Chacham's Journal: Chronicle: Reoved virii from local organization's computer

While supporting a local organization's computers, i remove the offending winsock entries. Lo and behold, they belonged to B-Secure. Things worked a lot better without it (remove the entries, have IE's wizard "fix" the connection) but it noticed it was gone on reboot. So, i killed it again, removed it from startup and things were moving along.

Then came Defense Center. It puts nasty icons on the desktop and wants you to buy into its scam. It runs one process, cleverly disguised as the Windows remote executable (wau something, i forget) and places itself in .exe in the registry. Every application runs it, then it runs your app, but it throws up warnings. Luckily, i had Process Explorer on the system, and watched what was happening. Killing the process did not kill its child, so i was able to get the programs i wanted to run. Security Essentials wasn't doing anything.

Took the hard drive out and connected it to another computer and did a full scan. It cleaned the virii, and i put it back. Still there, but Security Essentials started realizing there was a threat, but failed to remove the actual executable. Even a full scan didn't seem to remove Program Files\Defense Center (i deleted it myself after it *seemed* to have past it in the alphabetical order). But, it did ask to send a copy of it to them, which i did (twice).

I changed the .exe entry, deleted the file (it was in the temp directory), but now executables wouldn't start. To fix that, i used Explorer's Tools\Folder Options\File Types, to reset it as application. Then Security Essentials did a full scan and found no threats.

All in all there were three virii. One master that wasn't really detected, and two children that it caught after the other computer scanned it.

Windows Update installed a few items, .Net 4 and a Security Essentials update. A reboot made Windows want to do a full scan again. Instead, i did a quick scan, reinstalled B-Secure, rebooted, and started a full scan. That's where it is now. I'll have to make sure it restart ok next time.