On 25 Mar 2010 at 22:57, Burian, Matthew J. (mjb) wrote:

> That one file you saw in the recycle bin sounds very similar in name
> to the Microsoft Antimalware process of "MsMpEng.exe" used in OneCare
> and now used in Security Essentials. (Also may be used with Windows
> Defender??)
>
> Just an interesting, though probably unrelated similarity in file naming.

Probably an intentional mis-naming by the malware.

Actually it turned out to be a true nasty trojan, not an FP (although I had those today also*). Info pages here:

W32/IRCbot.gen.aj
http://vil.nai.com/vil/content/v_252087.htm

W32/Rimecud
http://vil.nai.com/vil/content/v_237984.htm

My infections had the filename of the first of those but the exact file-location and registry-keys of the second.

VIPRE identified them as "Worm.Win32.Rimecud" [where DO they get these names???] and the VIPRE info page (doesn't say anything useful, unfortunately) is here:

http://www.sunbeltsecurity.com/ThreatDisplay.aspx?name=Worm.Win32.Rimecud&tid=4268277&cs=50289929C7DB40A0D03710195D3B1B1C

or here if the above wraps unusably:

http://preview.tinyurl.com/ydtnjw6

I had three machines where the VIPRE "Deep Scan" found this. I need to make sure I get Deep Scans on the rest of the network RSN as this spreads via network shares among other methods.

Angus

* FPs on half a dozen files in hidden directory C:\hp\recovery\wizard\fsadmin\ on one XP Home machine that still sits on my network. Submitted them to Sunbelt after dealing with Rimecud. No answer yet, but it was after 9 PM Florida time when I submitted them.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~