I'd like to know if this hidden file in the c:\WINNT\Fonts folder is
supposed to be there.
This process in the task manager uses from 20 to 80% of the CPU
resources. It's slowing down the PC; it's unbelievable.
I ended the process in the task manager but it always comes back. I
even went to the DOS prompt in the correct directory to try to
delete it, but because it's always running I can't do it.
I ran AdAware and use McAfee and everything looks fine.
Does anyone have an idea?
I've seen this one, too. Symantec AV, Adaware, and SpyBot S&D do not
recognize it. File names are random but rarely over 6-7 characters
plus the .exe. File lengths are random, too, although usually in the
range of 700-900 KB. If you delete or rename the file, it comes back.
If you delete the "run" entry in the registry, it comes back. Kill the
process and it comes back. When I examined my system, I found these
hidden .exe files with different filenames everywhere in my WINNT
folder & subfolders (40 or 50 in all). It seems to create hidden
.dat files in your \docume~1\<username>\local settings\temp folder.
This is how I finally figured out how to get rid of it:
1) find the hidden .exe file on your system
2) Right click on it, select "Properties", select the "Security" tab
3) If checked, uncheck the "inherited" box
4) Change privilege on this file such that every user including system
is "Deny All". (If the system can't read it, it can't run it)
5) Now kill the process using task manager. It will try to come back
but it can't because of the permissions in step 4 above.
6) Remove the "run" entries out of the registry. I use "startup
control panel" from http://www.mlin.com, but registry editing will work
as well.
7) Reboot your computer (you should not see this process running after
it comes up)
8) Find the hidden file again, restore permissions, and delete it.
9) Search everywhere in your WinNT folder for clones of this file. Use
the windows search tool and look for files that contain the string
"\CurrentVersion\Run". This will find legitimate files too but might
find some that you missed. Pay particular attention to hidden files.
If other people log into this machine with different user names, they
could reactivate "their version" of this and you will become infected
again.
Good Luck and HTH,
John
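The steps in John's post, as an added PowerShell example (this is not code from the thread or from any tool it mentions). It assumes Windows PowerShell 5.1 or later running from an elevated prompt, and every path it takes is a placeholder the operator supplies. It inventories hidden .exe files under the Windows folder with hashes and signature status (steps 1 and 9), lists Run/RunOnce entries for the machine, the current user and every other loaded user hive (step 6 and the closing caveat about other accounts), applies the Deny-All ACL and kills the process (steps 2 to 5), and finally restores permissions and deletes the file (step 8). It goes slightly beyond the post by scanning file contents for both the ASCII and UTF-16LE forms of "\CurrentVersion\Run", since the Windows search box only finds one of them.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+, elevated.
# All paths passed to these functions are operator-supplied placeholders.

# Steps 1 and 9: inventory hidden .exe files under the Windows folder.
function Get-HiddenExeInventory {
    param([string]$Root = $env:SystemRoot)
    Get-ChildItem -Path $Root -Filter '*.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            [PSCustomObject]@{
                Path     = $_.FullName
                SizeKB   = [math]::Round($_.Length / 1KB)
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signed   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

# Step 9: find files that embed "\CurrentVersion\Run" as ASCII or as UTF-16LE.
function Find-RunKeyString {
    param([string]$Root = $env:SystemRoot, [string]$Needle = '\CurrentVersion\Run')
    $latin1   = [Text.Encoding]::GetEncoding('iso-8859-1')   # maps bytes to chars 1:1
    $needle16 = ($Needle.ToCharArray() -join "`0") + "`0"    # UTF-16LE byte pattern
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 20MB } |
        ForEach-Object {
            try { $text = $latin1.GetString([IO.File]::ReadAllBytes($_.FullName)) } catch { return }
            if ($text.Contains($Needle) -or $text.Contains($needle16)) {
                [PSCustomObject]@{
                    Path   = $_.FullName
                    Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                }
            }
        }
}

# Step 6 and the closing caveat: Run/RunOnce for HKLM, HKCU and every loaded user hive.
function Get-RunKeyEntries {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
    }
    $suffix = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
    $roots  = @("HKLM:\$suffix", "HKCU:\$suffix") + @(
        Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
            ForEach-Object { "HKU:\$($_.PSChildName)\$suffix" })
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($root in $roots) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$root\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                Where-Object { $_.Name -notin $meta } |
                ForEach-Object { [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
}

# Steps 2-4: cut inheritance and deny Everyone (which includes SYSTEM) all access,
# so the file can no longer be read, and therefore no longer executed.
function Block-File {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)                # step 3: stop inheriting
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)                   # drop explicit grants
    }
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $everyone, 'FullControl', 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Step 5: stop every running process whose image is the blocked file.
function Stop-ProcessByImage {
    param([Parameter(Mandatory)][string]$Path)
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $Path } |
        Stop-Process -Force
}

# Step 8 (after cleaning Run keys and rebooting): the owner always keeps the right
# to change the DACL, so remove the deny rule, re-enable inheritance and delete.
function Restore-AndRemove {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    $acl.SetAccessRuleProtection($false, $true)                # inherit from the folder again
    Set-Acl -LiteralPath $Path -AclObject $acl
    Remove-Item -LiteralPath $Path -Force
}
```

Typical order: run Get-HiddenExeInventory and Get-RunKeyEntries first and keep their output, then Block-File on the suspect file, Stop-ProcessByImage, delete the Run entries that point at it, reboot, and only then Restore-AndRemove; Find-RunKeyString afterwards for the clones. Get-Acl and Set-Acl on the blocked file work because the file's owner is always granted READ_CONTROL and WRITE_DAC regardless of the deny ACE; if the account running the script is not the owner, take ownership first. Get-RunKeyEntries only sees user hives that are currently loaded, so log the other users on, or load their NTUSER.DAT, before trusting that their Run keys are clean.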