Stumped... Invalid char harboring trojan

My sister-in-law picked up a few nasties recently (myspace). AVG did away
with most of them but one remains. It lives in:

C:\Documents and Settings\Owner\Application Data\?asks\...

AVG, NAV, and Trend Micro's online scan see the offending file and all say
that they have successfully removed it, but if I scan again it's back. TM
shows the folder as

~\|asks\...

Booted a Linux live cd and mounted the ntfs volume with ntfs-3g (sweet!). I
was amazed to find that the folder is invisible to the shell. Running ClamAV
without updating the definitions found a trojan in pagefile.sys that had
never shown up when scanning under XP. Understandable. Made a gzipped tarball
of the existing swapfile and wiped the original. Booted back into XP and
\?asks is back, as is the trojan that lives there. Oh, and "Cowabanga by ol"
is listed under Add/Remove Programs. Too distracted by the main issue to
bother with that, though I will (attempt to) remove it when I go back.

So... I'm confused. I can't even find a way to create such a folder after
searching Google for "folder name/path contain question mark/invalid
character/etc.". Well, I _think_ I could create it in Linux, at least on
ext2fs or the like (I know I can); not sure if the ntfs driver follows NTFS
naming rules. I would imagine that I would be able to see it with ls if I
were able to do so.

I am not in front of her machine right now or I would name names. If anyone
has any ideas I will get the file names later today when I go back for round
2. Left Cygwin downloading just in case it can help (doubt it, probably
confined to what the underlying fs is capable of). Anyone up for a challenge?
TIA
FM
 
Also, you might want to use the "clear pagefile upon shutdown" option.

And keep in mind that your system restore points may be harboring that pesky critter as well.
 
I had her run Ad-Aware and Spybot, but I wasn't there. I will give it a shot,
but even if SB detected the malware, what could it do to circumvent the
illegal folder name? And why would it be invisible to Linux? Thanks for the
response.
 
I know the easiest way to get rid of this probably starts with fdisk, but I
want to know how this happened.
 
fdisk is the atomic option.

Since MySpace uses scripts, it is very likely that malicious scripts riddle the MySpacer's PC.

And lots of downloads for MySpace are probably all over your hard drive. I would suggest uninstalling the Explorer component and all the other browsers as well. Reset the firewall to default settings too.

Then I would thoroughly get rid of everything in the temp folders. CCleaner is a good option for this. Then do a chkdsk and reboot.

Upon reboot, be sure not to be connected to the net, then run sfc /scannow and reboot. Then see how the PC is functioning.

As far as the hidden folder that only Linux can see, can't really say. I remember back in the old days, binaries in DOS were pretty manageable by software. Nowadays many of those features have been subdued by the current OSes. However, I am sure they are still being used by agencies like the CIA. That folder/file could very well be a hybrid malware, written in Unix and able to disable the hard drive and therefore able to disable Windows too.

Maybe fdisk is a reasonable option if the file you are referring to is one of those malware that is set to go off on millions of PCs on a special date. Funny, either you nuke your hard disk or possibly get nuked by that unknown file. Sounds like some kind of underground game/plot.

Can you provide more details about that binary?

In the interim, it won't hurt to try the above before nuking your system....
 
Sure something bad is going on: unable to update AVG's definitions, auto or
manually.
I will try what you have suggested. The strange thing is that Linux (Insert)
using ntfs-3g and bash CANNOT see the directory despite having full r/w
access. I can see everything else that should be there. CMD is able to see it
but is powerless to remove it as far as I can tell. I'm riled now! Maybe a
sector editor to remove the '?'... (what FUN?) Already scanned for ?asks with
a hex editor. ASCII and hex turned up nothing. Could it be a virtual folder of
sorts? Only visible when XP is running...
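An added example, not code from anyone in this thread, illustrating the point the last post runs into: NTFS itself refuses `?` in a name, so when one scanner shows `?asks` and another shows `|asks`, each tool is drawing a placeholder for a character it cannot render, and a hex search for the literal bytes of `?asks` will find nothing. The script below flags file and directory names that contain such characters (non-ASCII, invisible format characters, control characters, trailing dots or spaces) and shows what a plain-ASCII console would make of them. The sample tree is constructed in a temporary directory; the look-alike names in it are assumptions for demonstration, not the real folder from the thread.

```python
# Added example, not code from the thread: flag file and directory names
# that a legacy (non-Unicode) console or tool would render with a
# substitute glyph such as '?'. The sample tree is constructed in a
# temporary directory; nothing here touches a real machine's data.
import os
import tempfile
import unicodedata

# Characters NTFS refuses in a name. If a listing shows one of these, the
# tool is drawing a placeholder for something it cannot display, not the
# real character, so searching the disk for a literal '?' finds nothing.
NTFS_RESERVED = set('<>:"/\\|?*')


def ascii_view(name: str) -> str:
    """What a plain-ASCII console makes of the name (unrenderable -> '?')."""
    return name.encode("ascii", "replace").decode("ascii")


def classify_name(name: str) -> list:
    """Return the reasons a name deserves a second look; [] means plain."""
    reasons = []
    if any(ord(c) < 0x20 for c in name):
        reasons.append("control character")
    if any(ord(c) > 0x7E for c in name):
        reasons.append("non-ASCII character")
    # Format characters (Unicode category Cf) such as zero-width space are
    # invisible in most listings yet make the name differ from its twin.
    if any(unicodedata.category(c) == "Cf" for c in name):
        reasons.append("invisible format character")
    if any(c in NTFS_RESERVED for c in name):
        reasons.append("NTFS-reserved character")
    # Win32 strips trailing spaces and dots, so such names are awkward to
    # open or delete with ordinary Windows tools.
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    return reasons


def find_suspicious_names(root: str) -> list:
    """Walk root and return sorted (relative path, reasons) for odd names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = classify_name(name)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, reasons))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="namehunt_")
    os.mkdir(os.path.join(root, "tasks"))        # ordinary name
    os.mkdir(os.path.join(root, "T\u0430sks"))   # Cyrillic 'а' standing in for 'a'
    os.mkdir(os.path.join(root, "logs\u200b"))   # trailing zero-width space
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, reasons in find_suspicious_names(demo):
        print(f"{ascii_view(rel)!r:14} (real: {rel!r}) -> {', '.join(reasons)}")
```

Run it as-is to see the constructed tree classified; point `find_suspicious_names` at a mounted volume (read-only is enough) to list every name that a non-Unicode tool would misrender. The `ascii_view` column is the name as a code-page console would print it, which is why the real character, not the `?`, is what any cleanup has to match.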
 