#81
First post shows XP and Win 7 computers and router with minimal protection. Sounds like reinfection from CD/DVD or networked XP.
Found this:
VGHD.EXE has been seen to perform the following behavior:
- Executes a Process
- Registers a Dynamic Link Library File
- Adds products to the system registry
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Adds a Registry Key (RUNONCE) to auto start Programs on system start up
- Writes to another Process's Virtual Memory (Process Hijacking)
- The Process is polymorphic and can change its structure
- Uses rootkit techniques to conceal its presence, interrogation or removal
- Found on infected systems and resists interrogation by security products
- Makes outbound connections to other computers using NETBIOSOUT protocols
- The Process is packed and/or encrypted using a software packing process
VGHD.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Terminated as a Process
- Has code inserted into its Virtual Memory space by other programs
- Changes to the file command map within the registry
- Deleted as a process from disk
- Added as a Registry auto start to load Program on Boot up
- Registered as a Dynamic Link Library File
Sounds like it is "hiding" in memory or in the MBR, which is NOT affected by format commands unless specified to do so.
Regards,
GEWB