On Windows Task Manager I'm seeing something keafu.exe. The Properties says something about AppData\Roaming\suwygygi . Sometimes I'll get a popup that says keafu has stopped working. When I do an internet search, there is zero results for keafu.exe . Interestingly, it says it was created and last accessed on March 5, 2014. At that time I was away for 2 weeks and my computer was turned off. Does anyone know what this is?
Sounds suspicious but, as you say, there isn't much information on the web. Probably something "extra" that's come included with another download. One has to be extra alert for "optional" extras when downloading anything these days. As a precaution I would run some free tools - see the last link in my signature below.
Under 3rd Party Tools run Malwarebytes Free and AdwCleaner for starters. Note to keep Malwarebytes actually free do NOT accept any free trial offer.
.Message was edited by: Ex_Brit on 11/06/14 7:32:48 EDT AM
Not too recently. I did download a program called Handbrake probably a month or so ago. I have scanned the computer with Malware Bytes, CCleaner, and just a little while ago with ADWCleaner as suggested by Ex_Brit and it's still showing up in Task Manager. Not sure if it's harmful or not.
It wouldn't do any harm for you to post a Hijackthis log on one of the forums listed in the last link in my signature below. Scroll down to that section. They would be better equipped to answer your question. May take time though.
Thanks all for your suggestions. I found Malwarebytes has a beta version of their Rootkit Removal Tool. I downloaded and ran that and that did remove keafu.exe plus 2 more I didn't know I had. The folders they were in are still there, but empty. I've decided not to mess with them. The McAfee Root Removal Tool would probably have worked also.
Answered, I know, but I was bothered by the fact that "keafu.exe" was a name apparently not seen anywhere else.
In fact there is one reference to it : in the 'Behavioural Information' section of a VirusTotal report. That report gives the malware names used by McAfee and Microsoft - "Generic Downloader.rv" and "Worm:Win32/Vobfus.II" respectively.
Microsoft confuse things a little by saying the McAfee name is "VBObfus.da".
Thanks Hayton, Maybe this isn't answered. I clicked on the microsoft link you provided and see this worm places this file on an infected computer.
c:\documents and settings\administrator\hoibep.exe . When I try to access this area of my computer I get an "Access Denied" popup. I'm attaching a screen shot of this part of my computer. Actually, I don't know if the attachment worked or not. I haven't used that feature before. I think there are some suspicious files at the top also that appear locked.
Thanks for any advice you can provide.
On Vista and above Documents and Settings is a hidden system folder and not accessible by default.
On those machines the equivalent would be c:\users\ ot c:\programdata\
The McAfee equivalent with removal instructions is here: http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1562352#none