Troubleshooting procedure for finding possible infected files if a virus is not detected
Technical Articles ID:  KB53094
Last Modified:  02/10/2014


Environment

All McAfee desktop and server anti-virus products for Microsoft Windows

 

Summary

This article describes a number of procedures and locations to help you find suspicious files when an infection is not detected by your McAfee anti-virus products.

Possible symptoms include:
  • Suspicious computer behavior such as high CPU usage on unrecognized processes
  • Significantly increased network traffic or bandwidth usage
  • New services added or existing services removed
  • Unable to access network resources such as shared drives
  • Applications cease to function or files cannot be accessed
  • Unexpected registry keys added
  • Internet Explorer home page changed without permission
IMPORTANT: Because of the wide variety of malware and other threats, McAfee is unable to provide a list of all possible infection symptoms. If you suspect that your system is infected and the specific symptoms are not listed, you should still take all available precautions. Ensure that your DAT files are up to date and run an On-Demand Scan or command line scan of your system. If the infection is not detected, follow the procedures in this article to collect suspicious file samples and submit them to McAfee Labs.

The article includes some third-party tools. For instructions on using them, McAfee recommends you use the third-party products' help files.

Before you begin looking for suspicious files:
  1. Update your DAT files and ensure that you have the latest scanning engine.
  2. Ensure that you have the latest product patch or hotfix.
  3. Install the latest Microsoft security patches.
  4. Verify the scan settings for your McAfee products.
  5. Run a full On-Demand Scan with all scan settings enabled.
  6. Apply the latest Beta DAT files and run an On-Demand Scan.
If the On-Demand Scan still fails to detect any threats:
  1. Search Windows configuration files for any suspicious entries.
  2. Search the startup programs group for any items or applications you do not recognize.
  3. Check common registry locations for suspicious entries.
  4. Use Windows Explorer to check common directory locations for malicious files.
  5. Check the Windows Scheduler for entries you do not recognize.
  6. Use additional McAfee and third party tools to discover malicious activity.


Solution 1

Basic checks before contacting McAfee Technical Support
 
Ensure you use the latest DAT and Engine files
You can download the current DAT and Engine from the McAfee Security Updates website.
  1. Obtain the latest security updates:

    To download a DAT, Engine, XDAT or Stinger, go to http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx.

    You might have to download these if your automated update fails or if you want to use an ExtraDAT on an infected system.
     

  2. Click the DAT tab to download the latest DAT. The file is named dat-####.zip, where #### is the DAT version.
  3. Click the Engines tab to download the latest Engine.
  4. Check the Version column to identify the current released engine version.
To install the latest DAT and Engine for Windows platforms, download and run the SuperDAT.
  1. Click the SuperDAT tab at the Security Updates website.
  2. Under the DAT file section, click the posted sdat####.exe (Windows).
  3. Save the file to your hard disk.
  4. Run this executable on any computer to update it with the latest DAT and Engine.

    NOTE: The SuperDAT updates in a sequential order any McAfee product it finds installed on the computer.
     
Ensure you use the latest available product patch or hotfix
  1. Use the Supported environments article for your product to determine the latest patch and hotfix level. For a master list of all Supported environments articles, see KB51109.
  2. Determine which McAfee patch/hotfix is installed. The way to do this varies from product to product but typical methods include:
    • Right-click the McAfee icon in the system tray and select About.
    • Open the product console and select Help, About.
    • Some products require a console command to determine if a Patch is installed. Refer to the relevant product documentation.

      For a full list of product documents, go to the McAfee ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Support Content list.


       
  3. Download and install the latest McAfee product patch. A combination of a product patch, DAT, and Engine update might be required to remove a virus.

    McAfee product software, upgrades, maintenance releases, and documentation are available from the McAfee Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

    NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the McAfee Downloads site, as well as alternate locations for some products.

     
  4. Obtain the latest hotfix.
    Hotfixes are created to address specific issues and are not posted publicly, but are available by contacting McAfee Technical Support.

    For contact details:

    Alternatively:
    Log in to the ServicePortal at https://support.mcafee.com:
    • If you are a registered user, type your User Id and Password, and click OK.
    • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
Microsoft Security Patches 
Install the latest Microsoft Security patches to prevent exploits of security vulnerabilities. 
  1. For Windows updates go to: http://update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?ln=en&returnurl=http://update.microsoft.com/microsoftupdate/v6/default.aspx?.
  2. Ensure the latest patches and fixes are downloaded and installed. You can configure Windows to do this automatically.
     
McAfee point product configuration
Verify that you have configured the On-Access and On-Demand Scanners to:
  • Scan for Spyware
  • Scan for Potentially Unwanted Programs
Verify you have enabled the following options:
  • Heuristic scanning
  • Buffer Overflow Protection
  • Global Threat Intelligence at its highest sensitivity (see KB70130)

    Some of these options are available in VirusScan Enterprise only. Consult the product guide for your product for details and instructions.

    For a full list of product documents, go to the McAfee ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Support Content list.

      
Run an On-Demand Scan with all scan settings enabled
Perform a full On-Demand Scan of all files with the primary action set to Clean. Consult the product guide for your product for details on how to configure an On-Demand Scan.
For VirusScan Enterprise, click Start, Programs, McAfee, On-Demand Scan, Start. 

 
Run scan.exe with the latest Beta DAT files
If the On-Demand Scan and the standard DAT files do not detect the infection, it might be detected with the additional signatures in the Beta DAT files.

  1. Download the Beta DAT files from: http://www.mcafee.com/apps/mcafee-labs/beta/dat-file-updates.aspx
  2. Apply the Beta DAT files:
    • Automatically (using the latest SuperDAT executable)
      1. Launch avvwin_xdatbeta.exe on the infected computer. The executable updates all McAfee products that use DAT files.
        If the SuperDAT does not run properly, run the SuperDAT in forced mode. For instructions, see KB59164. Alternatively, install the DAT files manually.
      2. After the update completes, run an On-Demand Scan on all drives or databases depending on the product. 
         
    • Manually (using latest DAT file)
      To manually update the DAT files for your product, use the relevant article for instructions. 

      GroupShield for Domino
      GroupShield for Microsoft Exchange
      LinuxShield
      SaaS Endpoint Protection KB53768
      Security for SharePoint
      VirusScan Enterprise
      VirusScan for Mac 9.0 KB70253

Solution 2

Locate suspicious files
Startup folders and registry locations are most likely to contain suspicious entries. You should examine the following locations.

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a .REG file that is not confirmed to be a genuine registry import file.


Win.ini, system.ini, and other configuration files
Malware can add itself to the legacy Windows configuration files so that it is launched at startup. Use the System Configuration Utility to review them:
  1. Click Start, Run, type msconfig, and press ENTER.
  2. Examine the Startup items tab.
  3. Examine the win.ini and system.ini entries, in particular the run and load lines.
Also check Autoexec.bat and Config.sys for entries you do not recognize.


Startup Group
When looking at folders, change the view to Details, and use the Date created column to arrange files: 
  • \documents and settings\all users\Start Menu\Programs\Startup
  • \winnt\profiles\all users\Start Menu\Programs\Startup
     
Registry Locations
Look at common locations in the registry that launch programs at startup and are often abused:
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (AppInit_DLLs value)
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Run
 
Malware specific:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (DisableTaskMgr value)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (DisableRegistryTools value)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (DisableTaskMgr value)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (DisableRegistryTools value)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 

Directory locations often used by viruses
As with the Startup Group above, switch the folder view to Details, sort by the Date created column, and examine recently created files you do not recognize in the following locations:
 
C:\
%windir%\
%windir%\system32\
%windir%\system32\drivers
%windir%\system32\dllcache
%TEMP%
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%userprofile%\local settings\temp
%userprofile%\application data
%userprofile%\local settings\application data
C:\Program Files\
C:\temp
C:\Recycler
C:\Documents and Settings
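The Date created check described above can be applied to all of the listed directories at once. The following PowerShell script is an added example and is not code from the McAfee article: it lists executable-type files created or modified in the last seven days in those directories, newest first, with the hidden attribute, Authenticode signature status and SHA-256 of each. The extension list, the seven-day window and the output file name are this example's own assumptions; everything else comes from the directory list above.

```powershell
# Added example (not code from the McAfee article): triage the directories the
# article lists by creation/modification date. Read-only apart from the CSV it
# writes; run from an elevated PowerShell prompt so all profiles are readable.

$Days = 7                                   # assumption: look back one week
$ExecutableTypes = @('.exe', '.dll', '.sys', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')  # assumption
$Directories = @(
    'C:\', $env:windir, "$env:windir\system32", "$env:windir\system32\drivers",
    "$env:windir\system32\dllcache", $env:TEMP,
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Local Settings\Temp", "$env:USERPROFILE\Application Data",
    "$env:USERPROFILE\Local Settings\Application Data",
    'C:\Program Files', 'C:\temp', 'C:\Recycler', 'C:\Documents and Settings'
)

function Get-FileSha256 {
    # Hash with .NET directly so this also runs on PowerShell 2.0, which has no Get-FileHash
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { return ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
    } catch { return 'unreadable' }          # locked or access-denied files
}

function Get-RecentExecutables {
    param([string[]]$Dirs, [int]$Days, [switch]$Recurse)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($dir in $Dirs) {
        # Paths that only exist on some Windows versions (e.g. Local Settings) are skipped
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        Get-ChildItem -LiteralPath $dir -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $ExecutableTypes -contains $_.Extension.ToLower() -and
                ($_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff)
            } |
            ForEach-Object {
                $sig = 'Error'
                try { $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status.ToString() } catch { }
                New-Object PSObject -Property @{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Hidden    = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                    Signature = $sig          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                    SHA256    = Get-FileSha256 -Path $_.FullName
                }
            }
    }
}

$recent = Get-RecentExecutables -Dirs $Directories -Days $Days | Sort-Object Created -Descending
$recent | Select-Object Created, Hidden, Signature, SizeKB, Path | Format-Table -AutoSize
# Keep the hashes: they identify duplicate copies across folders and let you reference a sample when you submit it
$recent | Select-Object Path, SHA256 | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\recent-executables.csv"
```

Unsigned or hidden files that appeared recently in %windir%\system32 or a temp folder are the first candidates for the sample collection step in Solution 3. Add -Recurse to the Get-RecentExecutables call to walk C:\Recycler, C:\temp and the profile folders in full; expect the run to take longer.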
 

Windows Scheduler

Check for entries in the Scheduled Tasks folder that you do not recognize, and list any jobs created with the AT command by running AT at a command prompt.
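The Startup Group, Registry Locations and Windows Scheduler checks above can be combined into one inventory. The following PowerShell script is an added example and is not code from the McAfee article: it reads the Run-type keys and per-user HKEY_USERS keys listed above, the two startup folders, and the scheduled tasks reported by schtasks, and shows for each entry the program it launches and whether that file carries a valid Authenticode signature. The Wow6432Node Run key (where 32-bit programs register on 64-bit Windows) and the Shell, Userinit and AppInit_DLLs value names are this example's additions, not part of the article's list; the legacy AT job list is not parsed and should still be checked by running AT at a command prompt.

```powershell
# Added example (not code from the McAfee article): enumerate the autostart
# locations the article lists and report what each entry launches plus the
# signature status of that file. Read-only; run from an elevated PowerShell
# prompt so every HKEY_USERS hive and profile folder is readable.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit apps on 64-bit Windows (example's addition)
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',        # AppInit_DLLs value
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'        # Shell and Userinit values
)
$CodeValues = @('Shell', 'Userinit', 'AppInit_DLLs')   # the only values under the two Windows NT keys that launch code

function Get-LaunchTarget {
    # Pull the program path out of  "C:\Program Files\App\app.exe" /x  or  %windir%\foo.exe /x
    param([string]$CommandLine)
    if     ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)')     { $exe = $Matches[1] }
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-SignatureStatus {
    # 'Valid' means a trusted Authenticode signature; NotSigned, HashMismatch,
    # NotTrusted and FileNotFound entries are the ones to examine first
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'FileNotFound' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function New-Entry {
    param($Location, $Name, $Command)
    $target = Get-LaunchTarget -CommandLine ([string]$Command)
    New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Command = $Command
        Target = $target; Signature = (Get-SignatureStatus -Path $target)
    }
}

function Get-RegistryAutostarts {
    # Map HKEY_USERS so the per-user keys (HKEY_USERS\[SID]\...\Run and .DEFAULT) are included
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $perUser = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($key in ($RunKeys + @($perUser))) {
        if (-not $key) { continue }
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }                                      # provider metadata
            if ($key -like '*Windows NT*' -and $CodeValues -notcontains $prop.Name) { continue }
            if (-not [string]$prop.Value) { continue }                                    # empty AppInit_DLLs etc.
            New-Entry -Location $key -Name $prop.Name -Command $prop.Value
        }
    }
}

function Get-StartupFolderEntries {
    # Shortcuts are resolved to the file they point at; any other file is the payload itself
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @($shell.SpecialFolders.Item('Startup'), $shell.SpecialFolders.Item('AllUsersStartup'))) {
        Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $cmd = $_.FullName
                if ($_.Extension -eq '.lnk') { $cmd = $shell.CreateShortcut($_.FullName).TargetPath }
                New-Entry -Location $folder -Name $_.Name -Command $cmd
            }
    }
}

function Get-ScheduledTaskEntries {
    # schtasks /query /v /fo CSV exists from Windows XP on; Vista and later repeat the
    # header row once per task folder, so header rows are filtered out again
    $rows = schtasks /query /v /fo CSV 2>$null | ConvertFrom-Csv
    $rows | Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -and $_.'Task To Run' -ne 'N/A' } |
        ForEach-Object { New-Entry -Location "Task (runs as $($_.'Run As User'))" -Name $_.TaskName -Command $_.'Task To Run' }
}

$entries = @(Get-RegistryAutostarts) + @(Get-StartupFolderEntries) + @(Get-ScheduledTaskEntries)
$entries | Select-Object Location, Name, Target, Signature | Format-Table -AutoSize
# Start with everything that does not carry a valid signature
$entries | Where-Object { $_.Signature -ne 'Valid' } | Select-Object Location, Name, Command, Signature | Format-List
```

AppInit_DLLs can hold several DLLs separated by commas or spaces; the script only checks the first one, so read that value in full in Registry Editor. On Windows Vista and later, tasks whose action is a COM handler rather than a program show up as FileNotFound and need to be inspected in the Task Scheduler console instead.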


 
Analyze the registry for suspicious activity or malware
For details about the following utilities, see KB72766.
 
  1. Use IceSword rootkit detector to analyze the registry.
  2. Click Start, Programs, McAfee, On-Demand Scan, Start to run an On-Demand Scan.
  3. If On-Demand Scanning fails to detect a threat, use the free McAfee utilities FPort and Vision to monitor activity.
    NOTE: The following third-party utilities can also be useful for logging malicious file activity.
    • Process Explorer
    • TCPView
    • ProcMon
    • Autoruns
    • RootkitRevealer
     

Solution 3

Before you contact McAfee Technical Support
  1. Gather suspicious samples.
    Collect into one location any files identified by the methods listed above that you feel are suspicious. Ensure that all sample files are included in a single password-protected .zip file. Set the password to: infected
      
  2. Submit samples to McAfee Labs.
    Upload the sample through the McAfee ServicePortal or Platinum Portal. For instructions, see KB68030.
     
  3. Collect and submit Minimum Escalation Requirements (MER) tool results for your McAfee products.
    1. Run the MER tool for your products. For details about the MER tool list for McAfee security products, see KB59385.
    2. Provide the Results.tgz file when you contact McAfee Technical Support.

© 2003-2013 McAfee, Inc.