OK, so I got this virus, patched the OS, installed McAfee Virus Scan AND Fire-Wall.

From my earlier post:
"Don't wish to scare you, but wpa.exe is probably a virus"

Brilliant. I turned it off as a service, wondered who put it there, and went on.

Well, this morning, as I booted my computer, apparently 'wpa.exe' tried to run again. McAfee Virus-Scan caught it this time, and cleaned the hell out of it. Deleted the file entirely. And yes, McAfee reported it's the "W32/SDBot.worm.gen.by" virus.

Now, I had already observed this thing trying to make connections out of my computer, and blocked those using McAfee Fire-Wall. It also found file "103.tmp" in my System32 directory, which ALSO wanted to connect out, and ALSO had the "Proxy-FBSR" trojan.

Wow. These tools really work well. Highly recommended.

A modern virus almost always has at least two separate processes running, both of which are always checking to make sure the other is running, and also checking to make sure both will be started with windows.

To get rid of a virus like that manually I usually take the following steps:
1. Identify the processes, if possible- sometimes they hide behind legitimate files, sometimes there are more than two.
2. Install winpatrol http://www.winpatrol.com
3. Disable (not remove) processes from starting in winpatrol.
4. In the registry look for the following keys (bookmark them if it's an xp machine):
localmachine/software/microsoft/windows/currentversion/run
currentuser/software/microsoft/windows/currentversion/run
5. Delete anything and everything that I know doesn't belong.
6. Close and immediately pull the plug. It takes of few seconds for the viral processes to realize the start up entries have been removed and write themselves back. Enough time to pull the plug, but not enough to shut down properly.
7. Re-start machine. If the virus isn't gone it will be at least very handicapped.

I should now be able to delete the actual files, or disable the services, etc. Sometimes I do have to play with things a little more, but this procedure mostly works. Once or twice I've done this and the machine wouldn't start because the virus had made itself essential to the running of the OS, but in each instance doing a repair from the original install disk has always fixed things.

The fun part is when the programs use random names to look like temp files.

I remember a lot of old viruses hiding in the form of what appeared to be legitimate temp files. Just nasty.

Thanks for WinPatrol, I know another, similar program called TrustNoEXE.

I remember the README.EXE virus that hit in 2000 or so. It would convert any file on your hard drive to the same file the moment you accessed it. (So much for installing or launching a program). Eventually it filled your hard drive, and forced a reboot. Your reboot allowed it to get to critical system files.