Unknown exe(s)

[Guest]

[efsane]

Hello all

I have realized this alert on EVERY system startup. The icon is same. But name of exe "changes".







Comodo shows full path of folder. I go there, nothing appears about this exe.

After i block itS internet connection, it can't connect to internet.




Anyone has idea about this?

[aXes]

Hi efsane and welcome to the forum!

I think you have metamorphic virus(es). But the interesting one is you have Avast AV.

Did you scan all of your computer? If so, there is a fact that Melih was announced: Era of detection is dead!

I suggest you try another AV scanners. Fortunately you have CFP and at least you can stop viruses.

aXes

[N.T.T.W.]

Might be worth setting Avast to do a boot time scan.

Also might be worth setting a global rule preventing traffic to or from 85.197.99.143.


 

[Ragwing]

This sounds like something really bad. Try doing a boot-time scan, as suggested by N.T.T.W. If it doesn't work, try some other AV's.
If it's still there, return with your results here.

Cheers,
Ragwing

[AnotherOne]

Two points.  First, the fact that you can't find the file by checking the path shown means either the file is stealthed (suggesting a rootkit) or it is extracted to RAM and the path is only a virtual path.  Try a rootkit scan if nothing shows up with AV scans.  I believe that Avira's Antivir had one of the best detection rates of the free AV scanners.

Second, you can try tracking down the source of the file by right-clicking it on the Active Processes window.  There is an option to Terminate and Quarantine the file.  This may cause another file to reveal itself when it tries to check up on the quarantined file.  I've never tried this, but I assume that an alert will pop up when a quarantined file access is attempted.  On that pop-up, you will also have the option to quarantine the new file.  You may have to do this for a few files.  This may not work if the first file is virtual.  It depends on how the presence of the first file is checked up on.

[SS26]

You may also download DrWeb CureIT scanner, switch off internet connection (best thing is to unplug your modem).
Then boot in safe mode and run CureIT. It is a single executable wich doesn't need to be installed, but it is almost equal to standard DrWeb package capability.

[Ragwing]

If it's a rootkit, then RootkitRevealer or IceSword should be good enough.

[AnotherOne]

Rootkit Revealer does not have any removal tools and I am not sure that Ice Sword does either (couldn't get it to work on my system for some reason).  Another highly regarded rootkit tool is Panda Antirootkit:
http://research.pandasecurity.com/archive/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx
Download from the above page.  It has removal tools and is supposed to be easy to use.  Another simple test for rootkit presence is System Virginity Verifier at www.invisiblethings.org

[Tags:]