Small box in upper left of display related to iexplore



dc2@28352
2008-11-18, 19:14
I found this little blue box last week in the upper left corner of my display on my PC at work. Once I dragged it to the open desktop, it appears to be a "window" roughly 1/4 inch wide and 1/2 inch deep. After researching my task manager, I was able to link it to iexplore.exe; of course, I wasn't running the browser at that time. This has now been found on nearly 300 PCs in my company over the past 7 days. It's evading my antivirus signatures. It evades Spybot. I've found nothing recent about this on any website. These infected PCs have exe files stored in the D&S\Username\Application Data folder. There are various names but all are 404,992 bytes. Some of the names are:
Lsas.exe
Event.exe
Svchosts.exe
Helper.exe
Upnpsvc.exe
Service.exe
Rundll.exe
Msiexeca.exe
Logon.exe
Dumpreport.exe
Sound.exe
Taskmon.exe

Once I stop IExplore and delete the file(s), it doesn't appear to come back. Does anyone know if this is a 2008 recurrence of an old issue?

Thanks in advance.
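
A triage sweep for the indicators described in the post above (executables sitting directly in each profile's Application Data folder, 404,992 bytes, with the listed names), added here as an example and not part of the original thread. The profile root path and the function names are assumptions; hashing each hit shows whether the differently named files are copies of one binary.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

SUSPECT_SIZE = 404_992  # bytes; the size the post reports for every file
# File names listed in the post, compared case-insensitively
REPORTED_NAMES = {n.lower() for n in (
    "Lsas.exe", "Event.exe", "Svchosts.exe", "Helper.exe", "Upnpsvc.exe",
    "Service.exe", "Rundll.exe", "Msiexeca.exe", "Logon.exe",
    "Dumpreport.exe", "Sound.exe", "Taskmon.exe")}

def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep_profiles(profiles_root):
    """Flag .exe files directly inside each profile's Application Data folder."""
    findings = []
    for profile in sorted(Path(profiles_root).iterdir()):
        appdata = profile / "Application Data"
        if not appdata.is_dir():
            continue
        for entry in sorted(appdata.iterdir()):
            if not entry.is_file() or entry.suffix.lower() != ".exe":
                continue
            reasons = []
            if entry.stat().st_size == SUSPECT_SIZE:
                reasons.append("size")
            if entry.name.lower() in REPORTED_NAMES:
                reasons.append("name")
            if reasons:
                findings.append({"path": str(entry), "reasons": reasons,
                                 "sha256": sha256_of(entry)})
    return findings

def group_by_hash(findings):
    """Differently named copies of one binary collapse to a single hash."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["sha256"]].append(f["path"])
    return dict(groups)

if __name__ == "__main__":
    # Assumed profile root for the "D&S" path in the post; adjust per machine.
    hits = sweep_profiles(r"C:\Documents and Settings")
    for digest, paths in group_by_hash(hits).items():
        print(digest, *paths, sep="\n  ")
```

A hit flagged on name alone, with a different size, may be an unrelated file or a different build and should be examined separately from the size-matched group.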

tashi
2008-11-18, 19:32
Hello dc2@28352,


This has now been found on nearly 300 PCs in my company over the past 7 days. It's evading my antivirus signatures. It evades Spybot.

Volunteer analysts cannot work without seeing a HJT log, however...

Post #5 http://forums.spybot.info/showpost.php?p=25712&postcount=5 in this sticky topic: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Note:
When the infected computer in question is a company machine in the workplace, and you are an employee.

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.

--------------------------------------------
Malware removal forum volunteers are unable to assist users with infected Corporate, Government or Institutional machines. Please contact our office support so they may provide direct assistance for your needs. Thank you. :)

Spybot S&D Corporate-Small Business Editions (http://www.safer-networking.ie/en/index.html)
For more information, please send an email to licenses(at)spybot.info

Best regards.

dc2@28352
2008-11-19, 17:38
"More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable."

Sorry about the post. I am the sys admin for the company...certainly not looking for fault or blame and my IT techs are jumping through hoops right now trying to figure this thing out. I had found similar symptoms on other forums from Apr 2007 time frame. I was searching for "what is this thing" more so than requesting a cure. Once again, sorry for the oversight. I'll look elsewhere.