Finding Hidden Files That May Be Malware

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Important Announcement: We have two terrific contests running on the site that I wanted all our members and guests to know about.

The first contest is the HP Magic Giveaway, which is underway as of November 28th. More information can be found at this topic, which will be updated very soon with further information.

The second contests, is for the chance to win two Seagate FreeAgent external hard drives. More information about this contest can be found here.

These are both amazing contests and I suggest everyone submit an entry for them.

- BleepingComputer Management

BleepingComputer.com > Security > AntiVirus, Firewall and Privacy Products and Protection Methods

Finding Hidden Files That May Be Malware

Options

stephenhills View Member Profile	Jan 31 2008, 03:26 AM Post #1
New Member Group: Members Posts: 4 Joined: 29-January 08 Member No.: 187,021	Hi. I've a problem with an IP address that keeps connecting to my PC unwantedly and exchanging information and am trying to find any programme on the PC that is giving it access. I was recommended SOPHOS Anti-rootkit, which has identified an unknown hidden file in C:\Documents and Settings\Stephen Hills\Local Settings\Temp\vxfwlb.exe However, even with folder options set to 'show hidden files' I cannot find that file - nor does 'search' locate it ? Sophos doesn't recommend cleaning it up - but I wanted to find it and see what date it appeared on my PC as if it is in the last week it is probably connected to my problems. How can I find and if necessary remove that file ? Thanks

Pivopija	Jan 31 2008, 11:01 AM Post #2
Guests	Are you left blank field "Hide protected operating system files (Recomended)" in Folder Options?

groovicus View Member Profile	Jan 31 2008, 11:51 AM Post #3
Hail Groovicus! Group: Site Admin Posts: 6,251 Joined: 5-June 04 From: Vermillion, SD Member No.: 689	The location of the file: C:\Documents and Settings\Stephen Hills\Local Settings\Temp\vxfwlb.exe That is in your IE cache folder. All you need to do is dump the cache, and it will be gone. Maybe it will be gone. It depends. QUOTE However, even with folder options set to 'show hidden files' I cannot find that file Yeah, that's because it is a root kit (you did detect it with a rootkit finder). That means that your system has been modified in such a way that you can no longer believe anything that it tells you. For example, it is telling you that there is no such file, and you already know that it is there. As I said before, maybe it will be gone, but maybe not. Infections such as these often employ sentinels that rewrite deleted files, or re-download deleted files, etc. Rule of thumb for a rootkit is to reformat because unless you have a snapshot of your system from before it was infected to compare with your system now, there is no way you will ever know if you have removed everything. And while you are trying to clean it up, it is busy stealing your passwords,stealing your bank card numbers, logging your keystrokes, sending out spam emails, or any number of other things. It should not be connected to the Internet at all in its present condition. QUOTE Sophos doesn't recommend cleaning it up That is likely because it is hooked into other files, and Sophos does not want to be responsible for screwing up your computer. -------------------- Never argue with Stupid People....

stephenhills View Member Profile	Jan 31 2008, 01:29 PM Post #4
New Member Group: Members Posts: 4 Joined: 29-January 08 Member No.: 187,021	Groovicus - many thanks. Not sure I wanted to hear all that - but at least I have been warned about what may be going on inside the PC. Would that rootkit also be responsible for the connection to the outside IP address and the exchange of data ? Can I block the offending IP address ? Thanks

groovicus View Member Profile	Feb 1 2008, 11:37 PM Post #5
Hail Groovicus! Group: Site Admin Posts: 6,251 Joined: 5-June 04 From: Vermillion, SD Member No.: 689	I'm sure that wasn't what you wanted to hear. You probably could block the offending IP, but you have no way of knowing if the embedded program has a list of alternates or not. How can you be sure that you blocked it? Remember, your computer is lying to you. I know this sucks rocks, but rootkits are nasty business, and you never know what is happening. And to answer your question, the rootkit may be responsible for the mysterious connections. I would be curious to know what sort of data was being transmitted. -------------------- Never argue with Stupid People....

« Next Oldest · AntiVirus, Firewall and Privacy Products and Protection Methods · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 1st December 2008 - 02:48 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides