How to delete spyware/virus that isn't there?

Discussion in 'OT Technology' started by mdaniel, Mar 9, 2006.

  1. mdaniel

    mdaniel S is for Shiksa

    Joined:
    May 6, 2000
    Messages:
    52,496
    Likes Received:
    305
    Location:
    Northwest Mejicooooooo
    I've seen a few instances of malware that works as follows:

    I'll see some junk filename in task manager like fj6kgi.exe.

    Killing it simply causes another randomly named .exe file to appear.

    Msconfig shows the file lives in c:\windows\system32

    I'll boot from a CD or view the disk from another machine but the .exe file can't be found. (yes, hidden & system files are visible) Listing all .exe files in the system32 folder and sorting by date shows no odd filenames with recent dates.

    So it's like the files only exist when Windows is running (even in safe mode), and then they can't be killed or deleted. If Windows isn't running, there are no files to delete. Antivirus & antispyware programs don't detect it.
     
  2. Boogieman117

    Boogieman117 PSN: Boogieman117

    Joined:
    Jan 6, 2006
    Messages:
    17,554
    Likes Received:
    0
    Location:
    20678/20657 area
    Google the filename? Any hits?
     
  3. jwynn

    jwynn Yeah I Know I Dont Have Enough Posts

    Joined:
    Jan 28, 2006
    Messages:
    288
    Likes Received:
    0
    Location:
    FL
    Process Explorer

    http://www.sysinternals.com/Utilities/ProcessExplorer.html

    It will show you the processes as a tree so you can find the parent process that keeps respawning the one you kill. It also shows you what files and directories each process has open. You can track that thing down in 30 seconds with this thing. It's great, it's free. There's tons of invaluable free software on that website, and info!
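The same parent/child view and image-path lookup can be scripted, which helps when you want a record of what the live system claimed before you shut it down. The following is an added example and not code from the thread or from Sysinternals. It assumes Windows PowerShell 5.1 or later, an elevated prompt (otherwise ExecutablePath is blank for other users' processes), and a thumb drive at E:\ for the export; the directory, the "random name" regex and the CSV path are assumptions for illustration. Win32_Process exposes the ParentProcessId and ExecutablePath that Process Explorer draws as a tree. Keep in mind that a rootkit can lie to this script just as it lies to Task Manager, so treat the output as the compromised system's story, to be checked against an offline view.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 or later,
# run from an elevated prompt so ExecutablePath is filled in for every process.
# Win32_Process exposes the same parent/child relation and image path that
# Process Explorer draws as a tree.

function Get-ProcessTreeReport {
    [CmdletBinding()]
    param(
        # Directory msconfig pointed at in the thread; change it if the entry differs.
        [string]$WatchDir = "$env:SystemRoot\System32"
    )

    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $path   = $p.ExecutablePath
        $onDisk = if ($path) { Test-Path -LiteralPath $path } else { $null }
        $hash   = if ($onDisk) {
            (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }

        [pscustomobject]@{
            Pid         = $p.ProcessId
            Name        = $p.Name
            ParentPid   = $p.ParentProcessId
            # A parent that is gone, or a PID reused by something else, is itself worth a look.
            ParentName  = if ($parent) { $parent.Name } else { '<no longer running>' }
            Path        = $path
            OnDisk      = $onDisk
            Sha256      = $hash
            # Crude heuristic for names like fj6kgi.exe: short, letters mixed with digits,
            # living in the watched directory. Expect a few false positives.
            LooksRandom = [bool]($path -and ($path -like "$WatchDir\*") -and
                                 ($p.Name -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,8}\.exe$'))
            Started     = $p.CreationDate
        }
    }
}

$report = Get-ProcessTreeReport

# Show the suspects together with their parents, so the respawning process is visible.
$report |
    Where-Object { $_.OnDisk -eq $false -or $_.LooksRandom } |
    Sort-Object Started |
    Format-Table Pid, Name, ParentPid, ParentName, OnDisk, Path -AutoSize

# Keep the full list for comparison from an offline boot later (assumed thumb-drive path).
$report | Export-Csv -NoTypeInformation -LiteralPath 'E:\live-procs.csv'
```

The ParentPid column is the part that matters for the respawn loop: kill the parent first (or suspend it, which Process Explorer also offers), then the child. The Sha256 and Path columns exist so the same file can be looked for, and hashed, from a boot CD afterwards.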
     
  4. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    yeah, russinovich writes some good shit
     
  5. mdaniel

    mdaniel S is for Shiksa

    Joined:
    May 6, 2000
    Messages:
    52,496
    Likes Received:
    305
    Location:
    Northwest Mejicooooooo
    Yeah I'll Google the filenames but since they're randomly generated, I never get any hits.
     
  6. mdaniel

    mdaniel S is for Shiksa

    Joined:
    May 6, 2000
    Messages:
    52,496
    Likes Received:
    305
    Location:
    Northwest Mejicooooooo
    Thanks. I'll throw that on my thumb drive for the next time I see a machine with one of those little bastards on it.
     
  7. Yep

    Yep Knick knack paddy whack, give the old dog a bone

    Joined:
    Jan 22, 2001
    Messages:
    4,603
    Likes Received:
    0
    Location:
    South Jersey
    Might be worth looking into carrying a BartPE CD. No spyware or virus can hide from it.
     
  8. mdaniel

    mdaniel S is for Shiksa

    Joined:
    May 6, 2000
    Messages:
    52,496
    Likes Received:
    305
    Location:
    Northwest Mejicooooooo
    I already have something similar and the files in question aren't there when I boot into it. That's the freaky part.
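The situation in the thread, a process that the running OS reports and a file that an offline boot cannot find, is exactly what a cross-view comparison is for: record what the live system claims, then check those claims from media the malware cannot influence. The following is an added example, not code from the thread. It assumes a rescue environment with PowerShell (a WinPE image, or the disk attached to a clean machine), the infected volume mounted as D:, and a CSV recorded on the live system with columns Pid, Name, Path and Sha256; the one-liner in the comment shows one way to produce that CSV, and the drive letters are assumptions. A path that the live OS reported but that is missing offline means the live file-system view was filtered or the image was never on disk; a hash that differs means the live view returned different bytes than the volume actually holds.

```powershell
# Added example, not from the thread. Run from the rescue media after mounting
# the infected volume. Assumes a CSV recorded on the live system with columns
# Pid, Name, Path, Sha256, for instance produced with:
#   Get-CimInstance Win32_Process | Where-Object ExecutablePath | Select-Object `
#     @{n='Pid';e={$_.ProcessId}}, Name, @{n='Path';e={$_.ExecutablePath}}, `
#     @{n='Sha256';e={(Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash}} |
#     Export-Csv -NoTypeInformation E:\live-procs.csv

function Compare-LiveToOffline {
    param(
        [Parameter(Mandatory)] [string]$InventoryCsv,
        # Drive letter the infected Windows volume got when booted from the CD (assumed D:).
        [Parameter(Mandatory)] [string]$OfflineRoot,
        # The system drive as the live OS named it.
        [string]$LiveSystemDrive = 'C:'
    )

    $prefix = '^' + [regex]::Escape($LiveSystemDrive)
    $root   = $OfflineRoot.TrimEnd('\')

    foreach ($row in Import-Csv -LiteralPath $InventoryCsv) {
        if (-not $row.Path) { continue }     # System/Idle process, nothing on disk to check

        # Map C:\Windows\System32\fj6kgi.exe to D:\Windows\System32\fj6kgi.exe.
        $offlinePath = $row.Path -replace $prefix, $root
        $exists      = Test-Path -LiteralPath $offlinePath
        $offlineHash = if ($exists) {
            (Get-FileHash -LiteralPath $offlinePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }

        $verdict = if (-not $exists) { 'MISSING offline' }
                   elseif ($row.Sha256 -and $offlineHash -ne $row.Sha256) { 'HASH DIFFERS' }
                   else { 'consistent' }

        [pscustomobject]@{
            Pid         = $row.Pid
            Name        = $row.Name
            LivePath    = $row.Path
            OfflinePath = $offlinePath
            Verdict     = $verdict
        }
    }
}

Compare-LiveToOffline -InventoryCsv 'E:\live-procs.csv' -OfflineRoot 'D:\' |
    Where-Object Verdict -ne 'consistent' |
    Format-Table -AutoSize
```

Neither view is trusted on its own; the disagreement between them is the finding. If the image really is absent from the volume, the next place to look is what starts it: the offline registry hives under D:\Windows\System32\config (Run keys, services, Winlogon entries) can be loaded with reg.exe from the rescue environment and read without the infected OS in the way.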
     