What do I do if I suspect I've isolated a piece of malware?
-
Ok, so I'm browsing Unity's documentation when out of nowhere:
[img]http://i.imgur.com/1Yyyu.png[/img]
I go look and sure enough at that exact moment I have a jar_cache[lots of numbers].tmp file and two DLLs that don't show up in a Google search. Zip/Jotti, and three of them report something's in there, though it's conflicting.
I'm fairly certain I've isolated it to these three files, what's the best place to submit them?
Also NOT really got the time to be nuking a Windows install from orbit, doing a new one, installing all my tools, etc... but got to really
-
[url]http://virusscan.jotti.org/en-gb/scanresult/a99e2b168efff21d41ea2386540722e385b01808[/url] <<< Jotti results
[url]https://www.virustotal.com/file/a61236d589094334c9a63dc2563f226f17715f125e91e2e0c4e7bccc4314b77e/analysis/1333833683/[/url] <<< VirusTotal results
Exact filenames are atdsv.dll, cicrap.dll and jar_cache7117336218327690976.tmp
For now... off to find my Windows 7 DVD
-
Can't you just roll back to a system restore point that predated the infection?
-
I doubt that's a very safe way of "avoiding" running with malware when I have no clue what it does?
-
I found some info on the internets that says the Metfos trojan installs itself to these locations:
%AllUsersProfile%\{random}
C:\WINDOWS\System64/32\svchost.exe
C:\WINDOWS\system64/32\spoolsv.exe
%AllUsersProfile%\Application Data\.dll
%AllUsersProfile%\Application Data\.exe
If you've got an x64 system, even better, as it seems to be an x86 trojan, so the processes are clearly marked as 32-bit. Doesn't seem to be hard to remove manually if you have the slightest idea about what you're doing.
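A small triage sweep written for this thread as an added example (not code from any poster): it walks a directory tree and flags the indicators mentioned so far, namely the two DLL names and the jar_cache .tmp the OP isolated, the SHA-256 from the VirusTotal link, and copies of svchost.exe/spoolsv.exe living outside System32/SysWOW64 as described for Metfos. The tree it scans is constructed in a temp directory so it runs anywhere; on a real box you would point sweep() at the drive root.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# SHA-256 taken from the VirusTotal link in the thread: a file hashing to
# this is the sample already analysed there and does not need resubmitting.
KNOWN_SHA256 = {"a61236d589094334c9a63dc2563f226f17715f125e91e2e0c4e7bccc4314b77e"}
SUSPECT_NAMES = {"atdsv.dll", "cicrap.dll"}       # DLLs the OP isolated
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe"}  # names Metfos reuses
LEGIT_SYSTEM_DIRS = {"system32", "syswow64"}      # where those names belong

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(path: Path) -> Optional[str]:
    """Return why a file is suspicious, or None if it matches no indicator."""
    name = path.name.lower()
    if sha256_of(path) in KNOWN_SHA256:
        return "sha256 matches the VirusTotal report"
    if name in SUSPECT_NAMES:
        return "DLL name isolated in the thread"
    if name.startswith("jar_cache") and name.endswith(".tmp"):
        return "Java cache drop file"
    if name in SYSTEM_BINARIES and path.parent.name.lower() not in LEGIT_SYSTEM_DIRS:
        return "system binary name outside System32/SysWOW64"
    return None

def sweep(root: Path) -> Dict[str, str]:
    """Map each suspicious file under root (relative, POSIX-style) to its reason."""
    hits: Dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file():
            reason = classify(p)
            if reason:
                hits[p.relative_to(root).as_posix()] = reason
    return hits

def demo() -> Dict[str, str]:
    """Build a constructed Windows-like tree in a temp dir and sweep it."""
    root = Path(tempfile.mkdtemp())
    files = {  # constructed sample contents, not real binaries
        "Windows/System32/svchost.exe": b"legit",   # proper location: ignored
        "ProgramData/x7Gq/svchost.exe": b"dropped",  # Metfos-style copy: flagged
        "ProgramData/Application Data/atdsv.dll": b"named",
        "Users/me/AppData/LocalLow/Sun/jar_cache7117336218327690976.tmp": b"java",
        "Users/me/notes.txt": b"benign",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return sweep(root)

if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```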
-
@Husky said:
Filed under: inb4 blakeyrant about java
Joke's on you, I did the blakeyrant on Twitter long before this even reached DailyWTF.
-
I find it more impressive that you've managed to create a user profile directory with nothing but whitespace and non-printable characters.
-
@db2 said:
I find it more impressive that you've managed to create a user profile directory with nothing but whitespace and non-printable characters.
When he logs in, he has to remember to quote his username.