
new trojan/virus or something?

Anonymous
August 26, 2005 4:12:49 PM

Archived from groups: microsoft.public.windowsxp.general

I just noticed it running in processes after a fresh reboot.

I scanned the mdar folder with housecall.trendmicro.com and after scanning
it, it didn't say there was an infection, but I'd rather err on the side of
caution.

oeat.exe
c:\program files\mdar\oeat.exe
c:\program files\mdar\rese (empty folder)
The file is hidden even if you have "show hidden files and folders" checked.
It's added to msconfig startup; searching the registry for oeat will find
its entry in the startup Run key so you can delete that.

The only way I've been able to confirm the file existed was to use an ftp
program to view locally, and also to use PGP to wipe the mdar folder... it
lists everything to confirm before wiping.

When I did finally wipe, I got an error
Directory could not be moved. The directory path may(one of those square
boxes here)be invalid, or the directory may not be empty.
c:\program files\mdar

I tried going to the command prompt and typing
rd "c:\program files\mdar" and it said the process cannot access the file
because it is being used by another process.

So, I rebooted into safe mode and used the rd command to delete the folder.

I don't see any new trace of it now.
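The triage the post describes (a Run-key entry pointing at an executable in an unfamiliar Program Files folder) can be checked offline against a `reg export` of the Run key. This is an added example, not code from the thread: the .reg text is constructed (the oeat entry mirrors the path reported above), and the baseline set of expected startup directories is an assumed allowlist a defender would tune per machine.

```python
"""Parse an exported Windows Run-key .reg dump and flag unexpected startup entries."""
import re

# Constructed sample of `reg export` output for HKLM\...\Run (REG_SZ values only);
# the "oeat" line reproduces the path reported in the post, the others are typical XP entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"oeat"="c:\\program files\\mdar\\oeat.exe /s"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Assumed baseline: directories from which startup entries are expected on this host.
BASELINE_DIRS = {
    r"c:\program files\analog devices\soundmax",
    r"c:\windows\system32",
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_entries(reg_text):
    """Return {value_name: command} for the REG_SZ values in a .reg export."""
    entries = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg files escape double quotes and backslashes with a backslash.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            entries[m.group("name")] = data
    return entries


def image_path(command):
    """Extract the executable path from a Run command, quoted or followed by arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)", command)  # unquoted path ends at the first .exe
    return m.group(1) if m else command.split()[0]


def flag_unexpected(entries):
    """Names of Run entries whose executable lives outside the baseline directories."""
    flagged = []
    for name, cmd in entries.items():
        directory = image_path(cmd).lower().rsplit("\\", 1)[0]
        if directory not in BASELINE_DIRS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in flag_unexpected(parse_run_entries(SAMPLE_REG)):
        print("review startup entry:", name)
```

On a live XP box the same parser can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the HKCU Run key should be checked the same way.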


Anonymous
August 26, 2005 5:48:26 PM


"Robert Blackwell" <rob@nospam.com> wrote:

>I just noticed it running in processes after a fresh reboot.
>
>I scanned the mdar folder with housecall.trendmicro.com and after scanning
>it, it didn't say there was an infection, but I'd rather err on the side of
>caution.
>
>oeat.exe
>c:\program files\mdar\oeat.exe
>c:\program files\mdar\rese (empty folder)
>The file is hidden even if you have "show hidden files and folders" checked.
>It's added to msconfig startup; searching the registry for oeat will find
>its entry in the startup Run key so you can delete that.
>
>The only way I've been able to confirm the file existed was to use an ftp
>program to view locally, and also to use PGP to wipe the mdar folder... it
>lists everything to confirm before wiping.
>
>When I did finally wipe, I got an error
>Directory could not be moved. The directory path may(one of those square
>boxes here)be invalid, or the directory may not be empty.
>c:\program files\mdar
>
>I tried going to the command prompt and typing
>rd "c:\program files\mdar" and it said the process cannot access the file
>because it is being used by another process.
>
>So, I rebooted into safe mode and used the rd command to delete the folder.
>
The fact that you were able to remove the folder and did not receive
any error messages after rebooting indicates that it may have been
some form of malware.

And a google search fails to find a single reference anywhere to
oeat.exe which is another indicator of probable malware.

The current crop of malware is so insidious that there is no single
tool that can be relied on to identify and remove all of it. A
combination of different tools is always advisable.

Trend Micro is one of the very good ones, but it needs to be backed up
with something else, such as:
- Microsoft Antispyware
- Lavasoft Ad-Aware
- Spybot Search & Destroy
- AVG Free Antivirus

There are a number of other good ones.

Good luck

Ron Martell, Duncan, B.C., Canada
--
Microsoft MVP
On-Line Help Computer Service
http://onlinehelp.bc.ca

In memory of a dear friend Alex Nichol MVP
http://aumha.org/alex.htm

Anonymous
August 26, 2005 7:33:26 PM


From: "Robert Blackwell" <rob@nospam.com>

| I just noticed it running in processes after a fresh reboot.
|
| I scanned the mdar folder with housecall.trendmicro.com and after scanning
| it, it didn't say there was an infection, but I'd rather err on the side of
| caution.
|
| oeat.exe
| c:\program files\mdar\oeat.exe
| c:\program files\mdar\rese (empty folder)
| The file is hidden even if you have "show hidden files and folders" checked.
| It's added to msconfig startup; searching the registry for oeat will find
| its entry in the startup Run key so you can delete that.
|
| The only way I've been able to confirm the file existed was to use an ftp
| program to view locally, and also to use PGP to wipe the mdar folder... it
| lists everything to confirm before wiping.
|
| When I did finally wipe, I got an error
| Directory could not be moved. The directory path may(one of those square
| boxes here)be invalid, or the directory may not be empty.
| c:\program files\mdar
|
| I tried going to the command prompt and typing
| rd "c:\program files\mdar" and it said the process cannot access the file
| because it is being used by another process.
|
| So, I rebooted into safe mode and used the rd command to delete the folder.
|
| I don't see any new trace of it now.
|

There are anti-virus newsgroups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

When in doubt, submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

This could have been non-viral malware in the form of adware/spyware.

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

Although you used the Trend online scanner, the following tool provides Trend Sysclean and
the Sophos and McAfee Command Line Scanners. You should use the above Ad-aware and SpyBot
software and scan the system, as well as use the Sophos and McAfee scanners in the below
utility.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm