nuclab rootkit

Janno

There is a virus that Trend finds as TSPY_GOLDUN.GEN. It cannot be cleaned or quarantined...just identified. It launches a service from the nuclab.sys file in Windows. The service runs stealth and is running in Safe mode.

In my instance, it came with a file named nuclabdll.dll also in the Windows directory. In SpyBot it shows as being in system.ini and it cannot be "not started" using the SpyBot software (it just adds itself back in). Even TeaTimer cannot stop it.

After killing it, there is still residue in the registry that I can't get rid of (lists as LegacyDriver and in service list).

Hopefully you can put this in your detection list and find a way to kill it off.

One more thing: When the system boots up, I see something that flashes across the screen that seems to have "Loading" and the letters PPR in it. However, it moves too quickly to determine if this is part of the BIOS or something else. This is a Dell Optiplex.
 
The other thread is not really a related thread.

I was just pointing out here a malware that I discovered and eradicated. SpyBot SD 1.4 had not located it and I thought it might be of interest to the developers.

I now understand that this is not the proper forum if I do not have all the scan logs from my cleanup and I apologize for posting here.
 