Possible Infection - How to further investigate

Discussion in 'ESET NOD32 Antivirus' started by wolliballa, Sep 26, 2012.

Thread Status:
Not open for further replies.
  1. wolliballa

    wolliballa Registered Member

    I might have been hit by a sort of latest Win32/trustezeb malware during preparation of a malware sample to be sent to ESET. At the end, NOD32 has put a file out of /Appdata/local/temp into quarantine, so I believed the machine to be clean.
    Now I discovered that, from time to time, NOD32 is blocking access to tmsavu.com and seneesamj.com, which Googling tells me are somewhat connected to malware. At the time of blocking no browser is active, so I believe a certain malware process is still active.
    Autoruns and Process Explorer currently don't show any unknown or unsigned program/process (at least to me).
    Currently MalwareBytes is running and has discovered nothing so far.
    Any chance that NOD32 logs would tell me what process has started the request to the external address, so I could start from there to kill it?
    Where would I see logs of blocked addresses and their frequency?
    From other sites (Avira) I learned that
    • %WINDIR%\explorer.exe
    • %SYSDIR%\svchost.exe
    • %SYSDIR%\ctfmon.exe
    might be modified and infected.

    Would a system recovery (going back 4 days) do a real cleaning?

    Any help would be appreciated
     
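    One way to answer the "which process started the request" question on the host itself, as an added example that is not part of the thread and not an ESET tool: list current outbound TCP connections together with the owning process, its image path and its Authenticode signature status, so a connection to a blocked host can be traced back to a process. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Resolve-DnsName) and a hypothetical hostname placeholder in the usage comment.

    ```powershell
    # Added example (not from the thread). Maps live outbound TCP connections to the
    # process that owns them and reports whether that process image is signed.
    function Get-OutboundConnectionOwners {
        param(
            # Optional remote IP literals to filter on; empty means report all connections
            [string[]]$RemoteAddress = @()
        )
        $conns = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0', '::') }
        if ($RemoteAddress.Count -gt 0) {
            $conns = $conns | Where-Object { $_.RemoteAddress -in $RemoteAddress }
        }
        foreach ($c in $conns) {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path   # null for protected/system processes without access
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            [pscustomobject]@{
                RemoteAddress = $c.RemoteAddress
                RemotePort    = $c.RemotePort
                State         = $c.State
                PID           = $c.OwningProcess
                Process       = $proc.ProcessName
                Path          = $path
                Signature     = $sig   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            }
        }
    }

    # Usage: resolve the hostnames the AV reports as blocked (placeholder name below),
    # then filter to those addresses; unsigned or oddly located images are the ones to
    # submit as samples, not delete blindly.
    # $ips = (Resolve-DnsName 'blocked-host.example' -ErrorAction SilentlyContinue).IPAddress
    # Get-OutboundConnectionOwners -RemoteAddress $ips | Format-Table -AutoSize
    Get-OutboundConnectionOwners | Sort-Object Signature, Process | Format-Table -AutoSize
    ```

    Because the beaconing in the thread is intermittent, run it in a loop (for example every few seconds) and keep the output, since a short-lived connection will not be present at any single moment.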
  2. Marcos

    Marcos Eset Staff Account

    I assume that running an on-demand scan (including memory) doesn't show any infection either. In that case, please generate a SysInspector log and email it to samples[at]eset.com with a reference to this thread. You can also check the reputation of running processes under Tools -> Running processes, which might give you a clue as to which process is malicious.
     
  3. wolliballa

    wolliballa Registered Member

    Update:
    As I needed my laptop desperately, I waited for Malwarebytes to finish its run (no suspect files found).
    I chose to pull the system back 5 days by system recovery (this was a known date before infection); it went fine, and there have been no blocked-address popups from NOD32 so far...
     