Odd virus-type activity

PvilleStang

So I'm working on a laptop, and I've run into an interesting problem. On the C: drive, when you try to open it, the virus has put an autorun script on it telling it to query the recycler for a long file name (randomly created, gibberish). I delete the autoexecute file, and it is regenerated. I've come to the conclusion it's c:\pagefile that is creating it (I believe it's a .sys, but can't be certain). The size of the file is 2096204 KB and accessed in the last 10 minutes. It's not only a hidden file, but a hidden system file, so I had to have Win show the hidden protected system files in order to find them. Included in the virus package seems to be C:\pagefile, c:\autorun, and the c:\recycler folder. Any ideas here?
 
I would take a look at all the start up scripts if you haven't already.. I might also suggest doing a boot scan.. Or a scan like TRK... I might also take a look into autorun, see if there is anything strange in it, also the pagefile...
 
Well, I ran Symantec, came up clean. I ran HijackThis, and came up with little more than a few rerouted DNS addresses and some spyware, nothing outside the ordinary. The startup scripts were clean, but when I looked in c:\recycler, I found what I assume to be the culprit, which was a program that was hidden as a protected system file, and deleted it. The autorun file stopped regenerating, and I haven't had as many issues. Oddly enough, though, the client said the computer froze when he sent a doc to the network printer, so there might be an issue with the print spooler now. Not sure if it's related, but it's worth noting.
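
Added example, not part of the original posts: a check for the pattern described in this thread, a drive-root autorun file whose launch command points into the recycler folder. It assumes the file follows the standard `autorun.inf` `[autorun]` layout; the sample content, SID and file name are constructed.

```python
import re

# Keys in the [autorun] section that name a program Windows will launch.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Recycle-bin directory names; legitimate installers do not launch from these.
BIN_DIRS = re.compile(r"(^|[\\/\s])(recycler|recycled|\$recycle\.bin)([\\/]|$)", re.I)

# Constructed sample, not taken from the laptop discussed in the thread.
SAMPLE = r"""
; junk comment lines are common in these files
[autorun]
open=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-500\qzxvkwpj.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-500\qzxvkwpj.exe
shell\explore\command=explorer.exe
"""

def parse_autorun(text):
    """Return [(key, value)] for launch entries in the [autorun] section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if EXEC_KEYS.match(key):
                entries.append((key.lower(), value))
    return entries

def suspicious_entries(text):
    """Launch entries whose command references a recycle-bin directory."""
    hits = []
    for key, value in parse_autorun(text):
        # The command may be quoted and carry arguments, so search all of it.
        if BIN_DIRS.search(value.replace('"', "")):
            hits.append((key, value))
    return hits

if __name__ == "__main__":
    for key, value in suspicious_entries(SAMPLE):
        print(f"suspicious {key} -> {value}")
```

To run it against a real drive, read the root `autorun.inf` with `errors="replace"` and pass the text to `suspicious_entries`; the file is usually hidden and marked as a system file, as noted in the thread.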
 
Personally, I hate Symantec products... I have never been satisfied with anything by them... I would suggest trying AVG, or Avast...
As for HiJackThis, it is a very outdated program, and only useful for Windows 2k and below... Otherwise, anything the reports show is more than easy to find... Plus it is not continually updated... For something that shows better summaries and provides a much better protection level I suggest trying Spyware Terminator..
As for the printing issue, if it is not a PICNIC error, then I doubt it is connected to the previous problem, though of course I could be wrong..
 
Start the computer in safe mode and then run virus checkers and antispyware. Some good ones are Avira Antivirus and Spybot Search and Destroy which you can download on my site www.mhare.com.au. Also run a repair using your Windows disc.
 
Spec - I took a look at the Hiren's boot disk... I am not satisfied enough to give it a try... I could do more with Knoppix than I could with that...
There were only two things I liked about it, the fact that it has support for partitioning (though in my opinion, if you can't use Fdisk, you really shouldn't be messing around with partitions), and Adaware SE (though outdated).
Any ext3 imaged disk could provide better support for the rest of the stuff..
 
Upgrading my parents' computer to XP Pro from Home (about three or four years ago) fixed the print spooler that had been made nonexistent.
 