-
July 24th, 2004, 02:57 AM
#1
Member
rimix.exe no info on this virus, so here's what I got
Good evening folks.
Here's my situation:
Win 2k with all updates
Spybot S&D updated and ran
Ad-aware updated and ran
Symantec AV Corp updated and ran
All reg keys associated with rimix.exe deleted (along with any other keys associated with the files listed below).
Trend Housecall ran (just in case)
Here's whats left:
Periodically I will have rimix.exe as one of my processes. If not caught, it will spawn a whole bunch of other processes (trust.exe, final.exe, update.exe, and a whole bunch of net.exe and cmd.exe). These will of course take up a huge amount of resources.
Upon investigation of the file system, I find a folder in my C:/WINNT/SYSTEM32/ called DRIVER/VGA. Now that's driver, not to be confused with drivers. Contained in this folder are the files that are causing the problems.
app.exe
autoexe
config.sys
exprins.sys
ip.sys
rimix.exe
setting.sys
surce.exe
tool.sys
trust.exe
update.exe
winsows.sys
Now these files can be deleted, but will pop back in within a few minutes' time. Also none of the malware scanners will pick these files or processes up (even while the processes are actively running). Symantec and Trend Housecall will not pick them up. Now I know that surce is a known virus type, which Symantec will pick up but cannot delete.
So what do you all think? I'm pretty sure I've hit my limit. I have done a search here, sarc, trend, mcafee, and google, for rimix.exe or any of the others with no results.
Thanks in advance folks. Any help is appreciated.
Tachyon
|-----|Alcohol is my anti-drug |-----|
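Added example, not code from this thread or from any of the posters: a small Python triage script over a constructed process snapshot that mimics what the post describes (rimix.exe running out of C:\WINNT\system32\driver\vga and fanning out into trust.exe, update.exe, final.exe and a pile of cmd.exe / net.exe). The PIDs, the field names, the helper names and the fan-out threshold are all assumptions. It does two things a practitioner wants here: it finds the top-most process whose image lives in the odd "driver\vga" directory and walks its whole child tree, and it emits a parent-before-children kill order, because killing the children first just lets the parent respawn them.

```python
"""Triage a process tree rooted in a suspicious directory.

Constructed example: the snapshot below is invented to match the
behaviour described in the post (not real data from the poster's box).
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directory from the post. Note 'driver', not the legitimate 'drivers'.
SUSPECT_DIR = PureWindowsPath(r"C:\WINNT\system32\driver\vga")
# Built-in tools the bot children were observed using.
CHILD_TOOLS = {"cmd.exe", "net.exe"}
# Assumption: this many cmd/net descendants under one parent is abnormal.
FANOUT_THRESHOLD = 5


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str  # full image path


# Constructed snapshot; PIDs are invented. PID 900 is a benign cmd.exe
# started by the logged-in user from explorer, to show it is not flagged.
SAMPLE_PROCS = [
    Proc(4, 0, "System", r"C:\WINNT\system32\ntoskrnl.exe"),
    Proc(600, 4, "winlogon.exe", r"C:\WINNT\system32\winlogon.exe"),
    Proc(800, 600, "explorer.exe", r"C:\WINNT\explorer.exe"),
    Proc(900, 800, "cmd.exe", r"C:\WINNT\system32\cmd.exe"),
    Proc(1200, 800, "rimix.exe", r"C:\WINNT\system32\driver\vga\rimix.exe"),
    Proc(1210, 1200, "trust.exe", r"C:\WINNT\system32\driver\vga\trust.exe"),
    Proc(1220, 1200, "update.exe", r"C:\WINNT\system32\driver\vga\update.exe"),
    Proc(1230, 1220, "final.exe", r"C:\WINNT\system32\driver\vga\final.exe"),
    Proc(1300, 1210, "cmd.exe", r"C:\WINNT\system32\cmd.exe"),
    Proc(1301, 1300, "net.exe", r"C:\WINNT\system32\net.exe"),
    Proc(1302, 1300, "net.exe", r"C:\WINNT\system32\net.exe"),
    Proc(1303, 1210, "cmd.exe", r"C:\WINNT\system32\cmd.exe"),
    Proc(1304, 1303, "net.exe", r"C:\WINNT\system32\net.exe"),
    Proc(1305, 1303, "net.exe", r"C:\WINNT\system32\net.exe"),
    Proc(1306, 1303, "net.exe", r"C:\WINNT\system32\net.exe"),
]


def in_suspect_dir(p: Proc) -> bool:
    """Exact directory match; PureWindowsPath compares case-insensitively."""
    return PureWindowsPath(p.path).parent == SUSPECT_DIR


def children_index(procs):
    kids = defaultdict(list)
    for p in procs:
        kids[p.ppid].append(p)
    return kids


def descendants(root_pid, kids):
    """All descendants of root_pid, each parent listed before its children."""
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for c in kids.get(pid, []):
            out.append(c)
            stack.append(c.pid)
    return out


def suspicious_roots(procs):
    """Top-most processes whose image lives in SUSPECT_DIR."""
    by_pid = {p.pid: p for p in procs}
    roots = []
    for p in procs:
        if not in_suspect_dir(p):
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or not in_suspect_dir(parent):
            roots.append(p)
    return roots


def analyse(procs):
    """Report per suspicious root: tree size, cmd/net fan-out, kill order."""
    kids = children_index(procs)
    report = {}
    for root in suspicious_roots(procs):
        desc = descendants(root.pid, kids)
        tools = [d for d in desc if d.name.lower() in CHILD_TOOLS]
        report[root.pid] = {
            "root": root.name,
            "descendants": len(desc),
            "tool_children": len(tools),
            "fanout_alert": len(tools) >= FANOUT_THRESHOLD,
            # Terminate the root first so it cannot respawn what you kill next.
            "kill_order": [root.pid] + [d.pid for d in desc],
        }
    return report


if __name__ == "__main__":
    for pid, info in analyse(SAMPLE_PROCS).items():
        print(pid, info)
```

On a real box you would build the Proc list from a process lister that shows parent PIDs and full image paths, then terminate in the reported order before touching the files. Deleting the directory while the root is still running is exactly the situation in the post, where the files come back within minutes; the respawn also means something outside this tree (a Run key, a service, or a scheduled task) starts the root again, and that is the next thing to hunt for.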
-
July 24th, 2004, 03:35 AM
#2
You could post the executable in a password protected zip file (put the password in your post), and I will download and examine the file to try to identify it.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
July 24th, 2004, 03:46 AM
#3
Member
Here you go:
password: P@ss1234
Appears to open mIRC; also the autoexe contains a lot of default username/password phrases for admin accounts.
Again I appreciate any help on getting rid of this.
Tachyon
|-----|Alcohol is my anti-drug |-----|
-
July 24th, 2004, 05:31 AM
#4
Send me the other executables as well.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
July 24th, 2004, 06:08 AM
#5
I would try running your scanners in safe mode, you will have a better chance of deleting stuff.
Also, start SpyBot in "advanced mode" and use the tools to check out BHOs, the Hosts file etc.
Good luck
EDIT: you might like to look here: http://www.newbie.org/help/messages/28195.html
EDIT#2:
Appears to open mIRC; also the autoexe contains a lot of default username/password phrases for admin accounts.
That sounds like a member of the rbot/sbot family... there are about 700 of them, and new ones come out every week.