virus/worm? recreates random .exe in run section of registry when deleted

Thread starter: Scot

Scot

Not sure what this is or how to tackle it.

Basically there are multiple processes with random characters then .exe in
the process list. If you kill one, a new randomly named one will show back
up a few seconds later. There is another randomly named .exe in the Run
section of the Local Machine key, which if you delete that key and then
refresh, a new randomly named .exe will be waiting to load on startup again.
When you go to c:\windows\system32 where it says this file resides, it is
not there... this is with show all turned on.

Anyone have any ideas?

thanks

scot
 
Forgot to mention that it doesn't seem to be trying to connect to or
listening on any ports. FWIW.

scot
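The symptom Scot describes (a Run-key value pointing at a randomly named .exe that is not actually on disk) can be checked for mechanically. This is an added example, not code from the thread; the sample Run entries and the on-disk file list are constructed, and the registry reader is only used on a real Windows host.

```python
import math
import ntpath
import os
import re
import sys
from collections import Counter

# Constructed sample of HKLM\...\Run values (value name -> command line); not from a real host.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r'"C:\Windows\System32\SecurityHealthSystray.exe"',
    "xkqzpwvd": r"C:\WINDOWS\system32\xkqzpwvd.exe",
    "ctfmon": r"C:\Windows\System32\ctfmon.exe /n",
}
# Constructed picture of what is on disk for the sample above (lower-cased full paths).
SAMPLE_DISK = {r"c:\windows\system32\securityhealthsystray.exe", r"c:\windows\system32\ctfmon.exe"}

def image_path(command):
    """Executable path from a Run-value command line: a quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def looks_random(stem):
    """Heuristic for generated names: 8+ alphanumerics, few vowels, spread-out characters."""
    if not re.fullmatch(r"[a-z0-9]{8,}", stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    probs = [n / len(stem) for n in Counter(stem).values()]
    return vowel_ratio < 0.2 and -sum(p * math.log2(p) for p in probs) > 2.5

def triage(entries, exists):
    """Return [(value name, image path, reasons)] for Run entries worth a closer look."""
    findings = []
    for name, cmd in entries.items():
        path = image_path(cmd)
        reasons = ["image file not on disk"] if not exists(path) else []
        if looks_random(ntpath.splitext(ntpath.basename(path))[0].lower()):
            reasons.append("random-looking file name")
        if reasons:
            findings.append((name, path, reasons))
    return findings

def live_run_entries():
    """Read the HKLM Run key on a real Windows host (winreg exists only on Windows)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        entries, i = {}, 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once no values remain
                return entries
            entries[name] = str(value)
            i += 1

if __name__ == "__main__":
    win = sys.platform == "win32"
    entries = live_run_entries() if win else SAMPLE_RUN_ENTRIES
    exists = (lambda p: os.path.exists(os.path.expandvars(p))) if win else (lambda p: p.lower() in SAMPLE_DISK)
    for name, path, reasons in triage(entries, exists):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

A flagged entry that keeps reappearing after deletion, as in this thread, points at a live process re-writing the key rather than a stale value.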
 
Scot said:
Not sure what this is or how to tackle it.

Basically there are multiple processes with random characters then .exe in
the process list. If you kill one, a new randomly named one will show back
up a few seconds later. There is another randomly named .exe in the Run
section of the Local Machine key, which if you delete that key and then
refresh, a new randomly named .exe will be waiting to load on startup again.
When you go to c:\windows\system32 where it says this file resides, it is
not there... this is with show all turned on.

it's almost certainly malware of some kind... have you tried using a
virus scanner? have you tried submitting a copy of one of these
randomly named files to an av developer for analysis? i'd try those
first before trying to guess how to perform a manual removal of an
unknown piece of malware...
 
Never mind. It looks like it is called Sandbox

If, as I suppose, you are running Norman Virus Control, it is likely
that the "Sandbox" term indicates that a "new" worm has been detected
on your system using heuristics. The "Sandbox" is the name of the
method used by the heuristics, and it is used as a prefix for naming
malwares detected using this technology.

If this is correct, there should be something else than the term
"Sandbox". Generic identifications include: Sandbox: W32/Malware,
W32/Downloader, W32/Backdoor, W32/EmailWorm, W32FileInfector,
W32/P2PWorm, W32/NetworkWorm (maybe others). This generic
identification may help to understand more precisely what the
malware is actually doing.

You may obtain more information by observing Norman log files
(right click on the taskbar icon and then go to "utilities" ->
"messages". There are two ways to see the messages, directly
(left tab, click in the window, messages corresponding to
the current session are displayed) or by displaying the contents
of the log file containing the alert (right click, open the
.nps file). Then, double click on the line corresponding to the
alert. The "details" window should contain information about
the malware. You can copy/paste this information here.

Additionally, you should send the infected file (if you
succeed in locating it) to (e-mail address removed) (in an encrypted
.zip archive, do not forget to give the .zip password in the
email). You can also send me the archive at tweakie(at)mail.nu

You should also submit the suspect files here:

http://www.kaspersky.com/scanforvirus.html
 