----- Original Message -----
From: "Lee Sharp" <leesharp at hal dash pc dot org>
> Aware, and Rootkit Revealer all show nothing. Scanning under safe mode
> still shows nothing. In desperation I scanned (With an older virus list)
> with UBCD 4 Win, and still nothing. I have already lost money on this
> job, but I want to KNOW what is doing this... Any thoughts?
www.sysinternals.com has two tools named Process Explorer and Filemon.
They can show what processes do what to which files. Copy in a bunch of
jpgs, observe which process deletes them, find the executable with Process
Explorer, then use PE to kill it. And remember to keep a copy of it (the
nastyware) for later analysis.
Don't be too surprised if it's antivirus (sigh). Some of the less
intelligent ones sometimes are a little too 'smart'. Like deleting all
zipfiles with certain names, or deleting gifs with a certain size, or
'protecting' the machine against a JPG decoder bug.
/Kasper
(There's only one o in lose)