hoping someone can help me here. Am getting a constant Generic VB.z trojan alert from McAfee which deletes a tmp file creation process onto the temp folder. I have updated to the latest DAT's and also am using Artemis high Alert level to scan through my laptop. Does not find anything. Also, McAfee does not detect any file creation onto the temp folder till I am connected to the internet. I dont normally use IE, but as soon as I do, I end up getting popups. I have run SuperAntispyware, Malwarebytes and numerous scans of McAfee as well, and none are able to pick this up. I also referred to the following information on McAfee on this http://vil.nai.com/vil/content/v_171235.htm for which I already have the latest DAT''s but unfortunately, still no luck. Also, this is a svchost generated file. I have gone through process explorer as well and looked through every svchost program. Did not find any unusual dll's or exe files in there. Any help would be greatly appreciated.
Do let me know.
Two things come to mind:
1. The svchost you mention, isn't the "real" svchost, and is simply undetected malware dropping files.
2. Svchost is the proper file expected on the system, but something is injected into it, causing it to misbehave.
You mentioned procexp, which is good if you know quite a bit about what you are looking for. However, if the details are foggy, I would use "GMER" (GMER.net). You can launch the .exe and it will do a quick scan right up front, and then you can hit the "scan" button on the right, to scan the entire system. Once that is complete, you can save the log down to the system.
If you like, you can post that log up here, and we can see if there is anything obvious.
thanks for your reply. I have attached the log generated by GMER. There was a warning stating that there was a change on ROOTKIT processes. Please let me know if there is something you notice.
So it points to "Disk - \Device\Harddisk0\DR0 - sector 00: rootkit-like behavior; - <-- ROOTKIT !!!"
MBR infectors are somewhat rare, but they certainly do still exist. Hard to say if this is the real culprit, or perhaps a "false detection" of GMER, against a legitimate change to your MBR (master boot record)
I would probably use the tool below, to capture your MBR, and then submit it to McAfee labs. (probably should open up a service request with us as well)
Thanks for the info guys. Not sure what else to do. I have escalated to our local IT guys in my company to log ticket with McAfee as they are also not able to figure this out. Please do let me know if there is anything else I can do.
The author of GMER has created a tool that you can run that may remove this problem. This is a command line utility for 32-bit Windows 2000 and later.
Use MBR -t at the command prompt to check for the rootkit, MBR -f to fix it if it is detected.
I also have made a Boot CD you can create to scan and clean your computer from known infections that can be detected by the AV or allows for manual removal.