Sign in with
Sign up | Sign in
Your question

Possible Malware or Spyware?

Tags:
  • Windows XP
Last response: in Windows XP
Share
August 14, 2005 10:04:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,

Everytime i use my XP Professional Laptop, a suspicious .EXE also starts up
after while. Everytime, it has a different name which is randomly generated.
Ex. F5DCE.EXE or M5OR4.EXE and so on. Even if i kill the process from Task
Manager, it reappears after 10 mins or so. It start from C:\TEMP directory. I
have set my System and User env variable for TEMP to this directory.

I have Windows XP SP 2, Windows Antispyware Beta (latest definition files),
Trend Micro firewall and Virus Scanner (with latest updates). All are
licensed s/w and this laptop is on a corporate network.

If i scan with Trend Micro, it says that 1 malware found but does nothing
beyond it. Don't know if the malware it found is the same i am talking about.

can somebody tell me if this is some kind of a virus or spyware, etc.? How
can i get rid of this randomly starting program?

many thanks
anand

More about : malware spyware

August 15, 2005 3:27:47 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Tinkerer,

Many thanks for your quick reply. Tried downloading the adware but corporate
firewall blocks it.

will get some internal help to install and clean the laptop as per the steps
you have given.

thanks again
regards
anand

"Tinkerer" wrote:

> I'm cutting and pasting from another group here. It looks as if it may be relelvant.
> Subject of the post is "Aurora Fix", posted by AndyManchesta
> ---------------------------------------------------------------------------------
> Lavasoft have come to the rescue and released a new VX2
> cleaner that kills Aurora, After many weeks of testing
> and being involved in different fixes for this I have to
> hand it to them, there's is the best fix for Aurora at
> present and shows us all how it should be done.
>
> This is a beta test so even though I will post the link
> (which may change in the next couple of weeks when it
> comes out of beta) anyone who wants to use it should
> consider signing up to Lavasoft as a beta tester to help
> them improve applications and definition files, You can
> sign up at this address then choose definitions or
> programs to take part:
>
> http://www.lavasoftresearch.com/betaprogram
>
> First you need Adaware SE :
>
> http://www.download.com/Ad-Aware-SE-Personal-Edition/30...
>
> Then close Ad-aware SE and download the new VX2 Cleaner
> (Not the one of thier site as it will not detect Aurora)
>
> http://www.lavasoftresearch.com/upload/app/vx2cleaner.z...
>
> Save the file where you can find it easily then Extract
> the files and copy them (Left click and cover the files
> and then right click and copy) then open Lavasoft's Ad-
> Aware "Plugins" folder and paste them into there(Right
> click and paste).
>
> (C:\Program Files\Lavasoft\Ad-Aware SE\Plugins)
>
> Run Ad-Aware and click the Add-ons button in the main
> window.Select VX2 Cleaner from the list.
>
> Click the "Run Tool" button in the lower right corner of
> the window.Click "OK" when asked if you want to execute
> this tool.It will say VX2 variant found then press
> clean.Next it will say to reboot and run a smart scan
> with Adaware.
>
> It does miss acouple of traces which I will list below
> but it kills the Nail infection and makes it look so easy.
>
> Delete these if found:
>
> C:\WINDOWS\ffsnvqmgpiy.exe
> C:\WINDOWS\rramcx.exe
>
> Then you can clear the Temp Internet files and the
> contents of the prefetch folder to remove the final
> traces if you wish:
>
> goto start menu and run and type %temp% delete the
> contents of this folder or at least the files that are
> not in use then start and run and type prefetch and
> delete the contents of this folder and its finished !
>
> Good Work Lavasoft
>
> Regards Andy
>
>
>
>
> --
>
> Cheers,
> Tinkerer
>
>
> "Anand" <Anand@discussions.microsoft.com> wrote in message news:E17C0E74-D72E-445A-AFFB-87CCCF52EA22@microsoft.com...
> Hi,
>
> Everytime i use my XP Professional Laptop, a suspicious .EXE also starts up
> after while. Everytime, it has a different name which is randomly generated.
> Ex. F5DCE.EXE or M5OR4.EXE and so on. Even if i kill the process from Task
> Manager, it reappears after 10 mins or so. It start from C:\TEMP directory. I
> have set my System and User env variable for TEMP to this directory.
>
> I have Windows XP SP 2, Windows Antispyware Beta (latest definition files),
> Trend Micro firewall and Virus Scanner (with latest updates). All are
> licensed s/w and this laptop is on a corporate network.
>
> If i scan with Trend Micro, it says that 1 malware found but does nothing
> beyond it. Don't know if the malware it found is the same i am talking about.
>
> can somebody tell me if this is some kind of a virus or spyware, etc.? How
> can i get rid of this randomly starting program?
>
> many thanks
> anand
August 15, 2005 8:41:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

try looking for a suspect batch file on c: drive it may be rewriting the file
every time you start windows

if you are not sure wich one is suspect then edit any bat files you find and
look to see what they are doing

you may have to set your view to show all files as it may be hidden

"Anand" wrote:

> Hi,
>
> Everytime i use my XP Professional Laptop, a suspicious .EXE also starts up
> after while. Everytime, it has a different name which is randomly generated.
> Ex. F5DCE.EXE or M5OR4.EXE and so on. Even if i kill the process from Task
> Manager, it reappears after 10 mins or so. It start from C:\TEMP directory. I
> have set my System and User env variable for TEMP to this directory.
>
> I have Windows XP SP 2, Windows Antispyware Beta (latest definition files),
> Trend Micro firewall and Virus Scanner (with latest updates). All are
> licensed s/w and this laptop is on a corporate network.
>
> If i scan with Trend Micro, it says that 1 malware found but does nothing
> beyond it. Don't know if the malware it found is the same i am talking about.
>
> can somebody tell me if this is some kind of a virus or spyware, etc.? How
> can i get rid of this randomly starting program?
>
> many thanks
> anand
Related resources
August 15, 2005 11:13:19 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

No thanks needed Anand, but when you've tried cleaning the laptop, I'd like
to know if this was the problem or not. :-)

--

Cheers,
Tinkerer


"Anand" <Anand@discussions.microsoft.com> wrote in message
news:5F51A527-7978-405A-BFA1-93A413C6E035@microsoft.com...
Hi Tinkerer,

Many thanks for your quick reply. Tried downloading the adware but corporate
firewall blocks it.

will get some internal help to install and clean the laptop as per the steps
you have given.

thanks again
regards
anand

"Tinkerer" wrote:

> I'm cutting and pasting from another group here. It looks as if it may be
> relelvant.
> Subject of the post is "Aurora Fix", posted by AndyManchesta
> ---------------------------------------------------------------------------------
> Lavasoft have come to the rescue and released a new VX2
> cleaner that kills Aurora, After many weeks of testing
> and being involved in different fixes for this I have to
> hand it to them, there's is the best fix for Aurora at
> present and shows us all how it should be done.
>
> This is a beta test so even though I will post the link
> (which may change in the next couple of weeks when it
> comes out of beta) anyone who wants to use it should
> consider signing up to Lavasoft as a beta tester to help
> them improve applications and definition files, You can
> sign up at this address then choose definitions or
> programs to take part:
>
> http://www.lavasoftresearch.com/betaprogram
>
> First you need Adaware SE :
>
> http://www.download.com/Ad-Aware-SE-Personal-Edition/30...
>
> Then close Ad-aware SE and download the new VX2 Cleaner
> (Not the one of thier site as it will not detect Aurora)
>
> http://www.lavasoftresearch.com/upload/app/vx2cleaner.z...
>
> Save the file where you can find it easily then Extract
> the files and copy them (Left click and cover the files
> and then right click and copy) then open Lavasoft's Ad-
> Aware "Plugins" folder and paste them into there(Right
> click and paste).
>
> (C:\Program Files\Lavasoft\Ad-Aware SE\Plugins)
>
> Run Ad-Aware and click the Add-ons button in the main
> window.Select VX2 Cleaner from the list.
>
> Click the "Run Tool" button in the lower right corner of
> the window.Click "OK" when asked if you want to execute
> this tool.It will say VX2 variant found then press
> clean.Next it will say to reboot and run a smart scan
> with Adaware.
>
> It does miss acouple of traces which I will list below
> but it kills the Nail infection and makes it look so easy.
>
> Delete these if found:
>
> C:\WINDOWS\ffsnvqmgpiy.exe
> C:\WINDOWS\rramcx.exe
>
> Then you can clear the Temp Internet files and the
> contents of the prefetch folder to remove the final
> traces if you wish:
>
> goto start menu and run and type %temp% delete the
> contents of this folder or at least the files that are
> not in use then start and run and type prefetch and
> delete the contents of this folder and its finished !
>
> Good Work Lavasoft
>
> Regards Andy
>
>
>
>
> --
>
> Cheers,
> Tinkerer
>
>
> "Anand" <Anand@discussions.microsoft.com> wrote in message
> news:E17C0E74-D72E-445A-AFFB-87CCCF52EA22@microsoft.com...
> Hi,
>
> Everytime i use my XP Professional Laptop, a suspicious .EXE also starts
> up
> after while. Everytime, it has a different name which is randomly
> generated.
> Ex. F5DCE.EXE or M5OR4.EXE and so on. Even if i kill the process from Task
> Manager, it reappears after 10 mins or so. It start from C:\TEMP
> directory. I
> have set my System and User env variable for TEMP to this directory.
>
> I have Windows XP SP 2, Windows Antispyware Beta (latest definition
> files),
> Trend Micro firewall and Virus Scanner (with latest updates). All are
> licensed s/w and this laptop is on a corporate network.
>
> If i scan with Trend Micro, it says that 1 malware found but does nothing
> beyond it. Don't know if the malware it found is the same i am talking
> about.
>
> can somebody tell me if this is some kind of a virus or spyware, etc.? How
> can i get rid of this randomly starting program?
>
> many thanks
> anand
August 16, 2005 10:21:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi guys,

thanks for your recommendations.

Tinkerer,

Lavasoft Adware did not clean that rogue process. Adware found some cookies
which track information. I don't think that is the issue. Also, allen
mentioned to look for .bat files that renames the EXE everytime windows
boots. There is no suspect .bat files in C:\ or anywhere in my hard drive.

In my case the .EXE is 6 letters long. The current one running on my laptop
is called UL722D.EXE and is 2468K in size. If i kill this process, it dies
but starts again in 10 mins or so and is called something else (ex.
AT532G.EXE).

Is this is a valid windows process or could it be a rogue?

cheers
anand

"allen" wrote:

> try looking for a suspect batch file on c: drive it may be rewriting the file
> every time you start windows
>
> if you are not sure wich one is suspect then edit any bat files you find and
> look to see what they are doing
>
> you may have to set your view to show all files as it may be hidden
>
> "Anand" wrote:
>
> > Hi,
> >
> > Everytime i use my XP Professional Laptop, a suspicious .EXE also starts up
> > after while. Everytime, it has a different name which is randomly generated.
> > Ex. F5DCE.EXE or M5OR4.EXE and so on. Even if i kill the process from Task
> > Manager, it reappears after 10 mins or so. It start from C:\TEMP directory. I
> > have set my System and User env variable for TEMP to this directory.
> >
> > I have Windows XP SP 2, Windows Antispyware Beta (latest definition files),
> > Trend Micro firewall and Virus Scanner (with latest updates). All are
> > licensed s/w and this laptop is on a corporate network.
> >
> > If i scan with Trend Micro, it says that 1 malware found but does nothing
> > beyond it. Don't know if the malware it found is the same i am talking about.
> >
> > can somebody tell me if this is some kind of a virus or spyware, etc.? How
> > can i get rid of this randomly starting program?
> >
> > many thanks
> > anand
August 18, 2005 3:49:33 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I don't know of any windows processes that do that sort of thing, and I
don't think *any* legitimate service will. I would try an online virus
scanner.
Popups must be allowed at this site, then click virus detection:
http://security.symantec.com/sscv6/default.asp?langid=i...

You can also try here:
http://housecall.trendmicro.com/

I'm sure there are others out there, but these are the first two off the top
of my head. Do you use Microsoft Antispyware?


--

Cheers,
Tinkerer


"Anand" <Anand@discussions.microsoft.com> wrote in message
news:26A67C0F-3B5F-4F43-937A-D30CA9C3D76E@microsoft.com...
Hi guys,

thanks for your recommendations.

Tinkerer,

Lavasoft Adware did not clean that rogue process. Adware found some cookies
which track information. I don't think that is the issue. Also, allen
mentioned to look for .bat files that renames the EXE everytime windows
boots. There is no suspect .bat files in C:\ or anywhere in my hard drive.

In my case the .EXE is 6 letters long. The current one running on my laptop
is called UL722D.EXE and is 2468K in size. If i kill this process, it dies
but starts again in 10 mins or so and is called something else (ex.
AT532G.EXE).

Is this is a valid windows process or could it be a rogue?

cheers
anand

"allen" wrote:

> try looking for a suspect batch file on c: drive it may be rewriting the
> file
> every time you start windows
>
> if you are not sure wich one is suspect then edit any bat files you find
> and
> look to see what they are doing
>
> you may have to set your view to show all files as it may be hidden
>
> "Anand" wrote:
>
> > Hi,
> >
> > Everytime i use my XP Professional Laptop, a suspicious .EXE also starts
> > up
> > after while. Everytime, it has a different name which is randomly
> > generated.
> > Ex. F5DCE.EXE or M5OR4.EXE and so on. Even if i kill the process from
> > Task
> > Manager, it reappears after 10 mins or so. It start from C:\TEMP
> > directory. I
> > have set my System and User env variable for TEMP to this directory.
> >
> > I have Windows XP SP 2, Windows Antispyware Beta (latest definition
> > files),
> > Trend Micro firewall and Virus Scanner (with latest updates). All are
> > licensed s/w and this laptop is on a corporate network.
> >
> > If i scan with Trend Micro, it says that 1 malware found but does
> > nothing
> > beyond it. Don't know if the malware it found is the same i am talking
> > about.
> >
> > can somebody tell me if this is some kind of a virus or spyware, etc.?
> > How
> > can i get rid of this randomly starting program?
> >
> > many thanks
> > anand
!