Perwall.*, Worm_Autorun.Buk, SillyFDC virus, Global.exe, …

Virus again!

I got stressed with it, especially since it was the “This computer is being attacked” virus that I had faced once before, on the same machine, with the same user :( . But now I can kill it manually.

First, Symantec AntiVirus on her PC kept reporting that “C:\Windows\Cursors\boom.vbs” contained a virus named SillyFDC, but it could not clean it; the detection count just kept going up and up...

I started by googling “C:\Windows\Cursors\boom.vbs” and found some Chinese sites talking about it. I was reading... and BOOM! The fucking flying windows appeared when I tried to kill Global.exe in Task Manager! [screenshot: “This computer is being attacked”]

A lot of processes named Fonts.exe, Global.exe and Svchost.exe in Task Manager!

:( After logging off, I continued searching from my own PC, and luckily found a solution to remove it: it is HERE. Yes, it’s Chinese, and a little different from the one I have; maybe a new variant.

Panda Security can detect Perwall.A, which is similar, but that file size is 225,280 bytes. It is the same as Worm_Autorun.BUK detected by TrendMicro. I’m sure I am facing a new variant/version of it.

Here is how to remove it manually:

STEP 1: Search for and delete the files below. This is BETTER DONE from another PC, mapping the infected drives with Total Commander, because on the infected machine the worm hijacks Task Manager and the other tools you would use:

1.a. autorun.inf and MS-DOS.com in the root folder of each drive. NOTE their size: mine is 233472 bytes.

C:\autorun.inf, C:\MS-DOS.com

D:\autorun.inf, D:\MS-DOS.com

1.b. Search the whole hard drive for files with the same size as in 1.a (233472 bytes) and delete any you find doubtful; don’t worry, it’s easy and you may delete most of them. Here are some:

c:\windows\fonts\font.exe
c:\windows\system32\drivers\drivers.cab.exe
c:\windows\Media\rndll32.pif
c:\windows\system\KEYBOARD.exe
c:\windows\pchealth\binaries\HelpHost.com

c:\windows\pchealth\Global.exe

C:\WINDOWS\system32\dllcache\Recycler.(645FF040-5081-101B-9F08-00AA002F954E)\system.exe

1.c. Search again for all files of 233472 bytes to make sure you haven’t missed any.

STEP 2: Remove registry items. This should also be done remotely from another machine:

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and go through its subkeys one by one, deleting any subkey that points to one of the files located in step 1. The subkeys are named after legitimate tools (Task Manager, msconfig, Process Explorer, rundll32...) and redirect them to the worm’s files, which is why those tools do not work on the infected PC. Here are some:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
(subkey name -> file it redirects to)

  auto.exe            -> C:\WINDOWS\system32\drivers\drivers.cab.exe
  autorun.exe         -> C:\WINDOWS\system32\drivers\drivers.cab.exe
  autoruns.exe        -> C:\WINDOWS\system32\drivers\drivers.cab.exe
  boot.exe            -> C:\WINDOWS\Fonts\fonts.exe
  ctfmon.exe          -> C:\WINDOWS\Fonts\Fonts.exe
  msconfig.exe        -> C:\WINDOWS\Media\rndll32.pif
  ProcessManager.exe  -> C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com
  procexp.exe         -> C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com
  rundll32.exe        -> C:\WINDOWS\Fonts\Fonts.exe
  taskmgr.exe         -> C:\WINDOWS\Fonts\tskmgr.exe

OK, you can restart that PC. That should remove the virus.
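As an added illustration (not code from the original post), a small Python script that automates the two checks above from a clean machine: a sweep of a mapped drive for files of 233472 or 225280 bytes (step 1), and a parse of a .reg export of the Image File Execution Options key listing which program names carry a Debugger value redirecting them (step 2). The sample export and the temporary directory are constructed for the demo; a real export made with `reg export` is UTF-16 text and must be read with that encoding.

```python
import os
import re
import tempfile

KNOWN_SIZES = {233472, 225280}  # this variant and Perwall.A, as sized on the page
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def find_files_by_size(root, sizes=KNOWN_SIZES):
    """Step 1.b/1.c: walk `root` and return every file whose size is one of `sizes`."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) in sizes:
                    hits.append(path)
            except OSError:
                continue  # locked or vanished file: skip it and keep scanning
    return sorted(hits)


def parse_ifeo_debuggers(reg_text):
    """Step 2: from a .reg export of the IFEO key, map image name -> Debugger target."""
    found, image = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:  # new subkey: note which image it hooks, or None if outside IFEO
            image = None
            if key.group(1).lower().startswith(IFEO.lower() + "\\"):
                image = key.group(1)[len(IFEO) + 1:].split("\\")[0].lower()
            continue
        val = re.fullmatch(r'"Debugger"="(.*)"', line, re.IGNORECASE)
        if val and image:
            found[image] = val.group(1).replace("\\\\", "\\")  # .reg doubles backslashes
    return found


# Constructed sample export mirroring two of the hijacks listed on the page.
SAMPLE_REG = """[%s\\taskmgr.exe]
"Debugger"="C:\\\\WINDOWS\\\\Fonts\\\\tskmgr.exe"
[%s\\msconfig.exe]
"Debugger"="C:\\\\WINDOWS\\\\Media\\\\rndll32.pif"
""" % (IFEO, IFEO)


def demo():
    """Scan a constructed temp tree holding one zero-filled dummy of the worm's size, plus SAMPLE_REG."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "fonts.exe"), "wb") as f:
        f.write(b"\0" * 233472)  # harmless dummy, same size as the worm body
    return [os.path.relpath(p, root) for p in find_files_by_size(root)], parse_ifeo_debuggers(SAMPLE_REG)
```

Point `find_files_by_size` at the mapped drive (for example `\\192.168.1.100\C$`) and feed `parse_ifeo_debuggers` the export text; anything it returns is a redirect to review.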

This is one virus that I have actually removed manually, with a lot of searching and deleting, from files to the registry.

20 responses

  1. Did you get it fixed?

    I have the same virus. I had 4 boys here in the USA from Shanghai that did something and now I have the same thing.
    Do you know if Panda security software will fix it?
    If not how do I find the HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion that you suggest and do I delete it?

    Joe

  2. Joe,
    I faced it twice, and this time i can kill it, so this entry is born. :)
    You can search the suggest items in your registry, it’s fine if you don’t see one or more of them, because this virus has many variants..

    Panda security can detect if old version, I’m not sure if it can detect new version, go on and have a try with latest virus definition updated. :)

  3. I want the Global clean file with PDF

    thank you very

  4. to ko thet: don’t really know what you mean? pardon, please!

  5. The older version, Perwall.A (225,280 bytes), also changes ….

    HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command

    to point at one of the infected files, the key should have a value of…

    %SystemRoot%\system32\mmc.exe "%1" %*

    Thanks for your help in removing this from a friends pc.

  6. Nice.... It does help. It would be better if you combined all of the commands into a 1-click clean.

  7. HELP!!! I have that virus like now... but I don’t understand your steps.... can you please HELP me and elaborate more cuz I dunno laptop stuff well... like with your first step, where do I go first????

  8. Sambo Men,

    Step 1 is to search for and delete the virus files; please note that they will all have the exact same size. But while you’re doing this, the flying object may appear all around the screen, so you had better access the disks of the affected computer from another one.

    For example: Machine A is the one affected by the virus, and its IP address is 192.168.1.100. From another machine in your network, click Start -> Run and type “\\192.168.1.100\C$” in the box; it will let you access the C drive on the affected PC, then work on it with search and delete.

  9. Hey I have the exact same virus right now!

    It’s easily the worst and most evil virus I have ever had. I have tried AVG, Kaspersky, Spy-Bot and Ad-Aware, which have all failed to get this virus (are these programs any good?), but I will try Panda Security now and have my fingers crossed!!

  10. Hi,

    Your guidance on this is very good and gets rid of the virus.
    But how do you get back your Control Panel and some other stuff such as gpedit.msc?

    Thanks

  11. Frank,
    I don’t have any problem with gpedit.msc. You may have got another virus that cracked it.

  12. Well, I got the same virus on my computer too..
    good thing is, I managed to delete those viruses when I formatted my PC.. (2 times in a row)

    the bad thing is, I found that those viruses also infect some executable programs such as the DirectX installer and many of my games. The programs’ original size also gets bigger when I check it after I restart my computer.. as an example, I have a 100kb emulator for PSX and the size changed to 149kb after it infected my com..

    funny thing is, it looks like it only infects .exe, coz I have a .com program and it is still at its original size after the virus infected.

    one last thing, the virus also infects the recycler on every drive.. so the only way is to format the drive I guess.

    any help would be nice..

  13. I have the virus as well.. I’m just unsure how to access regedit from another PC! Can anyone tell me?

    • Robbert: From your PC, you can open your own regedit, go to the menu File -> Connect Network Registry, then type in the remote PC name or IP address. Make sure the “Remote Registry” service is available and you have administrative privileges on it. :)

  14. Hi.
    Thanks for the great article, although it is kind of too in-depth for someone who hasn’t studied basic programming or IT. I will try it nonetheless. Hope not to delete critical files. One more question.
    What exactly is the name of this virus?

  15. Hey guys,
    I’ve been trying this just about all day, but whenever I delete one of the files, they return in seconds. I’ve even tried making a Java program that deletes all of them, but for some reason they keep coming back. What am I doing wrong?

  16. Alright, never mind, I tried running my program again in safe mode and that did the trick; everything’s gone now. Thanks heaps!

  17. Thank you for your site.
    I had so many problems with that virus;
    when I read your site I could solve my computer system.

  18. I had this same virus and tried to remove it manually according to these instructions, but had some problems (my fault though since I am no computer pro). That stupid bouncing banner even appeared when I restarted my computer in safe mode! Finally I tried restoring my system to a date before my computer was infected by going to Control Panel, then Performance and Maintenance, then System Restore. It worked! I don’t know if there are any problems yet having done it this way (I had to re-install updates for some of my programs), but so far so good — no more banner! Maybe this method will help other people too.

    Thanks for your help!
