Hi,
Yesterday I was troubleshooting a family member’s computer and came across this strange service/task (named “controlformatmotion.exe”).
The computer was obviously infected by malware, and the preinstalled McAfee had removed some of the ad-/spyware on it already and now reported the PC as clean.
BUT as spam and ads still popped up randomly, it sure wasn’t clean for real.
Tried the usual stuff: cleaning out all installed apps, browser add-ons, temp files, appdata catalog (.exe, .msi, .dll’s), etc. etc… But still no luck.
It was then I found this process (or was it a service? I don’t remember). It could not be stopped, so I disabled it and rebooted the PC.
Don’t know if it stopped but at least didn’t get any popups for the couple of minutes I was waiting.
So I figured it was time to Google a bit around this claimed “.exe”-file… NOTHING… ? …when put in " " Google didn’t give me one single hit.
Luckily I didn’t stop there, downloaded/installed Avast, ran a scan and it immediately found “strange behaviour”. It wanted to go into deep scan (dos/boot time scan) and shortly after found a rootkit named “win32:dropper-gen [Drp]” in this folder:
C:\Windows\SysWOW64\ControlFormatMotion\ControlFormatMotion.exe
So now I’m a bit uncertain what to think of this.
First, was this file only infected by this rootkit and belongs to some other app?
And, why didn’t I get a single search hit for it anyway?
Or, if this file belongs to the virus/rootkit, is it some kind of variation or just a randomly generated file-/pathname, since it didn’t give any search hits?
And finally, can I rely on the PC now being clean, or will I have to go on with several other cleaning methods, AV scans, etc?
Any suggestions?
Thanks!
Ø.S.