Virus Evades Panda & Kaspersky
It looks like I've got a pesky infection on my hands that I can't get to go away.
Yesterday I was checking one of our client's servers, and found that its memory was getting eaten up by many, many multiple update.exe processes that were running in the background. A google search quickly revealed this:
Quote:
Process File: update or update.exe
Process Name: Downloader.W32.Gen
Description:
update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer. It is a registered security risk and should be removed immediately.
Note: update.exe is also a process belonging to the BargainBuddy advertising program by eXact Advertising LLC. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.
So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kaspersky online scan to run. Interestingly enough, Kaspersky found 4 infected files that Panda never caught; however, even after removing those, I still have tons of update.exe processes running.
You can kill the processes, but they immediately crank right back up.
So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.
So what should I do now? Before someone says "scan in safe mode", please note that's a last resort (though life would be a lot easier if I could). I work on these client machines remotely through RDC, so if I rebooted into safe mode, I'd lose access to the machine. If push comes to shove, we can send someone out there to do it in person, but that's a last resort.
What's funny is the client still has no clue they're infected. I just happened upon it while checking up on the server. That being the case, I hope I can get it cleaned out before they discover they have been infected -- just makes us look that much better when we fix problems before they know they have them!
Re: Virus Evades Panda & Kaspersky
Quote:
So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kaspersky online scan to run. Interestingly enough, Kaspersky found 4 infected files that Panda never caught; however, even after removing those, I still have tons of update.exe processes running.
You can kill the processes, but they immediately crank right back up.
So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.
Going back to the original post, it really isn't that unusual for one AV scanner to miss an infection while another picks right up on it. I have had McAfee blow right past a number of infections that Norton's AV has caught. Or both have missed them and Housecall has gotten them. McAfee did surprise me in completely missing an older, well-known infection.
Case in point for tightening up access to that server and locking it down a bit.