There was a suspicious exe placed on her desktop. 0.bunchofnumbers.exe (sorry, I did not write that one down). Moreover, there is an even more suspicious task running in the listing. It has the name "1956182124:2466736011.exe". Yes, I know that the colon (":") is the device separator character, but that's what it says in the running tasks listing. There is a 0 byte file c:\windows\1956182124 ... I cannot find 2466736011.exe anywhere on the disk. This exe is launched by a Services entry for a service identified as "6cf89874".
I removed the disk from her desktop and, with a USB tether from my laptop, ran Malwarebytes on the entire thing and AVG on the Docs & Settings folder. Neither recognized anything significant (including the 0.whatever.exe, which I left in the desktop folder for them to find).
I looked at files modified around the time of the desktop file timestamp. Found a couple of java files and removed them. She had been browsing soapzone, and the cookies right around that time were for some of the ad streams. I also found a cache file of some sort in an antivirus app folder, so I suspect it was preparing to not be discovered.
I removed the 0.whatever.exe file from the desktop folder, the java files, and the antivirus cache file then put the disk back in her computer.
The weird task was still there, so I dumped the registry and found the service entries (yes, I mentioned them above, but this is when I found them).
I removed the entry for service 6cf89874 in CurrentControlSet, ControlSet003 and ControlSet004 (actually one of those was linked to the current control set).
I removed the 0 byte file c:\windows\1956182124.
I powered off the machine (not a shutdown, as I did not want to give any virus re-installer a chance there).
The task in the running tasks list, the zero byte file, and the registry entries for the service came back.
Since the colon is a device separator, I figure this is some serious bypass mojo and the actual virus is hidden god-knows-where.
Is anybody familiar with the trick of tasks with colons in their names?
Is anybody familiar with these symptoms?
Edited by hamluis, 23 September 2011 - 01:08 PM.
Moved from XP to Am I Infected.
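A "file:name.exe" path like the one in the task list is the NTFS alternate data stream form (host file, colon, stream name), which is why the 0 byte host file exists but the exe cannot be found as a file. The following PowerShell is an added triage example, not the poster's code or any tool they mention: it lists services whose binary path points into a stream and enumerates the streams on a host file. It assumes the disk is attached to a Windows host with PowerShell 3.0 or later (Get-Item -Stream is not available on XP), and the host path used at the bottom is taken from the post only as an illustration.

```powershell
# Added example: inspect, do not execute, anything found. Run from a current Windows
# host with the suspect disk attached; adjust the drive letter as needed.

function Get-AdsServicePath {
    # Returns services whose executable path has a second colon after the drive
    # letter, i.e. the host:stream form seen in the task list. Heuristic only:
    # an unquoted path containing spaces is cut at the first space.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($_.PathName -split ' ')[0] }
        if ($exe -match '^[A-Za-z]:\\[^:]*:[^\\]') {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Exe       = $exe
            }
        }
    }
}

function Get-FileStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Every stream on the file, including the default ':$DATA' stream. A 0 byte
    # file that still carries a named stream with a non-zero Length is the
    # pattern described in the post.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Select-Object Stream, Length
}

Get-AdsServicePath | Format-Table -AutoSize
# Host file named in the post; replace with the path on your own system.
Get-FileStreams -Path 'C:\Windows\1956182124'
```

Because the stream lives inside the host file, deleting only the service entry or recreating the host file leaves the content available to whatever re-creates the service; the stream listing shows whether the payload is still present.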