
Troubleshooting procedure for finding possible infected files if a virus is not detected
Technical Articles ID:  KB53094
Last Modified:  10/14/2014


Environment

All McAfee desktop and server anti-virus products for Microsoft Windows

Summary

This article describes a number of procedures and locations to help you find suspicious files when an infection is not detected by your McAfee anti-virus products.

Possible symptoms include:
  • Suspicious computer behavior such as high CPU usage on unrecognized processes
  • Significantly increased network traffic or bandwidth usage
  • New services added or existing services removed
  • Unable to access network resources such as shared drives
  • Applications cease to function or files cannot be accessed
  • Unexpected registry keys added
  • Internet Explorer home page changed without permission
IMPORTANT: Because of the wide variety of malware and other threats, McAfee is unable to provide a list of all possible infection symptoms. If you suspect that your system is infected and the specific symptoms are not listed, you should still take all available precautions. Ensure that your DAT files are up-to-date and run an On-Demand Scan or command line scan of your system. If the infection is not detected, follow the procedures in this article to collect suspicious file samples and submit them to McAfee Labs.
 
The article includes references to some third-party tools. For instructions on using them, McAfee recommends you use the help files for the third-party products.

Before you begin looking for suspicious files:
  1. Update your DAT files and ensure that you have the latest scanning engine.
  2. Ensure that you have the latest product patch or hotfix.
  3. Install the latest Microsoft security patches.
  4. Verify the scan settings for your McAfee products.
  5. Run a full On-Demand Scan with all scan settings enabled.
  6. Apply the latest Beta DAT files and run an On-Demand Scan.
If the On-Demand Scan still fails to detect any threats: 
  1. Search Windows configuration files for any suspicious entries.
  2. Search the startup programs group for any items or applications you do not recognize.
  3. Check common registry locations for suspicious entries.
  4. Use Windows Explorer to check common directory locations for malicious files.
  5. Check the Windows Scheduler for entries you do not recognize.
  6. Use additional McAfee and third-party tools to discover malicious activity.

Solution 1

Basic checks before contacting McAfee Technical Support:

Ensure you use the latest DAT and Engine files
Download the current DAT and Engine from the McAfee Security Updates website:
  1. Obtain the latest security updates:
    To download a DAT, Engine, XDAT or Stinger, go to http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx.

    You might have to download these if your automated update fails or if you want to use an ExtraDAT on an infected system.
     
  2. Click the DAT tab to download the latest DAT. The file name denotes the DAT version: dat-####.zip, where #### is the DAT version.
  3. Click the Engines tab to download the latest Engine.
  4. Check the Version column to identify the current released engine version.
Ensure you use the latest available product patch or hotfix
  1. Determine the latest patch and hotfix level using the supported platforms article for your product, available at: http://mcaf.ee/qj76n.
  2. Determine which McAfee patch/hotfix is installed. The way to do this varies from product to product, but typical methods include:
    • Right-click the McAfee icon in the system tray and select About.
    • Open the product console and select Help, About.
    • Some products require a console command to determine if a patch is installed. Refer to the relevant product documentation.
      For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.

       
  3. Download and install the latest McAfee product patch. A combination of a product patch, DAT, and Engine update might be required to remove a virus.
    McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

    NOTE:
     You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.
     
  4. Obtain the latest hotfix.
    Hotfixes are created to address specific issues and are not posted publicly, but are available by contacting Technical Support.

    For contact details:
    Go to http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport and select your country from the drop-down list.

    Alternatively:
    Log in to the ServicePortal at https://support.mcafee.com:
    • If you are a registered user, type your User Id and Password, and click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
Microsoft Security Patches
Install the latest Microsoft Security patches to prevent exploits of security vulnerabilities:
  1. For Windows updates, go to: http://update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?ln=en&returnurl=http://update.microsoft.com/microsoftupdate/v6/default.aspx?.
  2. Ensure the latest patches and fixes are downloaded and installed. You can configure Windows to do this automatically.  
McAfee point product configuration
Verify that you have configured the On-Access and On-Demand Scanners to:
  • Scan for Spyware
  • Scan for Potentially Unwanted Programs
Verify you have enabled the following options:
  • Heuristic scanning
  • Buffer Overflow Protection
  • Global Threat Intelligence at its highest sensitivity (see KB70130)

    Some of these options are available in VirusScan Enterprise only. Consult the product guide for your product for details and instructions.
    For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.


Run an On-Demand Scan with all scan settings enabled
Perform a full On-Demand Scan of all files with the primary action set to Clean. Consult the product guide for your product for details on how to configure an On-Demand Scan. For VirusScan Enterprise, click Start, Programs, McAfee, On-Demand Scan, Start. 


Run scan.exe with the latest Beta DAT files
If the On-Demand Scan and the standard DAT files do not detect the infection, it might be detected with the additional signatures in the Beta DAT files.

  1. Download the Beta DAT files from: http://www.mcafee.com/apps/mcafee-labs/beta/dat-file-updates.aspx
  2. Apply the Beta DAT files:
    • Automatically (using the latest SuperDAT executable)
      1. Launch avvwin_xdatbeta.exe on the infected computer. The executable updates all McAfee products that use DAT files.
        If the SuperDAT does not run properly, run the SuperDAT in forced mode. For instructions, see KB59164. Alternatively, install the DAT files manually.
      2. After the update completes, run an On-Demand Scan on all drives or databases depending on the product. 
         
    • Manually (using latest DAT file)
      To manually update the DAT files for your product, refer to the relevant article for instructions. 

      GroupShield for Domino KB51614
      GroupShield for Microsoft Exchange
      LinuxShield
      SaaS Endpoint Protection KB53768
      Security for SharePoint
      VirusScan Enterprise

Solution 2

Locate suspicious files
Startup folders and registry locations are most likely to contain suspicious entries. You should examine the following locations.

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Intel Security strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a .REG file that is not confirmed to be a genuine registry import file.

 
System Configuration files:

  • Win.ini
    This file was used by earlier versions of Windows and read during system startup. With Windows 7 and later, the details stored in this file are placed in the registry instead.
  • System.ini
    This is a Windows Initialization file used primarily with earlier versions of Windows. However, this INI file is still used for backward compatibility in later versions of Windows.
  • Autoexec.bat
    This file is used during system startup, is retained on later versions of Windows for backward compatibility, and is stored in the root of the system drive. This batch file executes commands at startup.
  • Config.sys
    This is a legacy Windows ASCII text file that contains configuration directives. Its entries can be reviewed using msconfig.
To view the system configuration using msconfig:

  1. Click Start, Run, type msconfig, and press ENTER.
  2. Examine the Startup items tab.
  3. Examine the win.ini and system.ini entries. 
 
Startup Group
When looking at folders, change the view to Details, and use the Date created column to arrange files: 
  • \documents and settings\all users\Start Menu\Programs\Startup
  • \winnt\profiles\all users\Start Menu\Programs\Startup
     
Registry Locations
Look at common locations in the registry that launch at startup and are often abused:
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (value AppInit_DLLs)

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Run
 
Malware specific (keys, and the policy values under them, that malware commonly sets):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (value DisableTaskMgr)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (value DisableRegistryTools)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (value DisableTaskMgr)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (value DisableRegistryTools)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
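The following PowerShell script is an added example, not part of this article or a McAfee tool. It enumerates the autostart keys listed above (including the per-user hives under HKEY_USERS), prints every value so unfamiliar entries can be compared against what you expect, and flags the DisableTaskMgr and DisableRegistryTools policy values. It assumes PowerShell 3.0 or later and an elevated prompt so that HKEY_LOCAL_MACHINE and HKEY_USERS are readable.

```powershell
# Added example: list values in the autostart registry locations from the article.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',   # holds the AppInit_DLLs value
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# HKEY_USERS is not mapped as a drive by default; map it so .DEFAULT and per-SID hives can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

# One row per registry value: which key it lives in, the value name and the command/data.
$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key   = $key
            Name  = if ($name) { $name } else { '(Default)' }
            Value = $item.GetValue($name)
        }
    }
}
$report | Format-Table -AutoSize -Wrap

# Policy values that malware sets to lock the user out of Task Manager and the Registry Editor.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $policy = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($valueName in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = (Get-ItemProperty -Path $policy -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($v) { Write-Warning "$policy\$valueName is set to $v" }
    }
}
```

Compare the Value column against the paths of software you know is installed; an entry that launches from %TEMP% or a user profile directory is a good candidate for the sample collection described in Solution 3.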
 

Directory locations often used by viruses
 
C:\
%windir%\
%windir%\system32\
%windir%\system32\drivers
%windir%\system32\dllcache
%TEMP%
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%userprofile%\local settings\temp
%userprofile%\application data
%userprofile%\local settings\application data
C:\Program Files\
C:\temp
C:\Recycler
C:\Documents and Settings
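As an added example (not from this article), the PowerShell script below applies the same "Date created" sort the article suggests for the Startup folders to every directory listed above, and reports recently created files together with their Authenticode signature status. It assumes PowerShell 3.0 or later, maps the Windows XP-era profile paths in the list to their environment variables (%TEMP%, %APPDATA%, %LOCALAPPDATA%), and uses a hypothetical $Days parameter for the look-back window.

```powershell
# Added example: recently created files in the directories the article names.
param([int]$Days = 7)   # hypothetical parameter: how many days back to report

$dirs = @(
    'C:\', $env:windir, "$env:windir\system32", "$env:windir\system32\drivers",
    "$env:windir\system32\dllcache", $env:TEMP,
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    $env:APPDATA, $env:LOCALAPPDATA,      # "application data" / "local settings\application data"
    'C:\Program Files', 'C:\temp', 'C:\Recycler', 'C:\Documents and Settings'
)
$cutoff = (Get-Date).AddDays(-$Days)
$exeTypes = '.exe', '.dll', '.sys', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js'

$hits = foreach ($d in $dirs) {
    if (-not $d -or -not (Test-Path -LiteralPath $d)) { continue }
    # -Force includes hidden and system files; only the directory itself is listed,
    # because the article names specific directories rather than whole trees.
    Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            # Signature status is only meaningful for executable content; others are marked n/a.
            $sig = if ($exeTypes -contains $_.Extension.ToLower()) {
                (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            } else { 'n/a' }
            [pscustomobject]@{
                Created   = $_.CreationTime
                Size      = $_.Length
                Signature = $sig
                Path      = $_.FullName
            }
        }
}
$hits | Sort-Object Created -Descending | Format-Table -AutoSize
```

Unsigned (NotSigned) executables created in %TEMP% or a profile directory within the last few days are the files most worth packaging for McAfee Labs; signed files from known vendors can usually be set aside.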
 

Analyze the registry for suspicious activity or malware
For details about the utilities referenced in the following steps, see KB72766.
  1. Use IceSword rootkit detector to analyze the registry.
  2. Click Start, Programs, McAfee, On-Demand Scan, Start to run an On-Demand Scan.
  3. If On-Demand Scanning fails to detect a threat, use the free McAfee utilities FPort and Vision to monitor activity.
    NOTE: The following third-party utilities can also be useful for logging malicious file activity.
    • Process Explorer
    • TCPView
    • ProcMon
    • Autoruns
    • RootkitRevealer 

Solution 3

Before you contact McAfee Technical Support
  1. Gather suspicious samples.
    Collect into one location any files that the methods listed above indicate are suspicious. Ensure that all sample files are included in a single password-protected .zip file, with the password set to "infected".
      
  2. Submit samples to McAfee Labs.
    Upload the sample through the McAfee ServicePortal or Platinum Portal. For instructions, see KB68030.
     
  3. Collect and submit Minimum Escalation Requirements (MER) tool results for your McAfee products.
    1. Run the MER tool for your products. For details about the MER tool list for McAfee security products, see KB59385.
    2. Provide the Results.tgz file when you contact McAfee Technical Support.
