• Strange virus-like behaviour, no virus found?

    #485908

    Hi all

    I’ve got a Windows XP SP3 computer that’s exhibiting some classic virus behaviour:
    1. Agonisingly slow (admittedly, it’s an AMD 2600 w 512Mb ram, but it’s gotten slower)
    2. Secunia PSI reported an out-of-date (end of life) file in C:\windows\system32 called blastercln.exe
    It’s apparently a blaster removal program. I deleted the file, but 5 seconds later it reappeared. Very odd.

    I’ve run all of these without anything malicious being found:
    1. Uploaded the out-of-date file to virustotal, with nothing found
    2. MS Security Essentials
    3. Malwarebytes
    4. MS Safety scanner
    5. I uninstalled MSE, and installed Norton Internet Security, update, full scan

    I’ve also run:
    1. Windows Update
    2. Secunia PSI and updated everything that was mentioned

    I’d be hard pressed to convince a jury that the machine had a virus. But I can’t explain why this out-of-date file keeps re-appearing.
    I also tried clobbering the file with all XXXX, and making it read-only, but it gets overwritten (again).

    Could a root kit be at play? I think MS used to have a burn-to-CD-and-reboot program, but I couldn’t remember what it was called.

    Any ideas or hints most welcome.

    Thank you

    Peter

    • #1352394

      I’d try a registry cleaning tool like CCleaner’s registry cleaner component first.
      Blastcln.exe is from MS, probably in the form of a WU malicious tool removal kit commonly associated with WU downloads.
      Boot your computer after running the reg tool and have WU run to see if the exe is replaced.

      If a rootkit is suspected then a clean install should be done, or a restoration of a previously clean image.
      If you don’t have images or backup means, then that should be a big red flag in terms of your lack of a solid backup regimen.

    • #1352420

      The first thing I check with a reported general slowness is the drive transfer speeds, Check Your IDE Port Mode.

      Then check the drive (chkdsk /r then SFC /scannow and WD bootable tools).

      The outdated file is not a problem (but if you ran it and it ‘fixed’ something, it could be – ‘fixes’ change).

    • #1352452

      A similar question about the obsolete tool was asked in the XP forum here 10 days ago. Windows File Protection in XP SP3 replaces some files when deleted. But as the last post in this thread points out, you can probably find and delete the backup copy which will overcome the replacement: EOL Microsoft Windows Blaster Worm Removal Tool Uninstall

      Bruce

      • #1352912

        Thanks, I hadn’t seen this.
        Followed the instructions at the bottom of that thread. Windows had a bit of a whinge about a file being deleted, then it’s business as normal.
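      Bruce’s point above is that Windows File Protection restores a deleted system32 file from a protected copy, so “it reappeared within seconds” is evidence of WFP, not necessarily of malware. A quick way to confirm that before deleting anything is to hash the live file and the cached copies WFP would restore it from: if they are byte-identical, the reappearance is the OS doing its job; if no cached copy exists or it differs, something else is writing the file and the machine deserves the offline-scan treatment suggested later in the thread. The script below is an added example, not code from the thread or from any poster; it assumes the XP layout where WFP keeps copies under %SystemRoot%\system32\dllcache and %SystemRoot%\ServicePackFiles\i386, and it runs against a constructed stand-in directory tree rather than a real Windows install.

```python
import hashlib
import os
import tempfile

# Directories under %SystemRoot% where XP's Windows File Protection keeps
# protected-file copies. Assumed for this example; extend if your install
# keeps copies elsewhere (e.g. an $NtServicePackUninstall$ directory).
WFP_CACHE_DIRS = [
    os.path.join("system32", "dllcache"),
    os.path.join("ServicePackFiles", "i386"),
]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cache_copies(system_root, filename):
    """Return every WFP cache location that holds a copy of `filename`."""
    found = []
    for rel in WFP_CACHE_DIRS:
        candidate = os.path.join(system_root, rel, filename)
        if os.path.isfile(candidate):
            found.append(candidate)
    return found


def classify_reappearance(system_root, filename):
    """Explain why a system32 file keeps coming back.

    verdict values:
      'wfp_restore'    - live file is byte-identical to a cached protected copy
      'unknown_source' - no cached copy, or the cached copy differs: investigate
      'absent'         - the file is not in system32 at the moment
    """
    live = os.path.join(system_root, "system32", filename)
    if not os.path.isfile(live):
        return {"verdict": "absent", "live_sha256": None, "matches": []}
    live_hash = sha256_of(live)
    matches = [p for p in find_cache_copies(system_root, filename)
               if sha256_of(p) == live_hash]
    verdict = "wfp_restore" if matches else "unknown_source"
    return {"verdict": verdict, "live_sha256": live_hash, "matches": matches}


def build_demo_root():
    """Constructed stand-in for %SystemRoot%; the file contents are placeholders,
    not real Windows binaries."""
    root = tempfile.mkdtemp(prefix="wfp_demo_")
    os.makedirs(os.path.join(root, "system32", "dllcache"))
    payload = b"MZ constructed placeholder standing in for blastcln.exe\n"
    # Same bytes in system32 and in dllcache: what a WFP restore looks like.
    for rel in ("system32", os.path.join("system32", "dllcache")):
        with open(os.path.join(root, rel, "blastcln.exe"), "wb") as f:
            f.write(payload)
    # A file with no protected copy: WFP cannot be what is recreating it.
    with open(os.path.join(root, "system32", "other.exe"), "wb") as f:
        f.write(b"MZ constructed file with no protected copy\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for name in ("blastcln.exe", "other.exe", "missing.exe"):
        print(name, classify_reappearance(demo_root, name))
```

On a real XP box you would call classify_reappearance with system_root set to the value of the SystemRoot environment variable; a ‘wfp_restore’ verdict plus a clean VirusTotal result for that hash means the reappearing file is the legitimate tool, while ‘unknown_source’ means the rewrite is coming from somewhere WFP does not explain.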

    • #1352563

      I’m not sure you have a virus. I have had the same experience with a few PCs – after a few rounds of Windows critical updates, everything slows to a crawl.

      Any computer with less than 1.5 GB is unacceptable for running today’s software. ALL the software packages I use consume far too much RAM. My computers with lesser RAM end up being converted to run Linux, or simply donated to charity.

      Once you load something like Norton under Windows XP (with only 512 MB RAM), then you have NO free memory left. Windows itself will use up most of the 512 MB – anything else you do will run very slowly.

      You can check free memory by pressing Control-Shift-Escape to bring up Task Manager. Then look under the performance tab.

    • #1352918

      Peter…go get Kaspersky’s Rescue CD, or make a Windows Defender Offline CD. Both of them boot outside of your XP install and perform a far deeper scan than you can do in XP’s normal mode…where malware actively avoids detection and heals itself.

      Kaspersky: http://support.kaspersky.com/faq/?qid=208282173
      WDO: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

      -John
