Frontpage
Forums
Tutorials
Members
Calendar
Subscription
Donate
Links
Contact 
Help
The report said this:
C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe - hidden file!
Found 1 infected file!
----------------------
C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe --> Gen:Trojan.Heur2.LVP.iGW@aCqiX1h
--> HKCU\Software\Microsoft\Windows\CurrentV…
However, once I get past the 'Temp' part of "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" I'm at a loss, and copy-pasting the line doesn't work. Help?
Page 1 of 1
I have a computer virus, but can't actually find it. How do I dele
Rate Topic:
#1
- Group: Banned
- Posts: 1
- Joined: 17-December 11
- OS:none specified
-
Country:
Posted 17 December 2011 - 09:56 AM
Back to top
#2
- Not really Newbie
-
- Group: Members
- Posts: 1,439
- Joined: 13-January 06
Posted 17 December 2011 - 10:09 AM
The trojan seem to be stored in an alternate datastream.
Try safe mode and command prompt and
If it doesn't work, you might need to use gmer or rootkit revealer.
Try safe mode and command prompt and
del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"
If it doesn't work, you might need to use gmer or rootkit revealer.
#3
- Wise Owl
-
- Group: Super Moderator
- Posts: 4,195
- Joined: 13-October 04
- OS:Windows 7 x64
Posted 17 December 2011 - 12:33 PM
Rather:
DEL/A/F "%TEMP%\WINUPD.EXE"
#4
- Not really Newbie
-
- Group: Members
- Posts: 1,439
- Joined: 13-January 06
Posted 17 December 2011 - 01:54 PM
Yzöwl, on 17 December 2011 - 12:33 PM, said:
Rather:
DEL/A/F "%TEMP%\WINUPD.EXE"
How would this delete an alternate datastream ?
To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.
#5
- The Finder
-
- Group: Developers
- Posts: 9,111
- Joined: 23-July 04
- OS:none specified
-
Country:
Posted 18 December 2011 - 05:41 AM
allen2, on 17 December 2011 - 01:54 PM, said:
To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.
Try running DEL /?.
You will notice how:
DEL [/P] [/F] [/S] [/Q] [/A[[:]attributes]] names
the red part is inside square brackets.
Would this mean anything?
jaclaz
#6
- Not really Newbie
-
- Group: Members
- Posts: 1,439
- Joined: 13-January 06
Posted 18 December 2011 - 07:57 AM
jaclaz, on 18 December 2011 - 05:41 AM, said:
allen2, on 17 December 2011 - 01:54 PM, said:
To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.
Try running DEL /?.
You will notice how:
DEL [/P] [/F] [/S] [/Q] [/A[[:]attributes]] names
the red part is inside square brackets.
Would this mean anything?
jaclaz
That doesn't answer anything about why the "del" command would delete the file "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" with "DEL/A/F "%TEMP%\WINUPD.EXE"" more efficiently than doing "del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"". In fact i don't even see how it would delete it because there are no ":" before the trojan filename.
This post has been edited by allen2: 18 December 2011 - 07:58 AM
#7
- The Finder
-
- Group: Developers
- Posts: 9,111
- Joined: 23-July 04
- OS:none specified
-
Country:
Posted 18 December 2011 - 09:54 AM
allen2, on 18 December 2011 - 07:57 AM, said:
That doesn't answer anything about why the "del" command would delete the file "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" with "DEL/A/F "%TEMP%\WINUPD.EXE"" more efficiently than doing "del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"".
Sure it does not
.It was in fact, and as clearly stated, related to this:
allen2, on 17 December 2011 - 01:54 PM, said:
To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.
and nothing else.
If you want to know whether the line Yzöwl posted is "more efficient" than the one you suggested, you may ask so. (but that would be ANOTHER question).
allen2, on 18 December 2011 - 07:57 AM, said:
In fact i don't even see how it would delete it because there are no ":" before the trojan filename.
In fact I don't see a "\" (backslash) after "C:\Documents and Settings\Elkian\Local Settings\Temp" and before the ":", and AFAIK/AFAICR the ":" is not part of a path nor of a filename.
(actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)jaclaz
#8
- Systems Annihilist
-
- Group: Members
- Posts: 1,829
- Joined: 14-September 05
- OS:none specified
-
Country:
Posted 18 December 2011 - 10:14 AM
jaclaz, on 18 December 2011 - 09:54 AM, said:
In fact I don't see a "\" (backslash) after "C:\Documents and Settings\Elkian\Local Settings\Temp" and before the ":", and AFAIK/AFAICR the ":" is not part of a path nor of a filename. (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)
(actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)Obviously, there MUST be a backslash in order to work. What is with this "alternate datastream" stuff - what led you to believe that's where/what it is/was?
Sheesh! Safe Mode + Yzöwl's command should do the trick AND removing the HKCU entry (as an afterthought). Then rerun the Antivirus scan.
edit - And you might note that the OP hasn't returned. Been a lot of that going on lately...
This post has been edited by submix8c: 18 December 2011 - 10:16 AM
#9
- Not really Newbie
-
- Group: Members
- Posts: 1,439
- Joined: 13-January 06
Posted 18 December 2011 - 10:20 AM
jaclaz, on 18 December 2011 - 09:54 AM, said:
the ":" is not part of a path nor of a filename. (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)
jaclaz
(actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)jaclaz
It is allowed and (even required) for alternate data streams and example of how how Microsoft use those.
Edit Reason: More detailled examples there.
This post has been edited by allen2: 18 December 2011 - 10:30 AM
#10
- Systems Annihilist
-
- Group: Members
- Posts: 1,829
- Joined: 14-September 05
- OS:none specified
-
Country:
Posted 18 December 2011 - 11:15 AM
Quote
The Windows NT Resource Kit documents the stream syntax as follows:
filename:stream
filename:stream
#11
- Adiuvat plus qui nihil obstat
-
- Group: Super Moderator
- Posts: 3,966
- Joined: 07-April 07
- OS:98SE
-
Country:
Posted 18 December 2011 - 11:23 AM
The unreferenced antivirus must be F-Prot, BitDefender or GData, judging by the detection string (one of the only pieces of information the OP offered)... 
Moreover, as submix8c most aptly pointed out:
So, I respectfully suggest you all move on to other matters and forget about this, unless (or until) the OP deigns to show up again and demonstrates he/she is at least reading this thread.
Moreover, as submix8c most aptly pointed out:
submix8c, on 18 December 2011 - 10:14 AM, said:
edit - And you might note that the OP hasn't returned. Been a lot of that going on lately...
So, I respectfully suggest you all move on to other matters and forget about this, unless (or until) the OP deigns to show up again and demonstrates he/she is at least reading this thread.
#12
- The Finder
-
- Group: Developers
- Posts: 9,111
- Joined: 23-July 04
- OS:none specified
-
Country:
Posted 18 December 2011 - 11:34 AM
submix8c, on 18 December 2011 - 11:15 AM, said:
Quote
The Windows NT Resource Kit documents the stream syntax as follows:
filename:stream
filename:stream
Yep
.Example:
C:\somefolder: <- means "a suffusion of yellow"
C:\somefolder\ <- means a path to a folder
C:\somefolder\filename.ext <- means a path to a file
C:\somefolder\filename.ext:mystream <- means a path to a stream named "mystream" attached to file filename.ext
To view (and delete) streams, you may want to use STREAMS
:http://technet.micro...ernals/bb897440
BUT also directories can have stream attached, i.e.:
C:\somefolder:myotherstream <- may mean a path to a stream named "myotherstream" attached to directory "somefolder", BUT it should be:
C:\somefolder\:myotherstream INSTEAD (with the backslash)
Only IF that is the case (C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe meaning a stream named "winupd.exe" attached to the directory "C:\Documents and Settings\Elkian\Local Settings\Temp") the DEL command won't have any effect (since you would need to delete the directory, with RD)
jaclaz
This post has been edited by jaclaz: 18 December 2011 - 11:38 AM
#13
- Wise Owl
-
- Group: Super Moderator
- Posts: 4,195
- Joined: 13-October 04
- OS:Windows 7 x64
Posted 19 December 2011 - 09:20 AM
Also bear in mind that the report said:not 1 infected directory.
Quote
Found 1 infected file!
- ← Computer and Network Forensics Forum ?
- Malware Prevention and Security
- A way to fix bad malware problems with Windows →
Share this topic:
Page 1 of 1