Hidden Virus


This topic is locked. 15 replies to this topic.

#1 bellamy_now

bellamy_now

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:01 AM

Posted 28 July 2005 - 08:01 PM

Hi, I have a virus hiding somewhere in my computer and nothing I do seems to find it! When I start up my computer two things happen. 1. An MS-DOS window opens with the title wkssvc32.exe. 2. Ewido scanner says local.exe is attempting to run. I clean local.exe but next time I reboot it's back. My system32 folder is missing and I have done all the things multiple forums suggest to make it reappear without luck. The only way I can get to it is through Run, cmd and cd C:\windows\system32.exe.

Any help would be very much appreciated. :thumbsup:


#2 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • OFFLINE
  • Location:Florida, USA
  • Local time:10:01 AM

Posted 28 July 2005 - 08:20 PM

This is an undesirable program.

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask us for assistance in the forums.

Name: Windows Workstation Service (32-bits)
Filename: wkssvc32.exe
Description: Identified as an SDBot variant.
File Location: %System%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP.

http://www.bleepingcomputer.com/startups/w....exe-10537.html

Removal Instructions: How to remove a Trojan, Virus, Worm, or other Malware
http://www.bleepingcomputer.com/forums/How...are-tut101.html

#3 bellamy_now

bellamy_now
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:01 AM

Posted 28 July 2005 - 08:26 PM

Thanks for the fast reply. I know this is a virus, but it can't seem to be removed. It seems to be keeping me from loading any antivirus software such as McAfee and AVG. It also hinders the updating process and made my system32 folder disappear. I have searched several forums and only found a few posts with similar problems, but no solutions. Any new ideas?

#4 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • OFFLINE
  • Location:Florida, USA
  • Local time:10:01 AM

Posted 28 July 2005 - 08:35 PM

Please read the information on the following page:
http://www.bleepingcomputer.com/forums/How...are-tut101.html

Then:

1. Download and extract the Autoruns program by Sysinternals to C:\Autoruns
http://www.sysinternals.com/Utilities/Autoruns.html

2. Reboot into Safe Mode so that the malware is not started when you are doing these steps. Many malware programs monitor the keys that allow them to start and, if they notice they have been removed, will automatically replace that startup key. For this reason booting into Safe Mode allows us to get past that defense in most cases.

3. Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe.

4. When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.

1. Include empty locations

2. Verify Code Signatures

3. Hide Signed Microsoft Entries

5. Then press the F5 key on your keyboard to refresh the startups list using these new settings.

6. The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file, as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file, and the folder it is in, that you want to remove. You can check our Startup Database for that information or ask for help in our forums.

7. Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that right click on the entry and select delete. This startup entry will now be removed from the Registry.

8. Now that we made it so it will not start on boot up, you should delete the file using My Computer or Windows Explorer. If you can not see the file, it may be hidden. To allow you to see hidden files you can follow the steps for your operating system found in this tutorial:

How to see hidden files in Windows

9. When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode as you will now be clean from the infection.


How to protect yourself in the future

In order to protect yourself from this happening again it is important that you take proper care and precautions when using your computer. Make sure you have updated antivirus and spyware removal software running, all the latest updates to your operating system, a firewall, and only open attachments or click on popups that you know are safe. These precautions could be a tutorial unto themselves, and luckily, we have one created already:

Simple and easy ways to keep your computer safe and secure on the Internet

Please read this tutorial and follow the steps listed in order to be safe on the Internet.


Conclusion

Now that you know how to remove a generic malware from your computer, it should help you stay relatively clean from infection. Unfortunately there are a lot of malware that makes it very difficult to remove and these steps will not help you with those particular infections. In situations like that where you need extra help, do not hesitate to ask for help in our forums. We also have a self-help section that contains detailed fixes on some of the more common infections that may be able to help. This self-help section can be found here:

Spyware & Malware Self-Help and Reading Room
http://www.bleepingcomputer.com/forums/Spy...g_Room-f55.html

--
Lawrence Abrams
Bleeping Computer Spyware & Malware Removal Series
BleepingComputer.com: Computer Help & Tutorials for the beginning computer user.
Created: 05/18/2005

This article is published and created for http://www.bleepingcomputer.com, otherwise known as Bleeping Computer, and is covered by all copyright laws. All articles on this website are copyright © 2004 by Bleeping Computer, LLC. All right reserved. Use of these articles is limited to viewing and printing for personal use only. If you would like to use this material or portions of this material for other purposes you must receive explicit permission from Bleeping Computer before reprinting or redistributing this article in any medium.
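Added example, not part of any post in this thread and not Sysinternals' or BleepingComputer's code: a read-only PowerShell equivalent of Autoruns steps 4 to 6 above, with "Verify Code Signatures" and "Hide Signed Microsoft Entries" applied, for the Run, RunOnce, RunServices and RunServicesOnce locations the startup-database entry names. It assumes a current Windows system with PowerShell (the thread's Windows XP machine would not have it), and that a startup entry worth reviewing is one whose file is missing, unsigned, or signed by anyone other than Microsoft. It reports only; removal is still the manual step 7 and 8 decision.

```powershell
# Added example (not the forum's or Sysinternals' code): list startup entries that Autoruns
# would leave visible with "Verify Code Signatures" + "Hide Signed Microsoft Entries" enabled.
# Run from an elevated prompt. Read-only: nothing is deleted.

$startupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',      # 9x-era, usually absent
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # 9x-era, usually absent
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds for its own bookkeeping; they are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath {
    # Pull the executable out of a startup value such as  "C:\x\a.exe" /s  or  %SystemRoot%\a.exe /s
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($expanded, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

function Get-StartupEntryReport {
    foreach ($key in $startupKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $image  = Get-ImagePath -Command ([string]$prop.Value)
            $exists = [bool]$image -and (Test-Path -LiteralPath $image -PathType Leaf)
            $status = 'FileMissing'; $signer = $null
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $image
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            # Same rule Autoruns uses to hide an entry: a valid signature whose signer is Microsoft.
            $microsoft = ($status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
            [pscustomobject]@{
                Key        = $key
                EntryName  = $prop.Name
                ImagePath  = $image
                FileExists = $exists
                SigStatus  = $status
                Signer     = $signer
                Review     = -not $microsoft
            }
        }
    }
}

# Everything left over is what a person should compare against the Startup Database:
# missing files, unsigned files, or files signed by a non-Microsoft publisher.
Get-StartupEntryReport | Where-Object Review |
    Format-Table -AutoSize Key, EntryName, ImagePath, FileExists, SigStatus, Signer
```

Two caveats when reading the output. A "Review" entry is a lead, not a verdict: plenty of legitimate third-party software is unsigned, and a file the operating system signs only through a catalog can report NotSigned on older Windows versions, so confirm the path and publisher against the Startup Database before deleting anything. And, as step 2 of the post says, run the check from Safe Mode if the entry keeps coming back, because a running SDBot-style bot can rewrite the key as fast as it is removed.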

#5 bellamy_now

bellamy_now
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:01 AM

Posted 28 July 2005 - 08:49 PM

I have tried....oh god have I tried. This particular virus doesn't get the fact it is not wanted. Any specific advice for this problem? If anyone can help I would appreciate it. Scanners and malware say I am clean, but system32 folder still missing.

#6 Scarlett

Scarlett

    Bleeping Diva


  • Members
  • 7,479 posts
  • OFFLINE
  • Gender:Female
  • Location:As always I'm beside myself ;)
  • Local time:10:01 AM

Posted 28 July 2005 - 08:50 PM

You could download a-squared (a²) Free

I have just checked a-squared's malware database, and SDBot and many variants of it are listed. This is a great tool.

a-squared (a²) is a complementary product to antivirus software and desktop firewalls on MS Windows computers. Antivirus software specializes in detecting classic viruses. Many available products have weaknesses in detecting other malicious software (malware) like Trojans, dialers, worms and spyware (adware). a² fills the gap that malware writers exploit.

#7 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:01 AM

Posted 28 July 2005 - 08:53 PM

Sophos has a tool specific to dealing with SDBot.. you may have a slightly mutated strain that is resisting other means of removal....
http://www.sophos.com/support/disinfection/sdbot.html

It's worth a shot, although A-Squared is a nice application to have on your system anyway. :thumbsup:

#8 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • OFFLINE
  • Location:Florida, USA
  • Local time:10:01 AM

Posted 28 July 2005 - 09:16 PM

I have tried....oh god have I tried. This particular virus doesn't get the fact it is not wanted. Any specific advice for this problem? If anyone can help I would appreciate it. Scanners and malware say I am clean, but system32 folder still missing.

How to see hidden files in Windows
http://www.bleepingcomputer.com/forums/How...dows-tut62.html

Try A2 first, because even if it doesn't resolve this problem it will be an asset later anyway.

Did you download, install, update and run the Microsoft Beta anti-malware program recommended earlier?

#9 bellamy_now

bellamy_now
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:01 AM

Posted 29 July 2005 - 12:09 AM

Thank you all for your advice. I ran a-squared and it found 6 problems which were fixed. I rebooted and the wkssvc32.exe window popped up again. The Sophos link didn't work. I don't know if this is the virus but I have noticed several different anti-virus sites don't come up when I click on links for them. I didn't see the earlier instructions for the Microsoft beta malware. Please reinstruct. I know my windows/system32 is there, I just can't see it. Thanks again for any advice.

#10 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:01 AM

Posted 29 July 2005 - 08:04 AM

Your hosts file is blocking the downloads. Clearing your hosts file will allow you to get to some of those websites, but if you are running anything like IESpyad, you will be losing that protection until we get you fixed up.

Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.

See if you can link to the tool you were given before. You should also be able to download HJT, and any other diagnostic programs that you need.
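Added example, not part of groovicus's post and not The Hoster's code: a read-only PowerShell check that shows what a hijacked hosts file looks like before it is restored. It flags security-vendor names that have been pointed at loopback (the download block described above) and any name pointed at a non-loopback address (a redirect), while ignoring the ordinary loopback blocklist lines a tool like IESpyad adds, which is exactly the protection the post warns you will lose by wiping the whole file. The vendor watch list and the sample hosts content are constructed for illustration; extend the list with the vendors you actually use.

```powershell
# Added example (not the forum's or The Hoster's code): report hosts-file entries that block
# security-vendor sites or redirect names elsewhere. Read-only; it does not restore anything.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Constructed watch list for illustration. Add the vendors you rely on.
$watchDomains = @(
    'sophos.com', 'mcafee.com', 'grisoft.com', 'emsisoft.com',
    'microsoft.com', 'windowsupdate.com', 'sysinternals.com', 'bleepingcomputer.com'
)
$loopbackAddrs = @('127.0.0.1', '0.0.0.0', '::1')

function Get-HostsEntries {
    # Parse "address name [name...]" lines, dropping comments and blanks.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Hostname = $name.ToLower() }
        }
    }
}

function Find-SuspiciousHostsEntries {
    param([string[]]$Lines)
    foreach ($e in (Get-HostsEntries -Lines $Lines)) {
        # The only mapping a clean Windows hosts file needs is localhost itself.
        if ($e.Hostname -in @('localhost', 'localhost.localdomain')) { continue }
        $watched  = $watchDomains | Where-Object { $e.Hostname -eq $_ -or $e.Hostname.EndsWith(".$_") }
        $loopback = $e.Address -in $loopbackAddrs
        $reason = if ($watched)            { 'security vendor blocked or redirected' }
                  elseif (-not $loopback)  { 'redirected to a non-loopback address' }
                  else                     { $null }   # plain ad/spyware blocklist line: leave it alone
        if ($reason) {
            [pscustomobject]@{ Address = $e.Address; Hostname = $e.Hostname; Reason = $reason }
        }
    }
}

# Constructed sample resembling what this kind of infection leaves behind.
$sample = @'
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       download.mcafee.com
127.0.0.1       ads.example.invalid        # an IESpyad-style block entry, not flagged
10.0.0.5        windowsupdate.microsoft.com
'@ -split "`r?`n"

'--- constructed sample ---'
Find-SuspiciousHostsEntries -Lines $sample | Format-Table -AutoSize

'--- live hosts file ---'
Find-SuspiciousHostsEntries -Lines (Get-Content -LiteralPath $hostsPath) | Format-Table -AutoSize
```

The sample produces three flagged lines (two vendor sites sent to loopback, one Microsoft name sent to 10.0.0.5) and leaves the blocklist-style line alone. Because the script only reads the file, it is safe to run before and after "Restore Original Hosts" to confirm the vendor entries are gone and to see which legitimate blocklist lines were lost with them.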

#11 bellamy_now

bellamy_now
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:01 AM

Posted 29 July 2005 - 03:19 PM

I ran Hoster and restored my original hosts and was able to get the Sophos program....thanks for that. The scan ran but found no problems......! I searched in some other forums and found one similar posting to my problems. It seems they fixed the problem by having another computer use the hard drive as a slave and then scanned it and found a bunch of hidden viruses. Is that my only option!!!

#12 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:01 AM

Posted 29 July 2005 - 03:28 PM

Go for this option now:
http://www.bleepingcomputer.com/forums/How...orum-t1112.html

Then you will have to be patient. Someone will be along to help as soon as they have a moment free. :thumbsup:

#13 bellamy_now

bellamy_now
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:01 AM

Posted 29 July 2005 - 03:40 PM

Ok...so I downloaded HijackThis and followed the instructions but couldn't get it to run. I disabled Ewido, Microsoft AntiSpyware and a² Guard. Then when I tried to run HijackThis the startup screen where you can start the scan opened for about one second and then disappeared.....? Any advice.

#14 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:01 AM

Posted 29 July 2005 - 03:51 PM

Sounds like you have a CWS variant.... try renaming the executable for HijackThis to something else, anything...cool.exe, killit.exe... anything at all. Then try running it.

#15 bellamy_now

bellamy_now
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:01 AM

Posted 29 July 2005 - 06:20 PM

Sorry...I realized I needed to post this in the other forum, which I have done....Thanks again