Re: strange folder



http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=troj%5Fqoologic&alt=qoologic&Sect=SA

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375




"SP" <na@xxxxxxxxx> wrote in message news:eZ5t3FumGHA.4868@xxxxxxxxxxxxxxxxxxxxxxx
The virus was TROJ_QOOLOGIC.AL. We use TrendMicro, and it's funny that their site doesn't have anything about this virus.

Anyway, thanks again and let's put this virus to rest for now.

Steve

"Brian A." <gonefish'n@afarawaylake> wrote in message news:OUq$0asmGHA.5076@xxxxxxxxxxxxxxxxxxxxxxx
You can have folders with the same name but not in the same directory. There are a few viruses that do that to keep you from removing them; the second one is set up to reactivate it in case you remove one.
What is/are the name of the virus/es?
As mentioned before, check your AV app's site articles on the virus/es; aside from my reason before, it may be one they have a cleaning tool for.

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375




"SP" <none> wrote in message news:uCrv%23LqmGHA.4064@xxxxxxxxxxxxxxxxxxxxxxx
Interesting tip...thanks

In any case, I happened to think that viruses now are so clever that they can do such a trick as to create 2 folders with one name. To be honest, I didn't even know how to manually do such a thing - much less clean it up. Technically, it's impossible to have 2 folders with one name (needless to say). So, this must be quite a trick, as this is my first time seeing it. That's why I'd like people to check it out as well.

For my incident, I was looking in the registry (Run key), and the virus was set to run c:\program files\common files\Adobe\winword.exe. But when I went to the Adobe folder, there wasn't any such Winword.exe. It turned out that there was a second Adobe folder. I'm not sure how it did it...as I said, how could it be technically possible?

Steve
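The thread above turns on a folder that looks identical to "Adobe" but is not the same directory entry, and on a Run-key value that points into it. The Python below is an added example, not code from the thread or from any of the tools mentioned: it collapses folder names to what a user would see on screen (full-width letters, case, zero-width characters, a small constructed table of Cyrillic look-alikes, trailing spaces and dots) and groups entries that collide, then checks which on-disk folders an autostart path could actually refer to. The directory listing and the Run value are constructed sample data; the thread does not say how the second folder was created.

```python
import ntpath
import unicodedata
from collections import defaultdict

# Invisible code points that leave a folder name looking unchanged in Explorer.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Constructed, partial table of lowercase Cyrillic letters that render like
# Latin ones; a production check would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

# Constructed sample data standing in for the thread's situation: a listing of
# C:\Program Files\Common Files and one Run-key value (assumed, not from the post).
SAMPLE_LISTING = ["Adobe", "Adobe ", "\u0410dobe", "Microsoft Shared", "System"]
SAMPLE_RUN_VALUE = r"C:\Program Files\Common Files\Adobe\winword.exe"


def canonical_name(name):
    """Reduce a name to what a user would perceive on screen.

    NFKC folds compatibility forms (full-width letters), casefold handles
    NTFS case-insensitivity, zero-width characters are dropped, known
    confusables are mapped to their Latin look-alikes, and trailing spaces
    and dots are stripped because ordinary Win32 path handling strips them
    on creation, so a stored name that kept them deserves a closer look.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded if ch not in ZERO_WIDTH)
    return folded.rstrip(" .")


def oddities(name):
    """List the concrete ways a raw name differs from a plain ASCII name."""
    flags = []
    if name.endswith(" "):
        flags.append("trailing-space")
    if name.rstrip(" ").endswith("."):
        flags.append("trailing-dot")
    if any(ch in ZERO_WIDTH for ch in name):
        flags.append("zero-width-char")
    for ch in name.casefold():
        if ch in CONFUSABLES:
            flags.append(f"confusable U+{ord(ch):04X}->{CONFUSABLES[ch]}")
    if any(ord(ch) > 127 for ch in name):
        flags.append("non-ascii")
    return flags


def find_lookalikes(listing):
    """Group directory entries that collapse to the same canonical name."""
    groups = defaultdict(list)
    for raw in listing:
        groups[canonical_name(raw)].append(raw)
    return {key: names for key, names in groups.items() if len(names) > 1}


def resolve_autostart(value, parent_listing):
    """Check which on-disk folders an autostart path could really refer to.

    `value` is the command from a Run-style key; `parent_listing` is the
    raw listing of the directory that should contain the command's folder.
    """
    folder = ntpath.basename(ntpath.dirname(value))
    target = canonical_name(folder)
    matches = [n for n in parent_listing if canonical_name(n) == target]
    return {
        "folder": folder,
        "exact": folder in parent_listing,
        "lookalikes": [n for n in matches if n != folder],
        "flags": {n: oddities(n) for n in matches},
    }


if __name__ == "__main__":
    for key, names in find_lookalikes(SAMPLE_LISTING).items():
        print(f"{key!r}: {[repr(n) for n in names]}")
    print(resolve_autostart(SAMPLE_RUN_VALUE, SAMPLE_LISTING))
```

On a real machine you would feed `os.listdir()` output of the parent directory into `find_lookalikes` and each Run-key value into `resolve_autostart`; the `flags` entry tells you which of the colliding names carries a trailing space, a zero-width character or a look-alike letter, which is exactly the difference Steve could not spot by eye.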

"Brian A." <gonefish'n@afarawaylake> wrote in message news:uEXUQMnmGHA.2112@xxxxxxxxxxxxxxxxxxxxxxx
BTW, do not post any attachments unless specifically asked to. Posting any attachments is a good way to get ignored.

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375




"SP" <none> wrote in message news:OC8C7OmmGHA.2452@xxxxxxxxxxxxxxxxxxxxxxx
Hi and thanks for your reply. That's a whole load of troubleshooting you gave...thanks again.

I'm cleaning the system as we speak, and I'm renaming and resending the photo file just to dispel any paranoia.

Just real quick on my approach.
-From the DOS prompt, I did a REN to rename the virus file from whatever it was to, say, bad_file.exe
-I rebooted the PC and was able to delete the renamed files.
-I scanned the system again, and the scanning process was now able to remove additional viruses that it couldn't earlier.

Things start to look better. Also, this approach didn't work for every situation, but it seemed to have worked this time around.

Steve


"Brian A." <gonefish'n@afarawaylake> wrote in message news:uXwtH%23lmGHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
Do you really expect anyone to open a file named Virus, especially even when
mentioning a compromised system? Put any Adobe issues on the back burner and clean
up your system.

Run a full system virus scan with fully up-to-date definitions.

**It is very important to run the update for each program before running the app/s
to be sure you have the latest definitions.**
Run the programs in Safe Mode after ensuring you have shut down all running tasks
except explorer or systray and all apps are fully up to date.
Remove your Temp Internet files: Right click IE. Under the General tab click Delete
Files, put a check in Delete all Offline..., click OK and close when finished.
Delete all files in c:\windows\temp.

Download/run Cool Web Shredder from:
http://www.intermute.com/products/cwshredder.html

For Info on Cool Web Search variants:
http://www.richardthelionhearted.com/~merijn/cwschronicles.html

Download/install/run Ad-Aware SE to detect/rid of any other parasites/spyware that
may be installed. It can be obtained free from:
http://www.lavasoftusa.com/
After installing Ad-Aware, open it and click on the ref update to get the latest
up-to-date ref file, then run Ad-Aware and delete everything it finds.

Download/install/run Spybot - Search & Destroy:
http://security.kolla.de/index.php?lang=en&page=download
Run it at its default settings until you learn and know more about it. Spybot S&D
is more of an advanced users tool and changing from the default settings can be
dangerous to the novice user. Items found in the default settings that are RED can
usually be safely removed. If you are unsure of a found item, do not remove it and
ask for help.

If you still have problems, download/run HijackThis from:
http://www.richardthelionhearted.com/~merijn/downloads.html
http://majorgeeks.com/downloads31.html

Copy HJT to its own folder; this is where the log files will be saved. Run HJT in
Normal Mode.
Do not remove anything with it until you get advice on what to remove; HJThis will
list many apps that are needed along with the bad ones. Removing items listed
haphazardly without knowing what they are can/will create a royal mess. Read the
quick start here on how to create a log file that can be copied/pasted into a forum
that can provide assistance on removal of unwanted pests.
http://mjc1.com/mirror/hjt/#quick

Then post the logs to an appropriate forum where they specialize in
spyware/hijacker removal. Please read any sticky notes for proper posting which are
most commonly posted first at the top in each specific forum. Read any information
under each forum category name for information on what that particular one is used
for, look for the proper one that you post logs to.
http://forums.spywareinfo.com/
http://aumha.net/
http://forum.aumha.org/

After running the above and ensuring you have a clean machine:
It's also a good idea to have a HOSTS file to block bad sites, scroll to HOSTS File
Manager here:
http://www.mvps.org/PracticallyNerded/Software.htm

Download/install/run SpywareBlaster which stops the badboys before they even get a
chance to install:
http://www.javacoolsoftware.com/spywareblaster.html

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375




"SP" <none> wrote in message news:OVe1w5lmGHA.3880@xxxxxxxxxxxxxxxxxxxxxxx
Hi

Please take a look at the attached photo. Pay attention to the first Adobe folder
and the last Adobe folder. They look as if they have the same folder
name, but how is that possible?

Anyway, the last Adobe was created by a virus, and I was trying to look carefully
to see if there was any difference in the filename (like a space of some sort), but
I couldn't manage to find the difference.

There are a couple of viruses in the System32 folder, too. I can see them from the DOS
prompt, but I could see it from a window (even though I have already unchecked the boxes
to show hidden/system files).

Strange ! Maybe you can help me figure it out.

Thanks
Steve













.



Relevant Pages

  • Re: strange folder
    ... Brian A. Sesko ... Conflicts start where information lacks. ... Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm ... But, when I go to the Adobe folder, there wasn't any such Winword.exe. ...
    (microsoft.public.windowsxp.general)
  • Re: Multimedia audio controller
    ... Brian A. Sesko ... Conflicts start where information lacks. ... Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm ... Your Pavilion 512n should have a software/driver recovery program installed. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: RAM question.
    ... Brian A. Sesko ... Conflicts start where information lacks. ... Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Booting problem
    ... Brian A. Sesko ... Conflicts start where information lacks. ... Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm ... I now can not boot the pc without putting the ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: A trojan?
    ... Brian A.;1552477 Wrote: ... Conflicts start where information lacks. ... Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm ... folder not in the WoW folder. ...
    (microsoft.public.windowsxp.general)

Loading