sgzuuf.exe - virus?



MurghBpurn
September 24th, 2009, 20:07
After some help.

My processor seems to be working overtime with no applications running. One of the processes in Windows Task Manager is sgzuuf.exe; there's no such file showing when I search my computer, and I can't use End Process or TaskKill to stop it (even though TaskKill reports it terminated).

I've tried Googling sgzuuf and nothing shows

Any advice?

Oberoten
September 24th, 2009, 20:56
Check your:
Hkey_local_machine/Software/Microsoft/Windows/Current Version/Run
Hkey_Current_User/Software/Microsoft/Windows/Current Version/Run

for the executable, to see where the file is located. It should be noted that if this is in a temp directory, it is pretty safe to handle the file as a virus: delete it while in safe mode and then remove all keys pointing to it.

MurghBpurn
September 24th, 2009, 21:43
So a search for sgzuuf found this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with a name of sgzuuf and a Data of C:\Documents and Settings\Phil\sgzuuf.exe

this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache with a Name of C:\Documents and Settings\Phil\sgzuuf.exe and a Data of sgzuuf

this:
HKEY_USERS\S-1-5-21-2930462304-1798460075-939075630-1006\Software\Microsoft\Windows\CurrentVersion\Run with a name of sgzuuf and a Data of C:\Documents and Settings\Phil\sgzuuf.exe

and this:
HKEY_USERS\S-1-5-21-2930462304-1798460075-939075630-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache with a Name of C:\Documents and Settings\Phil\sgzuuf.exe and a Data of sgzuuf

Needless to say there is no file of that name to be seen in C:\Documents and Settings\Phil\

Delete all 4 entries?

Oberoten
September 25th, 2009, 08:00
Make a backup of all instances and remove them afterwards. If it breaks any functionality just restore from the backups.

- Obe

Zeus
September 25th, 2009, 11:26
Download yourself a copy of Trend Micro's HiJack This! and run a scan.

Some viruses spread by attaching themselves to existing system processes, BHOs, toolbars, etc., making them hard to remove by simple file deletes. You need to find the process that's creating the files and registry entries. If you don't, they will simply be recreated upon startup/next login.

If you look through the output list from Hijack This's scan of your machine you should be able to find the entry that is creating the files. You can then check the item and get Hijack This! to remove all the associated entries and files. It may also tell you to reboot and re-scan before login (if offending files are resident in memory, a normal file delete will not work).

You can grab Trend Micro's Hijack This! from: http://free.antivirus.com/hijackthis/

In addition I would also install and run Malwarebytes' Anti-Malware (found here: http://www.malwarebytes.org/mbam.php).

These two tools should be able to remove 99% of the known viruses out there.

Tenian
September 25th, 2009, 11:32
Some particularly nasty virii will prevent you from loading anti-malware/anti-virus tools. You may need to look into a program that renames them (I know one exists for Malwarebytes).

Zeus
September 25th, 2009, 11:47
Here's a trick I use to circumvent virus/spyware and malware issues.

Rather than trying to prevent infection (the tools that do this are always at least one step behind virus developers, and I can think of better uses for $50-60 than an anti-virus subscription every year; yes, I'm that tight :D), I limit all my interweb activity (web browsing, email, ftp, scp, downloads etc.) to a small virtual machine I have running under VMware's free VM software.

Now the VM I have created is a standard Vista system installed with the following additional software:

- Malwarebyte's Anti-Malware
- Spybot S&D
- Trend Micro's Hi-Jack This!

The VM is also configured to revert to a locked snapshot image of the OS. This means upon reboot the VM always returns to a known good state, any changes to the OS made (deliberate or not) prior to the restart are therefore lost.

What this means is I can use the VM safely to interact with networks outside of my own home network. In the event the VM becomes infected I simply restart it and voilà, it's instantly gone.

I'm careful when moving files off of this system as well and have filters set up to screen for suspicious content; this way I also reduce any chance of spreading the virus to any of my other systems.

Anyway, just a thought.

Tokuriku
September 25th, 2009, 16:26
Very nice setup indeed :D

MurghBpurn
September 26th, 2009, 16:50
Download yourself a copy of Trend Micro's HiJack This! and run a scan.

Thanks, this seems to have worked. However, there were reams of stuff it picked up; I just fixed the offending file, as a lot of the others looked genuine.

Zeus
September 26th, 2009, 17:05
Yeah, that's right. Some of the entries will be genuine and should not be removed. If you click on the info button in the bottom right corner it provides an explanation of all the different entries.

You can usually tell if an entry is suspect, as the files they generate tend to have random characters in their filenames.
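The checks the thread arrives at by hand (Oberoten's "look in the Run keys and see where the file lives", the MUICache entries MurghBpurn found, "back up before you delete", and Zeus's "random characters in the filename" rule of thumb) can be scripted. The PowerShell below is an added example, not code from this thread or from any of the tools named in it. It audits the HKLM and HKCU Run keys, works out which executable each value points at, and lists the reasons an entry looks suspicious; it removes nothing unless -Remove is passed, and then it exports the key to a .reg file before asking to delete each flagged value. The regexes, the thresholds in the name heuristic, the Vista-and-later MuiCache path and the backup directory are this example's own assumptions.

```powershell
# Added example, not code from this thread or from any of the tools named in it.
# Audits the autorun locations the posters cite (the HKLM/HKCU ...\Run keys and the
# MUICache key that showed sgzuuf.exe had run), extracts the executable each Run
# value points at, and reports why an entry looks suspicious. Nothing is removed
# unless -Remove is given, and then the key is exported to a .reg file first.
# The regexes, thresholds and backup location are this example's own assumptions.
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:USERPROFILE\Desktop\autorun-backup"
)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$muiKeys = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',                           # XP
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'  # Vista and later (assumed)
)
# Properties Get-ItemProperty adds itself; they are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-TargetPath {
    # Pull the executable path out of a Run command line, whether it is quoted
    # or an unquoted path containing spaces (C:\Documents and Settings\Phil\sgzuuf.exe).
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|bat|cmd|vbs|js|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

function Test-RandomName {
    # Zeus's "random characters in the filename" heuristic, made mechanical:
    # a base name of 5+ characters with no vowels, a run of 4+ consonants,
    # or letters mixed with digits. Thresholds are assumptions.
    param([string]$Path)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Path).ToLower()
    if ($base.Length -lt 5) { return $false }
    if ($base -notmatch '[aeiouy]') { return $true }
    if ($base -match '[bcdfghjklmnpqrstvwxz]{4,}') { return $true }
    if ($base -match '\d' -and $base -match '[a-z]') { return $true }
    return $false
}

function Test-SeenInMuiCache {
    # MUICache records programs the shell has launched; on newer Windows the
    # value name is the path followed by a suffix, hence StartsWith.
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($mk in $muiKeys) {
        $mui = Get-ItemProperty -Path $mk -ErrorAction SilentlyContinue
        if (-not $mui) { continue }
        foreach ($v in $mui.PSObject.Properties) {
            if ($v.Name.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
    }
    return $false
}

function Get-AutorunFindings {
    $findings = @()
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $target  = Get-TargetPath ([string]$p.Value)
            $reasons = @()
            if (-not $target -or -not (Test-Path -LiteralPath $target)) { $reasons += 'target file not found on disk' }
            if ($target -match '\\Temp\\|\\Documents and Settings\\[^\\]+\\[^\\]+$|\\Users\\[^\\]+\\[^\\]+$') {
                $reasons += 'runs from a temp or user-profile directory'   # Oberoten's rule of thumb
            }
            if (Test-RandomName $target)     { $reasons += 'random-looking file name' }
            if (Test-SeenInMuiCache $target) { $reasons += 'has been launched (MUICache entry)' }
            $findings += [pscustomobject]@{
                Key = $key; Name = $p.Name; Target = $target; Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

$findings = Get-AutorunFindings
$findings | Format-Table -AutoSize

if ($Remove) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($f in ($findings | Where-Object { $_.Reasons })) {
        # Export the whole key first, then ask before each removal.
        $regPath = $f.Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
        $file    = Join-Path $BackupDir (($f.Key -replace '[:\\]', '_') + '-' + $f.Name + '.reg')
        reg.exe export $regPath $file /y | Out-Null
        Remove-ItemProperty -Path $f.Key -Name $f.Name -Confirm
    }
}
```

Run it once without -Remove and read the Reasons column: a missing target plus a profile-directory location, as in the sgzuuf case above, is a much stronger signal than a random-looking name on its own, and plenty of legitimate vendor updaters will trip the location check. Writing to HKLM and exporting that key need an elevated prompt; the HKCU entries in this thread do not. Because this script only reads the current user's hive, the HKEY_USERS\S-1-5-... duplicates MurghBpurn listed are the same values seen through the other path, so removing the HKCU entry clears both.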

drahkar
November 6th, 2009, 13:08
HiJack This! is a nice program. It basically displays anything that's not default. Then you can just pick and choose what to affect.