Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account



I have a computer virus, but can't actually find it. How do I dele

- - - - -

  • Please log in to reply
12 replies to this topic

#1
Guest_terenkleon_*

Guest_terenkleon_*
  • Guests
  • Joined --
The report said this:

C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe - hidden file!


Found 1 infected file!
----------------------

C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe --> Gen:Trojan.Heur2.LVP.iGW@aCqiX1h
--> HKCU\Software\Microsoft\Windows\CurrentV…

However, once I get past the 'Temp' part of "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" I'm at a loss, and copy-pasting the line doesn't work. Help?


How to remove advertisement from MSFN

#2
allen2

allen2

    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,812 posts
  • Joined 13-January 06
The trojan seem to be stored in an alternate datastream.
Try safe mode and command prompt and
del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"
If it doesn't work, you might need to use gmer or rootkit revealer.

#3
Yzöwl

Yzöwl

    Wise Owl

  • Super Moderator
  • 4,537 posts
  • Joined 13-October 04
  • OS:Windows 7 x64
  • Country: Country Flag

Donator

Rather:
DEL/A/F "%TEMP%\WINUPD.EXE"


#4
allen2

allen2

    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,812 posts
  • Joined 13-January 06

Rather:

DEL/A/F "%TEMP%\WINUPD.EXE"

How would this delete an alternate datastream ?
To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.

#5
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,472 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.

Try running DEL /?.
You will notice how:
DEL [/P] [/F] [/S] [/Q] [/A[[:]attributes]] names
the red part is inside square brackets.
Would this mean anything? :unsure:

jaclaz

#6
allen2

allen2

    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,812 posts
  • Joined 13-January 06


To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.

Try running DEL /?.
You will notice how:
DEL [/P] [/F] [/S] [/Q] [/A[[:]attributes]] names
the red part is inside square brackets.
Would this mean anything? :unsure:

jaclaz

That doesn't answer anything about why the "del" command would delete the file "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" with "DEL/A/F "%TEMP%\WINUPD.EXE"" more efficiently than doing "del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"". In fact i don't even see how it would delete it because there are no ":" before the trojan filename.

Edited by allen2, 18 December 2011 - 07:58 AM.


#7
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,472 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

That doesn't answer anything about why the "del" command would delete the file "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" with "DEL/A/F "%TEMP%\WINUPD.EXE"" more efficiently than doing "del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"".

Sure it does not :).
It was in fact, and as clearly stated, related to this:

To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.

and nothing else.

If you want to know whether the line Yzöwl posted is "more efficient" than the one you suggested, you may ask so. (but that would be ANOTHER question).

In fact i don't even see how it would delete it because there are no ":" before the trojan filename.

In fact I don't see a "\" (backslash) after "C:\Documents and Settings\Elkian\Local Settings\Temp" and before the ":", and AFAIK/AFAICR the ":" is not part of a path nor of a filename. :unsure: (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)

jaclaz

#8
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,289 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag

In fact I don't see a "\" (backslash) after "C:\Documents and Settings\Elkian\Local Settings\Temp" and before the ":", and AFAIK/AFAICR the ":" is not part of a path nor of a filename. :unsure: (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)

BitDefender AFAICT. It's simply the format of the output saying "You have a file in your TEMP folder and its name is: abcdefg.xxx".

Obviously, there MUST be a backslash in order to work. What is with this "alternate datastream" stuff - what led you to believe that's where/what it is/was?

Sheesh! Safe Mode + Yzöwl's command should do the trick AND removing the HKCU entry (as an afterthought). Then rerun the Antivirus scan.

edit - And you might note that the OP hasn't returned. Been a lot of that going on lately...

Edited by submix8c, 18 December 2011 - 10:16 AM.

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image


#9
allen2

allen2

    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,812 posts
  • Joined 13-January 06

the ":" is not part of a path nor of a filename. :unsure: (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)

jaclaz

It is allowed and (even required) for alternate data streams and example of how how Microsoft use those.
Edit Reason: More detailled examples there.

Edited by allen2, 18 December 2011 - 10:30 AM.


#10
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,289 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag

The Windows NT Resource Kit documents the stream syntax as follows:
filename:stream

Filename NOT FolderName...

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image


#11
dencorso

dencorso

    Adiuvat plus qui nihil obstat

  • Supervisor
  • 5,887 posts
  • Joined 07-April 07
  • OS:98SE
  • Country: Country Flag

Donator

The unreferenced antivirus must be F-Prot, BitDefender or GData, judging by the detection string (one of the only pieces of information the OP offered)... :whistle:

Moreover, as submix8c most aptly pointed out:

edit - And you might note that the OP hasn't returned. Been a lot of that going on lately...

So, I respectfully suggest you all move on to other matters and forget about this, unless (or until) the OP deigns to show up again and demonstrates he/she is at least reading this thread. :)

#12
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,472 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

The Windows NT Resource Kit documents the stream syntax as follows:
filename:stream

Filename NOT FolderName...

Yep :).
Example:
C:\somefolder: <- means "a suffusion of yellow"
C:\somefolder\ <- means a path to a folder
C:\somefolder\filename.ext <- means a path to a file
C:\somefolder\filename.ext:mystream <- means a path to a stream named "mystream" attached to file filename.ext

To view (and delete) streams, you may want to use STREAMS ;) :
http://technet.micro...ernals/bb897440

BUT also directories can have stream attached, i.e.:
C:\somefolder:myotherstream <- may mean a path to a stream named "myotherstream" attached to directory "somefolder", BUT it should be:
C:\somefolder\:myotherstream INSTEAD (with the backslash)

Only IF that is the case (C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe meaning a stream named "winupd.exe" attached to the directory "C:\Documents and Settings\Elkian\Local Settings\Temp") the DEL command won't have any effect (since you would need to delete the directory, with RD)

jaclaz

Edited by jaclaz, 18 December 2011 - 11:38 AM.


#13
Yzöwl

Yzöwl

    Wise Owl

  • Super Moderator
  • 4,537 posts
  • Joined 13-October 04
  • OS:Windows 7 x64
  • Country: Country Flag

Donator

Also bear in mind that the report said:

Found 1 infected file!

not 1 infected directory.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users