Guest terenkleon Posted December 17, 2011 Share Posted December 17, 2011 The report said this:C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe - hidden file!Found 1 infected file!----------------------C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe --> Gen:Trojan.Heur2.LVP.iGW@aCqiX1h--> HKCU\Software\Microsoft\Windows\CurrentV…However, once I get past the 'Temp' part of "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" I'm at a loss, and copy-pasting the line doesn't work. Help? Link to comment Share on other sites More sharing options...
allen2 Posted December 17, 2011 Share Posted December 17, 2011 The trojan seem to be stored in an alternate datastream.Try safe mode and command prompt anddel /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"If it doesn't work, you might need to use gmer or rootkit revealer. Link to comment Share on other sites More sharing options...
Yzöwl Posted December 17, 2011 Share Posted December 17, 2011 Rather:DEL/A/F "%TEMP%\WINUPD.EXE" Link to comment Share on other sites More sharing options...
allen2 Posted December 17, 2011 Share Posted December 17, 2011 Rather:DEL/A/F "%TEMP%\WINUPD.EXE"How would this delete an alternate datastream ?To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work. Link to comment Share on other sites More sharing options...
jaclaz Posted December 18, 2011 Share Posted December 18, 2011 To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.Try running DEL /?.You will notice how:DEL [/P] [/F] [/Q] [/A[[:]attributes]] namesthe red part is inside square brackets.Would this mean anything? jaclaz Link to comment Share on other sites More sharing options...
allen2 Posted December 18, 2011 Share Posted December 18, 2011 (edited) To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.Try running DEL /?.You will notice how:DEL [/P] [/F] [/Q] [/A[[:]attributes]] namesthe red part is inside square brackets.Would this mean anything? jaclazThat doesn't answer anything about why the "del" command would delete the file "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" with "DEL/A/F "%TEMP%\WINUPD.EXE"" more efficiently than doing "del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"". In fact i don't even see how it would delete it because there are no ":" before the trojan filename. Edited December 18, 2011 by allen2 Link to comment Share on other sites More sharing options...
jaclaz Posted December 18, 2011 Share Posted December 18, 2011 That doesn't answer anything about why the "del" command would delete the file "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe" with "DEL/A/F "%TEMP%\WINUPD.EXE"" more efficiently than doing "del /q /f "C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe"". Sure it does not .It was in fact, and as clearly stated, related to this:To my knowledge "/A" is to delete files based on their attribute and needs an attributes like S as in this example "/A:S" to work.and nothing else.If you want to know whether the line Yzöwl posted is "more efficient" than the one you suggested, you may ask so. (but that would be ANOTHER question).In fact i don't even see how it would delete it because there are no ":" before the trojan filename.In fact I don't see a "\" (backslash) after "C:\Documents and Settings\Elkian\Local Settings\Temp" and before the ":", and AFAIK/AFAICR the ":" is not part of a path nor of a filename. (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)jaclaz Link to comment Share on other sites More sharing options...
submix8c Posted December 18, 2011 Share Posted December 18, 2011 (edited) In fact I don't see a "\" (backslash) after "C:\Documents and Settings\Elkian\Local Settings\Temp" and before the ":", and AFAIK/AFAICR the ":" is not part of a path nor of a filename. (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)BitDefender AFAICT. It's simply the format of the output saying "You have a file in your TEMP folder and its name is: abcdefg.xxx".Obviously, there MUST be a backslash in order to work. What is with this "alternate datastream" stuff - what led you to believe that's where/what it is/was?Sheesh! Safe Mode + Yzöwl's command should do the trick AND removing the HKCU entry (as an afterthought). Then rerun the Antivirus scan.edit - And you might note that the OP hasn't returned. Been a lot of that going on lately... Edited December 18, 2011 by submix8c Link to comment Share on other sites More sharing options...
allen2 Posted December 18, 2011 Share Posted December 18, 2011 (edited) the ":" is not part of a path nor of a filename. (actually colon is not an accepted character in *any* file/directory name under Windows, so it probably comes from the output of the unreferenced antivirus)jaclazIt is allowed and (even required) for alternate data streams and example of how how Microsoft use those.Edit Reason: More detailled examples there. Edited December 18, 2011 by allen2 Link to comment Share on other sites More sharing options...
submix8c Posted December 18, 2011 Share Posted December 18, 2011 The Windows NT Resource Kit documents the stream syntax as follows:filename:streamFilename NOT FolderName... Link to comment Share on other sites More sharing options...
dencorso Posted December 18, 2011 Share Posted December 18, 2011 The unreferenced antivirus must be F-Prot, BitDefender or GData, judging by the detection string (one of the only pieces of information the OP offered)... Moreover, as submix8c most aptly pointed out:edit - And you might note that the OP hasn't returned. Been a lot of that going on lately...So, I respectfully suggest you all move on to other matters and forget about this, unless (or until) the OP deigns to show up again and demonstrates he/she is at least reading this thread. Link to comment Share on other sites More sharing options...
jaclaz Posted December 18, 2011 Share Posted December 18, 2011 (edited) The Windows NT Resource Kit documents the stream syntax as follows:filename:streamFilename NOT FolderName...Yep .Example:C:\somefolder: <- means "a suffusion of yellow"C:\somefolder\ <- means a path to a folderC:\somefolder\filename.ext <- means a path to a fileC:\somefolder\filename.ext:mystream <- means a path to a stream named "mystream" attached to file filename.extTo view (and delete) streams, you may want to use STREAMS :http://technet.microsoft.com/en-us/sysinternals/bb897440BUT also directories can have stream attached, i.e.:C:\somefolder:myotherstream <- may mean a path to a stream named "myotherstream" attached to directory "somefolder", BUT it should be:C:\somefolder\:myotherstream INSTEAD (with the backslash)Only IF that is the case (C:\Documents and Settings\Elkian\Local Settings\Temp:winupd.exe meaning a stream named "winupd.exe" attached to the directory "C:\Documents and Settings\Elkian\Local Settings\Temp") the DEL command won't have any effect (since you would need to delete the directory, with RD)jaclaz Edited December 18, 2011 by jaclaz Link to comment Share on other sites More sharing options...
Yzöwl Posted December 19, 2011 Share Posted December 19, 2011 Also bear in mind that the report said:Found 1 infected file!not 1 infected directory. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now