Rico123 Posted November 18, 2008

Hello,

Today SAS found c:\windows\system32\GKSUI18.exe. SAS was successful at removing it, then required a reboot, and it was then in quarantine. I then selected remove from quarantine. Re-scanned with SAS and all was clean.

Question - My external HDD has Acronis 10 backed-up files on it. Can SAS get into the compressed Acronis files for a good scan? I tried doing it; it lasted only seconds on G:\ and then SAS said G:\$secure$SDS. Is this a failed scan?

Regarding the removed GKSUI18.exe - I really did not notice any adverse effects on the infected machine. How would this malware have been executed?

From SAS Log:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 11/17/2008 at 05:31 PM

Application Version : 4.21.1004

Core Rules Database Version : 3640
Trace Rules Database Version: 1623

Scan type : Quick Scan
Total Scan Time : 00:07:17

Memory items scanned : 297
Memory threats detected : 0

Registry items scanned : 359
Registry threats detected : 0

File items scanned : 7076
File threats detected : 1

Trojan.Gen
C:\WINDOWS\SYSTEM32\GKSUI18.EXE

Thank you,
Rick
SUPERAntiSpy Posted November 18, 2008

We can't get into the compressed archives/backups.
Rico123 Posted November 18, 2008

Hello,

Thank you for the response!

Further investigation leads me to believe this is/was an "FP". Exploring the backup drive (ext HDD, Acronis backups) shows:

c:\windows\system 32\GKSUI18.exe 72kb
72kb x 1024 = 73,728 bytes.

From Prevx I found: http://spywarefiles.prevx.com/ssBFDF148315/GKSUmore.html

Also from Prevx:

* Safety Rating: Known Malware, do not run
* Malware Family: Part of Malware group - Covert Sys Exec
* Determination: Automatically determined using Prevx centralized heuristics
* Malware Form: EXPLOIT
* Protection: Prevx provides powerful security products that you can use to detect, remove and protect you from GKSUI18.EXE and safeguard your PC against viruses, trojans, worms, spyware, rootkits and adware
* Why risk having spyware on your PC when it takes less than 2 minutes to thoroughly check it with Prevx CSI? Click here to check your PC with Prevx CSI Now.
* First seen: Nov 14 2006 (GMT)
* Last seen: Nov 14 2006 (GMT)
* File Size: 69,632 bytes

It seems the known Trojan size = 69,632 bytes, which does not equal 72kb.

Where I'm not sure is:

- % signs surrounding a folder (see URL above)
- Who does this exe file belong to?
- Not 100% sure I should restore it from Acronis

Do you have a database to ID threats? I just googled and chose the 1st match < why I referenced Prevx >

Thanks,
Rick
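The size comparison in the post above (72kb in Explorer versus the 69,632 bytes Prevx lists) is the right instinct, but Explorer's KB column is rounded up to the next kibibyte, so a triage check should compare exact byte counts and record a hash for lookup. The following is an added example, not code from this thread or from SUPERAntiSpyware; it builds a constructed stand-in file and the known-bad size is just the figure quoted in the post.

```python
import hashlib
import math
import os
import tempfile

KIB = 1024

def explorer_kb(size_bytes: int) -> int:
    """The 'KB' figure Windows Explorer shows: rounded up to the next KiB."""
    return math.ceil(size_bytes / KIB)

def bytes_for_explorer_kb(shown_kb: int) -> tuple[int, int]:
    """Inclusive range of exact sizes Explorer would display as shown_kb KB."""
    if shown_kb <= 0:
        return (0, 0)
    return ((shown_kb - 1) * KIB + 1, shown_kb * KIB)

def size_consistent(shown_kb: int, exact_bytes: int) -> bool:
    """Could a file Explorer lists as shown_kb KB really be exact_bytes long?"""
    low, high = bytes_for_explorer_kb(shown_kb)
    return low <= exact_bytes <= high

def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(path: str, known_size_bytes: int) -> dict:
    """Compare a backed-up or quarantined file against a vendor's listed size
    using exact bytes, and record the hash so it can be looked up elsewhere."""
    size = os.path.getsize(path)
    return {
        "size_bytes": size,
        "explorer_kb": explorer_kb(size),
        "matches_known_size": size == known_size_bytes,
        "sha256": sha256_of_file(path),
    }

def make_sample(size_bytes: int) -> str:
    """Constructed stand-in for the backed-up file (zero bytes, no real content)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * size_bytes)
    return path
```

Run `triage(make_sample(73728), 69632)` to see that a file Explorer shows as 72 KB cannot be the 69,632-byte sample (which Explorer would show as 68 KB); the SHA-256 is what to submit or search on rather than the size.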
SUPERAntiSpy Posted November 18, 2008

We are investigating the sample you submitted now (thank you for submitting!) and we will post our results.