natebo
Level 7
Message 11 of 14

RE: An old virus returns, need help

Not sure if this is a response you were expecting, but it would appear you are the victim of something trying to hack your system (from what I can see in the information). The McAfee information you are seeing is McAfee doing its job, but I don't think you are going to find many answers here as your problem is really outside of McAfee.

Some points that come to mind: do you have the guest account enabled for a reason? Computers in the DMZ can take a beating and need to be heavily locked down, and don't rely on the Windows Firewall to completely protect your system (in the DMZ).

Again, probably not the response you were looking for, but I don't think you're going to find the answers here you are seeking. This is more general network security related.

RE: An old virus returns, need help

I recognize this. This is the Stration virus! I had a workstation in my company infected by the same thing, kept replicating the msupdate.exe.

Make sure your virus scanner has the latest dat. You can also try getting the extra.dat from www.webimmune.net/extra/getextra.aspx and enter the following.

W32\Stration@MM
W32\Stration.dl
W32\Stration.dldr

If you are still having problems, what I did was use Process Explorer http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx and I found a weird process that didn't have a company name running in my Windows folder. Kill it, and send it to webimmune, and they will update you with a new extra.dat.

Edit: BTW, I found this on a 32-bit Windows. Not too sure what the 64-bit Windows will have. But I do know it's a Stration virus. Here are the logs in my ProtectionPilot:

11/01/2006 16:58:03 W32/Stration@MM (ED) _ Continued Scan C:\WINDOWS\system32\ipxwkbdp.exe
11/01/2006 16:46:08 W32/Stration@MM _ Deleted C:\WINDOWS\mssmtpn.exe
11/01/2006 16:46:03 W32/Stration@MM _ Deleted C:\WINDOWS\msupdate.exe

In my case, the weird file without the company name is ipxwkbdp.exe.

It is also wise to kill the internet connection on this computer, as this virus actually gets updates by visiting some websites and running code on them.
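The Process Explorer check described in the post above (a running process in the Windows folder whose file has no company name) can also be scripted. This is an added example, not part of the original post; it assumes PowerShell 4.0 or later, and the output property names are chosen here for illustration.

```powershell
# Added example: list running processes whose image lives under %WINDIR%
# and whose file carries no CompanyName in its version resource.
$winDir = $env:WINDIR.TrimEnd('\')

$suspects = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $proc = $_                      # keep the process object; $_ changes inside catch
        $path = $proc.ExecutablePath

        # Only consider images stored under the Windows folder.
        if (-not $path.StartsWith("$winDir\", [System.StringComparison]::OrdinalIgnoreCase)) { return }

        try {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        } catch {
            return                      # file disappeared or is unreadable; skip it
        }

        # Skip files that declare a company name in their version resource.
        if (-not [string]::IsNullOrWhiteSpace($info.CompanyName)) { return }

        # Collect what is needed to triage the file and submit a sample.
        [pscustomobject]@{
            ProcessId = $proc.ProcessId
            Name      = $proc.Name
            Path      = $path
            Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Created   = (Get-Item -LiteralPath $path).CreationTime
        }
    }

# One row per file, even if several processes run from the same image.
$suspects | Sort-Object Path -Unique | Format-List
```

A missing company name is a lead rather than proof: the version resource is set by whoever built the file, so review the signature status and creation time of each hit before acting on it.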

viruses often hide themselves

This is what makes me thankful I have more than one working PC. I'm using Windows XP Professional with Service Pack 2. I also use Windows XP Home Edition in my home with Service Pack 3. Plus I have three firewalls.

The first of the two I mentioned with XP Professional runs just fine at boot up and as long as I stay off the internet. Once I connect to the internet, that's when troubles just get started.

The hard drive goes into a state of being constantly busy with the hard drive light always blinking. The virus or whatever it is uses up so much CPU power on the computer, I just have to pull the plug to get it to shut, because it won't shut down. It's like my computer is being hijacked.

For security I always have task manager open when I'm using my computer, so I can keep an eye on processes. This allows me to immediately shut a process down when I see hot spots.

I have McAfee on all my PCs. My Windows XP Professional computer is the only PC I've ever had problems with. I'm obviously going to have to have the system professionally cleaned before it can go online again.

I think that McAfee has a vulnerability to the Stration virus. You're OK until the Stration virus finds you, then you're in trouble. Perhaps McAfee has a patch you can download to solve this problem.

If this doesn't help you may have to put your firewall in lockdown mode or even have your PC professionally cleaned.

Hope this is of some help.
tonyb99
Level 13
Message 14 of 14

RE: viruses often hide themselves

oldmonument, the original post was in 2006; it's now 2009. I doubt anyone has issues dealing with Stration; it's pretty straightforward to clean most systems if you can isolate the virus strains and it's still bootable.

If you are having issues with Stration, why don't you make a post in the virus discussion and removal thread http://community.mcafee.com/forumdisplay.php?f=159 like your other posts there?

(this obsolete thread is in the corporate admins area)

Locking thread - MOD