
Did The Worm Change My Bios?


1 reply to this topic

#1 MotherMary


  • Members
  • 31 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 31 January 2007 - 06:03 PM

My husband got a brand-new eMachine in July 2006. At the end of December, I was on his computer and noticed that his network connection (the little green icons in the system tray) was named "WetPxxxx4Sale."

I tried to do a System Restore. The computer refused! In fact, it didn't even HAVE any little blue underlined days before about Dec. 27, and this was Dec. 31.

Jerry's computer came bundled with McAfee. I did a full system scan with McAfee, which assured me the computer was clean -- no worms, no viruses. An expert friend told me that in his professional opinion, McAfee was a useless piece of bleep, so on my friend's recommendation, I bought a copy of Norton Internet Security (which I've had on my own computer for years).

A full system scan with a fully up-to-date Norton assured me that Jerry's computer was clean -- no worms, no viruses. But I was still on "WetPxxxx4Sale."

I used the Task Manager to make a list of all the processes that were running at startup. Then I used MY computer to look them up at www.sysinfo.org. Two of them were identified as viruses, wuauclt.exe and wmiprvse.exe, which sysinfo said is "added by the SONEBOT-B worm," which was identified in bleeping 2004!!!

So on Jerry's computer, I went into Safe Mode and deleted all instances of both viruses "by hand." Then I flushed the Recycle Bin.

Feeling happy that surely I had solved the problem, and still in Safe Mode, I went into regedit and changed both instances of "WetPxxxx4Sale" to "Mary loves Jerry."

Then I restarted Jerry's computer in the ordinary state. And when I checked, I found that the little icons in the system tray were STILL "WetPxxxx4Sale"!!

I went back into Safe Mode. I checked to make sure that the offending viruses were still gone, which they were. I went back into regedit and changed both instances of "WetPxxxx4Sale" to "Mary loves Jerry 2."

You guessed it. Jerry's computer is still being served by "WetPxxxx4Sale." Norton says everything is fine. No processes appear to be running that aren't supposed to be running.

Some time in the last few days of frustration, I seem to remember a "regedit32." Is that different from regedit? Would trying that do any good at all?

I am no expert. I've used a computer every day for more than 20 years, but I've hit my ceiling on computer savvy with what you've just read. My GUESS is that Jerry's computer has a worm that's sophisticated enough to hide from Norton. But I figure it can't really be the SONEBOT-B worm, because that was identified in freaking 2004, which is centuries ago in malware, I'm sure. Maybe it's "son(e) of SONEBOT," as it were.

It can't be up to much if both McAfee and Norton say it's not there, and every process that's running when no programs are running is identified as innocent by the computer. (For example, "used by Norton Antivirus.") The computer seems to be running just fine. Jerry has other e-mail addresses, but he can't remember his passwords, so he uses Hotmail exclusively -- no chance for the worm to take over his address book, I wouldn't think.

sysinfo.org says that wmiprvse.exe is a legitimate file that's SUPPOSED to be in the system32\wbem subdirectory, not running at startup. But I deleted it, and it stayed deleted through the next two visits to Safe Mode. Would it do any good at all for me to e-mail MY copy of wmiprvse.exe to myself at Yahoo, download it onto Jerry's computer, and then in Safe Mode put it where it belongs?

Or has the worm gotten into Jerry's BIOS? -- i.e., would it even do any good to go drastic and scrub Jerry's computer clean and reinstall the very operating system? Or would I go through all that pain and in the end discover that I was STILL connected by "WetPxxxx4Sale"?

I'm frustrated! I hope someone here can put me out of my misery!

Mary


Mod Edit: Edited to remove offensive word. ~tg

Edited by tg1911, 31 January 2007 - 06:21 PM.
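The post above checks process names against an online list and notes where wmiprvse.exe is supposed to live. The following script is an added example (not from the thread or from BleepingComputer) that does the same check locally on a Windows machine: it lists every running process whose name matches one of the two binaries the poster looked up, reports the directory it actually runs from, compares that with the directory Windows normally keeps it in (the expected paths are assumptions for a standard install), and checks the file's Authenticode signature. A copy running from an unexpected folder or without a valid signature is the one worth handing to a log-based helper.

```powershell
# Added example, not part of the original thread.
# Expected directories are assumptions for a typical Windows installation;
# a legitimate copy of either binary should run from one of these paths.
$expected = @{
    'wmiprvse.exe' = @("$env:SystemRoot\System32\wbem", "$env:SystemRoot\SysWOW64\wbem")
    'wuauclt.exe'  = @("$env:SystemRoot\System32")
}

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -and $expected.ContainsKey($_.Name.ToLower()) } |
    ForEach-Object {
        $path = $_.ExecutablePath                      # full path of the running image
        $dir  = if ($path) { Split-Path $path -Parent } else { '<no path>' }
        # -contains compares case-insensitively, so mixed-case paths still match
        $ok   = [bool]($path -and ($expected[$_.Name.ToLower()] -contains $dir))
        # Microsoft's own copies carry a valid Authenticode signature;
        # an unsigned or tampered file reports NotSigned / HashMismatch.
        $sig  = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }
        [pscustomobject]@{
            PID              = $_.ProcessId
            Name             = $_.Name
            Path             = $path
            ExpectedLocation = $ok
            Signature        = $sig
            Verdict          = if ($ok -and $sig -eq 'Valid') { 'looks legitimate' } else { 'investigate' }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that ExecutablePath is readable for system processes; a process with no path at all is itself a reason to investigate.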



#2 tg1911


    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:06:11 PM

Posted 31 January 2007 - 06:18 PM

I suggest you post a HijackThis log for examination.
A member of the HijackThis Team will walk you through, step by step, how to disinfect your computer.

Once you post your log, don't make any changes to your system, as that could change the results of the posted log, making it more difficult to properly clean your system.

Read Preparation Guide for use before posting a HijackThis Log.
Please read, and follow, all directions carefully!!!

If the steps, prior to the posting of a HijackThis log don't eliminate the problem:

Then, run a log, and post it in the HijackThis forum, at this link.
Do not, post it in this topic.
Do not, fix anything, yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response, because the HJT Team are very busy. Please, be patient, as these people are volunteers. They will help you, as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.