Sign in to follow this  
Followers 0
Guest terenkleon

I have a computer virus, but can't actually find it. How do I dele

13 posts in this topic

The report said this:

C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe - hidden file!

Found 1 infected file!

----------------------

C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe --> Gen:Trojan.Heur2.LVP.iGW@aCqiX1h

--> HKCU\Software\Microsoft\Windows\CurrentV…

However, once I get past the 'Temp' part of "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" I'm at a loss, and copy-pasting the line doesn't work. Help?

0

Share this post


Link to post
Share on other sites

The trojan seem to be stored in an alternate datastream.

Try safe mode and command prompt and

del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"

If it doesn't work, you might need to use gmer or rootkit revealer.

0

Share this post


Link to post
Share on other sites

Rather:

DEL/A/F "%TEMP%\WINUPD.EXE"

0

Share this post


Link to post
Share on other sites

Rather:

DEL/A/F "%TEMP%\WINUPD.EXE"

How would this delete an alternate datastream ?

To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.

0

Share this post


Link to post
Share on other sites

To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.

Try running DEL /?.

You will notice how:

DEL [/P] [/F] [/Q] [/A[[:]attributes]] names

the red part is inside square brackets.

Would this mean anything? :unsure:

jaclaz

0

Share this post


Link to post
Share on other sites

To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.

Try running DEL /?.

You will notice how:

DEL [/P] [/F] [/Q] [/A[[:]attributes]] names

the red part is inside square brackets.

Would this mean anything? :unsure:

jaclaz

That doesn't answer anything about why the "del" command would delete the file "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" with "DEL/A/F "%TEMP%\WINUPD.EXE"" more efficiently than doing "del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"". In fact i don't even see how it would delete it because there are no ":" before the trojan filename.

Edited by allen2
0

Share this post


Link to post
Share on other sites

That doesn't answer anything about why the "del" command would delete the file "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" with "DEL/A/F "%TEMP%\WINUPD.EXE"" more efficiently than doing "del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"".

Sure it does not :).

It was in fact, and as clearly stated, related to this:

To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.

and nothing else.

If you want to know whether the line Yzöwl posted is "more efficient" than the one you suggested, you may ask so. (but that would be ANOTHER question).

In fact i don't even see how it would delete it because there are no ":" before the trojan filename.

In fact I don't see a "\" (backslash) after "C:\Documents and Settings\Elkian\Local Settings\Temp" and before the ":", and AFAIK/AFAICR the ":" is not part of a path nor of a filename. :unsure: (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)

jaclaz

0

Share this post


Link to post
Share on other sites

In fact I don't see a "\" (backslash) after "C:\Documents and Settings\Elkian\Local Settings\Temp" and before the ":", and AFAIK/AFAICR the ":" is not part of a path nor of a filename. :unsure: (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)

BitDefender AFAICT. It's simply the format of the output saying "You have a file in your TEMP folder and its name is: abcdefg.xxx".

Obviously, there MUST be a backslash in order to work. What is with this "alternate datastream" stuff - what led you to believe that's where/what it is/was?

Sheesh! Safe Mode + Yzöwl's command should do the trick AND removing the HKCU entry (as an afterthought). Then rerun the Antivirus scan.

edit - And you might note that the OP hasn't returned. Been a lot of that going on lately...

Edited by submix8c
0

Share this post


Link to post
Share on other sites

the ":" is not part of a path nor of a filename. :unsure: (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)

jaclaz

It is allowed and (even required) for alternate data streams and example of how how Microsoft use those.

Edit Reason: More detailled examples there.

Edited by allen2
0

Share this post


Link to post
Share on other sites
The Windows NT Resource Kit documents the stream syntax as follows:

filename:stream

Filename NOT FolderName...
0

Share this post


Link to post
Share on other sites

The unreferenced antivirus must be F-Prot, BitDefender or GData, judging by the detection string (one of the only pieces of information the OP offered)... :whistle:

Moreover, as submix8c most aptly pointed out:

edit - And you might note that the OP hasn't returned. Been a lot of that going on lately...

So, I respectfully suggest you all move on to other matters and forget about this, unless (or until) the OP deigns to show up again and demonstrates he/she is at least reading this thread. :)

0

Share this post


Link to post
Share on other sites
The Windows NT Resource Kit documents the stream syntax as follows:

filename:stream

Filename NOT FolderName...

Yep :).

Example:

C:\somefolder: <- means "a suffusion of yellow"

C:\somefolder\ <- means a path to a folder

C:\somefolder\filename.ext <- means a path to a file

C:\somefolder\filename.ext:mystream <- means a path to a stream named "mystream" attached to file filename.ext

To view (and delete) streams, you may want to use STREAMS ;) :

http://technet.microsoft.com/en-us/sysinternals/bb897440

BUT also directories can have stream attached, i.e.:

C:\somefolder:myotherstream <- may mean a path to a stream named "myotherstream" attached to directory "somefolder", BUT it should be:

C:\somefolder\:myotherstream INSTEAD (with the backslash)

Only IF that is the case (C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe meaning a stream named "winupd.exe" attached to the directory "C:\Documents and Settings\Elkian\Local Settings\Temp") the DEL command won't have any effect (since you would need to delete the directory, with RD)

jaclaz

Edited by jaclaz
0

Share this post


Link to post
Share on other sites

Also bear in mind that the report said:

Found 1 infected file!
not 1 infected directory.
0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.