoft\Ad-Aware SE\Plugins)

Run Ad-Aware and click the Add-ons button in the main
window. Select VX2 Cleaner from the list.

Click the "Run Tool" button in the lower right corner of
the window. Click "OK" when asked if you want to execute
this tool. It will say VX2 variant found; then press
Clean. Next it will say to reboot and run a smart scan
with Ad-Aware.

It does miss a couple of traces, which I will list below,
but it kills the Nail infection and makes it look so easy.

Delete these if found:

C:\WINDOWS\ffsnvqmgpiy.exe
C:\WINDOWS\rramcx.exe

Then you can clear the Temporary Internet Files and the
contents of the prefetch folder to remove the final
traces if you wish:

Go to the Start menu, click Run and type %temp%; delete the
contents of this folder, or at least the files that are
not in use. Then Start, Run, and type prefetch, and
delete the contents of this folder, and it's finished!

Good Work Lavasoft

Regards Andy




--

Cheers,
Tinkerer


 

Guest

Hi Tinkerer,

Many thanks for your quick reply. Tried downloading Ad-Aware, but the corporate
firewall blocks it.

Will get some internal help to install and clean the laptop as per the steps
you have given.

thanks again
regards
anand
 

Guest

Try looking for a suspect batch file on the C: drive; it may be rewriting the file
every time you start Windows.

If you are not sure which one is suspect, then edit any .bat files you find and
look to see what they are doing.

You may have to set your view to show all files, as it may be hidden.
 

Tinkerer

No thanks needed Anand, but when you've tried cleaning the laptop, I'd like
to know if this was the problem or not. :)

--

Cheers,
Tinkerer


 

Guest

Hi guys,

thanks for your recommendations.

Tinkerer,

Lavasoft Ad-Aware did not clean that rogue process. Ad-Aware found some cookies
which track information. I don't think that is the issue. Also, allen
mentioned to look for .bat files that rename the EXE every time Windows
boots. There are no suspect .bat files in C:\ or anywhere on my hard drive.

In my case the .EXE is 6 letters long. The current one running on my laptop
is called UL722D.EXE and is 2468K in size. If I kill this process, it dies
but starts again in 10 mins or so and is called something else (ex.
AT532G.EXE).

Is this a valid Windows process or could it be a rogue?

cheers
anand
 

Tinkerer

I don't know of any Windows processes that do that sort of thing, and I
don't think *any* legitimate service will. I would try an online virus
scanner.
Popups must be allowed at this site, then click Virus Detection:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

You can also try here:
http://housecall.trendmicro.com/

I'm sure there are others out there, but these are the first two off the top
of my head. Do you use Microsoft Antispyware?


--

Cheers,
Tinkerer


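The behaviour Anand describes (a 5-6 character random .EXE name, launched from C:\TEMP, back again roughly every 10 minutes after being killed) can be turned into a simple detection check over process-start records. This is an added example for this thread, not code from any of the posters; the log line layout, the TEMP_DIRS list and the sample records are constructed assumptions, using the file names reported above.

```python
import re
from datetime import datetime

# Constructed process-start records (not from the poster's machine). The
# names UL722D.EXE, AT532G.EXE and F5DCE.EXE are the ones reported in the thread.
SAMPLE_LOG = """\
2005-06-01 09:00:12 START pid=1204 image=C:\\WINDOWS\\system32\\svchost.exe
2005-06-01 09:01:40 START pid=1880 image=C:\\TEMP\\UL722D.EXE
2005-06-01 09:05:03 START pid=1932 image=C:\\TEMP\\SETUP.EXE
2005-06-01 09:11:52 START pid=2016 image=C:\\TEMP\\AT532G.EXE
2005-06-01 09:22:07 START pid=2104 image=C:\\TEMP\\F5DCE.EXE
"""

# Assumed line layout: "<date> <time> START pid=<n> image=<path>"
LINE_RE = re.compile(r"^(\S+ \S+) START pid=(\d+) image=(.+)$")
# Random-looking name: 5 or 6 upper-case letters/digits, at least one digit, then .EXE
RANDOM_NAME_RE = re.compile(r"^(?=[A-Z0-9]{5,6}\.EXE$)(?=.*\d)")
# Directories the poster's TEMP variables point at (assumed list)
TEMP_DIRS = ("C:\\TEMP\\", "C:\\WINDOWS\\TEMP\\")


def parse_log(text):
    """Return a time-sorted list of (timestamp, pid, image path)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3)))
    return sorted(events)


def is_suspicious_image(path):
    """True for a random-named .EXE launched from a temp directory."""
    upper = path.upper()
    if not upper.startswith(TEMP_DIRS):
        return False
    return RANDOM_NAME_RE.match(upper.rsplit("\\", 1)[-1]) is not None


def suspicious_starts(text):
    """Return [(image, minutes since the previous suspicious start or None)]."""
    hits, prev = [], None
    for ts, _pid, image in parse_log(text):
        if is_suspicious_image(image):
            gap = None if prev is None else (ts - prev).total_seconds() / 60
            hits.append((image, gap))
            prev = ts
    return hits


def respawn_count(text, max_gap_minutes=15):
    """Number of suspicious starts that followed another within the gap:
    the 'kill it and it is back in 10 minutes' pattern from the thread."""
    return sum(1 for _, gap in suspicious_starts(text)
               if gap is not None and gap <= max_gap_minutes)
```

A respawn_count of two or more from a machine's own process-start log is the signal worth acting on; a single random-named start from a temp directory can still be a legitimate installer.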