Virus problem, help please
Discussion
3 of the PCs on the system have come up with a virus warning this morning - details are:
Virus identified: REG.EXE (Worm/Generic.Tx - C:l386/REG.EXE)
I can't find any info on any of the standard virus sites, wondering if anyone here could give me some more info. AVG is happily sat there telling me it's infected but can't repair it and I'm sure Reg.exe is a registry edit program shipped with XP? So I can't just delete the file!
Have you read this?
www.mcafee.com/us/local_content/misc/4715_dat_w95_ctx_faq.pdf
It seems McAfee has been incorrectly identifying some files as being viruses. Reg.exe is one of them. Might be worth double-checking before you do anything?
reg.exe google search said:
REG.EXE does almost everything Regedt32 can do, but it allows you to do it from a command line. This can be useful when you want to quickly make a change without opening Regedt32, and it also allows you to embed registry operations in logon scripts and batch files.
Time to get a better virus scanner IMHO. That was the first hit on google for 'reg.exe'.
I know Reg.exe is a real file, the problem is many viruses hide in "real" files. I wouldn't have been too worried as I know that virus checkers can occasionally mis-identify a file as a virus, but in this case there are 6 machines, all absolutely 100% identical, running exactly the same version, update etc of the antivirus, and only 3 of them are coming up with a problem - can't see why that would be unless there truly is a problem on those 3 computers?
BlairOut's suggestion sounds the most sensible way to approach it.
I am aware of viruses deploying their payload into 'normal' files, however generally speaking attacking such a little-used file that isn't going to be run by the average user doesn't seem like a good idea if you're trying to infect as many PCs as possible. Now attacking explorer.exe, that one I can understand.
Having said that, if reg.exe is bigger/smaller on an infected machine compared to an uninfected machine, with a different date/time stamp, then we're on to a winner... If they are identical in all respects then I suspect anything we do is a temporary patch to a problem that will manifest again at some point in time.
If it is a real infection I'd suggest looking at where those three machines have been to have picked this up from.
Edited by thepassenger on Friday 4th August 11:23
thepassenger said:
BlairOut's suggestion sounds the most sensible way to approach it.
I am aware of viruses deploying their payload into 'normal' files, however generally speaking attacking such a little-used file that isn't going to be run by the average user doesn't seem like a good idea if you're trying to infect as many PCs as possible. Now attacking explorer.exe, that one I can understand.
Having said that, if reg.exe is bigger/smaller on an infected machine compared to an uninfected machine, with a different date/time stamp, then we're on to a winner... If they are identical in all respects then I suspect anything we do is a temporary patch to a problem that will manifest again at some point in time.
If it is a real infection I'd suggest looking at where those three machines have been to have picked this up from.
sorry if I sounded like I was trying to teach you to suck eggs, slightly stressed at the mo (really didn't need this today!)
I have just checked the file size - on a good machine - 49kb. On the infected machine, 1346kb with date stamp of yesterday. I'm restarting in safe and duplicating files from an OK machine as we speak - with any luck we are on to a winner!
Davi said:
sorry if I sounded like I was trying to teach you to suck eggs, slightly stressed at the mo (really didn't need this today!)
No worries, I know what it's like and I should know by now how easy it is to appear snotty on-line when all you've got is text and to help.
Davi said:
I have just checked the file size - on a good machine - 49kb. On the infected machine, 1346kb with date stamp of yesterday. I'm restarting in safe and duplicating files from an OK machine as we speak - with any luck we are on to a winner!
That's a big bloody virus! Wonder where those machines have been....
Good luck with the transplant.
thepassenger said:
Davi said:
sorry if I sounded like I was trying to teach you to suck eggs, slightly stressed at the mo (really didn't need this today!)
No worries, I know what it's like and I should know by now how easy it is to appear snotty on-line when all you've got is text and to help.
Davi said:
I have just checked the file size - on a good machine - 49kb. On the infected machine, 1346kb with date stamp of yesterday. I'm restarting in safe and duplicating files from an OK machine as we speak - with any luck we are on to a winner!
That's a big bloody virus! Wonder where those machines have been....
Good luck with the transplant.
Possibly collecting data, e.g. keylogger and browser logger (looking for bank information and passwords etc.).
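The size and date-stamp comparison suggested in the thread, extended with a content hash, as an added example (not code from any poster): each machine's copy is checked against a trusted reference copy rather than by majority vote, since here half the machines are flagged. The function names, machine names and stand-in file contents are constructed; the 49 KB and 1346 KB sizes are the ones reported above.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """Return (size in bytes, mtime in whole seconds, SHA-256 hex) of a file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return st.st_size, int(st.st_mtime), digest.hexdigest()


def compare_to_reference(reference, copies):
    """Compare each machine's copy (name -> path) with a trusted reference.

    The verdict rests on the hash alone; size and timestamp differences are
    reported as context because either can match on a modified file.
    """
    ref_size, ref_mtime, ref_hash = fingerprint(reference)
    report = {}
    for machine, path in sorted(copies.items()):
        size, mtime, sha = fingerprint(path)
        report[machine] = {
            "modified": sha != ref_hash,
            "size_delta": size - ref_size,
            "mtime_differs": mtime != ref_mtime,
        }
    return report


def demo():
    """Run the comparison on constructed stand-in files (not real reg.exe copies)."""
    good = bytes(range(256)) * (49 * 1024 // 256)    # 49 KB, as on the good machine
    bloated = good + b"\x00" * ((1346 - 49) * 1024)   # 1346 KB, as on the flagged one
    patched = b"\xff" + good[1:]                      # same size, one byte changed
    samples = {"reference": good, "pc1": good, "pc2": good, "pc3": bloated, "pc4": patched}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, data in samples.items():
            paths[name] = Path(tmp) / f"{name}_reg.exe"
            paths[name].write_bytes(data)
            os.utime(paths[name], (1_000_000_000, 1_000_000_000))
        os.utime(paths["pc2"], (1_100_000_000, 1_100_000_000))  # clean file, new timestamp
        reference = paths.pop("reference")
        return compare_to_reference(reference, paths)
```

In the constructed run, pc2 shows that a changed timestamp alone does not mean modification, and pc4 shows that an unchanged size does not mean a clean file.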