Nobody likes to be called a dummy by a dummy.

Day of the Virus, part Deux

OK, so I got this virus, patched the OS, installed McAfee Virus Scan AND Fire-Wall.

From my earlier post:
"Don't wish to scare you, but wpa.exe is probably a virus"

Brilliant. I turned it off as a service, wondered who put it there, and went on.

Well, this morning, as I booted my computer, apparently 'wpa.exe' tried to run again. McAfee Virus-Scan caught it this time, and cleaned the hell out of it. Deleted the file entirely. And yes, McAfee reported it's the "W32/SDBot.worm.gen.by" virus.

Now, I had already observed this thing trying to make connections out of my computer, and blocked those using McAfee Fire-Wall. It also found file "103.tmp" in my System32 directory, which ALSO wanted to connect out, and ALSO had the "Proxy-FBSR" trojan.

Wow. These tools really work well. Highly recommended.
Permalink AllanL5 
August 19th, 2005
A modern virus almost always has at least two separate processes running, both of which are always checking to make sure the other is running, and also checking to make sure both will be started with windows.

To get rid of a virus like that manually I usually take the following steps:
1. Identify the processes, if possible - sometimes they hide behind legitimate files, sometimes there are more than two.
2. Install winpatrol http://www.winpatrol.com
3. Disable (not remove) processes from starting in winpatrol.
4. In the registry look for the following keys (bookmark them if it's an xp machine):
localmachine/software/microsoft/windows/currentversion/run
currentuser/software/microsoft/windows/currentversion/run
5. Delete anything and everything that I know doesn't belong.
6. Close and immediately pull the plug. It takes a few seconds for the viral processes to realize the start up entries have been removed and write themselves back. Enough time to pull the plug, but not enough to shut down properly.
7. Re-start machine. If the virus isn't gone it will be at least very handicapped.

I should now be able to delete the actual files, or disable the services, etc. Sometimes I do have to play with things a little more, but this procedure mostly works. Once or twice I've done this and the machine wouldn't start because the virus had made itself essential to the running of the OS, but in each instance doing a repair from the original install disk has always fixed things.
Permalink Joel Coehoorn 
August 19th, 2005
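An added example, not from the thread or any of its posters, that automates step 4 of the procedure above on a defender's terms: it reads the two Run keys named in the post and flags entries worth a second look (missing target, .tmp-style name like the 103.tmp in the first post, running from a Temp folder, unsigned binary) without deleting anything. It assumes a current Windows with PowerShell; the audit rules and the function name Get-RunKeyAudit are my own choices, not a published tool.

```powershell
# Audit HKLM/HKCU Run keys and flag suspicious autostart entries (report only).
function Get-RunKeyAudit {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item $key
        foreach ($name in $regKey.GetValueNames()) {
            if ($name -eq '') { continue }          # skip the (Default) value
            $cmd  = [string]$regKey.GetValue($name)
            $path = Get-ImagePath $cmd
            $flags = @()
            if (-not (Test-Path -LiteralPath $path)) {
                $flags += 'target missing'
            } else {
                # Authenticode check: most legitimate vendor autostarts are signed.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            }
            if ($path -match '\.tmp$')                     { $flags += 'tmp-style name' }
            if ($path -match '\\Temp\\')                   { $flags += 'runs from Temp' }
            if ($path -match '\\System32\\' -and $path -notmatch '\.exe$') {
                $flags += 'non-exe in System32'
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $cmd; Flags = ($flags -join '; ')
            }
        }
    }
}

# Pull the executable path out of a Run value: quoted, or first whitespace token.
function Get-ImagePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Usage: run once to capture a baseline, run again after the "pull the plug"
# step to see which entries the watchdog process wrote back.
Get-RunKeyAudit | Format-Table -AutoSize
```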
The fun part is when the programs use random names to look like temp files.
Permalink Aaron F Stanton 
August 19th, 2005
I remember a lot of old viruses hiding in the form of what appeared to be legitimate temp files. Just nasty.
Permalink QADude 
August 19th, 2005
Thanks for WinPatrol, I know another, similar program called TrustNoEXE.

I remember the README.EXE virus that hit in 2000 or so. It would convert any file on your hard drive to the same file the moment you accessed it. (So much for installing or launching a program). Eventually it filled your hard drive, and forced a reboot. Your reboot allowed it to get to critical system files.
Permalink MarkTAW 
August 20th, 2005

This topic was originally posted to the off-topic forum of the
Joel on Software discussion board.
