W32/Autorun-BQJ "hiding" on XP machine

We have a machine (XP SP3) that appears to have a functioning, updating Sophos (9.5.5 VDL 4.67G) installed which detects nothing when a full scan is run.

Nothing is showing as detected or cleanable on the SEC for the machine and SEC says the machine is up to date and last updated earlier this morning.

However any memory stick put into the machine seems to get infected with W32/Autorun-BQJ – this gets picked up when the stick is put into another of our machines running Sophos.

We've checked and there is no file c:\documents and settings\support\application data\ktfsfc.exe as mentioned in http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/W32~AutoRun-BQJ.aspx on the machine.

Any suggestions for how to sort this machine - before we decide it's quicker to do a total rebuild?

Thanks.

  • Hello Blossom,

    if you suspect that "something" is hiding and not detected by Sophos it's IMO a good idea to pin it down. 

    First of all - what item (file) on the stick is detected as W32/Autorun-BQJ? Can you clean it and does it re-appear if you plug the stick in the suspicious machine? If so, you might want to give the Sophos Source of Infection Tool a try.

    You could also run Process Explorer to check for unknown processes and TcpView for outgoing connections.

    Christian
