
Perwall.*, Worm_Autorun.Buk, SillyFDC virus, Global.exe, …

June 23, 2008

Virus again!

I got stressed by it, especially since it was the “This computer is being attacked” virus that I had faced once before, on the same machine, with the same user :( . But now I can kill it manually.

First, her PC kept showing a Symantec AntiVirus alert that “C:\Windows\Cursors\boom.vbs” contained a virus named SillyFDC, but it could not be cleaned, and the detection count kept going up and up.

I started by googling “C:\Windows\Cursors\boom.vbs” and found some Chinese sites talking about it. I was reading... and BOOM! the flying windows appeared when I tried to kill Global.exe in Task Manager (the “This computer is being attacked” banner).

A lot of processes named Fonts.exe, Global.exe and Svchost.exe in Task Manager! (Svchost.exe is also the name of a legitimate Windows process, so check the path of each one rather than trusting the name.)

:( After logging off, I continued searching from my own PC, and luckily found a solution to remove it: it is HERE. Yes, it’s Chinese, and a little different from the one I have; maybe it is a new variant.

Panda Security detects Perwall.A, which is similar, but with a file size of 225,280 bytes. It is the same thing that TrendMicro detects as Worm_Autorun.BUK. I’m sure I am facing a new variant/version of it.

Here is how to remove it manually:

STEP 1: Search for and delete the files below. This is better done from another PC, mapping the infected drives (for example with Total Commander), because the worm is still running on the infected machine and will fight back.

1.a. autorun.inf and MS-DOS.com in the root folder of each drive. Note the size of MS-DOS.com: mine is 233472 bytes, and every dropped copy of the worm has the same size.

C:\autorun.inf, C:\MS-DOS.com

D:\autorun.inf, D:\MS-DOS.com

1.b. Search the whole hard drive for files of exactly that size (233472 bytes) and delete the ones that look doubtful. Don’t worry, it’s easy and you may delete most of them; but size alone is weak evidence, so before deleting a file compare it (by hash, or byte for byte) with the MS-DOS.com copy from 1.a. Here are some of mine:

c:\windows\fonts\font.exe
c:\windows\system32\drivers\drivers.cab.exe
c:\windows\Media\rndll32.pif
c:\windows\system\KEYBOARD.exe
c:\windows\pchealth\binaries\HelpHost.com
c:\windows\pchealth\Global.exe
C:\WINDOWS\system32\dllcache\Recycler.(645FF040-5081-101B-9F08-00AA002F954E)\system.exe

Note that most of these borrow the name of a legitimate Windows file or process (drivers.cab, rundll32, svchost, system) and sit in system folders; the size and the location together give them away.

1.c. Search again for all files of 233472 bytes to make sure that you didn’t miss any.

STEP 2: Remove the registry items. This should also be done remotely from another machine (regedit, File -> Connect Network Registry).

Browse to HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options and go through its subkeys one by one; delete any subkey whose Debugger value points at one of the files from Step 1. Windows consults this key whenever an executable is started: if a subkey with the executable’s name carries a Debugger value, the program named there is launched instead of the original (with the original’s command line). That is how the worm replaces Task Manager, Process Explorer, msconfig and the like with itself. Here are some of mine:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options
(subkey name) (file its Debugger value points to)

<auto.exe> <C:\WINDOWS\system32\drivers\drivers.cab.exe>
<autorun.exe> <C:\WINDOWS\system32\drivers\drivers.cab.exe>
<autoruns.exe> <C:\WINDOWS\system32\drivers\drivers.cab.exe>
<boot.exe> <C:\WINDOWS\Fonts\fonts.exe>
<ctfmon.exe> <C:\WINDOWS\Fonts\Fonts.exe>
<msconfig.exe> <C:\WINDOWS\Media\rndll32.pif>
<ProcessManager.exe> <C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com>
<procexp.exe> <C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com>
<rundll32.exe> <C:\WINDOWS\Fonts\Fonts.exe>
<taskmgr.exe> <C:\WINDOWS\Fonts\tskmgr.exe>

OK, now you can restart that PC. That should remove the virus.
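To do both steps from the other machine without clicking through every folder and subkey by hand, here is a small script. It is an added example written for this page, not the post’s own tool and not code from any of the antivirus vendors named above. Step 1 finds every file of the worm’s size and confirms it by SHA-256 against the root-folder MS-DOS.com before anything is deleted; Step 2 parses a `reg export` of the Image File Execution Options key and flags the subkeys whose Debugger value points at one of those copies. The share path, the `reg export` text and the sample registry dump are assumptions and constructed data that mirror the listings above, not captures from a real infection.

```python
"""Offline triage for the two manual-removal steps above (an added example, not
the post's own tooling).  Assumes the infected drive is reachable as a mapped
share such as \\\\192.168.1.100\\C$ and that the IFEO key was exported with
`reg export` on the affected machine; every sample below is constructed to
mirror the post's listings, not captured from a real infection."""
import os
import re
import shutil
import tempfile
from hashlib import sha256
from pathlib import Path

WORM_SIZE = 233472  # size of every dropped copy reported in the post
IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        r"\Image File Execution Options")

def find_copies(root, size=WORM_SIZE, reference_hash=None):
    """Files under root with the worm's size; with reference_hash, only byte-
    identical copies.  Size alone is weak evidence, so hash before deleting."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size != size:
                    continue
            except OSError:
                continue
            if reference_hash is None or sha256(p.read_bytes()).hexdigest() == reference_hash:
                hits.append(str(p))
    return sorted(hits)

def ifeo_debuggers(reg_text):
    """Parse `reg export` text into {image name: Debugger path} for IFEO subkeys
    carrying a Debugger value.  Windows starts that path instead of the image,
    which is how the worm substitutes itself for taskmgr.exe, procexp.exe, etc.
    (reg export writes UTF-16, so read the file with encoding="utf-16".)"""
    found, current, prefix = {}, None, (IFEO + "\\").lower()
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if current and m:  # .reg files escape backslashes and quotes
            found[current] = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return found

def cross_check(debuggers, copies):
    """IFEO entries whose Debugger target is one of the copies found on disk.
    Compares the path below the drive letter, so C:\\... matches \\\\host\\C$\\..."""
    disk = [c.replace("/", "\\").lower() for c in copies]
    flagged = {}
    for image, target in debuggers.items():
        t = target.replace("/", "\\").lower()
        suffix = t[2:] if re.match(r"[a-z]:\\", t) else t
        if any(d.endswith(suffix) for d in disk):
            flagged[image] = target
    return flagged

# Constructed reg export mirroring the post's Step 2 listing (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\Fonts\\tskmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
"""

def demo():
    """Build a constructed drive image in a temp dir and run Step 1 and Step 2."""
    root = Path(tempfile.mkdtemp())
    try:
        worm = b"MZ" + bytes(WORM_SIZE - 2)  # stand-in for the worm body
        for rel in ("MS-DOS.com", "WINDOWS/Fonts/tskmgr.exe",
                    "WINDOWS/pchealth/helpctr/binaries/HelpHost.com"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(worm)
        decoy = root / "WINDOWS/system32/legit.dll"  # same size, different bytes
        decoy.parent.mkdir(parents=True, exist_ok=True)
        decoy.write_bytes(b"X" * WORM_SIZE)
        reference = sha256((root / "MS-DOS.com").read_bytes()).hexdigest()
        copies = find_copies(root, reference_hash=reference)
        debuggers = ifeo_debuggers(SAMPLE_REG)
        return {"by_size": find_copies(root),  # 4 hits: the decoy slips in
                "copies": copies,              # 3 hits: hash-verified only
                "debuggers": debuggers,
                "flagged": cross_check(debuggers, copies)}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Against a real machine you would run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` on the affected PC, then call `ifeo_debuggers(open("ifeo.reg", encoding="utf-16").read())` and `find_copies(r"\\192.168.1.100\C$", reference_hash=...)` from the clean one. The script only reports; deleting the files and subkeys stays a manual decision after you have looked at the list, and the decoy in `demo()` shows why the hash check matters before you do.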

This is the one virus that I’ve ever removed manually, with a lot of searching and deleting, from files to registry.

  1. Joe G
    July 14, 2008 at 12:08 AM

    Did you get it fixed?

I have the same virus. I had 4 boys here in the USA from Shanghai who did something and now I have the same thing.
    Do you know if Panda security software will fix it?
    If not how do I find the HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion that you suggest and do I delete it?

    Joe

  2. July 15, 2008 at 10:45 AM

Joe,
    I faced it twice, and this time I could kill it, so this entry was born. :)
    You can search for the suggested items in your registry; it’s fine if you don’t see one or more of them, because this virus has many variants..

    Panda Security can detect the old version; I’m not sure if it can detect the new version, so go on and have a try with the latest virus definitions updated. :)

  3. ko thet
    August 13, 2008 at 10:52 AM

I want the Global clean file with pdf

    Thank you very much

  4. August 13, 2008 at 2:14 PM

To ko thet: I don’t really know what you mean? Pardon, please!

  5. Mr. N
    September 26, 2008 at 6:08 PM

The older version, Perwall.A (225,280 bytes), also changes...

    HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command

    to point at one of the infected files; the key should have a value of...

    %SystemRoot%\system32\mmc.exe “%1” %*

    Thanks for your help in removing this from a friend’s PC.

  6. October 4, 2008 at 11:29 AM

Nice.... It does help. It would be better if you combined all of the commands into a 1-click clean.

  7. Sambo Men
    October 25, 2008 at 6:23 PM

HELP!!! I have that virus right now... but I don’t understand your steps.... Can you please HELP me and elaborate more, because I don’t know laptop stuff well... like with your first step, where do I go first????

  8. October 25, 2008 at 11:30 PM

    Sambo Men,

Step 1 is to search for and delete the virus files; please note that they will all have the exact same size. But while you’re doing this, the flying object may appear all over the screen, so you had better access the disks of the affected computer from another one.

    For example: Machine A is the one affected by the virus, and its IP address is 192.168.1.100. From another machine in your network, click Start -> Run and type “\\192.168.1.100\C$” in the box; it will let you access the C drive on the affected PC, and then you can work on it with search and delete.

  9. Gavin
    December 10, 2008 at 11:54 AM

    Hey I have the exact same virus right now!

It’s easily the worst and most evil virus I have ever had. I have tried AVG, Kaspersky, Spy-Bot and Ad-Aware, which have all failed to get this virus (are these programs any good?), but I will try Panda Security now and have my fingers crossed!!

  10. Francis
    December 17, 2008 at 4:23 PM

    Hi,

Your guidance on this is very good and gets rid of the virus.
    But how do you get back your Control Panel and some other stuff such as gpedit.msc?

    Thanks

  11. December 17, 2008 at 4:49 PM

Frank,
    I don’t have any problem with gpedit.msc. You may have got another virus that cracked it.

  12. Wong
    January 6, 2009 at 3:06 PM

Well, I got the same virus on my computer too..
    The good thing is, I managed to delete those viruses when I formatted my PC.. (2 times in a row)

    The bad thing is, I found that the virus also infects some executable programs such as the DirectX installer and many of my games. The programs’ original size also gets bigger when I check it after restarting my computer.. As an example, I have a 100kb emulator for PSX and its size changed to 149kb after the virus infected my computer..

    The funny thing is, it looks like it only infects .exe, because I have a .com program and it is still at its original size after the virus infected.

    One last thing, the virus also infects the Recycler on every drive.. so the only way is to format the drive, I guess.

    Any help would be nice..

  13. Robbert
    January 12, 2009 at 8:47 AM

I have the virus as well.. I’m just unsure how to access regedit from another PC! Can anyone tell me?

    • January 12, 2009 at 10:19 AM

Robbert: From your PC, open your own regedit, go to the menu File -> Connect Network Registry, then type in the remote PC name or IP address. Make sure the “Remote Registry” service is available and that you have administrative privileges on it. :)

  14. charlie
    January 12, 2009 at 12:48 PM

    Hi.
Thanks for the great article, although it is kind of too in-depth for someone who hasn’t studied basic programming or IT. I will try it nonetheless. Hope not to delete critical files. One more question.
    What exactly is the name of this virus?

    • January 12, 2009 at 1:12 PM

Charlie: It doesn’t have an exact name, and it is called differently by each antivirus: Perwall, SillyFDC, Worm_Autorun.Buk, ... as you see in the title :)

  15. Robbert
    January 12, 2009 at 9:49 PM

    Hey guys,
I’ve been trying this just about all day, but whenever I delete one of the files, they return in seconds. I’ve even tried making a Java program that deletes all of them, but for some reason they keep coming back. What am I doing wrong?

  16. Robbert
    January 12, 2009 at 10:45 PM

Alright, never mind, I tried running my program again in safe mode and that did the trick, everything’s gone now. Thanks heaps!

  17. January 16, 2009 at 11:27 AM

Thank you for your site.
    I had so many problems with that virus.
    When I read your site I could fix my computer system.

  18. tabs
    January 17, 2009 at 5:26 AM

    I had this same virus and tried to remove it manually according to these instructions, but had some problems (my fault though since I am no computer pro). That stupid bouncing banner even appeared when I restarted my computer in safe mode! Finally I tried restoring my system to a date before my computer was infected by going to Control Panel, then Performance and Maintenance, then System Restore. It worked! I don’t know if there are any problems yet having done it this way (I had to re-install updates for some of my programs), but so far so good — no more banner! Maybe this method will help other people too.

    Thanks for your help!

