possible infection, win7 shutdown


No replies to this topic

#1 radioalarm

  • Members
  • 1 posts

Posted 04 November 2010 - 06:17 AM

Hi. I always thought I had quite a lot of malware removal experience, but this case is driving me nuts.

I have four identical fresh Dell machines, Win7 Pro 32-bit, Office 2010, MS Security Essentials. Also the usual stuff: Adobe Reader, UltraVNC, etc. A few days after installation, users started to observe strange behaviour. From time to time one proprietary program starts redrawing its window very fast; it looks like it's closing and opening again, but the process does not really terminate. This happens for a few minutes, then the program is back to normal, where it was. Another trick is Word, which looks like somebody is pressing Enter (adding new lines). This doesn't stop until the process is killed. Then today one PC started flickering windows again, and then shut itself down gracefully (not a hard power-off).

Nothing suspicious in the event logs, and hardware also cannot be the problem (identical new machines). But all PCs have a mapped network drive, which had been infected with usbv.exe (W32.SillyP2P) and juana.exe (W32.Pilleuz!gen5), using autorun.inf. The virus names are as reported by Symantec. The drive was cleaned at about the same time the Dell machines started acting weird.

I don't see anything bad on the machines; I tried Autoruns, Process Explorer, and scanning with MBAM, SUPERAntiSpyware, the ESET online scanner and AVZ. No strange connections observed with TCPView. The users of these PCs are not likely to visit porn or similar insecure sites.

I'm afraid to use specific tools like ComboFix, because I don't have experience with them on Win7. Could you recommend something?

Edit: I would add that no suspicious .exe files were found in the usual places like %appdata% or %temp%.

Edited by radioalarm, 04 November 2010 - 09:28 AM.
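The post names an autorun.inf-based worm on a mapped network drive as the likely source. The following PowerShell script is an added example, not code from the original poster or from BleepingComputer: it enumerates the mapped network drives on a Windows 7 host, reports any autorun.inf and the commands it would launch, looks for the two file names given in the post (usbv.exe and juana.exe), and reads the NoDriveTypeAutoRun policy to confirm that AutoRun is disabled for network drives. The bitmask interpretation (0x10 = remote drives) is standard Windows behaviour; the file names are taken from the post, and everything else in the script is an assumption for illustration.

```powershell
# Added example (not from the original post): inspect mapped network drives for
# autorun.inf and the worm files named in the thread, then check the AutoRun policy.
# Run from an elevated PowerShell prompt on the affected Win7 machine.

# File names from the post; everything else here is an assumption for illustration.
$knownBad = @('usbv.exe', 'juana.exe')

# DriveType 4 = network drive (Win32_LogicalDisk), so only mapped shares are listed.
$netDrives = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 4"

foreach ($d in $netDrives) {
    $root = $d.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    Write-Host ("Checking {0} ({1})" -f $root, $d.ProviderName)

    if (Test-Path -LiteralPath $inf) {
        Write-Warning "autorun.inf present on $root"
        # autorun.inf is an INI file; these keys name what AutoRun/AutoPlay would execute.
        Get-Content -LiteralPath $inf |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' } |
            ForEach-Object { Write-Warning ("  " + $_.Trim()) }
    }

    foreach ($name in $knownBad) {
        $p = Join-Path $root $name
        # -Force so hidden/system files (the usual worm attributes) are still reported.
        if (Test-Path -LiteralPath $p) {
            $f = Get-Item -LiteralPath $p -Force
            Write-Warning ("{0} exists: {1} bytes, modified {2}, attributes {3}" -f `
                $p, $f.Length, $f.LastWriteTime, $f.Attributes)
        }
    }
}

# NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled:
# 0x10 = remote (network) drives, 0xFF = everything. The HKLM value takes precedence
# over HKCU when both exist, so both are shown.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive`:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -eq $null) {
        Write-Host "$hive : NoDriveTypeAutoRun not set (OS default applies)"
    } elseif (($val -band 0x10) -eq 0) {
        Write-Warning ("{0}: NoDriveTypeAutoRun=0x{1:X} does NOT disable AutoRun on network drives" -f $hive, $val)
    } else {
        Write-Host ("{0}: NoDriveTypeAutoRun=0x{1:X} (AutoRun disabled on network drives)" -f $hive, $val)
    }
}
```

A caveat worth keeping in mind when reading the output: Windows 7 by default does not honour autorun.inf on anything other than optical media, and its default NoDriveTypeAutoRun (0x91) already includes the network-drive bit, so on an unmodified Win7 host the autorun.inf on the share cannot start usbv.exe or juana.exe by itself; a user would have to launch the file. The script therefore also tells you whether someone has weakened that policy, which would change the picture considerably.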

