Limewire Acting Wierd (PLEASE HELP!!!)

kmag · #21 (**permalink**) June 21st, 2005

I sent an email to Kaspersky Labs antivirus yesterday about this virus and got an email back from one of their virus analysts. However, I haven't been infected and so I wasn't able to provide them with a sample of the virus.

If you'd be so kind as to help prevent others form getting this virus, please make a password-protected zip (or rar) file containing any viral files you are about to delete. The password should be "infected" and it should be mailed to NewVirus@kaspersky.com, with a subject of KLAB-571146.

It's my understanding that the major anti-virus labs have informal agreements about sharing new viruses with eachother.

If you're extra motivated to help stop this virus, there's also a web submission form at http://subwiz.trendmicro.com/SubWiz/...sp?opgWizard=7 . Presumably TrendMicro wants the winupdates file instead of the password protected zip file.

Unfortunately, it looks like Symantec/Norton Anti-Virus requires you to use Norton Anti-Virus to send in samples instead of using plain old email. If you have Norton Anti-virus, please by all means use Norton Anti-virus to send Symantec/Norton a copy of winupdates.

McAfee Anti-virus's website gives me the impression that there's no way for the average person to send them samples of suspected viruses.

#22 (**permalink**) June 23rd, 2005

this seems to be the virus everyone has. I tried follow the steps in the above post and they didn't work for me. First of all copying taskmgr.exe to my desktop didn't make a diference. By running ad-aware i was able to remove the file although it seemed to come back. These are the instruction and discription
from norton (symantec) calling it of a varient of W32.HLLW.Gaobot.BB, type:worm

http://www.brightmail.com/avcenter/v...gaobot.bc.html

DrStank · #23 (**permalink**) June 23rd, 2005

This did the trick. THANK YOU!!! The virus is gone. For windows XP users, instead of looking in system32 folder, you'll find those files in your "My Computer/C/I386" directory. Maybe because of the virus, my system wouldn't let me open that directory, so I went to start/search and looked up the taskmgr, regedit and cmd applications and dragged them to my desktop while holding down CTRL. Everything else worked like a charm. You're the best Bobby.

Quote:

Originally posted by BobbyNaini
I had this exact same problem, and after literally 24 hours of analyzing every inch of my computer, I solved the problem. I suspect that based on your descriptions of the problem (which I had as well), you are infected with a virus. It's unbelievable that none of my AntiVirus packages picked up this infection.

For me, everytime I restarted my computer, Limewire would automatically load up. Even if I closed it, it would just open back up again. On top of this, I could not even access the Task Manager in Windows XP to allow me to force a shutdown of Limewire. I hit CTRL-ALT-DEL and nothing would happen.

Anyways, here are the steps that need to be taken.

1) Uninstall Limewire. You can reinstall it at the end of these steps.

2) Disable System Restore in Windows. This can be done by right clicking on My Computer, selecting Properties, and then clicking on the System Restore tab. Then check the box Turn Off System Restore. Hit Apply, and then OK. If you are prompted to restart Windows, do so.

3) Now we need to fool the virus into allowing us to open the Task Manager. This can be done by copying the Task Manager executable file from the Windows directory. To do this, go to c:\windows\system32, select the file taskmgr.exe, right click on it, and select Copy. Go to the desktop, and click on an empty part of the desktop. Then right click on the desktop, and select Paste.

4) Double click on the taskmgr.exe file on your desktop. This should open the Task Manager. Click on the Performance tab. If you are in fact infected with a virus, you will likely (although not necessarily) see close to 100% CPU usage!! Now click on the Processes tab, followed by clicking twice on the CPU column header. What this does is order the files running on your computer based on the amount of CPU resources they are consuming in real time. If there is a process, other than System Idle Process, that is consuming close to 100% of the CPU, then it is this process (or file) that is infecting your computer. For me, and likely for a lot of you, that file will be winupdates.exe. Don't be tricked. This is not a Microsoft program. It's a virus masking itself as a legitimate file. Please remember the exact name of this process, because you will need it in a later step.

5) Click on this process to highlight it, then click the button End Process. A warning prompt should pop up. Click on Yes.

6) Now that this process is killed, we need to remove any references to it from the Registry. Once again, because this virus is blocking us from opening the Registry Editor, we need to trick the virus by copying the file to the desktop. Follow the same steps as in number 3, except this time, copy the following two files from their respective directories, and paste them on the desktop.

c:\windows\regedit.exe
c:\windows\system32\cmd.exe

7) Open regedit from the desktop. In the left window, click on My Computer so that it is highlighted. Now select Edit from the menu, followed by Find. In the Find box, type the name of the process that you ended from the Task Manager. If you recall, mine was winupdates. Do not include the .exe, just winupdates. Then click Find.

8) For the item that it found in the right window, click it to highlight it if it isn't highlighted already, and then right click on it, and select Delete. If a prompt pops up, select Yes or OK to confirm the delete.

9) Now, hit the F3 button once. This will find the next reference to that bad file. Follow step 8 again to delete the reference. Repeat steps 9 and 8 until the editor indicates that there are no more references to this file. Then exit the editor.

10) Finally, click on cmd.exe which you copied to the desktop. It will open the Command Prompt (which looks like DOS). Type the following commands in order, and hit Enter after each line:

cd c:\
cd program files
rd /s /q winupdates

11) Now restart your computer. Reinstall Limewire.

This should hopefully fix your problem.

Bobby Naini

kmag · #24 (**permalink**) June 24th, 2005

This is malware has been identified as
Worm.Win32.VB.an, the "AN Worm", sometimes called the "Zodiak Worm".

I was able to obtain a sample of this malware. I got free trial versions of both Norton Anti-virus and Kaspersky Anti-virus from Downoad.com.

Norton's 6/22/2005 virus definition library misses this malware.

Kaspersky catches it and quarantines it.

You can get a free 30-day trial from:
http://www.download.com/3120-20_4-0.html?qt=kaspersky

Let us all know if you find any other anti-virus scanners that catch this worm. It might be a new variant, because Norton's website claims they've been able to catch this worm since October 2003.

I've submitted a sample to Norton.

TrendMicro's webserver gave me an internal error when I tried submitting it via their web form.

roofdrop · #25 (**permalink**) June 25th, 2005

BobbyNaini and kc0rkx_finch, you two people saved my sanity, thankyou soooooooooooooooooo much, limewire poping up every 10 seconds was driving me insane. THANKYOU THANKYOU THANKYOU

#26 (**permalink**) June 27th, 2005

Man, this was well worth the reading!

I know exactly how and when my son loaded this virus on my computer, and I am ashamed to admit it. . . .but just so others don't make the same mistake, he tried to download and install a Pro version of Limewire from the Gnutella network.

I know this because, (due to his incessant pirating) I purchased a keystroke logger. I have now locked him out of my machine.

I seem to have my old faithful back on line now, thanks to you wonderful people! Whoooooo-Hooooooooo!

kc0rkx_finch · #27 (**permalink**) June 29th, 2005

Glad i could help someone. Any more questions please pm me as i have gotten very busy and dont have time to check the forum everyday.

H8MyBoss · #28 (**permalink**) July 29th, 2005

none of these solutions werked for me. Lime wire was trying to launch even after i THOUGHT i had deleted the program >> kept giving me some warning about Limewire tried to launch but failed. I simply went to All Programs, saw a Limewire folder, deleted that, and i havent had a problem since.

shame tho >> due to this problem, i refuse to use Limewire anymore >> i tried to install imewire again, but i kept getting the same problem.

I have to use Morpeus now, and it sux compared to Limewire.

AARomulus · #29 (**permalink**) August 7th, 2005

Plese help me i looked in the folders that you said to look in but the only thing that even said task manager was the MMTASK.TSK and i dont have a progam to open that up with so I went just into the windows folder to see if it was there and i found an .exe file than said TASKMAN and i moved it to the desktop and double clicked on it but it does not open anything so if you could please help me i would greatly appreciate it

AnubisR1 · #30 (**permalink**) August 17th, 2005

Quote:

Originally posted by kc0rkx_finch
!!!!!! IT WORKED!!!!!!

YEEEEEEEEEEEEEEEEEEESSSSSSSSSSSSSSSSSS

Dude you are a GENIUS

his whole process takes20 minutes max and that includes redownloading and installing limewire. I promise that this guy is NOT BLOWING WIND!! some of you might be a little antsy to do this but follow his directions it WORKS. NO AUTO POP LW!!!! WOOOOOOHOOOOOOOO!

I did the same thing. Worked great. If yer ever in Phoenix BobbyNaini, all the beer you want is on my tab.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Limewire is Acting funny???Messing up Windows!	SRT4pssh	General Windows Support	6	October 17th, 2007 01:17 PM
Limewire acting odd. Possible virus??	wjhsMandy	General Windows Support	4	June 23rd, 2006 12:06 PM
Limewire acting weird..help	sidhaanth	Windows	2	November 8th, 2005 08:24 AM
LimeWire acting up...again	DJ609	General Windows Support	0	April 27th, 2005 01:56 PM