Re: Stumped... Invalid char harboring trojan



spybot would
be a good option
to exercise....


"fingers macgillicutty" <fingers macgillicutty@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:FD4A60A6-9C47-4720-952C-52420B8407C2@xxxxxxxxxxxxxxxx
My sister-in-law picked up a few nasties recently (myspace). AVG did away
with most of them but one remains. It lives in:

C:\Documents and Settings\Owner\Application Data\?asks\...

AVG, NAV, and Trend Micro's online scan see the offending file and all say
that they have successfully removed it, but if I scan again it's back. TM
shows the folder as

~\|asks\...

Booted a Linux live cd and mounted the ntfs volume with ntfs-3g (sweet!). I
was amazed to find that the folder is invisible to the shell. Running ClamAV
without updating the definitions found a trojan in pagefile.sys that had
never shown up when scanning under XP. Understandable. Made a gzipped tarball
of the existing swapfile and wiped the original. Booted back into XP and
\?asks is back, as is the trojan that lives there. Oh, and "Cowabanga by ol"
is listed under Add/Remove Programs. Too distracted by the main issue to
bother with that, though I will (attempt to) remove it when I go back.

So... I'm confused. I can't even find a way to create such a folder after
searching google for "folder name/path contain question mark/invalid
character/etc.". Well, I _think_ I could create it in Linux, at least on
ex2fs or the like (know I can); not sure if the ntfs driver follows ntfs
naming rules. I would imagine that I would be able to see it with ls if I
were able to do so.

I am not in front of her machine right now or I would name names. If anyone
has any ideas I will get the file names later today when I go back for round
2. Left Cygwin downloading just in case it can help (doubt it, probably
confined to what the underlying fs is capable of). Anyone up for a challenge?
TIA
FM
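As an added example (not part of this thread), here is a check a defender can run from the Linux live CD against the ntfs-3g mount: it walks the mounted volume and reports every file or directory name that Win32 tools cannot address (reserved characters such as `?` `|` `<` `>` `:` `"` `*`, control characters, trailing dots or spaces, and reserved device names like CON or NUL). Such names are exactly what Windows-side scanners can "remove" without the entry going away. The mount point `/mnt/ntfs` and the sample directory layout are assumptions.

```python
"""Flag file and directory names the Win32 namespace cannot address.

Added example, not code from the original thread. Intended to be run from a
Linux live CD against an NTFS volume mounted with ntfs-3g (mount point
/mnt/ntfs is an assumption), where the POSIX namespace allows names that the
Win32 API rejects.
"""
import os
import sys

# Characters the Win32 namespace rejects in a single path component,
# plus ASCII control characters 0x00-0x1F.
WIN32_RESERVED_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}

# Device names Windows reserves regardless of extension (case-insensitive).
WIN32_RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def win32_name_problems(name):
    """Return a list of reasons why one path component is not Win32-legal.

    An empty list means the name is addressable by ordinary Windows tools.
    """
    problems = []
    bad = sorted({c for c in name if c in WIN32_RESERVED_CHARS})
    if bad:
        # Report code points, since the offending char may be non-printable.
        problems.append("reserved chars " + ", ".join(f"U+{ord(c):04X}" for c in bad))
    if name.endswith((".", " ")):
        problems.append("trailing dot or space")
    stem = name.split(".", 1)[0].upper()
    if stem in WIN32_RESERVED_NAMES:
        problems.append(f"reserved device name {stem}")
    return problems


def find_unaddressable(root):
    """Walk root and return a sorted list of (path, reasons) for every entry
    whose name violates Win32 naming rules. Symlinks are not followed."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = win32_name_problems(name)
            if reasons:
                hits.append((os.path.join(dirpath, name), reasons))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python win32_names.py /mnt/ntfs
    mount = sys.argv[1] if len(sys.argv) > 1 else "/mnt/ntfs"
    for path, reasons in find_unaddressable(mount):
        print(f"{path}\t{'; '.join(reasons)}")
```

Every hit is a path that `ls` on the Linux side can show but that Explorer, `cmd`, and most Windows scanners cannot open or delete by name, so it is the list to act on from the live CD. Because the walk runs under Linux, the names are read exactly as stored rather than through Windows' mapping of unrepresentable characters to `?`. Separately, ntfs-3g's `windows_names` mount option refuses to create such names in the first place, which is worth setting if the volume will be written from Linux.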






