Malware - Orz.exe
Hi guys,
Does anyone know anything about Orz.exe recognition with BitDefender? I just got a call from my girlfriend who is using my PC at home. Apparently it's doing a bunch of odd things (the most obvious being the mouse moving around on its own and randomly clicking). She's pretty savvy with the computer, being a programmer, same as me.
She commented that she had an error message this morning saying that Orz.exe had encountered a problem and needed to shut down. A quick Google search revealed it's (probably) a malware/trojan, so I got her to disconnect my machine from the network then kick off a full system scan.
However, the PC ran a full system scan last night and didn't pick anything up.
When I get home in a few hours, I'll be able to get a better idea of what's going on, but I just thought I'd get the ball rolling here and see if there's some info I can pick up which might help.
Are there any removal tools I should look at?
Cheers.
Chris.
Comments
Once you get home, please send us a sample of orz.exe, archived, protected with the password "infected". Indeed it must be a trojan, and a signature will be added as soon as we get a fresh sample.
Thank you. Best regards.
Thanks Andrei,
Unfortunately I was unable to find the executable file. The closest we found was a folder in the Windows directory called "Prefetch" which contained a bunch of files with a .pf extension. One of those filenames contained "orz.exe" within the string. I obliterated the entire directory, didn't think to save a copy till about 30 seconds too late. One of the other prefetch files seemed to be Google Desktop, which was apparently installed off a new external hard drive my girlfriend bought a couple of weeks ago.
I'll scan that drive when I get a chance (probably this evening) and see if that is the source of the infection. If so, I'll be sure to send you a copy.
The prefetch files are unrelated to the actual executable (they are created by Windows for every executable run). Please see if you can find any other locations where the executable is present.
Best regards.
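The last reply makes a point worth keeping in mind during triage: a Prefetch entry is a record that a program ran, not the program itself, so it is evidence to preserve rather than something to delete. The following script is an added example and is not part of the thread or of any BitDefender tooling. It assumes the standard Prefetch naming convention (`EXECUTABLE.EXE-XXXXXXXX.pf`, where the eight-digit hexadecimal suffix is a hash of the executable's path, so the same file name launched from two locations leaves two `.pf` files). The directory listing it analyses is constructed inline; on a Windows machine it reads the live `C:\Windows\Prefetch` directory instead.

```python
"""Triage of Windows Prefetch (.pf) file names.

Added example, not from the forum thread. Prefetch files live in
%SystemRoot%\\Prefetch and are named EXECUTABLE.EXE-XXXXXXXX.pf, where the
hexadecimal suffix is a hash of the executable's path. A .pf file records
that the program ran; it is not the program, so keep it as evidence.
"""
import os
import re
from collections import defaultdict

# Standard prefetch naming convention, e.g. ORZ.EXE-1A2B3C4D.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Constructed sample listing standing in for a real Prefetch directory.
# The hash values are made up for the example.
SAMPLE_LISTING = [
    "EXPLORER.EXE-7A3E8F0B.pf",
    "ORZ.EXE-3C1D9E2A.pf",
    "ORZ.EXE-9F07B1C4.pf",           # same name, different path: two copies ran
    "GOOGLEDESKTOP.EXE-0B2C4D6E.pf",
    "NOTEPAD.EXE-D8414F97.pf",
    "Layout.ini",                    # non-.pf files also live in Prefetch
    "AgAppLaunch.db",
]


def parse_prefetch_name(filename):
    """Return (EXECUTABLE, PATHHASH) for a .pf name, or None if it doesn't fit."""
    m = PF_NAME.match(filename)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def index_prefetch(filenames):
    """Map each executable name to the set of path hashes seen for it."""
    index = defaultdict(set)
    for name in filenames:
        parsed = parse_prefetch_name(name)
        if parsed:
            exe, path_hash = parsed
            index[exe].add(path_hash)
    return dict(index)


def find_executions(filenames, suspect):
    """Sorted path hashes of Prefetch entries showing that `suspect` has run.

    More than one hash means the same file name was launched from more than
    one location, each of which is worth locating and sampling.
    """
    return sorted(index_prefetch(filenames).get(suspect.upper(), set()))


def list_prefetch_dir(path=r"C:\Windows\Prefetch"):
    """Read a live Prefetch directory; returns [] off Windows or if unreadable."""
    try:
        return os.listdir(path)
    except OSError:
        return []


if __name__ == "__main__":
    listing = list_prefetch_dir() or SAMPLE_LISTING
    hashes = find_executions(listing, "orz.exe")
    if hashes:
        print(f"orz.exe ran from {len(hashes)} distinct path(s): {', '.join(hashes)}")
        print("Preserve these .pf files; they record execution but are not the binary.")
    else:
        print("No Prefetch record of orz.exe in this listing.")
```

Run against the constructed listing it reports two distinct path hashes for `orz.exe`, which is exactly the situation where copying the `.pf` files aside before any cleanup pays off: they point to how many copies ran, and a vendor asked for a sample can often work back from them.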