Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Finding Hidden Files That May Be Malware


  • Please log in to reply
4 replies to this topic

#1 stephenhills

stephenhills

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 31 January 2008 - 03:26 AM

Hi. I've a problem with an IP address that keeps connecting to my PC unwantedly and exchanging information and am trying to find any programme on the PC that is giving it access. I was recommended SOPHOS Anti-rootkit, which has identified an unknown hidden file in C:\Documents and Settings\Stephen Hills\Local Settings\Temp\vxfwlb.exe However, even with folder options set to 'show hidden files' I cannot find that file - nor does 'search' locate it ? Sophos doesn't recommend cleaning it up - but I wanted to find it and see what date it appeared on my PC as if it is in the last week it is probably connected to my problems. How can I find and if necessary remove that file ? Thanks

BC AdBot (Login to Remove)

 


#2 Guest_Pivopija_*

Guest_Pivopija_*

  • Guests
  • OFFLINE
  •  

Posted 31 January 2008 - 11:01 AM

Are you left blank field "Hide protected operating system files (Recomended)" in Folder Options?

#3 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD

Posted 31 January 2008 - 11:51 AM

The location of the file: C:\Documents and Settings\Stephen Hills\Local Settings\Temp\vxfwlb.exe
That is in your IE cache folder. All you need to do is dump the cache, and it will be gone. Maybe it will be gone. It depends.

However, even with folder options set to 'show hidden files' I cannot find that file

Yeah, that's because it is a root kit (you did detect it with a rootkit finder). That means that your system has been modified in such a way that you can no longer believe anything that it tells you. For example, it is telling you that there is no such file, and you already know that it is there.

As I said before, maybe it will be gone, but maybe not. Infections such as these often employ sentinels that rewrite deleted files, or re-download deleted files, etc. Rule of thumb for a rootkit is to reformat because unless you have a snapshot of your system from before it was infected to compare with your system now, there is no way you will ever know if you have removed everything. And while you are trying to clean it up, it is busy stealing your passwords,stealing your bank card numbers, logging your keystrokes, sending out spam emails, or any number of other things.

It should not be connected to the Internet at all in its present condition.

Sophos doesn't recommend cleaning it up

That is likely because it is hooked into other files, and Sophos does not want to be responsible for screwing up your computer.

#4 stephenhills

stephenhills
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 31 January 2008 - 01:29 PM

Groovicus - many thanks. Not sure I wanted to hear all that - but at least I have been warned about what may be going on inside the PC. Would that rootkit also be responsible for the connection to the outside IP address and the exchange of data ? Can I block the offending IP address ? Thanks

#5 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:09 PM

Posted 01 February 2008 - 11:37 PM

:thumbsup:

I'm sure that wasn't what you wanted to hear. You probably could block the offending IP, but you have no way of knowing if the embedded program has a list of alternates or not. How can you be sure that you blocked it? Remember, your computer is lying to you. I know this sucks rocks, but rootkits are nasty business, and you never know what is happening. And to answer your question, the rootkit may be responsible for the mysterious connections. I would be curious to know what sort of data was being transmitted.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users