June 21st, 2005
kmag

You likely have a brand new virus.

If the solution suggested below (changing the LW preference) doesn't work, then it's a symptom of a pretty new virus.

I've been trying to get someone to send a copy to the anti-virus labs for the past day. Here's what you need to do in order to get rid of the virus and get it to the major anti-virus labs so others won't be infected:

The anti-virus labs will also be able to tell us if there's more we need to do, once they have a look at the virus.

(Much thanks to Bobby Naini for figuring this out. This is mostly cut and pasted from several of his posts. The only stuff that's mine is the stuff about sending it to the anti-virus labs.)

1) Uninstall Limewire. You can reinstall it at the end of these steps.

2) Disable System Restore in Windows. This can be done by right clicking on My Computer, selecting Properties, and then clicking on the System Restore tab. Then check the box Turn Off System Restore. Hit Apply, and then OK. If you are prompted to restart Windows, do so.

3) Now we need to fool the virus into allowing us to open the Task Manager. This can be done by copying the Task Manager executable file from the Windows directory. To do this, go to c:\windows\system32, select the file taskmgr.exe, right click on it, and select Copy. Go to the desktop, and click on an empty part of the desktop. Then right click on the desktop, and select Paste.

4) Double click on the taskmgr.exe file on your desktop. This should open the Task Manager. Click on the Performance tab. If you are in fact infected with a virus, you will likely (although not necessarily) see close to 100% CPU usage!! Now click on the Processes tab, followed by clicking twice on the CPU column header. What this does is order the files running on your computer based on the amount of CPU resources they are consuming in real time. If there is a process, other than System Idle Process, that is consuming close to 100% of the CPU, then it is this process (or file) that is infecting your computer. For me, and likely for a lot of you, that file will be winupdates.exe. Don't be tricked. This is not a Microsoft program. It's a virus masking itself as a legitimate file. Please remember the exact name of this process, because you will need it in a later step.

5) Click on this process to highlight it, then click the button End Process. A warning prompt should pop up. Click on Yes.

6) Now that this process is killed, we need to remove any references to it from the Registry. Once again, because this virus is blocking us from opening the Registry Editor, we need to trick the virus by copying the file to the desktop. Follow the same steps as in number 3, except this time, copy the following two files from their respective directories, and paste them on the desktop.

c:\windows\regedit.exe
c:\windows\system32\cmd.exe

7) Open regedit from the desktop. In the left window, click on My Computer so that it is highlighted. Now select Edit from the menu, followed by Find. In the Find box, type the name of the process that you ended from the Task Manager. If you recall, mine was winupdates. Do not include the .exe, just winupdates. Then click Find.

8) For the item that it found in the right window, click it to highlight it if it isn't highlighted already, and then right click on it, and select Delete. If a prompt pops up, select Yes or OK to confirm the delete.

9) Now, hit the F3 button once. This will find the next reference to that bad file. Follow step 8 again to delete the reference. Repeat steps 9 and 8 until the editor indicates that there are no more references to this file. Then exit the editor.

10) Double-click on "My Computer" and then double-click on your C drive. Open up the Program Files folder. Make a password-protected zip archive of the winupdates folder, with a password of "infected". Name the zip file infected.zip. Email this to NewVirus@kaspersky.com with a subject line of KLAB-571146. If you can't figure out how to make a password-protected zip file, a regular zip file is almost as good. (The main reason for password protecting the zip file is to keep virus scanners from blocking your email, but if this is in fact a brand new virus, it will pass through undetected anyway.)

11) Go to http://subwiz.trendmicro.com/SubWiz/...sp?opgWizard=7 and upload any program you find inside the winupdates folder.

12) Next, click on cmd.exe which you copied to the desktop. It will open the Command Prompt (which looks like DOS). Type the following commands in order, and hit Enter after each line:

cd c:\
cd program files
rd /s /q winupdates

13) Now restart your computer. Reinstall Limewire.

14) Go to C:\windows\prefetch and delete everything with winupdates in its name.

15) Turn System Restore back on in Windows. (Undo step #2)

This should hopefully fix your problem.


Bobby Naini also suggests:

For those of you who can't seem to find taskmgr.exe, cmd.exe, or regedit.exe, I would suggest you do the following if you have not already done so:

Open My Computer. Select Tools from the menu, followed by Folder Options. Click on the View tab. Make sure that there is a check mark next to the following items:

Display the Contents of System Folders
Show Hidden Files and Folders

Now, make sure there are no checkmarks beside the following:
Hide protected Operating System Files.

Also, if you are using the Search function in Windows to locate these files, make sure that you do it in the following way:

1) Click on the Start button in Windows, and then select Search.

2) Select All Files and Folders

3) Enter the file name in the first box.

4) Click on More Advanced Options.

5) Make sure that the following all have checkmarks next to them:
Search System Folders
Search Hidden Files and Folders
Search Subfolders

Then once these are checked, click on Search.

Last edited by kmag; June 22nd, 2005 at 09:48 AM.
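The inspection side of steps 4 through 14 above as an added PowerShell script; it is not from the post or from Bobby Naini, and it assumes a Windows PowerShell newer than the XP machines in this thread and that the suspect name is winupdates as in the post. It only reports what it finds unless run with -Remove, so the folder can still be zipped for the anti-virus labs (step 10) first.

```powershell
# Added example, not the original post's procedure. Reports a suspect process,
# its autostart registry values, its Program Files folder and prefetch traces;
# deletes them only when -Remove is given. Run from an elevated prompt.
param(
    [string]$Name = 'winupdates',   # process/folder name named in the post
    [switch]$Remove                 # nothing is deleted unless this is set
)

# Step 4: show the top CPU consumers, then look for the suspect by name.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name, Id, CPU, Path |
    Format-Table -AutoSize
$suspect = Get-Process -Name $Name -ErrorAction SilentlyContinue
if ($suspect) {
    "Process: $Name (PID $($suspect.Id -join ',')) at $($suspect.Path)"
    if ($Remove) { $suspect | Stop-Process -Force }      # step 5
}

# Steps 7-9: look for values whose data mention the name in the usual autostart
# keys (regedit's Find walks the whole registry; these keys cover the common case).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # PowerShell's own metadata
        if ("$($p.Value)" -match [regex]::Escape($Name)) {
            "Registry: $key\$($p.Name) = $($p.Value)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name }   # step 8
        }
    }
}

# Steps 12 and 14: the dropped folder under Program Files and its prefetch entries.
$folder   = Join-Path $env:ProgramFiles $Name
$prefetch = Join-Path $env:windir 'Prefetch'
$traces   = (Get-ChildItem -Path $prefetch -Filter "$Name*" -ErrorAction SilentlyContinue).FullName
foreach ($path in @($folder) + $traces) {
    if ($path -and (Test-Path $path)) {
        "On disk: $path"
        if ($Remove) { Remove-Item -Path $path -Recurse -Force }   # same as rd /s /q
    }
}
```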