Help on getting rid of virus - Win 2000. Multiple instances of weird exe file being loaded into v


Lars Burk

Hi all,

My brother has managed to load a virus on his notebook, which creates a
weird file (co5cjvw81c.exe) that is loaded multiple times as a process until
the virtual memory is flooded with it and the system halts! This only takes
about 1 minute after entering credentials.

If started in safe mode, I can rename or delete the file, but upon start in
normal mode, the "mother virus" (worm or whatever it is) creates a new
"blabla.exe" file and floods the virtual memory until the system is halted.

In safe mode, I have not found any peculiar entries in startup or regedit
run/runonce. Maybe somebody can provide a hint what is going on and how I can
get rid of it!!!


Thanks in advance

Lars
 
| If started in safe mode, I can rename or delete the file, but upon start in
| normal mode, the "mother virus" (worm or whatever it is) creates a new
| "blabla.exe" file and floods the virtual memory until the system is halted.

The description of symptoms doesn't help much in identifying the virus. Once
you know what virus it is, it gets a whole lot easier to figure out how to
fix it<G>.

Either install an av scanner and run it in safe mode, or take a copy of the
file and check it via an online scan.

See http://www.claymania.com/panic.html for general info, and links to
various av scanners, and online scans.

Regards, Dave Hodgins
 
Lars:

Another place an infector can be loaded from is the SHELL.

In Win9x/ME in the SYSTEM.INI it has the directive...
shell=explorer.exe

Some infectors will replace the line with...
shell=explorer.exe infector.exe

In Win2K and WinXP the shell is done in the Registry as...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"

Some infectors will replace the shell key with...
"Shell"="Explorer.exe infector.exe"

Note that in Safe Mode the infector will still be executed this way, unlike those in the
Registry RUN locations.

In addition:
If you post to UseNet with your TRUE, not a munged, email address, then you have invited the
Swen Internet worm [aka W32/Gibe-F] to visit you.

Swen is news spelled backwards. The reason it is called this is that the Swen worm
harvests email addresses from UseNet News Groups. It has an engine that allows it to post
itself to UseNet News Groups, and it also has its own email engine. From the list of
email addresses that it has harvested, it will then email itself to those addresses.

Dave



| Hi all,
|
| My brother has managed to load a virus on his notebook, which creates a
| weird file (co5cjvw81c.exe) that is loaded multiple times as process until
| the virtual memory is flooded with it and the system halts! This only takes
| about 1 minute after entering credentials.
|
| If started in safe mode. I can rename or delete the file, but upon start in
| normal mode, the "mother virus" (worm or whatever it is) creates a new
| "blabla.exe" file and floods the virtual memory until the system is halted.
|
| In safe mode, I have not found any perculiar entries in startup or regedit
| run/runonce. May be somebody provides a hint what is going on and how I can
| get rid of it!!!
|
|
| Thanks in advance
|
| Lars
|
|
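The check Dave describes, written out as an added example (this is not code from the thread): it parses the two shell-launch locations named above, the `shell=` directive in the `[boot]` section of a Win9x/ME SYSTEM.INI and the `Shell` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` on Win2K/XP, and reports any executable that has been appended after explorer.exe. The SYSTEM.INI samples are constructed for the example, the infector filename in them is the one from the thread, and the live registry read only runs on a Windows host (it returns None elsewhere).

```python
"""Flag extra executables appended to the Windows shell launch value.

Added example, not from the original thread. Covers the two locations the
reply describes: SYSTEM.INI [boot] shell= (Win9x/ME) and the Winlogon
"Shell" registry value (Win2K/XP). A clean value names only explorer.exe;
an infected one looks like "Explorer.exe infector.exe".
"""
import ntpath
import re
from typing import List, Optional

# The only program that belongs in the shell value (compared case-insensitively,
# on the basename, so "C:\WINNT\Explorer.exe" is still recognised).
KNOWN_SHELL = "explorer.exe"

# Constructed sample SYSTEM.INI contents (not captured from a real machine).
CLEAN_SYSTEM_INI = """[boot]
shell=explorer.exe
[386Enh]
device=*vshare
"""

INFECTED_SYSTEM_INI = """[boot]
; a comment line that must be ignored
shell=explorer.exe infector.exe
[386Enh]
device=*vshare
"""


def extra_shell_entries(shell_value: str) -> List[str]:
    """Return every program in a shell value other than explorer.exe.

    Tokens are split on whitespace, honouring double-quoted paths, so both
    the SYSTEM.INI form and the registry form can be fed in unchanged.
    """
    tokens = re.findall(r'"[^"]*"|\S+', shell_value.strip())
    extras = []
    for token in tokens:
        program = token.strip('"')
        if ntpath.basename(program).lower() != KNOWN_SHELL:
            extras.append(program)
    return extras


def shell_line_from_system_ini(ini_text: str) -> Optional[str]:
    """Return the value of shell= in the [boot] section, or None if absent.

    Hand-rolled rather than configparser because SYSTEM.INI files can carry
    duplicate keys and value-less lines that configparser rejects.
    """
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def winlogon_shell_from_registry() -> Optional[str]:
    """Read the live Winlogon Shell value on Windows; None on other platforms
    or if the value cannot be read."""
    try:
        import winreg  # only present in Windows builds of Python
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return value
    except OSError:
        return None


if __name__ == "__main__":
    for label, ini in (("clean", CLEAN_SYSTEM_INI), ("infected", INFECTED_SYSTEM_INI)):
        value = shell_line_from_system_ini(ini)
        print(f"{label} SYSTEM.INI shell={value!r} -> extras {extra_shell_entries(value)}")
    live = winlogon_shell_from_registry()
    if live is not None:
        print(f"Winlogon Shell={live!r} -> extras {extra_shell_entries(live)}")
```

Anything the script lists beside explorer.exe is worth checking with an av scanner before deleting it; as the reply notes, a program launched from the shell value also runs in Safe Mode, so remove the entry from the value (not just the file) before the next normal boot.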