
My computer got one of those Recycle bin viruses, e621ca05.exe. It's an old installation of Windows XP and I can't even enter safe mode because it was in a shaky state already. So I can't follow the steps described everywhere to get rid of it.

But anyway I should be able to find a registry entry or the process or service that it uses. I know that it's running, or at least it's notified of external drives being added, because whenever I format my pen drive and plug it in, it will automatically copy the virus there again. I've gone through the bunch of entries in HKEY_LOCAL_MACHINE\...\CurrentVersion\Run, HKEY_CURRENT_USER\...\CurrentVersion\Run, and RunOnce. I've also gone through the processes running in the task manager; nothing looks suspicious, except for those svchost that I don't really know in depth.

I guess that it might be running as a service, but almost all of them are signed by Microsoft.

So my questions are:

  1. Is there any other kind of process besides those in the task manager and services?
  2. Is there any other place where applications sign to be loaded on start besides ..\CurrentVersion\Run (or RunOnce)?

P.S.: I've got Avira installed and updated. Doesn't help at all.

user3748908
There are just too many areas from which malware can execute automatically to document them all. To give you an idea, take a look at the blog series "Beyond good ol' Run keys". The first one is available at http://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/. So far 30 posts have been posted, so you can see how many places there are to automatically run malware. A reasonable approach is to start afresh from a clean slate. – void_in Apr 29 '15 at 09:49
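As an added example (not part of the original question or comment), the sketch below checks a few well-known autostart locations beyond Run and RunOnce in saved `reg query <key> /s` output and flags values that point into a Recycle Bin folder or at an eight-hex-digit file name like the one in the question. The location list is deliberately partial, and the two indicators, the function names and the sample text are assumptions made for illustration.

```python
import re

# Autostart locations: (key-path regex, value names to read, or None for all values).
AUTOSTART = [
    (r"\\CurrentVersion\\(Run|RunOnce)$", None),
    (r"\\Windows NT\\CurrentVersion\\Winlogon$", {"shell", "userinit"}),
    (r"\\Windows NT\\CurrentVersion\\Windows$", {"appinit_dlls"}),
    (r"\\Image File Execution Options\\[^\\]+$", {"debugger"}),
    (r"\\CurrentControlSet\\Services\\[^\\]+(\\Parameters)?$", {"imagepath", "servicedll"}),
]
# Indicators from the question: a Recycle Bin path, or a file name of eight hex digits.
INDICATORS = {
    "recycle-bin path": re.compile(r"\\(RECYCLER|RECYCLED|\$Recycle\.Bin)\\", re.I),
    "hex file name": re.compile(r"(?<![0-9a-z])[0-9a-f]{8}\.(exe|dll|scr|com)\b", re.I),
}
VALUE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s*(.*)$")

def autostart_entries(text):
    """Yield (key, value name, data) for each value stored in an autostart location."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE.match(line)):
            name, _, data = m.groups()
            if any(re.search(rx, key, re.I) and (names is None or name.lower() in names)
                   for rx, names in AUTOSTART):
                yield key, name, data

def suspicious(text):
    """Return (key, name, data, reasons) for autostart entries matching an indicator."""
    tagged = ((k, n, d, [lbl for lbl, rx in INDICATORS.items() if rx.search(d)])
              for k, n, d in autostart_entries(text))
    return [t for t in tagged if t[3]]

# Constructed sample in the layout that `reg query <key> /s` prints; not real output.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\tray.exe" /min
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe,C:\RECYCLER\S-1-5-21-0000000000\e621ca05.exe
    DefaultUserName    REG_SZ    owner
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\0a1b2c3d.dll
"""

if __name__ == "__main__":
    print(*suspicious(SAMPLE), sep="\n")
```

A hit is only a lead to inspect by hand: a value can match an indicator and be legitimate, and an entry that matches neither can still be malicious.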

0 Answers