Has anyone seen this file before, "gvtlsysguard.exe", and have any idea what it is? This weekend, I noticed one of my users had this file in their user profile's Local Settings folder, and somehow they wrote a registry key to HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run this program on startup for everyone. The odd thing about this is that the user should not have any registry rights. Does anyone know how the file got there and how the registry entry took place?
2 Answers
I have seen this a few times at work, even with computers "protected" by Symantec AV Corp 10. From what I have seen, it's coming from some website; the file is placed in the user's local profile and written to the registry to run at startup. The name of the program is different each time I see them. These programs usually disable the command prompt, Task Manager, and so on. Reboot into safe mode, delete the file, remove the key, and remove any proxies it might have set up.

Sounds like typical malware crap. Level the machine and start over. Hopefully you've got a disk image or such that you can restore from (and hopefully you don't have user data stored locally).
Since you say your user didn't have "Administrator" rights, though, it must be exploiting some kind of vulnerability to gain "Administrator" rights. That's not unheard of.
Lately, malware users are taking to writing to locations in the filesystem and registry that are accessible by unprivileged users. Are you certain it didn't write to the same location under HKEY_CURRENT_USER? That's becoming a much more common occurrence.

+1 on reimaging. Don't even bother trying to "clean" the machine as others are sure to suggest. – jscott Feb 01 '10 at 21:07
I guess I really should image my drives, but I'm currently using a very embarrassing version of backupexec. After I deleted the file, everything went back to normal, but I was just wondering where this came from. I was out of work with the flu when it happened. – Jacob Feb 01 '10 at 21:32
Another +1 for nuke and reinstall. – John Gardeniers Feb 01 '10 at 22:54
I've successfully cleaned this sort of malware from family or friends' computers a few times, mostly to maintain familiarity with the tools. That is, I *think* I cleaned it, but in most cases I then helped the person back up their stuff and then wiped and re-installed everything. On a corporate machine, I'd take it off the network, backup anything local to a USB drive, then wipe and reimage. – Ward - Trying Codidact Feb 02 '10 at 05:41
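The two answers above describe a check worth scripting: enumerate the Run keys under both HKLM and HKCU (the second answer's point that HKCU is the writable location an unprivileged user can reach), flag any startup entry whose executable lives inside a user profile, and look at the Task Manager / command prompt policy values and the user proxy that the first answer says this kind of malware touches. The PowerShell below is an added example written for this page, not code from any poster; it assumes a machine with PowerShell 4 or later (for Get-FileHash) and is read-only except for the final loop, which runs with -WhatIf so it only reports what the first answer's cleanup step (delete the file, remove the key) would do.

```powershell
# Added example (not from the original thread): audit Run keys in HKLM and HKCU,
# flag entries whose executable sits under a user profile, and report the policy
# and proxy values the first answer mentions. Assumes PowerShell 4+ for Get-FileHash.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations an unprivileged user can write to. A startup entry pointing here
# (the question's "Local Settings" case included) is worth a close look.
$profilePattern = '\\Users\\|\\Documents and Settings\\|\\Local Settings\\|\\AppData\\|%USERPROFILE%|%APPDATA%|%TEMP%|\\Temp\\'

function Get-CommandExecutable {
    param([string]$Command)
    # Handles both  "C:\path\prog.exe" args  and  C:\path\prog.exe args
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $exe    = [Environment]::ExpandEnvironmentVariables((Get-CommandExecutable $p.Value))
            $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
            $hash   = $null
            if ($onDisk) { $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Executable = $exe
                InProfile  = [bool]($p.Value -match $profilePattern)
                OnDisk     = $onDisk
                SHA256     = $hash
            }
        }
    }
}

function Get-TamperIndicators {
    # 1 = disabled for the two policy values; ProxyEnable/ProxyServer show a proxy
    # the first answer says may have been set up.
    $checks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableTaskMgr' },
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableTaskMgr' },
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyEnable' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v) { [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $v } }
    }
}

$suspect = Get-RunEntries | Where-Object { $_.InProfile }
"Startup entries launched from a user profile:"
$suspect | Format-Table Key, Name, Executable, OnDisk, SHA256 -AutoSize
"Policy / proxy values present:"
Get-TamperIndicators | Format-Table -AutoSize

# Cleanup as the first answer describes; -WhatIf only reports. Copy the file off
# for analysis (and record the hash above) before removing -WhatIf.
foreach ($s in $suspect) {
    Remove-ItemProperty -Path $s.Key -Name $s.Name -WhatIf
    if ($s.OnDisk) { Remove-Item -LiteralPath $s.Executable -Force -WhatIf }
}
```

Run it from an elevated prompt so the HKLM keys are readable and, if you proceed past -WhatIf, writable. It deliberately only flags entries under profile directories rather than everything it cannot resolve, since legitimate entries such as rundll32 invocations use bare executable names that Test-Path will not find; and, as the answers say, treat the output as evidence for the reimage decision rather than as proof that the machine is clean.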