
I know for a fact that I am infected.


6 replies to this topic

#1 365_days_gone

365_days_gone

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 23 October 2010 - 11:02 PM

The first thing I do when I turn my computer on is open the task manager and leave it on the "processes" tab and leave it at the bottom. I do this cause it shows what programs are using for physical memory and how much total is being used. Anyways, I was on Facebook tonight, and for some reason my computer was lagging up horribly. I finally got the Firefox window up from the bottom tray bar and it said "stop script/continue running script"...anyways, I restarted my computer and brought up the task manager and the first thing I noticed in the processes tab were the weirdest files. The things have NEVER been there before.

http://www.esnips.com/doc/0fb5b9d4-7e22-45cc-8e74-18bc7327f113/TM-h

There...I highlighted the weird ones...but I stopped after those ones cause pretty much everything in there is new! They were never there before. From what I can tell, my computer is running fine and no different right now, but I'm telling you, those files were never there before! I'm pretty sure the only things ever running in there were running as "Owner" or "SYSTEM", never "Local Service" or "Network Service". I'm really hoping you guys recognize these as a virus and which one! AND HOW TO REMOVE IT!

I'm running on Vista too.

Edited by 365_days_gone, 24 October 2010 - 10:34 AM.



 


#2 Sightless

Sightless

  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Up in the Clouds
  • Local time:02:04 PM

Posted 24 October 2010 - 09:22 AM

Could you please post the names of the strange files rather than having an external link to them? It will help the helpers help you faster.

#3 365_days_gone

365_days_gone
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 24 October 2010 - 10:35 AM

Sorry, I had posted the wrong link. The link now takes you right to a picture of my Processes-Task Manager screen, showing the highlighted files.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:04 PM

Posted 24 October 2010 - 12:27 PM

It's still asking me to install software to download a readable image?
Chewy

No. Try not. Do... or do not. There is no try.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,946 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:04 PM

Posted 24 October 2010 - 12:29 PM

Your link is not loading for me so I cannot see the list of processes.

Most of the processes in Task Manager will be legitimate as shown in these links.

It is not uncommon to have a lot of running processes showing in Task Manager. For instance, Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (.dll's) and can run other services underneath itself. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimize the running of the various services.
  • svchost.exe SYSTEM
  • svchost.exe LOCAL SERVICE
  • svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted. Keep in mind that a legitimate file can also be infected by some types of malware such as Virut which is a dangerous polymorphic file infector. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

-- These tools will provide information about each process, CPU usage, file description and its path location.
-- System Explorer provides a security check of running processes using their online security database when you first launch the program. If you want to process the initial scan, press the "Start Security Check" button. Keep in mind that the check is not a guarantee of what is or is not detected as malware. Further investigation is always recommended. At the Security Check page you can also check the file through the VirusTotal database by pressing the Check MD5 button.


Anytime you come across a suspicious file or one that you do not recognize, search the name using Google <- click here for an example.

Or search the following databases:

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to one of the following online services that analyze suspicious files:

In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

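The location check described in post #5, written out as an added example that is not part of the original thread: a process that carries a system file's name is compared against the folder that file normally runs from, and the account it runs under is deliberately ignored. The short list of expected folders, the `C:\Windows` install directory and the process records are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumed expected folders (relative to the Windows directory) for a few
# well-known system binaries. Illustrative, not an exhaustive list.
EXPECTED_DIRS = {
    "svchost.exe": ["System32", "SysWOW64"],
    "lsass.exe": ["System32"],
    "services.exe": ["System32"],
    "explorer.exe": ["", "SysWOW64"],
}

def normalize(path):
    # Collapse ".." segments and fold case: Windows paths are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))

def classify(name, path, windir=r"C:\Windows"):
    """Return 'ok', 'suspicious', 'unknown-path' or 'not-tracked'."""
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None:
        return "not-tracked"      # not a name this check knows about
    if not path:
        return "unknown-path"     # path not visible to the viewer; needs a closer look
    allowed = {normalize(ntpath.join(windir, d, name)) for d in expected}
    return "ok" if normalize(path) in allowed else "suspicious"

# Constructed sample records: (pid, image name, user, full path)
SAMPLE = [
    (812, "svchost.exe", "SYSTEM", r"C:\Windows\System32\svchost.exe"),
    (940, "svchost.exe", "NETWORK SERVICE", r"c:\windows\system32\svchost.exe"),
    (1180, "svchost.exe", "LOCAL SERVICE", r"C:\Windows\System32\svchost.exe"),
    (3344, "svchost.exe", "Owner", r"C:\Users\Owner\AppData\Roaming\svchost.exe"),
    (3500, "svchost.exe", "Owner", r"C:\Windows\System32\..\Temp\svchost.exe"),
    (604, "lsass.exe", "SYSTEM", ""),
    (2210, "firefox.exe", "Owner", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

def triage(records):
    # The user column is ignored on purpose: svchost.exe under SYSTEM,
    # LOCAL SERVICE or NETWORK SERVICE is normal, so the path is the signal.
    return {pid: classify(name, path) for pid, name, _user, path in records}

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE).items():
        print(pid, verdict)
```

A "suspicious" result only means the file is not where it is supposed to be; it is a reason to look the file up or submit it for scanning, not a verdict.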

#6 365_days_gone

365_days_gone
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 27 October 2010 - 07:55 PM

There are far too many files to list.
Try this link

http://s1184.photobucket.com/albums/z327/Prototypebrad/?action=view&current=TM.jpg

And a highlighted version:
http://s1184.photobucket.com/albums/z327/Prototypebrad/?action=view&current=TM-h.jpg

Edited by 365_days_gone, 27 October 2010 - 08:03 PM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,946 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:04 PM

Posted 28 October 2010 - 06:41 AM

Now you need to investigate which .exe files you are not familiar with as I previously advised.

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google <- click here for an example.

Or search the following databases:





