 
 From:  Mark Schoonover <schoon at amgt dot com>
 To:  'Kasper Pedersen' <m0n0list dash kkp2 at kasperkp dot dk>, m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] OT Strange Virus?
 Date:  Wed, 2 Aug 2006 09:03:42 -0700
Kasper Pedersen wrote:
> ----- Original Message -----
> From: "Lee Sharp" <leesharp at hal dash pc dot org>
>> Aware, and Rootkit Revealer all show nothing.  Scanning under safe
>> mode still shows nothing.  In desperation I scanned (With an older
>> virus list) with UBCD 4 Win, and still nothing.  I have already lost
>> money on this job, but I want to KNOW what is doing this...  Any
>> thoughts? 
> 
> www.sysinternals.com has two tools named Process Explorer and Filemon.
> They can show what processes do what to which files. Copy in a bunch
> of jpgs, observe which process deletes them, find the executable with
> process explorer, then use PE to kill it. And remember to keep a copy
> of it (the nastyware) for later analysis.
> 
> Don't be too surprised if it's antivirus (sigh). Some of the less
> intelligent ones sometimes are a little too 'smart'. Like deleting all
> zipfiles with certain names, or deleting gifs with a certain size, or
> 'protecting' the machine against a JPG decoder bug.
> 
> /Kasper
> (There's only one o in lose)

Speaking of Sysinternals, if you want their cool freeware, you'd better
download it soon. They've been purchased by Microsoft, so who knows how long
these nifty pieces of software will remain.

Mark
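The bait-file procedure Kasper describes (plant JPGs, watch which process deletes them) can be done without the Filemon GUI by letting the NTFS audit log record the deleter. The script below is an added example and is not part of the thread or of the Sysinternals tools; it assumes an elevated PowerShell session, that the "Audit File System" policy can be enabled with auditpol, and a hypothetical bait directory C:\bait. It plants bait files, puts a Delete audit entry in the directory's SACL, and then reads Security event 4663 records to list the image path of every process that requested DELETE access on a bait file.

```powershell
# Added example, not from the original thread. Records which process deletes
# planted .jpg bait files using Windows file-system auditing (Security 4663).
# Assumptions: run as Administrator; the bait path C:\bait is hypothetical.

$Bait = 'C:\bait'

function New-BaitFiles {
    param([string]$Path = $Bait, [int]$Count = 5)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Constructed minimal JFIF header so a content-sniffing deleter sees a JPEG.
    $jpegHeader = [byte[]](0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00)
    1..$Count | ForEach-Object {
        $file = Join-Path $Path ("bait{0:D2}.jpg" -f $_)
        [System.IO.File]::WriteAllBytes($file, $jpegHeader + (New-Object byte[] 4096))
    }
}

function Enable-DeleteAudit {
    param([string]$Path = $Bait)
    # Turn on success auditing for the "File System" subcategory (needed for 4663).
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    # SACL entry: audit any principal that deletes something under $Path.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-BaitDeleters {
    param([string]$Path = $Bait, [datetime]$Since = (Get-Date).AddHours(-1))
    # 4663 = "An attempt was made to access an object". Each record carries the
    # object name, the requested access mask and the requesting process image.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Object     = $d['ObjectName']
                AccessMask = [int]$d['AccessMask']   # hex string such as 0x10000
                Process    = $d['ProcessName']
                ProcessId  = [int]$d['ProcessId']    # hex string such as 0x1a4
                User       = $d['SubjectUserName']
            }
        } |
        # 0x10000 is the DELETE bit of the access mask; keep only bait-file hits.
        Where-Object { $_.Object -like "$Path\*" -and ($_.AccessMask -band 0x10000) }
}

New-BaitFiles
Enable-DeleteAudit
# Wait for the bait to disappear, then list who asked to delete it:
Get-BaitDeleters | Sort-Object Time | Format-Table Time, Process, ProcessId, User, Object -AutoSize
```

The Process column is the full image path, which is what you then open in Process Explorer to inspect and kill, and to copy aside for later analysis. If it turns out to be the antivirus engine, as Kasper warns, that shows up here just as plainly as real malware would.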